diff --git a/abrt.fc b/abrt.fc
new file mode 100644
index 0000000..1bd5812
--- /dev/null
+++ b/abrt.fc
@@ -0,0 +1,20 @@
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+
+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
+/var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff --git a/abrt.if b/abrt.if
new file mode 100644
index 0000000..0b827c5
--- /dev/null
+++ b/abrt.if
@@ -0,0 +1,303 @@
+## ABRT - automated bug-reporting tool
+
+######################################
+##
+## Execute abrt in the abrt domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`abrt_domtrans',`
+ gen_require(`
+ type abrt_t, abrt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_exec_t, abrt_t)
+')
+
+######################################
+##
+## Execute abrt in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_exec',`
+ gen_require(`
+ type abrt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, abrt_exec_t)
+')
+
+########################################
+##
+## Send a null signal to abrt.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_signull',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ allow $1 abrt_t:process signull;
+')
+
+########################################
+##
+## Allow the domain to read abrt state files in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_read_state',`
+ gen_require(`
+ type abrt_t;
+ ')
+
+ ps_process_pattern($1, abrt_t)
+')
+
+########################################
+##
+## Connect to abrt over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_stream_connect',`
+ gen_require(`
+ type abrt_t, abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## abrt over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_dbus_chat',`
+ gen_require(`
+ type abrt_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 abrt_t:dbus send_msg;
+ allow abrt_t $1:dbus send_msg;
+')
+
+#####################################
+##
+## Execute abrt-helper in the abrt-helper domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`abrt_domtrans_helper',`
+ gen_require(`
+ type abrt_helper_t, abrt_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
+')
+
+########################################
+##
+## Execute abrt helper in the abrt_helper domain, and
+## allow the specified role the abrt_helper domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`abrt_run_helper',`
+ gen_require(`
+ type abrt_helper_t;
+ ')
+
+ abrt_domtrans_helper($1)
+ role $2 types abrt_helper_t;
+')
+
+########################################
+##
+## Send and receive messages from
+## abrt over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_cache_manage',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+ manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+####################################
+##
+## Read abrt configuration file.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_read_config',`
+ gen_require(`
+ type abrt_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, abrt_etc_t, abrt_etc_t)
+')
+
+######################################
+##
+## Read abrt logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_read_log',`
+ gen_require(`
+ type abrt_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
+')
+
+######################################
+##
+## Read abrt PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_read_pid_files',`
+ gen_require(`
+ type abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+')
+
+######################################
+##
+## Create, read, write, and delete abrt PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_manage_pid_files',`
+ gen_require(`
+ type abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+')
+
+#####################################
+##
+## All of the rules required to administrate
+## an abrt environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the abrt domain.
+##
+##
+##
+#
+interface(`abrt_admin',`
+ gen_require(`
+ type abrt_t, abrt_etc_t;
+ type abrt_var_cache_t, abrt_var_log_t;
+ type abrt_var_run_t, abrt_tmp_t;
+ type abrt_initrc_exec_t;
+ ')
+
+ allow $1 abrt_t:process { ptrace signal_perms };
+ ps_process_pattern($1, abrt_t)
+
+ init_labeled_script_domtrans($1, abrt_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 abrt_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, abrt_etc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, abrt_var_log_t)
+
+ files_search_var($1)
+ admin_pattern($1, abrt_var_cache_t)
+
+ files_search_pids($1)
+ admin_pattern($1, abrt_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, abrt_tmp_t)
+')
diff --git a/abrt.te b/abrt.te
new file mode 100644
index 0000000..30861ec
--- /dev/null
+++ b/abrt.te
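Review bot: The summary on `abrt_cache_manage` is copied from `abrt_dbus_chat` ("Send and receive messages from abrt over dbus.") and describes the wrong access; it should read `## Create, read, write, and delete abrt cache files.` so anyone reading the generated interface docs sees what is actually granted. The same interface omits the parent-directory search that its siblings provide (`abrt_read_config` calls `files_search_etc`, `abrt_read_pid_files` calls `files_search_pids`, and `abrt_admin` pairs `files_search_var($1)` with the cache type), so callers may still be denied traversal of /var/cache; adding `files_search_var($1)` before the `manage_files_pattern` line would match that convention. `abrt_domtrans_helper` is likewise the only domtrans in this file without `corecmd_search_bin($1)`; whether the /usr/libexec helpers need it depends on what the caller already has, so confirm before adding it.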
@@ -0,0 +1,227 @@
+policy_module(abrt, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type abrt_t;
+type abrt_exec_t;
+init_daemon_domain(abrt_t, abrt_exec_t)
+
+type abrt_initrc_exec_t;
+init_script_file(abrt_initrc_exec_t)
+
+# etc files
+type abrt_etc_t;
+files_config_file(abrt_etc_t)
+
+# log files
+type abrt_var_log_t;
+logging_log_file(abrt_var_log_t)
+
+# tmp files
+type abrt_tmp_t;
+files_tmp_file(abrt_tmp_t)
+
+# var/cache files
+type abrt_var_cache_t;
+files_type(abrt_var_cache_t)
+
+# pid files
+type abrt_var_run_t;
+files_pid_file(abrt_var_run_t)
+
+# type needed to allow all domains
+# to handle /var/cache/abrt
+type abrt_helper_t;
+type abrt_helper_exec_t;
+application_domain(abrt_helper_t, abrt_helper_exec_t)
+role system_r types abrt_helper_t;
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# abrt local policy
+#
+
+allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
+dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:process { signal signull setsched getsched };
+
+allow abrt_t self:fifo_file rw_fifo_file_perms;
+allow abrt_t self:tcp_socket create_stream_socket_perms;
+allow abrt_t self:udp_socket create_socket_perms;
+allow abrt_t self:unix_dgram_socket create_socket_perms;
+allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
+
+# abrt etc files
+rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+
+# log file
+manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
+logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+
+# abrt tmp files
+manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+
+# abrt var/cache files
+manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
+files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+
+# abrt pid files
+manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
+
+kernel_read_ring_buffer(abrt_t)
+kernel_read_system_state(abrt_t)
+kernel_rw_kernel_sysctl(abrt_t)
+
+corecmd_exec_bin(abrt_t)
+corecmd_exec_shell(abrt_t)
+corecmd_read_all_executables(abrt_t)
+
+corenet_all_recvfrom_netlabel(abrt_t)
+corenet_all_recvfrom_unlabeled(abrt_t)
+corenet_tcp_sendrecv_generic_if(abrt_t)
+corenet_tcp_sendrecv_generic_node(abrt_t)
+corenet_tcp_sendrecv_generic_port(abrt_t)
+corenet_tcp_bind_generic_node(abrt_t)
+corenet_tcp_connect_http_port(abrt_t)
+corenet_tcp_connect_ftp_port(abrt_t)
+corenet_tcp_connect_all_ports(abrt_t)
+corenet_sendrecv_http_client_packets(abrt_t)
+
+dev_getattr_all_chr_files(abrt_t)
+dev_read_urand(abrt_t)
+dev_rw_sysfs(abrt_t)
+dev_dontaudit_read_raw_memory(abrt_t)
+
+domain_getattr_all_domains(abrt_t)
+domain_read_all_domains_state(abrt_t)
+domain_signull_all_domains(abrt_t)
+
+files_getattr_all_files(abrt_t)
+files_read_etc_files(abrt_t)
+files_read_var_symlinks(abrt_t)
+files_read_var_lib_files(abrt_t)
+files_read_usr_files(abrt_t)
+files_read_generic_tmp_files(abrt_t)
+files_read_kernel_modules(abrt_t)
+files_dontaudit_list_default(abrt_t)
+files_dontaudit_read_default_files(abrt_t)
+
+fs_list_inotifyfs(abrt_t)
+fs_getattr_all_fs(abrt_t)
+fs_getattr_all_dirs(abrt_t)
+fs_read_fusefs_files(abrt_t)
+fs_read_noxattr_fs_files(abrt_t)
+fs_read_nfs_files(abrt_t)
+fs_read_nfs_symlinks(abrt_t)
+fs_search_all(abrt_t)
+
+sysnet_read_config(abrt_t)
+
+logging_read_generic_logs(abrt_t)
+logging_send_syslog_msg(abrt_t)
+
+miscfiles_read_generic_certs(abrt_t)
+miscfiles_read_localization(abrt_t)
+
+userdom_dontaudit_read_user_home_content_files(abrt_t)
+
+optional_policy(`
+ dbus_system_domain(abrt_t, abrt_exec_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(abrt_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(abrt_t)
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
+ policykit_read_reload(abrt_t)
+')
+
+optional_policy(`
+ prelink_exec(abrt_t)
+ libs_exec_ld_so(abrt_t)
+ corecmd_exec_all_executables(abrt_t)
+')
+
+# to install debuginfo packages
+optional_policy(`
+ rpm_exec(abrt_t)
+ rpm_dontaudit_manage_db(abrt_t)
+ rpm_manage_cache(abrt_t)
+ rpm_manage_pid_files(abrt_t)
+ rpm_read_db(abrt_t)
+ rpm_signull(abrt_t)
+')
+
+# to run mailx plugin
+optional_policy(`
+ sendmail_domtrans(abrt_t)
+')
+
+optional_policy(`
+ sssd_stream_connect(abrt_t)
+')
+
+########################################
+#
+# abrt--helper local policy
+#
+
+allow abrt_helper_t self:capability { chown setgid sys_nice };
+allow abrt_helper_t self:process signal;
+
+read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
+
+files_search_spool(abrt_helper_t)
+manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+
+read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+
+domain_read_all_domains_state(abrt_helper_t)
+
+files_read_etc_files(abrt_helper_t)
+
+fs_list_inotifyfs(abrt_helper_t)
+fs_getattr_all_fs(abrt_helper_t)
+
+auth_use_nsswitch(abrt_helper_t)
+
+logging_send_syslog_msg(abrt_helper_t)
+
+miscfiles_read_localization(abrt_helper_t)
+
+term_dontaudit_use_all_ttys(abrt_helper_t)
+term_dontaudit_use_all_ptys(abrt_helper_t)
+
+ifdef(`hide_broken_symptoms', `
+ userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
+ userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
+ dev_dontaudit_read_all_blk_files(abrt_helper_t)
+ dev_dontaudit_read_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_blk_files(abrt_helper_t)
+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+')
diff --git a/accountsd.fc b/accountsd.fc
new file mode 100644
index 0000000..1adca53
--- /dev/null
+++ b/accountsd.fc
@@ -0,0 +1,3 @@
+/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+
+/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
diff --git a/accountsd.if b/accountsd.if
new file mode 100644
index 0000000..c0f858d
--- /dev/null
+++ b/accountsd.if
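Review bot: `corenet_tcp_connect_all_ports(abrt_t)` makes the preceding `corenet_tcp_connect_http_port` and `corenet_tcp_connect_ftp_port` lines redundant and gives the crash-collection daemon unrestricted outbound TCP, in the same domain that also receives `corecmd_read_all_executables`, `domain_read_all_domains_state`, `files_getattr_all_files` and `kernel_rw_kernel_sysctl`. Since the two named-port rules already express the intended reporting targets, the all-ports rule should either be dropped or moved under a `tunable_policy(` block keyed on a boolean declared with `gen_tunable` in this module, so the shipped default keeps egress to http/ftp only. The write half of `kernel_rw_kernel_sysctl` is not explained anywhere in the hunk; a why-comment above it in the style of the existing `# to install debuginfo packages` and `# to run mailx plugin` notes would let a reviewer judge whether `kernel_read_kernel_sysctls` would do.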
@@ -0,0 +1,145 @@
+## AccountsService and daemon for manipulating user account information via D-Bus
+
+########################################
+##
+## Execute a domain transition to run accountsd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`accountsd_domtrans',`
+ gen_require(`
+ type accountsd_t, accountsd_exec_t;
+ ')
+
+ domtrans_pattern($1, accountsd_exec_t, accountsd_t)
+')
+
+########################################
+##
+## Do not audit attempts to read and write Accounts Daemon
+## fifo file.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`accountsd_dontaudit_rw_fifo_file',`
+ gen_require(`
+ type accountsd_t;
+ ')
+
+ dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Send and receive messages from
+## accountsd over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`accountsd_dbus_chat',`
+ gen_require(`
+ type accountsd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 accountsd_t:dbus send_msg;
+ allow accountsd_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Search accountsd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`accountsd_search_lib',`
+ gen_require(`
+ type accountsd_var_lib_t;
+ ')
+
+ allow $1 accountsd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read accountsd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`accountsd_read_lib_files',`
+ gen_require(`
+ type accountsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## accountsd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`accountsd_manage_lib_files',`
+ gen_require(`
+ type accountsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an accountsd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`accountsd_admin',`
+ gen_require(`
+ type accountsd_t;
+ ')
+
+ allow $1 accountsd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, accountsd_t)
+
+ accountsd_manage_lib_files($1)
+')
diff --git a/accountsd.te b/accountsd.te
new file mode 100644
index 0000000..1632f10
--- /dev/null
+++ b/accountsd.te
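Review bot: `accountsd_admin` documents a second parameter ("Role allowed access.") but its body never references `$2`; unlike `abrt_admin` and `afs_admin` there is no initrc exec type in accountsd.te to `role_transition` into, so the role argument is dead. Either remove the role `<param>` block from the doc comment so callers do not pass a role that has no effect, or add the role rule when an init-script type exists. The interface also covers `accountsd_var_lib_t` only through `accountsd_manage_lib_files($1)`, which grants file management but not directory creation, removal or relabeling under /var/lib/AccountsService; following the abrt_admin convention, `files_search_var_lib($1)` followed by `admin_pattern($1, accountsd_var_lib_t)` would give the administrator the full set.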
@@ -0,0 +1,57 @@
+policy_module(accountsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type accountsd_t;
+type accountsd_exec_t;
+dbus_system_domain(accountsd_t, accountsd_exec_t)
+
+type accountsd_var_lib_t;
+files_type(accountsd_var_lib_t)
+
+########################################
+#
+# accountsd local policy
+#
+
+allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
+allow accountsd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })
+
+kernel_read_kernel_sysctls(accountsd_t)
+
+corecmd_exec_bin(accountsd_t)
+
+files_read_usr_files(accountsd_t)
+files_read_mnt_files(accountsd_t)
+
+fs_list_inotifyfs(accountsd_t)
+fs_read_noxattr_fs_files(accountsd_t)
+
+auth_use_nsswitch(accountsd_t)
+auth_read_shadow(accountsd_t)
+
+miscfiles_read_localization(accountsd_t)
+
+logging_send_syslog_msg(accountsd_t)
+logging_set_loginuid(accountsd_t)
+
+userdom_read_user_tmp_files(accountsd_t)
+userdom_read_user_home_content_files(accountsd_t)
+
+usermanage_domtrans_useradd(accountsd_t)
+usermanage_domtrans_passwd(accountsd_t)
+
+optional_policy(`
+ consolekit_read_log(accountsd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(accountsd_t)
+')
diff --git a/acct.fc b/acct.fc
new file mode 100644
index 0000000..e81367c
--- /dev/null
+++ b/acct.fc
@@ -0,0 +1,9 @@
+
+/etc/cron\.(daily|monthly)/acct -- gen_context(system_u:object_r:acct_exec_t,s0)
+
+/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
+
+/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
+
+/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
+/var/log/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
diff --git a/acct.if b/acct.if
new file mode 100644
index 0000000..e66c296
--- /dev/null
+++ b/acct.if
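Review bot: `allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };` and `auth_read_shadow(accountsd_t)` are the rules a reviewer most needs justified here and neither carries a comment: `sys_ptrace` in a D-Bus service is presumably for inspecting caller processes under /proc (unconfirmed), and shadow read combined with `dac_override` means any flaw in the daemon exposes password hashes regardless of file mode. Add a why-comment on each, e.g. `# sys_ptrace: /proc/<pid> lookups of D-Bus callers - confirm` above the capability line and `# reads shadow to report account lock/expiry state - confirm` above `auth_read_shadow`. `logging_set_loginuid(accountsd_t)` is equally unusual for a long-running daemon, since that interface exists for processes that set the audit login UID, and deserves the same one-line note.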
@@ -0,0 +1,80 @@
+## Berkeley process accounting
+
+########################################
+##
+## Transition to the accounting management domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`acct_domtrans',`
+ gen_require(`
+ type acct_t, acct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, acct_exec_t, acct_t)
+')
+
+########################################
+##
+## Execute accounting management tools in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`acct_exec',`
+ gen_require(`
+ type acct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, acct_exec_t)
+')
+
+########################################
+##
+## Execute accounting management data in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+# cjp: this is added for logrotate, and does
+# not make sense to me.
+interface(`acct_exec_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ files_search_var($1)
+ can_exec($1, acct_data_t)
+')
+
+########################################
+##
+## Create, read, write, and delete process accounting data.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`acct_manage_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, acct_data_t, acct_data_t)
+ manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
+')
diff --git a/acct.te b/acct.te
new file mode 100644
index 0000000..63ef90e
--- /dev/null
+++ b/acct.te
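Review bot: `acct_exec_data` grants `can_exec($1, acct_data_t)` on a type that acct.te declares with `logging_log_file`, i.e. execute permission on accounting log data, and the `cjp:` comment already records that nobody could explain why logrotate needs it. The public summary ("Execute accounting management data in the caller domain.") should make that status visible so other modules do not adopt the interface by name, e.g. `## Execute process accounting data files. Intended only for logrotate; see the note below.`. If the logrotate requirement can be re-tested, confirming that `acct_manage_data`-style access suffices would allow the exec rule on a log type to be retired.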
@@ -0,0 +1,89 @@
+policy_module(acct, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type acct_t;
+type acct_exec_t;
+init_system_domain(acct_t, acct_exec_t)
+
+type acct_data_t;
+logging_log_file(acct_data_t)
+
+########################################
+#
+# Local Policy
+#
+
+# gzip needs chown capability for some reason
+allow acct_t self:capability { sys_pacct chown fsetid };
+# not sure why we need kill, the command "last" is reported as using it
+dontaudit acct_t self:capability { kill sys_tty_config };
+
+allow acct_t self:fifo_file rw_fifo_file_perms;
+allow acct_t self:process signal_perms;
+
+manage_files_pattern(acct_t, acct_data_t, acct_data_t)
+manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t)
+
+can_exec(acct_t, acct_exec_t)
+
+kernel_list_proc(acct_t)
+kernel_read_system_state(acct_t)
+kernel_read_kernel_sysctls(acct_t)
+
+dev_read_sysfs(acct_t)
+# for SSP
+dev_read_urand(acct_t)
+
+fs_search_auto_mountpoints(acct_t)
+fs_getattr_xattr_fs(acct_t)
+
+term_dontaudit_use_console(acct_t)
+term_dontaudit_use_generic_ptys(acct_t)
+
+corecmd_exec_bin(acct_t)
+corecmd_exec_shell(acct_t)
+
+domain_use_interactive_fds(acct_t)
+
+files_read_etc_files(acct_t)
+files_read_etc_runtime_files(acct_t)
+files_list_usr(acct_t)
+# for nscd
+files_dontaudit_search_pids(acct_t)
+
+init_use_fds(acct_t)
+init_use_script_ptys(acct_t)
+init_exec_script_files(acct_t)
+
+logging_send_syslog_msg(acct_t)
+
+miscfiles_read_localization(acct_t)
+
+userdom_dontaudit_use_unpriv_user_fds(acct_t)
+userdom_dontaudit_search_user_home_dirs(acct_t)
+
+optional_policy(`
+ optional_policy(`
+ # for monthly cron job
+ auth_log_filetrans_login_records(acct_t)
+ auth_manage_login_records(acct_t)
+ ')
+
+ cron_system_entry(acct_t, acct_exec_t)
+')
+
+optional_policy(`
+ nscd_socket_use(acct_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(acct_t)
+')
+
+optional_policy(`
+ udev_read_db(acct_t)
+')
diff --git a/ada.fc b/ada.fc
new file mode 100644
index 0000000..e802ed5
--- /dev/null
+++ b/ada.fc
@@ -0,0 +1,7 @@
+#
+# /usr
+#
+/usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)
diff --git a/ada.if b/ada.if
new file mode 100644
index 0000000..43ba21d
--- /dev/null
+++ b/ada.if
@@ -0,0 +1,45 @@
+## GNAT Ada95 compiler
+
+########################################
+##
+## Execute the ada program in the ada domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ada_domtrans',`
+ gen_require(`
+ type ada_t, ada_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ada_exec_t, ada_t)
+')
+
+########################################
+##
+## Execute ada in the ada domain, and
+## allow the specified role the ada domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`ada_run',`
+ gen_require(`
+ type ada_t;
+ ')
+
+ ada_domtrans($1)
+ role $2 types ada_t;
+')
diff --git a/ada.te b/ada.te
new file mode 100644
index 0000000..39c75fb
--- /dev/null
+++ b/ada.te
@@ -0,0 +1,24 @@
+policy_module(ada, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type ada_t;
+type ada_exec_t;
+application_domain(ada_t, ada_exec_t)
+role system_r types ada_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ada_t self:process { execstack execmem };
+
+userdom_use_user_terminals(ada_t)
+
+optional_policy(`
+ unconfined_domain(ada_t)
+')
diff --git a/afs.fc b/afs.fc
new file mode 100644
index 0000000..eaea138
--- /dev/null
+++ b/afs.fc
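Review bot: `optional_policy(` unconfined_domain(ada_t) ')` in ada.te makes `ada_t` an unconfined domain whenever the unconfined module is loaded, and `ada_run` in ada.if hands any role it is applied to a transition into that domain through the gnat binaries labelled in ada.fc; nothing in the hunk says why the compiler needs more than the `execstack execmem` granted just above. A comment above the optional block stating the reason, and noting that `ada_run` therefore gives the role effectively unconfined execution when unconfined is present, would make the trade-off visible to whoever assigns the role. The `execstack execmem` line would also benefit from a one-line why-comment, e.g. `# GNAT-generated code relies on executable stack trampolines - confirm`.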
@@ -0,0 +1,32 @@
+/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+
+/usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
+/usr/afs/bin/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
+/usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
+
+/usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0)
+/usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0)
+/usr/afs/db/ka.* -- gen_context(system_u:object_r:afs_ka_db_t,s0)
+/usr/afs/db/vl.* -- gen_context(system_u:object_r:afs_vl_db_t,s0)
+
+/usr/afs/etc(/.*)? gen_context(system_u:object_r:afs_config_t,s0)
+
+/usr/afs/local(/.*)? gen_context(system_u:object_r:afs_config_t,s0)
+
+/usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0)
+
+/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+
+/usr/vice/cache(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
+/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+
+/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
+
+/vicepa gen_context(system_u:object_r:afs_files_t,s0)
+/vicepb gen_context(system_u:object_r:afs_files_t,s0)
+/vicepc gen_context(system_u:object_r:afs_files_t,s0)
diff --git a/afs.if b/afs.if
new file mode 100644
index 0000000..8559cdc
--- /dev/null
+++ b/afs.if
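Review bot: The three `/vicepa`, `/vicepb`, `/vicepc` entries label only those mount points and nothing beneath them; AFS vice partitions are conventionally named /vicepa onward through the alphabet, so a server with a fourth partition gets the default label and the fileserver rules will not apply to it. A single pattern such as `/vicep[a-z]+(/.*)? gen_context(system_u:object_r:afs_files_t,s0)` would cover them uniformly; confirm whether the fileserver relies on relabeling via `(/.*)?` or labels exported content through its own file transitions before widening the match.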
@@ -0,0 +1,109 @@
+## Andrew Filesystem server
+
+########################################
+##
+## Execute a domain transition to run the
+## afs client.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`afs_domtrans',`
+ gen_require(`
+ type afs_t, afs_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, afs_exec_t, afs_t)
+')
+
+########################################
+##
+## Read and write afs client UDP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`afs_rw_udp_sockets',`
+ gen_require(`
+ type afs_t;
+ ')
+
+ allow $1 afs_t:udp_socket { read write };
+')
+
+########################################
+##
+## read/write afs cache files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`afs_rw_cache',`
+ gen_require(`
+ type afs_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 afs_cache_t:file { read write };
+')
+
+########################################
+##
+## Execute afs server in the afs domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`afs_initrc_domtrans',`
+ gen_require(`
+ type afs_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, afs_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an afs environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the afs domain.
+##
+##
+##
+#
+interface(`afs_admin',`
+ gen_require(`
+ type afs_t, afs_initrc_exec_t;
+ ')
+
+ allow $1 afs_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, afs_t, afs_t)
+
+ # Allow afs_admin to restart the afs service
+ afs_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 afs_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
diff --git a/afs.te b/afs.te
new file mode 100644
index 0000000..a496fde
--- /dev/null
+++ b/afs.te
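Review bot: `afs_admin` stops at process access and the init-script transition and never grants `admin_pattern` on the file types afs.te declares (`afs_cache_t`, `afs_config_t`, `afs_logfile_t`, `afs_dbdir_t` and the `afs_ka_db_t`/`afs_pt_db_t`/`afs_vl_db_t` databases), so an administrator role given this interface still cannot manage the server's configuration, logs or databases — compare `abrt_admin` in this same series, which walks every type its module declares. It also uses `read_files_pattern($1, afs_t, afs_t)` where `abrt_admin` and `accountsd_admin` use `ps_process_pattern($1, afs_t)`, the refpolicy idiom for reading a domain's /proc state; the rewrite below switches to it and adds the missing admin rules, with search interfaces for the /var and /var/log parents. Two smaller points in the same file: `afs_rw_cache` hand-writes `allow $1 afs_cache_t:file { read write };` where `rw_files_pattern($1, afs_cache_t, afs_cache_t)` would also give the directory search the caller needs, and the summary of `afs_initrc_domtrans` ("Execute afs server in the afs domain.") describes a daemon transition rather than the init-script transition it actually performs.
```m4
interface(`afs_admin',`
	gen_require(`
		type afs_t, afs_initrc_exec_t;
		type afs_cache_t, afs_config_t, afs_logfile_t;
		type afs_dbdir_t, afs_ka_db_t, afs_pt_db_t, afs_vl_db_t;
	')

	allow $1 afs_t:process { ptrace signal_perms getattr };
	ps_process_pattern($1, afs_t)

	# ... unchanged: init script transition and role rules ...

	files_search_var($1)
	admin_pattern($1, afs_cache_t)

	files_search_usr($1)
	admin_pattern($1, afs_config_t)
	admin_pattern($1, afs_dbdir_t)
	admin_pattern($1, afs_ka_db_t)
	admin_pattern($1, afs_pt_db_t)
	admin_pattern($1, afs_vl_db_t)

	logging_search_logs($1)
	admin_pattern($1, afs_logfile_t)
')
```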
@@ -0,0 +1,355 @@ +policy_module(afs, 1.7.0) + +######################################## +# +# Declarations +# + +type afs_t; +type afs_exec_t; +init_daemon_domain(afs_t, afs_exec_t) + +type afs_bosserver_t; +type afs_bosserver_exec_t; +init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t) + +type afs_cache_t; +files_type(afs_cache_t) + +type afs_config_t; +files_type(afs_config_t) + +type afs_dbdir_t; +files_type(afs_dbdir_t) + +# exported files +type afs_files_t; +files_type(afs_files_t) + +type afs_fsserver_t; +type afs_fsserver_exec_t; +domain_type(afs_fsserver_t) +domain_entry_file(afs_fsserver_t, afs_fsserver_exec_t) +role system_r types afs_fsserver_t; + +type afs_initrc_exec_t; +init_script_file(afs_initrc_exec_t) + +type afs_ka_db_t; +files_type(afs_ka_db_t) + +type afs_kaserver_t; +type afs_kaserver_exec_t; +domain_type(afs_kaserver_t) +domain_entry_file(afs_kaserver_t, afs_kaserver_exec_t) +role system_r types afs_kaserver_t; + +type afs_logfile_t; +logging_log_file(afs_logfile_t) + +type afs_pt_db_t; +files_type(afs_pt_db_t) + +type afs_ptserver_t; +type afs_ptserver_exec_t; +domain_type(afs_ptserver_t) +domain_entry_file(afs_ptserver_t, afs_ptserver_exec_t) +role system_r types afs_ptserver_t; + +type afs_vl_db_t; +files_type(afs_vl_db_t) + +type afs_vlserver_t; +type afs_vlserver_exec_t; +domain_type(afs_vlserver_t) +domain_entry_file(afs_vlserver_t, afs_vlserver_exec_t) +role system_r types afs_vlserver_t; + +######################################## +# +# afs client local policy +# + +allow afs_t self:capability { sys_admin sys_nice sys_tty_config }; +allow afs_t self:process { setsched signal }; +allow afs_t self:udp_socket create_socket_perms; +allow afs_t self:fifo_file rw_file_perms; +allow afs_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(afs_t, afs_cache_t, afs_cache_t) +manage_dirs_pattern(afs_t, afs_cache_t, afs_cache_t) +files_var_filetrans(afs_t, afs_cache_t, { file dir }) + +kernel_rw_afs_state(afs_t) + 
+corenet_all_recvfrom_unlabeled(afs_t) +corenet_all_recvfrom_netlabel(afs_t) +corenet_tcp_sendrecv_generic_if(afs_t) +corenet_udp_sendrecv_generic_if(afs_t) +corenet_tcp_sendrecv_generic_node(afs_t) +corenet_udp_sendrecv_generic_node(afs_t) +corenet_tcp_sendrecv_all_ports(afs_t) +corenet_udp_sendrecv_all_ports(afs_t) +corenet_udp_bind_generic_node(afs_t) + +files_mounton_mnt(afs_t) +files_read_etc_files(afs_t) +files_read_usr_files(afs_t) +files_rw_etc_runtime_files(afs_t) + +fs_getattr_xattr_fs(afs_t) +fs_mount_nfs(afs_t) +fs_read_nfs_symlinks(afs_t) + +logging_send_syslog_msg(afs_t) + +miscfiles_read_localization(afs_t) + +sysnet_dns_name_resolve(afs_t) + +######################################## +# +# AFS bossserver local policy +# + +allow afs_bosserver_t self:process { setsched signal_perms }; +allow afs_bosserver_t self:tcp_socket create_stream_socket_perms; +allow afs_bosserver_t self:udp_socket create_socket_perms; + +can_exec(afs_bosserver_t, afs_bosserver_exec_t) + +manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t) +manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t) + +allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms; + +allow afs_bosserver_t afs_fsserver_t:process signal_perms; +domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t) + +allow afs_bosserver_t afs_kaserver_t:process signal_perms; +domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t) + +allow afs_bosserver_t afs_logfile_t:file manage_file_perms; +allow afs_bosserver_t afs_logfile_t:dir manage_dir_perms; + +allow afs_bosserver_t afs_ptserver_t:process signal_perms; +domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t) + +allow afs_bosserver_t afs_vlserver_t:process signal_perms; +domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) + +kernel_read_kernel_sysctls(afs_bosserver_t) + +corenet_all_recvfrom_unlabeled(afs_bosserver_t) +corenet_all_recvfrom_netlabel(afs_bosserver_t) 
+corenet_tcp_sendrecv_generic_if(afs_bosserver_t) +corenet_udp_sendrecv_generic_if(afs_bosserver_t) +corenet_tcp_sendrecv_generic_node(afs_bosserver_t) +corenet_udp_sendrecv_generic_node(afs_bosserver_t) +corenet_tcp_sendrecv_all_ports(afs_bosserver_t) +corenet_udp_sendrecv_all_ports(afs_bosserver_t) +corenet_udp_bind_generic_node(afs_bosserver_t) +corenet_udp_bind_afs_bos_port(afs_bosserver_t) +corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t) + +files_read_etc_files(afs_bosserver_t) +files_list_home(afs_bosserver_t) +files_read_usr_files(afs_bosserver_t) + +miscfiles_read_localization(afs_bosserver_t) + +seutil_read_config(afs_bosserver_t) + +sysnet_read_config(afs_bosserver_t) + +######################################## +# +# fileserver local policy +# + +allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }; +dontaudit afs_fsserver_t self:capability fsetid; +allow afs_fsserver_t self:process { setsched signal_perms }; +allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; +allow afs_fsserver_t self:tcp_socket create_stream_socket_perms; +allow afs_fsserver_t self:udp_socket create_socket_perms; + +read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) +allow afs_fsserver_t afs_config_t:dir list_dir_perms; + +manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t) +manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) + +allow afs_fsserver_t afs_files_t:filesystem getattr; +manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t) +manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) +manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) +manage_fifo_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) +manage_sock_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) +filetrans_pattern(afs_fsserver_t, afs_config_t, afs_files_t, { file lnk_file sock_file fifo_file }) + +can_exec(afs_fsserver_t, afs_fsserver_exec_t) + +manage_dirs_pattern(afs_fsserver_t, afs_logfile_t, 
afs_logfile_t) +manage_files_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t) + +kernel_read_system_state(afs_fsserver_t) +kernel_read_kernel_sysctls(afs_fsserver_t) + +corenet_tcp_sendrecv_generic_if(afs_fsserver_t) +corenet_udp_sendrecv_generic_if(afs_fsserver_t) +corenet_tcp_sendrecv_generic_node(afs_fsserver_t) +corenet_udp_sendrecv_generic_node(afs_fsserver_t) +corenet_tcp_sendrecv_all_ports(afs_fsserver_t) +corenet_udp_sendrecv_all_ports(afs_fsserver_t) +corenet_all_recvfrom_unlabeled(afs_fsserver_t) +corenet_all_recvfrom_netlabel(afs_fsserver_t) +corenet_tcp_bind_generic_node(afs_fsserver_t) +corenet_udp_bind_generic_node(afs_fsserver_t) +corenet_tcp_bind_afs_fs_port(afs_fsserver_t) +corenet_udp_bind_afs_fs_port(afs_fsserver_t) +corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t) + +files_read_etc_files(afs_fsserver_t) +files_read_etc_runtime_files(afs_fsserver_t) +files_list_home(afs_fsserver_t) +files_read_usr_files(afs_fsserver_t) +files_list_pids(afs_fsserver_t) +files_dontaudit_search_mnt(afs_fsserver_t) + +fs_getattr_xattr_fs(afs_fsserver_t) + +term_dontaudit_use_console(afs_fsserver_t) + +init_dontaudit_use_script_fds(afs_fsserver_t) + +logging_send_syslog_msg(afs_fsserver_t) + +miscfiles_read_localization(afs_fsserver_t) + +seutil_read_config(afs_fsserver_t) + +sysnet_read_config(afs_fsserver_t) + +userdom_dontaudit_use_user_terminals(afs_fsserver_t) + +######################################## +# +# kaserver local policy +# + +allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms; +allow afs_kaserver_t self:tcp_socket create_stream_socket_perms; +allow afs_kaserver_t self:udp_socket create_socket_perms; + +manage_files_pattern(afs_kaserver_t, afs_config_t, afs_config_t) + +manage_files_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t) +filetrans_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t, file) + +manage_dirs_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) +manage_files_pattern(afs_kaserver_t, afs_logfile_t, 
afs_logfile_t) + +kernel_read_kernel_sysctls(afs_kaserver_t) + +corenet_all_recvfrom_unlabeled(afs_kaserver_t) +corenet_all_recvfrom_netlabel(afs_kaserver_t) +corenet_tcp_sendrecv_generic_if(afs_kaserver_t) +corenet_udp_sendrecv_generic_if(afs_kaserver_t) +corenet_tcp_sendrecv_generic_node(afs_kaserver_t) +corenet_udp_sendrecv_generic_node(afs_kaserver_t) +corenet_tcp_sendrecv_all_ports(afs_kaserver_t) +corenet_udp_sendrecv_all_ports(afs_kaserver_t) +corenet_udp_bind_generic_node(afs_kaserver_t) +corenet_udp_bind_afs_ka_port(afs_kaserver_t) +corenet_udp_bind_kerberos_port(afs_kaserver_t) +corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t) +corenet_sendrecv_kerberos_server_packets(afs_kaserver_t) + +files_read_etc_files(afs_kaserver_t) +files_list_home(afs_kaserver_t) +files_read_usr_files(afs_kaserver_t) + +miscfiles_read_localization(afs_kaserver_t) + +seutil_read_config(afs_kaserver_t) + +sysnet_read_config(afs_kaserver_t) + +userdom_dontaudit_use_user_terminals(afs_kaserver_t) + +######################################## +# +# ptserver local policy +# + +allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms; +allow afs_ptserver_t self:tcp_socket create_stream_socket_perms; +allow afs_ptserver_t self:udp_socket create_socket_perms; + +read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t) +allow afs_ptserver_t afs_config_t:dir list_dir_perms; + +manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) +manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) + +manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t) +filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file) + +corenet_all_recvfrom_unlabeled(afs_ptserver_t) +corenet_all_recvfrom_netlabel(afs_ptserver_t) +corenet_tcp_sendrecv_generic_if(afs_ptserver_t) +corenet_udp_sendrecv_generic_if(afs_ptserver_t) +corenet_tcp_sendrecv_generic_node(afs_ptserver_t) +corenet_udp_sendrecv_generic_node(afs_ptserver_t) 
+corenet_tcp_sendrecv_all_ports(afs_ptserver_t) +corenet_udp_sendrecv_all_ports(afs_ptserver_t) +corenet_udp_bind_generic_node(afs_ptserver_t) +corenet_udp_bind_afs_pt_port(afs_ptserver_t) +corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) + +files_read_etc_files(afs_ptserver_t) + +miscfiles_read_localization(afs_ptserver_t) + +sysnet_read_config(afs_ptserver_t) + +userdom_dontaudit_use_user_terminals(afs_ptserver_t) + +######################################## +# +# vlserver local policy +# + +allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms; +allow afs_vlserver_t self:tcp_socket create_stream_socket_perms; +allow afs_vlserver_t self:udp_socket create_socket_perms; + +read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t) +allow afs_vlserver_t afs_config_t:dir list_dir_perms; + +manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) +manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) + +manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) +filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) + +corenet_all_recvfrom_unlabeled(afs_vlserver_t) +corenet_all_recvfrom_netlabel(afs_vlserver_t) +corenet_tcp_sendrecv_generic_if(afs_vlserver_t) +corenet_udp_sendrecv_generic_if(afs_vlserver_t) +corenet_tcp_sendrecv_generic_node(afs_vlserver_t) +corenet_udp_sendrecv_generic_node(afs_vlserver_t) +corenet_tcp_sendrecv_all_ports(afs_vlserver_t) +corenet_udp_sendrecv_all_ports(afs_vlserver_t) +corenet_udp_bind_generic_node(afs_vlserver_t) +corenet_udp_bind_afs_vl_port(afs_vlserver_t) +corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t) + +files_read_etc_files(afs_vlserver_t) + +miscfiles_read_localization(afs_vlserver_t) + +sysnet_read_config(afs_vlserver_t) + +userdom_dontaudit_use_user_terminals(afs_vlserver_t) diff --git a/aiccu.fc b/aiccu.fc new file mode 100644 index 0000000..069518f --- /dev/null +++ b/aiccu.fc 
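Review bot: Every domain in this hunk is granted `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` right next to the port-specific rules (`corenet_udp_bind_afs_fs_port`, `corenet_udp_bind_afs_ka_port`, `corenet_sendrecv_afs_pt_server_packets`, ...), so the per-port grants do not narrow what the daemons may talk on; if least privilege is the aim, the matching `corenet_udp_sendrecv_afs_*_port` interfaces would replace the all-ports pair for the four servers. The client section gives `afs_t` `sys_admin` with no comment; a line such as `# sys_admin: presumably for mount(2) of the client filesystem — confirm` would record why. The `read_files_pattern`/`list_dir_perms` lines for `afs_fsserver_t` on `afs_config_t` are subsumed by the `manage_dirs_pattern`/`manage_files_pattern` lines directly below them, and `afs_kaserver_t` gets write access to `afs_config_t` where `afs_ptserver_t` and `afs_vlserver_t` only read; both are worth a comment or a trim. This hunk is the whole of afs.te, so nothing outside the view changes the picture.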
@@ -0,0 +1,6 @@
+/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)
+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --git a/aiccu.if b/aiccu.if
new file mode 100644
index 0000000..184c9a8
--- /dev/null
+++ b/aiccu.if
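Review bot: `/etc/aiccu.conf` on the first line leaves the dot unescaped, so as a regex it also matches names such as `/etc/aiccu-conf`, unlike the `aiccu\.pid` entry in the same hunk; it should read `/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)`. aiccu.te gives `aiccu_t` only `read_file_perms` on `aiccu_etc_t`, so an exact match keeps the tunnel configuration (which, as far as I know, carries the broker login) at the label that confines it.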
@@ -0,0 +1,95 @@ +## Automatic IPv6 Connectivity Client Utility. + +######################################## +## +## Execute a domain transition to run aiccu. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`aiccu_domtrans',` + gen_require(` + type aiccu_t, aiccu_exec_t; + ') + + domtrans_pattern($1, aiccu_exec_t, aiccu_t) + corecmd_search_bin($1) +') + +######################################## +## +## Execute aiccu server in the aiccu domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`aiccu_initrc_domtrans',` + gen_require(` + type aiccu_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, aiccu_initrc_exec_t) +') + +######################################## +## +## Read aiccu PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`aiccu_read_pid_files',` + gen_require(` + type aiccu_var_run_t; + ') + + allow $1 aiccu_var_run_t:file read_file_perms; + files_search_pids($1) +') + +######################################## +## +## All of the rules required to administrate +## an aiccu environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`aiccu_admin',` + gen_require(` + type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t; + type aiccu_var_run_t; + ') + + allow $1 aiccu_t:process { ptrace signal_perms }; + ps_process_pattern($1, aiccu_t) + + aiccu_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 aiccu_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, aiccu_etc_t) + files_list_etc($1) + + admin_pattern($1, aiccu_var_run_t) + files_list_pids($1) +') diff --git a/aiccu.te b/aiccu.te new file mode 100644 index 0000000..6d685ba --- /dev/null +++ b/aiccu.te 
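Review bot: `aiccu_domtrans` calls `domtrans_pattern` before `corecmd_search_bin($1)`, and `aiccu_read_pid_files` grants the file permission before `files_search_pids($1)`; the comparable interfaces elsewhere in this series (`afs_domtrans`, `alsa_domtrans`, `aisexec_stream_connect`) put the search rule first. The resulting policy is identical, but swapping the two lines in each keeps the convention readable. `aiccu_admin` does cover `aiccu_etc_t` and `aiccu_var_run_t`, which are the only file types aiccu.te declares, so no gap there.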
@@ -0,0 +1,76 @@ +policy_module(aiccu, 1.0.0) + +######################################## +# +# Declarations +# + +type aiccu_t; +type aiccu_exec_t; +init_daemon_domain(aiccu_t, aiccu_exec_t) + +type aiccu_initrc_exec_t; +init_script_file(aiccu_initrc_exec_t) + +type aiccu_etc_t; +files_config_file(aiccu_etc_t) + +type aiccu_var_run_t; +files_pid_file(aiccu_var_run_t) + +######################################## +# +# aiccu local policy +# + +allow aiccu_t self:capability { kill net_admin net_raw }; +dontaudit aiccu_t self:capability sys_tty_config; +allow aiccu_t self:process signal; +allow aiccu_t self:fifo_file rw_fifo_file_perms; +allow aiccu_t self:netlink_route_socket create_netlink_socket_perms; +allow aiccu_t self:tcp_socket create_stream_socket_perms; +allow aiccu_t self:tun_socket create_socket_perms; +allow aiccu_t self:udp_socket create_stream_socket_perms; +allow aiccu_t self:unix_stream_socket create_stream_socket_perms; + +allow aiccu_t aiccu_etc_t:file read_file_perms; + +manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) + +kernel_read_system_state(aiccu_t) + +corecmd_exec_shell(aiccu_t) + +corenet_all_recvfrom_netlabel(aiccu_t) +corenet_all_recvfrom_unlabeled(aiccu_t) +corenet_tcp_sendrecv_generic_if(aiccu_t) +corenet_tcp_sendrecv_generic_node(aiccu_t) +corenet_tcp_sendrecv_generic_port(aiccu_t) +corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) +corenet_tcp_bind_generic_node(aiccu_t) +corenet_tcp_connect_sixxsconfig_port(aiccu_t) +corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) + +corenet_rw_tun_tap_dev(aiccu_t) + +domain_use_interactive_fds(aiccu_t) + +dev_read_rand(aiccu_t) +dev_read_urand(aiccu_t) + +files_read_etc_files(aiccu_t) + +logging_send_syslog_msg(aiccu_t) + +miscfiles_read_localization(aiccu_t) + +optional_policy(` + modutils_domtrans_insmod(aiccu_t) +') + +optional_policy(` + 
sysnet_domtrans_ifconfig(aiccu_t) + sysnet_dns_name_resolve(aiccu_t) +') diff --git a/aide.fc b/aide.fc new file mode 100644 index 0000000..7798464 --- /dev/null +++ b/aide.fc @@ -0,0 +1,6 @@ +/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh) + +/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh) + +/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh) +/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) diff --git a/aide.if b/aide.if new file mode 100644 index 0000000..838d25b --- /dev/null +++ b/aide.if @@ -0,0 +1,71 @@ +## Aide filesystem integrity checker + +######################################## +## +## Execute aide in the aide domain +## +## +## +## Domain allowed to transition. +## +## +# +interface(`aide_domtrans',` + gen_require(` + type aide_t, aide_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, aide_exec_t, aide_t) +') + +######################################## +## +## Execute aide programs in the AIDE domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to allow the AIDE domain. +## +## +# +interface(`aide_run',` + gen_require(` + type aide_t; + ') + + aide_domtrans($1) + role $2 types aide_t; +') + +######################################## +## +## All of the rules required to administrate +## an aide environment +## +## +## +## Domain allowed access. +## +## +## +# +interface(`aide_admin',` + gen_require(` + type aide_t, aide_db_t, aide_log_t; + ') + + allow $1 aide_t:process { ptrace signal_perms }; + ps_process_pattern($1, aide_t) + + files_list_etc($1) + admin_pattern($1, aide_db_t) + + logging_list_logs($1) + admin_pattern($1, aide_log_t) +') diff --git a/aide.te b/aide.te new file mode 100644 index 0000000..2509dd2 --- /dev/null +++ b/aide.te 
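Review bot: `allow aiccu_t self:udp_socket create_stream_socket_perms;` grants `listen`/`accept` on a datagram socket; every other module in this series uses `create_socket_perms` for `udp_socket` (afs, aisexec), and the `tcp_socket` rule two lines above already carries the stream set. It should be `allow aiccu_t self:udp_socket create_socket_perms;`. Separately, the domain combines `net_admin net_raw kill`, `corecmd_exec_shell`, `modutils_domtrans_insmod` and `sysnet_domtrans_ifconfig`; the shell grant in particular deserves a comment naming the helper that needs it, since a daemon that connects to the `sixxsconfig` port and can also run a shell is a spot an auditor will want explained. The `optional_policy` block containing the `sysnet_*` calls is what closes this hunk.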
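Review bot: `/var/lib/aide(/.*)` on the second spec lacks the trailing `?` that `/var/log/aide(/.*)?` has, so the `/var/lib/aide` directory itself is not matched and keeps the generic `/var/lib` label; aide.te gives `aide_t` only `manage_files_pattern` on `aide_db_t` with no directory filetrans, so a database file aide creates there inherits the parent's label rather than `aide_db_t`. It should read `/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh)`. Because this directory holds the integrity baseline the rest of the system trusts, its label is what keeps other domains' write access out.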
@@ -0,0 +1,42 @@ +policy_module(aide, 1.6.0) + +######################################## +# +# Declarations +# + +type aide_t; +type aide_exec_t; +application_domain(aide_t, aide_exec_t) + +# log files +type aide_log_t; +logging_log_file(aide_log_t) + +# aide database +type aide_db_t; +files_type(aide_db_t) + +######################################## +# +# aide local policy +# + +allow aide_t self:capability { dac_override fowner }; + +# database actions +manage_files_pattern(aide_t, aide_db_t, aide_db_t) + +# logs +manage_files_pattern(aide_t, aide_log_t, aide_log_t) +logging_log_filetrans(aide_t, aide_log_t, file) + +files_read_all_files(aide_t) + +logging_send_audit_msgs(aide_t) +# AIDE can be configured to log to syslog +logging_send_syslog_msg(aide_t) + +seutil_use_newrole_fds(aide_t) + +userdom_use_user_terminals(aide_t) diff --git a/aisexec.fc b/aisexec.fc new file mode 100644 index 0000000..7b4f4b9 --- /dev/null +++ b/aisexec.fc @@ -0,0 +1,9 @@ +/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0) + +/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0) + +/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0) + +/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0) + +/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) diff --git a/aisexec.if b/aisexec.if new file mode 100644 index 0000000..0370dba --- /dev/null +++ b/aisexec.if 
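Review bot: `files_read_all_files(aide_t)` is the single broadest rule in the module — presumably read on every file type on the system — and it is the one grant here without a comment, while the smaller ones carry `# database actions` and `# logs`. A line such as `# integrity checker: must read every file it baselines` above it would record that the scope is deliberate rather than a shortcut. The database and log types are written only by `aide_t` in this hunk, which is the right shape for an integrity baseline.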
@@ -0,0 +1,106 @@ +## Aisexec Cluster Engine + +######################################## +## +## Execute a domain transition to run aisexec. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`aisexec_domtrans',` + gen_require(` + type aisexec_t, aisexec_exec_t; + ') + + domtrans_pattern($1, aisexec_exec_t, aisexec_t) +') + +##################################### +## +## Connect to aisexec over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`aisexec_stream_connect',` + gen_require(` + type aisexec_t, aisexec_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t) +') + +####################################### +## +## Allow the specified domain to read aisexec's log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`aisexec_read_log',` + gen_require(` + type aisexec_var_log_t; + ') + + logging_search_logs($1) + list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t) + read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t) +') + +###################################### +## +## All of the rules required to administrate +## an aisexec environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the aisexecd domain. 
+## +## +## +# +interface(`aisexecd_admin',` + gen_require(` + type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t; + type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t; + type aisexec_initrc_exec_t; + ') + + allow $1 aisexec_t:process { ptrace signal_perms }; + ps_process_pattern($1, aisexec_t) + + init_labeled_script_domtrans($1, aisexec_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 aisexec_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + admin_pattern($1, aisexec_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, aisexec_var_log_t) + + files_list_pids($1) + admin_pattern($1, aisexec_var_run_t) + + files_list_tmp($1) + admin_pattern($1, aisexec_tmp_t) + + admin_pattern($1, aisexec_tmpfs_t) +') diff --git a/aisexec.te b/aisexec.te new file mode 100644 index 0000000..50b9b48 --- /dev/null +++ b/aisexec.te 
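Review bot: The admin interface is named `aisexecd_admin` while the module and every other interface in the file use the `aisexec_` prefix, and its description speaks of "the aisexecd domain" although the type it manages is `aisexec_t`; callers following the convention will look for `aisexec_admin` and not find it. Renaming it to `interface(`aisexec_admin',`` and fixing the description keeps it discoverable. Also `aisexec_domtrans` omits the `corecmd_search_bin($1)` that `afs_domtrans`, `aiccu_domtrans` and `alsa_domtrans` include, so a caller without its own search rule on bin directories cannot reach `/usr/sbin/aisexec`; `corecmd_search_bin($1)` before the `domtrans_pattern` line fixes that. The interface header starts on the previous line of the diff.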
@@ -0,0 +1,102 @@ +policy_module(aisexec, 1.1.0) + +######################################## +# +# Declarations +# + +type aisexec_t; +type aisexec_exec_t; +init_daemon_domain(aisexec_t, aisexec_exec_t) + +type aisexec_initrc_exec_t; +init_script_file(aisexec_initrc_exec_t) + +type aisexec_tmp_t; +files_tmp_file(aisexec_tmp_t) + +type aisexec_tmpfs_t; +files_tmpfs_file(aisexec_tmpfs_t) + +type aisexec_var_lib_t; +files_type(aisexec_var_lib_t) + +type aisexec_var_log_t; +logging_log_file(aisexec_var_log_t) + +type aisexec_var_run_t; +files_pid_file(aisexec_var_run_t) + +######################################## +# +# aisexec local policy +# + +allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner }; +allow aisexec_t self:process { setrlimit setsched signal }; +allow aisexec_t self:fifo_file rw_fifo_file_perms; +allow aisexec_t self:sem create_sem_perms; +allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow aisexec_t self:unix_dgram_socket create_socket_perms; +allow aisexec_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) +manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) +files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir }) + +manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t) +manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t) +fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file }) + +manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) +manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) +manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) +files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file }) + +manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) +manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) +logging_log_filetrans(aisexec_t, aisexec_var_log_t, { sock_file file }) + 
+manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) +manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) +files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) + +kernel_read_system_state(aisexec_t) + +corecmd_exec_bin(aisexec_t) + +corenet_udp_bind_netsupport_port(aisexec_t) +corenet_tcp_bind_reserved_port(aisexec_t) +corenet_udp_bind_cluster_port(aisexec_t) + +dev_read_urand(aisexec_t) + +files_manage_mounttab(aisexec_t) + +auth_use_nsswitch(aisexec_t) + +init_rw_script_tmp_files(aisexec_t) + +logging_send_syslog_msg(aisexec_t) + +miscfiles_read_localization(aisexec_t) + +userdom_rw_unpriv_user_semaphores(aisexec_t) +userdom_rw_unpriv_user_shared_mem(aisexec_t) + +optional_policy(` + ccs_stream_connect(aisexec_t) +') + +optional_policy(` + # to communication with RHCS + rhcs_rw_dlm_controld_semaphores(aisexec_t) + + rhcs_rw_fenced_semaphores(aisexec_t) + + rhcs_rw_gfs_controld_semaphores(aisexec_t) + rhcs_rw_gfs_controld_shm(aisexec_t) + + rhcs_rw_groupd_semaphores(aisexec_t) + rhcs_rw_groupd_shm(aisexec_t) +') diff --git a/alsa.fc b/alsa.fc new file mode 100644 index 0000000..d362d9c --- /dev/null +++ b/alsa.fc 
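Review bot: `corenet_tcp_bind_reserved_port(aisexec_t)` is granted, but the domain has no `self:tcp_socket` rule at all (only `udp_socket`, `unix_*_socket` and `sem`), so either the daemon cannot create the TCP socket it would bind or the rule is dead and should be dropped; the other modules in this series pair a bind rule with `create_stream_socket_perms` on `tcp_socket`. Separately, `userdom_rw_unpriv_user_semaphores`/`userdom_rw_unpriv_user_shared_mem` together with `ipc_owner` let the cluster daemon read and write SysV IPC objects belonging to unprivileged user domains; if that serves a specific client library, a comment such as `# <client>: shares SysV IPC with user sessions — confirm` would justify the exposure the way the `# to communication with RHCS` comment does for the `rhcs_*` block. That comment should also read `# to communicate with RHCS`.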
@@ -0,0 +1,20 @@
+HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+
+/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
diff --git a/alsa.if b/alsa.if
new file mode 100644
index 0000000..1392679
--- /dev/null
+++ b/alsa.if
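Review bot: `/usr/share/alsa/alsa\.conf` and `/usr/share/alsa/pcm(/.*)?` are labeled `alsa_etc_rw_t`, the same writable type as `/etc/asound\.state`, and the `alsa\.conf` entry is also missing the `--` file-type flag every other single-file spec in this hunk carries. alsa.te grants `alsa_t` `manage_files_pattern` on that type and alsa.if exports `alsa_manage_rw_config`, so any such domain may rewrite the distribution's default ALSA configuration under /usr/share; if only read access is intended there, a separate read-only type (or the generic /usr label) keeps the writable set confined to /etc. At minimum the line should read `/usr/share/alsa/alsa\.conf -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)`.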
@@ -0,0 +1,208 @@ +## Ainit ALSA configuration tool. + +######################################## +## +## Execute a domain transition to run Alsa. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`alsa_domtrans',` + gen_require(` + type alsa_t, alsa_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, alsa_exec_t, alsa_t) +') + +######################################## +## +## Execute a domain transition to run +## Alsa, and allow the specified role +## the Alsa domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`alsa_run',` + gen_require(` + type alsa_t; + ') + + alsa_domtrans($1) + role $2 types alsa_t; +') + +######################################## +## +## Read and write Alsa semaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_rw_semaphores',` + gen_require(` + type alsa_t; + ') + + allow $1 alsa_t:sem rw_sem_perms; +') + +######################################## +## +## Read and write Alsa shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_rw_shared_mem',` + gen_require(` + type alsa_t; + ') + + allow $1 alsa_t:shm rw_shm_perms; +') + +######################################## +## +## Read writable Alsa config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_read_rw_config',` + gen_require(` + type alsa_etc_rw_t; + ') + + files_search_etc($1) + allow $1 alsa_etc_rw_t:dir list_dir_perms; + read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + + ifdef(`distro_debian',` + files_search_usr($1) + ') +') + +######################################## +## +## Manage writable Alsa config files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`alsa_manage_rw_config',` + gen_require(` + type alsa_etc_rw_t; + ') + + files_search_etc($1) + allow $1 alsa_etc_rw_t:dir list_dir_perms; + manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + + ifdef(`distro_debian',` + files_search_usr($1) + ') +') + +######################################## +## +## Manage alsa home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_manage_home_files',` + gen_require(` + type alsa_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 alsa_home_t:file manage_file_perms; +') + +######################################## +## +## Read Alsa home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_read_home_files',` + gen_require(` + type alsa_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 alsa_home_t:file read_file_perms; +') + +######################################## +## +## Relabel alsa home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_relabel_home_files',` + gen_require(` + type alsa_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 alsa_home_t:file relabel_file_perms; +') + +######################################## +## +## Read Alsa lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_read_lib',` + gen_require(` + type alsa_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) +') diff --git a/alsa.te b/alsa.te new file mode 100644 index 0000000..dc1b088 --- /dev/null +++ b/alsa.te 
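Review bot: `alsa_read_rw_config` and `alsa_manage_rw_config` only call `files_search_usr($1)` inside `ifdef(`distro_debian',...)`, yet alsa.fc labels `/usr/share/alsa/alsa\.conf` and `/usr/share/alsa/pcm(/.*)?` as `alsa_etc_rw_t` unconditionally, so on other distributions a caller without its own /usr search rule receives the file permission but may be unable to reach those paths. Either make `files_search_usr($1)` unconditional in both interfaces or put the /usr/share entries in alsa.fc under the same `ifdef`. The manage variant might also want `manage_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)`, since alsa.te gives `alsa_t` itself `manage_lnk_files_pattern` on this type while the interface only allows reading links. `alsa_manage_rw_config`'s header starts on the previous diff line.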
@@ -0,0 +1,84 @@ +policy_module(alsa, 1.11.0) + +######################################## +# +# Declarations +# + +type alsa_t; +type alsa_exec_t; +init_system_domain(alsa_t, alsa_exec_t) +role system_r types alsa_t; + +type alsa_etc_rw_t; +files_config_file(alsa_etc_rw_t) + +type alsa_tmp_t; +files_tmp_file(alsa_tmp_t) + +type alsa_var_lib_t; +files_type(alsa_var_lib_t) + +type alsa_home_t; +userdom_user_home_content(alsa_home_t) + +######################################## +# +# Local policy +# + +allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }; +dontaudit alsa_t self:capability sys_admin; +allow alsa_t self:sem create_sem_perms; +allow alsa_t self:shm create_shm_perms; +allow alsa_t self:unix_stream_socket create_stream_socket_perms; +allow alsa_t self:unix_dgram_socket create_socket_perms; + +allow alsa_t alsa_home_t:file read_file_perms; + +manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) +manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) +files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) + +can_exec(alsa_t, alsa_exec_t) + +manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) +manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) +files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) +userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) + +manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) +manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) +files_search_var_lib(alsa_t) + +kernel_read_system_state(alsa_t) + +dev_read_sound(alsa_t) +dev_write_sound(alsa_t) +dev_read_sysfs(alsa_t) + +corecmd_exec_bin(alsa_t) + +files_read_etc_files(alsa_t) +files_read_usr_files(alsa_t) + +term_dontaudit_use_console(alsa_t) +term_dontaudit_use_generic_ptys(alsa_t) +term_dontaudit_use_all_ptys(alsa_t) + +auth_use_nsswitch(alsa_t) + +init_use_fds(alsa_t) + +logging_send_syslog_msg(alsa_t) + +miscfiles_read_localization(alsa_t) + +userdom_manage_unpriv_user_semaphores(alsa_t) 
+userdom_manage_unpriv_user_shared_mem(alsa_t) +userdom_search_user_home_dirs(alsa_t) + +optional_policy(` + hal_use_fds(alsa_t) + hal_write_log(alsa_t) +') diff --git a/amanda.fc b/amanda.fc new file mode 100644 index 0000000..e3e0701 --- /dev/null +++ b/amanda.fc @@ -0,0 +1,26 @@ +/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0) +/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) +/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0) +/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0) +# empty m4 string so the index macro is not invoked +/etc/amanda/.*/index`'(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) + +/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0) + +/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0) +/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0) +/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) +/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) +/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + +/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) + +/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0) +/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) +/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0) +/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0) +/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0) +# the null string in here because index is a m4 builtin function +/var/lib/amanda/[^/]+/index`'(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0) + +/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0) diff --git a/amanda.if b/amanda.if new file mode 100644 index 0000000..8498e97 --- /dev/null 
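Review bot: `alsa_t` is granted `dac_read_search` alongside `dac_override` with no comment; which capability the kernel consults for a failed DAC check depends on the access and kernel version, so listing both reads as deliberate only if the line says what needs full override, e.g. `# dac_override: <operation> — confirm`, otherwise the weaker `dac_read_search` alone may suffice for the `read_file_perms` the hunk grants on `alsa_home_t`. The same domain gets `setuid setgid ipc_owner` plus `userdom_manage_unpriv_user_shared_mem`/`userdom_manage_unpriv_user_semaphores`, and user roles can enter it through `alsa_run`, so a short block comment explaining that combination would help an auditor. The `optional_policy` block for `hal_*` closes the hunk and the module.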
+++ b/amanda.if 
@@ -0,0 +1,161 @@
+## Advanced Maryland Automatic Network Disk Archiver.
+
+########################################
+##
+## Execute a domain transition to run
+## Amanda recover.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`amanda_domtrans_recover',`
+ gen_require(`
+ type amanda_recover_t, amanda_recover_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
+')
+
+########################################
+##
+## Execute a domain transition to run
+## Amanda recover, and allow the specified
+## role the Amanda recover domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`amanda_run_recover',`
+ gen_require(`
+ type amanda_recover_t;
+ ')
+
+ amanda_domtrans_recover($1)
+ role $2 types amanda_recover_t;
+')
+
+########################################
+##
+## Search Amanda library directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amanda_search_lib',`
+ gen_require(`
+ type amanda_usr_lib_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 amanda_usr_lib_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read /etc/dumpdates.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`amanda_dontaudit_read_dumpdates',`
+ gen_require(`
+ type amanda_dumpdates_t;
+ ')
+
+ dontaudit $1 amanda_dumpdates_t:file { getattr read };
+')
+
+########################################
+##
+## Read and write /etc/dumpdates.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amanda_rw_dumpdates_files',`
+ gen_require(`
+ type amanda_dumpdates_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 amanda_dumpdates_t:file rw_file_perms;
+')
+
+########################################
+##
+## Search Amanda library directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amanda_manage_lib',`
+ gen_require(`
+ type amanda_usr_lib_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 amanda_usr_lib_t:dir manage_dir_perms;
+')
+
+########################################
+##
+## Read and append amanda logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amanda_append_log_files',`
+ gen_require(`
+ type amanda_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 amanda_log_t:file { read_file_perms append_file_perms };
+')
+
+#######################################
+##
+## Search Amanda var library directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amanda_search_var_lib',`
+ gen_require(`
+ type amanda_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 amanda_var_lib_t:dir search_dir_perms;
+')
diff --git a/amanda.te b/amanda.te
new file mode 100644
index 0000000..46d467c
--- /dev/null
+++ b/amanda.te
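Review bot: The summary above `amanda_manage_lib` reads `## Search Amanda library directories.` (the same text as `amanda_search_lib` earlier in the hunk), but the interface grants `manage_dir_perms`, so the generated documentation understates what a caller receives; change it to `## Create, read, write, and delete Amanda library directories.` The summary block itself sits at the end of the previous hunk line, the interface body here. Less important, the separator above `amanda_search_var_lib` is one `#` shorter than the others in this file.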
@@ -0,0 +1,211 @@
+policy_module(amanda, 1.13.0)
+
+#######################################
+#
+# Declarations
+#
+
+type amanda_t;
+type amanda_inetd_exec_t;
+inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+role system_r types amanda_t;
+
+type amanda_exec_t;
+domain_entry_file(amanda_t, amanda_exec_t)
+
+type amanda_log_t;
+logging_log_file(amanda_log_t)
+
+type amanda_config_t;
+files_type(amanda_config_t)
+
+type amanda_usr_lib_t;
+files_type(amanda_usr_lib_t)
+
+type amanda_var_lib_t;
+files_type(amanda_var_lib_t)
+
+type amanda_gnutarlists_t;
+files_type(amanda_gnutarlists_t)
+
+type amanda_tmp_t;
+files_tmp_file(amanda_tmp_t)
+
+type amanda_amandates_t;
+files_type(amanda_amandates_t)
+
+type amanda_dumpdates_t;
+files_type(amanda_dumpdates_t)
+
+type amanda_data_t;
+files_type(amanda_data_t)
+
+type amanda_recover_t;
+type amanda_recover_exec_t;
+application_domain(amanda_recover_t, amanda_recover_exec_t)
+role system_r types amanda_recover_t;
+
+type amanda_recover_dir_t;
+files_type(amanda_recover_dir_t)
+
+optional_policy(`
+ prelink_object_file(amanda_usr_lib_t)
+')
+
+########################################
+#
+# Amanda local policy
+#
+
+allow amanda_t self:capability { chown dac_override setuid kill };
+allow amanda_t self:process { setpgid signal };
+allow amanda_t self:fifo_file rw_fifo_file_perms;
+allow amanda_t self:unix_stream_socket create_stream_socket_perms;
+allow amanda_t self:unix_dgram_socket create_socket_perms;
+allow amanda_t self:tcp_socket create_stream_socket_perms;
+allow amanda_t self:udp_socket create_socket_perms;
+
+allow amanda_t amanda_amandates_t:file rw_file_perms;
+
+allow amanda_t amanda_config_t:file read_file_perms;
+
+manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
+
+allow amanda_t amanda_dumpdates_t:file rw_file_perms;
+
+can_exec(amanda_t, amanda_exec_t)
+can_exec(amanda_t, amanda_inetd_exec_t)
+
+allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
+allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
+allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
+
+manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+
+manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
+manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
+logging_log_filetrans(amanda_t, amanda_log_t, { file dir })
+
+manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
+manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
+files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
+
+kernel_read_system_state(amanda_t)
+kernel_read_kernel_sysctls(amanda_t)
+kernel_dontaudit_getattr_unlabeled_files(amanda_t)
+kernel_dontaudit_read_proc_symlinks(amanda_t)
+
+corecmd_exec_shell(amanda_t)
+corecmd_exec_bin(amanda_t)
+
+corenet_all_recvfrom_unlabeled(amanda_t)
+corenet_all_recvfrom_netlabel(amanda_t)
+corenet_tcp_sendrecv_generic_if(amanda_t)
+corenet_udp_sendrecv_generic_if(amanda_t)
+corenet_raw_sendrecv_generic_if(amanda_t)
+corenet_tcp_sendrecv_generic_node(amanda_t)
+corenet_udp_sendrecv_generic_node(amanda_t)
+corenet_raw_sendrecv_generic_node(amanda_t)
+corenet_tcp_sendrecv_all_ports(amanda_t)
+corenet_udp_sendrecv_all_ports(amanda_t)
+corenet_tcp_bind_generic_node(amanda_t)
+corenet_udp_bind_generic_node(amanda_t)
+corenet_tcp_bind_all_rpc_ports(amanda_t)
+corenet_tcp_bind_generic_port(amanda_t)
+corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+
+dev_getattr_all_blk_files(amanda_t)
+dev_getattr_all_chr_files(amanda_t)
+
+files_read_etc_files(amanda_t)
+files_read_etc_runtime_files(amanda_t)
+files_list_all(amanda_t)
+files_read_all_files(amanda_t)
+files_read_all_symlinks(amanda_t)
+files_read_all_blk_files(amanda_t)
+files_read_all_chr_files(amanda_t)
+files_getattr_all_pipes(amanda_t)
+files_getattr_all_sockets(amanda_t)
+
+fs_getattr_xattr_fs(amanda_t)
+fs_list_all(amanda_t)
+
+storage_raw_read_fixed_disk(amanda_t)
+storage_read_tape(amanda_t)
+storage_write_tape(amanda_t)
+
+auth_use_nsswitch(amanda_t)
+auth_read_shadow(amanda_t)
+
+logging_send_syslog_msg(amanda_t)
+
+########################################
+#
+# Amanda recover local policy
+#
+
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
+allow amanda_recover_t self:process { sigkill sigstop signal };
+allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
+allow amanda_recover_t self:unix_stream_socket { connect create read write };
+allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
+allow amanda_recover_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
+
+manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_system_state(amanda_recover_t)
+kernel_read_kernel_sysctls(amanda_recover_t)
+
+corecmd_exec_shell(amanda_recover_t)
+corecmd_exec_bin(amanda_recover_t)
+
+corenet_all_recvfrom_unlabeled(amanda_recover_t)
+corenet_all_recvfrom_netlabel(amanda_recover_t)
+corenet_tcp_sendrecv_generic_if(amanda_recover_t)
+corenet_udp_sendrecv_generic_if(amanda_recover_t)
+corenet_tcp_sendrecv_generic_node(amanda_recover_t)
+corenet_udp_sendrecv_generic_node(amanda_recover_t)
+corenet_tcp_sendrecv_all_ports(amanda_recover_t)
+corenet_udp_sendrecv_all_ports(amanda_recover_t)
+corenet_tcp_bind_generic_node(amanda_recover_t)
+corenet_udp_bind_generic_node(amanda_recover_t)
+corenet_tcp_bind_reserved_port(amanda_recover_t)
+corenet_tcp_connect_amanda_port(amanda_recover_t)
+corenet_sendrecv_amanda_client_packets(amanda_recover_t)
+
+domain_use_interactive_fds(amanda_recover_t)
+
+files_read_etc_files(amanda_recover_t)
+files_read_etc_runtime_files(amanda_recover_t)
+files_search_tmp(amanda_recover_t)
+files_search_pids(amanda_recover_t)
+
+auth_use_nsswitch(amanda_recover_t)
+
+fstools_domtrans(amanda_t)
+fstools_signal(amanda_t)
+
+logging_search_logs(amanda_recover_t)
+
+miscfiles_read_localization(amanda_recover_t)
+
+userdom_use_user_terminals(amanda_recover_t)
+userdom_search_user_home_content(amanda_recover_t)
diff --git a/amavis.fc b/amavis.fc
new file mode 100644
index 0000000..d96fdfa
--- /dev/null
+++ b/amavis.fc
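Review bot: `fstools_domtrans(amanda_t)` and `fstools_signal(amanda_t)` sit under the "Amanda recover local policy" heading but grant access to amanda_t, not amanda_recover_t, so a reader auditing what the inetd-spawned amanda_t domain can do (it already has `files_read_all_files`, `auth_read_shadow` and `storage_raw_read_fixed_disk` earlier in the hunk) will miss that it can also transition to the fstools domain; move the two lines up next to the other amanda_t rules, for example after `logging_send_syslog_msg(amanda_t)`. If fstools is not a required module in this build, wrapping them in `optional_policy(`...')` as the prelink call at the top of the file is would also be consistent. A short comment above `files_read_all_files(amanda_t)` stating that backup of arbitrary filesystem content requires it would tell the next reviewer the breadth is deliberate.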
@@ -0,0 +1,18 @@
+
+/etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+
+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
+/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
+')
+
+/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
+/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
+/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
+/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
diff --git a/amavis.if b/amavis.if
new file mode 100644
index 0000000..e31d92a
--- /dev/null
+++ b/amavis.if
@@ -0,0 +1,261 @@
+##
+## Daemon that interfaces mail transfer agents and content
+## checkers, such as virus scanners.
+##
+
+########################################
+##
+## Execute a domain transition to run amavis.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`amavis_domtrans',`
+ gen_require(`
+ type amavis_t, amavis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, amavis_exec_t, amavis_t)
+')
+
+########################################
+##
+## Execute amavis server in the amavis domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`amavis_initrc_domtrans',`
+ gen_require(`
+ type amavis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, amavis_initrc_exec_t)
+')
+
+########################################
+##
+## Read amavis spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amavis_read_spool_files',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+')
+
+########################################
+##
+## Manage amavis spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amavis_manage_spool_files',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, amavis_spool_t, amavis_spool_t)
+ manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
+')
+
+########################################
+##
+## Create objects in the amavis spool directories
+## with a private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Private file type.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+#
+interface(`amavis_spool_filetrans',`
+ gen_require(`
+ type amavis_spool_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, amavis_spool_t, $2, $3)
+')
+
+########################################
+##
+## Search amavis lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amavis_search_lib',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ allow $1 amavis_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read amavis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amavis_read_lib_files',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ read_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+ allow $1 amavis_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## amavis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amavis_manage_lib_files',`
+ gen_require(`
+ type amavis_var_lib_t;
+ ')
+
+ manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Set the attributes of amavis pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amavis_setattr_pid_files',`
+ gen_require(`
+ type amavis_var_run_t;
+ ')
+
+ allow $1 amavis_var_run_t:file setattr_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+##
+## Create of amavis pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amavis_create_pid_files',`
+ gen_require(`
+ type amavis_var_run_t;
+ ')
+
+ allow $1 amavis_var_run_t:file create_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an amavis environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`amavis_admin',`
+ gen_require(`
+ type amavis_t, amavis_tmp_t, amavis_var_log_t;
+ type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
+ type amavis_etc_t, amavis_quarantine_t;
+ type amavis_initrc_exec_t;
+ ')
+
+ allow $1 amavis_t:process { ptrace signal_perms };
+ ps_process_pattern($1, amavis_t)
+
+ amavis_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 amavis_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, amavis_etc_t)
+
+ admin_pattern($1, amavis_quarantine_t)
+
+ files_list_spool($1)
+ admin_pattern($1, amavis_spool_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, amavis_tmp_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, amavis_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, amavis_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, amavis_var_run_t)
+')
diff --git a/amavis.te b/amavis.te
new file mode 100644
index 0000000..d07d33b
--- /dev/null
+++ b/amavis.te
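Review bot: `amavis_create_pid_files`, earlier in this hunk, grants only `amavis_var_run_t:file create_file_perms` plus `files_search_pids($1)`; amavis.fc labels `/var/run/amavis(d)?(/.*)?` as amavis_var_run_t, so if the pid file is created inside that directory the caller also needs `search`/`add_name` on the amavis_var_run_t directory, which `create_files_pattern($1, amavis_var_run_t, amavis_var_run_t)` would supply — worth confirming against the daemon's actual pid path. The same question applies to `amavis_setattr_pid_files`, where `setattr_files_pattern($1, amavis_var_run_t, amavis_var_run_t)` would add the directory search. The summary `## Create of amavis pid files.` should read `## Create amavis pid files.`.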
@@ -0,0 +1,194 @@
+policy_module(amavis, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type amavis_t;
+type amavis_exec_t;
+domain_type(amavis_t)
+init_daemon_domain(amavis_t, amavis_exec_t)
+
+# configuration files
+type amavis_etc_t;
+files_config_file(amavis_etc_t)
+
+type amavis_initrc_exec_t;
+init_script_file(amavis_initrc_exec_t)
+
+# pid files
+type amavis_var_run_t;
+files_pid_file(amavis_var_run_t)
+
+# var/lib files
+type amavis_var_lib_t;
+files_type(amavis_var_lib_t)
+
+# log files
+type amavis_var_log_t;
+logging_log_file(amavis_var_log_t)
+
+# tmp files
+type amavis_tmp_t;
+files_tmp_file(amavis_tmp_t)
+
+# virus quarantine
+type amavis_quarantine_t;
+files_type(amavis_quarantine_t)
+
+type amavis_spool_t;
+files_type(amavis_spool_t)
+
+########################################
+#
+# amavis local policy
+#
+
+allow amavis_t self:capability { kill chown dac_override setgid setuid };
+dontaudit amavis_t self:capability sys_tty_config;
+allow amavis_t self:process { signal sigchld sigkill signull };
+allow amavis_t self:fifo_file rw_fifo_file_perms;
+allow amavis_t self:unix_stream_socket create_stream_socket_perms;
+allow amavis_t self:unix_dgram_socket create_socket_perms;
+allow amavis_t self:tcp_socket { listen accept };
+allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
+
+# configuration files
+allow amavis_t amavis_etc_t:dir list_dir_perms;
+read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
+read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
+
+can_exec(amavis_t, amavis_exec_t)
+
+# mail quarantine
+manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+
+# Spool Files
+manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+files_search_spool(amavis_t)
+
+# tmp files
+manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
+files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+
+# var/lib files for amavis
+manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+files_search_var_lib(amavis_t)
+
+# log files
+allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
+manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
+
+# pid file
+manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(amavis_t)
+# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
+kernel_dontaudit_list_proc(amavis_t)
+kernel_dontaudit_read_proc_symlinks(amavis_t)
+kernel_dontaudit_read_system_state(amavis_t)
+
+# find perl
+corecmd_exec_bin(amavis_t)
+corecmd_exec_shell(amavis_t)
+
+corenet_all_recvfrom_unlabeled(amavis_t)
+corenet_all_recvfrom_netlabel(amavis_t)
+corenet_tcp_sendrecv_generic_if(amavis_t)
+corenet_tcp_sendrecv_generic_node(amavis_t)
+corenet_tcp_bind_generic_node(amavis_t)
+corenet_udp_bind_generic_node(amavis_t)
+# amavis uses well-defined ports
+corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
+corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
+# just the other side not. ;-)
+corenet_tcp_sendrecv_all_ports(amavis_t)
+# connect to backchannel port
+corenet_tcp_connect_amavisd_send_port(amavis_t)
+# bind to incoming port
+corenet_tcp_bind_amavisd_recv_port(amavis_t)
+corenet_udp_bind_generic_port(amavis_t)
+corenet_dontaudit_udp_bind_all_ports(amavis_t)
+corenet_tcp_connect_razor_port(amavis_t)
+
+dev_read_rand(amavis_t)
+dev_read_urand(amavis_t)
+
+domain_use_interactive_fds(amavis_t)
+
+files_read_etc_files(amavis_t)
+files_read_etc_runtime_files(amavis_t)
+files_read_usr_files(amavis_t)
+
+fs_getattr_xattr_fs(amavis_t)
+
+auth_dontaudit_read_shadow(amavis_t)
+
+# uses uptime which reads utmp - redhat bug 561383
+init_read_utmp(amavis_t)
+init_stream_connect_script(amavis_t)
+
+logging_send_syslog_msg(amavis_t)
+
+miscfiles_read_generic_certs(amavis_t)
+miscfiles_read_localization(amavis_t)
+
+sysnet_dns_name_resolve(amavis_t)
+sysnet_use_ldap(amavis_t)
+
+userdom_dontaudit_search_user_home_dirs(amavis_t)
+
+# Cron handling
+cron_use_fds(amavis_t)
+cron_use_system_job_fds(amavis_t)
+cron_rw_pipes(amavis_t)
+
+mta_read_config(amavis_t)
+
+optional_policy(`
+ clamav_stream_connect(amavis_t)
+ clamav_domtrans_clamscan(amavis_t)
+')
+
+optional_policy(`
+ dcc_domtrans_client(amavis_t)
+ dcc_stream_connect_dccifd(amavis_t)
+')
+
+optional_policy(`
+ nslcd_stream_connect(amavis_t)
+')
+
+optional_policy(`
+ postfix_read_config(amavis_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(amavis_t)
+ pyzor_signal(amavis_t)
+')
+
+optional_policy(`
+ razor_domtrans(amavis_t)
+')
+
+optional_policy(`
+ spamassassin_exec(amavis_t)
+ spamassassin_exec_client(amavis_t)
+ spamassassin_read_lib_files(amavis_t)
+')
diff --git a/amtu.fc b/amtu.fc
new file mode 100644
index 0000000..d97160e
--- /dev/null
+++ b/amtu.fc
@@ -0,0 +1 @@
+/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
diff --git a/amtu.if b/amtu.if
new file mode 100644
index 0000000..be82315
--- /dev/null
+++ b/amtu.if
@@ -0,0 +1,46 @@
+## Abstract Machine Test Utility.
+
+########################################
+##
+## Execute a domain transition to run Amtu.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`amtu_domtrans',`
+ gen_require(`
+ type amtu_t, amtu_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, amtu_exec_t, amtu_t)
+')
+
+########################################
+##
+## Execute a domain transition to run
+## Amtu, and allow the specified role
+## the Amtu domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`amtu_run',`
+ gen_require(`
+ type amtu_t;
+ ')
+
+ amtu_domtrans($1)
+ role $2 types amtu_t;
+')
diff --git a/amtu.te b/amtu.te
new file mode 100644
index 0000000..057abb0
--- /dev/null
+++ b/amtu.te
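Review bot: `cron_use_fds(amavis_t)`, `cron_use_system_job_fds(amavis_t)`, `cron_rw_pipes(amavis_t)` and `mta_read_config(amavis_t)` are called unconditionally, while every other cross-service call in this section (clamav, dcc, nslcd, postfix, pyzor, razor, spamassassin) is wrapped in `optional_policy(`...')`; unless cron and mta are guaranteed to be present in every build of this policy, those four lines belong in their own `optional_policy` blocks as well, otherwise the module would not link when either is absent. Separately, the comment `# just the other side not. ;-)` above `corenet_tcp_sendrecv_all_ports(amavis_t)` does not say why the daemon needs every TCP port when the two lines above already name the amavisd send/receive ports; a comment naming the peer that uses an unreserved port, or a narrower `corenet_tcp_sendrecv_*` interface if one fits, would make the grant auditable. The amavis_t rules begin earlier in this hunk.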
@@ -0,0 +1,34 @@
+policy_module(amtu, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type amtu_t;
+type amtu_exec_t;
+domain_type(amtu_t)
+domain_entry_file(amtu_t, amtu_exec_t)
+
+########################################
+#
+# amtu local policy
+#
+
+kernel_read_system_state(amtu_t)
+
+files_manage_boot_files(amtu_t)
+files_read_etc_runtime_files(amtu_t)
+files_read_etc_files(amtu_t)
+
+logging_send_audit_msgs(amtu_t)
+
+userdom_use_user_terminals(amtu_t)
+
+optional_policy(`
+ nscd_dontaudit_search_pid(amtu_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(amtu_t)
+')
diff --git a/anaconda.fc b/anaconda.fc
new file mode 100644
index 0000000..b098089
--- /dev/null
+++ b/anaconda.fc
@@ -0,0 +1 @@
+# No file context specifications.
diff --git a/anaconda.if b/anaconda.if
new file mode 100644
index 0000000..14a61b7
--- /dev/null
+++ b/anaconda.if
@@ -0,0 +1 @@
+## Anaconda installer.
diff --git a/anaconda.te b/anaconda.te
new file mode 100644
index 0000000..e81bdbd
--- /dev/null
+++ b/anaconda.te
@@ -0,0 +1,59 @@
+policy_module(anaconda, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type anaconda_t;
+type anaconda_exec_t;
+domain_type(anaconda_t)
+domain_obj_id_change_exemption(anaconda_t)
+role system_r types anaconda_t;
+
+########################################
+#
+# Local policy
+#
+
+allow anaconda_t self:process execmem;
+
+kernel_domtrans_to(anaconda_t, anaconda_exec_t)
+
+init_domtrans_script(anaconda_t)
+
+libs_domtrans_ldconfig(anaconda_t)
+
+logging_send_syslog_msg(anaconda_t)
+
+modutils_domtrans_insmod(anaconda_t)
+modutils_domtrans_depmod(anaconda_t)
+
+seutil_domtrans_semanage(anaconda_t)
+
+userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ kudzu_domtrans(anaconda_t)
+')
+
+optional_policy(`
+ rpm_domtrans(anaconda_t)
+ rpm_domtrans_script(anaconda_t)
+')
+
+optional_policy(`
+ ssh_domtrans_keygen(anaconda_t)
+')
+
+optional_policy(`
+ udev_domtrans(anaconda_t)
+')
+
+optional_policy(`
+ unconfined_domain(anaconda_t)
+')
+
+optional_policy(`
+ usermanage_domtrans_admin_passwd(anaconda_t)
+')
diff --git a/apache.fc b/apache.fc
new file mode 100644
index 0000000..9e39aa5
--- /dev/null
+++ b/apache.fc
@@ -0,0 +1,111 @@
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+
+/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+
+/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+')
+
+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+
+/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+')
+
+/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
diff --git a/apache.if b/apache.if
new file mode 100644
index 0000000..6480167
--- /dev/null
+++ b/apache.if
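Review bot: `/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)` has a space before `s0`, unlike every other context in the file; write it `gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` so the entries stay uniform. Earlier in the hunk, `/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)` is the only single-file script entry without the `--` qualifier that `/usr/share/wordpress-mu/wp-config\.php -- ...` and the other script entries carry; adding `--` keeps a directory or symlink of that name from being labeled as an executable script type. `/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)` labels any `logs` directory at any depth under /var/www as httpd_log_t, including one inside a site's content tree; if that is intended, a one-line comment saying so would save the next person who hits a mislabeled content directory some time.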
@@ -0,0 +1,1218 @@
+## Apache web server
+
+########################################
+##
+## Create a set of derived types for apache
+## web content.
+##
+##
+##
+## The prefix to be used for deriving type names.
+##
+##
+#
+template(`apache_content_template',`
+ gen_require(`
+ attribute httpdcontent;
+ attribute httpd_exec_scripts;
+ attribute httpd_script_exec_type;
+ type httpd_t, httpd_suexec_t, httpd_log_t;
+ ')
+ # allow write access to public file transfer
+ # services files.
+ gen_tunable(allow_httpd_$1_script_anon_write, false)
+
+ #This type is for webpages
+ type httpd_$1_content_t, httpdcontent; # customizable
+ typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+ files_type(httpd_$1_content_t)
+
+ # This type is used for .htaccess files
+ type httpd_$1_htaccess_t; # customizable;
+ files_type(httpd_$1_htaccess_t)
+
+ # Type that CGI scripts run as
+ type httpd_$1_script_t;
+ domain_type(httpd_$1_script_t)
+ role system_r types httpd_$1_script_t;
+
+ # This type is used for executable scripts files
+ type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+ corecmd_shell_entry_type(httpd_$1_script_t)
+ domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
+
+ type httpd_$1_rw_content_t, httpdcontent; # customizable
+ typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+ files_type(httpd_$1_rw_content_t)
+
+ type httpd_$1_ra_content_t, httpdcontent; # customizable
+ typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+ files_type(httpd_$1_ra_content_t)
+
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
+
+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+ allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+
+ allow
httpd_$1_script_t self:fifo_file rw_file_perms;
+ allow httpd_$1_script_t self:unix_stream_socket connectto;
+
+ allow httpd_$1_script_t httpd_t:fifo_file write;
+ # apache should set close-on-exec
+ dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+ # Allow the script process to search the cgi directory, and users directory
+ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
+
+ append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
+ logging_search_logs(httpd_$1_script_t)
+
+ can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+
+ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+
+ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
+
+ kernel_dontaudit_search_sysctl(httpd_$1_script_t)
+ kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
+
+ dev_read_rand(httpd_$1_script_t)
+ dev_read_urand(httpd_$1_script_t)
+
+
corecmd_exec_all_executables(httpd_$1_script_t)
+
+ files_exec_etc_files(httpd_$1_script_t)
+ files_read_etc_files(httpd_$1_script_t)
+ files_search_home(httpd_$1_script_t)
+
+ libs_exec_ld_so(httpd_$1_script_t)
+ libs_exec_lib_files(httpd_$1_script_t)
+
+ miscfiles_read_fonts(httpd_$1_script_t)
+ miscfiles_read_public_files(httpd_$1_script_t)
+
+ seutil_dontaudit_search_config(httpd_$1_script_t)
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_$1_script_t httpdcontent:file entrypoint;
+
+ manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
+ can_exec(httpd_$1_script_t, httpdcontent)
+ ')
+
+ tunable_policy(`allow_httpd_$1_script_anon_write',`
+ miscfiles_manage_public_files(httpd_$1_script_t)
+ ')
+
+ # Allow the web server to run scripts and serve pages
+ tunable_policy(`httpd_builtin_scripting',`
+ manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+
+ allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+
+ allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+
+ allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_t,
httpd_$1_content_t, httpd_$1_content_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+ # apache runs the script:
+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+ allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+ allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+ allow httpd_$1_script_t self:process { setsched signal_perms };
+ allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow httpd_$1_script_t httpd_t:fd use;
+ allow httpd_$1_script_t httpd_t:process sigchld;
+
+ kernel_read_system_state(httpd_$1_script_t)
+
+ dev_read_urand(httpd_$1_script_t)
+
+ fs_getattr_xattr_fs(httpd_$1_script_t)
+
+ files_read_etc_runtime_files(httpd_$1_script_t)
+ files_read_usr_files(httpd_$1_script_t)
+
+ libs_read_lib_files(httpd_$1_script_t)
+
+ miscfiles_read_localization(httpd_$1_script_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+ nis_use_ypbind_uncond(httpd_$1_script_t)
+ ')
+ ')
+
+ optional_policy(`
+ postgresql_unpriv_client(httpd_$1_script_t)
+
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_$1_script_t)
+ ')
+ ')
+
+ optional_policy(`
+ nscd_socket_use(httpd_$1_script_t)
+ ')
+')
+
+########################################
+##
+## Role access for apache
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`apache_role',`
+ gen_require(`
+ attribute httpdcontent;
+ type httpd_user_content_t, httpd_user_htaccess_t;
+ type httpd_user_script_t, httpd_user_script_exec_t;
+ type httpd_user_ra_content_t, httpd_user_rw_content_t;
+ ')
+
+ role $1 types httpd_user_script_t;
+
+ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+
+
manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
+ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+
+ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+
+ tunable_policy(`httpd_enable_cgi',`
+ # If a user starts a script by hand it gets the proper context
+ domtrans_pattern($2,
httpd_user_script_exec_t, httpd_user_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ domtrans_pattern($2, httpdcontent, httpd_user_script_t)
+ ')
+')
+
+########################################
+##
+## Read httpd user scripts executables.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_read_user_scripts',`
+ gen_require(`
+ type httpd_user_script_exec_t;
+ ')
+
+ allow $1 httpd_user_script_exec_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
+')
+
+########################################
+##
+## Read user web content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_read_user_content',`
+ gen_require(`
+ type httpd_user_content_t;
+ ')
+
+ allow $1 httpd_user_content_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+ read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+')
+
+########################################
+##
+## Transition to apache.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apache_domtrans',`
+ gen_require(`
+ type httpd_t, httpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_exec_t, httpd_t)
+')
+
+#######################################
+##
+## Send a generic signal to apache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_signal',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process signal;
+')
+
+########################################
+##
+## Send a null signal to apache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_signull',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process signull;
+')
+
+########################################
+##
+## Send a SIGCHLD signal to apache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_sigchld',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process sigchld;
+')
+
+########################################
+##
+## Inherit and use file descriptors from Apache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_use_fds',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to read and write Apache
+## unnamed pipes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_rw_fifo_file',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write Apache
+## unix domain stream sockets.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## Do not audit attempts to read and write Apache
+## TCP sockets.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:tcp_socket { read write };
+')
+
+########################################
+##
+## Create, read, write, and delete all web content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_manage_all_content',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+ ')
+
+ manage_dirs_pattern($1, httpdcontent, httpdcontent)
+ manage_files_pattern($1, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern($1, httpdcontent, httpdcontent)
+
+ manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+')
+
+########################################
+##
+## Allow domain to set the attributes
+## of the APACHE cache directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_setattr_cache_dirs',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ allow $1 httpd_cache_t:dir setattr;
+')
+
+########################################
+##
+## Allow the specified domain to list
+## Apache cache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_list_cache',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+##
+## Allow the specified domain to read
+## and write Apache cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_rw_cache_files',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ allow $1 httpd_cache_t:file rw_file_perms;
+')
+
+########################################
+##
+## Allow the specified domain to delete
+## Apache cache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_delete_cache_files',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+##
+## Allow the specified domain to read
+## apache configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_read_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 httpd_config_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+')
+
+########################################
+##
+## Allow the specified domain to manage
+## apache configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
+ manage_files_pattern($1, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+')
+
+########################################
+##
+## Execute the Apache helper program with
+## a domain transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_domtrans_helper',`
+ gen_require(`
+ type httpd_helper_t, httpd_helper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
+')
+
+########################################
+##
+## Execute the Apache helper program with
+## a domain transition, and allow the
+## specified role the Apache helper domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`apache_run_helper',`
+ gen_require(`
+ type httpd_helper_t;
+ ')
+
+ apache_domtrans_helper($1)
+ role $2 types httpd_helper_t;
+')
+
+########################################
+##
+## Allow the specified domain to read
+## apache log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_read_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 httpd_log_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to append
+## to apache log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_append_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 httpd_log_t:dir list_dir_perms;
+ append_files_pattern($1, httpd_log_t, httpd_log_t)
+')
+
+########################################
+##
+## Do not audit attempts to append to the
+## Apache logs.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_append_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ dontaudit $1 httpd_log_t:file { getattr append };
+')
+
+########################################
+##
+## Allow the specified domain to manage
+## to apache log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
+ manage_files_pattern($1, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+')
+
+########################################
+##
+## Do not audit attempts to search Apache
+## module directories.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_search_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ dontaudit $1 httpd_modules_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Allow the specified domain to list
+## the contents of the apache modules
+## directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_list_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ allow $1 httpd_modules_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Allow the specified domain to execute
+## apache modules.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_exec_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ allow $1 httpd_modules_t:dir list_dir_perms;
+ allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
+ can_exec($1, httpd_modules_t)
+')
+
+########################################
+##
+## Execute a domain transition to run httpd_rotatelogs.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apache_domtrans_rotatelogs',`
+ gen_require(`
+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+ ')
+
+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+')
+
+########################################
+##
+## Allow the specified domain to list
+## apache system content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_list_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ files_search_var($1)
+')
+
+########################################
+##
+## Allow the specified domain to manage
+## apache system content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
+interface(`apache_manage_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+')
+
+########################################
+##
+## Execute all web scripts in the system
+## script domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+# cjp: this interface specifically added to allow
+# sysadm_t to run scripts
+interface(`apache_domtrans_sys_script',`
+ gen_require(`
+ attribute httpdcontent;
+ type httpd_sys_script_t;
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
+ ')
+')
+
+########################################
+##
+## Do not audit attempts to read and write Apache
+## system script unix domain stream sockets.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
+ gen_require(`
+ type httpd_sys_script_t;
+ ')
+
+ dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## Execute all user scripts in the user
+## script domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apache_domtrans_all_scripts',`
+ gen_require(`
+ attribute httpd_exec_scripts;
+ ')
+
+ typeattribute $1 httpd_exec_scripts;
+')
+
+########################################
+##
+## Execute all user scripts in the user
+## script domain. Add user script domains
+## to the specified role.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access..
+##
+##
+#
+interface(`apache_run_all_scripts',`
+ gen_require(`
+ attribute httpd_exec_scripts, httpd_script_domains;
+ ')
+
+ role $2 types httpd_script_domains;
+ apache_domtrans_all_scripts($1)
+')
+
+########################################
+##
+## Allow the specified domain to read
+## apache squirrelmail data.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_read_squirrelmail_data',`
+ gen_require(`
+ type httpd_squirrelmail_t;
+ ')
+
+ allow $1 httpd_squirrelmail_t:file read_file_perms;
+')
+
+########################################
+##
+## Allow the specified domain to append
+## apache squirrelmail data.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_append_squirrelmail_data',`
+ gen_require(`
+ type httpd_squirrelmail_t;
+ ')
+
+ allow $1 httpd_squirrelmail_t:file append_file_perms;
+')
+
+########################################
+##
+## Search apache system content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_search_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Read apache system content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_read_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+')
+
+########################################
+##
+## Search apache system CGI directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_search_sys_scripts',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_script_exec_t;
+ ')
+
+ search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
+')
+
+########################################
+##
+## Create, read, write, and delete all user web content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_manage_all_user_content',`
+ gen_require(`
+ attribute httpd_user_content_type, httpd_user_script_exec_type;
+ ')
+
+ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+
+ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+')
+
+########################################
+##
+## Search system script state directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_search_sys_script_state',`
+ gen_require(`
+ type httpd_sys_script_t;
+ ')
+
+ allow $1 httpd_sys_script_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Allow the specified domain to read
+## apache tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_read_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+')
+
+########################################
+##
+## Dontaudit attempts to write
+## apache tmp files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_write_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_tmp_t:file write_file_perms;
+')
+
+########################################
+##
+## Execute CGI in the specified domain.
+##
+##
+##

+## Execute CGI in the specified domain.
+##

+##

+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##

+##
+##
+##
+## Domain run the cgi script in.
+##
+##
+##
+##
+## Type of the executable to enter the cgi domain.
+##
+##
+#
+interface(`apache_cgi_domain',`
+ gen_require(`
+ type httpd_t, httpd_sys_script_exec_t;
+ ')
+
+ domtrans_pattern(httpd_t, $2, $1)
+ apache_search_sys_scripts($1)
+
+ allow httpd_t $1:process signal;
+')
+
+########################################
+##
+## All of the rules required to administrate an apache environment
+##
+##
+##
+## Prefix of the domain. Example, user would be
+## the prefix for the uder_t domain.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`apache_admin',`
+ gen_require(`
+ attribute httpdcontent;
+ attribute httpd_script_exec_type;
+
+ type httpd_t, httpd_config_t, httpd_log_t;
+ type httpd_modules_t, httpd_lock_t;
+ type httpd_var_run_t, httpd_php_tmp_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
+ type httpd_initrc_exec_t;
+ ')
+
+ allow $1 httpd_t:process { getattr ptrace signal_perms };
+ ps_process_pattern($1, httpd_t)
+
+ init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 httpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ apache_manage_all_content($1)
+ miscfiles_manage_public_files($1)
+
+ files_search_etc($1)
+ admin_pattern($1, httpd_config_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, httpd_log_t)
+
+ admin_pattern($1, httpd_modules_t)
+
+ admin_pattern($1, httpd_lock_t)
+ files_lock_filetrans($1, httpd_lock_t, file)
+
+ admin_pattern($1, httpd_var_run_t)
+ files_pid_filetrans($1, httpd_var_run_t, file)
+
+ kernel_search_proc($1)
+ allow $1 httpd_t:dir list_dir_perms;
+
+ read_lnk_files_pattern($1, httpd_t, httpd_t)
+
+ admin_pattern($1, httpdcontent)
+ admin_pattern($1, httpd_script_exec_type)
+ admin_pattern($1, httpd_tmp_t)
+ admin_pattern($1, httpd_php_tmp_t)
+ admin_pattern($1, httpd_suexec_tmp_t)
+')
diff --git a/apache.te b/apache.te
new file mode 100644
index 0000000..5b02edb
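Review bot: The `apache_admin` header documents three parameters (a domain prefix, a domain and a role) but the body only uses `$1` as the admin domain and `$2` as the role, so the leading "Prefix of the domain … the prefix for the uder_t domain" parameter block is stale and should be dropped (and `uder_t` read as `user_t`), leaving `$1` documented as "Domain allowed access" and `$2` as "Role allowed access". In `apache_content_template`, `httpd_$1_content_t` is listed twice in the `httpd_suexec_t` dir-search set, and the three lines `allow httpd_t httpd_$1_content_t:dir list_dir_perms;` / `read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)` / `read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)` are emitted twice inside the `httpd_builtin_scripting` tunable; both duplicates are harmless to the compiled policy but should go. The same template grants every derived CGI domain `corecmd_exec_all_executables`, `files_search_home` and `files_read_etc_files` outside any `tunable_policy`, which deserves a why-comment such as `# CGI script domains may execute any system executable regardless of httpd_enable_cgi; narrow this in a site-specific template if needed` so reviewers do not assume the tunable gates it. `apache_cgi_domain` also requires `httpd_sys_script_exec_t` without referencing it directly (the search is delegated to `apache_search_sys_scripts`), so its `gen_require` could be trimmed to `type httpd_t;`.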
--- /dev/null
+++ b/apache.te
@@ -0,0 +1,901 @@
+policy_module(apache, 2.3.0)
+
+#
+# NOTES:
+# This policy will work with SUEXEC enabled as part of the Apache
+# configuration. However, the user CGI scripts will run under the
+# system_u:system_r:httpd_user_script_t.
+#
+# The user CGI scripts must be labeled with the httpd_user_script_exec_t
+# type, and the directory containing the scripts should also be labeled
+# with these types. This policy allows the user role to perform that
+# relabeling. If it is desired that only admin role should be able to relabel
+# the user CGI scripts, then relabel rule for user roles should be removed.
+#
+
+########################################
+#
+# Declarations
+#
+
+##
+##

+## Allow Apache to modify public files
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+##

+##
+gen_tunable(allow_httpd_anon_write, false)
+
+##
+##

+## Allow Apache to use mod_auth_pam
+##

+##
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
+##
+##

+## Allow httpd to use built in scripting (usually php)
+##

+##
+gen_tunable(httpd_builtin_scripting, false)
+
+##
+##

+## Allow HTTPD scripts and modules to connect to the network using TCP.
+##

+##
+gen_tunable(httpd_can_network_connect, false)
+
+##
+##

+## Allow HTTPD scripts and modules to connect to databases over the network.
+##

+##
+gen_tunable(httpd_can_network_connect_db, false)
+
+##
+##

+## Allow httpd to act as a relay
+##

+##
+gen_tunable(httpd_can_network_relay, false)
+
+##
+##

+## Allow http daemon to send mail
+##

+##
+gen_tunable(httpd_can_sendmail, false)
+
+##
+##

+## Allow Apache to communicate with avahi service via dbus
+##

+##
+gen_tunable(httpd_dbus_avahi, false)
+
+##
+##

+## Allow httpd cgi support
+##

+##
+gen_tunable(httpd_enable_cgi, false)
+
+##
+##

+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+##

+##
+gen_tunable(httpd_enable_ftp_server, false)
+
+##
+##

+## Allow httpd to read home directories
+##

+##
+gen_tunable(httpd_enable_homedirs, false)
+
+##
+##

+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+##

+##
+gen_tunable(httpd_ssi_exec, false)
+
+##
+##

+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
+##

+##
+gen_tunable(httpd_tty_comm, false)
+
+##
+##

+## Unify HTTPD handling of all content files.
+##

+##
+gen_tunable(httpd_unified, false)
+
+##
+##

+## Allow httpd to access cifs file systems
+##

+##
+gen_tunable(httpd_use_cifs, false)
+
+##
+##

+## Allow httpd to run gpg
+##

+##
+gen_tunable(httpd_use_gpg, false)
+
+##
+##

+## Allow httpd to access nfs file systems
+##

+##
+gen_tunable(httpd_use_nfs, false)
+
+attribute httpdcontent;
+attribute httpd_user_content_type;
+
+# domains that can exec all users scripts
+attribute httpd_exec_scripts;
+
+attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
+
+# user script domains
+attribute httpd_script_domains;
+
+type httpd_t;
+type httpd_exec_t;
+init_daemon_domain(httpd_t, httpd_exec_t)
+role system_r types httpd_t;
+
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
+type httpd_cache_t;
+files_type(httpd_cache_t)
+
+# httpd_config_t is the type given to the configuration files
+type httpd_config_t;
+files_type(httpd_config_t)
+
+type httpd_helper_t;
+type httpd_helper_exec_t;
+domain_type(httpd_helper_t)
+domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
+role system_r types httpd_helper_t;
+
+type httpd_initrc_exec_t;
+init_script_file(httpd_initrc_exec_t)
+
+type httpd_lock_t;
+files_lock_file(httpd_lock_t)
+
+type httpd_log_t;
+logging_log_file(httpd_log_t)
+
+# httpd_modules_t is the type given to module files (libraries)
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
+type httpd_modules_t;
+files_type(httpd_modules_t)
+
+type httpd_php_t;
+type httpd_php_exec_t;
+domain_type(httpd_php_t)
+domain_entry_file(httpd_php_t, httpd_php_exec_t)
+role system_r types httpd_php_t;
+
+type httpd_php_tmp_t;
+files_tmp_file(httpd_php_tmp_t)
+
+type httpd_rotatelogs_t;
+type httpd_rotatelogs_exec_t;
+init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+
+type httpd_squirrelmail_t;
+files_type(httpd_squirrelmail_t)
+
+# SUEXEC runs user scripts as their own user ID
+type httpd_suexec_t; #, daemon;
+type httpd_suexec_exec_t;
+domain_type(httpd_suexec_t)
+domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
+role system_r types httpd_suexec_t;
+
+type httpd_suexec_tmp_t;
+files_tmp_file(httpd_suexec_tmp_t)
+
+# setup the system domain for system CGI scripts
+apache_content_template(sys)
+typealias httpd_sys_content_t alias ntop_http_content_t; + +type httpd_tmp_t; +files_tmp_file(httpd_tmp_t) + +type httpd_tmpfs_t; +files_tmpfs_file(httpd_tmpfs_t) + +apache_content_template(user) +ubac_constrained(httpd_user_script_t) +userdom_user_home_content(httpd_user_content_t) +userdom_user_home_content(httpd_user_htaccess_t) +userdom_user_home_content(httpd_user_script_exec_t) +userdom_user_home_content(httpd_user_ra_content_t) +userdom_user_home_content(httpd_user_rw_content_t) +typeattribute httpd_user_script_t httpd_script_domains; +typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; +typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; +typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; +typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; +typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; +typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; +typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t }; +typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t }; +typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t }; +typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t }; +typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t }; +typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t }; +typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; +typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; + +# for apache2 memory mapped files +type httpd_var_lib_t; +files_type(httpd_var_lib_t) + +type httpd_var_run_t; 
+files_pid_file(httpd_var_run_t) + +# File Type of squirrelmail attachments +type squirrelmail_spool_t; +files_tmp_file(squirrelmail_spool_t) + +optional_policy(` + prelink_object_file(httpd_modules_t) +') + +######################################## +# +# Apache server local policy +# + +allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; +dontaudit httpd_t self:capability { net_admin sys_tty_config }; +allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow httpd_t self:fd use; +allow httpd_t self:sock_file read_sock_file_perms; +allow httpd_t self:fifo_file rw_fifo_file_perms; +allow httpd_t self:shm create_shm_perms; +allow httpd_t self:sem create_sem_perms; +allow httpd_t self:msgq create_msgq_perms; +allow httpd_t self:msg { send receive }; +allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow httpd_t self:tcp_socket create_stream_socket_perms; +allow httpd_t self:udp_socket create_socket_perms; + +# Allow httpd_t to put files in /var/cache/httpd etc +manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) +manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) +manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) + +# Allow the httpd_t to read the web servers config files +allow httpd_t httpd_config_t:dir list_dir_perms; +read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) +read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) + +can_exec(httpd_t, httpd_exec_t) + +allow httpd_t httpd_lock_t:file manage_file_perms; +files_lock_filetrans(httpd_t, httpd_lock_t, file) + +allow httpd_t httpd_log_t:dir setattr; +create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +read_lnk_files_pattern(httpd_t, httpd_log_t, 
httpd_log_t) +# cjp: need to refine create interfaces to +# cut this back to add_name only +logging_log_filetrans(httpd_t, httpd_log_t, file) + +allow httpd_t httpd_modules_t:dir list_dir_perms; +mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) + +apache_domtrans_rotatelogs(httpd_t) +# Apache-httpd needs to be able to send signals to the log rotate procs. +allow httpd_t httpd_rotatelogs_t:process signal_perms; + +manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) +manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) +manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) + +allow httpd_t httpd_suexec_exec_t:file read_file_perms; + +allow httpd_t httpd_sys_content_t:dir list_dir_perms; +read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) + +allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; + +manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file }) + +manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) +files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) + +setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +manage_dirs_pattern(httpd_t, 
httpd_var_run_t, httpd_var_run_t) +manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir }) + +manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) + +kernel_read_kernel_sysctls(httpd_t) +# for modules that want to access /proc/meminfo +kernel_read_system_state(httpd_t) + +corenet_all_recvfrom_unlabeled(httpd_t) +corenet_all_recvfrom_netlabel(httpd_t) +corenet_tcp_sendrecv_generic_if(httpd_t) +corenet_udp_sendrecv_generic_if(httpd_t) +corenet_tcp_sendrecv_generic_node(httpd_t) +corenet_udp_sendrecv_generic_node(httpd_t) +corenet_tcp_sendrecv_all_ports(httpd_t) +corenet_udp_sendrecv_all_ports(httpd_t) +corenet_tcp_bind_generic_node(httpd_t) +corenet_tcp_bind_http_port(httpd_t) +corenet_tcp_bind_http_cache_port(httpd_t) +corenet_sendrecv_http_server_packets(httpd_t) +# Signal self for shutdown +corenet_tcp_connect_http_port(httpd_t) + +dev_read_sysfs(httpd_t) +dev_read_rand(httpd_t) +dev_read_urand(httpd_t) +dev_rw_crypto(httpd_t) + +fs_getattr_all_fs(httpd_t) +fs_search_auto_mountpoints(httpd_t) + +auth_use_nsswitch(httpd_t) + +# execute perl +corecmd_exec_bin(httpd_t) +corecmd_exec_shell(httpd_t) + +domain_use_interactive_fds(httpd_t) + +files_dontaudit_getattr_all_pids(httpd_t) +files_read_usr_files(httpd_t) +files_list_mnt(httpd_t) +files_search_spool(httpd_t) +files_read_var_lib_files(httpd_t) +files_search_home(httpd_t) +files_getattr_home_dir(httpd_t) +# for modules that want to access /etc/mtab +files_read_etc_runtime_files(httpd_t) +# Allow httpd_t to have access to files such as nisswitch.conf +files_read_etc_files(httpd_t) +# for tomcat +files_read_var_lib_symlinks(httpd_t) + +fs_search_auto_mountpoints(httpd_sys_script_t) + 
+libs_read_lib_files(httpd_t) + +logging_send_syslog_msg(httpd_t) + +miscfiles_read_localization(httpd_t) +miscfiles_read_fonts(httpd_t) +miscfiles_read_public_files(httpd_t) +miscfiles_read_generic_certs(httpd_t) + +seutil_dontaudit_search_config(httpd_t) + +userdom_use_unpriv_users_fds(httpd_t) + +tunable_policy(`allow_httpd_anon_write',` + miscfiles_manage_public_files(httpd_t) +') + +ifdef(`TODO', ` +# +# We need optionals to be able to be within booleans to make this work +# +tunable_policy(`allow_httpd_mod_auth_pam',` + auth_domtrans_chk_passwd(httpd_t) +') +') + +tunable_policy(`httpd_can_network_connect',` + corenet_tcp_connect_all_ports(httpd_t) +') + +tunable_policy(`httpd_can_network_relay',` + # allow httpd to work as a relay + corenet_tcp_connect_gopher_port(httpd_t) + corenet_tcp_connect_ftp_port(httpd_t) + corenet_tcp_connect_http_port(httpd_t) + corenet_tcp_connect_http_cache_port(httpd_t) + corenet_tcp_connect_memcache_port(httpd_t) + corenet_sendrecv_gopher_client_packets(httpd_t) + corenet_sendrecv_ftp_client_packets(httpd_t) + corenet_sendrecv_http_client_packets(httpd_t) + corenet_sendrecv_http_cache_client_packets(httpd_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` + fs_nfs_domtrans(httpd_t, httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` + fs_cifs_domtrans(httpd_t, httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` + domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) + + manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_t, httpdcontent, httpdcontent) + manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) +') + +tunable_policy(`httpd_enable_ftp_server',` + corenet_tcp_bind_ftp_port(httpd_t) +') + +tunable_policy(`httpd_enable_homedirs',` + userdom_read_user_home_content_files(httpd_t) +') + +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_t) + 
fs_read_nfs_symlinks(httpd_t) +') + +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_t) + fs_read_cifs_symlinks(httpd_t) +') + +tunable_policy(`httpd_can_sendmail',` + # allow httpd to connect to mail servers + corenet_tcp_connect_smtp_port(httpd_t) + corenet_sendrecv_smtp_client_packets(httpd_t) + mta_send_mail(httpd_t) +') + +tunable_policy(`httpd_ssi_exec',` + corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) + allow httpd_sys_script_t httpd_t:fd use; + allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; + allow httpd_sys_script_t httpd_t:process sigchld; +') + +# When the admin starts the server, the server wants to access +# the TTY or PTY associated with the session. The httpd appears +# to run correctly without this permission, so the permission +# are dontaudited here. +tunable_policy(`httpd_tty_comm',` + userdom_use_user_terminals(httpd_t) +',` + userdom_dontaudit_use_user_terminals(httpd_t) +') + +optional_policy(` + calamaris_read_www_files(httpd_t) +') + +optional_policy(` + ccs_read_config(httpd_t) +') + +optional_policy(` + cobbler_search_lib(httpd_t) +') + +optional_policy(` + cron_system_entry(httpd_t, httpd_exec_t) +') + +optional_policy(` + cvs_read_data(httpd_t) +') + +optional_policy(` + daemontools_service_domain(httpd_t, httpd_exec_t) +') + + optional_policy(` + dbus_system_bus_client(httpd_t) + + tunable_policy(`httpd_dbus_avahi',` + avahi_dbus_chat(httpd_t) + ') +') + +optional_policy(` + tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` + gpg_domtrans(httpd_t) + ') +') + +optional_policy(` + kerberos_keytab_template(httpd, httpd_t) +') + +optional_policy(` + mailman_signal_cgi(httpd_t) + mailman_domtrans_cgi(httpd_t) + mailman_read_data_files(httpd_t) + # should have separate types for public and private archives + mailman_search_data(httpd_t) + mailman_read_archive(httpd_t) +') + +optional_policy(` + # Allow httpd to work with mysql + mysql_stream_connect(httpd_t) + 
mysql_rw_db_sockets(httpd_t) + + tunable_policy(`httpd_can_network_connect_db',` + mysql_tcp_connect(httpd_t) + ') +') + +optional_policy(` + nagios_read_config(httpd_t) +') + +optional_policy(` + openca_domtrans(httpd_t) + openca_signal(httpd_t) + openca_sigstop(httpd_t) + openca_kill(httpd_t) +') + +optional_policy(` + # Allow httpd to work with postgresql + postgresql_stream_connect(httpd_t) + postgresql_unpriv_client(httpd_t) + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_t) + ') +') + +optional_policy(` + seutil_sigchld_newrole(httpd_t) +') + +optional_policy(` + snmp_dontaudit_read_snmp_var_lib_files(httpd_t) + snmp_dontaudit_write_snmp_var_lib_files(httpd_t) +') + +optional_policy(` + udev_read_db(httpd_t) +') + +optional_policy(` + yam_read_content(httpd_t) +') + +######################################## +# +# Apache helper local policy +# + +domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) + +allow httpd_helper_t httpd_config_t:file read_file_perms; + +allow httpd_helper_t httpd_log_t:file append_file_perms; + +logging_send_syslog_msg(httpd_helper_t) + +userdom_use_user_terminals(httpd_helper_t) + +######################################## +# +# Apache PHP script local policy +# + +allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow httpd_php_t self:fd use; +allow httpd_php_t self:fifo_file rw_fifo_file_perms; +allow httpd_php_t self:sock_file read_sock_file_perms; +allow httpd_php_t self:unix_dgram_socket create_socket_perms; +allow httpd_php_t self:unix_stream_socket create_stream_socket_perms; +allow httpd_php_t self:unix_dgram_socket sendto; +allow httpd_php_t self:unix_stream_socket connectto; +allow httpd_php_t self:shm create_shm_perms; +allow httpd_php_t self:sem create_sem_perms; +allow httpd_php_t self:msgq create_msgq_perms; +allow httpd_php_t self:msg { send receive }; + +domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t) + 
+# allow php to read and append to apache logfiles +allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms }; + +manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) +manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) +files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir }) + +fs_search_auto_mountpoints(httpd_php_t) + +auth_use_nsswitch(httpd_php_t) + +libs_exec_lib_files(httpd_php_t) + +userdom_use_unpriv_users_fds(httpd_php_t) + +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mysqld_port(httpd_t) + corenet_sendrecv_mysqld_client_packets(httpd_t) + corenet_tcp_connect_mysqld_port(httpd_sys_script_t) + corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) + corenet_tcp_connect_mysqld_port(httpd_suexec_t) + corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) + + corenet_tcp_connect_mssql_port(httpd_t) + corenet_sendrecv_mssql_client_packets(httpd_t) + corenet_tcp_connect_mssql_port(httpd_sys_script_t) + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) + corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) +') + +optional_policy(` + mysql_stream_connect(httpd_php_t) + mysql_read_config(httpd_php_t) +') + +optional_policy(` + postgresql_stream_connect(httpd_php_t) +') + +######################################## +# +# Apache suexec local policy +# + +allow httpd_suexec_t self:capability { setuid setgid }; +allow httpd_suexec_t self:process signal_perms; +allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; + +domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) + +create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) +append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) +read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) + +allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; + +manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) 
+manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) + +kernel_read_kernel_sysctls(httpd_suexec_t) +kernel_list_proc(httpd_suexec_t) +kernel_read_proc_symlinks(httpd_suexec_t) + +dev_read_urand(httpd_suexec_t) + +fs_search_auto_mountpoints(httpd_suexec_t) + +# for shell scripts +corecmd_exec_bin(httpd_suexec_t) +corecmd_exec_shell(httpd_suexec_t) + +files_read_etc_files(httpd_suexec_t) +files_read_usr_files(httpd_suexec_t) +files_dontaudit_search_pids(httpd_suexec_t) +files_search_home(httpd_suexec_t) + +auth_use_nsswitch(httpd_suexec_t) + +logging_search_logs(httpd_suexec_t) +logging_send_syslog_msg(httpd_suexec_t) + +miscfiles_read_localization(httpd_suexec_t) +miscfiles_read_public_files(httpd_suexec_t) + +tunable_policy(`httpd_can_network_connect',` + allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; + allow httpd_suexec_t self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled(httpd_suexec_t) + corenet_all_recvfrom_netlabel(httpd_suexec_t) + corenet_tcp_sendrecv_generic_if(httpd_suexec_t) + corenet_udp_sendrecv_generic_if(httpd_suexec_t) + corenet_tcp_sendrecv_generic_node(httpd_suexec_t) + corenet_udp_sendrecv_generic_node(httpd_suexec_t) + corenet_tcp_sendrecv_all_ports(httpd_suexec_t) + corenet_udp_sendrecv_all_ports(httpd_suexec_t) + corenet_tcp_connect_all_ports(httpd_suexec_t) + corenet_sendrecv_all_client_packets(httpd_suexec_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpdcontent:file entrypoint; + domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) + +') + +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_suexec_t) + fs_read_nfs_symlinks(httpd_suexec_t) + fs_exec_nfs_files(httpd_suexec_t) +') + +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_suexec_t) + 
fs_read_cifs_symlinks(httpd_suexec_t) + fs_exec_cifs_files(httpd_suexec_t) +') + +optional_policy(` + mailman_domtrans_cgi(httpd_suexec_t) +') + +optional_policy(` + mta_stub(httpd_suexec_t) + + # apache should set close-on-exec + dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; +') + +######################################## +# +# Apache system script local policy +# + +allow httpd_sys_script_t self:process getsched; + +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; +allow httpd_sys_script_t httpd_t:tcp_socket { read write }; + +dontaudit httpd_sys_script_t httpd_config_t:dir search; + +allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; + +allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; +read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) +read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) + +kernel_read_kernel_sysctls(httpd_sys_script_t) + +files_search_var_lib(httpd_sys_script_t) +files_search_spool(httpd_sys_script_t) + +# Should we add a boolean? 
+apache_domtrans_rotatelogs(httpd_sys_script_t) + +ifdef(`distro_redhat',` + allow httpd_sys_script_t httpd_log_t:file append_file_perms; +') + +tunable_policy(`httpd_can_sendmail',` + mta_send_mail(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; + + corenet_tcp_bind_all_nodes(httpd_sys_script_t) + corenet_udp_bind_all_nodes(httpd_sys_script_t) + corenet_all_recvfrom_unlabeled(httpd_sys_script_t) + corenet_all_recvfrom_netlabel(httpd_sys_script_t) + corenet_tcp_sendrecv_all_if(httpd_sys_script_t) + corenet_udp_sendrecv_all_if(httpd_sys_script_t) + corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) + corenet_udp_sendrecv_all_nodes(httpd_sys_script_t) + corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) + corenet_udp_sendrecv_all_ports(httpd_sys_script_t) + corenet_tcp_connect_all_ports(httpd_sys_script_t) + corenet_sendrecv_all_client_packets(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_homedirs',` + userdom_read_user_home_content_files(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) +') + +optional_policy(` + clamav_domtrans_clamscan(httpd_sys_script_t) +') + +optional_policy(` + mysql_stream_connect(httpd_sys_script_t) + mysql_rw_db_sockets(httpd_sys_script_t) +') + +optional_policy(` + postgresql_stream_connect(httpd_sys_script_t) +') + +######################################## +# +# httpd_rotatelogs local policy +# + +allow httpd_rotatelogs_t self:capability dac_override; + +manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) + +kernel_read_kernel_sysctls(httpd_rotatelogs_t) 
+kernel_dontaudit_list_proc(httpd_rotatelogs_t) +kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) + +files_read_etc_files(httpd_rotatelogs_t) + +logging_search_logs(httpd_rotatelogs_t) + +miscfiles_read_localization(httpd_rotatelogs_t) + +######################################## +# +# Unconfined script local policy +# + +optional_policy(` + type httpd_unconfined_script_t; + type httpd_unconfined_script_exec_t; + domain_type(httpd_unconfined_script_t) + domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) + domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) + unconfined_domain(httpd_unconfined_script_t) + + role system_r types httpd_unconfined_script_t; + allow httpd_t httpd_unconfined_script_t:process signal_perms; +') + +######################################## +# +# User content local policy +# + +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_user_script_t httpdcontent:file entrypoint; +') + +# allow accessing files/dirs below the users home dir +tunable_policy(`httpd_enable_homedirs',` + userdom_search_user_home_dirs(httpd_t) + userdom_search_user_home_dirs(httpd_suexec_t) + userdom_search_user_home_dirs(httpd_user_script_t) +') diff --git a/apcupsd.fc b/apcupsd.fc new file mode 100644 index 0000000..cd07b96 --- /dev/null +++ b/apcupsd.fc 
@@ -0,0 +1,15 @@
+/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+
+/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+
+/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
+/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
diff --git a/apcupsd.if b/apcupsd.if
new file mode 100644
index 0000000..e342775
--- /dev/null
+++ b/apcupsd.if
@@ -0,0 +1,168 @@
+## APC UPS monitoring daemon
+
+########################################
+##
+## Execute a domain transition to run apcupsd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apcupsd_domtrans',`
+ gen_require(`
+ type apcupsd_t, apcupsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
+')
+
+########################################
+##
+## Execute apcupsd server in the apcupsd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apcupsd_initrc_domtrans',`
+ gen_require(`
+ type apcupsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+')
+
+########################################
+##
+## Read apcupsd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apcupsd_read_pid_files',`
+ gen_require(`
+ type apcupsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 apcupsd_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Allow the specified domain to read apcupsd's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apcupsd_read_log',`
+ gen_require(`
+ type apcupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 apcupsd_log_t:dir list_dir_perms;
+ allow $1 apcupsd_log_t:file read_file_perms;
+')
+
+########################################
+##
+## Allow the specified domain to append
+## apcupsd log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apcupsd_append_log',`
+ gen_require(`
+ type apcupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 apcupsd_log_t:dir list_dir_perms;
+ allow $1 apcupsd_log_t:file append_file_perms;
+')
+
+########################################
+##
+## Execute a domain transition to run httpd_apcupsd_cgi_script.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apcupsd_cgi_script_domtrans',`
+ gen_require(`
+ type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
+ ')
+
+ optional_policy(`
+ apache_search_sys_content($1)
+ ')
+
+ files_search_var($1)
+ domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an apcupsd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the apcupsd domain.
+##
+##
+##
+#
+interface(`apcupsd_admin',`
+ gen_require(`
+ type apcupsd_t, apcupsd_tmp_t;
+ type apcupsd_log_t, apcupsd_lock_t;
+ type apcupsd_var_run_t;
+ type apcupsd_initrc_exec_t;
+ ')
+
+ allow $1 apcupsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, apcupsd_t)
+
+ apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 apcupsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var($1)
+ admin_pattern($1, apcupsd_lock_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, apcupsd_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, apcupsd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, apcupsd_var_run_t)
+')
diff --git a/apcupsd.te b/apcupsd.te
new file mode 100644
index 0000000..d052bf0
--- /dev/null
+++ b/apcupsd.te
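Review bot: `apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)` in `apcupsd_admin` passes a second argument that the interface does not take; `apcupsd_initrc_domtrans` is defined earlier in this hunk with a single `$1` and hard-codes `apcupsd_initrc_exec_t` itself. m4 silently drops the extra argument, so this compiles, but it reads as if the exec type were a parameter and will mislead the next person who copies the call; change it to `apcupsd_initrc_domtrans($1)`. The `type apcupsd_initrc_exec_t;` entry in the `gen_require` block is still needed for the `role_transition` line, so it stays.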
@@ -0,0 +1,127 @@
+policy_module(apcupsd, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type apcupsd_t;
+type apcupsd_exec_t;
+init_daemon_domain(apcupsd_t, apcupsd_exec_t)
+
+type apcupsd_lock_t;
+files_lock_file(apcupsd_lock_t)
+
+type apcupsd_initrc_exec_t;
+init_script_file(apcupsd_initrc_exec_t)
+
+type apcupsd_log_t;
+logging_log_file(apcupsd_log_t)
+
+type apcupsd_tmp_t;
+files_tmp_file(apcupsd_tmp_t)
+
+type apcupsd_var_run_t;
+files_pid_file(apcupsd_var_run_t)
+
+########################################
+#
+# apcupsd local policy
+#
+
+allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
+allow apcupsd_t self:process signal;
+allow apcupsd_t self:fifo_file rw_file_perms;
+allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
+allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+
+allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
+files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
+
+allow apcupsd_t apcupsd_log_t:dir setattr;
+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+logging_log_filetrans(apcupsd_t, apcupsd_log_t, { file dir })
+
+manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
+files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file)
+
+manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t)
+files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file)
+
+kernel_read_system_state(apcupsd_t)
+
+corecmd_exec_bin(apcupsd_t)
+corecmd_exec_shell(apcupsd_t)
+
+corenet_all_recvfrom_unlabeled(apcupsd_t)
+corenet_all_recvfrom_netlabel(apcupsd_t)
+corenet_tcp_sendrecv_generic_if(apcupsd_t)
+corenet_tcp_sendrecv_generic_node(apcupsd_t)
+corenet_tcp_sendrecv_all_ports(apcupsd_t)
+corenet_tcp_bind_generic_node(apcupsd_t)
+corenet_tcp_bind_apcupsd_port(apcupsd_t)
+corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
+corenet_tcp_connect_apcupsd_port(apcupsd_t)
+
+dev_rw_generic_usb_dev(apcupsd_t)
+
+# Init script handling
+domain_use_interactive_fds(apcupsd_t)
+
+files_read_etc_files(apcupsd_t)
+files_search_locks(apcupsd_t)
+# Creates /etc/nologin
+files_manage_etc_runtime_files(apcupsd_t)
+files_etc_filetrans_etc_runtime(apcupsd_t, file)
+
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
+term_use_unallocated_ttys(apcupsd_t)
+
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
+
+logging_send_syslog_msg(apcupsd_t)
+
+miscfiles_read_localization(apcupsd_t)
+
+sysnet_dns_name_resolve(apcupsd_t)
+
+userdom_use_user_ttys(apcupsd_t)
+
+optional_policy(`
+ hostname_exec(apcupsd_t)
+')
+
+optional_policy(`
+ mta_send_mail(apcupsd_t)
+ mta_system_content(apcupsd_tmp_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(apcupsd_t)
+')
+
+########################################
+#
+# apcupsd_cgi Declarations
+#
+
+optional_policy(`
+ apache_content_template(apcupsd_cgi)
+
+ allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
+')
diff --git a/apm.fc b/apm.fc
new file mode 100644
index 0000000..0123777
--- /dev/null
+++ b/apm.fc
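Review bot: `logging_log_filetrans(apcupsd_t, apcupsd_log_t, { file dir })` lists `dir`, but nothing in the hunk lets `apcupsd_t` create a directory of type `apcupsd_log_t` — the domain only gets `setattr` on `apcupsd_log_t:dir` plus whatever `manage_files_pattern` grants on the parent directory, which as far as I recall does not include `create`. Either the `dir` transition is dead and the line should read `logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)`, or a `manage_dirs_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)` is missing; the `files_tmp_filetrans` and `files_pid_filetrans` rules just below are consistent with their `manage_files_pattern` lines, so the log block is the odd one out. Separately, `files_manage_etc_runtime_files(apcupsd_t)` is justified only by `# Creates /etc/nologin`; since the rule covers every other etc_runtime_t file as well, the comment should say that this breadth is accepted so a later reader does not narrow it without checking.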
@@ -0,0 +1,23 @@
+
+#
+# /usr
+#
+/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
+
+/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
+/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
+/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
+
+#
+# /var
+#
+/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
+
+/var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
+')
diff --git a/apm.if b/apm.if
new file mode 100644
index 0000000..1ea99b2
--- /dev/null
+++ b/apm.if
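Review bot: `/var/log/acpid.*` leaves the dot unescaped, so the pattern is `acpid` followed by any characters and labels every `/var/log` entry whose name starts with `acpid`, not just the daemon's log and its rotations; every other entry in this file escapes its dots (`\.?acpid\.socket`, `apmd\.pid`, `powersaved\.pid`). If the intent is the log file and its rotated copies, `/var/log/acpid(\..*)? -- gen_context(system_u:object_r:apmd_log_t,s0)` is the narrower spelling; if the broad match is deliberate, a one-line comment above it saying so would keep the next reader from tightening it.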
@@ -0,0 +1,113 @@
+## Advanced power management daemon
+
+########################################
+##
+## Execute APM in the apm domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apm_domtrans_client',`
+ gen_require(`
+ type apm_t, apm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, apm_exec_t, apm_t)
+')
+
+########################################
+##
+## Use file descriptors for apmd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apm_use_fds',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ allow $1 apmd_t:fd use;
+')
+
+########################################
+##
+## Write to apmd unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apm_write_pipes',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ allow $1 apmd_t:fifo_file write;
+')
+
+########################################
+##
+## Read and write to an apm unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apm_rw_stream_sockets',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ allow $1 apmd_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## Append to apm's log file.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apm_append_log',`
+ gen_require(`
+ type apmd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 apmd_log_t:file append;
+')
+
+########################################
+##
+## Connect to apmd over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apm_stream_connect',`
+ gen_require(`
+ type apmd_t, apmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 apmd_var_run_t:sock_file write;
+ allow $1 apmd_t:unix_stream_socket connectto;
+')
diff --git a/apm.te b/apm.te
new file mode 100644
index 0000000..1c8c27e
--- /dev/null
+++ b/apm.te
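Review bot: `apm_stream_connect` spells out the socket-connect rules by hand (`allow $1 apmd_var_run_t:sock_file write;` followed by `allow $1 apmd_t:unix_stream_socket connectto;`); the reference-policy idiom for exactly this pair is `stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)`, which keeps this interface in step with the tree's other `*_stream_connect` interfaces and also grants `search` on the socket's directory type should the socket ever move below a subdirectory of `/var/run`. In the same file `apm_append_log` grants bare `append` on `apmd_log_t:file`; a caller that opens the log itself will presumably also need `open` and `getattr`, which `append_file_perms` bundles, so `allow $1 apmd_log_t:file append_file_perms;` is the more usable spelling unless the single permission is deliberate, in which case a short comment on that line would say so.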
@@ -0,0 +1,232 @@
+policy_module(apm, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+type apmd_t;
+type apmd_exec_t;
+init_daemon_domain(apmd_t, apmd_exec_t)
+
+type apm_t;
+type apm_exec_t;
+application_domain(apm_t, apm_exec_t)
+role system_r types apm_t;
+
+type apmd_log_t;
+logging_log_file(apmd_log_t)
+
+type apmd_tmp_t;
+files_tmp_file(apmd_tmp_t)
+
+type apmd_var_run_t;
+files_pid_file(apmd_var_run_t)
+
+ifdef(`distro_redhat',`
+ type apmd_lock_t;
+ files_lock_file(apmd_lock_t)
+')
+
+ifdef(`distro_suse',`
+ type apmd_var_lib_t;
+ files_type(apmd_var_lib_t)
+')
+
+########################################
+#
+# apm client Local policy
+#
+
+allow apm_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(apm_t)
+
+dev_rw_apm_bios(apm_t)
+
+fs_getattr_xattr_fs(apm_t)
+
+term_use_all_terms(apm_t)
+
+domain_use_interactive_fds(apm_t)
+
+logging_send_syslog_msg(apm_t)
+
+########################################
+#
+# apm daemon Local policy
+#
+
+# mknod: controlling an orderly resume of PCMCIA requires creating device
+nodes 254,{0,1,2} for some reason.
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+allow apmd_t self:process { signal_perms getsession };
+allow apmd_t self:fifo_file rw_fifo_file_perms;
+allow apmd_t self:unix_dgram_socket create_socket_perms;
+allow apmd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow apmd_t apmd_log_t:file manage_file_perms;
+logging_log_filetrans(apmd_t, apmd_log_t, file)
+
+manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
+manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
+files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
+
+manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
+manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
+files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(apmd_t)
+kernel_rw_all_sysctls(apmd_t)
+kernel_read_system_state(apmd_t)
+kernel_write_proc_files(apmd_t)
+
+dev_read_realtime_clock(apmd_t)
+dev_read_urand(apmd_t)
+dev_rw_apm_bios(apmd_t)
+dev_rw_sysfs(apmd_t)
+dev_dontaudit_getattr_all_chr_files(apmd_t) # Excessive?
+dev_dontaudit_getattr_all_blk_files(apmd_t) # Excessive?
+
+fs_dontaudit_list_tmpfs(apmd_t)
+fs_getattr_all_fs(apmd_t)
+fs_search_auto_mountpoints(apmd_t)
+fs_dontaudit_getattr_all_files(apmd_t) # Excessive?
+fs_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+fs_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+fs_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+
+selinux_search_fs(apmd_t)
+
+corecmd_exec_all_executables(apmd_t)
+
+domain_read_all_domains_state(apmd_t)
+domain_dontaudit_ptrace_all_domains(apmd_t)
+domain_use_interactive_fds(apmd_t)
+domain_dontaudit_getattr_all_sockets(apmd_t)
+domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
+domain_dontaudit_list_all_domains_state(apmd_t) # Excessive?
+
+files_exec_etc_files(apmd_t)
+files_read_etc_runtime_files(apmd_t)
+files_dontaudit_getattr_all_files(apmd_t) # Excessive?
+files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+
+init_domtrans_script(apmd_t)
+init_rw_utmp(apmd_t)
+init_telinit(apmd_t)
+
+libs_exec_ld_so(apmd_t)
+libs_exec_lib_files(apmd_t)
+
+logging_send_syslog_msg(apmd_t)
+logging_send_audit_msgs(apmd_t)
+
+miscfiles_read_localization(apmd_t)
+miscfiles_read_hwdata(apmd_t)
+
+modutils_domtrans_insmod(apmd_t)
+modutils_read_module_config(apmd_t)
+
+seutil_dontaudit_read_config(apmd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(apmd_t)
+userdom_dontaudit_search_user_home_dirs(apmd_t)
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
+
+ifdef(`distro_redhat',`
+ allow apmd_t apmd_lock_t:file manage_file_perms;
+ files_lock_filetrans(apmd_t, apmd_lock_t, file)
+
+ can_exec(apmd_t, apmd_var_run_t)
+
+ # ifconfig_exec_t needs to be run in its own domain for Red Hat
+ optional_policy(`
+ sysnet_domtrans_ifconfig(apmd_t)
+ ')
+
+ optional_policy(`
+ iptables_domtrans(apmd_t)
+ ')
+
+ optional_policy(`
+ netutils_domtrans(apmd_t)
+ ')
+
+',`
+ # for ifconfig which is run all the time
+ kernel_dontaudit_search_sysctl(apmd_t)
+')
+
+ifdef(`distro_suse',`
+ manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
+ manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
+ files_var_lib_filetrans(apmd_t, apmd_var_lib_t, file)
+')
+
+optional_policy(`
+ automount_domtrans(apmd_t)
+')
+
+optional_policy(`
+ clock_domtrans(apmd_t)
+ clock_rw_adjtime(apmd_t)
+')
+
+optional_policy(`
+ cron_system_entry(apmd_t, apmd_exec_t)
+ cron_anacron_domtrans_system_job(apmd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(apmd_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(apmd_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(apmd_t)
+ ')
+')
+
+optional_policy(`
+
 logrotate_use_fds(apmd_t)
+')
+
+optional_policy(`
+ mta_send_mail(apmd_t)
+')
+
+optional_policy(`
+ nscd_socket_use(apmd_t)
+')
+
+optional_policy(`
+ pcmcia_domtrans_cardmgr(apmd_t)
+ pcmcia_domtrans_cardctl(apmd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(apmd_t)
+')
+
+optional_policy(`
+ udev_read_db(apmd_t)
+ udev_read_state(apmd_t) #necessary?
+')
+
+optional_policy(`
+ unconfined_domain(apmd_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(apmd_t)
+')
+
+# cjp: related to sleep/resume (?)
+optional_policy(`
+ xserver_domtrans(apmd_t)
+')
diff --git a/apt.fc b/apt.fc
new file mode 100644
index 0000000..e4f4850
--- /dev/null
+++ b/apt.fc
@@ -0,0 +1,21 @@
+/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
+# apt-shell is redhat specific
+/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
+# other package managers
+/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+# package cache repository
+/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
+
+# package list repository
+/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# aptitude lock
+/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+# aptitude log
+/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
+
+# dpkg terminal log
+/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
diff --git a/apt.if b/apt.if
new file mode 100644
index 0000000..e696b80
--- /dev/null
+++ b/apt.if
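Review bot: The widest grants in the daemon section — `corecmd_exec_all_executables(apmd_t)`, `kernel_rw_all_sysctls(apmd_t)`, `kernel_write_proc_files(apmd_t)`, `init_telinit(apmd_t)` and the `optional_policy(` unconfined_domain(apmd_t) `)` block — carry no justification, and the `unconfined_domain` optional silently removes all confinement whenever that module is loaded, so a reader cannot tell which rules are required and which are legacy. A header comment above the `allow apmd_t self:capability` line such as `# apmd executes the event scripts under /etc/apm/event.d (one is labeled in automount.fc), hence exec_all_executables and the script domtrans below — presumed, confirm` would explain the largest one, and the unconfined optional should state that it is intentional. The client line `allow apm_t self:capability { dac_override sys_admin };` likewise needs a one-line reason, since `sys_admin` is the capability least expected for a status tool. The eight `# Excessive?` trailers and the `#necessary?` on `udev_read_state(apmd_t)` should be resolved in this commit or turned into a single TODO stating what was observed, rather than shipped as open questions.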
@@ -0,0 +1,225 @@
+## APT advanced package tool.
+
+########################################
+##
+## Execute apt programs in the apt domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apt_domtrans',`
+ gen_require(`
+ type apt_t, apt_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, apt_exec_t, apt_t)
+')
+
+########################################
+##
+## Execute apt programs in the apt domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to allow the apt domain.
+##
+##
+##
+#
+interface(`apt_run',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ apt_domtrans($1)
+ role $2 types apt_t;
+ # TODO: likely have to add dpkg_run here.
+')
+
+########################################
+##
+## Inherit and use file descriptors from apt.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apt_use_fds',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fd use;
+ # TODO: enforce dpkg_use_fd?
+')
+
+########################################
+##
+## Do not audit attempts to use file descriptors from apt.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apt_dontaudit_use_fds',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ dontaudit $1 apt_t:fd use;
+')
+
+########################################
+##
+## Read from an unnamed apt pipe.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apt_read_pipes',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fifo_file read_fifo_file_perms;
+ # TODO: enforce dpkg_read_pipes?
+')
+
+########################################
+##
+## Read and write an unnamed apt pipe.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apt_rw_pipes',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fifo_file rw_file_perms;
+ # TODO: enforce dpkg_rw_pipes?
+')
+
+########################################
+##
+## Read from and write to apt ptys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apt_use_ptys',`
+ gen_require(`
+ type apt_devpts_t;
+ ')
+
+ allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Read the apt package cache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apt_read_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir list_dir_perms;
+ dontaudit $1 apt_var_cache_t:dir write;
+ allow $1 apt_var_cache_t:file read_file_perms;
+')
+
+########################################
+##
+## Read the apt package database.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apt_read_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 apt_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+ read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete the apt package database.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apt_manage_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+ # cjp: shouldnt this be manage_lnk_files?
+ rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+ delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+')
+
+########################################
+##
+## Do not audit attempts to create, read,
+## write, and delete the apt package database.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apt_dontaudit_manage_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 apt_var_lib_t:file manage_file_perms;
+ dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
+')
diff --git a/apt.te b/apt.te
new file mode 100644
index 0000000..4044710
--- /dev/null
+++ b/apt.te
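Review bot: `apt_rw_pipes` grants `rw_file_perms` on a `fifo_file`, whereas its sibling `apt_read_pipes` uses `read_fifo_file_perms` and apt.te uses `rw_fifo_file_perms` for the domain's own pipes; the line should be `allow $1 apt_t:fifo_file rw_fifo_file_perms;`. In `apt_manage_db` the `# cjp: shouldnt this be manage_lnk_files?` question is effectively answered by `apt_dontaudit_manage_db`, which already silences `manage_lnk_file_perms`, so the `rw_lnk_files_pattern`/`delete_lnk_files_pattern` pair can become `manage_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)` and the comment dropped. The `# TODO: likely have to add dpkg_run here.` in `apt_run` means a caller in role `$2` may still hit a role denial on the dpkg step that `dpkg_domtrans(apt_t)` in apt.te sets up; until that is resolved the interface summary should say so, since it currently reads like a complete `_run`.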
@@ -0,0 +1,162 @@
+policy_module(apt, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type apt_t;
+type apt_exec_t;
+init_system_domain(apt_t, apt_exec_t)
+domain_system_change_exemption(apt_t)
+role system_r types apt_t;
+
+# pseudo terminal for running dpkg
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
+# aptitude lock file
+type apt_lock_t;
+files_lock_file(apt_lock_t)
+
+type apt_tmp_t;
+files_tmp_file(apt_tmp_t)
+
+type apt_tmpfs_t;
+files_tmpfs_file(apt_tmpfs_t)
+
+# package cache
+type apt_var_cache_t alias var_cache_apt_t;
+files_type(apt_var_cache_t)
+
+# status files
+type apt_var_lib_t alias var_lib_apt_t;
+files_type(apt_var_lib_t)
+
+# aptitude log file
+type apt_var_log_t;
+logging_log_file(apt_var_log_t)
+
+########################################
+#
+# apt Local policy
+#
+
+allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:process { signal setpgid fork };
+allow apt_t self:fd use;
+allow apt_t self:fifo_file rw_fifo_file_perms;
+allow apt_t self:unix_dgram_socket create_socket_perms;
+allow apt_t self:unix_stream_socket rw_stream_socket_perms;
+allow apt_t self:unix_dgram_socket sendto;
+allow apt_t self:unix_stream_socket connectto;
+allow apt_t self:udp_socket { connect create_socket_perms };
+allow apt_t self:tcp_socket create_stream_socket_perms;
+allow apt_t self:shm create_shm_perms;
+allow apt_t self:sem create_sem_perms;
+allow apt_t self:msgq create_msgq_perms;
+allow apt_t self:msg { send receive };
+# Run update
+allow apt_t self:netlink_route_socket r_netlink_socket_perms;
+
+# lock files
+allow apt_t apt_lock_t:dir manage_dir_perms;
+allow apt_t apt_lock_t:file manage_file_perms;
+files_lock_filetrans(apt_t, apt_lock_t, {dir file})
+
+manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
+
+manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_files_pattern(apt_t,
apt_tmpfs_t, apt_tmpfs_t)
+manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+# Access /var/cache/apt files
+manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+files_var_filetrans(apt_t, apt_var_cache_t, dir)
+
+# Access /var/lib/apt files
+manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
+files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
+
+# log files
+allow apt_t apt_var_log_t:file manage_file_perms;
+logging_log_filetrans(apt_t, apt_var_log_t, file)
+
+kernel_read_system_state(apt_t)
+kernel_read_kernel_sysctls(apt_t)
+
+# to launch dpkg-preconfigure
+corecmd_exec_bin(apt_t)
+corecmd_exec_shell(apt_t)
+
+corenet_all_recvfrom_unlabeled(apt_t)
+corenet_all_recvfrom_netlabel(apt_t)
+corenet_tcp_sendrecv_generic_if(apt_t)
+corenet_udp_sendrecv_generic_if(apt_t)
+corenet_tcp_sendrecv_generic_node(apt_t)
+corenet_udp_sendrecv_generic_node(apt_t)
+corenet_tcp_sendrecv_all_ports(apt_t)
+corenet_udp_sendrecv_all_ports(apt_t)
+# TODO: really allow all these?
+corenet_tcp_bind_generic_node(apt_t)
+corenet_udp_bind_generic_node(apt_t)
+corenet_tcp_connect_all_ports(apt_t)
+corenet_sendrecv_all_client_packets(apt_t)
+
+dev_read_urand(apt_t)
+
+domain_getattr_all_domains(apt_t)
+domain_use_interactive_fds(apt_t)
+
+files_exec_usr_files(apt_t)
+files_read_etc_files(apt_t)
+files_read_etc_runtime_files(apt_t)
+
+fs_getattr_all_fs(apt_t)
+
+term_create_pty(apt_t, apt_devpts_t)
+term_list_ptys(apt_t)
+term_use_all_terms(apt_t)
+
+libs_exec_ld_so(apt_t)
+libs_exec_lib_files(apt_t)
+
+logging_send_syslog_msg(apt_t)
+
+miscfiles_read_localization(apt_t)
+
+seutil_use_newrole_fds(apt_t)
+
+sysnet_read_config(apt_t)
+
+userdom_use_user_terminals(apt_t)
+
+# with boolean, for cron-apt and such?
+#optional_policy(`
+# cron_system_entry(apt_t,apt_exec_t)
+#')
+
+optional_policy(`
+ # dpkg interaction
+ dpkg_read_db(apt_t)
+ dpkg_domtrans(apt_t)
+ dpkg_lock_db(apt_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(apt_t)
+')
+
+optional_policy(`
+ rpm_read_db(apt_t)
+ rpm_domtrans(apt_t)
+')
+
+optional_policy(`
+ unconfined_domain(apt_t)
+')
diff --git a/arpwatch.fc b/arpwatch.fc
new file mode 100644
index 0000000..a86a6c7
--- /dev/null
+++ b/arpwatch.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
+#
+# /var
+#
+/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
+/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/arpwatch.if b/arpwatch.if
new file mode 100644
index 0000000..c804110
--- /dev/null
+++ b/arpwatch.if
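Review bot: The `# TODO: really allow all these?` above `corenet_tcp_bind_generic_node(apt_t)`, `corenet_udp_bind_generic_node(apt_t)` and `corenet_tcp_connect_all_ports(apt_t)` should be answered in this commit rather than shipped: apt is a fetch client, so `corenet_tcp_connect_http_port(apt_t)`, `corenet_tcp_connect_ftp_port(apt_t)` and `corenet_tcp_connect_http_cache_port(apt_t)` would cover repositories and proxies, and the two bind rules look unneeded unless a listener is documented. This matters here because `apt_t` already carries `domain_system_change_exemption`, manages `/var/lib/apt`, and transitions to dpkg, so an all-ports client rule gives a package-install domain unrestricted outbound reach from inside the policy. The commented-out `#optional_policy(` cron_system_entry(apt_t,apt_exec_t) `)` block should either become the `tunable_policy` the preceding comment asks for or be removed — dead policy text tends to be uncommented later without review. `optional_policy(` unconfined_domain(apt_t) `)` removes all of the above when that module is present and deserves a one-line comment saying that is intended.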
@@ -0,0 +1,156 @@
+## Ethernet activity monitor.
+
+########################################
+##
+## Execute arpwatch server in the arpwatch domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`arpwatch_initrc_domtrans',`
+ gen_require(`
+ type arpwatch_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+')
+
+########################################
+##
+## Search arpwatch's data file directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`arpwatch_search_data',`
+ gen_require(`
+ type arpwatch_data_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 arpwatch_data_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Create arpwatch data files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`arpwatch_manage_data_files',`
+ gen_require(`
+ type arpwatch_data_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
+')
+
+########################################
+##
+## Read and write arpwatch temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`arpwatch_rw_tmp_files',`
+ gen_require(`
+ type arpwatch_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 arpwatch_tmp_t:file rw_file_perms;
+')
+
+########################################
+##
+## Read and write arpwatch temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`arpwatch_manage_tmp_files',`
+ gen_require(`
+ type arpwatch_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 arpwatch_tmp_t:file manage_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## arpwatch packet sockets.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`arpwatch_dontaudit_rw_packet_sockets',`
+ gen_require(`
+ type arpwatch_t;
+ ')
+
+ dontaudit $1 arpwatch_t:packet_socket { read write };
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an arpwatch environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the arpwatch domain.
+##
+##
+##
+#
+interface(`arpwatch_admin',`
+ gen_require(`
+ type arpwatch_t, arpwatch_tmp_t;
+ type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_initrc_exec_t;
+ ')
+
+ allow $1 arpwatch_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, arpwatch_t)
+
+ arpwatch_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 arpwatch_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, arpwatch_tmp_t)
+
+ files_list_var($1)
+ admin_pattern($1, arpwatch_data_t)
+
+ files_list_pids($1)
+ admin_pattern($1, arpwatch_var_run_t)
+')
diff --git a/arpwatch.te b/arpwatch.te
new file mode 100644
index 0000000..804135f
--- /dev/null
+++ b/arpwatch.te
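Review bot: `arpwatch_manage_tmp_files` carries the same summary as `arpwatch_rw_tmp_files` ("Read and write arpwatch temporary files.") although it grants `manage_file_perms`; its summary should read `## Create, read, write, and delete arpwatch temporary files.` so callers pick the narrower interface when that is all they need. `arpwatch_manage_data_files` has the mirror problem — summarized as "Create arpwatch data files." while granting the full `manage_files_pattern` — and should say `## Create, read, write, and delete arpwatch data files.` In `arpwatch_admin`, `files_list_var($1)` precedes `admin_pattern($1, arpwatch_data_t)`, but arpwatch.fc labels both `/var/arpwatch` and `/var/lib/arpwatch` as `arpwatch_data_t` and `arpwatch_search_data` reaches the type via `files_search_var_lib`, so the admin interface probably also needs `files_list_var_lib($1)`.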
@@ -0,0 +1,98 @@
+policy_module(arpwatch, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type arpwatch_t;
+type arpwatch_exec_t;
+init_daemon_domain(arpwatch_t, arpwatch_exec_t)
+
+type arpwatch_data_t;
+files_type(arpwatch_data_t)
+
+type arpwatch_initrc_exec_t;
+init_script_file(arpwatch_initrc_exec_t)
+
+type arpwatch_tmp_t;
+files_tmp_file(arpwatch_tmp_t)
+
+type arpwatch_var_run_t;
+files_pid_file(arpwatch_var_run_t)
+
+########################################
+#
+# Local policy
+#
+allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
+dontaudit arpwatch_t self:capability sys_tty_config;
+allow arpwatch_t self:process signal_perms;
+allow arpwatch_t self:unix_dgram_socket create_socket_perms;
+allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
+allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
+allow arpwatch_t self:udp_socket create_socket_perms;
+allow arpwatch_t self:packet_socket create_socket_perms;
+allow arpwatch_t self:socket create_socket_perms;
+
+manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+manage_lnk_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+
+manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
+manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
+files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
+
+manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+
+kernel_read_network_state(arpwatch_t)
+kernel_read_kernel_sysctls(arpwatch_t)
+kernel_list_proc(arpwatch_t)
+kernel_read_proc_symlinks(arpwatch_t)
+kernel_request_load_module(arpwatch_t)
+
+corenet_all_recvfrom_unlabeled(arpwatch_t)
+corenet_all_recvfrom_netlabel(arpwatch_t)
+corenet_tcp_sendrecv_generic_if(arpwatch_t)
+corenet_udp_sendrecv_generic_if(arpwatch_t)
+corenet_raw_sendrecv_generic_if(arpwatch_t)
+corenet_tcp_sendrecv_generic_node(arpwatch_t)
+corenet_udp_sendrecv_generic_node(arpwatch_t)
+corenet_raw_sendrecv_generic_node(arpwatch_t)
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
+corenet_udp_sendrecv_all_ports(arpwatch_t)
+
+dev_read_sysfs(arpwatch_t)
+dev_read_usbmon_dev(arpwatch_t)
+dev_rw_generic_usb_dev(arpwatch_t)
+
+fs_getattr_all_fs(arpwatch_t)
+fs_search_auto_mountpoints(arpwatch_t)
+
+corecmd_read_bin_symlinks(arpwatch_t)
+
+domain_use_interactive_fds(arpwatch_t)
+
+files_read_etc_files(arpwatch_t)
+files_read_usr_files(arpwatch_t)
+files_search_var_lib(arpwatch_t)
+
+auth_use_nsswitch(arpwatch_t)
+
+logging_send_syslog_msg(arpwatch_t)
+
+miscfiles_read_localization(arpwatch_t)
+
+userdom_dontaudit_search_user_home_dirs(arpwatch_t)
+userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
+
+mta_send_mail(arpwatch_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(arpwatch_t)
+')
+
+optional_policy(`
+ udev_read_db(arpwatch_t)
+')
diff --git a/asterisk.fc b/asterisk.fc
new file mode 100644
index 0000000..b4889d4
--- /dev/null
+++ b/asterisk.fc
@@ -0,0 +1,9 @@
+/etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0)
+/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
+
+/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)
+
+/var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t,s0)
+/var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0)
+/var/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t,s0)
+/var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0)
diff --git a/asterisk.if b/asterisk.if
new file mode 100644
index 0000000..8b8143e
--- /dev/null
+++ b/asterisk.if
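Review bot: `mta_send_mail(arpwatch_t)` is called unconditionally, while the same call is wrapped in `optional_policy(` ... `)` in apm.te and asterisk.te of this commit; unless mta is a base module in this policy it should be `optional_policy(` mta_send_mail(arpwatch_t) `)` so the module still builds when mta is absent. `dev_read_usbmon_dev(arpwatch_t)`, `dev_rw_generic_usb_dev(arpwatch_t)` and `kernel_request_load_module(arpwatch_t)` have no comment explaining why an ARP monitor needs USB device access or module autoload; a one-line reason (presumably a libpcap capture backend — to be confirmed) would let a later reviewer decide whether they can be dropped rather than carried forward. The `allow arpwatch_t self:capability { net_admin net_raw setgid setuid };` line would likewise benefit from `# setuid/setgid: drops privileges after opening the capture socket — confirm`, so the capability set is not widened casually.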
@@ -0,0 +1,92 @@
+## Asterisk IP telephony server
+
+######################################
+##
+## Execute asterisk in the asterisk domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`asterisk_domtrans',`
+ gen_require(`
+ type asterisk_t, asterisk_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, asterisk_exec_t, asterisk_t)
+')
+
+#####################################
+##
+## Connect to asterisk over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`asterisk_stream_connect',`
+ gen_require(`
+ type asterisk_t, asterisk_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an asterisk environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the asterisk domain.
+##
+##
+##
+#
+interface(`asterisk_admin',`
+ gen_require(`
+ type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
+ type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
+ type asterisk_var_lib_t;
+ type asterisk_initrc_exec_t;
+ ')
+
+ allow $1 asterisk_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, asterisk_t)
+
+ init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 asterisk_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, asterisk_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, asterisk_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, asterisk_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, asterisk_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, asterisk_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, asterisk_var_run_t)
+')
diff --git a/asterisk.te b/asterisk.te
new file mode 100644
index 0000000..b3b0176
--- /dev/null
+++ b/asterisk.te
@@ -0,0 +1,170 @@
+policy_module(asterisk, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type asterisk_t;
+type asterisk_exec_t;
+init_daemon_domain(asterisk_t, asterisk_exec_t)
+
+type asterisk_etc_t;
+files_config_file(asterisk_etc_t)
+
+type asterisk_initrc_exec_t;
+init_script_file(asterisk_initrc_exec_t)
+
+type asterisk_log_t;
+logging_log_file(asterisk_log_t)
+
+type asterisk_spool_t;
+files_type(asterisk_spool_t)
+
+type asterisk_tmp_t;
+files_tmp_file(asterisk_tmp_t)
+
+type asterisk_tmpfs_t;
+files_tmpfs_file(asterisk_tmpfs_t)
+
+type asterisk_var_lib_t;
+files_type(asterisk_var_lib_t)
+
+type asterisk_var_run_t;
+files_pid_file(asterisk_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# dac_override for /var/run/asterisk
+allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };
+dontaudit asterisk_t self:capability sys_tty_config;
+allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
+allow asterisk_t self:fifo_file rw_fifo_file_perms;
+allow asterisk_t self:sem create_sem_perms;
+allow asterisk_t self:shm create_shm_perms;
+allow asterisk_t self:unix_stream_socket connectto;
+allow asterisk_t self:tcp_socket create_stream_socket_perms;
+allow asterisk_t self:udp_socket create_socket_perms;
+
+allow asterisk_t asterisk_etc_t:dir list_dir_perms;
+read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+files_search_etc(asterisk_t)
+
+can_exec(asterisk_t, asterisk_exec_t)
+
+manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir })
+
+manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+
+manage_dirs_pattern(asterisk_t, asterisk_tmp_t,
asterisk_tmp_t)
+manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir })
+
+manage_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_lnk_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_fifo_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_sock_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
+
+manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+
+kernel_read_system_state(asterisk_t)
+kernel_read_kernel_sysctls(asterisk_t)
+kernel_request_load_module(asterisk_t)
+
+corecmd_exec_bin(asterisk_t)
+corecmd_exec_shell(asterisk_t)
+
+corenet_all_recvfrom_unlabeled(asterisk_t)
+corenet_all_recvfrom_netlabel(asterisk_t)
+corenet_tcp_sendrecv_generic_if(asterisk_t)
+corenet_udp_sendrecv_generic_if(asterisk_t)
+corenet_tcp_sendrecv_generic_node(asterisk_t)
+corenet_udp_sendrecv_generic_node(asterisk_t)
+corenet_tcp_sendrecv_all_ports(asterisk_t)
+corenet_udp_sendrecv_all_ports(asterisk_t)
+corenet_tcp_bind_generic_node(asterisk_t)
+corenet_udp_bind_generic_node(asterisk_t)
+corenet_tcp_bind_asterisk_port(asterisk_t)
+corenet_tcp_bind_sip_port(asterisk_t)
+corenet_udp_bind_asterisk_port(asterisk_t)
+corenet_udp_bind_sip_port(asterisk_t)
+corenet_sendrecv_asterisk_server_packets(asterisk_t)
+# for VOIP voice channels.
+corenet_tcp_bind_generic_port(asterisk_t)
+corenet_udp_bind_generic_port(asterisk_t)
+corenet_dontaudit_udp_bind_all_ports(asterisk_t)
+corenet_sendrecv_generic_server_packets(asterisk_t)
+corenet_tcp_connect_postgresql_port(asterisk_t)
+corenet_tcp_connect_snmp_port(asterisk_t)
+corenet_tcp_connect_sip_port(asterisk_t)
+
+dev_rw_generic_usb_dev(asterisk_t)
+dev_read_sysfs(asterisk_t)
+dev_read_sound(asterisk_t)
+dev_write_sound(asterisk_t)
+dev_read_urand(asterisk_t)
+
+domain_use_interactive_fds(asterisk_t)
+
+files_read_etc_files(asterisk_t)
+files_search_spool(asterisk_t)
+# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
+# are labeled usr_t
+files_read_usr_files(asterisk_t)
+
+fs_getattr_all_fs(asterisk_t)
+fs_list_inotifyfs(asterisk_t)
+fs_read_anon_inodefs_files(asterisk_t)
+fs_search_auto_mountpoints(asterisk_t)
+
+auth_use_nsswitch(asterisk_t)
+
+logging_send_syslog_msg(asterisk_t)
+
+miscfiles_read_localization(asterisk_t)
+
+userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+userdom_dontaudit_search_user_home_dirs(asterisk_t)
+
+optional_policy(`
+ mysql_stream_connect(asterisk_t)
+')
+
+optional_policy(`
+ mta_send_mail(asterisk_t)
+')
+
+optional_policy(`
+ postfix_domtrans_postdrop(asterisk_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(asterisk_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(asterisk_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(asterisk_t)
+ snmp_stream_connect(asterisk_t)
+')
+
+optional_policy(`
+ udev_read_db(asterisk_t)
+')
diff --git a/authbind.fc b/authbind.fc
new file mode 100644
index 0000000..48cf11b
--- /dev/null
+++ b/authbind.fc
@@ -0,0 +1,3 @@
+/etc/authbind(/.*)? gen_context(system_u:object_r:authbind_etc_t,s0)
+
+/usr/lib(64)?/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0)
diff --git a/authbind.if b/authbind.if
new file mode 100644
index 0000000..d28020f
--- /dev/null
+++ b/authbind.if
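Review bot: The comment `# dac_override for /var/run/asterisk` explains only one of the five capabilities on the `allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };` line; `net_admin` is the one that most needs a reason, since it is not implied by any of the bind rules below, e.g. `# net_admin: socket option / QoS marking on media sockets — confirm`. The comment `# for VOIP voice channels.` at the end of the previous hunk piece covers both `corenet_tcp_bind_generic_port(asterisk_t)` and `corenet_udp_bind_generic_port(asterisk_t)`; RTP media is UDP, so if the TCP generic bind serves something else it should get its own comment, and if not it can probably be dropped. `kernel_request_load_module(asterisk_t)` and `dev_rw_generic_usb_dev(asterisk_t)` also lack a note on which module or device class they are for, which a later reviewer will need before narrowing them.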
@@ -0,0 +1,20 @@
+## Tool for non-root processes to bind to reserved ports
+
+########################################
+##
+## Use authbind to bind to a reserved port.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`authbind_domtrans',`
+ gen_require(`
+ type authbind_t, authbind_exec_t;
+ ')
+
+ domtrans_pattern($1, authbind_exec_t, authbind_t)
+ allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
+')
diff --git a/authbind.te b/authbind.te
new file mode 100644
index 0000000..b4285f7
--- /dev/null
+++ b/authbind.te
@@ -0,0 +1,31 @@
+policy_module(authbind, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type authbind_t;
+type authbind_exec_t;
+application_domain(authbind_t, authbind_exec_t)
+role system_r types authbind_t;
+
+type authbind_etc_t;
+files_config_file(authbind_etc_t)
+
+########################################
+#
+# Local policy
+#
+
+allow authbind_t self:capability net_bind_service;
+
+allow authbind_t authbind_etc_t:dir list_dir_perms;
+exec_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
+read_lnk_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
+
+files_list_etc(authbind_t)
+
+term_use_console(authbind_t)
+
+logging_send_syslog_msg(authbind_t)
diff --git a/automount.fc b/automount.fc
new file mode 100644
index 0000000..f16ab68
--- /dev/null
+++ b/automount.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
+/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
+
+#
+# /var
+#
+
+/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
diff --git a/automount.if b/automount.if
new file mode 100644
index 0000000..d80a16b
--- /dev/null
+++ b/automount.if
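Review bot: `authbind_domtrans` calls `domtrans_pattern($1, authbind_exec_t, authbind_t)` without granting the caller search on the helper's directory; authbind.fc places the helper under `/usr/lib(64)?/authbind/`, so callers need `libs_search_lib($1)` (not the `corecmd_search_bin` the other `_domtrans` interfaces in this commit use) ahead of the transition, or the exec is denied before the transition rule applies. The second rule, `allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;`, gives the helper read/write on the caller's sockets, which is the point of the tool but is invisible from the summary; it should say `## Use authbind to bind to a reserved port; authbind_t gets read/write on the caller's TCP and UDP sockets.` so a policy author knows what they are handing over.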
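Review bot: `role system_r types authbind_t;` is the only role association in authbind.te, yet the module header says the tool is for non-root processes; a caller in a user role will fail the role check on the transition that `authbind_domtrans` sets up, so either an `authbind_run` interface adding `role $2 types authbind_t;` is needed or a comment should state that only `system_r` callers are supported. The single `allow authbind_t self:capability net_bind_service;` is the right scope and deserves a comment pinning it, e.g. `# the helper's only job: bind(2) below 1024 on the caller's socket; do not widen`, so it is not extended later by someone chasing an AVC. `exec_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)` on a config directory looks like a mistake to anyone unfamiliar with authbind; a comment that the per-port entries under /etc/authbind are checked for execute permission (as I understand the tool — confirm) would stop it being "fixed" to a read pattern.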
@@ -0,0 +1,168 @@
+## Filesystem automounter service.
+
+########################################
+##
+## Execute automount in the automount domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`automount_domtrans',`
+ gen_require(`
+ type automount_t, automount_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, automount_exec_t, automount_t)
+')
+
+########################################
+##
+## Send automount a signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`automount_signal',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ allow $1 automount_t:process signal;
+')
+
+########################################
+##
+## Execute automount in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`automount_exec_config',`
+ refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
+ files_exec_etc_files($1)
+')
+
+########################################
+##
+## Allow the domain to read state files in /proc.
+##
+##
+##
+## Domain to allow access.
+##
+##
+#
+interface(`automount_read_state',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ read_files_pattern($1, automount_t, automount_t)
+')
+
+########################################
+##
+## Do not audit attempts to file descriptors for automount.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`automount_dontaudit_use_fds',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ dontaudit $1 automount_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to write automount daemon unnamed pipes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`automount_dontaudit_write_pipes',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ dontaudit $1 automount_t:fifo_file write;
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes
+## of automount temporary directories.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`automount_dontaudit_getattr_tmp_dirs',`
+ gen_require(`
+ type automount_tmp_t;
+ ')
+
+ dontaudit $1 automount_tmp_t:dir getattr;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an automount environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the automount domain.
+##
+##
+##
+#
+interface(`automount_admin',`
+ gen_require(`
+ type automount_t, automount_lock_t, automount_tmp_t;
+ type automount_var_run_t, automount_initrc_exec_t;
+ ')
+
+ allow $1 automount_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, automount_t)
+
+ init_labeled_script_domtrans($1, automount_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 automount_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var($1)
+ admin_pattern($1, automount_lock_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, automount_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, automount_var_run_t)
+')
diff --git a/automount.te b/automount.te
new file mode 100644
index 0000000..39799db
--- /dev/null
+++ b/automount.te
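Review bot: automount_read_state grants `read_files_pattern($1, automount_t, automount_t)`, while automount_admin further down the same hunk uses `ps_process_pattern($1, automount_t)` for the same purpose; read_files_pattern gives only dir search and file read, so a caller can open /proc/PID files it already knows the name of but cannot list the directory or follow its symlinks, which is less than the interface summary promises. If the summary is the contract, `ps_process_pattern($1, automount_t)` is the one-line replacement and keeps the two interfaces consistent. Separately, automount_exec_config's doc still says "Execute automount in the caller domain." although its body only emits the deprecation warning and calls files_exec_etc_files, so the summary should say it is deprecated and what replaces it; and automount_signal's doc block closes with a duplicated `+#` line that the other interfaces do not have.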
@@ -0,0 +1,182 @@
+policy_module(automount, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type automount_t;
+type automount_exec_t;
+init_daemon_domain(automount_t, automount_exec_t)
+
+type automount_initrc_exec_t;
+init_script_file(automount_initrc_exec_t)
+
+type automount_var_run_t;
+files_pid_file(automount_var_run_t)
+
+type automount_lock_t;
+files_lock_file(automount_lock_t)
+
+type automount_tmp_t;
+files_tmp_file(automount_tmp_t)
+files_mountpoint(automount_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow automount_t self:capability { net_bind_service setgid setuid sys_nice sys_resource dac_override sys_admin };
+dontaudit automount_t self:capability sys_tty_config;
+allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+allow automount_t self:fifo_file rw_fifo_file_perms;
+allow automount_t self:unix_stream_socket create_socket_perms;
+allow automount_t self:unix_dgram_socket create_socket_perms;
+allow automount_t self:tcp_socket create_stream_socket_perms;
+allow automount_t self:udp_socket create_socket_perms;
+allow automount_t self:rawip_socket create_socket_perms;
+
+can_exec(automount_t, automount_exec_t)
+
+allow automount_t automount_lock_t:file manage_file_perms;
+files_lock_filetrans(automount_t, automount_lock_t, file)
+
+manage_dirs_pattern(automount_t, automount_tmp_t, automount_tmp_t)
+manage_files_pattern(automount_t, automount_tmp_t, automount_tmp_t)
+files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
+
+# Allow automount to create and delete directories in / and /home
+allow automount_t automount_tmp_t:dir manage_dir_perms;
+files_home_filetrans(automount_t, automount_tmp_t, dir)
+files_root_filetrans(automount_t, automount_tmp_t, dir)
+
+manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+files_pid_filetrans(automount_t, 
automount_var_run_t, { file fifo_file })
+
+kernel_read_kernel_sysctls(automount_t)
+kernel_read_irq_sysctls(automount_t)
+kernel_read_fs_sysctls(automount_t)
+kernel_read_proc_symlinks(automount_t)
+kernel_read_system_state(automount_t)
+kernel_read_network_state(automount_t)
+kernel_list_proc(automount_t)
+kernel_dontaudit_search_xen_state(automount_t)
+
+files_search_boot(automount_t)
+# Automount is slowly adding all mount functionality internally
+files_search_all(automount_t)
+files_mounton_all_mountpoints(automount_t)
+files_mount_all_file_type_fs(automount_t)
+files_unmount_all_file_type_fs(automount_t)
+files_manage_non_security_dirs(automount_t)
+
+fs_mount_all_fs(automount_t)
+fs_unmount_all_fs(automount_t)
+fs_search_all(automount_t)
+
+corecmd_exec_bin(automount_t)
+corecmd_exec_shell(automount_t)
+
+corenet_all_recvfrom_unlabeled(automount_t)
+corenet_all_recvfrom_netlabel(automount_t)
+corenet_tcp_sendrecv_generic_if(automount_t)
+corenet_udp_sendrecv_generic_if(automount_t)
+corenet_tcp_sendrecv_generic_node(automount_t)
+corenet_udp_sendrecv_generic_node(automount_t)
+corenet_tcp_sendrecv_all_ports(automount_t)
+corenet_udp_sendrecv_all_ports(automount_t)
+corenet_tcp_bind_generic_node(automount_t)
+corenet_udp_bind_generic_node(automount_t)
+corenet_tcp_connect_portmap_port(automount_t)
+corenet_tcp_connect_all_ports(automount_t)
+corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
+corenet_sendrecv_all_client_packets(automount_t)
+# Automount execs showmount when you browse /net. 
This is required until
+# Someone writes a showmount policy
+corenet_tcp_bind_reserved_port(automount_t)
+corenet_tcp_bind_all_rpc_ports(automount_t)
+corenet_udp_bind_reserved_port(automount_t)
+corenet_udp_bind_all_rpc_ports(automount_t)
+
+dev_read_sysfs(automount_t)
+dev_rw_autofs(automount_t)
+# for SSP
+dev_read_rand(automount_t)
+dev_read_urand(automount_t)
+
+domain_use_interactive_fds(automount_t)
+domain_dontaudit_read_all_domains_state(automount_t)
+
+files_dontaudit_write_var_dirs(automount_t)
+files_getattr_all_dirs(automount_t)
+files_list_mnt(automount_t)
+files_getattr_home_dir(automount_t)
+files_read_etc_files(automount_t)
+files_read_etc_runtime_files(automount_t)
+# for if the mount point is not labelled
+files_getattr_isid_type_dirs(automount_t)
+files_getattr_default_dirs(automount_t)
+# because config files can be shell scripts
+files_exec_etc_files(automount_t)
+files_mounton_mnt(automount_t)
+
+fs_getattr_all_fs(automount_t)
+fs_getattr_all_dirs(automount_t)
+fs_search_auto_mountpoints(automount_t)
+fs_manage_auto_mountpoints(automount_t)
+fs_unmount_autofs(automount_t)
+fs_mount_autofs(automount_t)
+fs_manage_autofs_symlinks(automount_t)
+fs_read_nfs_files(automount_t)
+
+storage_rw_fuse(automount_t)
+
+term_dontaudit_getattr_pty_dirs(automount_t)
+
+auth_use_nsswitch(automount_t)
+
+logging_send_syslog_msg(automount_t)
+logging_search_logs(automount_t)
+
+miscfiles_read_localization(automount_t)
+miscfiles_read_generic_certs(automount_t)
+
+# Run mount in the mount_t domain. 
+mount_domtrans(automount_t)
+mount_signal(automount_t)
+
+userdom_dontaudit_use_unpriv_user_fds(automount_t)
+userdom_dontaudit_search_user_home_dirs(automount_t)
+
+optional_policy(`
+ bind_search_cache(automount_t)
+')
+
+optional_policy(`
+ fstools_domtrans(automount_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(automount, automount_t)
+ kerberos_read_config(automount_t)
+ kerberos_dontaudit_write_config(automount_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(automount_t)
+')
+
+optional_policy(`
+ samba_read_config(automount_t)
+ samba_manage_var_files(automount_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(automount_t)
+')
+
+optional_policy(`
+ udev_read_db(automount_t)
+')
diff --git a/avahi.fc b/avahi.fc
new file mode 100644
index 0000000..7e36549
--- /dev/null
+++ b/avahi.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+
+/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+
+/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
+
+/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
diff --git a/avahi.if b/avahi.if
new file mode 100644
index 0000000..61c74bc
--- /dev/null
+++ b/avahi.if
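Review bot: `files_manage_non_security_dirs(automount_t)` sits in the mount block with no comment of its own, and the only nearby explanation, `# Automount is slowly adding all mount functionality internally`, speaks to the mount/unmount rules, not to create/delete on every non-security directory on the system; together with `files_mount_all_file_type_fs`, `fs_mount_all_fs` and the `sys_admin` capability this is the widest grant in the module. It should either carry a one-line reason naming the automount operation that needs to create or remove directories outside automount_tmp_t (the `# Allow automount to create and delete directories in / and /home` block already covers the obvious case with files_home_filetrans/files_root_filetrans), or be dropped in favour of the declared tmp/mountpoint types if no such operation is known. The daemon's own comment style elsewhere in this hunk (`# for SSP`, `# because config files can be shell scripts`) is the model to follow.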
@@ -0,0 +1,166 @@
+## mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
+
+########################################
+##
+## Execute avahi server in the avahi domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`avahi_domtrans',`
+ gen_require(`
+ type avahi_exec_t, avahi_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, avahi_exec_t, avahi_t)
+')
+
+########################################
+##
+## Send avahi a signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`avahi_signal',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process signal;
+')
+
+########################################
+##
+## Send avahi a kill signal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`avahi_kill',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process sigkill;
+')
+
+########################################
+##
+## Send avahi a signull
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`avahi_signull',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process signull;
+')
+
+########################################
+##
+## Send and receive messages from
+## avahi over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`avahi_dbus_chat',`
+ gen_require(`
+ type avahi_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 avahi_t:dbus send_msg;
+ allow avahi_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Connect to avahi using a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`avahi_stream_connect',`
+ gen_require(`
+ type avahi_t, avahi_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t)
+')
+
+########################################
+##
+## Do not audit attempts to search the avahi pid directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`avahi_dontaudit_search_pid',`
+ gen_require(`
+ type avahi_var_run_t;
+ ')
+
+ dontaudit $1 avahi_var_run_t:dir search_dir_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an avahi environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the avahi domain.
+##
+##
+##
+#
+interface(`avahi_admin',`
+ gen_require(`
+ type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+ ')
+
+ allow $1 avahi_t:process { ptrace signal_perms };
+ ps_process_pattern($1, avahi_t)
+
+ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 avahi_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_pids($1)
+ admin_pattern($1, avahi_var_run_t)
+')
diff --git a/avahi.te b/avahi.te
new file mode 100644
index 0000000..a7a0e71
--- /dev/null
+++ b/avahi.te
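Review bot: avahi_admin gives the administrator admin_pattern over avahi_var_run_t only, but avahi.te in this same commit declares avahi_var_lib_t and avahi.fc applies it to /var/lib/avahi-autoipd, so a role that administers avahi cannot inspect, relabel or clean up that state directory. Add `type avahi_var_lib_t` to the gen_require block and, after the pid rules, `files_list_var_lib($1)` and `admin_pattern($1, avahi_var_lib_t)`; automount_admin in this commit covers every file type its module declares in exactly this way. The interface summary "All of the rules required to administrate an avahi environment" is otherwise overstated.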
@@ -0,0 +1,112 @@
+policy_module(avahi, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type avahi_t;
+type avahi_exec_t;
+init_daemon_domain(avahi_t, avahi_exec_t)
+
+type avahi_initrc_exec_t;
+init_script_file(avahi_initrc_exec_t)
+
+type avahi_var_lib_t;
+files_pid_file(avahi_var_lib_t)
+
+type avahi_var_run_t;
+files_pid_file(avahi_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
+dontaudit avahi_t self:capability sys_tty_config;
+allow avahi_t self:process { setrlimit signal_perms getcap setcap };
+allow avahi_t self:fifo_file rw_fifo_file_perms;
+allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow avahi_t self:unix_dgram_socket create_socket_perms;
+allow avahi_t self:tcp_socket create_stream_socket_perms;
+allow avahi_t self:udp_socket create_socket_perms;
+allow avahi_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
+
+manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+allow avahi_t avahi_var_run_t:dir setattr_dir_perms;
+files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+
+kernel_read_system_state(avahi_t)
+kernel_read_kernel_sysctls(avahi_t)
+kernel_read_network_state(avahi_t)
+
+corecmd_exec_bin(avahi_t)
+corecmd_exec_shell(avahi_t)
+
+corenet_all_recvfrom_unlabeled(avahi_t)
+corenet_all_recvfrom_netlabel(avahi_t)
+corenet_tcp_sendrecv_generic_if(avahi_t)
+corenet_udp_sendrecv_generic_if(avahi_t)
+corenet_tcp_sendrecv_generic_node(avahi_t)
+corenet_udp_sendrecv_generic_node(avahi_t)
+corenet_tcp_sendrecv_all_ports(avahi_t)
+corenet_udp_sendrecv_all_ports(avahi_t)
+corenet_tcp_bind_generic_node(avahi_t)
+corenet_udp_bind_generic_node(avahi_t)
+corenet_tcp_bind_howl_port(avahi_t)
+corenet_udp_bind_howl_port(avahi_t)
+corenet_send_howl_client_packets(avahi_t)
+corenet_receive_howl_server_packets(avahi_t)
+
+dev_read_sysfs(avahi_t)
+dev_read_urand(avahi_t)
+
+fs_getattr_all_fs(avahi_t)
+fs_search_auto_mountpoints(avahi_t)
+fs_list_inotifyfs(avahi_t)
+
+domain_use_interactive_fds(avahi_t)
+
+files_read_etc_files(avahi_t)
+files_read_etc_runtime_files(avahi_t)
+files_read_usr_files(avahi_t)
+
+auth_use_nsswitch(avahi_t)
+
+init_signal_script(avahi_t)
+init_signull_script(avahi_t)
+
+logging_send_syslog_msg(avahi_t)
+
+miscfiles_read_localization(avahi_t)
+miscfiles_read_generic_certs(avahi_t)
+
+sysnet_domtrans_ifconfig(avahi_t)
+sysnet_manage_config(avahi_t)
+sysnet_etc_filetrans_config(avahi_t)
+
+userdom_dontaudit_use_unpriv_user_fds(avahi_t)
+userdom_dontaudit_search_user_home_dirs(avahi_t)
+
+optional_policy(`
+ dbus_system_domain(avahi_t, avahi_exec_t)
+ dbus_system_bus_client(avahi_t)
+ dbus_connect_system_bus(avahi_t)
+
+ init_dbus_chat_script(avahi_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(avahi_t)
+')
+
+optional_policy(`
+ udev_read_db(avahi_t)
+')
diff --git a/awstats.fc b/awstats.fc
new file mode 100644
index 0000000..5f0fa49
--- /dev/null
+++ b/awstats.fc
@@ -0,0 +1,5 @@
+/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
+/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
+/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
+
+/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
diff --git a/awstats.if b/awstats.if
new file mode 100644
index 0000000..283ff0d
--- /dev/null
+++ b/awstats.if
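Review bot: `files_pid_file(avahi_var_lib_t)` in the declarations attaches the pid-file attribute to a type that avahi.fc applies to /var/lib/avahi-autoipd, so every domain holding one of the blanket pid-file interfaces (manage/delete all pids and similar) silently gains that access to avahi's persistent state, and the local rules already treat it as /var/lib content via `files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })`. The declaration should be `files_type(avahi_var_lib_t)`, as awstats.te and backup.te in this commit do for awstats_var_lib_t and backup_store_t, leaving files_pid_file to avahi_var_run_t alone. The mislabel is not visible from the daemon's own behaviour, which is why it is easy to miss in review.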
@@ -0,0 +1,42 @@
+##
+## AWStats is a free powerful and featureful tool that generates advanced
+## web, streaming, ftp or mail server statistics, graphically.
+##
+
+########################################
+##
+## Read and write awstats unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`awstats_rw_pipes',`
+ gen_require(`
+ type awstats_t;
+ ')
+
+ allow $1 awstats_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Execute awstats cgi scripts in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`awstats_cgi_exec',`
+ gen_require(`
+ type httpd_awstats_script_exec_t, httpd_awstats_content_t;
+ ')
+
+ allow $1 httpd_awstats_content_t:dir search_dir_perms;
+ allow $1 httpd_awstats_script_exec_t:dir search_dir_perms;
+ can_exec($1, httpd_awstats_script_exec_t)
+')
diff --git a/awstats.te b/awstats.te
new file mode 100644
index 0000000..6bd3ad3
--- /dev/null
+++ b/awstats.te
@@ -0,0 +1,85 @@
+policy_module(awstats, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type awstats_t;
+type awstats_exec_t;
+domain_type(awstats_t)
+domain_entry_file(awstats_t, awstats_exec_t)
+role system_r types awstats_t;
+
+type awstats_tmp_t;
+files_tmp_file(awstats_tmp_t)
+
+type awstats_var_lib_t;
+files_type(awstats_var_lib_t)
+
+apache_content_template(awstats)
+
+########################################
+#
+# awstats policy
+#
+
+awstats_rw_pipes(awstats_t)
+awstats_cgi_exec(awstats_t)
+
+can_exec(awstats_t, awstats_exec_t)
+
+manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
+
+manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
+files_var_lib_filetrans(awstats_t, awstats_var_lib_t, file)
+
+# dontaudit access to /proc/meminfo
+kernel_dontaudit_read_system_state(awstats_t)
+
+corecmd_exec_bin(awstats_t)
+corecmd_exec_shell(awstats_t)
+
+dev_read_urand(awstats_t)
+
+files_read_etc_files(awstats_t)
+# e.g. /usr/share/awstats/lang/awstats-en.txt
+files_read_usr_files(awstats_t)
+files_dontaudit_search_all_mountpoints(awstats_t)
+
+fs_list_inotifyfs(awstats_t)
+
+libs_read_lib_files(awstats_t)
+
+logging_read_generic_logs(awstats_t)
+
+miscfiles_read_localization(awstats_t)
+
+sysnet_dns_name_resolve(awstats_t)
+
+apache_read_log(awstats_t)
+
+optional_policy(`
+ cron_system_entry(awstats_t, awstats_exec_t)
+')
+
+optional_policy(`
+ # dontaudit searching nscd pid directory
+ nscd_dontaudit_search_pid(awstats_t)
+')
+
+optional_policy(`
+ squid_read_log(awstats_t)
+')
+
+########################################
+#
+# awstats cgi script policy
+#
+
+allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+
+read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(httpd_awstats_script_t)
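Review bot: `awstats_rw_pipes(awstats_t)` and `awstats_cgi_exec(awstats_t)` at the top of the local policy route the domain's access to itself and to its own cgi types through the module's public interfaces, which hides a plain self rule behind an indirection that the rest of this commit does not use (avahi.te writes `allow avahi_t self:fifo_file rw_fifo_file_perms;` directly, and `can_exec(awstats_t, awstats_exec_t)` three lines below is written directly too). Replace the first call with `allow awstats_t self:fifo_file rw_fifo_file_perms;` and spell out the two search_dir_perms rules and `can_exec(awstats_t, httpd_awstats_script_exec_t)` in place of the second, keeping the interfaces for external callers. `apache_content_template(awstats)` and `apache_read_log(awstats_t)` are unconditional while `squid_read_log` is wrapped in optional_policy, which makes the apache module a hard dependency; a one-line comment stating that this is intended would save the next reader from "fixing" it.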
diff --git a/backup.fc b/backup.fc
new file mode 100644
index 0000000..223b7f2
--- /dev/null
+++ b/backup.fc
@@ -0,0 +1,13 @@
+# backup
+# label programs that do backups to other files on disk (IE a cron job that
+# calls tar) in backup_exec_t and label the directory for storing them as
+# backup_store_t, Debian uses /var/backups
+
+#/usr/local/bin/backup-script -- gen_context(system_u:object_r:backup_exec_t,s0)
+
+ifdef(`distro_debian',`
+/etc/cron.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0)
+/etc/cron.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0)
+')
+
+/var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0)
diff --git a/backup.if b/backup.if
new file mode 100644
index 0000000..1017b7a
--- /dev/null
+++ b/backup.if
@@ -0,0 +1,45 @@
+## System backup scripts
+
+########################################
+##
+## Execute backup in the backup domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`backup_domtrans',`
+ gen_require(`
+ type backup_t, backup_exec_t;
+ ')
+
+ domtrans_pattern($1, backup_exec_t, backup_t)
+')
+
+########################################
+##
+## Execute backup in the backup domain, and
+## allow the specified role the backup domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`backup_run',`
+ gen_require(`
+ type backup_t;
+ ')
+
+ backup_domtrans($1)
+ role $2 types backup_t;
+')
diff --git a/backup.te b/backup.te
new file mode 100644
index 0000000..0bfc958
--- /dev/null
+++ b/backup.te
@@ -0,0 +1,85 @@
+policy_module(backup, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type backup_t;
+type backup_exec_t;
+domain_type(backup_t)
+domain_entry_file(backup_t, backup_exec_t)
+role system_r types backup_t;
+
+type backup_store_t;
+files_type(backup_store_t)
+
+########################################
+#
+# Local policy
+#
+
+allow backup_t self:capability dac_override;
+allow backup_t self:process signal;
+allow backup_t self:fifo_file rw_fifo_file_perms;
+allow backup_t self:tcp_socket create_socket_perms;
+allow backup_t self:udp_socket create_socket_perms;
+
+allow backup_t backup_store_t:file setattr;
+manage_files_pattern(backup_t, backup_store_t, backup_store_t)
+rw_files_pattern(backup_t, backup_store_t, backup_store_t)
+read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t)
+
+kernel_read_system_state(backup_t)
+kernel_read_kernel_sysctls(backup_t)
+
+corecmd_exec_bin(backup_t)
+corecmd_exec_shell(backup_t)
+
+corenet_all_recvfrom_unlabeled(backup_t)
+corenet_all_recvfrom_netlabel(backup_t)
+corenet_tcp_sendrecv_generic_if(backup_t)
+corenet_udp_sendrecv_generic_if(backup_t)
+corenet_raw_sendrecv_generic_if(backup_t)
+corenet_tcp_sendrecv_generic_node(backup_t)
+corenet_udp_sendrecv_generic_node(backup_t)
+corenet_raw_sendrecv_generic_node(backup_t)
+corenet_tcp_sendrecv_all_ports(backup_t)
+corenet_udp_sendrecv_all_ports(backup_t)
+corenet_tcp_connect_all_ports(backup_t)
+corenet_sendrecv_all_client_packets(backup_t)
+
+dev_getattr_all_blk_files(backup_t)
+dev_getattr_all_chr_files(backup_t)
+# for SSP
+dev_read_urand(backup_t)
+
+domain_use_interactive_fds(backup_t)
+
+files_read_all_files(backup_t)
+files_read_all_symlinks(backup_t)
+files_getattr_all_pipes(backup_t)
+files_getattr_all_sockets(backup_t)
+
+fs_getattr_xattr_fs(backup_t)
+fs_list_all(backup_t)
+
+auth_read_shadow(backup_t)
+
+logging_send_syslog_msg(backup_t)
+
+sysnet_read_config(backup_t)
+
+userdom_use_user_terminals(backup_t)
+
+optional_policy(`
+ cron_system_entry(backup_t, backup_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(backup_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(backup_t)
+')
diff --git a/bind.fc b/bind.fc
new file mode 100644
index 0000000..59aa54f
--- /dev/null
+++ b/bind.fc
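Review bot: `allow backup_t backup_store_t:file setattr;` and `rw_files_pattern(backup_t, backup_store_t, backup_store_t)` are both already contained in the `manage_files_pattern(backup_t, backup_store_t, backup_store_t)` that sits between them (manage_file_perms includes setattr, read and write), so the two lines add nothing and should be dropped to keep the store rules to one pattern plus the lnk_file read. `auth_read_shadow(backup_t)` together with `files_read_all_files`, `corenet_tcp_connect_all_ports` and the Debian cron scripts that backup.fc labels backup_exec_t makes this domain one that can read every file including the shadow database and talk to any port, which is a large trust grant for a `/etc/cron.daily/standard` script; that may well be intended for a full-system backup, but the line should carry a why-comment such as `# full-system backups archive /etc/shadow` so the grant is visibly deliberate. The local-policy block starts at the top of this hunk on an earlier physical line.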
@@ -0,0 +1,63 @@
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
+/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+
+/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+
+/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+
+/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+
+ifdef(`distro_debian',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/bind/pri(/.*)? 
gen_context(system_u:object_r:named_zone_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/proc(/.*)? <>
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
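Review bot: `/etc/named\.rfc1912.zones` and its chroot twin `/var/named/chroot/etc/named\.rfc1912.zones` leave the second `.` unescaped while every neighbouring entry escapes its dots (`named\.root\.hints`, `named\.caching-nameserver\.conf`), so the regex matches any single character there instead of a literal dot; both should read `named\.rfc1912\.zones`. The entry `/var/named/chroot/proc(/.*)? <>` looks like the rendering has eaten the inside of the "no label" marker, so the raw file is worth checking for the full token. The `/var/bind/pri(/.*)?` entry at the end of the gentoo block is split across two physical lines here but is a single file-context line.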
diff --git a/bind.if b/bind.if
new file mode 100644
index 0000000..44a1e3d
--- /dev/null
+++ b/bind.if
@@ -0,0 +1,399 @@
+## Berkeley internet name domain DNS server.
+
+########################################
+##
+## Execute bind server in the bind domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bind_initrc_domtrans',`
+ gen_require(`
+ type named_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
+')
+
+########################################
+##
+## Execute ndc in the ndc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bind_domtrans_ndc',`
+ gen_require(`
+ type ndc_t, ndc_exec_t;
+ ')
+
+ domtrans_pattern($1, ndc_exec_t, ndc_t)
+')
+
+########################################
+##
+## Send generic signals to BIND.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_signal',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signal;
+')
+
+########################################
+##
+## Send null sigals to BIND.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_signull',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signull;
+')
+
+########################################
+##
+## Send BIND the kill signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_kill',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process sigkill;
+')
+
+########################################
+##
+## Execute ndc in the ndc domain, and
+## allow the specified role the ndc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`bind_run_ndc',`
+ gen_require(`
+ type ndc_t;
+ ')
+
+ bind_domtrans_ndc($1)
+ role $2 types ndc_t;
+')
+
+########################################
+##
+## Execute bind in the named domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bind_domtrans',`
+ gen_require(`
+ type named_t, named_exec_t;
+ ')
+
+ domtrans_pattern($1, named_exec_t, named_t)
+')
+
+########################################
+##
+## Read DNSSEC keys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_read_dnssec_keys',`
+ gen_require(`
+ type named_conf_t, named_zone_t, dnssec_t;
+ ')
+
+ read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t)
+')
+
+########################################
+##
+## Read BIND named configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_read_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ read_files_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+##
+## Write BIND named configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_write_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ write_files_pattern($1, named_conf_t, named_conf_t)
+ allow $1 named_conf_t:file setattr;
+')
+
+########################################
+##
+## Create, read, write, and delete
+## BIND configuration directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_manage_config_dirs',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ manage_dirs_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+##
+## Search the BIND cache directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_search_cache',`
+ gen_require(`
+ type named_conf_t, named_cache_t, named_zone_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_conf_t:dir search_dir_perms;
+ allow $1 named_zone_t:dir search_dir_perms;
+ allow $1 named_cache_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete
+## BIND cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_manage_cache',`
+ gen_require(`
+ type named_cache_t, named_zone_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+ manage_files_pattern($1, named_cache_t, named_cache_t)
+ manage_lnk_files_pattern($1, named_cache_t, named_cache_t)
+')
+
+########################################
+##
+## Set the attributes of the BIND pid directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_setattr_pid_dirs',`
+ gen_require(`
+ type named_var_run_t;
+ ')
+
+ allow $1 named_var_run_t:dir setattr;
+')
+
+########################################
+##
+## Set the attributes of the BIND zone directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_setattr_zone_dirs',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ allow $1 named_zone_t:dir setattr;
+')
+
+########################################
+##
+## Read BIND zone files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_read_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+##
+## Manage BIND zone files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_manage_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+##
+## Send and receive datagrams to and from named. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_udp_chat_named',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an bind environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the bind domain.
+##
+##
+##
+#
+interface(`bind_admin',`
+ gen_require(`
+ type named_t, named_tmp_t, named_log_t;
+ type named_conf_t, named_var_lib_t, named_var_run_t;
+ type named_cache_t, named_zone_t;
+ type dnssec_t, ndc_t;
+ type named_initrc_exec_t;
+ ')
+
+ allow $1 named_t:process { ptrace signal_perms };
+ ps_process_pattern($1, named_t)
+
+ allow $1 ndc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ndc_t)
+
+ bind_run_ndc($1, $2)
+
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 named_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, named_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, named_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, named_conf_t)
+
+ admin_pattern($1, named_cache_t)
+ admin_pattern($1, named_zone_t)
+ admin_pattern($1, dnssec_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, named_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, named_var_run_t)
+')
diff --git a/bind.te b/bind.te
new file mode 100644
index 0000000..4deca04
--- /dev/null
+++ b/bind.te
@@ -0,0 +1,260 @@
+policy_module(bind, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
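Review bot: `bind_admin` requires `type named_conf_t, named_var_lib_t, named_var_run_t;` and then calls `admin_pattern($1, named_var_lib_t)`, but nothing in this commit declares named_var_lib_t — bind.te's declarations cover named_conf_t, named_cache_t, named_log_t, named_tmp_t, named_var_run_t and named_zone_t, and bind.fc has no /var/lib entry — so a module calling bind_admin will fail to build unless the type comes from somewhere outside this commit. Either add `type named_var_lib_t;` with `files_type(named_var_lib_t)` and a file context to bind.te, or drop `files_list_var_lib($1)`, `admin_pattern($1, named_var_lib_t)` and the require from the interface. Separately, the summary `## Send null sigals to BIND.` should read `## Send null signals to BIND.`, and `bind_search_cache` also grants search on named_conf_t and named_zone_t, which its one-line summary `## Search the BIND cache directory.` does not mention.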

+## Allow BIND to write the master zone files.
+## Generally this is used for dynamic DNS or zone transfers.
+##

+##
+gen_tunable(named_write_master_zones, false)
+
+# for DNSSEC key files
+type dnssec_t;
+files_security_file(dnssec_t)
+
+type named_t;
+type named_exec_t;
+init_daemon_domain(named_t, named_exec_t)
+role system_r types named_t;
+
+type named_checkconf_exec_t;
+init_system_domain(named_t, named_checkconf_exec_t)
+
+# A type for configuration files of named.
+type named_conf_t;
+files_type(named_conf_t)
+files_mountpoint(named_conf_t)
+
+# for secondary zone files
+type named_cache_t;
+files_type(named_cache_t)
+
+type named_initrc_exec_t;
+init_script_file(named_initrc_exec_t)
+
+type named_log_t;
+logging_log_file(named_log_t)
+
+type named_tmp_t;
+files_tmp_file(named_tmp_t)
+
+type named_var_run_t;
+files_pid_file(named_var_run_t)
+
+# for primary zone files
+type named_zone_t;
+files_type(named_zone_t)
+
+type ndc_t;
+type ndc_exec_t;
+init_system_domain(ndc_t, ndc_exec_t)
+role system_r types ndc_t;
+
+########################################
+#
+# Named local policy
+#
+
+allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+dontaudit named_t self:capability sys_tty_config;
+allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
+allow named_t self:fifo_file rw_fifo_file_perms;
+allow named_t self:unix_stream_socket create_stream_socket_perms;
+allow named_t self:unix_dgram_socket create_socket_perms;
+allow named_t self:tcp_socket create_stream_socket_perms;
+allow named_t self:udp_socket create_socket_perms;
+
+allow named_t dnssec_t:file read_file_perms;
+
+# read configuration
+allow named_t named_conf_t:dir list_dir_perms;
+read_files_pattern(named_t, named_conf_t, named_conf_t)
+read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+
+# write cache for secondary zones
+manage_files_pattern(named_t, named_cache_t, named_cache_t)
+manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+
+can_exec(named_t, named_exec_t)
+
+manage_files_pattern(named_t, named_log_t, 
named_log_t)
+logging_log_filetrans(named_t, named_log_t, { file dir })
+
+manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
+files_tmp_filetrans(named_t, named_tmp_t, { file dir })
+
+manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
+manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
+files_pid_filetrans(named_t, named_var_run_t, { file sock_file })
+
+# read zone files
+allow named_t named_zone_t:dir list_dir_perms;
+read_files_pattern(named_t, named_zone_t, named_zone_t)
+read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+
+kernel_read_kernel_sysctls(named_t)
+kernel_read_system_state(named_t)
+kernel_read_network_state(named_t)
+
+corecmd_search_bin(named_t)
+
+corenet_all_recvfrom_unlabeled(named_t)
+corenet_all_recvfrom_netlabel(named_t)
+corenet_tcp_sendrecv_generic_if(named_t)
+corenet_udp_sendrecv_generic_if(named_t)
+corenet_tcp_sendrecv_generic_node(named_t)
+corenet_udp_sendrecv_generic_node(named_t)
+corenet_tcp_sendrecv_all_ports(named_t)
+corenet_udp_sendrecv_all_ports(named_t)
+corenet_tcp_bind_generic_node(named_t)
+corenet_udp_bind_generic_node(named_t)
+corenet_tcp_bind_dns_port(named_t)
+corenet_udp_bind_dns_port(named_t)
+corenet_tcp_bind_rndc_port(named_t)
+corenet_tcp_connect_all_ports(named_t)
+corenet_sendrecv_dns_server_packets(named_t)
+corenet_sendrecv_dns_client_packets(named_t)
+corenet_sendrecv_rndc_server_packets(named_t)
+corenet_sendrecv_rndc_client_packets(named_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
+corenet_udp_bind_all_unreserved_ports(named_t)
+
+dev_read_sysfs(named_t)
+dev_read_rand(named_t)
+dev_read_urand(named_t)
+
+domain_use_interactive_fds(named_t)
+
+files_read_etc_files(named_t)
+files_read_etc_runtime_files(named_t)
+
+fs_getattr_all_fs(named_t)
+fs_search_auto_mountpoints(named_t)
+
+auth_use_nsswitch(named_t)
+
+logging_send_syslog_msg(named_t)
+
+miscfiles_read_localization(named_t)
+miscfiles_read_generic_certs(named_t)
+
+userdom_dontaudit_use_unpriv_user_fds(named_t)
+userdom_dontaudit_search_user_home_dirs(named_t)
+
+tunable_policy(`named_write_master_zones',`
+ manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
+ manage_files_pattern(named_t, named_zone_t, named_zone_t)
+ manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+')
+
+optional_policy(`
+ init_dbus_chat_script(named_t)
+
+ sysnet_dbus_chat_dhcpc(named_t)
+
+ dbus_system_bus_client(named_t)
+ dbus_connect_system_bus(named_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(named_t)
+ ')
+')
+
+optional_policy(`
+ kerberos_keytab_template(named, named_t)
+')
+
+optional_policy(`
+ # this seems like fds that arent being
+ # closed. these should probably be
+ # dontaudits instead.
+ networkmanager_rw_udp_sockets(named_t)
+ networkmanager_rw_packet_sockets(named_t)
+ networkmanager_rw_routing_sockets(named_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(named_t)
+')
+
+optional_policy(`
+ udev_read_db(named_t)
+')
+
+########################################
+#
+# NDC local policy
+#
+
+# cjp: why net_admin?!
+allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:process { fork signal_perms };
+allow ndc_t self:fifo_file rw_fifo_file_perms;
+allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
+allow ndc_t self:tcp_socket create_socket_perms;
+allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow ndc_t dnssec_t:file read_file_perms;
+allow ndc_t dnssec_t:lnk_file { getattr read };
+
+stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
+
+allow ndc_t named_conf_t:file read_file_perms;
+allow ndc_t named_conf_t:lnk_file { getattr read };
+
+allow ndc_t named_zone_t:dir search_dir_perms;
+
+kernel_read_kernel_sysctls(ndc_t)
+
+corenet_all_recvfrom_unlabeled(ndc_t)
+corenet_all_recvfrom_netlabel(ndc_t)
+corenet_tcp_sendrecv_generic_if(ndc_t)
+corenet_tcp_sendrecv_generic_node(ndc_t)
+corenet_tcp_sendrecv_all_ports(ndc_t)
+corenet_tcp_bind_generic_node(ndc_t)
+corenet_tcp_connect_rndc_port(ndc_t)
+corenet_sendrecv_rndc_client_packets(ndc_t)
+
+domain_use_interactive_fds(ndc_t)
+
+files_read_etc_files(ndc_t)
+files_search_pids(ndc_t)
+
+fs_getattr_xattr_fs(ndc_t)
+
+init_use_fds(ndc_t)
+init_use_script_ptys(ndc_t)
+
+logging_send_syslog_msg(ndc_t)
+
+miscfiles_read_localization(ndc_t)
+
+sysnet_read_config(ndc_t)
+sysnet_dns_name_resolve(ndc_t)
+
+userdom_use_user_terminals(ndc_t)
+
+term_dontaudit_use_console(ndc_t)
+
+# for /etc/rndc.key
+ifdef(`distro_redhat',`
+ allow ndc_t named_conf_t:dir search;
+')
+
+optional_policy(`
+ nis_use_ypbind(ndc_t)
+')
+
+optional_policy(`
+ nscd_socket_use(ndc_t)
+')
+
+optional_policy(`
+ ppp_dontaudit_use_fds(ndc_t)
+')
diff --git a/bitlbee.fc b/bitlbee.fc
new file mode 100644
index 0000000..0197980
--- /dev/null
+++ b/bitlbee.fc
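Review bot: `allow ndc_t self:capability { dac_override net_admin };` ships with the open question `# cjp: why net_admin?!` directly above it, so the net_admin grant has no recorded justification; as far as this hunk shows, ndc only needs `corenet_tcp_connect_rndc_port(ndc_t)` and the unix stream connect to named, neither of which requires net_admin, so the capability should either be removed or the comment replaced by one naming the denial that motivates it. The same question applies to `dac_override` on that line, which lets ndc read the key and config files regardless of their DAC mode; if the files are readable by the user ndc runs as, it is not needed. For named_t, `corenet_tcp_connect_all_ports(named_t)` is far wider than outbound DNS and rndc traffic, and a short comment naming the case it covers would let a later reviewer tighten it to the specific ports.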
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
+/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
+
+/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+
+/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
diff --git a/bitlbee.if b/bitlbee.if
new file mode 100644
index 0000000..de0bd67
--- /dev/null
+++ b/bitlbee.if
@@ -0,0 +1,59 @@
+## Bitlbee service
+
+########################################
+##
+## Read bitlbee configuration files
+##
+##
+##
+## Domain allowed accesss.
+##
+##
+#
+interface(`bitlbee_read_config',`
+ gen_require(`
+ type bitlbee_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 bitlbee_conf_t:dir list_dir_perms;
+ allow $1 bitlbee_conf_t:file read_file_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an bitlbee environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the bitlbee domain.
+##
+##
+##
+#
+interface(`bitlbee_admin',`
+ gen_require(`
+ type bitlbee_t, bitlbee_conf_t, bitlbee_var_t;
+ type bitlbee_initrc_exec_t;
+ ')
+
+ allow $1 bitlbee_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bitlbee_t)
+
+ init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitlbee_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, bitlbee_conf_t)
+
+ files_list_var($1)
+ admin_pattern($1, bitlbee_var_t)
+')
diff --git a/bitlbee.te b/bitlbee.te
new file mode 100644
index 0000000..f4e7ad3
--- /dev/null
+++ b/bitlbee.te
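Review bot: The parameter description in `bitlbee_read_config` has a typo, `## Domain allowed accesss.`, and the summary of `bitlbee_admin` reads `## an bitlbee environment`; they should be `## Domain allowed access.` and `## a bitlbee environment`. The summary line `## Read bitlbee configuration files` is also the only one in this file without a trailing period, unlike the bind and bluetooth interfaces in the same commit.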
@@ -0,0 +1,94 @@
+policy_module(bitlbee, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type bitlbee_t;
+type bitlbee_exec_t;
+init_daemon_domain(bitlbee_t, bitlbee_exec_t)
+inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
+
+type bitlbee_conf_t;
+files_config_file(bitlbee_conf_t)
+
+type bitlbee_initrc_exec_t;
+init_script_file(bitlbee_initrc_exec_t)
+
+type bitlbee_tmp_t;
+files_tmp_file(bitlbee_tmp_t)
+
+type bitlbee_var_t;
+files_type(bitlbee_var_t)
+
+########################################
+#
+# Local policy
+#
+
+allow bitlbee_t self:capability { setgid setuid };
+allow bitlbee_t self:process signal;
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+
+bitlbee_read_config(bitlbee_t)
+
+# tmp files
+manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
+
+# user account information is read and edited at runtime; give the usual
+# r/w access to bitlbee_var_t
+manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+
+kernel_read_system_state(bitlbee_t)
+
+corenet_all_recvfrom_unlabeled(bitlbee_t)
+corenet_udp_sendrecv_generic_if(bitlbee_t)
+corenet_udp_sendrecv_generic_node(bitlbee_t)
+corenet_tcp_sendrecv_generic_if(bitlbee_t)
+corenet_tcp_sendrecv_generic_node(bitlbee_t)
+# Allow bitlbee to connect to jabber servers
+corenet_tcp_connect_jabber_client_port(bitlbee_t)
+corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+# to AIM servers:
+corenet_tcp_connect_aol_port(bitlbee_t)
+corenet_tcp_sendrecv_aol_port(bitlbee_t)
+# and to MMCC (Yahoo IM) servers:
+corenet_tcp_connect_mmcc_port(bitlbee_t)
+corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
+# and to MSNP (MSN Messenger) servers:
+corenet_tcp_connect_msnp_port(bitlbee_t)
+corenet_tcp_sendrecv_msnp_port(bitlbee_t)
+# MSN can use passport auth, which is over http:
+corenet_tcp_connect_http_port(bitlbee_t)
+corenet_tcp_sendrecv_http_port(bitlbee_t)
+corenet_tcp_connect_http_cache_port(bitlbee_t)
+corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
+
+dev_read_rand(bitlbee_t)
+dev_read_urand(bitlbee_t)
+
+files_read_etc_files(bitlbee_t)
+files_search_pids(bitlbee_t)
+# grant read-only access to the user help files
+files_read_usr_files(bitlbee_t)
+
+libs_legacy_use_shared_libs(bitlbee_t)
+
+auth_use_nsswitch(bitlbee_t)
+
+logging_send_syslog_msg(bitlbee_t)
+
+miscfiles_read_localization(bitlbee_t)
+
+sysnet_dns_name_resolve(bitlbee_t)
+
+optional_policy(`
+ # normally started from inetd using tcpwrappers, so use those entry points
+ tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
+')
diff --git a/bluetooth.fc b/bluetooth.fc
new file mode 100644
index 0000000..dc687e6
--- /dev/null
+++ b/bluetooth.fc
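Review bot: `files_search_pids(bitlbee_t)` is the only /var/run access the domain gets, and the declarations block defines no pid-file type for it (bitlbee_tmp_t and bitlbee_var_t are the only writable types), so if the daemon writes a pid file when started through the init script that `init_daemon_domain(bitlbee_t, bitlbee_exec_t)` sets up, the write will be denied; this is inferred from the rule set, not from a denial, so it should be confirmed against the daemon's standalone mode. If a pid file is written, add a `bitlbee_var_run_t` type with `files_pid_file`, `manage_files_pattern` and `files_pid_filetrans`; if the daemon is only ever run from inetd, the search rule can be dropped and the comment above `tcpd_wrapped_domain` should say so. The comment `# user account information is read and edited at runtime` would also be more useful if it named what the files under bitlbee_var_t hold, since bitlbee_admin in bitlbee.if hands full management of that type to the admin domain.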
@@ -0,0 +1,30 @@
+#
+# /etc
+#
+/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0)
+/etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
+/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
+/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
+
+/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
diff --git a/bluetooth.if b/bluetooth.if
new file mode 100644
index 0000000..3e45431
--- /dev/null
+++ b/bluetooth.if
@@ -0,0 +1,228 @@
+## Bluetooth tools and system services.
+
+########################################
+##
+## Role access for bluetooth
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`bluetooth_role',`
+ gen_require(`
+ type bluetooth_helper_t, bluetooth_helper_exec_t;
+ type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t;
+ ')
+
+ role $1 types bluetooth_helper_t;
+
+ domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
+
+ # allow ps to show cdrecord and allow the user to kill it
+ ps_process_pattern($2, bluetooth_helper_t)
+ allow $2 bluetooth_helper_t:process signal;
+
+ manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+ manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+ manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+
+ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+')
+
+#####################################
+##
+## Connect to bluetooth over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bluetooth_stream_connect',`
+ gen_require(`
+ type bluetooth_t, bluetooth_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 bluetooth_t:socket rw_socket_perms;
+ stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+')
+
+########################################
+##
+## Execute bluetooth in the bluetooth domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bluetooth_domtrans',`
+ gen_require(`
+ type bluetooth_t, bluetooth_exec_t;
+ ')
+
+ domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
+')
+
+########################################
+##
+## Read bluetooth daemon configuration.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bluetooth_read_config',`
+ gen_require(`
+ type bluetooth_conf_t;
+ ')
+
+ allow $1 bluetooth_conf_t:file { getattr read ioctl };
+')
+
+########################################
+##
+## Send and receive messages from
+## bluetooth over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bluetooth_dbus_chat',`
+ gen_require(`
+ type bluetooth_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 bluetooth_t:dbus send_msg;
+ allow bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bluetooth_domtrans_helper',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Execute bluetooth_helper in the bluetooth_helper domain, and
+## allow the specified role the bluetooth_helper domain. (Deprecated)
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+##
+## The type of the terminal allow the bluetooth_helper domain to use.
+##
+##
+##
+#
+interface(`bluetooth_run_helper',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Read bluetooth helper state files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`bluetooth_dontaudit_read_helper_state',`
+ gen_require(`
+ type bluetooth_helper_t;
+ ')
+
+ dontaudit $1 bluetooth_helper_t:dir search;
+ dontaudit $1 bluetooth_helper_t:file { read getattr };
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an bluetooth environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the bluetooth domain.
+##
+##
+##
+#
+interface(`bluetooth_admin',`
+ gen_require(`
+ type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+ type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_conf_t, bluetooth_conf_rw_t;
+ type bluetooth_initrc_exec_t;
+ ')
+
+ allow $1 bluetooth_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bluetooth_t)
+
+ init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bluetooth_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, bluetooth_tmp_t)
+
+ files_list_var($1)
+ admin_pattern($1, bluetooth_lock_t)
+
+ files_list_etc($1)
+ admin_pattern($1, bluetooth_conf_t)
+ admin_pattern($1, bluetooth_conf_rw_t)
+
+ files_list_spool($1)
+ admin_pattern($1, bluetooth_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, bluetooth_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, bluetooth_var_run_t)
+')
diff --git a/bluetooth.te b/bluetooth.te
new file mode 100644
index 0000000..215b86b
--- /dev/null
+++ b/bluetooth.te
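Review bot: `bluetooth_admin` requires `type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;` and calls `admin_pattern($1, bluetooth_spool_t)`, but bluetooth_spool_t is declared nowhere in this commit — bluetooth.te's declarations run from bluetooth_t to bluetooth_var_run_t with no spool type, and bluetooth.fc has no spool entry — so any module calling bluetooth_admin will fail to build unless the type exists elsewhere; either declare it in bluetooth.te with a file context or remove `files_list_spool($1)`, the admin_pattern line and the require. The comment in `bluetooth_role`, `# allow ps to show cdrecord and allow the user to kill it`, was carried over from another module and names the wrong program; `# allow ps to show bluetooth_helper and allow the user to kill it` is what the two rules under it do. The summary of `bluetooth_dontaudit_read_helper_state`, `## Read bluetooth helper state files.`, reads like an allow while the body only adds dontaudit rules; `## Do not audit attempts to read bluetooth helper state files.` matches the body.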
@@ -0,0 +1,244 @@
+policy_module(bluetooth, 3.3.0)
+
+########################################
+#
+# Declarations
+#
+type bluetooth_t;
+type bluetooth_exec_t;
+init_daemon_domain(bluetooth_t, bluetooth_exec_t)
+
+type bluetooth_conf_t;
+files_type(bluetooth_conf_t)
+
+type bluetooth_conf_rw_t;
+files_type(bluetooth_conf_rw_t)
+
+type bluetooth_helper_t;
+type bluetooth_helper_exec_t;
+typealias bluetooth_helper_t alias { user_bluetooth_helper_t staff_bluetooth_helper_t sysadm_bluetooth_helper_t };
+typealias bluetooth_helper_t alias { auditadm_bluetooth_helper_t secadm_bluetooth_helper_t };
+application_domain(bluetooth_helper_t, bluetooth_helper_exec_t)
+ubac_constrained(bluetooth_helper_t)
+
+type bluetooth_helper_tmp_t;
+typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t };
+typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t };
+files_tmp_file(bluetooth_helper_tmp_t)
+ubac_constrained(bluetooth_helper_tmp_t)
+
+type bluetooth_helper_tmpfs_t;
+typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t };
+typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t };
+files_tmpfs_file(bluetooth_helper_tmpfs_t)
+ubac_constrained(bluetooth_helper_tmpfs_t)
+
+type bluetooth_initrc_exec_t;
+init_script_file(bluetooth_initrc_exec_t)
+
+type bluetooth_lock_t;
+files_lock_file(bluetooth_lock_t)
+
+type bluetooth_tmp_t;
+files_tmp_file(bluetooth_tmp_t)
+
+type bluetooth_var_lib_t;
+files_type(bluetooth_var_lib_t)
+
+type bluetooth_var_run_t;
+files_pid_file(bluetooth_var_run_t)
+
+########################################
+#
+# Bluetooth services local policy
+#
+
+#sys_admin capability - redhat bug 573015
+allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin 
sys_tty_config ipc_lock };
+dontaudit bluetooth_t self:capability sys_tty_config;
+allow bluetooth_t self:process { getcap setcap getsched signal_perms };
+allow bluetooth_t self:fifo_file rw_fifo_file_perms;
+allow bluetooth_t self:shm create_shm_perms;
+allow bluetooth_t self:socket create_stream_socket_perms;
+allow bluetooth_t self:unix_dgram_socket create_socket_perms;
+allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow bluetooth_t self:tcp_socket create_stream_socket_perms;
+allow bluetooth_t self:udp_socket create_socket_perms;
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
+
+manage_dirs_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_lnk_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_fifo_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_sock_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file lnk_file sock_file fifo_file })
+
+can_exec(bluetooth_t, bluetooth_helper_exec_t)
+
+allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
+files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
+
+manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
+
+manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
+
+manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
+manage_sock_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
+files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(bluetooth_t)
+kernel_read_system_state(bluetooth_t)
+kernel_read_network_state(bluetooth_t)
+kernel_request_load_module(bluetooth_t)
+#search debugfs - redhat bug 548206
+kernel_search_debugfs(bluetooth_t)
+
+corenet_all_recvfrom_unlabeled(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
+corenet_tcp_sendrecv_generic_if(bluetooth_t)
+corenet_udp_sendrecv_generic_if(bluetooth_t)
+corenet_raw_sendrecv_generic_if(bluetooth_t)
+corenet_tcp_sendrecv_generic_node(bluetooth_t)
+corenet_udp_sendrecv_generic_node(bluetooth_t)
+corenet_raw_sendrecv_generic_node(bluetooth_t)
+corenet_tcp_sendrecv_all_ports(bluetooth_t)
+corenet_udp_sendrecv_all_ports(bluetooth_t)
+
+dev_read_sysfs(bluetooth_t)
+dev_rw_usbfs(bluetooth_t)
+dev_rw_generic_usb_dev(bluetooth_t)
+dev_read_urand(bluetooth_t)
+dev_rw_input_dev(bluetooth_t)
+dev_rw_wireless(bluetooth_t)
+
+fs_getattr_all_fs(bluetooth_t)
+fs_search_auto_mountpoints(bluetooth_t)
+fs_list_inotifyfs(bluetooth_t)
+
+#Handle bluetooth serial devices
+term_use_unallocated_ttys(bluetooth_t)
+
+corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
+
+domain_use_interactive_fds(bluetooth_t)
+domain_dontaudit_search_all_domains_state(bluetooth_t)
+
+files_read_etc_files(bluetooth_t)
+files_read_etc_runtime_files(bluetooth_t)
+files_read_usr_files(bluetooth_t)
+
+auth_use_nsswitch(bluetooth_t)
+
+logging_send_syslog_msg(bluetooth_t)
+
+miscfiles_read_localization(bluetooth_t)
+miscfiles_read_fonts(bluetooth_t)
+miscfiles_read_hwdata(bluetooth_t)
+
+userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+userdom_dontaudit_use_user_terminals(bluetooth_t)
+userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+
+optional_policy(`
+ dbus_system_bus_client(bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
+
+ optional_policy(`
+ cups_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(bluetooth_t)
+ ')
+
+
optional_policy(`
+ networkmanager_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_dbus_chat(bluetooth_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(bluetooth_t)
+')
+
+optional_policy(`
+ udev_read_db(bluetooth_t)
+')
+
+optional_policy(`
+ ppp_domtrans(bluetooth_t)
+')
+
+########################################
+#
+# Bluetooth helper programs local policy
+#
+
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:process getsched;
+allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow bluetooth_helper_t self:tcp_socket create_socket_perms;
+allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_sock_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+fs_tmpfs_filetrans(bluetooth_helper_t, bluetooth_helper_tmpfs_t, { dir file })
+
+kernel_read_system_state(bluetooth_helper_t)
+kernel_read_kernel_sysctls(bluetooth_helper_t)
+
+dev_read_urand(bluetooth_helper_t)
+
+term_dontaudit_use_all_ttys(bluetooth_helper_t)
+
+corecmd_exec_bin(bluetooth_helper_t)
+corecmd_exec_shell(bluetooth_helper_t)
+
+domain_read_all_domains_state(bluetooth_helper_t)
+
+files_read_etc_files(bluetooth_helper_t)
+files_read_etc_runtime_files(bluetooth_helper_t)
+files_read_usr_files(bluetooth_helper_t)
+files_dontaudit_list_default(bluetooth_helper_t)
+
+locallogin_dontaudit_use_fds(bluetooth_helper_t)
+
+logging_send_syslog_msg(bluetooth_helper_t)
+
+miscfiles_read_localization(bluetooth_helper_t)
+
+sysnet_read_config(bluetooth_helper_t)
+
+optional_policy(`
+ bluetooth_dbus_chat(bluetooth_helper_t)
+
+ dbus_system_bus_client(bluetooth_helper_t)
+ dbus_connect_system_bus(bluetooth_helper_t)
+')
+
+optional_policy(`
+ nscd_socket_use(bluetooth_helper_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
+')
diff --git a/brctl.fc b/brctl.fc
new file mode 100644
index 0000000..642f67e
--- /dev/null
+++ b/brctl.fc
@@ -0,0 +1 @@
+/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
diff --git a/brctl.if b/brctl.if
new file mode 100644
index 0000000..2c2cdb6
--- /dev/null
+++ b/brctl.if
@@ -0,0 +1,20 @@
+## Utilities for configuring the linux ethernet bridge
+
+########################################
+##
+## Execute a domain transition to run brctl.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`brctl_domtrans',`
+ gen_require(`
+ type brctl_t, brctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, brctl_exec_t, brctl_t)
+')
diff --git a/brctl.te b/brctl.te
new file mode 100644
index 0000000..9a62a1d
--- /dev/null
+++ b/brctl.te
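Review bot: The daemon's capability allow ends with `sys_admin sys_tty_config ipc_lock };` (the line is split across two physical lines of the page) and is immediately followed by `dontaudit bluetooth_t self:capability sys_tty_config;`, which suppresses audit for a permission the previous line already grants; the dontaudit is dead and the allow is a real grant that the pairing suggests was not intended. If the daemon only probes for sys_tty_config, keep the dontaudit and drop `sys_tty_config` from the allow; if it genuinely needs it, drop the dontaudit and say why in the comment. The `sys_admin` grant is justified only by `#sys_admin capability - redhat bug 573015`; the comment should name the operation that needs it so the grant can be revisited without chasing the bug. `corecmd_exec_shell(bluetooth_t)` and `corecmd_exec_bin(bluetooth_t)` on a system daemon also deserve a one-line comment naming the helper they exist for, given that `can_exec(bluetooth_t, bluetooth_helper_exec_t)` already covers the helper binaries.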
@@ -0,0 +1,44 @@
+policy_module(brctl, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type brctl_t;
+type brctl_exec_t;
+init_system_domain(brctl_t, brctl_exec_t)
+
+########################################
+#
+# brctl local policy
+#
+
+allow brctl_t self:capability net_admin;
+allow brctl_t self:fifo_file rw_fifo_file_perms;
+allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+allow brctl_t self:tcp_socket create_socket_perms;
+
+kernel_request_load_module(brctl_t)
+kernel_read_network_state(brctl_t)
+kernel_read_sysctl(brctl_t)
+
+corenet_rw_tun_tap_dev(brctl_t)
+
+dev_rw_sysfs(brctl_t)
+dev_write_sysfs_dirs(brctl_t)
+
+# Init script handling
+domain_use_interactive_fds(brctl_t)
+
+files_read_etc_files(brctl_t)
+
+term_dontaudit_use_console(brctl_t)
+
+miscfiles_read_localization(brctl_t)
+
+optional_policy(`
+ xen_append_log(brctl_t)
+ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
+')
diff --git a/bugzilla.fc b/bugzilla.fc
new file mode 100644
index 0000000..8c84063
--- /dev/null
+++ b/bugzilla.fc
@@ -0,0 +1,4 @@
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
diff --git a/bugzilla.if b/bugzilla.if
new file mode 100644
index 0000000..de89d0f
--- /dev/null
+++ b/bugzilla.if
@@ -0,0 +1,77 @@
+## Bugzilla server
+
+########################################
+##
+## Allow the specified domain to search
+## bugzilla directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bugzilla_search_content',`
+ gen_require(`
+ type httpd_bugzilla_content_t;
+ ')
+
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## bugzilla script unix domain stream sockets.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type httpd_bugzilla_script_t;
+ ')
+
+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an bugzilla environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the bugzilla domain.
+##
+##
+##
+#
+interface(`bugzilla_admin',`
+ gen_require(`
+ type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+ type httpd_bugzilla_htaccess_t;
+ ')
+
+ allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_bugzilla_script_t)
+
+ files_list_var_lib(httpd_bugzilla_script_t)
+
+ apache_list_sys_content($1)
+ admin_pattern($1, httpd_bugzilla_script_exec_t)
+ admin_pattern($1, httpd_bugzilla_script_t)
+ admin_pattern($1, httpd_bugzilla_content_t)
+ admin_pattern($1, httpd_bugzilla_htaccess_t)
+ admin_pattern($1, httpd_bugzilla_rw_content_t)
+ admin_pattern($1, httpd_bugzilla_ra_content_t)
+')
diff --git a/bugzilla.te b/bugzilla.te
new file mode 100644
index 0000000..048abbf
--- /dev/null
+++ b/bugzilla.te
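Review bot: In `bugzilla_admin`, `files_list_var_lib(httpd_bugzilla_script_t)` grants the bugzilla script domain rather than the administrating domain, so every caller of this admin interface silently widens the script domain instead of letting $1 reach `httpd_bugzilla_rw_content_t` under /var/lib. The sibling admin interfaces in this commit (`canna_admin`, `certmaster_admin`) pass `$1` to `files_list_var_lib`. The line should read `files_list_var_lib($1)`; if the script domain itself needs that access it belongs in bugzilla.te, which already carries `files_search_var_lib(httpd_bugzilla_script_t)`.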
@@ -0,0 +1,50 @@
+policy_module(bugzilla, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(bugzilla)
+
+########################################
+#
+# bugzilla local policy
+#
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mta_send_mail(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
diff --git a/calamaris.fc b/calamaris.fc
new file mode 100644
index 0000000..9cbd0a0
--- /dev/null
+++ b/calamaris.fc
@@ -0,0 +1,10 @@
+#
+# /etc
+#
+/etc/cron\.daily/calamaris -- gen_context(system_u:object_r:calamaris_exec_t,s0)
+
+#
+# /var
+#
+/var/log/calamaris(/.*)? gen_context(system_u:object_r:calamaris_log_t,s0)
+/var/www/calamaris(/.*)? gen_context(system_u:object_r:calamaris_www_t,s0)
diff --git a/calamaris.if b/calamaris.if
new file mode 100644
index 0000000..df183be
--- /dev/null
+++ b/calamaris.if
@@ -0,0 +1,21 @@
+## Squid log analysis
+
+#######################################
+##
+## Allow domain to read calamaris www files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`calamaris_read_www_files',`
+ gen_require(`
+ type calamaris_www_t;
+ ')
+
+ allow $1 calamaris_www_t:dir list_dir_perms;
+ read_files_pattern($1, calamaris_www_t, calamaris_www_t)
+ read_lnk_files_pattern($1, calamaris_www_t, calamaris_www_t)
+')
diff --git a/calamaris.te b/calamaris.te
new file mode 100644
index 0000000..b13fb66
--- /dev/null
+++ b/calamaris.te
@@ -0,0 +1,83 @@
+policy_module(calamaris, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type calamaris_t;
+type calamaris_exec_t;
+init_system_domain(calamaris_t, calamaris_exec_t)
+
+type calamaris_www_t;
+files_type(calamaris_www_t)
+
+type calamaris_log_t;
+logging_log_file(calamaris_log_t)
+
+########################################
+#
+# Local policy
+#
+
+# for when squid has a different UID
+allow calamaris_t self:capability dac_override;
+allow calamaris_t self:process { fork signal_perms setsched };
+allow calamaris_t self:fifo_file rw_fifo_file_perms;
+allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
+allow calamaris_t self:tcp_socket create_stream_socket_perms;
+allow calamaris_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
+manage_lnk_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
+
+manage_files_pattern(calamaris_t, calamaris_log_t, calamaris_log_t)
+logging_log_filetrans(calamaris_t, calamaris_log_t, { file dir })
+
+kernel_read_all_sysctls(calamaris_t)
+kernel_read_system_state(calamaris_t)
+
+corecmd_exec_bin(calamaris_t)
+
+corenet_all_recvfrom_unlabeled(calamaris_t)
+corenet_all_recvfrom_netlabel(calamaris_t)
+corenet_tcp_sendrecv_generic_if(calamaris_t)
+corenet_udp_sendrecv_generic_if(calamaris_t)
+corenet_tcp_sendrecv_generic_node(calamaris_t)
+corenet_udp_sendrecv_generic_node(calamaris_t)
+corenet_tcp_sendrecv_all_ports(calamaris_t)
+corenet_udp_sendrecv_all_ports(calamaris_t)
+
+dev_read_urand(calamaris_t)
+
+files_search_pids(calamaris_t)
+files_read_etc_files(calamaris_t)
+files_read_usr_files(calamaris_t)
+files_read_var_files(calamaris_t)
+files_read_etc_runtime_files(calamaris_t)
+
+libs_read_lib_files(calamaris_t)
+
+auth_use_nsswitch(calamaris_t)
+
+logging_send_syslog_msg(calamaris_t)
+
+miscfiles_read_localization(calamaris_t)
+
+userdom_dontaudit_list_user_home_dirs(calamaris_t)
+
+optional_policy(`
+ apache_search_sys_content(calamaris_t)
+')
+
+optional_policy(`
+ cron_system_entry(calamaris_t, calamaris_exec_t)
+')
+
+optional_policy(`
+ mta_send_mail(calamaris_t)
+')
+
+optional_policy(`
+ squid_read_log(calamaris_t)
+')
diff --git a/canna.fc b/canna.fc
new file mode 100644
index 0000000..5432d0e
--- /dev/null
+++ b/canna.fc
@@ -0,0 +1,23 @@
+/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/cannaping -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0)
+
+/usr/sbin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/sbin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/canna/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0)
+/var/lib/wnn/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0)
+
+/var/log/canna(/.*)? gen_context(system_u:object_r:canna_log_t,s0)
+/var/log/wnn(/.*)? gen_context(system_u:object_r:canna_log_t,s0)
+
+/var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0)
+/var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0)
+/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0)
diff --git a/canna.if b/canna.if
new file mode 100644
index 0000000..4a26b0c
--- /dev/null
+++ b/canna.if
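Review bot: `allow calamaris_t self:capability dac_override;` is broader than its own comment ("for when squid has a different UID") requires: reading another UID's log files needs only `dac_read_search`, while `dac_override` also bypasses DAC write checks for a cron-driven report generator that already has manage access to its own `calamaris_www_t` and `calamaris_log_t` types. Unless calamaris is known to write into squid-owned paths, `allow calamaris_t self:capability dac_read_search;` is the least-privilege form. The `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` pair is also wide for a log analyser; if it only exists for name lookups, `auth_use_nsswitch(calamaris_t)` is already present, but the intended network use cannot be confirmed from this hunk.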
@@ -0,0 +1,61 @@
+## Canna - kana-kanji conversion server
+
+########################################
+##
+## Connect to Canna using a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`canna_stream_connect',`
+ gen_require(`
+ type canna_t, canna_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, canna_var_run_t, canna_var_run_t, canna_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an canna environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the canna domain.
+##
+##
+##
+#
+interface(`canna_admin',`
+ gen_require(`
+ type canna_t, canna_log_t, canna_var_lib_t;
+ type canna_var_run_t, canna_initrc_exec_t;
+ ')
+
+ allow $1 canna_t:process { ptrace signal_perms };
+ ps_process_pattern($1, canna_t)
+
+ init_labeled_script_domtrans($1, canna_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 canna_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, canna_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, canna_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, canna_var_run_t)
+')
diff --git a/canna.te b/canna.te
new file mode 100644
index 0000000..1d25efe
--- /dev/null
+++ b/canna.te
@@ -0,0 +1,93 @@
+policy_module(canna, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type canna_t;
+type canna_exec_t;
+init_daemon_domain(canna_t, canna_exec_t)
+
+type canna_initrc_exec_t;
+init_script_file(canna_initrc_exec_t)
+
+type canna_log_t;
+logging_log_file(canna_log_t)
+
+type canna_var_lib_t;
+files_type(canna_var_lib_t)
+
+type canna_var_run_t;
+files_pid_file(canna_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow canna_t self:capability { setgid setuid net_bind_service };
+dontaudit canna_t self:capability sys_tty_config;
+allow canna_t self:process signal_perms;
+allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
+allow canna_t self:unix_dgram_socket create_stream_socket_perms;
+allow canna_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(canna_t, canna_log_t, canna_log_t)
+allow canna_t canna_log_t:dir setattr;
+logging_log_filetrans(canna_t, canna_log_t, { file dir })
+
+manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+manage_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+files_var_lib_filetrans(canna_t, canna_var_lib_t, file)
+
+manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t)
+manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t)
+manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t)
+files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(canna_t)
+kernel_read_system_state(canna_t)
+
+corenet_all_recvfrom_unlabeled(canna_t)
+corenet_all_recvfrom_netlabel(canna_t)
+corenet_tcp_sendrecv_generic_if(canna_t)
+corenet_tcp_sendrecv_generic_node(canna_t)
+corenet_tcp_sendrecv_all_ports(canna_t)
+corenet_tcp_connect_all_ports(canna_t)
+corenet_sendrecv_all_client_packets(canna_t)
+
+dev_read_sysfs(canna_t)
+
+fs_getattr_all_fs(canna_t)
+fs_search_auto_mountpoints(canna_t)
+
+domain_use_interactive_fds(canna_t)
+
+files_read_etc_files(canna_t)
+files_read_etc_runtime_files(canna_t)
+files_read_usr_files(canna_t)
+files_search_tmp(canna_t)
+files_dontaudit_read_root_files(canna_t)
+
+logging_send_syslog_msg(canna_t)
+
+miscfiles_read_localization(canna_t)
+
+sysnet_read_config(canna_t)
+
+userdom_dontaudit_use_unpriv_user_fds(canna_t)
+userdom_dontaudit_search_user_home_dirs(canna_t)
+
+optional_policy(`
+ nis_use_ypbind(canna_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(canna_t)
+')
+
+optional_policy(`
+ udev_read_db(canna_t)
+')
diff --git a/ccs.fc b/ccs.fc
new file mode 100644
index 0000000..8a7177d
--- /dev/null
+++ b/ccs.fc
@@ -0,0 +1,6 @@
+/etc/cluster(/.*)? gen_context(system_u:object_r:cluster_conf_t,s0)
+
+/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
+
+/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
diff --git a/ccs.if b/ccs.if
new file mode 100644
index 0000000..6ee2cc8
--- /dev/null
+++ b/ccs.if
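Review bot: `allow canna_t self:unix_dgram_socket create_stream_socket_perms;` applies the stream permission set (listen, accept) to a datagram socket; the other daemons in this commit use `create_socket_perms` for unix_dgram_socket (ccs.te, brctl.te), so the line should be `allow canna_t self:unix_dgram_socket create_socket_perms;`. The preceding line `{ connectto create_stream_socket_perms}` is missing the space before the closing brace. `corenet_tcp_connect_all_ports(canna_t)` together with `corenet_sendrecv_all_client_packets(canna_t)` lets a kana-kanji conversion server initiate TCP connections to any port, which looks wider than a listening service needs; if the outbound access is only for NIS or name lookups, `nis_use_ypbind` and `sysnet_read_config` are already present, but the intended client use cannot be confirmed from this hunk.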
@@ -0,0 +1,75 @@
+## Cluster Configuration System
+
+########################################
+##
+## Execute a domain transition to run ccs.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ccs_domtrans',`
+ gen_require(`
+ type ccs_t, ccs_exec_t;
+ ')
+
+ domtrans_pattern($1, ccs_exec_t, ccs_t)
+')
+
+########################################
+##
+## Connect to ccs over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ccs_stream_connect',`
+ gen_require(`
+ type ccs_t, ccs_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ccs_var_run_t, ccs_var_run_t, ccs_t)
+')
+
+########################################
+##
+## Read cluster configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ccs_read_config',`
+ gen_require(`
+ type cluster_conf_t;
+ ')
+
+ read_files_pattern($1, cluster_conf_t, cluster_conf_t)
+')
+
+########################################
+##
+## Manage cluster configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ccs_manage_config',`
+ gen_require(`
+ type cluster_conf_t;
+ ')
+
+ manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t)
+ manage_files_pattern($1, cluster_conf_t, cluster_conf_t)
+')
diff --git a/ccs.te b/ccs.te
new file mode 100644
index 0000000..4c90b57
--- /dev/null
+++ b/ccs.te
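Review bot: `ccs_domtrans` calls `domtrans_pattern($1, ccs_exec_t, ccs_t)` without first granting `corecmd_search_bin($1)`, whereas the other domtrans interfaces in this commit (`brctl_domtrans`, `certwatch_domtrans`) do; ccs.fc labels `/sbin/ccsd`, so a caller that cannot search bin directories would not reach the executable. Adding `corecmd_search_bin($1)` before the `domtrans_pattern` call makes the interface self-sufficient and consistent with its siblings.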
@@ -0,0 +1,122 @@
+policy_module(ccs, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type ccs_t;
+type ccs_exec_t;
+init_daemon_domain(ccs_t, ccs_exec_t)
+
+type cluster_conf_t;
+files_type(cluster_conf_t)
+
+type ccs_tmp_t;
+files_tmp_file(ccs_tmp_t)
+
+type ccs_tmpfs_t;
+files_tmpfs_file(ccs_tmpfs_t)
+
+type ccs_var_lib_t;
+logging_log_file(ccs_var_lib_t)
+
+type ccs_var_log_t;
+logging_log_file(ccs_var_log_t)
+
+type ccs_var_run_t;
+files_pid_file(ccs_var_run_t)
+
+########################################
+#
+# ccs local policy
+#
+
+allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
+allow ccs_t self:process { signal setrlimit setsched };
+dontaudit ccs_t self:process ptrace;
+allow ccs_t self:fifo_file rw_fifo_file_perms;
+allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow ccs_t self:unix_dgram_socket create_socket_perms;
+allow ccs_t self:netlink_route_socket r_netlink_socket_perms;
+allow ccs_t self:tcp_socket create_stream_socket_perms;
+allow ccs_t self:udp_socket { create_socket_perms listen recv_msg send_msg };
+# cjp: this needs to be fixed to be specific
+allow ccs_t self:socket create_socket_perms;
+
+manage_files_pattern(ccs_t, cluster_conf_t, cluster_conf_t)
+
+# tmp file
+allow ccs_t ccs_tmp_t:dir manage_dir_perms;
+manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
+manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
+files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
+
+manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file })
+
+# var lib files
+manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
+
+allow ccs_t ccs_var_log_t:dir setattr;
+manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+
+# pid file
+manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(ccs_t)
+
+corecmd_list_bin(ccs_t)
+corecmd_exec_bin(ccs_t)
+
+corenet_all_recvfrom_unlabeled(ccs_t)
+corenet_all_recvfrom_netlabel(ccs_t)
+corenet_tcp_sendrecv_generic_if(ccs_t)
+corenet_udp_sendrecv_generic_if(ccs_t)
+corenet_tcp_sendrecv_generic_node(ccs_t)
+corenet_udp_sendrecv_generic_node(ccs_t)
+corenet_tcp_sendrecv_all_ports(ccs_t)
+corenet_udp_sendrecv_all_ports(ccs_t)
+corenet_tcp_bind_generic_node(ccs_t)
+corenet_udp_bind_generic_node(ccs_t)
+corenet_tcp_bind_cluster_port(ccs_t)
+corenet_udp_bind_cluster_port(ccs_t)
+corenet_udp_bind_netsupport_port(ccs_t)
+
+dev_read_urand(ccs_t)
+
+files_read_etc_files(ccs_t)
+files_read_etc_runtime_files(ccs_t)
+
+init_rw_script_tmp_files(ccs_t)
+
+logging_send_syslog_msg(ccs_t)
+
+miscfiles_read_localization(ccs_t)
+
+sysnet_dns_name_resolve(ccs_t)
+
+userdom_manage_unpriv_user_shared_mem(ccs_t)
+userdom_manage_unpriv_user_semaphores(ccs_t)
+
+ifdef(`hide_broken_symptoms', `
+ corecmd_dontaudit_write_bin_dirs(ccs_t)
+ files_manage_isid_type_files(ccs_t)
+')
+
+optional_policy(`
+ aisexec_stream_connect(ccs_t)
+ corosync_stream_connect(ccs_t)
+')
+
+optional_policy(`
+ unconfined_use_fds(ccs_t)
+')
diff --git a/cdrecord.fc b/cdrecord.fc
new file mode 100644
index 0000000..91697cc
--- /dev/null
+++ b/cdrecord.fc
@@ -0,0 +1,6 @@
+#
+# /usr
+#
+/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/growisofs -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/wodim -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
diff --git a/cdrecord.if b/cdrecord.if
new file mode 100644
index 0000000..1582faf
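Review bot: `ccs_var_lib_t` is declared with `logging_log_file(ccs_var_lib_t)` although it is used as /var/lib state (`files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })` under the "# var lib files" comment), so it picks up the log-file attribute and becomes reachable by every interface that operates on all log files, such as log rotation and log readers. Unless that is intended, the declaration should be `files_type(ccs_var_lib_t)`, matching `cluster_conf_t` here and the other var_lib types in this commit (`canna_var_lib_t`, `certmaster_var_lib_t`). Separately, `allow ccs_t self:socket create_socket_perms;` on the generic socket class is already flagged by the in-line "cjp" comment; given the `sys_admin` capability on the same domain it deserves a tracked follow-up rather than only a comment.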
--- /dev/null
+++ b/cdrecord.if
@@ -0,0 +1,33 @@
+## Policy for cdrecord
+
+########################################
+##
+## Role access for cdrecord
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`cdrecord_role',`
+ gen_require(`
+ type cdrecord_t, cdrecord_exec_t;
+ ')
+
+ role $1 types cdrecord_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)
+
+ allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
+
+ # allow ps to show cdrecord and allow the user to kill it
+ ps_process_pattern($2, cdrecord_t)
+ allow $2 cdrecord_t:process signal;
+')
diff --git a/cdrecord.te b/cdrecord.te
new file mode 100644
index 0000000..3aacb25
--- /dev/null
+++ b/cdrecord.te
@@ -0,0 +1,120 @@
+policy_module(cdrecord, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##

+## Allow cdrecord to read various content.
+## nfs, samba, removable devices, user temp
+## and untrusted content files
+##

+##
+gen_tunable(cdrecord_read_content, false)
+
+type cdrecord_t;
+type cdrecord_exec_t;
+typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t };
+typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t };
+application_domain(cdrecord_t, cdrecord_exec_t)
+ubac_constrained(cdrecord_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
+allow cdrecord_t self:unix_dgram_socket create_socket_perms;
+allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+
+# growisofs uses mkisofs
+corecmd_exec_bin(cdrecord_t)
+
+# allow searching for cdrom-drive
+dev_list_all_dev_nodes(cdrecord_t)
+dev_read_sysfs(cdrecord_t)
+
+domain_interactive_fd(cdrecord_t)
+domain_use_interactive_fds(cdrecord_t)
+
+files_read_etc_files(cdrecord_t)
+
+term_use_controlling_term(cdrecord_t)
+term_list_ptys(cdrecord_t)
+
+# allow cdrecord to write the CD
+storage_raw_read_removable_device(cdrecord_t)
+storage_raw_write_removable_device(cdrecord_t)
+storage_write_scsi_generic(cdrecord_t)
+
+logging_send_syslog_msg(cdrecord_t)
+
+miscfiles_read_localization(cdrecord_t)
+
+# write to the user domain tty.
+userdom_use_user_terminals(cdrecord_t)
+userdom_read_user_home_content_files(cdrecord_t)
+
+# Handle nfs home dirs
+tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+ files_list_home(cdrecord_t)
+ fs_read_nfs_files(cdrecord_t)
+ fs_read_nfs_symlinks(cdrecord_t)
+
+',`
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+ fs_dontaudit_read_nfs_files(cdrecord_t)
+ fs_dontaudit_list_nfs(cdrecord_t)
+')
+# Handle samba home dirs
+tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+ files_list_home(cdrecord_t)
+ fs_read_cifs_files(cdrecord_t)
+ fs_read_cifs_symlinks(cdrecord_t)
+',`
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+ fs_dontaudit_read_cifs_files(cdrecord_t)
+ fs_dontaudit_list_cifs(cdrecord_t)
+')
+
+# Handle removable media, /tmp, and /home
+tunable_policy(`cdrecord_read_content',`
+ userdom_list_user_tmp(cdrecord_t)
+ userdom_read_user_tmp_files(cdrecord_t)
+ userdom_read_user_tmp_symlinks(cdrecord_t)
+ userdom_read_user_home_content_files(cdrecord_t)
+ userdom_read_user_home_content_symlinks(cdrecord_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(cdrecord_t)
+ fs_read_removable_files(cdrecord_t)
+ fs_read_removable_symlinks(cdrecord_t)
+ ')
+',`
+ files_dontaudit_list_tmp(cdrecord_t)
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_removable(cdrecord_t)
+ fs_dontaudit_read_removable_files(cdrecord_t)
+ userdom_dontaudit_list_user_tmp(cdrecord_t)
+ userdom_dontaudit_read_user_tmp_files(cdrecord_t)
+ userdom_dontaudit_list_user_home_dirs(cdrecord_t)
+ userdom_dontaudit_read_user_home_content_files(cdrecord_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ files_search_mnt(cdrecord_t)
+ fs_read_nfs_files(cdrecord_t)
+ fs_read_nfs_symlinks(cdrecord_t)
+')
+
+optional_policy(`
+ resmgr_stream_connect(cdrecord_t)
+')
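Review bot: `userdom_read_user_home_content_files(cdrecord_t)` is granted unconditionally right after `userdom_use_user_terminals`, which makes the `cdrecord_read_content` tunable ineffective for home content: the same interface is repeated inside the tunable's true branch, and the `userdom_dontaudit_read_user_home_content_files` in its false branch has no effect once the access is already allowed. The trailing `tunable_policy(`use_nfs_home_dirs', ...)` block has the same problem for NFS: it duplicates the earlier `cdrecord_read_content && use_nfs_home_dirs` block without the content gate, so the dontaudit branch there is also moot. Dropping the unconditional `userdom_read_user_home_content_files(cdrecord_t)` line and either removing the trailing block or conditioning it on `cdrecord_read_content && use_nfs_home_dirs` would make the tunable's description in the declaration match what the policy enforces.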
diff --git a/certmaster.fc b/certmaster.fc
new file mode 100644
index 0000000..79295d6
--- /dev/null
+++ b/certmaster.fc
@@ -0,0 +1,8 @@
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
+
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
+
+/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0)
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
diff --git a/certmaster.if b/certmaster.if
new file mode 100644
index 0000000..fa62787
--- /dev/null
+++ b/certmaster.if
@@ -0,0 +1,145 @@
+## Certmaster SSL certificate distribution service
+
+########################################
+##
+## Execute a domain transition to run certmaster.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`certmaster_domtrans',`
+ gen_require(`
+ type certmaster_t, certmaster_exec_t;
+ ')
+
+ domtrans_pattern($1, certmaster_exec_t, certmaster_t)
+')
+
+####################################
+##
+## Execute certmaster in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_exec',`
+ gen_require(`
+ type certmaster_exec_t;
+ ')
+
+ can_exec($1, certmaster_exec_t)
+ corecmd_search_bin($1)
+')
+
+#######################################
+##
+## read certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_read_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+##
+## Append to certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_append_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+##
+## Create, read, write, and delete
+## certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_manage_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an snort environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the syslog domain.
+##
+##
+##
+#
+interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t;
+ type certmaster_initrc_exec_t;
+ ')
+
+ allow $1 certmaster_t:process { ptrace signal_perms };
+ ps_process_pattern($1, certmaster_t)
+
+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 certmaster_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ miscfiles_manage_generic_cert_dirs($1)
+ miscfiles_manage_generic_cert_files($1)
+
+ admin_pattern($1, certmaster_etc_rw_t)
+
+ files_list_pids($1)
+ admin_pattern($1, certmaster_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, certmaster_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, certmaster_var_lib_t)
+')
diff --git a/certmaster.te b/certmaster.te
new file mode 100644
index 0000000..3384132
--- /dev/null
+++ b/certmaster.te
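Review bot: The `certmaster_admin` documentation is copy-pasted from another module: its summary describes "an snort environment" and the role parameter is described as the role "to manage the syslog domain", while the interface body administers certmaster types and its init script. Both sentences should name certmaster, e.g. `## a certmaster environment` for the summary and `## The role to be allowed to manage the certmaster domain.` for the role parameter. The interface also hands $1 `miscfiles_manage_generic_cert_dirs`/`_files`, i.e. write access to all generic certificates rather than only certmaster's own types; that matches what certmaster_t itself does in certmaster.te, but it is worth a one-line comment so readers know the breadth is intentional.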
@@ -0,0 +1,71 @@
+policy_module(certmaster, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type certmaster_t;
+type certmaster_exec_t;
+init_daemon_domain(certmaster_t, certmaster_exec_t)
+
+type certmaster_initrc_exec_t;
+init_script_file(certmaster_initrc_exec_t)
+
+type certmaster_etc_rw_t;
+files_type(certmaster_etc_rw_t)
+
+type certmaster_var_lib_t;
+files_type(certmaster_var_lib_t)
+
+type certmaster_var_log_t;
+logging_log_file(certmaster_var_log_t)
+
+type certmaster_var_run_t;
+files_pid_file(certmaster_var_run_t)
+
+###########################################
+#
+# certmaster local policy
+#
+
+allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config };
+allow certmaster_t self:tcp_socket create_stream_socket_perms;
+
+# config files
+list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+
+# var/lib files for certmaster
+manage_files_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+manage_dirs_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
+
+# log files
+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
+
+# pid file
+manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
+
+# read meminfo
+kernel_read_system_state(certmaster_t)
+
+corecmd_search_bin(certmaster_t)
+corecmd_getattr_bin_files(certmaster_t)
+
+corenet_tcp_bind_generic_node(certmaster_t)
+corenet_tcp_bind_certmaster_port(certmaster_t)
+
+files_search_etc(certmaster_t)
+files_list_var(certmaster_t)
+files_search_var_lib(certmaster_t)
+
+auth_use_nsswitch(certmaster_t)
+
+miscfiles_read_localization(certmaster_t)
+
+miscfiles_manage_generic_cert_dirs(certmaster_t)
+miscfiles_manage_generic_cert_files(certmaster_t)
diff --git a/certmonger.fc b/certmonger.fc
new file mode 100644
index 0000000..5ad1a52
--- /dev/null
+++ b/certmonger.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+
+/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+
+/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
+/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
diff --git a/certmonger.if b/certmonger.if
new file mode 100644
index 0000000..7a6e5ba
--- /dev/null
+++ b/certmonger.if
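Review bot: `files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })` and `logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )` have misplaced spaces around the argument separators; they should read `files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })` and `logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)`, matching every other pattern call in this file. The domain binds the certmaster port via `corenet_tcp_bind_certmaster_port` but, unlike certmonger.te in the same commit, has no `corenet_tcp_sendrecv_generic_if`/`corenet_tcp_sendrecv_generic_node`/`corenet_tcp_sendrecv_all_ports` lines; whether a listener needs them depends on the corenet configuration in use, which cannot be confirmed from this hunk.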
@@ -0,0 +1,174 @@
+## Certificate status monitor and PKI enrollment client
+
+########################################
+##
+## Execute a domain transition to run certmonger.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`certmonger_domtrans',`
+ gen_require(`
+ type certmonger_t, certmonger_exec_t;
+ ')
+
+ domtrans_pattern($1, certmonger_exec_t, certmonger_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## certmonger over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmonger_dbus_chat',`
+ gen_require(`
+ type certmonger_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 certmonger_t:dbus send_msg;
+ allow certmonger_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Execute certmonger server in the certmonger domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`certmonger_initrc_domtrans',`
+ gen_require(`
+ type certmonger_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, certmonger_initrc_exec_t)
+')
+
+########################################
+##
+## Read certmonger PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmonger_read_pid_files',`
+ gen_require(`
+ type certmonger_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 certmonger_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Search certmonger lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmonger_search_lib',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ allow $1 certmonger_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read certmonger lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmonger_read_lib_files',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## certmonger lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmonger_manage_lib_files',`
+ gen_require(`
+ type certmonger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an certmonger environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`certmonger_admin',`
+ gen_require(`
+ type certmonger_t, certmonger_initrc_exec_t;
+ type certmonger_var_lib_t, certmonger_var_run_t;
+ ')
+
+ ps_process_pattern($1, certmonger_t)
+ allow $1 certmonger_t:process { ptrace signal_perms };
+
+ # Allow certmonger_t to restart the apache service
+ certmonger_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 certmonger_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, certmonger_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, certmonger_var_run_t)
+')
diff --git a/certmonger.te b/certmonger.te
new file mode 100644
index 0000000..c3e3f79
--- /dev/null
+++ b/certmonger.te
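Review bot: The comment `# Allow certmonger_t to restart the apache service` in `certmonger_admin` does not describe the rules under it: they let $1, the administrating domain, run the certmonger init script through `certmonger_initrc_domtrans($1)` and give $2 the `system_r` role transition; nothing there concerns apache, and certmonger_t is the object rather than the subject. Replace it with `# Allow the admin domain to run the certmonger init script`. The summary "an certmonger environment" should read "a certmonger environment".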
@@ -0,0 +1,72 @@ +policy_module(certmonger, 1.1.0) + +######################################## +# +# Declarations +# + +type certmonger_t; +type certmonger_exec_t; +init_daemon_domain(certmonger_t, certmonger_exec_t) + +type certmonger_initrc_exec_t; +init_script_file(certmonger_initrc_exec_t) + +type certmonger_var_run_t; +files_pid_file(certmonger_var_run_t) + +type certmonger_var_lib_t; +files_type(certmonger_var_lib_t) + +######################################## +# +# certmonger local policy +# + +allow certmonger_t self:capability { kill sys_nice }; +allow certmonger_t self:process { getsched setsched sigkill }; +allow certmonger_t self:fifo_file rw_file_perms; +allow certmonger_t self:unix_stream_socket create_stream_socket_perms; +allow certmonger_t self:tcp_socket create_stream_socket_perms; +allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; + +manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) +manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) +files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } ) + +manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) +manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) +files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir }) + +corenet_tcp_sendrecv_generic_if(certmonger_t) +corenet_tcp_sendrecv_generic_node(certmonger_t) +corenet_tcp_sendrecv_all_ports(certmonger_t) +corenet_tcp_connect_certmaster_port(certmonger_t) + +dev_read_urand(certmonger_t) + +domain_use_interactive_fds(certmonger_t) + +files_read_etc_files(certmonger_t) +files_read_usr_files(certmonger_t) +files_list_tmp(certmonger_t) + +logging_send_syslog_msg(certmonger_t) + +miscfiles_read_localization(certmonger_t) +miscfiles_manage_generic_cert_files(certmonger_t) + +sysnet_dns_name_resolve(certmonger_t) + +optional_policy(` + dbus_system_bus_client(certmonger_t) + 
dbus_connect_system_bus(certmonger_t) +') + +optional_policy(` + kerberos_use(certmonger_t) +') + +optional_policy(` + pcscd_stream_connect(certmonger_t) +') diff --git a/certwatch.fc b/certwatch.fc new file mode 100644 index 0000000..b8a3414 --- /dev/null +++ b/certwatch.fc @@ -0,0 +1 @@ +/usr/bin/certwatch -- gen_context(system_u:object_r:certwatch_exec_t,s0) diff --git a/certwatch.if b/certwatch.if new file mode 100644 index 0000000..953451a --- /dev/null +++ b/certwatch.if @@ -0,0 +1,78 @@ +## Digital Certificate Tracking + +######################################## +## +## Domain transition to certwatch. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`certwatch_domtrans',` + gen_require(` + type certwatch_exec_t, certwatch_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, certwatch_exec_t, certwatch_t) +') + +######################################## +## +## Execute certwatch in the certwatch domain, and +## allow the specified role the certwatch domain, +## and use the caller's terminal. Has a sigchld +## backchannel. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`certwatch_run',` + gen_require(` + type certwatch_t; + ') + + certwatch_domtrans($1) + role $2 types certwatch_t; +') + +######################################## +## +## Execute certwatch in the certwatch domain, and +## allow the specified role the certwatch domain, +## and use the caller's terminal. Has a sigchld +## backchannel. (Deprecated) +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +## +## The type of the terminal allow the certwatch domain to use. +## +## +## +# +interface(`certwatach_run',` + refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.') + certwatch_run($*) +') diff --git a/certwatch.te b/certwatch.te new file mode 100644 index 0000000..e07cef5 --- /dev/null +++ b/certwatch.te 
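Review bot: The deprecated `certwatach_run` wrapper documents a third parameter (the terminal type) but forwards `$*` to `certwatch_run`, which takes two, so a caller's third argument is silently dropped. The deprecated block's parameter text should say so, e.g. `## Ignored; certwatch.te grants terminal use via userdom_use_user_terminals.`. Likewise the summary of `certwatch_run` promises "use the caller's terminal", yet the interface body only transitions and assigns the role; the terminal access it mentions is granted unconditionally in certwatch.te, so either the summary or the body should be aligned.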
@@ -0,0 +1,53 @@ +policy_module(certwatch, 1.7.0) + +######################################## +# +# Declarations +# + +type certwatch_t; +type certwatch_exec_t; +application_domain(certwatch_t, certwatch_exec_t) +role system_r types certwatch_t; + +######################################## +# +# Local policy +# +allow certwatch_t self:capability sys_nice; +allow certwatch_t self:process { setsched getsched }; + +dev_read_urand(certwatch_t) + +files_read_etc_files(certwatch_t) +files_read_usr_files(certwatch_t) +files_read_usr_symlinks(certwatch_t) +files_list_tmp(certwatch_t) + +fs_list_inotifyfs(certwatch_t) + +auth_manage_cache(certwatch_t) +auth_var_filetrans_cache(certwatch_t) + +logging_send_syslog_msg(certwatch_t) + +miscfiles_read_all_certs(certwatch_t) +miscfiles_read_localization(certwatch_t) + +userdom_use_user_terminals(certwatch_t) +userdom_dontaudit_list_user_home_dirs(certwatch_t) + +optional_policy(` + apache_exec_modules(certwatch_t) + apache_read_config(certwatch_t) +') + +optional_policy(` + cron_system_entry(certwatch_t, certwatch_exec_t) +') + +optional_policy(` + pcscd_domtrans(certwatch_t) + pcscd_stream_connect(certwatch_t) + pcscd_read_pub_files(certwatch_t) +') diff --git a/cgroup.fc b/cgroup.fc new file mode 100644 index 0000000..b6bb46c --- /dev/null +++ b/cgroup.fc 
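Review bot: `auth_manage_cache(certwatch_t)` and `auth_var_filetrans_cache(certwatch_t)` are the only write rules this domain receives, and they carry no comment saying what certwatch creates under the auth cache; every other block here is self-explanatory from its name, this one is not. Add a why-comment above them, e.g. `# certwatch writes its NSS/cert state into the auth cache directory` (confirm against the program before committing the wording). `role system_r types certwatch_t;` is declared unconditionally while `cron_system_entry` in the optional block presumably also assigns `system_r`; harmless, but worth a comment if the standalone role line is needed for non-cron callers.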
@@ -0,0 +1,15 @@
+/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
+/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
+
+/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
+/etc/sysconfig/cgred.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
+
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
+
+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
+/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+
+/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0)
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
diff --git a/cgroup.if b/cgroup.if
new file mode 100644
index 0000000..33facaf
--- /dev/null
+++ b/cgroup.if
@@ -0,0 +1,199 @@ +## libcg is a library that abstracts the control group file system in Linux. + +######################################## +## +## Execute a domain transition to run +## CG Clear. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cgroup_domtrans_cgclear',` + gen_require(` + type cgclear_t, cgclear_exec_t; + ') + + domtrans_pattern($1, cgclear_exec_t, cgclear_t) + corecmd_search_bin($1) +') + +######################################## +## +## Execute a domain transition to run +## CG config parser. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cgroup_domtrans_cgconfig',` + gen_require(` + type cgconfig_t, cgconfig_exec_t; + ') + + domtrans_pattern($1, cgconfig_exec_t, cgconfig_t) + corecmd_search_bin($1) +') + +######################################## +## +## Execute a domain transition to run +## CG config parser. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cgroup_initrc_domtrans_cgconfig',` + gen_require(` + type cgconfig_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, cgconfig_initrc_exec_t) +') + +######################################## +## +## Execute a domain transition to run +## CG rules engine daemon. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cgroup_domtrans_cgred',` + gen_require(` + type cgred_t, cgred_exec_t; + ') + + domtrans_pattern($1, cgred_exec_t, cgred_t) + corecmd_search_bin($1) +') + +######################################## +## +## Execute a domain transition to run +## CG rules engine daemon. +## domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cgroup_initrc_domtrans_cgred',` + gen_require(` + type cgred_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, cgred_initrc_exec_t) +') + +######################################## +## +## Execute a domain transition to +## run CG Clear and allow the +## specified role the CG Clear +## domain. +## +## +## +## Domain allowed to transition. 
+## +## +## +## +## Role allowed access. +## +## +## +# +interface(`cgroup_run_cgclear',` + gen_require(` + type cgclear_t; + ') + + cgroup_domtrans_cgclear($1) + role $2 types cgclear_t; +') + +######################################## +## +## Connect to CG rules engine daemon +## over unix stream sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`cgroup_stream_connect_cgred', ` + gen_require(` + type cgred_var_run_t, cgred_t; + ') + + stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) + files_search_pids($1) +') + +######################################## +## +## All of the rules required to administrate +## an cgroup environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`cgroup_admin',` + gen_require(` + type cgred_t, cgconfig_t, cgred_var_run_t; + type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t; + type cgrules_etc_t, cgclear_t; + ') + + allow $1 cgclear_t:process { ptrace signal_perms }; + ps_process_pattern($1, cgclear_t) + + allow $1 cgconfig_t:process { ptrace signal_perms }; + ps_process_pattern($1, cgconfig_t) + + allow $1 cgred_t:process { ptrace signal_perms }; + ps_process_pattern($1, cgred_t) + + admin_pattern($1, cgconfig_etc_t) + admin_pattern($1, cgrules_etc_t) + files_list_etc($1) + + admin_pattern($1, cgred_var_run_t) + files_list_pids($1) + + cgroup_initrc_domtrans_cgconfig($1) + domain_system_change_exemption($1) + role_transition $2 cgconfig_initrc_exec_t system_r; + allow $2 system_r; + + cgroup_initrc_domtrans_cgred($1) + role_transition $2 cgred_initrc_exec_t system_r; + + cgroup_run_cgclear($1, $2) +') diff --git a/cgroup.te b/cgroup.te new file mode 100644 index 0000000..806191a --- /dev/null +++ b/cgroup.te 
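Review bot: Two interface summaries in cgroup.if were copied from their domtrans siblings and no longer describe what the body does: `cgroup_initrc_domtrans_cgconfig` says "Execute a domain transition to run CG config parser" but calls `init_labeled_script_domtrans`, and `cgroup_initrc_domtrans_cgred` ends with a dangling "domain." line. Reword them to `## Execute the CG config init script in the init script domain.` and `## Execute the CG rules engine init script in the init script domain.` respectively. `interface(`cgroup_stream_connect_cgred', `` carries a stray space after the comma that no other interface in this commit has. In `cgroup_admin` the second `role_transition $2 cgred_initrc_exec_t system_r;` relies on the `allow $2 system_r;` granted a few lines earlier for cgconfig; a short comment saying so would stop a later reader from "fixing" the apparent asymmetry.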
@@ -0,0 +1,109 @@ +policy_module(cgroup, 1.1.0) + +######################################## +# +# Declarations +# + +type cgclear_t; +type cgclear_exec_t; +init_daemon_domain(cgclear_t, cgclear_exec_t) + +type cgred_t; +type cgred_exec_t; +init_daemon_domain(cgred_t, cgred_exec_t) + +type cgred_initrc_exec_t; +init_script_file(cgred_initrc_exec_t) + +type cgred_log_t; +logging_log_file(cgred_log_t) + +type cgred_var_run_t; +files_pid_file(cgred_var_run_t) + +type cgrules_etc_t; +files_config_file(cgrules_etc_t) + +type cgconfig_t; +type cgconfig_exec_t; +init_daemon_domain(cgconfig_t, cgconfig_exec_t) + +type cgconfig_initrc_exec_t; +init_script_file(cgconfig_initrc_exec_t) + +type cgconfig_etc_t; +files_config_file(cgconfig_etc_t) + +######################################## +# +# cgclear personal policy. +# + +allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; + +kernel_read_system_state(cgclear_t) + +domain_setpriority_all_domains(cgclear_t) + +fs_manage_cgroup_dirs(cgclear_t) +fs_manage_cgroup_files(cgclear_t) +fs_unmount_cgroup(cgclear_t) + +######################################## +# +# cgconfig personal policy. +# + +allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config }; + +allow cgconfig_t cgconfig_etc_t:file read_file_perms; + +# search will do. +kernel_list_unlabeled(cgconfig_t) +kernel_read_system_state(cgconfig_t) + +# /etc/nsswitch.conf, /etc/passwd +files_read_etc_files(cgconfig_t) + +fs_manage_cgroup_dirs(cgconfig_t) +fs_manage_cgroup_files(cgconfig_t) +fs_mount_cgroup(cgconfig_t) +fs_mounton_cgroup(cgconfig_t) +fs_unmount_cgroup(cgconfig_t) + +######################################## +# +# cgred personal policy. 
+#
+
+allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
+allow cgred_t self:netlink_socket { write bind create read };
+allow cgred_t self:unix_dgram_socket { write create connect };
+
+manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)
+logging_log_filetrans(cgred_t, cgred_log_t, file)
+
+allow cgred_t cgrules_etc_t:file read_file_perms;
+
+# rc script creates pid file
+manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
+
+kernel_read_system_state(cgred_t)
+
+domain_read_all_domains_state(cgred_t)
+domain_setpriority_all_domains(cgred_t)
+
+files_getattr_all_files(cgred_t)
+files_getattr_all_sockets(cgred_t)
+files_read_all_symlinks(cgred_t)
+# /etc/group
+files_read_etc_files(cgred_t)
+
+fs_write_cgroup_files(cgred_t)
+
+logging_send_syslog_msg(cgred_t)
+
+miscfiles_read_localization(cgred_t)
diff --git a/chronyd.fc b/chronyd.fc
new file mode 100644
index 0000000..fd8cd0b
--- /dev/null
+++ b/chronyd.fc
@@ -0,0 +1,9 @@
+/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+
+/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+
+/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
+/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/chronyd.if b/chronyd.if
new file mode 100644
index 0000000..9a0da94
--- /dev/null
+++ b/chronyd.if
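Review bot: Two comments in cgroup.te contradict the rule they annotate: `# search will do.` sits above `kernel_list_unlabeled(cgconfig_t)`, which grants listing rather than search, and `# rc script creates pid file` sits above `manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)`, which gives the daemon itself full create/delete on its pid files. In each case either the grant is wider than the comment says is needed or the comment is stale; narrow the rule if the narrower access really suffices, otherwise rewrite the comment to state why the wider access is required, e.g. `# cgred rewrites its own pid file on reload`. `allow cgclear_t self:capability { dac_read_search dac_override sys_admin };` grants both DAC-bypass capabilities although `dac_override` already covers read and search, so one of the two is surplus and the allow should keep only the one the tool actually exercises.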
@@ -0,0 +1,105 @@ +## Chrony NTP background daemon + +##################################### +## +## Execute chronyd in the chronyd domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`chronyd_domtrans',` + gen_require(` + type chronyd_t, chronyd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, chronyd_exec_t, chronyd_t) +') + +#################################### +## +## Execute chronyd +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_exec',` + gen_require(` + type chronyd_exec_t; + ') + + can_exec($1, chronyd_exec_t) +') + +##################################### +## +## Read chronyd logs. +## +## +## +## Domain allowed access. +## +## +# +interface(`chronyd_read_log',` + gen_require(` + type chronyd_var_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) +') + +#################################### +## +## All of the rules required to administrate +## an chronyd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the chronyd domain. +## +## +## +# +interface(`chronyd_admin',` + gen_require(` + type chronyd_t, chronyd_var_log_t; + type chronyd_var_run_t, chronyd_var_lib_t; + type chronyd_initrc_exec_t, chronyd_keys_t; + ') + + allow $1 chronyd_t:process { ptrace signal_perms }; + ps_process_pattern($1, chronyd_t) + + init_labeled_script_domtrans($1, chronyd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 chronyd_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) + admin_pattern($1, chronyd_keys_t) + + logging_search_logs($1) + admin_pattern($1, chronyd_var_log_t) + + files_search_var_lib($1) + admin_pattern($1, chronyd_var_lib_t) + + files_search_pids($1) + admin_pattern($1, chronyd_var_run_t) + + files_search_tmp($1) + admin_pattern($1, chronyd_tmp_t) +') diff --git a/chronyd.te b/chronyd.te new file mode 100644 index 0000000..fa82327 --- /dev/null 
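Review bot: `chronyd_admin` ends with `files_search_tmp($1)` and `admin_pattern($1, chronyd_tmp_t)`, but `chronyd_tmp_t` is neither listed in the interface's `gen_require` nor declared anywhere in chronyd.te (the hunk that follows declares only `chronyd_keys_t`, `chronyd_var_lib_t`, `chronyd_var_log_t` and `chronyd_var_run_t`), so the first module that calls `chronyd_admin` will fail to build with an unknown type. Either drop those two lines, or declare the type in chronyd.te with `type chronyd_tmp_t;` and `files_tmp_file(chronyd_tmp_t)` plus the daemon's own tmp rules, and add it to the `gen_require`. `chronyd_exec` also calls `can_exec` without the `corecmd_search_bin($1)` that `chronyd_domtrans` above it uses; the two should be consistent.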
+++ b/chronyd.te
@@ -0,0 +1,68 @@
+policy_module(chronyd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type chronyd_t;
+type chronyd_exec_t;
+init_daemon_domain(chronyd_t, chronyd_exec_t)
+
+type chronyd_initrc_exec_t;
+init_script_file(chronyd_initrc_exec_t)
+
+type chronyd_keys_t;
+files_type(chronyd_keys_t)
+
+type chronyd_var_lib_t;
+files_type(chronyd_var_lib_t)
+
+type chronyd_var_log_t;
+logging_log_file(chronyd_var_log_t)
+
+type chronyd_var_run_t;
+files_pid_file(chronyd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+allow chronyd_t self:process { getcap setcap setrlimit };
+allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
+
+allow chronyd_t chronyd_keys_t:file read_file_perms;
+
+manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+files_var_lib_filetrans(chronyd_t, chronyd_var_lib_t, { file dir })
+
+manage_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
+
+manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
+
+corenet_udp_bind_ntp_port(chronyd_t)
+# bind to udp/323
+corenet_udp_bind_chronyd_port(chronyd_t)
+
+# real time clock option
+dev_rw_realtime_clock(chronyd_t)
+
+auth_use_nsswitch(chronyd_t)
+
+logging_send_syslog_msg(chronyd_t)
+
+miscfiles_read_localization(chronyd_t)
+
+optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+')
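Review bot: `allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };` grants `dac_override` with no comment on which file the daemon needs it for, while every file it is shown touching (`chronyd_keys_t`, its var_lib, var_log and var_run types) is already granted through explicit rules. If the capability is only needed for the key file, a comment like `# dac_override: /etc/chrony.keys is root-only and chronyd drops privileges` would justify it; if nothing needs it, it should go. The `manage_sock_files_pattern` on `chronyd_var_lib_t` has no matching `sock_file` in `files_var_lib_filetrans`, so sockets created there will take the parent directory's label unless chrony creates them under an already-labelled directory; worth confirming against the daemon.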
diff --git a/cipe.fc b/cipe.fc
new file mode 100644
index 0000000..afcdf02
--- /dev/null
+++ b/cipe.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0)
diff --git a/cipe.if b/cipe.if
new file mode 100644
index 0000000..b5fd668
--- /dev/null
+++ b/cipe.if
@@ -0,0 +1 @@
+## Encrypted tunnel daemon
diff --git a/cipe.te b/cipe.te
new file mode 100644
index 0000000..8e1ef38
--- /dev/null
+++ b/cipe.te
@@ -0,0 +1,72 @@ +policy_module(cipe, 1.5.0) + +######################################## +# +# Declarations +# + +type ciped_t; +type ciped_exec_t; +init_daemon_domain(ciped_t, ciped_exec_t) + +######################################## +# +# Local policy +# + +allow ciped_t self:capability { net_admin ipc_lock sys_tty_config }; +dontaudit ciped_t self:capability sys_tty_config; +allow ciped_t self:process signal_perms; +allow ciped_t self:fifo_file rw_fifo_file_perms; +allow ciped_t self:unix_dgram_socket create_socket_perms; +allow ciped_t self:unix_stream_socket create_socket_perms; +allow ciped_t self:udp_socket create_socket_perms; + +kernel_read_kernel_sysctls(ciped_t) +kernel_read_system_state(ciped_t) + +corecmd_exec_shell(ciped_t) +corecmd_exec_bin(ciped_t) + +corenet_all_recvfrom_unlabeled(ciped_t) +corenet_all_recvfrom_netlabel(ciped_t) +corenet_udp_sendrecv_generic_if(ciped_t) +corenet_udp_sendrecv_generic_node(ciped_t) +corenet_udp_sendrecv_all_ports(ciped_t) +corenet_udp_bind_generic_node(ciped_t) +# cipe uses the afs3-bos port (udp 7007) +corenet_udp_bind_afs_bos_port(ciped_t) +corenet_sendrecv_afs_bos_server_packets(ciped_t) + +dev_read_sysfs(ciped_t) +dev_read_rand(ciped_t) +# for SSP +dev_read_urand(ciped_t) + +domain_use_interactive_fds(ciped_t) + +files_read_etc_files(ciped_t) +files_read_etc_runtime_files(ciped_t) +files_dontaudit_search_var(ciped_t) + +fs_search_auto_mountpoints(ciped_t) + +logging_send_syslog_msg(ciped_t) + +miscfiles_read_localization(ciped_t) + +sysnet_read_config(ciped_t) + +userdom_dontaudit_use_unpriv_user_fds(ciped_t) + +optional_policy(` + nis_use_ypbind(ciped_t) +') + +optional_policy(` + seutil_sigchld_newrole(ciped_t) +') + +optional_policy(` + udev_read_db(ciped_t) +') diff --git a/clamav.fc b/clamav.fc new file mode 100644 index 0000000..e8e9a21 --- /dev/null +++ b/clamav.fc 
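Review bot: `sys_tty_config` is both allowed and dontaudited on `ciped_t self:capability`: the `dontaudit ciped_t self:capability sys_tty_config;` line has no effect once the preceding allow grants the same permission, and the dontaudit idiom elsewhere in this commit (clamd) means "the daemon probes this but does not need it". Keep one or the other; if the intent matches clamd's, the allow becomes `allow ciped_t self:capability { net_admin ipc_lock };`. `corecmd_exec_shell(ciped_t)` and `corecmd_exec_bin(ciped_t)` give a network daemon shell and generic binary execution with no comment on what it runs; add one naming the hook scripts this is for so the grant can be reviewed later.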
@@ -0,0 +1,20 @@
+/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
+/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+
+/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+
+/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+
+/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --git a/clamav.if b/clamav.if
new file mode 100644
index 0000000..1f11572
--- /dev/null
+++ b/clamav.if
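Review bot: `/var/spool/MailScanner(/.*)?` is labelled `clamd_var_run_t`, the type clamav.te registers with `files_pid_file`, so an entire mail spool inherits whatever generic pid-file handling applies to that attribute and every domain given clamd pid-file access also reaches MailScanner's queue. A dedicated spool type, or the type of the module that owns that directory, would keep the two separable; at minimum the line deserves a comment saying why the pid type was chosen. The amavisd socket entry on the line above it is the same pattern, and the absence of any `--`/`-s` qualifier on the MailScanner line means directories, files and sockets all get the pid type.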
@@ -0,0 +1,192 @@ +## ClamAV Virus Scanner + +######################################## +## +## Execute a domain transition to run clamd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`clamav_domtrans',` + gen_require(` + type clamd_t, clamd_exec_t; + ') + + domtrans_pattern($1, clamd_exec_t, clamd_t) +') + +######################################## +## +## Connect to run clamd. +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_stream_connect',` + gen_require(` + type clamd_t, clamd_var_run_t; + ') + + stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t) +') + +######################################## +## +## Allow the specified domain to append +## to clamav log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_append_log',` + gen_require(` + type clamav_log_t; + ') + + logging_search_logs($1) + allow $1 clamav_log_t:dir list_dir_perms; + append_files_pattern($1, clamav_log_t, clamav_log_t) +') + +######################################## +## +## Read clamav configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_read_config',` + gen_require(` + type clamd_etc_t; + ') + + files_search_etc($1) + allow $1 clamd_etc_t:file read_file_perms; +') + +######################################## +## +## Search clamav libraries directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_search_lib',` + gen_require(` + type clamd_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 clamd_var_lib_t:dir search_dir_perms; +') + +######################################## +## +## Execute a domain transition to run clamscan. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`clamav_domtrans_clamscan',` + gen_require(` + type clamscan_t, clamscan_exec_t; + ') + + domtrans_pattern($1, clamscan_exec_t, clamscan_t) +') + +######################################## +## +## Execute clamscan without a transition. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_exec_clamscan',` + gen_require(` + type clamscan_exec_t; + ') + + can_exec($1, clamscan_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an clamav environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the clamav domain. +## +## +## +# +interface(`clamav_admin',` + gen_require(` + type clamd_t, clamd_etc_t, clamd_tmp_t; + type clamd_var_log_t, clamd_var_lib_t; + type clamd_var_run_t, clamscan_t, clamscan_tmp_t; + type clamd_initrc_exec_t; + type freshclam_t, freshclam_var_log_t; + ') + + allow $1 clamd_t:process { ptrace signal_perms }; + ps_process_pattern($1, clamd_t) + + allow $1 clamscan_t:process { ptrace signal_perms }; + ps_process_pattern($1, clamscan_t) + + allow $1 freshclam_t:process { ptrace signal_perms }; + ps_process_pattern($1, freshclam_t) + + init_labeled_script_domtrans($1, clamd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 clamd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, clamd_etc_t) + + files_list_var_lib($1) + admin_pattern($1, clamd_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, clamd_var_log_t) + + files_list_pids($1) + admin_pattern($1, clamd_var_run_t) + + files_list_tmp($1) + admin_pattern($1, clamd_tmp_t) + + admin_pattern($1, clamscan_tmp_t) + + admin_pattern($1, freshclam_var_log_t) +') diff --git a/clamav.te b/clamav.te new file mode 100644 index 0000000..f758323 --- /dev/null +++ b/clamav.te @@ -0,0 +1,275 @@ +policy_module(clamav, 1.9.0) + +## +##
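Review bot: `clamav_append_log` requires and grants on `clamav_log_t`, but clamav.te (the hunk that follows) declares only `clamd_var_log_t` and `freshclam_var_log_t`, so the first module calling this interface fails to build with an unknown type; change the `gen_require` and both rules to `clamd_var_log_t`. `clamav_stream_connect` calls `stream_connect_pattern` without `files_search_pids($1)`, unlike the stream-connect interfaces for the other daemons in this commit, so a caller that cannot already search /var/run is denied before it reaches the socket. The admin summary `an clamav environment` should read `a clamav environment`.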

+## Allow clamd to use JIT compiler +##

+##
+gen_tunable(clamd_use_jit, false) + +######################################## +# +# Declarations +# + +# Main clamd domain +type clamd_t; +type clamd_exec_t; +init_daemon_domain(clamd_t, clamd_exec_t) + +# configuration files +type clamd_etc_t; +files_config_file(clamd_etc_t) + +type clamd_initrc_exec_t; +init_script_file(clamd_initrc_exec_t) + +# tmp files +type clamd_tmp_t; +files_tmp_file(clamd_tmp_t) + +# log files +type clamd_var_log_t; +logging_log_file(clamd_var_log_t) + +# var/lib files +type clamd_var_lib_t; +files_type(clamd_var_lib_t) + +# pid files +type clamd_var_run_t; +files_pid_file(clamd_var_run_t) +typealias clamd_var_run_t alias clamd_sock_t; + +type clamscan_t; +type clamscan_exec_t; +init_daemon_domain(clamscan_t, clamscan_exec_t) + +# tmp files +type clamscan_tmp_t; +files_tmp_file(clamscan_tmp_t) + +type freshclam_t; +type freshclam_exec_t; +init_daemon_domain(freshclam_t, freshclam_exec_t) + +# log files +type freshclam_var_log_t; +logging_log_file(freshclam_var_log_t) + +######################################## +# +# clamd local policy +# + +allow clamd_t self:capability { kill setgid setuid dac_override }; +dontaudit clamd_t self:capability sys_tty_config; +allow clamd_t self:fifo_file rw_fifo_file_perms; +allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow clamd_t self:unix_dgram_socket create_socket_perms; +allow clamd_t self:tcp_socket { listen accept }; + +# configuration files +allow clamd_t clamd_etc_t:dir list_dir_perms; +read_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t) +read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t) + +# tmp files +manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) +manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) +files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) + +# var/lib files for clamd +manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) +manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) + +# log files 
+manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) +manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) +logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file }) + +# pid file +manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) +manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) +files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir }) + +kernel_dontaudit_list_proc(clamd_t) +kernel_read_sysctl(clamd_t) +kernel_read_kernel_sysctls(clamd_t) +kernel_read_system_state(clamd_t) + +corecmd_exec_shell(clamd_t) + +corenet_all_recvfrom_unlabeled(clamd_t) +corenet_all_recvfrom_netlabel(clamd_t) +corenet_tcp_sendrecv_generic_if(clamd_t) +corenet_tcp_sendrecv_generic_node(clamd_t) +corenet_tcp_sendrecv_all_ports(clamd_t) +corenet_tcp_sendrecv_clamd_port(clamd_t) +corenet_tcp_bind_generic_node(clamd_t) +corenet_tcp_bind_clamd_port(clamd_t) +corenet_tcp_bind_generic_port(clamd_t) +corenet_tcp_connect_generic_port(clamd_t) +corenet_sendrecv_clamd_server_packets(clamd_t) + +dev_read_rand(clamd_t) +dev_read_urand(clamd_t) + +domain_use_interactive_fds(clamd_t) + +files_read_etc_files(clamd_t) +files_read_etc_runtime_files(clamd_t) +files_search_spool(clamd_t) + +auth_use_nsswitch(clamd_t) + +logging_send_syslog_msg(clamd_t) + +miscfiles_read_localization(clamd_t) + +cron_use_fds(clamd_t) +cron_use_system_job_fds(clamd_t) +cron_rw_pipes(clamd_t) + +mta_read_config(clamd_t) +mta_send_mail(clamd_t) + +optional_policy(` + amavis_read_lib_files(clamd_t) + amavis_read_spool_files(clamd_t) + amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file) + amavis_create_pid_files(clamd_t) +') + +optional_policy(` + exim_read_spool_files(clamd_t) +') + +tunable_policy(`clamd_use_jit',` + allow clamd_t self:process execmem; +', ` + dontaudit clamd_t self:process execmem; +') + +######################################## +# +# Freshclam local policy +# + +allow freshclam_t self:capability { setgid setuid dac_override }; +allow 
freshclam_t self:fifo_file rw_fifo_file_perms; +allow freshclam_t self:unix_stream_socket create_stream_socket_perms; +allow freshclam_t self:unix_dgram_socket create_socket_perms; +allow freshclam_t self:tcp_socket { listen accept }; + +# configuration files +allow freshclam_t clamd_etc_t:dir list_dir_perms; +read_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t) +read_lnk_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t) + +# var/lib files together with clamd +manage_dirs_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t) +manage_files_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t) + +# pidfiles- var/run together with clamd +manage_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t) +manage_sock_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t) +files_pid_filetrans(freshclam_t, clamd_var_run_t, file) + +# log files (own logfiles only) +manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) +allow freshclam_t freshclam_var_log_t:dir setattr; +allow freshclam_t clamd_var_log_t:dir search_dir_perms; +logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) + +corenet_all_recvfrom_unlabeled(freshclam_t) +corenet_all_recvfrom_netlabel(freshclam_t) +corenet_tcp_sendrecv_generic_if(freshclam_t) +corenet_tcp_sendrecv_generic_node(freshclam_t) +corenet_tcp_sendrecv_all_ports(freshclam_t) +corenet_tcp_sendrecv_clamd_port(freshclam_t) +corenet_tcp_connect_http_port(freshclam_t) +corenet_sendrecv_http_client_packets(freshclam_t) + +dev_read_rand(freshclam_t) +dev_read_urand(freshclam_t) + +domain_use_interactive_fds(freshclam_t) + +files_read_etc_files(freshclam_t) +files_read_etc_runtime_files(freshclam_t) + +auth_use_nsswitch(freshclam_t) + +logging_send_syslog_msg(freshclam_t) + +miscfiles_read_localization(freshclam_t) + +clamav_stream_connect(freshclam_t) + +optional_policy(` + cron_system_entry(freshclam_t, freshclam_exec_t) +') + +tunable_policy(`clamd_use_jit',` + allow freshclam_t self:process execmem; 
+', ` + dontaudit freshclam_t self:process execmem; +') + +######################################## +# +# clamscam local policy +# + +allow clamscan_t self:capability { setgid setuid dac_override }; +allow clamscan_t self:fifo_file rw_file_perms; +allow clamscan_t self:unix_stream_socket create_stream_socket_perms; +allow clamscan_t self:unix_dgram_socket create_socket_perms; +allow clamscan_t self:tcp_socket create_stream_socket_perms; + +# configuration files +allow clamscan_t clamd_etc_t:dir list_dir_perms; +read_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t) +read_lnk_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t) + +# tmp files +manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t) +manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t) +files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) + +# var/lib files together with clamd +manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) +allow clamscan_t clamd_var_lib_t:dir list_dir_perms; + +corenet_all_recvfrom_unlabeled(clamscan_t) +corenet_all_recvfrom_netlabel(clamscan_t) +corenet_tcp_sendrecv_generic_if(clamscan_t) +corenet_tcp_sendrecv_generic_node(clamscan_t) +corenet_tcp_sendrecv_all_ports(clamscan_t) +corenet_tcp_sendrecv_clamd_port(clamscan_t) +corenet_tcp_connect_clamd_port(clamscan_t) + +kernel_read_kernel_sysctls(clamscan_t) + +files_read_etc_files(clamscan_t) +files_read_etc_runtime_files(clamscan_t) +files_search_var_lib(clamscan_t) + +init_read_utmp(clamscan_t) +init_dontaudit_write_utmp(clamscan_t) + +miscfiles_read_localization(clamscan_t) +miscfiles_read_public_files(clamscan_t) + +clamav_stream_connect(clamscan_t) + +mta_send_mail(clamscan_t) + +optional_policy(` + amavis_read_spool_files(clamscan_t) +') + +optional_policy(` + apache_read_sys_content(clamscan_t) +') diff --git a/clockspeed.fc b/clockspeed.fc new file mode 100644 index 0000000..a7aa385 --- /dev/null +++ b/clockspeed.fc 
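Review bot: The cron and mta calls for `clamd_t` (`cron_use_fds`, `cron_use_system_job_fds`, `cron_rw_pipes`, `mta_read_config`, `mta_send_mail`) and `mta_send_mail(clamscan_t)` sit outside `optional_policy`, while every other cross-module call in this file (amavis, exim, apache, `cron_system_entry`) is wrapped; on a policy without those modules the build stops at the first undefined interface. Wrap them as below and do the same for the clamscan call. `allow clamscan_t self:fifo_file rw_file_perms;` uses the plain-file permission set where `clamd_t` and `freshclam_t` use `rw_fifo_file_perms`, and the section header `clamscam local policy` is a typo. `clamscan_t` is declared with `init_daemon_domain` although clamav.fc labels `/usr/bin/clamscan` and `/usr/bin/clamdscan`, which presumably are run by users rather than init; `application_domain`, as used for certwatch in this commit, looks like the better fit.

```m4
# … unchanged: clamd file, kernel, corenet, dev, files, auth, logging and miscfiles rules …

optional_policy(`
	cron_use_fds(clamd_t)
	cron_use_system_job_fds(clamd_t)
	cron_rw_pipes(clamd_t)
')

optional_policy(`
	mta_read_config(clamd_t)
	mta_send_mail(clamd_t)
')

# … unchanged: amavis and exim optional blocks, clamd_use_jit tunable …
```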
@@ -0,0 +1,14 @@
+
+#
+# /usr
+#
+/usr/bin/clockadd -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/clockspeed -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
+/usr/bin/sntpclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/taiclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0)
+/usr/bin/taiclockd -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/clockspeed(/.*)? gen_context(system_u:object_r:clockspeed_var_lib_t,s0)
diff --git a/clockspeed.if b/clockspeed.if
new file mode 100644
index 0000000..0797617
--- /dev/null
+++ b/clockspeed.if
@@ -0,0 +1,44 @@
+## Clockspeed simple network time protocol client
+
+########################################
+##
+## Execute clockspeed utilities in the clockspeed_cli domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`clockspeed_domtrans_cli',`
+ gen_require(`
+ type clockspeed_cli_t, clockspeed_cli_exec_t;
+ ')
+
+ domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t)
+')
+
+########################################
+##
+## Allow the specified role the clockspeed_cli domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`clockspeed_run_cli',`
+ gen_require(`
+ type clockspeed_cli_t;
+ ')
+
+ role $2 types clockspeed_cli_t;
+ clockspeed_domtrans_cli($1)
+')
diff --git a/clockspeed.te b/clockspeed.te
new file mode 100644
index 0000000..b40f3f7
--- /dev/null
+++ b/clockspeed.te
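Review bot: `clockspeed_domtrans_cli` performs `domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t)` without first granting the caller search access on the bin directories, while the other domtrans interfaces in this commit (e.g. `clogd_domtrans`) put `corecmd_search_bin($1)` before the transition. Since clockspeed.fc labels the client binaries under /usr/bin, a caller that does not already search bin_t cannot reach the executable and the transition never fires; add `corecmd_search_bin($1)` on the line before `domtrans_pattern`. `clockspeed_run_cli` inherits the fix since it calls this interface.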
@@ -0,0 +1,72 @@
+policy_module(clockspeed, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type clockspeed_cli_t;
+type clockspeed_cli_exec_t;
+application_domain(clockspeed_cli_t, clockspeed_cli_exec_t)
+
+type clockspeed_srv_t;
+type clockspeed_srv_exec_t;
+init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+
+type clockspeed_var_lib_t;
+files_type(clockspeed_var_lib_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow clockspeed_cli_t self:capability sys_time;
+allow clockspeed_cli_t self:udp_socket create_socket_perms;
+
+read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+
+corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
+corenet_all_recvfrom_netlabel(clockspeed_cli_t)
+corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
+corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
+corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
+corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
+
+files_list_var_lib(clockspeed_cli_t)
+files_read_etc_files(clockspeed_cli_t)
+
+miscfiles_read_localization(clockspeed_cli_t)
+
+userdom_use_user_terminals(clockspeed_cli_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow clockspeed_srv_t self:capability { sys_time net_bind_service };
+allow clockspeed_srv_t self:udp_socket create_socket_perms;
+allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
+allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
+
+manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+
+corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
+corenet_all_recvfrom_netlabel(clockspeed_srv_t)
+corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
+corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
+corenet_udp_sendrecv_ntp_port(clockspeed_srv_t)
+corenet_udp_bind_generic_node(clockspeed_srv_t)
+corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
+corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
+
+files_read_etc_files(clockspeed_srv_t)
+files_list_var_lib(clockspeed_srv_t)
+
+miscfiles_read_localization(clockspeed_srv_t)
+
+optional_policy(`
+ daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+')
diff --git a/clogd.fc b/clogd.fc
new file mode 100644
index 0000000..6793948
--- /dev/null
+++ b/clogd.fc
@@ -0,0 +1,3 @@
+/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
+/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
diff --git a/clogd.if b/clogd.if
new file mode 100644
index 0000000..c0a66a4
--- /dev/null
+++ b/clogd.if
@@ -0,0 +1,79 @@
+## clogd - Clustered Mirror Log Server
+
+######################################
+##
+## Execute a domain transition to run clogd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`clogd_domtrans',`
+ gen_require(`
+ type clogd_t, clogd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, clogd_exec_t, clogd_t)
+')
+
+#####################################
+##
+## Connect to clogd over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clogd_stream_connect',`
+ gen_require(`
+ type clogd_t, clogd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, clogd_var_run_t, clogd_var_run_t, clogd_t)
+')
+
+#####################################
+##
+## Allow read and write access to clogd semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clogd_rw_semaphores',`
+ gen_require(`
+ type clogd_t;
+ ')
+
+ allow $1 clogd_t:sem rw_sem_perms;
+')
+
+########################################
+##
+## Read and write to group shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clogd_rw_shm',`
+ gen_require(`
+ type clogd_t, clogd_tmpfs_t;
+ ')
+
+ allow $1 clogd_t:shm rw_shm_perms;
+ allow $1 clogd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
diff --git a/clogd.te b/clogd.te
new file mode 100644
index 0000000..6077339
--- /dev/null
+++ b/clogd.te
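Review bot: The summary of `clogd_rw_shm` says "Read and write to group shared memory", but nothing in the interface concerns a group; the body grants `shm rw_shm_perms` on clogd_t plus read/write on clogd_tmpfs_t files, so the description should name what is actually granted, e.g. `## Read and write clogd SysV shared memory and its tmpfs-backed segments.`. The sibling `clogd_rw_semaphores` summary is accurate and can serve as the model.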
@@ -0,0 +1,54 @@
+policy_module(clogd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type clogd_t;
+type clogd_exec_t;
+init_daemon_domain(clogd_t, clogd_exec_t)
+
+type clogd_tmpfs_t;
+files_tmpfs_file(clogd_tmpfs_t)
+
+# pid files
+type clogd_var_run_t;
+files_pid_file(clogd_var_run_t)
+
+########################################
+#
+# clogd local policy
+#
+
+allow clogd_t self:capability { net_admin mknod };
+allow clogd_t self:process signal;
+
+allow clogd_t self:sem create_sem_perms;
+allow clogd_t self:shm create_shm_perms;
+allow clogd_t self:netlink_socket create_socket_perms;
+allow clogd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
+manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
+fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
+
+# pid files
+manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+files_pid_filetrans(clogd_t, clogd_var_run_t, { file })
+
+dev_read_lvm_control(clogd_t)
+dev_manage_generic_blk_files(clogd_t)
+
+storage_raw_read_fixed_disk(clogd_t)
+storage_raw_write_fixed_disk(clogd_t)
+
+logging_send_syslog_msg(clogd_t)
+
+miscfiles_read_localization(clogd_t)
+
+optional_policy(`
+ aisexec_stream_connect(clogd_t)
+ corosync_stream_connect(clogd_t)
+')
diff --git a/cmirrord.fc b/cmirrord.fc
new file mode 100644
index 0000000..049e2b6
--- /dev/null
+++ b/cmirrord.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
+
+/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+
+/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/cmirrord.if b/cmirrord.if
new file mode 100644
index 0000000..f8463c0
--- /dev/null
+++ b/cmirrord.if
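Review bot: The single `optional_policy` block at the end of clogd.te wraps both `aisexec_stream_connect(clogd_t)` and `corosync_stream_connect(clogd_t)`; an optional block is dropped as a whole when any requirement in it is unmet, so on a host with corosync but no aisexec module clogd silently loses its corosync socket access (and vice versa). Split them into two optional blocks as shown below; cmirrord.te in this same commit already uses one block per module. Separately, `files_pid_filetrans(clogd_t, clogd_var_run_t, { file })` braces a single class where every other filetrans in the commit writes a bare `file`, and the `mknod` capability together with `dev_manage_generic_blk_files` and raw fixed-disk read/write would benefit from a one-line why-comment such as `# clogd creates and accesses the mirror log block devices directly` if that is indeed the reason.
```selinux
# … unchanged: clogd local policy up to miscfiles_read_localization …

optional_policy(`
	aisexec_stream_connect(clogd_t)
')

optional_policy(`
	corosync_stream_connect(clogd_t)
')
```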
@@ -0,0 +1,113 @@
+## Cluster mirror log daemon
+
+########################################
+##
+## Execute a domain transition to run cmirrord.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cmirrord_domtrans',`
+ gen_require(`
+ type cmirrord_t, cmirrord_exec_t;
+ ')
+
+ domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
+')
+
+########################################
+##
+## Execute cmirrord server in the cmirrord domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cmirrord_initrc_domtrans',`
+ gen_require(`
+ type cmirrord_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
+')
+
+########################################
+##
+## Read cmirrord PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cmirrord_read_pid_files',`
+ gen_require(`
+ type cmirrord_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 cmirrord_var_run_t:file read_file_perms;
+')
+
+#######################################
+##
+## Read and write to cmirrord shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cmirrord_rw_shm',`
+ gen_require(`
+ type cmirrord_t, cmirrord_tmpfs_t;
+ ')
+
+ allow $1 cmirrord_t:shm rw_shm_perms;
+
+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an cmirrord environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`cmirrord_admin',`
+ gen_require(`
+ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
+ ')
+
+ allow $1 cmirrord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cmirrord_t)
+
+ cmirrord_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cmirrord_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_pids($1)
+ admin_pattern($1, cmirrord_var_run_t)
+')
diff --git a/cmirrord.te b/cmirrord.te
new file mode 100644
index 0000000..28fdd8a
--- /dev/null
+++ b/cmirrord.te
@@ -0,0 +1,58 @@
+policy_module(cmirrord, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cmirrord_t;
+type cmirrord_exec_t;
+init_daemon_domain(cmirrord_t, cmirrord_exec_t)
+
+type cmirrord_initrc_exec_t;
+init_script_file(cmirrord_initrc_exec_t)
+
+type cmirrord_tmpfs_t;
+files_tmpfs_file(cmirrord_tmpfs_t)
+
+type cmirrord_var_run_t;
+files_pid_file(cmirrord_var_run_t)
+
+########################################
+#
+# cmirrord local policy
+#
+
+allow cmirrord_t self:capability { net_admin kill };
+dontaudit cmirrord_t self:capability sys_tty_config;
+allow cmirrord_t self:process { setfscreate signal};
+allow cmirrord_t self:fifo_file rw_fifo_file_perms;
+allow cmirrord_t self:sem create_sem_perms;
+allow cmirrord_t self:shm create_shm_perms;
+allow cmirrord_t self:netlink_socket create_socket_perms;
+allow cmirrord_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
+
+manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+
+domain_use_interactive_fds(cmirrord_t)
+domain_obj_id_change_exemption(cmirrord_t)
+
+files_read_etc_files(cmirrord_t)
+
+storage_create_fixed_disk_dev(cmirrord_t)
+
+seutil_read_file_contexts(cmirrord_t)
+
+logging_send_syslog_msg(cmirrord_t)
+
+miscfiles_read_localization(cmirrord_t)
+
+optional_policy(`
+ corosync_stream_connect(cmirrord_t)
+')
diff --git a/cobbler.fc b/cobbler.fc
new file mode 100644
index 0000000..1cf6c4e
--- /dev/null
+++ b/cobbler.fc
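Review bot: The combination of `setfscreate` on the process line, `domain_obj_id_change_exemption(cmirrord_t)` and `seutil_read_file_contexts(cmirrord_t)` lets cmirrord choose the label of objects it creates, which is a much wider grant than the rest of this daemon's policy and is given with no explanation. Presumably it exists so the fixed-disk device nodes created via `storage_create_fixed_disk_dev` get the right context, but that is inferred; a why-comment above `domain_obj_id_change_exemption` such as `# setfscreate + exemption: cmirrord labels the device nodes it creates itself — confirm still required` would let a later reviewer tighten it with confidence. The same process line also has a spacing slip, `{ setfscreate signal}` should read `{ setfscreate signal }` like every other permission set in the commit.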
@@ -0,0 +1,7 @@
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
+
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --git a/cobbler.if b/cobbler.if
new file mode 100644
index 0000000..116d60f
--- /dev/null
+++ b/cobbler.if
@@ -0,0 +1,185 @@
+## Cobbler installation server.
+##
+##

+## Cobbler is a Linux installation server that allows for
+## rapid setup of network installation environments. It
+## glues together and automates many associated Linux
+## tasks so you do not have to hop between lots of various
+## commands and applications when rolling out new systems,
+## and, in some cases, changing existing ones.
+##

+##
+
+########################################
+##
+## Execute a domain transition to run cobblerd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cobblerd_domtrans',`
+ gen_require(`
+ type cobblerd_t, cobblerd_exec_t;
+ ')
+
+ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+')
+
+########################################
+##
+## Execute cobblerd server in the cobblerd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cobblerd_initrc_domtrans',`
+ gen_require(`
+ type cobblerd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
+')
+
+########################################
+##
+## Read Cobbler content in /etc
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_read_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## Cobbler log files (leaked fd).
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`cobbler_dontaudit_rw_log',`
+ gen_require(`
+ type cobbler_var_log_t;
+ ')
+
+ dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+')
+
+########################################
+##
+## Search cobbler dirs in /var/lib
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_search_lib',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read cobbler files in /var/lib
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_read_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Manage cobbler files in /var/lib
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_manage_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an cobblerd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`cobblerd_admin',`
+ gen_require(`
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t;
+ ')
+
+ allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, cobblerd_t, cobblerd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, cobbler_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cobbler_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, cobbler_var_log_t)
+
+ admin_pattern($1, httpd_cobbler_content_rw_t)
+
+ cobblerd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cobblerd_initrc_exec_t system_r;
+ allow $2 system_r;
+')
diff --git a/cobbler.te b/cobbler.te
new file mode 100644
index 0000000..0258b48
--- /dev/null
+++ b/cobbler.te
@@ -0,0 +1,128 @@
+policy_module(cobbler, 1.1.0)
+
+########################################
+#
+# Cobbler personal declarations.
+#
+
+##
+##
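Review bot: `cobblerd_admin` calls `admin_pattern($1, httpd_cobbler_content_rw_t)` but its `gen_require` block lists only the cobbler_* and cobblerd_* types, so `httpd_cobbler_content_rw_t` is an undeclared reference inside the interface. That type is produced by `apache_content_template(cobbler)` in cobbler.te, and any module calling this interface without independently requiring it will fail to build (or the optional block containing the call will be disabled) — add `type httpd_cobbler_content_rw_t;` to the gen_require alongside the others. Also, this interface uses `read_files_pattern($1, cobblerd_t, cobblerd_t)` where the other admin interfaces in the commit (`cmirrord_admin`, `corosyncd_admin`) use `ps_process_pattern($1, cobblerd_t)` for the same purpose; aligning them keeps the admin interfaces uniform.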

+## Allow Cobbler to modify public files
+## used for public file transfer services.
+##

+##
+gen_tunable(cobbler_anon_write, false)
+
+type cobblerd_t;
+type cobblerd_exec_t;
+init_daemon_domain(cobblerd_t, cobblerd_exec_t)
+
+type cobblerd_initrc_exec_t;
+init_script_file(cobblerd_initrc_exec_t)
+
+type cobbler_etc_t;
+files_config_file(cobbler_etc_t)
+
+type cobbler_var_log_t;
+logging_log_file(cobbler_var_log_t)
+
+type cobbler_var_lib_t;
+files_type(cobbler_var_lib_t)
+
+########################################
+#
+# Cobbler personal policy.
+#
+
+allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+allow cobblerd_t self:process { getsched setsched signal };
+allow cobblerd_t self:fifo_file rw_fifo_file_perms;
+allow cobblerd_t self:tcp_socket create_stream_socket_perms;
+
+list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+
+manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
+
+append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+
+kernel_read_system_state(cobblerd_t)
+
+corecmd_exec_bin(cobblerd_t)
+corecmd_exec_shell(cobblerd_t)
+
+corenet_all_recvfrom_netlabel(cobblerd_t)
+corenet_all_recvfrom_unlabeled(cobblerd_t)
+corenet_sendrecv_cobbler_server_packets(cobblerd_t)
+corenet_tcp_bind_cobbler_port(cobblerd_t)
+corenet_tcp_bind_generic_node(cobblerd_t)
+corenet_tcp_sendrecv_generic_if(cobblerd_t)
+corenet_tcp_sendrecv_generic_node(cobblerd_t)
+corenet_tcp_sendrecv_generic_port(cobblerd_t)
+
+dev_read_urand(cobblerd_t)
+
+files_read_usr_files(cobblerd_t)
+files_list_boot(cobblerd_t)
+files_list_tmp(cobblerd_t)
+# read /etc/nsswitch.conf
+files_read_etc_files(cobblerd_t)
+
+miscfiles_read_localization(cobblerd_t)
+miscfiles_read_public_files(cobblerd_t)
+
+sysnet_read_config(cobblerd_t)
+sysnet_rw_dhcp_config(cobblerd_t)
+sysnet_write_config(cobblerd_t)
+
+tunable_policy(`cobbler_anon_write',`
+ miscfiles_manage_public_files(cobblerd_t)
+')
+
+optional_policy(`
+ bind_read_config(cobblerd_t)
+ bind_write_config(cobblerd_t)
+ bind_domtrans_ndc(cobblerd_t)
+ bind_domtrans(cobblerd_t)
+ bind_initrc_domtrans(cobblerd_t)
+ bind_manage_zone(cobblerd_t)
+')
+
+optional_policy(`
+ dhcpd_domtrans(cobblerd_t)
+ dhcpd_initrc_domtrans(cobblerd_t)
+')
+
+optional_policy(`
+ dnsmasq_domtrans(cobblerd_t)
+ dnsmasq_initrc_domtrans(cobblerd_t)
+ dnsmasq_write_config(cobblerd_t)
+')
+
+optional_policy(`
+ rpm_exec(cobblerd_t)
+')
+
+optional_policy(`
+ rsync_read_config(cobblerd_t)
+ rsync_write_config(cobblerd_t)
+')
+
+optional_policy(`
+ tftp_manage_rw_content(cobblerd_t)
+')
+
+########################################
+#
+# Cobbler web local policy.
+#
+
+apache_content_template(cobbler)
+manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff --git a/colord.fc b/colord.fc
new file mode 100644
index 0000000..78b2fea
--- /dev/null
+++ b/colord.fc
@@ -0,0 +1,4 @@
+/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+
+/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/colord.if b/colord.if
new file mode 100644
index 0000000..733e4e6
--- /dev/null
+++ b/colord.if
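Review bot: cobblerd_t binds a network port (`corenet_tcp_bind_cobbler_port`) and in the same policy is granted write access to the host's resolver and network configuration (`sysnet_write_config`, `sysnet_rw_dhcp_config`), to BIND zones and config (`bind_write_config`, `bind_manage_zone`), to dnsmasq and rsync configuration, plus `rpm_exec` and `corecmd_exec_shell`, none of which carries a why-comment. Each of these is a system-wide write for a network-reachable daemon, so a one-line comment per block naming the Cobbler feature that needs it (e.g. `# cobbler sync rewrites the DHCP/DNS templates it manages`) would let a later maintainer drop what is no longer required. On the first line of this hunk, the comment `# read /etc/nsswitch.conf` sits over `files_read_etc_files(cobblerd_t)`; if nsswitch-driven lookups are the actual need, the conventional interface is `auth_use_nsswitch(cobblerd_t)`, which freshclam_t, comsat_t and consolekit_t in this commit already use, and the comment could then go.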
@@ -0,0 +1,59 @@
+## GNOME color manager
+
+########################################
+##
+## Execute a domain transition to run colord.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`colord_domtrans',`
+ gen_require(`
+ type colord_t, colord_exec_t;
+ ')
+
+ domtrans_pattern($1, colord_exec_t, colord_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## colord over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`colord_dbus_chat',`
+ gen_require(`
+ type colord_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 colord_t:dbus send_msg;
+ allow colord_t $1:dbus send_msg;
+')
+
+######################################
+##
+## Read colord lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`colord_read_lib_files',`
+ gen_require(`
+ type colord_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
+')
diff --git a/colord.te b/colord.te
new file mode 100644
index 0000000..74505cc
--- /dev/null
+++ b/colord.te
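Review bot: The parameter summary of `colord_domtrans` reads "Domain allowed access." although the interface performs a domain transition; every other domtrans interface in this commit (`clogd_domtrans`, `cmirrord_domtrans`, `consolekit_domtrans`, `corosync_domtrans`) documents the parameter as `## Domain allowed to transition.`, and this one should match so generated interface docs stay consistent.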
@@ -0,0 +1,100 @@
+policy_module(colord, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type colord_t;
+type colord_exec_t;
+dbus_system_domain(colord_t, colord_exec_t)
+
+type colord_tmp_t;
+files_tmp_file(colord_tmp_t)
+
+type colord_tmpfs_t;
+files_tmpfs_file(colord_tmpfs_t)
+
+type colord_var_lib_t;
+files_type(colord_var_lib_t)
+
+########################################
+#
+# colord local policy
+#
+allow colord_t self:capability { dac_read_search dac_override };
+allow colord_t self:process signal;
+allow colord_t self:fifo_file rw_fifo_file_perms;
+allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow colord_t self:udp_socket create_socket_perms;
+allow colord_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
+
+manage_dirs_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
+manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
+fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
+
+manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
+
+kernel_getattr_proc_files(colord_t)
+kernel_read_device_sysctls(colord_t)
+
+corenet_all_recvfrom_unlabeled(colord_t)
+corenet_all_recvfrom_netlabel(colord_t)
+corenet_udp_bind_generic_node(colord_t)
+corenet_udp_bind_ipp_port(colord_t)
+corenet_tcp_connect_ipp_port(colord_t)
+
+dev_read_video_dev(colord_t)
+dev_write_video_dev(colord_t)
+dev_rw_printer(colord_t)
+dev_read_rand(colord_t)
+dev_read_sysfs(colord_t)
+dev_read_urand(colord_t)
+dev_list_sysfs(colord_t)
+dev_rw_generic_usb_dev(colord_t)
+
+domain_use_interactive_fds(colord_t)
+
+files_list_mnt(colord_t)
+files_read_etc_files(colord_t)
+files_read_usr_files(colord_t)
+
+fs_read_noxattr_fs_files(colord_t)
+
+logging_send_syslog_msg(colord_t)
+
+miscfiles_read_localization(colord_t)
+
+sysnet_dns_name_resolve(colord_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(colord_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(colord_t)
+')
+
+optional_policy(`
+ cups_read_config(colord_t)
+ cups_read_rw_config(colord_t)
+ cups_stream_connect(colord_t)
+ cups_dbus_chat(colord_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(colord_t)
+ policykit_domtrans_auth(colord_t)
+ policykit_read_lib(colord_t)
+ policykit_read_reload(colord_t)
+')
+
+optional_policy(`
+ udev_read_db(colord_t)
+')
diff --git a/comsat.fc b/comsat.fc
new file mode 100644
index 0000000..e7633fa
--- /dev/null
+++ b/comsat.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0)
diff --git a/comsat.if b/comsat.if
new file mode 100644
index 0000000..afc4dfe
--- /dev/null
+++ b/comsat.if
@@ -0,0 +1 @@
+## Comsat, a biff server.
diff --git a/comsat.te b/comsat.te
new file mode 100644
index 0000000..3d121fd
--- /dev/null
+++ b/comsat.te
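Review bot: The capability line at the top of the colord local policy (in the previous hunk of this file section) grants both `dac_read_search` and `dac_override`; `dac_override` bypasses every DAC check including writes and makes `dac_read_search` redundant. The rest of this policy gives colord_t only read access outside its own types (`fs_read_nfs_files`, `fs_read_cifs_files`, `fs_read_noxattr_fs_files`, `files_read_usr_files`), which suggests read-and-traverse of user-owned profile directories is the real need; if so, `allow colord_t self:capability dac_read_search;` alone suffices and is the least-privilege choice, otherwise a why-comment naming the write case should accompany `dac_override`. Minor style: the `# colord local policy` header is the only section in the commit with no blank line before its first `allow` rule.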
@@ -0,0 +1,74 @@
+policy_module(comsat, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type comsat_t;
+type comsat_exec_t;
+inetd_udp_service_domain(comsat_t, comsat_exec_t)
+role system_r types comsat_t;
+
+type comsat_tmp_t;
+files_tmp_file(comsat_tmp_t)
+
+type comsat_var_run_t;
+files_pid_file(comsat_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow comsat_t self:capability { setuid setgid };
+allow comsat_t self:process signal_perms;
+allow comsat_t self:fifo_file rw_fifo_file_perms;
+allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow comsat_t self:tcp_socket connected_stream_socket_perms;
+allow comsat_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t)
+manage_files_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t)
+files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir })
+
+manage_files_pattern(comsat_t, comsat_var_run_t, comsat_var_run_t)
+files_pid_filetrans(comsat_t, comsat_var_run_t, file)
+
+kernel_read_kernel_sysctls(comsat_t)
+kernel_read_network_state(comsat_t)
+kernel_read_system_state(comsat_t)
+
+corenet_all_recvfrom_unlabeled(comsat_t)
+corenet_all_recvfrom_netlabel(comsat_t)
+corenet_tcp_sendrecv_generic_if(comsat_t)
+corenet_udp_sendrecv_generic_if(comsat_t)
+corenet_tcp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_all_ports(comsat_t)
+
+dev_read_urand(comsat_t)
+
+fs_getattr_xattr_fs(comsat_t)
+
+files_read_etc_files(comsat_t)
+files_list_usr(comsat_t)
+files_search_spool(comsat_t)
+files_search_home(comsat_t)
+
+auth_use_nsswitch(comsat_t)
+
+init_read_utmp(comsat_t)
+init_dontaudit_write_utmp(comsat_t)
+
+logging_send_syslog_msg(comsat_t)
+
+miscfiles_read_localization(comsat_t)
+
+userdom_dontaudit_getattr_user_ttys(comsat_t)
+
+mta_getattr_spool(comsat_t)
+
+optional_policy(`
+ kerberos_use(comsat_t)
+')
diff --git a/consolekit.fc b/consolekit.fc
new file mode 100644
index 0000000..32233ab
--- /dev/null
+++ b/consolekit.fc
@@ -0,0 +1,7 @@
+/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
+
+/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
diff --git a/consolekit.if b/consolekit.if
new file mode 100644
index 0000000..fd15dfe
--- /dev/null
+++ b/consolekit.if
@@ -0,0 +1,98 @@
+## Framework for facilitating multiple user sessions on desktops.
+
+########################################
+##
+## Execute a domain transition to run consolekit.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`consolekit_domtrans',`
+ gen_require(`
+ type consolekit_t, consolekit_exec_t;
+ ')
+
+ domtrans_pattern($1, consolekit_exec_t, consolekit_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## consolekit over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_dbus_chat',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 consolekit_t:dbus send_msg;
+ allow consolekit_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Read consolekit log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_read_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ read_files_pattern($1, consolekit_log_t, consolekit_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+##
+## Manage consolekit log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_manage_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ manage_files_pattern($1, consolekit_log_t, consolekit_log_t)
+ files_search_pids($1)
+')
+
+########################################
+##
+## Read consolekit PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_read_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 consolekit_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
diff --git a/consolekit.te b/consolekit.te
new file mode 100644
index 0000000..42ed6a6
--- /dev/null
+++ b/consolekit.te
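Review bot: `consolekit_manage_log` grants `manage_files_pattern($1, consolekit_log_t, consolekit_log_t)` but pairs it with `files_search_pids($1)`, which opens the PID directory rather than the log tree; consolekit.fc places consolekit_log_t under /var/log/ConsoleKit, so a caller that cannot already search var_log_t will be unable to reach the files this interface is meant to manage. The sibling `consolekit_read_log` gets this right with `logging_search_logs($1)`; change the second line of the body to `logging_search_logs($1)` (the pid-search call looks like a copy from `consolekit_read_pid_files` below it).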
@@ -0,0 +1,131 @@
+policy_module(consolekit, 1.7.1)
+
+########################################
+#
+# Declarations
+#
+
+type consolekit_t;
+type consolekit_exec_t;
+init_daemon_domain(consolekit_t, consolekit_exec_t)
+
+type consolekit_log_t;
+logging_log_file(consolekit_log_t)
+
+type consolekit_var_run_t;
+files_pid_file(consolekit_var_run_t)
+
+########################################
+#
+# consolekit local policy
+#
+
+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:process { getsched signal };
+allow consolekit_t self:fifo_file rw_fifo_file_perms;
+allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
+allow consolekit_t self:unix_dgram_socket create_socket_perms;
+
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+
+manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir })
+
+kernel_read_system_state(consolekit_t)
+
+corecmd_exec_bin(consolekit_t)
+corecmd_exec_shell(consolekit_t)
+
+dev_read_urand(consolekit_t)
+dev_read_sysfs(consolekit_t)
+
+domain_read_all_domains_state(consolekit_t)
+domain_use_interactive_fds(consolekit_t)
+domain_dontaudit_ptrace_all_domains(consolekit_t)
+
+files_read_etc_files(consolekit_t)
+files_read_usr_files(consolekit_t)
+# needs to read /var/lib/dbus/machine-id
+files_read_var_lib_files(consolekit_t)
+files_search_all_mountpoints(consolekit_t)
+
+fs_list_inotifyfs(consolekit_t)
+
+mcs_ptrace_all(consolekit_t)
+
+term_use_all_terms(consolekit_t)
+
+auth_use_nsswitch(consolekit_t)
+auth_manage_pam_console_data(consolekit_t)
+auth_write_login_records(consolekit_t)
+
+init_telinit(consolekit_t)
+init_rw_utmp(consolekit_t)
+
+logging_send_syslog_msg(consolekit_t)
+logging_send_audit_msgs(consolekit_t)
+
+miscfiles_read_localization(consolekit_t)
+
+userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_read_user_tmp_files(consolekit_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(consolekit_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(consolekit_t)
+')
+
+optional_policy(`
+ dbus_system_domain(consolekit_t, consolekit_exec_t)
+
+ optional_policy(`
+ hal_dbus_chat(consolekit_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(consolekit_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_chat(consolekit_t)
+ ')
+')
+
+optional_policy(`
+ hal_ptrace(consolekit_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(consolekit_t)
+ policykit_domtrans_auth(consolekit_t)
+ policykit_read_lib(consolekit_t)
+ policykit_read_reload(consolekit_t)
+')
+
+optional_policy(`
+ type consolekit_tmpfs_t;
+ files_tmpfs_file(consolekit_tmpfs_t)
+
+ xserver_read_xdm_pid(consolekit_t)
+ xserver_read_user_xauth(consolekit_t)
+ xserver_non_drawing_client(consolekit_t)
+ corenet_tcp_connect_xserver_port(consolekit_t)
+ xserver_stream_connect(consolekit_t)
+ xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t)
+')
+
+optional_policy(`
+ udev_domtrans(consolekit_t)
+ udev_read_db(consolekit_t)
+ udev_signal(consolekit_t)
+')
+
+optional_policy(`
+ #reading .Xauthity
+ unconfined_stream_connect(consolekit_t)
+')
diff --git a/corosync.fc b/corosync.fc
new file mode 100644
index 0000000..3a6d7eb
--- /dev/null
+++ b/corosync.fc
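Review bot: The consolekit local policy (its capability line and `mcs_ptrace_all(consolekit_t)` are in the previous hunk of this section) grants `sys_ptrace`, `mcs_ptrace_all`, `domain_read_all_domains_state` and `term_use_all_terms` with no explanation of which ConsoleKit function needs cross-domain process inspection, and the only related hint is the `domain_dontaudit_ptrace_all_domains` call next to them; a why-comment such as `# session tracking reads /proc/<pid> of every login session process — sys_ptrace/mcs_ptrace_all needed for that, not for attaching` (worded to whatever the real reason is) would document a grant that otherwise looks excessive for a session manager. In this hunk, the comment `#reading .Xauthity` in the last optional block misspells the file and lacks the space used by the other comments in the commit; `# reading .Xauthority` is the intended text. `corenet_tcp_connect_xserver_port(consolekit_t)` sits inside the xserver `optional_policy` although corenet is a base-module interface that does not depend on the xserver module; moving it out with the other corenet calls keeps the optional block limited to xserver-provided interfaces.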
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+
+/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
+
+/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
+
+/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/corosync.if b/corosync.if
new file mode 100644
index 0000000..5220c9d
--- /dev/null
+++ b/corosync.if
@@ -0,0 +1,106 @@
+## Corosync Cluster Engine
+
+########################################
+##
+## Execute a domain transition to run corosync.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`corosync_domtrans',`
+ gen_require(`
+ type corosync_t, corosync_exec_t;
+ ')
+
+ domtrans_pattern($1, corosync_exec_t, corosync_t)
+')
+
+#######################################
+##
+## Allow the specified domain to read corosync's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corosync_read_log',`
+ gen_require(`
+ type corosync_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t)
+ read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+#####################################
+##
+## Connect to corosync over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corosync_stream_connect',`
+ gen_require(`
+ type corosync_t, corosync_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
+')
+
+######################################
+##
+## All of the rules required to administrate
+## an corosync environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the corosyncd domain.
+##
+##
+##
+#
+interface(`corosyncd_admin',`
+ gen_require(`
+ type corosync_t, corosync_var_lib_t, corosync_var_log_t;
+ type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
+ type corosync_initrc_exec_t;
+ ')
+
+ allow $1 corosync_t:process { ptrace signal_perms };
+ ps_process_pattern($1, corosync_t)
+
+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 corosync_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, corosync_tmp_t)
+
+ admin_pattern($1, corosync_tmpfs_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, corosync_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, corosync_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, corosync_var_run_t)
+')
diff --git a/corosync.te b/corosync.te
new file mode 100644
index 0000000..04969e5
--- /dev/null
+++ b/corosync.te
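Review bot: The admin interface is named `corosyncd_admin` while the other three interfaces in this file use the `corosync_` prefix, and its description speaks of "the corosyncd domain" although the only process domain this module declares is `corosync_t`; the summary line also reads "an corosync environment". Unless the name is deliberately kept for an existing caller, `interface(`corosync_admin',`` together with `## The role to be allowed to manage the corosync domain.` and `## a corosync environment` would make the file self-consistent. Note also that the interface grants `$1` `ptrace` over `corosync_t`, which is appropriate only for a genuine administrator role and is worth a one-line comment saying so.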
@@ -0,0 +1,103 @@
+policy_module(corosync, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type corosync_t;
+type corosync_exec_t;
+init_daemon_domain(corosync_t, corosync_exec_t)
+
+type corosync_initrc_exec_t;
+init_script_file(corosync_initrc_exec_t)
+
+type corosync_tmp_t;
+files_tmp_file(corosync_tmp_t)
+
+type corosync_tmpfs_t;
+files_tmpfs_file(corosync_tmpfs_t)
+
+type corosync_var_lib_t;
+files_type(corosync_var_lib_t)
+
+type corosync_var_log_t;
+logging_log_file(corosync_var_log_t)
+
+type corosync_var_run_t;
+files_pid_file(corosync_var_run_t)
+
+########################################
+#
+# corosync local policy
+#
+
+allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
+allow corosync_t self:process { setrlimit setsched signal };
+
+allow corosync_t self:fifo_file rw_fifo_file_perms;
+allow corosync_t self:sem create_sem_perms;
+allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow corosync_t self:unix_dgram_socket create_socket_perms;
+allow corosync_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
+
+manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file })
+
+manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
+
+manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
+
+manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
+
+kernel_read_system_state(corosync_t)
+
+corecmd_exec_bin(corosync_t)
+
+corenet_udp_bind_netsupport_port(corosync_t)
+
+dev_read_urand(corosync_t)
+
+domain_read_all_domains_state(corosync_t)
+
+files_manage_mounttab(corosync_t)
+
+auth_use_nsswitch(corosync_t)
+
+init_read_script_state(corosync_t)
+init_rw_script_tmp_files(corosync_t)
+
+logging_send_syslog_msg(corosync_t)
+
+miscfiles_read_localization(corosync_t)
+
+userdom_rw_user_tmpfs_files(corosync_t)
+
+optional_policy(`
+ ccs_read_config(corosync_t)
+')
+
+optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_dlm_controld_semaphores(corosync_t)
+
+ rhcs_rw_fenced_semaphores(corosync_t)
+
+ rhcs_rw_gfs_controld_semaphores(corosync_t)
+')
+
+optional_policy(`
+ rgmanager_manage_tmpfs_files(corosync_t)
+')
diff --git a/courier.fc b/courier.fc
new file mode 100644
index 0000000..da786b9
--- /dev/null
+++ b/courier.fc
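Review bot: `userdom_rw_user_tmpfs_files(corosync_t)` and `domain_read_all_domains_state(corosync_t)` give a system daemon read/write access to every user's tmpfs-backed files and read access to the /proc state of every domain, and neither line says which corosync feature needs it, whereas the RHCS block below does get `# to communication with RHCS`. If these grants exist for a specific client interaction (the `rgmanager_manage_tmpfs_files` block suggests one), a why-comment in the same style above each, for example `# NOTE(review): needed for <which client/feature> — confirm`, or a narrower interface where one is available, would make the wide grant auditable later. The double blank lines between the three `rhcs_rw_*_semaphores` calls are a small style nit in the same block.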
@@ -0,0 +1,30 @@
+/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/etc/courier-imap(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+
+/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+
+/usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+
+/usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+/usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/lib(64)?/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+')
+
+/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+
+/var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
+
+/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
+/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
diff --git a/courier.if b/courier.if
new file mode 100644
index 0000000..9971337
--- /dev/null
+++ b/courier.if
@@ -0,0 +1,216 @@
+## Courier IMAP and POP3 email servers
+
+########################################
+##
+## Template for creating courier server processes.
+##
+##
+##
+## Prefix name of the server process.
+##
+##
+#
+template(`courier_domain_template',`
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type courier_$1_t;
+ type courier_$1_exec_t;
+ init_daemon_domain(courier_$1_t, courier_$1_exec_t)
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ allow courier_$1_t self:capability dac_override;
+ dontaudit courier_$1_t self:capability sys_tty_config;
+ allow courier_$1_t self:process { setpgid signal_perms };
+ allow courier_$1_t self:fifo_file { read write getattr };
+ allow courier_$1_t self:tcp_socket create_stream_socket_perms;
+ allow courier_$1_t self:udp_socket create_socket_perms;
+
+ can_exec(courier_$1_t, courier_$1_exec_t)
+
+ read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t)
+ allow courier_$1_t courier_etc_t:dir list_dir_perms;
+
+ manage_dirs_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+ manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+ manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+ manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
+ files_search_pids(courier_$1_t)
+ files_pid_filetrans(courier_$1_t, courier_var_run_t, dir)
+
+ kernel_read_system_state(courier_$1_t)
+ kernel_read_kernel_sysctls(courier_$1_t)
+
+ corecmd_exec_bin(courier_$1_t)
+
+ corenet_all_recvfrom_unlabeled(courier_$1_t)
+ corenet_all_recvfrom_netlabel(courier_$1_t)
+ corenet_tcp_sendrecv_generic_if(courier_$1_t)
+ corenet_udp_sendrecv_generic_if(courier_$1_t)
+ corenet_tcp_sendrecv_generic_node(courier_$1_t)
+ corenet_udp_sendrecv_generic_node(courier_$1_t)
+ corenet_tcp_sendrecv_all_ports(courier_$1_t)
+ corenet_udp_sendrecv_all_ports(courier_$1_t)
+
+ dev_read_sysfs(courier_$1_t)
+
+ domain_use_interactive_fds(courier_$1_t)
+
+ files_read_etc_files(courier_$1_t)
+ files_read_etc_runtime_files(courier_$1_t)
+ files_read_usr_files(courier_$1_t)
+
+ fs_getattr_xattr_fs(courier_$1_t)
+ fs_search_auto_mountpoints(courier_$1_t)
+
+ logging_send_syslog_msg(courier_$1_t)
+
+ sysnet_read_config(courier_$1_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(courier_$1_t)
+
+ optional_policy(`
+ seutil_sigchld_newrole(courier_$1_t)
+ ')
+
+ optional_policy(`
+ udev_read_db(courier_$1_t)
+ ')
+')
+
+########################################
+##
+## Execute the courier authentication daemon with
+## a domain transition.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`courier_domtrans_authdaemon',`
+ gen_require(`
+ type courier_authdaemon_t, courier_authdaemon_exec_t;
+ ')
+
+ domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
+')
+
+########################################
+##
+## Execute the courier POP3 and IMAP server with
+## a domain transition.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`courier_domtrans_pop',`
+ gen_require(`
+ type courier_pop_t, courier_pop_exec_t;
+ ')
+
+ domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
+')
+
+########################################
+##
+## Read courier config files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`courier_read_config',`
+ gen_require(`
+ type courier_etc_t;
+ ')
+
+ read_files_pattern($1, courier_etc_t, courier_etc_t)
+')
+
+########################################
+##
+## Create, read, write, and delete courier
+## spool directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`courier_manage_spool_dirs',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+##
+## Create, read, write, and delete courier
+## spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`courier_manage_spool_files',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ manage_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+##
+## Read courier spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`courier_read_spool',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+##
+## Read and write to courier spool pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`courier_rw_spool_pipes',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
+')
diff --git a/courier.te b/courier.te
new file mode 100644
index 0000000..f7e31a2
--- /dev/null
+++ b/courier.te
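Review bot: In `courier_domain_template` the second banner comment reads `# Declarations` but the rules under it are the allow/dontaudit access rules, so it is a copy of the first banner and should read `# Local policy`, the wording the cron template in this same commit uses for that section. Separately, the template gives every derived domain `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports` and `corenet_all_recvfrom_unlabeled`, so the authdaemon, pcp, pop, tcpd and sqwebmail domains instantiated from it in courier.te all receive traffic on every port, although courier.te only binds a port for `courier_tcpd_t`; if the other domains do not need network reach, moving the all-ports rules into the TCPd section of courier.te would tighten four domains at once. A short comment on the all-ports lines stating why each instantiated domain needs them would be the minimum if they must stay in the template.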
@@ -0,0 +1,148 @@
+policy_module(courier, 1.11.1)
+
+########################################
+#
+# Declarations
+#
+
+courier_domain_template(authdaemon)
+
+type courier_etc_t;
+files_config_file(courier_etc_t)
+
+courier_domain_template(pcp)
+
+courier_domain_template(pop)
+
+type courier_spool_t;
+files_type(courier_spool_t)
+
+courier_domain_template(tcpd)
+
+type courier_var_lib_t;
+files_type(courier_var_lib_t)
+
+type courier_var_run_t;
+files_pid_file(courier_var_run_t)
+
+type courier_exec_t;
+mta_agent_executable(courier_exec_t)
+
+courier_domain_template(sqwebmail)
+typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
+
+########################################
+#
+# Authdaemon local policy
+#
+
+allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
+allow courier_authdaemon_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+can_exec(courier_authdaemon_t, courier_exec_t)
+
+allow courier_authdaemon_t courier_tcpd_t:fd use;
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
+
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:process sigchld;
+allow courier_authdaemon_t courier_tcpd_t:fd use;
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
+
+create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+files_search_spool(courier_authdaemon_t)
+
+corecmd_search_bin(courier_authdaemon_t)
+
+# for SSP
+dev_read_urand(courier_authdaemon_t)
+
+files_getattr_tmp_dirs(courier_authdaemon_t)
+
+auth_domtrans_chk_passwd(courier_authdaemon_t)
+
+libs_read_lib_files(courier_authdaemon_t)
+
+miscfiles_read_localization(courier_authdaemon_t)
+
+# should not be needed!
+userdom_search_user_home_dirs(courier_authdaemon_t)
+
+courier_domtrans_pop(courier_authdaemon_t)
+
+########################################
+#
+# Calendar (PCP) local policy
+#
+
+allow courier_pcp_t self:capability { setuid setgid };
+
+dev_read_rand(courier_pcp_t)
+
+########################################
+#
+# POP3/IMAP local policy
+#
+
+allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
+allow courier_pop_t courier_authdaemon_t:process sigchld;
+
+allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+
+# inherits file handle - should it?
+allow courier_pop_t courier_var_lib_t:file { read write };
+
+miscfiles_read_localization(courier_pop_t)
+
+courier_domtrans_authdaemon(courier_pop_t)
+
+# do the actual work (read the Maildir)
+userdom_manage_user_home_content_files(courier_pop_t)
+# cjp: the fact that this is different for pop vs imap means that
+# there should probably be a courier_pop_t and courier_imap_t
+# this should also probably be a separate type too instead of
+# the regular home dir
+userdom_manage_user_home_content_dirs(courier_pop_t)
+
+########################################
+#
+# TCPd local policy
+#
+
+allow courier_tcpd_t self:capability kill;
+
+can_exec(courier_tcpd_t, courier_exec_t)
+
+manage_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
+manage_lnk_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t)
+files_search_var_lib(courier_tcpd_t)
+
+corecmd_search_bin(courier_tcpd_t)
+
+corenet_tcp_bind_generic_node(courier_tcpd_t)
+corenet_tcp_bind_pop_port(courier_tcpd_t)
+corenet_sendrecv_pop_server_packets(courier_tcpd_t)
+
+# for TLS
+dev_read_rand(courier_tcpd_t)
+dev_read_urand(courier_tcpd_t)
+
+miscfiles_read_localization(courier_tcpd_t)
+
+courier_domtrans_pop(courier_tcpd_t)
+
+########################################
+#
+# Webmail local policy
+#
+
+kernel_read_kernel_sysctls(courier_sqwebmail_t)
+
+optional_policy(`
+ cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+')
diff --git a/cpucontrol.fc b/cpucontrol.fc
new file mode 100644
index 0000000..789c8c7
--- /dev/null
+++ b/cpucontrol.fc
@@ -0,0 +1,10 @@
+
+/etc/firmware/.* -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+
+/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+
+/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+
+/var/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0)
diff --git a/cpucontrol.if b/cpucontrol.if
new file mode 100644
index 0000000..ff6310d
--- /dev/null
+++ b/cpucontrol.if
@@ -0,0 +1,17 @@
+## Services for loading CPU microcode and CPU frequency scaling.
+
+########################################
+##
+## CPUcontrol stub interface. No access allowed.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cpucontrol_stub',`
+ gen_require(`
+ type cpucontrol_t;
+ ')
+')
diff --git a/cpucontrol.te b/cpucontrol.te
new file mode 100644
index 0000000..13d2f63
--- /dev/null
+++ b/cpucontrol.te
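Review bot: The Authdaemon section of courier.te repeats several rules against `courier_tcpd_t`: `allow courier_authdaemon_t courier_tcpd_t:fd use;` appears twice, the `tcp_socket rw_stream_socket_perms` rule three times, and `fifo_file` is granted `rw_fifo_file_perms` on one line and `rw_file_perms` on another, so the effective permission set is the union of the two and cannot be read off any single line. The duplicates compile, but collapsing them to one rule per object class makes the grant reviewable; the fifo_file union is kept explicit below rather than guessing which of the two sets was intended, and can be narrowed once the real need is known. The `# should not be needed!` above `userdom_search_user_home_dirs(courier_authdaemon_t)` should also be resolved before this lands, either by removing the rule or by replacing the comment with the reason it is still required.
```m4
allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
allow courier_authdaemon_t courier_tcpd_t:{ tcp_socket unix_stream_socket } rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fifo_file { rw_fifo_file_perms rw_file_perms };
# … unchanged: create_dirs_pattern / manage_sock_files_pattern rules and the rest of the section …
```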
@@ -0,0 +1,122 @@
+policy_module(cpucontrol, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpucontrol_t;
+type cpucontrol_exec_t;
+init_system_domain(cpucontrol_t, cpucontrol_exec_t)
+
+type cpucontrol_conf_t;
+files_type(cpucontrol_conf_t)
+
+type cpuspeed_t;
+type cpuspeed_exec_t;
+init_system_domain(cpuspeed_t, cpuspeed_exec_t)
+
+type cpuspeed_var_run_t;
+files_pid_file(cpuspeed_var_run_t)
+
+########################################
+#
+# CPU microcode loader local policy
+#
+
+allow cpucontrol_t self:capability { ipc_lock sys_rawio };
+dontaudit cpucontrol_t self:capability sys_tty_config;
+allow cpucontrol_t self:process signal_perms;
+
+allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
+read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
+read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
+
+kernel_list_proc(cpucontrol_t)
+kernel_read_proc_symlinks(cpucontrol_t)
+kernel_read_kernel_sysctls(cpucontrol_t)
+
+dev_read_sysfs(cpucontrol_t)
+dev_rw_cpu_microcode(cpucontrol_t)
+
+fs_search_auto_mountpoints(cpucontrol_t)
+
+term_dontaudit_use_console(cpucontrol_t)
+
+domain_use_interactive_fds(cpucontrol_t)
+
+files_list_usr(cpucontrol_t)
+
+init_use_fds(cpucontrol_t)
+init_use_script_ptys(cpucontrol_t)
+
+logging_send_syslog_msg(cpucontrol_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t)
+
+optional_policy(`
+ nscd_socket_use(cpucontrol_t)
+')
+
+optional_policy(`
+ rhgb_use_ptys(cpucontrol_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cpucontrol_t)
+')
+
+optional_policy(`
+ udev_read_db(cpucontrol_t)
+')
+
+########################################
+#
+# CPU frequency scaling daemons
+#
+
+dontaudit cpuspeed_t self:capability sys_tty_config;
+allow cpuspeed_t self:process { signal_perms setsched };
+allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
+
+allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms;
+files_pid_filetrans(cpuspeed_t, cpuspeed_var_run_t, file)
+
+kernel_read_system_state(cpuspeed_t)
+kernel_read_kernel_sysctls(cpuspeed_t)
+
+dev_write_sysfs_dirs(cpuspeed_t)
+dev_rw_sysfs(cpuspeed_t)
+
+domain_use_interactive_fds(cpuspeed_t)
+# for demand/load-based scaling:
+domain_read_all_domains_state(cpuspeed_t)
+
+files_read_etc_files(cpuspeed_t)
+files_read_etc_runtime_files(cpuspeed_t)
+files_list_usr(cpuspeed_t)
+
+fs_search_auto_mountpoints(cpuspeed_t)
+
+term_dontaudit_use_console(cpuspeed_t)
+
+init_use_fds(cpuspeed_t)
+init_use_script_ptys(cpuspeed_t)
+
+logging_send_syslog_msg(cpuspeed_t)
+
+miscfiles_read_localization(cpuspeed_t)
+
+userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
+
+optional_policy(`
+ nscd_socket_use(cpuspeed_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(cpuspeed_t)
+')
+
+optional_policy(`
+ udev_read_db(cpuspeed_t)
+')
diff --git a/cpufreqselector.fc b/cpufreqselector.fc
new file mode 100644
index 0000000..b187f0f
--- /dev/null
+++ b/cpufreqselector.fc
@@ -0,0 +1 @@
+/usr/bin/cpufreq-selector -- gen_context(system_u:object_r:cpufreqselector_exec_t,s0)
diff --git a/cpufreqselector.if b/cpufreqselector.if
new file mode 100644
index 0000000..932fa53
--- /dev/null
+++ b/cpufreqselector.if
@@ -0,0 +1,22 @@
+## Command-line CPU frequency settings.
+
+########################################
+##
+## Send and receive messages from
+## cpufreq-selector over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cpufreqselector_dbus_chat',`
+ gen_require(`
+ type cpufreqselector_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cpufreqselector_t:dbus send_msg;
+ allow cpufreqselector_t $1:dbus send_msg;
+')
diff --git a/cpufreqselector.te b/cpufreqselector.te
new file mode 100644
index 0000000..f77d58a
--- /dev/null
+++ b/cpufreqselector.te
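Review bot: In cpucontrol.te, `allow cpucontrol_t self:capability { ipc_lock sys_rawio };` grants `sys_rawio` with no comment, and in the cpuspeed section `dev_rw_sysfs(cpuspeed_t)` next to `dev_write_sysfs_dirs(cpuspeed_t)` gives the frequency daemon write access across sysfs rather than only the cpufreq attributes it presumably adjusts; neither grant is explained, while `domain_read_all_domains_state(cpuspeed_t)` right below does get `# for demand/load-based scaling:`. A why-comment in that same style on each, for example `# sys_rawio: <what microcode_ctl needs it for> — confirm`, would let a later reader judge whether the capability is still required. If a narrower sysfs write interface is available for the cpufreq nodes, it would be preferable to `dev_rw_sysfs` for `cpuspeed_t`.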
@@ -0,0 +1,55 @@
+policy_module(cpufreqselector, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpufreqselector_t;
+type cpufreqselector_exec_t;
+application_domain(cpufreqselector_t, cpufreqselector_exec_t)
+
+########################################
+#
+# cpufreq-selector local policy
+#
+
+allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+allow cpufreqselector_t self:process getsched;
+allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(cpufreqselector_t)
+
+files_read_etc_files(cpufreqselector_t)
+files_read_usr_files(cpufreqselector_t)
+
+corecmd_search_bin(cpufreqselector_t)
+
+dev_rw_sysfs(cpufreqselector_t)
+
+miscfiles_read_localization(cpufreqselector_t)
+
+userdom_read_all_users_state(cpufreqselector_t)
+userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+
+optional_policy(`
+ dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(cpufreqselector_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(cpufreqselector_t)
+ ')
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(cpufreqselector_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(cpufreqselector_t)
+ policykit_read_lib(cpufreqselector_t)
+ policykit_read_reload(cpufreqselector_t)
+')
diff --git a/cron.fc b/cron.fc
new file mode 100644
index 0000000..2eefc08
--- /dev/null
+++ b/cron.fc
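Review bot: `allow cpufreqselector_t self:capability { sys_nice sys_ptrace };` grants `sys_ptrace` to a domain declared with `application_domain` for a /usr/bin tool, and the same file also gives it `userdom_read_all_users_state` and `dev_rw_sysfs`, with no comment on any of the three saying what the selector does with them. `sys_ptrace` is a high-impact capability; if it only silences a denial that comes from reading other processes' state, it should be confirmed as actually needed or turned into a `dontaudit` rule instead. A one-line comment above the capability rule, for example `# NOTE(review): sys_ptrace needed for <reason> — confirm`, would record the decision for the next reviewer.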
@@ -0,0 +1,47 @@
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+
+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+
+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+
+/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/[^/]* -- <>
+
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <>
+')
+
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <>
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+')
+
+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/crontabs/.* -- <>
+#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+
+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/fcron/.* <>
+/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
diff --git a/cron.if b/cron.if
new file mode 100644
index 0000000..35241ed
--- /dev/null
+++ b/cron.if
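Review bot: `/var/spool/cron/[^/]* -- <>`, the two `lastrun/[^/]*` entries, `/var/spool/cron/crontabs/.* -- <>` and `/var/spool/fcron/.* <>` end in `<>` where a context or a `<<none>>` marker is expected; if that is only the page rendering stripping the inner angle brackets it can be ignored, but if the file itself contains `<>` these entries are malformed and should be checked in the actual source. The commented-out `#/var/spool/cron/root` and `#/var/spool/cron/crontabs/root` lines are dead entries and should either be dropped or get a comment stating why they are kept. `/var/spool/fcron/.* <>` also omits the file-type field that every sibling entry carries, which deserves a comment if it is intentional.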
@@ -0,0 +1,633 @@ +## Periodic execution of scheduled commands. + +####################################### +## +## The common rules for a crontab domain. +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +# +template(`cron_common_crontab_template',` + ############################## + # + # Declarations + # + + type $1_t; + application_domain($1_t, crontab_exec_t) + ubac_constrained($1_t) + + type $1_tmp_t; + files_tmp_file($1_tmp_t) + + ############################## + # + # Local policy + # + + # dac_override is to create the file in the directory under /tmp + allow $1_t self:capability { fowner setuid setgid chown dac_override }; + allow $1_t self:process { setsched signal_perms }; + allow $1_t self:fifo_file rw_fifo_file_perms; + + allow $1_t $1_tmp_t:file manage_file_perms; + files_tmp_filetrans($1_t, $1_tmp_t, file) + + # create files in /var/spool/cron + manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) + filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) + files_list_spool($1_t) + + # crontab signals crond by updating the mtime on the spooldir + allow $1_t cron_spool_t:dir setattr; + + kernel_read_system_state($1_t) + + # for the checks used by crontab -u + selinux_dontaudit_search_fs($1_t) + + fs_getattr_xattr_fs($1_t) + + domain_use_interactive_fds($1_t) + + files_read_etc_files($1_t) + files_read_usr_files($1_t) + files_dontaudit_search_pids($1_t) + + auth_domtrans_chk_passwd($1_t) + + logging_send_syslog_msg($1_t) + logging_send_audit_msgs($1_t) + + init_dontaudit_write_utmp($1_t) + init_read_utmp($1_t) + + miscfiles_read_localization($1_t) + + seutil_read_config($1_t) + + userdom_manage_user_tmp_dirs($1_t) + userdom_manage_user_tmp_files($1_t) + # Access terminals. 
+ userdom_use_user_terminals($1_t) + # Read user crontabs + userdom_read_user_home_content_files($1_t) + + tunable_policy(`fcron_crond',` + # fcron wants an instant update of a crontab change for the administrator + # also crontab does a security check for crontab -u + dontaudit $1_t crond_t:process signal; + ') + + optional_policy(` + nscd_socket_use($1_t) + ') +') + +######################################## +## +## Role access for cron +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`cron_role',` + gen_require(` + type cronjob_t, crontab_t, crontab_exec_t; + ') + + role $1 types { cronjob_t crontab_t }; + + # cronjob shows up in user ps + ps_process_pattern($2, cronjob_t) + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, crontab_exec_t, crontab_t) + + # crontab shows up in user ps + ps_process_pattern($2, crontab_t) + allow $2 crontab_t:process signal; + + # Run helper programs as the user domain + #corecmd_bin_domtrans(crontab_t, $2) + #corecmd_shell_domtrans(crontab_t, $2) + corecmd_exec_bin(crontab_t) + corecmd_exec_shell(crontab_t) + + optional_policy(` + gen_require(` + class dbus send_msg; + ') + + dbus_stub(cronjob_t) + + allow cronjob_t $2:dbus send_msg; + ') +') + +######################################## +## +## Role access for unconfined cronjobs +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`cron_unconfined_role',` + gen_require(` + type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; + ') + + role $1 types { unconfined_cronjob_t crontab_t }; + + # cronjob shows up in user ps + ps_process_pattern($2, unconfined_cronjob_t) + + # Transition from the user domain to the derived domain. 
+ domtrans_pattern($2, crontab_exec_t, crontab_t) + + # crontab shows up in user ps + ps_process_pattern($2, crontab_t) + allow $2 crontab_t:process signal; + + # Run helper programs as the user domain + #corecmd_bin_domtrans(crontab_t, $2) + #corecmd_shell_domtrans(crontab_t, $2) + corecmd_exec_bin(crontab_t) + corecmd_exec_shell(crontab_t) + + optional_policy(` + gen_require(` + class dbus send_msg; + ') + + dbus_stub(unconfined_cronjob_t) + + allow unconfined_cronjob_t $2:dbus send_msg; + ') +') + +######################################## +## +## Role access for cron +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`cron_admin_role',` + gen_require(` + type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; + class passwd crontab; + ') + + role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t }; + + # cronjob shows up in user ps + ps_process_pattern($2, cronjob_t) + + # Manipulate other users crontab. + allow $2 self:passwd crontab; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, crontab_exec_t, admin_crontab_t) + + # crontab shows up in user ps + ps_process_pattern($2, admin_crontab_t) + allow $2 admin_crontab_t:process signal; + + # Run helper programs as the user domain + #corecmd_bin_domtrans(admin_crontab_t, $2) + #corecmd_shell_domtrans(admin_crontab_t, $2) + corecmd_exec_bin(admin_crontab_t) + corecmd_exec_shell(admin_crontab_t) + + optional_policy(` + gen_require(` + class dbus send_msg; + ') + + dbus_stub(admin_cronjob_t) + + allow cronjob_t $2:dbus send_msg; + ') +') + +######################################## +## +## Make the specified program domain accessable +## from the system cron jobs. +## +## +## +## The type of the process to transition to. +## +## +## +## +## The type of the file used as an entrypoint to this domain. 
+## +## +# +interface(`cron_system_entry',` + gen_require(` + type crond_t, system_cronjob_t; + ') + + domtrans_pattern(system_cronjob_t, $2, $1) + domtrans_pattern(crond_t, $2, $1) + + role system_r types $1; +') + +######################################## +## +## Execute cron in the cron system domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cron_domtrans',` + gen_require(` + type system_cronjob_t, crond_exec_t; + ') + + domtrans_pattern($1, crond_exec_t, system_cronjob_t) +') + +######################################## +## +## Execute crond_exec_t +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_exec',` + gen_require(` + type crond_exec_t; + ') + + can_exec($1, crond_exec_t) +') + +######################################## +## +## Execute crond server in the nscd domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cron_initrc_domtrans',` + gen_require(` + type crond_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, crond_initrc_exec_t) +') + +######################################## +## +## Inherit and use a file descriptor +## from the cron daemon. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_use_fds',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:fd use; +') + +######################################## +## +## Send a SIGCHLD signal to the cron daemon. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_sigchld',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:process sigchld; +') + +######################################## +## +## Read a cron daemon unnamed pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_read_pipes',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:fifo_file read_fifo_file_perms; +') + +######################################## +## +## Do not audit attempts to write cron daemon unnamed pipes. +## +## +## +## Domain to not audit. 
+## +## +# +interface(`cron_dontaudit_write_pipes',` + gen_require(` + type crond_t; + ') + + dontaudit $1 crond_t:fifo_file write; +') + +######################################## +## +## Read and write a cron daemon unnamed pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_rw_pipes',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:fifo_file { getattr read write }; +') + +######################################## +## +## Read, and write cron daemon TCP sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_rw_tcp_sockets',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:tcp_socket { read write }; +') + +######################################## +## +## Dontaudit Read, and write cron daemon TCP sockets. +## +## +## +## Domain to not audit. +## +## +# +interface(`cron_dontaudit_rw_tcp_sockets',` + gen_require(` + type crond_t; + ') + + dontaudit $1 crond_t:tcp_socket { read write }; +') + +######################################## +## +## Search the directory containing user cron tables. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_search_spool',` + gen_require(` + type cron_spool_t; + ') + + files_search_spool($1) + allow $1 cron_spool_t:dir search_dir_perms; +') + +######################################## +## +## Manage pid files used by cron +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_manage_pid_files',` + gen_require(` + type crond_var_run_t; + ') + + manage_files_pattern($1, crond_var_run_t, crond_var_run_t) +') + +######################################## +## +## Execute anacron in the cron system domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cron_anacron_domtrans_system_job',` + gen_require(` + type system_cronjob_t, anacron_exec_t; + ') + + domtrans_pattern($1, anacron_exec_t, system_cronjob_t) +') + +######################################## +## +## Inherit and use a file descriptor +## from system cron jobs. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`cron_use_system_job_fds',` + gen_require(` + type system_cronjob_t; + ') + + allow $1 system_cronjob_t:fd use; +') + +######################################## +## +## Write a system cron job unnamed pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_write_system_job_pipes',` + gen_require(` + type system_cronjob_t; + ') + + allow $1 system_cronjob_t:file write; +') + +######################################## +## +## Read and write a system cron job unnamed pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_rw_system_job_pipes',` + gen_require(` + type system_cronjob_t; + ') + + allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Allow read/write unix stream sockets from the system cron jobs. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_rw_system_job_stream_sockets',` + gen_require(` + type system_cronjob_t; + ') + + allow $1 system_cronjob_t:unix_stream_socket { read write }; +') + +######################################## +## +## Read temporary files from the system cron jobs. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_read_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; + ') + + files_search_tmp($1) + allow $1 system_cronjob_tmp_t:file read_file_perms; +') + +######################################## +## +## Do not audit attempts to append temporary +## files from the system cron jobs. +## +## +## +## Domain to not audit. +## +## +# +interface(`cron_dontaudit_append_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; + ') + + dontaudit $1 system_cronjob_tmp_t:file append_file_perms; +') + +######################################## +## +## Do not audit attempts to write temporary +## files from the system cron jobs. +## +## +## +## Domain to not audit. 
+##
+##
+#
+interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+')
diff --git a/cron.te b/cron.te
new file mode 100644
index 0000000..f22d27c
--- /dev/null
+++ b/cron.te
@@ -0,0 +1,628 @@
+policy_module(cron, 2.3.0)
+
+gen_require(`
+ class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+
+##
+##
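Review bot: `cron_admin_role` calls `dbus_stub(admin_cronjob_t)`, but no `admin_cronjob_t` is declared in cron.te (which declares `cronjob_t`, `system_cronjob_t` and `unconfined_cronjob_t`) nor listed in the interface's `gen_require`, and the `allow … :dbus send_msg` on the next line uses `cronjob_t`, so this looks like a typo for `dbus_stub(cronjob_t)` that will presumably fail to compile whenever the dbus module is present. The same interface's `role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };` lists `admin_crontab_tmp_t`, which is a file type (`files_tmp_file` in `cron_common_crontab_template`) rather than a domain; `cron_role` and `cron_unconfined_role` correctly list only the two process domains. Separately, `cron_write_system_job_pipes` is documented as writing an unnamed pipe but grants `allow $1 system_cronjob_t:file write;` on class `file`, while its sibling `cron_rw_system_job_pipes` uses `fifo_file`, so either the class or the summary is wrong and a caller relying on the documented meaning gets no pipe access. The summary of `cron_initrc_domtrans` ("Execute crond server in the nscd domain") is a copy-paste leftover and should read `Execute the cron init script in the initrc domain`.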

+## Allow system cron jobs to relabel filesystem +## for restoring file contexts. +##

+##
+gen_tunable(cron_can_relabel, false) + +## +##

+## Enable extra rules in the cron domain +## to support fcron. +##

+##
+gen_tunable(fcron_crond, false) + +attribute cron_spool_type; + +type anacron_exec_t; +application_executable_file(anacron_exec_t) + +type cron_spool_t; +files_type(cron_spool_t) + +# var/lib files +type cron_var_lib_t; +files_type(cron_var_lib_t) + +type cron_var_run_t; +files_type(cron_var_run_t) + +# var/log files +type cron_log_t; +logging_log_file(cron_log_t) + +type cronjob_t; +typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t }; +typealias cronjob_t alias { auditadm_crond_t secadm_crond_t }; +domain_type(cronjob_t) +domain_cron_exemption_target(cronjob_t) +corecmd_shell_entry_type(cronjob_t) +ubac_constrained(cronjob_t) + +type crond_t; +type crond_exec_t; +init_daemon_domain(crond_t, crond_exec_t) +domain_interactive_fd(crond_t) +domain_cron_exemption_source(crond_t) + +type crond_initrc_exec_t; +init_script_file(crond_initrc_exec_t) + +type crond_tmp_t; +files_tmp_file(crond_tmp_t) + +type crond_var_run_t; +files_pid_file(crond_var_run_t) + +type crontab_exec_t; +application_executable_file(crontab_exec_t) + +cron_common_crontab_template(admin_crontab) +typealias admin_crontab_t alias sysadm_crontab_t; +typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; + +cron_common_crontab_template(crontab) +typealias crontab_t alias { user_crontab_t staff_crontab_t }; +typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; +typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; +typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; + +type system_cron_spool_t, cron_spool_type; +files_type(system_cron_spool_t) + +type system_cronjob_t alias system_crond_t; +init_daemon_domain(system_cronjob_t, anacron_exec_t) +corecmd_shell_entry_type(system_cronjob_t) +role system_r types system_cronjob_t; + +type system_cronjob_lock_t alias system_crond_lock_t; +files_lock_file(system_cronjob_lock_t) + +type system_cronjob_tmp_t alias system_crond_tmp_t; +files_tmp_file(system_cronjob_tmp_t) + 
+ifdef(`enable_mcs',` + init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) +') + +type unconfined_cronjob_t; +domain_type(unconfined_cronjob_t) +domain_cron_exemption_target(unconfined_cronjob_t) + +# Type of user crontabs once moved to cron spool. +type user_cron_spool_t, cron_spool_type; +typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; +typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; +files_type(user_cron_spool_t) +ubac_constrained(user_cron_spool_t) + +######################################## +# +# Admin crontab local policy +# + +# Allow our crontab domain to unlink a user cron spool file. +allow admin_crontab_t user_cron_spool_t:file { getattr read unlink }; + +# Manipulate other users crontab. +selinux_get_fs_mount(admin_crontab_t) +selinux_validate_context(admin_crontab_t) +selinux_compute_access_vector(admin_crontab_t) +selinux_compute_create_context(admin_crontab_t) +selinux_compute_relabel_context(admin_crontab_t) +selinux_compute_user_contexts(admin_crontab_t) + +tunable_policy(`fcron_crond', ` + # fcron wants an instant update of a crontab change for the administrator + # also crontab does a security check for crontab -u + allow admin_crontab_t self:process setfscreate; +') + +######################################## +# +# Cron daemon local policy +# + +allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; +dontaudit crond_t self:capability { sys_resource sys_tty_config }; +allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow crond_t self:process { setexec setfscreate }; +allow crond_t self:fd use; +allow crond_t self:fifo_file rw_fifo_file_perms; +allow crond_t self:unix_dgram_socket create_socket_perms; +allow crond_t self:unix_stream_socket create_stream_socket_perms; +allow crond_t self:unix_dgram_socket sendto; +allow crond_t self:unix_stream_socket 
connectto; +allow crond_t self:shm create_shm_perms; +allow crond_t self:sem create_sem_perms; +allow crond_t self:msgq create_msgq_perms; +allow crond_t self:msg { send receive }; +allow crond_t self:key { search write link }; + +manage_files_pattern(crond_t, cron_log_t, cron_log_t) +logging_log_filetrans(crond_t, cron_log_t, file) + +manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) +files_pid_filetrans(crond_t, crond_var_run_t, file) + +manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) + +manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) +manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) +files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) + +list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) +read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) + +kernel_read_kernel_sysctls(crond_t) +kernel_read_fs_sysctls(crond_t) +kernel_search_key(crond_t) + +dev_read_sysfs(crond_t) +selinux_get_fs_mount(crond_t) +selinux_validate_context(crond_t) +selinux_compute_access_vector(crond_t) +selinux_compute_create_context(crond_t) +selinux_compute_relabel_context(crond_t) +selinux_compute_user_contexts(crond_t) + +dev_read_urand(crond_t) + +fs_getattr_all_fs(crond_t) +fs_search_auto_mountpoints(crond_t) +fs_list_inotifyfs(crond_t) + +# need auth_chkpwd to check for locked accounts. +auth_domtrans_chk_passwd(crond_t) + +corecmd_exec_shell(crond_t) +corecmd_list_bin(crond_t) +corecmd_read_bin_symlinks(crond_t) + +domain_use_interactive_fds(crond_t) + +files_read_usr_files(crond_t) +files_read_etc_runtime_files(crond_t) +files_read_etc_files(crond_t) +files_read_generic_spool(crond_t) +files_list_usr(crond_t) +# Read from /var/spool/cron. 
+files_search_var_lib(crond_t) +files_search_default(crond_t) + +init_rw_utmp(crond_t) +init_spec_domtrans_script(crond_t) + +auth_use_nsswitch(crond_t) + +logging_send_syslog_msg(crond_t) +logging_set_loginuid(crond_t) + +seutil_read_config(crond_t) +seutil_read_default_contexts(crond_t) +seutil_sigchld_newrole(crond_t) + +miscfiles_read_localization(crond_t) + +userdom_use_unpriv_users_fds(crond_t) +# Not sure why this is needed +userdom_list_user_home_dirs(crond_t) + +mta_send_mail(crond_t) + +ifdef(`distro_debian',` + # pam_limits is used + allow crond_t self:process setrlimit; + + optional_policy(` + # Debian logcheck has the home dir set to its cache + logwatch_search_cache_dir(crond_t) + ') +') + +ifdef(`distro_redhat', ` + # Run the rpm program in the rpm_t domain. Allow creation of RPM log files + # via redirection of standard out. + optional_policy(` + rpm_manage_log(crond_t) + ') +') + +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(crond_t) +') + +tunable_policy(`fcron_crond', ` + allow crond_t system_cron_spool_t:file manage_file_perms; +') + +optional_policy(` + locallogin_search_keys(crond_t) + locallogin_link_keys(crond_t) +') + +optional_policy(` + amanda_search_var_lib(crond_t) +') + +optional_policy(` + amavis_search_lib(crond_t) +') + +optional_policy(` + hal_dbus_chat(crond_t) +') + +optional_policy(` + # cjp: why? 
+ munin_search_lib(crond_t) +') + +optional_policy(` + rpc_search_nfs_state_data(crond_t) +') + +optional_policy(` + # Commonly used from postinst scripts + rpm_read_pipes(crond_t) +') + +optional_policy(` + # allow crond to find /usr/lib/postgresql/bin/do.maintenance + postgresql_search_db(crond_t) +') + +optional_policy(` + udev_read_db(crond_t) +') + +######################################## +# +# System cron process domain +# + +allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; +allow system_cronjob_t self:process { signal_perms getsched setsched }; +allow system_cronjob_t self:fifo_file rw_fifo_file_perms; +allow system_cronjob_t self:passwd rootok; + +# This is to handle creation of files in /var/log directory. +# Used currently by rpm script log files +allow system_cronjob_t cron_log_t:file manage_file_perms; +logging_log_filetrans(system_cronjob_t, cron_log_t, file) + +# This is to handle /var/lib/misc directory. Used currently +# by prelink var/lib files for cron +allow system_cronjob_t cron_var_lib_t:file manage_file_perms; +files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) + +allow system_cronjob_t system_cron_spool_t:file read_file_perms; +# The entrypoint interface is not used as this is not +# a regular entrypoint. Since crontab files are +# not directly executed, crond must ensure that +# the crontab file has a type that is appropriate +# for the domain of the user cron job. It +# performs an entrypoint permission check +# for this purpose. +allow system_cronjob_t system_cron_spool_t:file entrypoint; + +# Permit a transition from the crond_t domain to this domain. +# The transition is requested explicitly by the modified crond +# via setexeccon. There is no way to set up an automatic +# transition, since crontabs are configuration files, not executables. 
+allow crond_t system_cronjob_t:process transition; +dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; +allow crond_t system_cronjob_t:fd use; +allow system_cronjob_t crond_t:fd use; +allow system_cronjob_t crond_t:fifo_file rw_file_perms; +allow system_cronjob_t crond_t:process sigchld; + +# Write /var/lock/makewhatis.lock. +allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; +files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) + +# write temporary files +manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) + +# Read from /var/spool/cron. +allow system_cronjob_t cron_spool_t:dir list_dir_perms; +allow system_cronjob_t cron_spool_t:file read_file_perms; + +kernel_read_kernel_sysctls(system_cronjob_t) +kernel_read_system_state(system_cronjob_t) +kernel_read_software_raid_state(system_cronjob_t) + +# ps does not need to access /boot when run from cron +files_dontaudit_search_boot(system_cronjob_t) + +corecmd_exec_all_executables(system_cronjob_t) + +corenet_all_recvfrom_unlabeled(system_cronjob_t) +corenet_all_recvfrom_netlabel(system_cronjob_t) +corenet_tcp_sendrecv_generic_if(system_cronjob_t) +corenet_udp_sendrecv_generic_if(system_cronjob_t) +corenet_tcp_sendrecv_generic_node(system_cronjob_t) +corenet_udp_sendrecv_generic_node(system_cronjob_t) +corenet_tcp_sendrecv_all_ports(system_cronjob_t) +corenet_udp_sendrecv_all_ports(system_cronjob_t) + +dev_getattr_all_blk_files(system_cronjob_t) +dev_getattr_all_chr_files(system_cronjob_t) +dev_read_urand(system_cronjob_t) + +fs_getattr_all_fs(system_cronjob_t) +fs_getattr_all_files(system_cronjob_t) +fs_getattr_all_symlinks(system_cronjob_t) +fs_getattr_all_pipes(system_cronjob_t) 
+fs_getattr_all_sockets(system_cronjob_t) + +# quiet other ps operations +domain_dontaudit_read_all_domains_state(system_cronjob_t) + +files_exec_etc_files(system_cronjob_t) +files_read_etc_files(system_cronjob_t) +files_read_etc_runtime_files(system_cronjob_t) +files_list_all(system_cronjob_t) +files_getattr_all_dirs(system_cronjob_t) +files_getattr_all_files(system_cronjob_t) +files_getattr_all_symlinks(system_cronjob_t) +files_getattr_all_pipes(system_cronjob_t) +files_getattr_all_sockets(system_cronjob_t) +files_read_usr_files(system_cronjob_t) +files_read_var_files(system_cronjob_t) +# for nscd: +files_dontaudit_search_pids(system_cronjob_t) +# Access other spool directories like +# /var/spool/anacron and /var/spool/slrnpull. +files_manage_generic_spool(system_cronjob_t) + +init_use_script_fds(system_cronjob_t) +init_read_utmp(system_cronjob_t) +init_dontaudit_rw_utmp(system_cronjob_t) +# prelink tells init to restart it self, we either need to allow or dontaudit +init_telinit(system_cronjob_t) +init_domtrans_script(system_cronjob_t) + +auth_use_nsswitch(system_cronjob_t) + +libs_exec_lib_files(system_cronjob_t) +libs_exec_ld_so(system_cronjob_t) + +logging_read_generic_logs(system_cronjob_t) +logging_send_audit_msgs(system_cronjob_t) +logging_send_syslog_msg(system_cronjob_t) + +miscfiles_read_localization(system_cronjob_t) +miscfiles_manage_man_pages(system_cronjob_t) + +seutil_read_config(system_cronjob_t) + +ifdef(`distro_redhat', ` + # Run the rpm program in the rpm_t domain. Allow creation of RPM log files + # via redirection of standard out. 
+ optional_policy(` + rpm_manage_log(system_cronjob_t) + ') +') + +tunable_policy(`cron_can_relabel',` + seutil_domtrans_setfiles(system_cronjob_t) +',` + selinux_get_fs_mount(system_cronjob_t) + selinux_validate_context(system_cronjob_t) + selinux_compute_access_vector(system_cronjob_t) + selinux_compute_create_context(system_cronjob_t) + selinux_compute_relabel_context(system_cronjob_t) + selinux_compute_user_contexts(system_cronjob_t) + seutil_read_file_contexts(system_cronjob_t) +') + +optional_policy(` + # Needed for certwatch + apache_exec_modules(system_cronjob_t) + apache_read_config(system_cronjob_t) + apache_read_log(system_cronjob_t) + apache_read_sys_content(system_cronjob_t) +') + +optional_policy(` + cyrus_manage_data(system_cronjob_t) +') + +optional_policy(` + ftp_read_log(system_cronjob_t) +') + +optional_policy(` + inn_manage_log(system_cronjob_t) + inn_manage_pid(system_cronjob_t) + inn_read_config(system_cronjob_t) +') + +optional_policy(` + lpd_list_spool(system_cronjob_t) +') + +optional_policy(` + mrtg_append_create_logs(system_cronjob_t) +') + +optional_policy(` + mta_send_mail(system_cronjob_t) +') + +optional_policy(` + mysql_read_config(system_cronjob_t) +') + +optional_policy(` + postfix_read_config(system_cronjob_t) +') + +optional_policy(` + prelink_delete_cache(system_cronjob_t) + prelink_manage_lib(system_cronjob_t) + prelink_manage_log(system_cronjob_t) + prelink_read_cache(system_cronjob_t) + prelink_relabelfrom_lib(system_cronjob_t) +') + +optional_policy(` + samba_read_config(system_cronjob_t) + samba_read_log(system_cronjob_t) + #samba_read_secrets(system_cronjob_t) +') + +optional_policy(` + slocate_create_append_log(system_cronjob_t) +') + +optional_policy(` + spamassassin_manage_lib_files(system_cronjob_t) +') + +optional_policy(` + sysstat_manage_log(system_cronjob_t) +') + +optional_policy(` + unconfined_domain(system_cronjob_t) + userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file 
fifo_file sock_file }) +') + +######################################## +# +# User cronjobs local policy +# + +allow cronjob_t self:process { signal_perms setsched }; +allow cronjob_t self:fifo_file rw_fifo_file_perms; +allow cronjob_t self:unix_stream_socket create_stream_socket_perms; +allow cronjob_t self:unix_dgram_socket create_socket_perms; + +# The entrypoint interface is not used as this is not +# a regular entrypoint. Since crontab files are +# not directly executed, crond must ensure that +# the crontab file has a type that is appropriate +# for the domain of the user cron job. It +# performs an entrypoint permission check +# for this purpose. +allow cronjob_t user_cron_spool_t:file entrypoint; + +# Permit a transition from the crond_t domain to this domain. +# The transition is requested explicitly by the modified crond +# via setexeccon. There is no way to set up an automatic +# transition, since crontabs are configuration files, not executables. +allow crond_t cronjob_t:process transition; +dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh }; +allow crond_t cronjob_t:fd use; +allow cronjob_t crond_t:fd use; +allow cronjob_t crond_t:fifo_file rw_file_perms; +allow cronjob_t crond_t:process sigchld; + +kernel_read_system_state(cronjob_t) +kernel_read_kernel_sysctls(cronjob_t) + +# ps does not need to access /boot when run from cron +files_dontaudit_search_boot(cronjob_t) + +corenet_all_recvfrom_unlabeled(cronjob_t) +corenet_all_recvfrom_netlabel(cronjob_t) +corenet_tcp_sendrecv_generic_if(cronjob_t) +corenet_udp_sendrecv_generic_if(cronjob_t) +corenet_tcp_sendrecv_generic_node(cronjob_t) +corenet_udp_sendrecv_generic_node(cronjob_t) +corenet_tcp_sendrecv_all_ports(cronjob_t) +corenet_udp_sendrecv_all_ports(cronjob_t) +corenet_tcp_connect_all_ports(cronjob_t) +corenet_sendrecv_all_client_packets(cronjob_t) + +dev_read_urand(cronjob_t) + +fs_getattr_all_fs(cronjob_t) + +corecmd_exec_all_executables(cronjob_t) + +# quiet other ps operations 
+domain_dontaudit_read_all_domains_state(cronjob_t) +domain_dontaudit_getattr_all_domains(cronjob_t) + +files_read_usr_files(cronjob_t) +files_exec_etc_files(cronjob_t) +# for nscd: +files_dontaudit_search_pids(cronjob_t) + +libs_exec_lib_files(cronjob_t) +libs_exec_ld_so(cronjob_t) + +files_read_etc_runtime_files(cronjob_t) +files_read_var_files(cronjob_t) +files_search_spool(cronjob_t) + +logging_search_logs(cronjob_t) + +seutil_read_config(cronjob_t) + +miscfiles_read_localization(cronjob_t) + +userdom_manage_user_tmp_files(cronjob_t) +userdom_manage_user_tmp_symlinks(cronjob_t) +userdom_manage_user_tmp_pipes(cronjob_t) +userdom_manage_user_tmp_sockets(cronjob_t) +# Run scripts in user home directory and access shared libs. +userdom_exec_user_home_content_files(cronjob_t) +# Access user files and dirs. +userdom_manage_user_home_content_files(cronjob_t) +userdom_manage_user_home_content_symlinks(cronjob_t) +userdom_manage_user_home_content_pipes(cronjob_t) +userdom_manage_user_home_content_sockets(cronjob_t) +#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) + +list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) + +tunable_policy(`fcron_crond', ` + allow crond_t user_cron_spool_t:file manage_file_perms; +') + +# need a per-role version of this: +#optional_policy(` +# mono_domtrans(cronjob_t) +#') + +optional_policy(` + nis_use_ypbind(cronjob_t) +') + +######################################## +# +# Unconfined cronjobs local policy +# + +optional_policy(` + # Permit a transition from the crond_t domain to this domain. + # The transition is requested explicitly by the modified crond + # via setexeccon. There is no way to set up an automatic + # transition, since crontabs are configuration files, not executables. 
+ allow crond_t unconfined_cronjob_t:process transition; + dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; + allow crond_t unconfined_cronjob_t:fd use; + + unconfined_domain(unconfined_cronjob_t) +') diff --git a/cups.fc b/cups.fc new file mode 100644 index 0000000..1b492ed --- /dev/null +++ b/cups.fc 
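Review bot: In the crond_t local policy, `allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` excludes `setexec` and `setfscreate`, but the very next line `allow crond_t self:process { setexec setfscreate };` grants both back, so the complement list misleads anyone auditing what the daemon may do. Given the comments later in the hunk that crond requests the job-domain transition explicitly via setexeccon, the clean form is to drop those two names from the complement, delete the second rule, and annotate with `# setexec: crond selects the cron job domain via setexeccon; setfscreate: presumably for labeling spool files (see fcron_crond) — confirm`. A comment is also warranted above `optional_policy(` unconfined_domain(system_cronjob_t) …`: when the unconfined module is loaded, the fine-grained `system_cronjob_t` rules above it and the `cron_can_relabel` tunable are effectively subsumed, so hardening system cron jobs means removing that block, not tuning individual rules. Finally, `allow system_cronjob_t crond_t:fifo_file rw_file_perms;` and the matching `cronjob_t` rule apply the generic file permission set to a `fifo_file` class, whereas `crond_t self:fifo_file rw_fifo_file_perms` earlier in the hunk uses the fifo-specific macro, which would be the consistent choice.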
@@ -0,0 +1,73 @@
+
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
+
+/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
+
+/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
+
+/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+# keep as separate lines to ensure proper sorting
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib64/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
+
+/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+
+/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
diff --git a/cups.if b/cups.if
new file mode 100644
index 0000000..305ddf4
--- /dev/null
+++ b/cups.if
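Review bot: The entry `/var/cache/cups(/.*)?` is the only context in this file placed at `mls_systemhigh` rather than `s0`, and nothing in the file says why, while the neighbouring `/var/cache/foomatic` and `/var/cache/alchemist` entries stay at `s0`. Presumably this follows from cupsd_t being set up as a ranged daemon in cups.te, but a reader of the .fc alone cannot tell; add a comment above it such as `# cupsd_t is a ranged daemon under MLS (see cups.te); keep its cache at systemhigh`. It is also worth a comment that the cache and `/var/lib/cups/certs` paths deliberately reuse the configuration type `cupsd_rw_etc_t` instead of a dedicated cache or lib type, since that is what makes cupsd's writes to them fall under its config-file rules.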
@@ -0,0 +1,358 @@ +## Common UNIX printing system + +######################################## +## +## Setup cups to transtion to the cups backend domain +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_backend',` + gen_require(` + type cupsd_t; + ') + + domain_type($1) + domain_entry_file($1, $2) + role system_r types $1; + + domtrans_pattern(cupsd_t, $2, $1) + allow cupsd_t $1:process signal; + allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; + + cups_read_config($1) + cups_append_log($1) +') + +######################################## +## +## Execute cups in the cups domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cups_domtrans',` + gen_require(` + type cupsd_t, cupsd_exec_t; + ') + + domtrans_pattern($1, cupsd_exec_t, cupsd_t) +') + +######################################## +## +## Connect to cupsd over an unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_stream_connect',` + gen_require(` + type cupsd_t, cupsd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +') + +######################################## +## +## Connect to cups over TCP. (Deprecated) +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_tcp_connect',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## +## Send and receive messages from +## cups over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_dbus_chat',` + gen_require(` + type cupsd_t; + class dbus send_msg; + ') + + allow $1 cupsd_t:dbus send_msg; + allow cupsd_t $1:dbus send_msg; +') + +######################################## +## +## Read cups PID files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`cups_read_pid_files',` + gen_require(` + type cupsd_var_run_t; + ') + + files_search_pids($1) + allow $1 cupsd_var_run_t:file read_file_perms; +') + +######################################## +## +## Execute cups_config in the cups_config domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cups_domtrans_config',` + gen_require(` + type cupsd_config_t, cupsd_config_exec_t; + ') + + domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t) +') + +######################################## +## +## Send generic signals to the cups +## configuration daemon. +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_signal_config',` + gen_require(` + type cupsd_config_t; + ') + + allow $1 cupsd_config_t:process signal; +') + +######################################## +## +## Send and receive messages from +## cupsd_config over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_dbus_chat_config',` + gen_require(` + type cupsd_config_t; + class dbus send_msg; + ') + + allow $1 cupsd_config_t:dbus send_msg; + allow cupsd_config_t $1:dbus send_msg; +') + +######################################## +## +## Read cups configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`cups_read_config',` + gen_require(` + type cupsd_etc_t, cupsd_rw_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, cupsd_etc_t, cupsd_etc_t) + read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) +') + +######################################## +## +## Read cups-writable configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`cups_read_rw_config',` + gen_require(` + type cupsd_etc_t, cupsd_rw_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) +') + +######################################## +## +## Read cups log files. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`cups_read_log',` + gen_require(` + type cupsd_log_t; + ') + + logging_search_logs($1) + allow $1 cupsd_log_t:file read_file_perms; +') + +######################################## +## +## Append cups log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_append_log',` + gen_require(` + type cupsd_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, cupsd_log_t, cupsd_log_t) +') + +######################################## +## +## Write cups log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_write_log',` + gen_require(` + type cupsd_log_t; + ') + + logging_search_logs($1) + allow $1 cupsd_log_t:file write_file_perms; +') + +######################################## +## +## Connect to ptal over an unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_stream_connect_ptal',` + gen_require(` + type ptal_t, ptal_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) +') + +######################################## +## +## All of the rules required to administrate +## an cups environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the cups domain. 
+## +## +## +# +interface(`cups_admin',` + gen_require(` + type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; + type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; + type cupsd_config_var_run_t, cupsd_lpd_var_run_t; + type cupsd_var_run_t, ptal_etc_t; + type ptal_var_run_t, hplip_var_run_t; + type cupsd_initrc_exec_t; + ') + + allow $1 cupsd_t:process { ptrace signal_perms }; + ps_process_pattern($1, cupsd_t) + + init_labeled_script_domtrans($1, cupsd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cupsd_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, cupsd_etc_t) + files_list_etc($1) + + admin_pattern($1, cupsd_config_var_run_t) + + admin_pattern($1, cupsd_log_t) + logging_list_logs($1) + + admin_pattern($1, cupsd_lpd_tmp_t) + + admin_pattern($1, cupsd_lpd_var_run_t) + + admin_pattern($1, cupsd_spool_t) + files_list_spool($1) + + admin_pattern($1, cupsd_tmp_t) + files_list_tmp($1) + + admin_pattern($1, cupsd_var_run_t) + files_list_pids($1) + + admin_pattern($1, hplip_var_run_t) + + admin_pattern($1, ptal_etc_t) + + admin_pattern($1, ptal_var_run_t) +') diff --git a/cups.te b/cups.te new file mode 100644 index 0000000..0f28095 --- /dev/null +++ b/cups.te 
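Review bot: `cups_backend` takes two arguments, `$1` the backend domain and `$2` its entry-point type (both used in `domain_entry_file($1, $2)` and `domtrans_pattern(cupsd_t, $2, $1)`), but its header documents only one parameter, "Domain allowed access."; add a second param block describing `$2` as the type of the backend's executable. The summary also misspells "transition" as "transtion". Because the interface additionally grants `role system_r types $1;` and calls `cups_read_config($1)` and `cups_append_log($1)` on the caller's behalf, the summary should say so, since callers in cups.te such as hplip_t receive these rights implicitly. In `cups_admin` the summary's "an cups environment" should read "a cups environment".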
@@ -0,0 +1,781 @@ +policy_module(cups, 1.14.0) + +######################################## +# +# Declarations +# + +type cupsd_config_t; +type cupsd_config_exec_t; +init_daemon_domain(cupsd_config_t, cupsd_config_exec_t) + +type cupsd_config_var_run_t; +files_pid_file(cupsd_config_var_run_t) + +type cupsd_t; +type cupsd_exec_t; +init_daemon_domain(cupsd_t, cupsd_exec_t) + +type cupsd_etc_t; +files_config_file(cupsd_etc_t) + +type cupsd_initrc_exec_t; +init_script_file(cupsd_initrc_exec_t) + +type cupsd_interface_t; +files_type(cupsd_interface_t) + +type cupsd_rw_etc_t; +files_config_file(cupsd_rw_etc_t) + +type cupsd_lock_t; +files_lock_file(cupsd_lock_t) + +type cupsd_log_t; +logging_log_file(cupsd_log_t) + +type cupsd_lpd_t; +type cupsd_lpd_exec_t; +domain_type(cupsd_lpd_t) +domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) +role system_r types cupsd_lpd_t; + +type cupsd_lpd_tmp_t; +files_tmp_file(cupsd_lpd_tmp_t) + +type cupsd_lpd_var_run_t; +files_pid_file(cupsd_lpd_var_run_t) + +type cups_pdf_t; +type cups_pdf_exec_t; +cups_backend(cups_pdf_t, cups_pdf_exec_t) + +type cups_pdf_tmp_t; +files_tmp_file(cups_pdf_tmp_t) + +type cupsd_tmp_t; +files_tmp_file(cupsd_tmp_t) + +type cupsd_var_run_t; +files_pid_file(cupsd_var_run_t) +mls_trusted_object(cupsd_var_run_t) + +type hplip_t; +type hplip_exec_t; +init_daemon_domain(hplip_t, hplip_exec_t) +# For CUPS to run as a backend +cups_backend(hplip_t, hplip_exec_t) + +type hplip_etc_t; +files_config_file(hplip_etc_t) + +type hplip_tmp_t; +files_tmp_file(hplip_tmp_t) + +type hplip_var_lib_t; +files_type(hplip_var_lib_t) + +type hplip_var_run_t; +files_pid_file(hplip_var_run_t) + +type ptal_t; +type ptal_exec_t; +init_daemon_domain(ptal_t, ptal_exec_t) + +type ptal_etc_t; +files_config_file(ptal_etc_t) + +type ptal_var_run_t; +files_pid_file(ptal_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(cupsd_t, 
cupsd_exec_t, mls_systemhigh) +') + +######################################## +# +# Cups local policy +# + +# /usr/lib/cups/backend/serial needs sys_admin(?!) +allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; +dontaudit cupsd_t self:capability { sys_tty_config net_admin }; +allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; +allow cupsd_t self:fifo_file rw_fifo_file_perms; +allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow cupsd_t self:unix_dgram_socket create_socket_perms; +allow cupsd_t self:netlink_selinux_socket create_socket_perms; +allow cupsd_t self:shm create_shm_perms; +allow cupsd_t self:sem create_sem_perms; +allow cupsd_t self:tcp_socket create_stream_socket_perms; +allow cupsd_t self:udp_socket create_socket_perms; +allow cupsd_t self:appletalk_socket create_socket_perms; +# generic socket here until appletalk socket is available in kernels +allow cupsd_t self:socket create_socket_perms; + +allow cupsd_t cupsd_etc_t:{ dir file } setattr; +read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +files_search_etc(cupsd_t) + +manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) + +manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) +manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) +filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) +files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) + +# allow cups to execute its backend scripts +can_exec(cupsd_t, cupsd_exec_t) +allow cupsd_t cupsd_exec_t:dir search_dir_perms; +allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; + +allow cupsd_t cupsd_lock_t:file manage_file_perms; +files_lock_filetrans(cupsd_t, cupsd_lock_t, file) + +manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +allow cupsd_t 
cupsd_log_t:dir setattr; +logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) + +manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) +manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) +manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) +files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) + +allow cupsd_t cupsd_var_run_t:dir setattr; +manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) +manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) +manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) +files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file }) + +allow cupsd_t hplip_t:process { signal sigkill }; + +read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) + +allow cupsd_t hplip_var_run_t:file read_file_perms; + +stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) +allow cupsd_t ptal_var_run_t : sock_file setattr; + +kernel_read_system_state(cupsd_t) +kernel_read_network_state(cupsd_t) +kernel_read_all_sysctls(cupsd_t) +kernel_request_load_module(cupsd_t) + +corenet_all_recvfrom_unlabeled(cupsd_t) +corenet_all_recvfrom_netlabel(cupsd_t) +corenet_tcp_sendrecv_generic_if(cupsd_t) +corenet_udp_sendrecv_generic_if(cupsd_t) +corenet_raw_sendrecv_generic_if(cupsd_t) +corenet_tcp_sendrecv_generic_node(cupsd_t) +corenet_udp_sendrecv_generic_node(cupsd_t) +corenet_raw_sendrecv_generic_node(cupsd_t) +corenet_tcp_sendrecv_all_ports(cupsd_t) +corenet_udp_sendrecv_all_ports(cupsd_t) +corenet_tcp_bind_generic_node(cupsd_t) +corenet_udp_bind_generic_node(cupsd_t) +corenet_tcp_bind_ipp_port(cupsd_t) +corenet_udp_bind_ipp_port(cupsd_t) +corenet_udp_bind_howl_port(cupsd_t) +corenet_tcp_bind_reserved_port(cupsd_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) +corenet_tcp_bind_all_rpc_ports(cupsd_t) +corenet_tcp_connect_all_ports(cupsd_t) +corenet_sendrecv_hplip_client_packets(cupsd_t) +corenet_sendrecv_ipp_client_packets(cupsd_t) 
+corenet_sendrecv_ipp_server_packets(cupsd_t) + +dev_rw_printer(cupsd_t) +dev_read_urand(cupsd_t) +dev_read_sysfs(cupsd_t) +dev_rw_input_dev(cupsd_t) #447878 +dev_rw_generic_usb_dev(cupsd_t) +dev_rw_usbfs(cupsd_t) +dev_getattr_printer_dev(cupsd_t) + +domain_read_all_domains_state(cupsd_t) + +fs_getattr_all_fs(cupsd_t) +fs_search_auto_mountpoints(cupsd_t) +fs_search_fusefs(cupsd_t) +fs_read_anon_inodefs_files(cupsd_t) + +mls_file_downgrade(cupsd_t) +mls_file_write_all_levels(cupsd_t) +mls_file_read_all_levels(cupsd_t) +mls_rangetrans_target(cupsd_t) +mls_socket_write_all_levels(cupsd_t) +mls_fd_use_all_levels(cupsd_t) + +term_use_unallocated_ttys(cupsd_t) +term_search_ptys(cupsd_t) + +# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp +corecmd_exec_shell(cupsd_t) +corecmd_exec_bin(cupsd_t) + +domain_use_interactive_fds(cupsd_t) + +files_list_spool(cupsd_t) +files_read_etc_files(cupsd_t) +files_read_etc_runtime_files(cupsd_t) +# read python modules +files_read_usr_files(cupsd_t) +# for /var/lib/defoma +files_read_var_lib_files(cupsd_t) +files_list_world_readable(cupsd_t) +files_read_world_readable_files(cupsd_t) +files_read_world_readable_symlinks(cupsd_t) +# Satisfy readahead +files_read_var_files(cupsd_t) +files_read_var_symlinks(cupsd_t) +# for /etc/printcap +files_dontaudit_write_etc_files(cupsd_t) +# smbspool seems to be iterating through all existing tmp files. 
+# redhat bug #214953 +# cjp: this might be a broken behavior +files_dontaudit_getattr_all_tmp_files(cupsd_t) + +selinux_compute_access_vector(cupsd_t) +selinux_validate_context(cupsd_t) + +init_exec_script_files(cupsd_t) +init_read_utmp(cupsd_t) + +auth_domtrans_chk_passwd(cupsd_t) +auth_dontaudit_read_pam_pid(cupsd_t) +auth_rw_faillog(cupsd_t) +auth_use_nsswitch(cupsd_t) + +# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* +libs_read_lib_files(cupsd_t) +libs_exec_lib_files(cupsd_t) + +logging_send_audit_msgs(cupsd_t) +logging_send_syslog_msg(cupsd_t) + +miscfiles_read_localization(cupsd_t) +# invoking ghostscript needs to read fonts +miscfiles_read_fonts(cupsd_t) +miscfiles_setattr_fonts_cache_dirs(cupsd_t) + +seutil_read_config(cupsd_t) +sysnet_exec_ifconfig(cupsd_t) + +files_dontaudit_list_home(cupsd_t) +userdom_dontaudit_use_unpriv_user_fds(cupsd_t) +userdom_dontaudit_search_user_home_content(cupsd_t) + +# Write to /var/spool/cups. +lpd_manage_spool(cupsd_t) +lpd_read_config(cupsd_t) +lpd_exec_lpr(cupsd_t) +lpd_relabel_spool(cupsd_t) + +optional_policy(` + apm_domtrans_client(cupsd_t) +') + +optional_policy(` + cron_system_entry(cupsd_t, cupsd_exec_t) +') + +optional_policy(` + dbus_system_bus_client(cupsd_t) + + userdom_dbus_send_all_users(cupsd_t) + + optional_policy(` + avahi_dbus_chat(cupsd_t) + ') + + optional_policy(` + hal_dbus_chat(cupsd_t) + ') + + optional_policy(` + unconfined_dbus_chat(cupsd_t) + ') +') + +optional_policy(` + hostname_exec(cupsd_t) +') + +optional_policy(` + inetd_core_service_domain(cupsd_t, cupsd_exec_t) +') + +optional_policy(` + logrotate_domtrans(cupsd_t) +') + +optional_policy(` + mta_send_mail(cupsd_t) +') + +optional_policy(` + # cups execs smbtool which reads samba_etc_t files + samba_read_config(cupsd_t) + samba_rw_var_files(cupsd_t) +') + +optional_policy(` + seutil_sigchld_newrole(cupsd_t) +') + +optional_policy(` + snmp_read_snmp_var_lib_files(cupsd_t) +') + +optional_policy(` + udev_read_db(cupsd_t) +') 
+ +######################################## +# +# Cups configuration daemon local policy +# + +allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; +dontaudit cupsd_config_t self:capability sys_tty_config; +allow cupsd_config_t self:process { getsched signal_perms }; +allow cupsd_config_t self:fifo_file rw_fifo_file_perms; +allow cupsd_config_t self:unix_stream_socket create_socket_perms; +allow cupsd_config_t self:unix_dgram_socket create_socket_perms; +allow cupsd_config_t self:tcp_socket create_stream_socket_perms; + +allow cupsd_config_t cupsd_t:process signal; +ps_process_pattern(cupsd_config_t, cupsd_t) + +manage_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) +manage_lnk_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) +filetrans_pattern(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) + +manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) +manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) +files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file) + +can_exec(cupsd_config_t, cupsd_config_exec_t) + +allow cupsd_config_t cupsd_log_t:file rw_file_perms; + +manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) + +allow cupsd_config_t cupsd_var_run_t:file read_file_perms; + +manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) +files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) + +domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) + +read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) + +kernel_read_system_state(cupsd_config_t) +kernel_read_all_sysctls(cupsd_config_t) + +corenet_all_recvfrom_unlabeled(cupsd_config_t) +corenet_all_recvfrom_netlabel(cupsd_config_t) +corenet_tcp_sendrecv_generic_if(cupsd_config_t) 
+corenet_tcp_sendrecv_generic_node(cupsd_config_t) +corenet_tcp_sendrecv_all_ports(cupsd_config_t) +corenet_tcp_connect_all_ports(cupsd_config_t) +corenet_sendrecv_all_client_packets(cupsd_config_t) + +dev_read_sysfs(cupsd_config_t) +dev_read_urand(cupsd_config_t) +dev_read_rand(cupsd_config_t) +dev_rw_generic_usb_dev(cupsd_config_t) + +files_search_all_mountpoints(cupsd_config_t) + +fs_getattr_all_fs(cupsd_config_t) +fs_search_auto_mountpoints(cupsd_config_t) + +corecmd_exec_bin(cupsd_config_t) +corecmd_exec_shell(cupsd_config_t) + +domain_use_interactive_fds(cupsd_config_t) +# killall causes the following +domain_dontaudit_search_all_domains_state(cupsd_config_t) + +files_read_usr_files(cupsd_config_t) +files_read_etc_files(cupsd_config_t) +files_read_etc_runtime_files(cupsd_config_t) +files_read_var_symlinks(cupsd_config_t) + +# Alternatives asks for this +init_getattr_all_script_files(cupsd_config_t) + +auth_use_nsswitch(cupsd_config_t) + +logging_send_syslog_msg(cupsd_config_t) + +miscfiles_read_localization(cupsd_config_t) +miscfiles_read_hwdata(cupsd_config_t) + +seutil_dontaudit_search_config(cupsd_config_t) + +userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) +userdom_dontaudit_search_user_home_dirs(cupsd_config_t) + +cups_stream_connect(cupsd_config_t) + +lpd_read_config(cupsd_config_t) + +ifdef(`distro_redhat',` + optional_policy(` + rpm_read_db(cupsd_config_t) + ') +') + +optional_policy(` + term_use_generic_ptys(cupsd_config_t) +') + +optional_policy(` + cron_system_entry(cupsd_config_t, cupsd_config_exec_t) +') + +optional_policy(` + dbus_system_domain(cupsd_config_t, cupsd_config_exec_t) + + optional_policy(` + hal_dbus_chat(cupsd_config_t) + ') +') + +optional_policy(` + hal_domtrans(cupsd_config_t) + hal_read_tmp_files(cupsd_config_t) + hal_dontaudit_use_fds(hplip_t) +') + +optional_policy(` + hostname_exec(cupsd_config_t) +') + +optional_policy(` + logrotate_use_fds(cupsd_config_t) +') + +optional_policy(` + policykit_dbus_chat(cupsd_config_t) 
+ userdom_read_all_users_state(cupsd_config_t) +') + +optional_policy(` + rpm_read_db(cupsd_config_t) +') + +optional_policy(` + seutil_sigchld_newrole(cupsd_config_t) +') + +optional_policy(` + udev_read_db(cupsd_config_t) +') + +optional_policy(` + unconfined_stream_connect(cupsd_config_t) +') + +######################################## +# +# Cups lpd support +# + +allow cupsd_lpd_t self:process signal_perms; +allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; +allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms; +allow cupsd_lpd_t self:udp_socket create_socket_perms; + +# for identd +# cjp: this should probably only be inetd_child rules? +allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow cupsd_lpd_t self:capability { setuid setgid }; +files_search_home(cupsd_lpd_t) +optional_policy(` + kerberos_use(cupsd_lpd_t) +') +#end for identd + +allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms; +read_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t) +read_lnk_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t) + +allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms; +read_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t) +read_lnk_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t) + +manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) +manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) +files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir }) + +manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t) +files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file) + +kernel_read_kernel_sysctls(cupsd_lpd_t) +kernel_read_system_state(cupsd_lpd_t) +kernel_read_network_state(cupsd_lpd_t) + +corenet_all_recvfrom_unlabeled(cupsd_lpd_t) +corenet_all_recvfrom_netlabel(cupsd_lpd_t) +corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) +corenet_udp_sendrecv_generic_if(cupsd_lpd_t) +corenet_tcp_sendrecv_generic_node(cupsd_lpd_t) +corenet_udp_sendrecv_generic_node(cupsd_lpd_t) 
+corenet_tcp_sendrecv_all_ports(cupsd_lpd_t) +corenet_udp_sendrecv_all_ports(cupsd_lpd_t) +corenet_tcp_bind_generic_node(cupsd_lpd_t) +corenet_udp_bind_generic_node(cupsd_lpd_t) +corenet_tcp_connect_ipp_port(cupsd_lpd_t) + +dev_read_urand(cupsd_lpd_t) +dev_read_rand(cupsd_lpd_t) + +fs_getattr_xattr_fs(cupsd_lpd_t) + +files_read_etc_files(cupsd_lpd_t) + +auth_use_nsswitch(cupsd_lpd_t) + +logging_send_syslog_msg(cupsd_lpd_t) + +miscfiles_read_localization(cupsd_lpd_t) +miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) + +cups_stream_connect(cupsd_lpd_t) + +optional_policy(` + inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) +') + +######################################## +# +# cups_pdf local policy +# + +allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; +allow cups_pdf_t self:fifo_file rw_file_perms; +allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) + +manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) +manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) +files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) + +fs_rw_anon_inodefs_files(cups_pdf_t) + +kernel_read_system_state(cups_pdf_t) + +files_read_etc_files(cups_pdf_t) +files_read_usr_files(cups_pdf_t) + +corecmd_exec_shell(cups_pdf_t) +corecmd_exec_bin(cups_pdf_t) + +auth_use_nsswitch(cups_pdf_t) + +miscfiles_read_localization(cups_pdf_t) +miscfiles_read_fonts(cups_pdf_t) + +userdom_home_filetrans_user_home_dir(cups_pdf_t) +userdom_manage_user_home_content_dirs(cups_pdf_t) +userdom_manage_user_home_content_files(cups_pdf_t) + +lpd_manage_spool(cups_pdf_t) + + +tunable_policy(`use_nfs_home_dirs',` + fs_search_auto_mountpoints(cups_pdf_t) + fs_manage_nfs_dirs(cups_pdf_t) + fs_manage_nfs_files(cups_pdf_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(cups_pdf_t) + fs_manage_cifs_files(cups_pdf_t) +') + +######################################## 
+# +# HPLIP local policy +# + +# Needed for USB Scanneer and xsane +allow hplip_t self:capability { dac_override dac_read_search net_raw }; +dontaudit hplip_t self:capability sys_tty_config; +allow hplip_t self:fifo_file rw_fifo_file_perms; +allow hplip_t self:process signal_perms; +allow hplip_t self:unix_dgram_socket create_socket_perms; +allow hplip_t self:unix_stream_socket create_socket_perms; +allow hplip_t self:netlink_route_socket r_netlink_socket_perms; +allow hplip_t self:tcp_socket create_stream_socket_perms; +allow hplip_t self:udp_socket create_socket_perms; +allow hplip_t self:rawip_socket create_socket_perms; + +allow hplip_t cupsd_etc_t:dir search_dir_perms; +manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir }) + +cups_stream_connect(hplip_t) + +allow hplip_t hplip_etc_t:dir list_dir_perms; +read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) +read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) +files_search_etc(hplip_t) + +manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) + +manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) +files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) + +manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) +files_pid_filetrans(hplip_t, hplip_var_run_t, file) + +kernel_read_system_state(hplip_t) +kernel_read_kernel_sysctls(hplip_t) + +corenet_all_recvfrom_unlabeled(hplip_t) +corenet_all_recvfrom_netlabel(hplip_t) +corenet_tcp_sendrecv_generic_if(hplip_t) +corenet_udp_sendrecv_generic_if(hplip_t) +corenet_raw_sendrecv_generic_if(hplip_t) +corenet_tcp_sendrecv_generic_node(hplip_t) +corenet_udp_sendrecv_generic_node(hplip_t) +corenet_raw_sendrecv_generic_node(hplip_t) +corenet_tcp_sendrecv_all_ports(hplip_t) +corenet_udp_sendrecv_all_ports(hplip_t) +corenet_tcp_bind_generic_node(hplip_t) 
+corenet_udp_bind_generic_node(hplip_t) +corenet_tcp_bind_hplip_port(hplip_t) +corenet_tcp_connect_hplip_port(hplip_t) +corenet_tcp_connect_ipp_port(hplip_t) +corenet_sendrecv_hplip_client_packets(hplip_t) +corenet_receive_hplip_server_packets(hplip_t) +corenet_udp_bind_howl_port(hplip_t) + +dev_read_sysfs(hplip_t) +dev_rw_printer(hplip_t) +dev_read_urand(hplip_t) +dev_read_rand(hplip_t) +dev_rw_generic_usb_dev(hplip_t) +dev_rw_usbfs(hplip_t) + +fs_getattr_all_fs(hplip_t) +fs_search_auto_mountpoints(hplip_t) +fs_rw_anon_inodefs_files(hplip_t) + +# for python +corecmd_exec_bin(hplip_t) + +domain_use_interactive_fds(hplip_t) + +files_read_etc_files(hplip_t) +files_read_etc_runtime_files(hplip_t) +files_read_usr_files(hplip_t) + +logging_send_syslog_msg(hplip_t) + +miscfiles_read_localization(hplip_t) + +sysnet_read_config(hplip_t) + +userdom_dontaudit_use_unpriv_user_fds(hplip_t) +userdom_dontaudit_search_user_home_dirs(hplip_t) +userdom_dontaudit_search_user_home_content(hplip_t) + +lpd_read_config(hplip_t) +lpd_manage_spool(hplip_t) + +optional_policy(` + dbus_system_bus_client(hplip_t) +') + +optional_policy(` + seutil_sigchld_newrole(hplip_t) +') + +optional_policy(` + snmp_read_snmp_var_lib_files(hplip_t) +') + +optional_policy(` + udev_read_db(hplip_t) +') + +######################################## +# +# PTAL local policy +# + +allow ptal_t self:capability { chown sys_rawio }; +dontaudit ptal_t self:capability sys_tty_config; +allow ptal_t self:fifo_file rw_fifo_file_perms; +allow ptal_t self:unix_dgram_socket create_socket_perms; +allow ptal_t self:unix_stream_socket create_stream_socket_perms; +allow ptal_t self:tcp_socket create_stream_socket_perms; + +allow ptal_t ptal_etc_t:dir list_dir_perms; +read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) +read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) +files_search_etc(ptal_t) + +manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) +manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) 
+manage_lnk_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) +manage_fifo_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) +manage_sock_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) +files_pid_filetrans(ptal_t, ptal_var_run_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(ptal_t) +kernel_list_proc(ptal_t) +kernel_read_proc_symlinks(ptal_t) + +corenet_all_recvfrom_unlabeled(ptal_t) +corenet_all_recvfrom_netlabel(ptal_t) +corenet_tcp_sendrecv_generic_if(ptal_t) +corenet_tcp_sendrecv_generic_node(ptal_t) +corenet_tcp_sendrecv_all_ports(ptal_t) +corenet_tcp_bind_generic_node(ptal_t) +corenet_tcp_bind_ptal_port(ptal_t) + +dev_read_sysfs(ptal_t) +dev_read_usbfs(ptal_t) +dev_rw_printer(ptal_t) + +fs_getattr_all_fs(ptal_t) +fs_search_auto_mountpoints(ptal_t) + +domain_use_interactive_fds(ptal_t) + +files_read_etc_files(ptal_t) +files_read_etc_runtime_files(ptal_t) + +logging_send_syslog_msg(ptal_t) + +miscfiles_read_localization(ptal_t) + +sysnet_read_config(ptal_t) + +userdom_dontaudit_use_unpriv_user_fds(ptal_t) +userdom_dontaudit_search_user_home_content(ptal_t) + +optional_policy(` + seutil_sigchld_newrole(ptal_t) +') + +optional_policy(` + udev_read_db(ptal_t) +') diff --git a/cvs.fc b/cvs.fc new file mode 100644 index 0000000..48a30de --- /dev/null +++ b/cvs.fc @@ -0,0 +1,10 @@ + +/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) + +/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0) + +/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) + +#CVSWeb file context +/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) +/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) diff --git a/cvs.if b/cvs.if new file mode 100644 index 0000000..c43ff4c --- /dev/null +++ b/cvs.if 
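Review bot: In the cupsd_t capability rule at the top of the "Cups local policy" section, `dac_override` is listed twice, and `sys_tty_config` is both allowed there and repeated in the following `dontaudit cupsd_t self:capability { sys_tty_config net_admin };`; a dontaudit on a permission that is already allowed has no effect, so drop the duplicate and keep `sys_tty_config` in only one of the two rules. The same allow-then-dontaudit overlap of `sys_tty_config` appears in the cupsd_config_t section (`allow cupsd_config_t self:capability { chown dac_override sys_tty_config };` followed by `dontaudit cupsd_config_t self:capability sys_tty_config;`). Two smaller points: `hal_dontaudit_use_fds(hplip_t)` sits inside the cupsd_config_t `hal_domtrans` optional block rather than in the HPLIP section, and `allow cups_pdf_t self:fifo_file rw_file_perms;` uses the generic file permission set where every other domain in this file uses `rw_fifo_file_perms`. The bare `#447878` after `dev_rw_input_dev(cupsd_t)` should say which tracker it refers to and what the access is for, in the style of the `# redhat bug #214953` comment used further down.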
@@ -0,0 +1,82 @@ +## Concurrent versions system + +######################################## +## +## Read the CVS data and metadata. +## +## +## +## Domain allowed access. +## +## +# +interface(`cvs_read_data',` + gen_require(` + type cvs_data_t; + ') + + list_dirs_pattern($1, cvs_data_t, cvs_data_t) + read_files_pattern($1, cvs_data_t, cvs_data_t) + read_lnk_files_pattern($1, cvs_data_t, cvs_data_t) +') + +######################################## +## +## Allow the specified domain to execute cvs +## in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`cvs_exec',` + gen_require(` + type cvs_exec_t; + ') + + can_exec($1, cvs_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an cvs environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the cvs domain. +## +## +## +# +interface(`cvs_admin',` + gen_require(` + type cvs_t, cvs_tmp_t; + type cvs_data_t, cvs_var_run_t; + type cvs_initrc_exec_t; + ') + + allow $1 cvs_t:process { ptrace signal_perms }; + ps_process_pattern($1, cvs_t) + + # Allow cvs_t to restart the apache service + init_labeled_script_domtrans($1, cvs_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cvs_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, cvs_tmp_t) + + admin_pattern($1, cvs_data_t) + + files_list_pids($1) + admin_pattern($1, cvs_var_run_t) +') diff --git a/cvs.te b/cvs.te new file mode 100644 index 0000000..88e7e97 --- /dev/null +++ b/cvs.te @@ -0,0 +1,115 @@ +policy_module(cvs, 1.9.0) + +######################################## +# +# Declarations +# + +## +##
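Review bot: The comment inside cvs_admin, `# Allow cvs_t to restart the apache service`, does not describe the rule under it: `init_labeled_script_domtrans($1, cvs_initrc_exec_t)` lets the admin domain `$1` run the cvs init script, and nothing in this interface touches cvs_t's own rights or apache. It reads like a copy-paste from another module's admin interface and will mislead whoever audits which domain may restart what. Replace it with `# Allow the admin domain to run the cvs init script`. The summary "All of the rules required to administrate an cvs environment" should also read "a cvs environment".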

+## Allow cvs daemon to read shadow +##

+##
+gen_tunable(allow_cvs_read_shadow, false) + +type cvs_t; +type cvs_exec_t; +inetd_tcp_service_domain(cvs_t, cvs_exec_t) +application_executable_file(cvs_exec_t) +role system_r types cvs_t; + +type cvs_data_t; # customizable +files_type(cvs_data_t) + +type cvs_initrc_exec_t; +init_script_file(cvs_initrc_exec_t) + +type cvs_tmp_t; +files_tmp_file(cvs_tmp_t) + +type cvs_var_run_t; +files_pid_file(cvs_var_run_t) + +######################################## +# +# Local policy +# + +allow cvs_t self:process signal_perms; +allow cvs_t self:fifo_file rw_fifo_file_perms; +allow cvs_t self:tcp_socket connected_stream_socket_perms; +# for identd; cjp: this should probably only be inetd_child rules? +allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow cvs_t self:capability { setuid setgid }; + +manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) +manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) +manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t) + +manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) +manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) +files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir }) + +manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t) +files_pid_filetrans(cvs_t, cvs_var_run_t, file) + +kernel_read_kernel_sysctls(cvs_t) +kernel_read_system_state(cvs_t) +kernel_read_network_state(cvs_t) + +corenet_all_recvfrom_unlabeled(cvs_t) +corenet_all_recvfrom_netlabel(cvs_t) +corenet_tcp_sendrecv_generic_if(cvs_t) +corenet_udp_sendrecv_generic_if(cvs_t) +corenet_tcp_sendrecv_generic_node(cvs_t) +corenet_udp_sendrecv_generic_node(cvs_t) +corenet_tcp_sendrecv_all_ports(cvs_t) +corenet_udp_sendrecv_all_ports(cvs_t) + +dev_read_urand(cvs_t) + +fs_getattr_xattr_fs(cvs_t) + +auth_domtrans_chk_passwd(cvs_t) +auth_use_nsswitch(cvs_t) + +corecmd_exec_bin(cvs_t) +corecmd_exec_shell(cvs_t) + +files_read_etc_files(cvs_t) +files_read_etc_runtime_files(cvs_t) +# for identd; cjp: this should probably only be inetd_child rules? 
+files_search_home(cvs_t) + +logging_send_syslog_msg(cvs_t) +logging_send_audit_msgs(cvs_t) + +miscfiles_read_localization(cvs_t) + +mta_send_mail(cvs_t) + +# cjp: typeattribute doesnt work in conditionals yet +auth_can_read_shadow_passwords(cvs_t) +tunable_policy(`allow_cvs_read_shadow',` + allow cvs_t self:capability dac_override; + auth_tunable_read_shadow(cvs_t) +') + +optional_policy(` + kerberos_keytab_template(cvs, cvs_t) + kerberos_read_config(cvs_t) + kerberos_dontaudit_write_config(cvs_t) +') + +######################################## +# +# CVSWeb policy +# + +optional_policy(` + apache_content_template(cvs) + + read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) + manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) +') diff --git a/cyphesis.fc b/cyphesis.fc new file mode 100644 index 0000000..c47a772 --- /dev/null +++ b/cyphesis.fc @@ -0,0 +1,5 @@ +/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0) + +/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0) + +/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0) diff --git a/cyphesis.if b/cyphesis.if new file mode 100644 index 0000000..9d44538 --- /dev/null +++ b/cyphesis.if @@ -0,0 +1,19 @@ +## Cyphesis WorldForge game server + +######################################## +## +## Execute a domain transition to run cyphesis. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cyphesis_domtrans',` + gen_require(` + type cyphesis_t, cyphesis_exec_t; + ') + + domtrans_pattern($1, cyphesis_exec_t, cyphesis_t) +') diff --git a/cyphesis.te b/cyphesis.te new file mode 100644 index 0000000..25897c9 --- /dev/null +++ b/cyphesis.te 
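Review bot: `auth_can_read_shadow_passwords(cvs_t)` sits outside the `allow_cvs_read_shadow` tunable, so cvs_t carries the can_read_shadow_passwords attribute even when the boolean is off; only the file rules from `auth_tunable_read_shadow` and the `dac_override` capability are conditional. The existing "typeattribute doesnt work in conditionals yet" line explains the mechanism but not the consequence, and anyone grepping for shadow-capable domains will count cvs as one unconditionally. I would state that next to the rule: `# cvs_t always carries the can_read_shadow_passwords attribute (typeattribute cannot be conditional); the actual read rules are still gated by allow_cvs_read_shadow below`. Separately, `dac_read_search` is the tighter capability for reading /etc/shadow than `dac_override`; if this policy targets kernels that check dac_override first and audit it, keep dac_override but say so in a comment. The tunable's description should also mention that it enables dac_override, since that is the more consequential grant.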
@@ -0,0 +1,85 @@ +policy_module(cyphesis, 1.2.0) + +######################################## +# +# Declarations +# + +type cyphesis_t; +type cyphesis_exec_t; +init_daemon_domain(cyphesis_t, cyphesis_exec_t) + +type cyphesis_log_t; +logging_log_file(cyphesis_log_t) + +type cyphesis_tmp_t; +files_tmp_file(cyphesis_tmp_t) + +type cyphesis_var_run_t; +files_pid_file(cyphesis_var_run_t) + +######################################## +# +# cyphesis local policy +# + +allow cyphesis_t self:process { setfscreate setsched signal }; +allow cyphesis_t self:fifo_file rw_fifo_file_perms; +allow cyphesis_t self:tcp_socket create_stream_socket_perms; +allow cyphesis_t self:unix_stream_socket create_stream_socket_perms; +allow cyphesis_t self:unix_dgram_socket create_socket_perms; + +manage_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t) +logging_log_filetrans(cyphesis_t, cyphesis_log_t, file) + +# DAN > Does cyphesis really create a sock_file in /tmp? Why? +allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms; +files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file) + +manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) +manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) +manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) +files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { dir file sock_file }) + +kernel_read_system_state(cyphesis_t) +kernel_read_kernel_sysctls(cyphesis_t) + +# DAN> What is cyphesis looking for in /bin? 
+corecmd_search_bin(cyphesis_t) +corecmd_getattr_bin_files(cyphesis_t) + +corenet_all_recvfrom_unlabeled(cyphesis_t) +corenet_tcp_sendrecv_generic_if(cyphesis_t) +corenet_tcp_sendrecv_generic_node(cyphesis_t) +corenet_tcp_sendrecv_all_ports(cyphesis_t) +corenet_tcp_bind_generic_node(cyphesis_t) +corenet_tcp_bind_cyphesis_port(cyphesis_t) +corenet_sendrecv_cyphesis_server_packets(cyphesis_t) + +dev_read_urand(cyphesis_t) + +# Init script handling +domain_use_interactive_fds(cyphesis_t) + +files_read_etc_files(cyphesis_t) +files_read_usr_files(cyphesis_t) + +logging_send_syslog_msg(cyphesis_t) + +miscfiles_read_localization(cyphesis_t) + +sysnet_dns_name_resolve(cyphesis_t) + +# cyphesis wants to talk to avahi via dbus +optional_policy(` + avahi_dbus_chat(cyphesis_t) + dbus_system_bus_client(cyphesis_t) +') + +optional_policy(` + kerberos_use(cyphesis_t) +') + +optional_policy(` + postgresql_stream_connect(cyphesis_t) +') diff --git a/cyrus.fc b/cyrus.fc new file mode 100644 index 0000000..25546bc --- /dev/null +++ b/cyrus.fc @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0) + +/usr/lib(64)?/cyrus/master -- gen_context(system_u:object_r:cyrus_exec_t,s0) +/usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) + +/var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) +/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) diff --git a/cyrus.if b/cyrus.if new file mode 100644 index 0000000..e4e86d0 --- /dev/null +++ b/cyrus.if 
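Review bot: The tmp rules in cyphesis.te contradict each other: `files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file)` relabels regular files created in /tmp to cyphesis_tmp_t, yet the only access granted on that type is `allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;`, so a regular file would be created with a label the domain cannot then write, while the socket the DAN comment asks about gets no transition and lands as generic tmp_t. The object class in the transition should match the class that is actually permitted: `files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, sock_file)`. The DAN question itself should be resolved or turned into a maintained note rather than shipped as-is. `setfscreate` in the self:process set is unusual for a game server and deserves a one-line justification, since it lets the daemon choose the label of files it creates.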
@@ -0,0 +1,81 @@ +## Cyrus is an IMAP service intended to be run on sealed servers + +######################################## +## +## Allow caller to create, read, write, +## and delete cyrus data files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cyrus_manage_data',` + gen_require(` + type cyrus_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) +') + +######################################## +## +## Connect to Cyrus using a unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`cyrus_stream_connect',` + gen_require(` + type cyrus_t, cyrus_var_lib_t; + ') + + files_search_var_lib($1) + stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t) +') + +######################################## +## +## All of the rules required to administrate +## an cyrus environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the cyrus domain. +## +## +## +# +interface(`cyrus_admin',` + gen_require(` + type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t; + type cyrus_var_run_t, cyrus_initrc_exec_t; + ') + + allow $1 cyrus_t:process { ptrace signal_perms }; + ps_process_pattern($1, cyrus_t) + + init_labeled_script_domtrans($1, cyrus_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cyrus_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, cyrus_tmp_t) + + files_list_var_lib($1) + admin_pattern($1, cyrus_var_lib_t) + + files_list_pids($1) + admin_pattern($1, cyrus_var_run_t) +') diff --git a/cyrus.te b/cyrus.te new file mode 100644 index 0000000..2ced023 --- /dev/null +++ b/cyrus.te 
@@ -0,0 +1,145 @@ +policy_module(cyrus, 1.11.0) + +######################################## +# +# Declarations +# + +type cyrus_t; +type cyrus_exec_t; +init_daemon_domain(cyrus_t, cyrus_exec_t) + +type cyrus_initrc_exec_t; +init_script_file(cyrus_initrc_exec_t) + +type cyrus_tmp_t; +files_tmp_file(cyrus_tmp_t) + +type cyrus_var_lib_t; +files_type(cyrus_var_lib_t) + +type cyrus_var_run_t; +files_pid_file(cyrus_var_run_t) + +######################################## +# +# Local policy +# + +allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; +dontaudit cyrus_t self:capability sys_tty_config; +allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow cyrus_t self:process setrlimit; +allow cyrus_t self:fd use; +allow cyrus_t self:fifo_file rw_fifo_file_perms; +allow cyrus_t self:sock_file read_sock_file_perms; +allow cyrus_t self:shm create_shm_perms; +allow cyrus_t self:sem create_sem_perms; +allow cyrus_t self:msgq create_msgq_perms; +allow cyrus_t self:msg { send receive }; +allow cyrus_t self:unix_dgram_socket create_socket_perms; +allow cyrus_t self:unix_stream_socket create_stream_socket_perms; +allow cyrus_t self:unix_dgram_socket sendto; +allow cyrus_t self:unix_stream_socket connectto; +allow cyrus_t self:tcp_socket create_stream_socket_perms; +allow cyrus_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) +manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) +files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir }) + +manage_dirs_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) +manage_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) +manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) +manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) +files_pid_filetrans(cyrus_t, cyrus_var_run_t, file) + +manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) 
+manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) +files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctls(cyrus_t) +kernel_read_system_state(cyrus_t) +kernel_read_all_sysctls(cyrus_t) + +corenet_all_recvfrom_unlabeled(cyrus_t) +corenet_all_recvfrom_netlabel(cyrus_t) +corenet_tcp_sendrecv_generic_if(cyrus_t) +corenet_udp_sendrecv_generic_if(cyrus_t) +corenet_tcp_sendrecv_generic_node(cyrus_t) +corenet_udp_sendrecv_generic_node(cyrus_t) +corenet_tcp_sendrecv_all_ports(cyrus_t) +corenet_udp_sendrecv_all_ports(cyrus_t) +corenet_tcp_bind_generic_node(cyrus_t) +corenet_tcp_bind_mail_port(cyrus_t) +corenet_tcp_bind_lmtp_port(cyrus_t) +corenet_tcp_bind_pop_port(cyrus_t) +corenet_tcp_bind_sieve_port(cyrus_t) +corenet_tcp_connect_all_ports(cyrus_t) +corenet_sendrecv_mail_server_packets(cyrus_t) +corenet_sendrecv_pop_server_packets(cyrus_t) +corenet_sendrecv_lmtp_server_packets(cyrus_t) +corenet_sendrecv_all_client_packets(cyrus_t) + +dev_read_rand(cyrus_t) +dev_read_urand(cyrus_t) +dev_read_sysfs(cyrus_t) + +fs_getattr_all_fs(cyrus_t) +fs_search_auto_mountpoints(cyrus_t) + +corecmd_exec_bin(cyrus_t) + +domain_use_interactive_fds(cyrus_t) + +files_list_var_lib(cyrus_t) +files_read_etc_files(cyrus_t) +files_read_etc_runtime_files(cyrus_t) +files_read_usr_files(cyrus_t) + +auth_use_nsswitch(cyrus_t) + +libs_exec_lib_files(cyrus_t) + +logging_send_syslog_msg(cyrus_t) + +miscfiles_read_localization(cyrus_t) +miscfiles_read_generic_certs(cyrus_t) + +sysnet_read_config(cyrus_t) + +userdom_use_unpriv_users_fds(cyrus_t) +userdom_dontaudit_search_user_home_dirs(cyrus_t) + +mta_manage_spool(cyrus_t) +mta_send_mail(cyrus_t) + +optional_policy(` + cron_system_entry(cyrus_t, cyrus_exec_t) +') + +optional_policy(` + kerberos_keytab_template(cyrus, cyrus_t) +') + +optional_policy(` + ldap_stream_connect(cyrus_t) +') + +optional_policy(` + sasl_connect(cyrus_t) +') + +optional_policy(` + seutil_sigchld_newrole(cyrus_t) +') + 
+optional_policy(` + snmp_read_snmp_var_lib_files(cyrus_t) + snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) + snmp_stream_connect(cyrus_t) +') + +optional_policy(` + udev_read_db(cyrus_t) +') diff --git a/daemontools.fc b/daemontools.fc new file mode 100644 index 0000000..26df050 --- /dev/null +++ b/daemontools.fc 
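Review bot: The process-permission rules for cyrus_t cancel each other out: `allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` deliberately excludes setrlimit, and the very next line `allow cyrus_t self:process setrlimit;` grants it back, so the exclusion is dead and a reader cannot tell which was intended. Since the standalone grant is the later, more explicit one, I would drop setrlimit from the negated set and delete the standalone line, and add `# negated set: also grants any process permission added to the class later` above it so the breadth of `~{ ... }` is visible. Also, `files_pid_filetrans(cyrus_t, cyrus_var_run_t, file)` appears once under the cyrus_var_lib_t block and again two lines later as `{ file sock_file }`; the first is a misplaced duplicate and should go. `kernel_read_all_sysctls(cyrus_t)` already covers `kernel_read_kernel_sysctls(cyrus_t)`, and `corenet_tcp_connect_all_ports` is broad for an IMAP server that, from this hunk, only needs LDAP/SASL/SNMP sockets and outbound mail.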
@@ -0,0 +1,53 @@ +# +# /service +# + +/service -d gen_context(system_u:object_r:svc_svc_t,s0) +/service/.* gen_context(system_u:object_r:svc_svc_t,s0) + +# +# /usr +# + +/usr/bin/envdir -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/envuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/fghack -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/multilog -- gen_context(system_u:object_r:svc_multilog_exec_t,s0) +/usr/bin/pgrphack -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/setlock -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/setuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/softlimit -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/svc -- gen_context(system_u:object_r:svc_start_exec_t,s0) +/usr/bin/svok -- gen_context(system_u:object_r:svc_start_exec_t,s0) +/usr/bin/svscan -- gen_context(system_u:object_r:svc_start_exec_t,s0) +/usr/bin/svscanboot -- gen_context(system_u:object_r:svc_start_exec_t,s0) +/usr/bin/supervise -- gen_context(system_u:object_r:svc_start_exec_t,s0) + +# +# /var +# + +/var/axfrdns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) +/var/axfrdns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/axfrdns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/axfrdns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) + +/var/dnscache(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) +/var/dnscache/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) +/var/dnscache/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/dnscache/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) + +/var/qmail/supervise(/.*)? 
gen_context(system_u:object_r:svc_svc_t,s0) +/var/qmail/supervise/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) + +/var/service/.* gen_context(system_u:object_r:svc_svc_t,s0) +/var/service/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) +/var/service/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0) +/var/service/.*/log/run gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0) + +/var/tinydns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) +/var/tinydns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/tinydns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/tinydns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) diff --git a/daemontools.if b/daemontools.if new file mode 100644 index 0000000..ce3e676 --- /dev/null +++ b/daemontools.if @@ -0,0 +1,212 @@ +## Collection of tools for managing UNIX services +## +##
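Review bot: In daemontools.fc the entry `/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0)` has no file-type qualifier and an open-ended suffix, so any entry whose name begins with "run" under a service directory, including directories and log files, is labeled as an executable entry point for svc_run_t; `/var/service/.*/log/run` likewise lacks the `--` that every other run-script line in this file carries. If the intent is only the run script itself, these should be `/var/service/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)` and `/var/service/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)`; if `run.*` is meant to catch variants such as run.sh, that should be said in a comment and still restricted to regular files.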

+## Policy for DJB's daemontools +##

+##
+ +######################################## +## +## An ipc channel between the supervised domain and svc_start_t +## +## +## +## Domain allowed access. +## +## +# +interface(`daemontools_ipc_domain',` + gen_require(` + type svc_start_t; + ') + + allow $1 svc_start_t:process sigchld; + allow $1 svc_start_t:fd use; + allow $1 svc_start_t:fifo_file { read write getattr }; + allow svc_start_t $1:process signal; +') + +######################################## +## +## Define a specified domain as a supervised service. +## +## +## +## Domain allowed access. +## +## +## +## +## The type associated with the process program. +## +## +# +interface(`daemontools_service_domain',` + gen_require(` + type svc_run_t; + ') + + domain_auto_trans(svc_run_t, $2, $1) + daemontools_ipc_domain($1) + + allow svc_run_t $1:process signal; + allow $1 svc_run_t:fd use; +') + +######################################## +## +## Execute in the svc_start_t domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`daemontools_domtrans_start',` + gen_require(` + type svc_start_t, svc_start_exec_t; + ') + + domtrans_pattern($1, svc_start_exec_t, svc_start_t) +') + +###################################### +## +## Execute svc_start in the svc_start domain, and +## allow the specified role the svc_start domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the svc_start domain. +## +## +## +# +interface(`daemonstools_run_start',` + gen_require(` + type svc_start_t; + ') + + daemontools_domtrans_start($1) + role $2 types svc_start_t; +') + +######################################## +## +## Execute in the svc_run_t domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`daemontools_domtrans_run',` + gen_require(` + type svc_run_t, svc_run_exec_t; + ') + + domtrans_pattern($1, svc_run_exec_t, svc_run_t) +') + +###################################### +## +## Send a SIGCHLD signal to svc_run domain. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`daemontools_sigchld_run',` + gen_require(` + type svc_run_t; + ') + + allow $1 svc_run_t:process sigchld; +') + +######################################## +## +## Execute in the svc_multilog_t domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`daemontools_domtrans_multilog',` + gen_require(` + type svc_multilog_t, svc_multilog_exec_t; + ') + + domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t) +') + +###################################### +## +## Search svc_svc_t directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`daemontools_search_svc_dir',` + gen_require(` + type svc_svc_t; + ') + + allow $1 svc_svc_t:dir search_dir_perms; +') + +######################################## +## +## Allow a domain to read svc_svc_t files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`daemontools_read_svc',` + gen_require(` + type svc_svc_t; + ') + + allow $1 svc_svc_t:dir list_dir_perms; + allow $1 svc_svc_t:file read_file_perms; +') + +######################################## +## +## Allow a domain to create svc_svc_t files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`daemontools_manage_svc',` + gen_require(` + type svc_svc_t; + ') + + allow $1 svc_svc_t:dir manage_dir_perms; + allow $1 svc_svc_t:fifo_file manage_fifo_file_perms; + allow $1 svc_svc_t:file manage_file_perms; + allow $1 svc_svc_t:lnk_file { read create }; +') diff --git a/daemontools.te b/daemontools.te new file mode 100644 index 0000000..dcc5f1c --- /dev/null +++ b/daemontools.te 
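Review bot: The interface is declared as `interface(`daemonstools_run_start',` (note "daemonstools"), so callers following the module's naming, `daemontools_run_start`, will not resolve, and the typo is effectively a silently missing interface; it should be renamed `daemontools_run_start`. In `daemontools_manage_svc`, the summary says "create svc_svc_t files" while the body grants manage on dirs, files and fifos but only `lnk_file { read create }`, which cannot remove or replace a symlink the domain created; either the summary should describe the actual set or the lnk_file rule should become `manage_lnk_file_perms` to match the others. `daemontools_ipc_domain` grants `allow svc_start_t $1:process signal;` to every supervised domain that calls it, which is fine for a supervisor but worth a comment since the interface name suggests only an IPC channel.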
@@ -0,0 +1,118 @@ +policy_module(daemontools, 1.2.0) + +######################################## +# +# Declarations +# + +type svc_conf_t; +files_config_file(svc_conf_t) + +type svc_log_t; +files_type(svc_log_t) + +type svc_multilog_t; +type svc_multilog_exec_t; +application_domain(svc_multilog_t, svc_multilog_exec_t) +role system_r types svc_multilog_t; + +type svc_run_t; +type svc_run_exec_t; +application_domain(svc_run_t, svc_run_exec_t) +role system_r types svc_run_t; + +type svc_start_t; +type svc_start_exec_t; +init_domain(svc_start_t, svc_start_exec_t) +init_system_domain(svc_start_t, svc_start_exec_t) +role system_r types svc_start_t; + +type svc_svc_t; +files_type(svc_svc_t) + +######################################## +# +# multilog local policy +# + +# multilog creates /service/*/log/status +manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) + +init_use_fds(svc_multilog_t) + +# writes to /var/log/*/* +logging_manage_generic_logs(svc_multilog_t) + +daemontools_ipc_domain(svc_multilog_t) + +######################################## +# +# local policy for binaries that impose +# a given environment to supervised daemons +# ie. softlimit, setuidgid, envuidgid, envdir, fghack .. 
+# + +allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource }; +allow svc_run_t self:process setrlimit; +allow svc_run_t self:fifo_file rw_fifo_file_perms; +allow svc_run_t self:unix_stream_socket create_stream_socket_perms; + +allow svc_run_t svc_conf_t:dir list_dir_perms; +allow svc_run_t svc_conf_t:file read_file_perms; + +can_exec(svc_run_t, svc_run_exec_t) + +kernel_read_system_state(svc_run_t) + +dev_read_urand(svc_run_t) + +corecmd_exec_bin(svc_run_t) +corecmd_exec_shell(svc_run_t) + +files_read_etc_files(svc_run_t) +files_read_etc_runtime_files(svc_run_t) +files_search_pids(svc_run_t) +files_search_var_lib(svc_run_t) + +init_use_script_fds(svc_run_t) +init_use_fds(svc_run_t) + +daemontools_domtrans_multilog(svc_run_t) +daemontools_read_svc(svc_run_t) + +optional_policy(` + qmail_read_config(svc_run_t) +') + +######################################## +# +# local policy for service monitoring programs +# ie svc, svscan, supervise ... +# + +allow svc_start_t svc_run_t:process { signal setrlimit }; + +allow svc_start_t self:fifo_file rw_fifo_file_perms; +allow svc_start_t self:capability kill; +allow svc_start_t self:tcp_socket create_stream_socket_perms; +allow svc_start_t self:unix_stream_socket create_socket_perms; + +can_exec(svc_start_t, svc_start_exec_t) + +kernel_read_kernel_sysctls(svc_start_t) +kernel_read_system_state(svc_start_t) + +corecmd_exec_bin(svc_start_t) +corecmd_exec_shell(svc_start_t) + +files_read_etc_files(svc_start_t) +files_read_etc_runtime_files(svc_start_t) +files_search_var(svc_start_t) +files_search_pids(svc_start_t) + +daemontools_domtrans_run(svc_start_t) +daemontools_manage_svc(svc_start_t) + +logging_send_syslog_msg(svc_start_t) + +miscfiles_read_localization(svc_start_t) diff --git a/dante.fc b/dante.fc new file mode 100644 index 0000000..139171d --- /dev/null +++ b/dante.fc 
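Review bot: `svc_log_t` is declared with `files_type(svc_log_t)` and the fc hunk labels `/var/service/.*/log/main(/.*)?` with it, but no rule in daemontools.te grants any domain access to that type; multilog instead receives `logging_manage_generic_logs(svc_multilog_t)`, which is manage access to all var_log_t content. As written, multilog writing into its own log/main directory is denied in enforcing mode and the dedicated type is dead, while the daemon can alter every other generic log on the box. I would add `manage_dirs_pattern(svc_multilog_t, svc_log_t, svc_log_t)` and `manage_files_pattern(svc_multilog_t, svc_log_t, svc_log_t)`, and keep the generic-log grant only if the "writes to /var/log/*/*" comment reflects a real deployment need, stated explicitly. The `# DAN>`-style questions left in cyphesis.te do not appear here, but the svc_run_t capability line `{ setgid setuid chown fsetid sys_resource }` would also benefit from a comment naming which of setuidgid/envuidgid/softlimit needs each.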
@@ -0,0 +1,6 @@
+
+/etc/socks(/.*)? gen_context(system_u:object_r:dante_conf_t,s0)
+
+/usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0)
+
+/var/run/sockd\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0)
diff --git a/dante.if b/dante.if
new file mode 100644
index 0000000..704661c
--- /dev/null
+++ b/dante.if
@@ -0,0 +1 @@
+## Dante msproxy and socks4/5 proxy server
diff --git a/dante.te b/dante.te
new file mode 100644
index 0000000..a8b93c0
--- /dev/null
+++ b/dante.te
@@ -0,0 +1,79 @@
+policy_module(dante, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type dante_t;
+type dante_exec_t;
+init_daemon_domain(dante_t, dante_exec_t)
+
+type dante_conf_t;
+files_type(dante_conf_t)
+
+type dante_var_run_t;
+files_pid_file(dante_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dante_t self:capability { setuid setgid };
+dontaudit dante_t self:capability sys_tty_config;
+allow dante_t self:process signal_perms;
+allow dante_t self:fifo_file rw_fifo_file_perms;
+allow dante_t self:tcp_socket create_stream_socket_perms;
+allow dante_t self:udp_socket create_socket_perms;
+
+allow dante_t dante_conf_t:dir list_dir_perms;
+allow dante_t dante_conf_t:file read_file_perms;
+
+manage_files_pattern(dante_t, dante_var_run_t, dante_var_run_t)
+files_pid_filetrans(dante_t, dante_var_run_t, file)
+
+kernel_read_kernel_sysctls(dante_t)
+kernel_list_proc(dante_t)
+kernel_read_proc_symlinks(dante_t)
+
+corenet_all_recvfrom_unlabeled(dante_t)
+corenet_all_recvfrom_netlabel(dante_t)
+corenet_tcp_sendrecv_generic_if(dante_t)
+corenet_udp_sendrecv_generic_if(dante_t)
+corenet_tcp_sendrecv_generic_node(dante_t)
+corenet_udp_sendrecv_generic_node(dante_t)
+corenet_tcp_sendrecv_all_ports(dante_t)
+corenet_udp_sendrecv_all_ports(dante_t)
+corenet_tcp_bind_generic_node(dante_t)
+#TODO: no portcons for this type
+#allow dante_t socks_port_t:tcp_socket name_bind;
+
+dev_read_sysfs(dante_t)
+
+domain_use_interactive_fds(dante_t)
+
+files_read_etc_files(dante_t)
+files_read_etc_runtime_files(dante_t)
+
+fs_getattr_all_fs(dante_t)
+fs_search_auto_mountpoints(dante_t)
+
+init_write_utmp(dante_t)
+
+logging_send_syslog_msg(dante_t)
+
+miscfiles_read_localization(dante_t)
+
+sysnet_read_config(dante_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dante_t)
+userdom_dontaudit_search_user_home_dirs(dante_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dante_t)
+')
+
+optional_policy(`
+ udev_read_db(dante_t)
+') diff --git a/dbadm.fc b/dbadm.fc new file mode 100644 index 0000000..e6aa2fb --- /dev/null +++ b/dbadm.fc @@ -0,0 +1 @@ +# No dbadm file contexts diff --git a/dbadm.if b/dbadm.if new file mode 100644 index 0000000..56f2af7 --- /dev/null +++ b/dbadm.if @@ -0,0 +1,50 @@ +## Database administrator role + +######################################## +## +## Change to the database administrator role. +## +## +## +## Role allowed access. +## +## +## +# +interface(`dbadm_role_change',` + gen_require(` + role dbadm_r; + ') + + allow $1 dbadm_r; +') + +######################################## +## +## Change from the database administrator role. +## +## +##
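Review bot: dante_t is given `corenet_tcp_bind_generic_node` but no port `name_bind` at all; the only bind rule is the commented-out `#allow dante_t socks_port_t:tcp_socket name_bind;` with a TODO that the type has no portcon, and socks_port_t is not declared anywhere in this hunk. In enforcing mode sockd therefore cannot bind its listening port, so the module is not functional as shipped and the TODO should not be left as a dead comment. If corenetwork does not already declare the port, add `network_port(socks, tcp,1080,s0)` there and use `corenet_tcp_bind_socks_port(dante_t)` plus the matching `corenet_sendrecv_socks_server_packets(dante_t)` here. `init_write_utmp(dante_t)` is an unusual grant for a SOCKS daemon and deserves a comment naming the feature that needs it, and `dante_conf_t` should be declared with `files_config_file(dante_conf_t)` rather than bare `files_type` so config-file interfaces and relabel rules treat it consistently.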

+## Change from the database administrator role to +## the specified role. +##

+##

+## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+##
+## +## +## Role allowed access. +## +## +## +# +interface(`dbadm_role_change_to',` + gen_require(` + role dbadm_r; + ') + + allow dbadm_r $1; +') diff --git a/dbadm.te b/dbadm.te new file mode 100644 index 0000000..1875064 --- /dev/null +++ b/dbadm.te @@ -0,0 +1,60 @@ +policy_module(dbadm, 1.0.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow dbadm to manage files in users home directories +##

+##
+gen_tunable(dbadm_manage_user_files, false) + +## +##

+## Allow dbadm to read files in users home directories +##

+##
+gen_tunable(dbadm_read_user_files, false) + +role dbadm_r; + +userdom_base_user_template(dbadm) + +######################################## +# +# database admin local policy +# + +allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; + +files_dontaudit_search_all_dirs(dbadm_t) +files_delete_generic_locks(dbadm_t) +files_list_var(dbadm_t) + +selinux_get_enforce_mode(dbadm_t) + +logging_send_syslog_msg(dbadm_t) + +userdom_dontaudit_search_user_home_dirs(dbadm_t) + +tunable_policy(`dbadm_manage_user_files',` + userdom_manage_user_home_content_files(dbadm_t) + userdom_read_user_tmp_files(dbadm_t) + userdom_write_user_tmp_files(dbadm_t) +') + +tunable_policy(`dbadm_read_user_files',` + userdom_read_user_home_content_files(dbadm_t) + userdom_read_user_tmp_files(dbadm_t) +') + +optional_policy(` + mysql_admin(dbadm_t, dbadm_r) +') + +optional_policy(` + postgresql_admin(dbadm_t, dbadm_r) +') diff --git a/dbskk.fc b/dbskk.fc new file mode 100644 index 0000000..7af2590 --- /dev/null +++ b/dbskk.fc @@ -0,0 +1,2 @@ + +/usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0) diff --git a/dbskk.if b/dbskk.if new file mode 100644 index 0000000..9e71004 --- /dev/null +++ b/dbskk.if @@ -0,0 +1 @@ +## Dictionary server for the SKK Japanese input method system. diff --git a/dbskk.te b/dbskk.te new file mode 100644 index 0000000..1445f97 --- /dev/null +++ b/dbskk.te 
@@ -0,0 +1,69 @@
+policy_module(dbskk, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type dbskkd_t;
+type dbskkd_exec_t;
+inetd_service_domain(dbskkd_t, dbskkd_exec_t)
+role system_r types dbskkd_t;
+
+type dbskkd_tmp_t;
+files_tmp_file(dbskkd_tmp_t)
+
+type dbskkd_var_run_t;
+files_pid_file(dbskkd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dbskkd_t self:process signal_perms;
+allow dbskkd_t self:fifo_file rw_fifo_file_perms;
+allow dbskkd_t self:tcp_socket connected_stream_socket_perms;
+allow dbskkd_t self:udp_socket create_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child rules?
+allow dbskkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow dbskkd_t self:capability { setuid setgid };
+files_search_home(dbskkd_t)
+optional_policy(`
+ kerberos_use(dbskkd_t)
+')
+#end for identd
+
+manage_dirs_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t)
+manage_files_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t)
+files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir })
+
+manage_files_pattern(dbskkd_t, dbskkd_var_run_t, dbskkd_var_run_t)
+files_pid_filetrans(dbskkd_t, dbskkd_var_run_t, file)
+
+kernel_read_kernel_sysctls(dbskkd_t)
+kernel_read_system_state(dbskkd_t)
+kernel_read_network_state(dbskkd_t)
+
+corenet_all_recvfrom_unlabeled(dbskkd_t)
+corenet_all_recvfrom_netlabel(dbskkd_t)
+corenet_tcp_sendrecv_generic_if(dbskkd_t)
+corenet_udp_sendrecv_generic_if(dbskkd_t)
+corenet_tcp_sendrecv_generic_node(dbskkd_t)
+corenet_udp_sendrecv_generic_node(dbskkd_t)
+corenet_tcp_sendrecv_all_ports(dbskkd_t)
+corenet_udp_sendrecv_all_ports(dbskkd_t)
+
+dev_read_urand(dbskkd_t)
+
+fs_getattr_xattr_fs(dbskkd_t)
+
+files_read_etc_files(dbskkd_t)
+
+auth_use_nsswitch(dbskkd_t)
+
+logging_send_syslog_msg(dbskkd_t)
+
+miscfiles_read_localization(dbskkd_t)
diff --git a/dbus.fc b/dbus.fc
new file mode 100644
index 0000000..81eba14
--- /dev/null
+++ b/dbus.fc
@@ -0,0 +1,17 @@
+/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+
+/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+
+/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+
+ifdef(`distro_redhat',`
+/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
new file mode 100644
index 0000000..1a1becd
--- /dev/null
+++ b/dbus.if
@@ -0,0 +1,500 @@
+## Desktop messaging bus
+
+########################################
+##
+## DBUS stub interface. No access allowed.
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`dbus_stub',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus all_dbus_perms;
+ ')
+')
+
+########################################
+##
+## Role access for dbus
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+template(`dbus_role_template',`
+ gen_require(`
+ class dbus { send_msg acquire_svc };
+
+ attribute session_bus_type;
+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+ ')
+
+ ##############################
+ #
+ # Delcarations
+ #
+
+ type $1_dbusd_t, session_bus_type;
+ domain_type($1_dbusd_t)
+ domain_entry_file($1_dbusd_t, dbusd_exec_t)
+ ubac_constrained($1_dbusd_t)
+ role $2 types $1_dbusd_t;
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ allow $1_dbusd_t self:process { getattr sigkill signal };
+ dontaudit $1_dbusd_t self:process ptrace;
+ allow $1_dbusd_t self:file { getattr read write };
+ allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
+ allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+ allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+ allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
+ allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+
+ # For connecting to the bus
+ allow $3 $1_dbusd_t:unix_stream_socket connectto;
+
+ # SE-DBus specific permissions
+ allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+
+ allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
+ read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+ read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+
+ manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+ manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+ files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
+
+ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+ allow $3 $1_dbusd_t:process { signull sigkill signal };
+
+ # cjp: this seems very broken
+ corecmd_bin_domtrans($1_dbusd_t, $3)
+ allow $1_dbusd_t $3:process sigkill;
+ allow $3 $1_dbusd_t:fd use;
+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+ allow $3 $1_dbusd_t:process sigchld;
+
+ kernel_read_system_state($1_dbusd_t)
+ kernel_read_kernel_sysctls($1_dbusd_t)
+
+ corecmd_list_bin($1_dbusd_t)
+ corecmd_read_bin_symlinks($1_dbusd_t)
+ corecmd_read_bin_files($1_dbusd_t)
+ corecmd_read_bin_pipes($1_dbusd_t)
+ corecmd_read_bin_sockets($1_dbusd_t)
+
+ corenet_all_recvfrom_unlabeled($1_dbusd_t)
+ corenet_all_recvfrom_netlabel($1_dbusd_t)
+ corenet_tcp_sendrecv_generic_if($1_dbusd_t)
+ corenet_tcp_sendrecv_generic_node($1_dbusd_t)
+ corenet_tcp_sendrecv_all_ports($1_dbusd_t)
+ corenet_tcp_bind_generic_node($1_dbusd_t)
+ corenet_tcp_bind_reserved_port($1_dbusd_t)
+
+ dev_read_urand($1_dbusd_t)
+
+ domain_use_interactive_fds($1_dbusd_t)
+ domain_read_all_domains_state($1_dbusd_t)
+
+ files_read_etc_files($1_dbusd_t)
+ files_list_home($1_dbusd_t)
+ files_read_usr_files($1_dbusd_t)
+ files_dontaudit_search_var($1_dbusd_t)
+
+ fs_getattr_romfs($1_dbusd_t)
+ fs_getattr_xattr_fs($1_dbusd_t)
+ fs_list_inotifyfs($1_dbusd_t)
+ fs_dontaudit_list_nfs($1_dbusd_t)
+
+ selinux_get_fs_mount($1_dbusd_t)
+ selinux_validate_context($1_dbusd_t)
+ selinux_compute_access_vector($1_dbusd_t)
+ selinux_compute_create_context($1_dbusd_t)
+ selinux_compute_relabel_context($1_dbusd_t)
+ selinux_compute_user_contexts($1_dbusd_t)
+
+ auth_read_pam_console_data($1_dbusd_t)
+ auth_use_nsswitch($1_dbusd_t)
+
+ logging_send_audit_msgs($1_dbusd_t)
+ logging_send_syslog_msg($1_dbusd_t)
+
+ miscfiles_read_localization($1_dbusd_t)
+
+ seutil_read_config($1_dbusd_t)
+ seutil_read_default_contexts($1_dbusd_t)
+
+ term_use_all_terms($1_dbusd_t)
+
+ userdom_read_user_home_content_files($1_dbusd_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+ ')
+
+ optional_policy(`
+ hal_dbus_chat($1_dbusd_t)
+ ')
+
+ optional_policy(`
+ xserver_use_xdm_fds($1_dbusd_t)
+ xserver_rw_xdm_pipes($1_dbusd_t)
+ ')
+')
+
+#######################################
+##
+## Template for creating connections to
+## the system DBUS.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_system_bus_client',`
+ gen_require(`
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ class dbus send_msg;
+ ')
+
+ # SE-DBus specific permissions
+ allow $1 { system_dbusd_t self }:dbus send_msg;
+ allow system_dbusd_t $1:dbus send_msg;
+
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
+
+ # For connecting to the bus
+ files_search_pids($1)
+ stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
+ dbus_read_config($1)
+')
+
+#######################################
+##
+## Template for creating connections to
+## a user DBUS.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_session_bus_client',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+ # SE-DBus specific permissions
+ allow $1 { session_bus_type self }:dbus send_msg;
+
+ # For connecting to the bus
+ allow $1 session_bus_type:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Send a message the session DBUS.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_send_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+ allow $1 session_bus_type:dbus send_msg;
+')
+
+########################################
+##
+## Read dbus configuration.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_read_config',`
+ gen_require(`
+ type dbusd_etc_t;
+ ')
+
+ allow $1 dbusd_etc_t:dir list_dir_perms;
+ allow $1 dbusd_etc_t:file read_file_perms;
+')
+
+########################################
+##
+## Read system dbus lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_read_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## system dbus lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_manage_lib_files',`
+ gen_require(`
+ type system_dbusd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
+########################################
+##
+## Connect to the system DBUS
+## for service (acquire_svc).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_connect_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 session_bus_type:dbus acquire_svc;
+')
+
+########################################
+##
+## Allow a application domain to be started
+## by the session dbus.
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an
+## entry point to this domain.
+##
+##
+#
+interface(`dbus_session_domain',`
+ gen_require(`
+ attribute session_bus_type;
+ ')
+
+ domtrans_pattern(session_bus_type, $2, $1)
+
+ dbus_session_bus_client($1)
+ dbus_connect_session_bus($1)
+')
+
+########################################
+##
+## Connect to the system DBUS
+## for service (acquire_svc).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_connect_system_bus',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus acquire_svc;
+ ')
+
+ allow $1 system_dbusd_t:dbus acquire_svc;
+')
+
+########################################
+##
+## Send a message on the system DBUS.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_send_system_bus',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 system_dbusd_t:dbus send_msg;
+')
+
+########################################
+##
+## Allow unconfined access to the system DBUS.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_system_bus_unconfined',`
+ gen_require(`
+ type system_dbusd_t;
+ class dbus all_dbus_perms;
+ ')
+
+ allow $1 system_dbusd_t:dbus *;
+')
+
+########################################
+##
+## Create a domain for processes
+## which can be started by the system dbus
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+#
+interface(`dbus_system_domain',`
+ gen_require(`
+ type system_dbusd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
+
+ dbus_system_bus_client($1)
+ dbus_connect_system_bus($1)
+
+ ps_process_pattern(system_dbusd_t, $1)
+
+ userdom_read_all_users_state($1)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+ ')
+')
+
+########################################
+##
+## Use and inherit system DBUS file descriptors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_use_system_bus_fds',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+##
+## Dontaudit Read, and write system dbus TCP sockets.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:tcp_socket { read write };
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+##
+## Allow unconfined access to the system DBUS.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_unconfined',`
+ gen_require(`
+ attribute dbusd_unconfined;
+ ')
+
+ typeattribute $1 dbusd_unconfined;
+')
diff --git a/dbus.te b/dbus.te
new file mode 100644
index 0000000..7ef5158
--- /dev/null
+++ b/dbus.te
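Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets` grants access instead of suppressing audit: its body is `allow $1 system_dbusd_t:tcp_socket { read write };` and `allow $1 system_dbusd_t:fd use;`, while the name and the summary (`Dontaudit Read, and write system dbus TCP sockets`) promise a dontaudit, so a caller that only wanted quiet denials silently gets read/write on the system bus's TCP sockets and use of its descriptors. Either change both rules to `dontaudit $1 system_dbusd_t:tcp_socket { read write };` and `dontaudit $1 system_dbusd_t:fd use;`, or rename and redocument the interface as an allow. Two smaller slips in the same hunk: `dbus_connect_session_bus` is summarised as "Connect to the system DBUS" although it grants `acquire_svc` on `session_bus_type`, and `dbus_system_bus_client` requires `type system_dbusd_t, system_dbusd_t;` with the type listed twice.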
@@ -0,0 +1,162 @@
+policy_module(dbus, 1.15.0)
+
+gen_require(`
+ class dbus all_dbus_perms;
+')
+
+##############################
+#
+# Delcarations
+#
+
+attribute dbusd_unconfined;
+attribute session_bus_type;
+
+type dbusd_etc_t;
+files_config_file(dbusd_etc_t)
+
+type dbusd_exec_t;
+corecmd_executable_file(dbusd_exec_t)
+typealias dbusd_exec_t alias system_dbusd_exec_t;
+
+type session_dbusd_tmp_t;
+typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
+typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
+files_tmp_file(session_dbusd_tmp_t)
+ubac_constrained(session_dbusd_tmp_t)
+
+type system_dbusd_t;
+init_system_domain(system_dbusd_t, dbusd_exec_t)
+
+type system_dbusd_tmp_t;
+files_tmp_file(system_dbusd_tmp_t)
+
+type system_dbusd_var_lib_t;
+files_type(system_dbusd_var_lib_t)
+
+type system_dbusd_var_run_t;
+files_pid_file(system_dbusd_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
+')
+
+##############################
+#
+# System bus local policy
+#
+
+# dac_override: /var/run/dbus is owned by messagebus on Debian
+# cjp: dac_override should probably go in a distro_debian
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+dontaudit system_dbusd_t self:capability sys_tty_config;
+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
+allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
+allow system_dbusd_t self:dbus { send_msg acquire_svc };
+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
+# Receive notifications of policy reloads and enforcing status changes.
+allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+
+can_exec(system_dbusd_t, dbusd_exec_t)
+
+allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
+read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+
+manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
+manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+
+read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+
+manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
+
+kernel_read_system_state(system_dbusd_t)
+kernel_read_kernel_sysctls(system_dbusd_t)
+
+dev_read_urand(system_dbusd_t)
+dev_read_sysfs(system_dbusd_t)
+
+fs_getattr_all_fs(system_dbusd_t)
+fs_list_inotifyfs(system_dbusd_t)
+fs_search_auto_mountpoints(system_dbusd_t)
+fs_dontaudit_list_nfs(system_dbusd_t)
+
+mls_fd_use_all_levels(system_dbusd_t)
+mls_rangetrans_target(system_dbusd_t)
+mls_file_read_all_levels(system_dbusd_t)
+mls_socket_write_all_levels(system_dbusd_t)
+mls_socket_read_to_clearance(system_dbusd_t)
+mls_dbus_recv_all_levels(system_dbusd_t)
+
+selinux_get_fs_mount(system_dbusd_t)
+selinux_validate_context(system_dbusd_t)
+selinux_compute_access_vector(system_dbusd_t)
+selinux_compute_create_context(system_dbusd_t)
+selinux_compute_relabel_context(system_dbusd_t)
+selinux_compute_user_contexts(system_dbusd_t)
+
+term_dontaudit_use_console(system_dbusd_t)
+
+auth_use_nsswitch(system_dbusd_t)
+auth_read_pam_console_data(system_dbusd_t)
+
+corecmd_list_bin(system_dbusd_t)
+corecmd_read_bin_pipes(system_dbusd_t)
+corecmd_read_bin_sockets(system_dbusd_t)
+
+domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
+
+files_read_etc_files(system_dbusd_t)
+files_list_home(system_dbusd_t)
+files_read_usr_files(system_dbusd_t)
+
+init_use_fds(system_dbusd_t)
+init_use_script_ptys(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
+
+logging_send_audit_msgs(system_dbusd_t)
+logging_send_syslog_msg(system_dbusd_t)
+
+miscfiles_read_localization(system_dbusd_t)
+miscfiles_read_generic_certs(system_dbusd_t)
+
+seutil_read_config(system_dbusd_t)
+seutil_read_default_contexts(system_dbusd_t)
+seutil_sigchld_newrole(system_dbusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
+userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+
+optional_policy(`
+ bind_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(system_dbusd_t)
+ policykit_domtrans_auth(system_dbusd_t)
+ policykit_search_lib(system_dbusd_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
+')
+
+optional_policy(`
+ udev_read_db(system_dbusd_t)
+')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
diff --git a/dcc.fc b/dcc.fc
new file mode 100644
index 0000000..ecda170
--- /dev/null
+++ b/dcc.fc
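Review bot: The self unix_stream_socket rule in the system bus local policy lists `connectto` twice, `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };`; it compiles, but it reads like a merge leftover and should be `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms };`. `init_domtrans_script(system_dbusd_t)` lets the message bus transition into the init-script domain, which as I read refpolicy is a wide privilege for a bus daemon and carries no comment saying which activation path depends on it; a one-line why-comment such as `# service activation through init scripts — confirm still required` would let the next reviewer decide whether to keep it. The dac_override capability, by contrast, is already justified by the Debian comment above it. The section header typo `Delcarations` is repeated from dbus.if.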
@@ -0,0 +1,21 @@
+/etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
+/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
+
+/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+
+/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
+/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
diff --git a/dcc.if b/dcc.if
new file mode 100644
index 0000000..784753e
--- /dev/null
+++ b/dcc.if
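Review bot: Nothing in this file labels the runtime files dccd_t and dccm_t create, although dcc.te declares `dccd_var_run_t` and `dccm_var_run_t` and transitions into them under /var/run (`files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })`) and /var/run/dcc (`filetrans_pattern(dccm_t, dcc_var_run_t, dccm_var_run_t, { file sock_file })`); after a relabel those objects would fall back to var_run_t or dcc_var_run_t, on which the two daemons hold no manage rules. If the package's paths are known, add patterns for them, e.g. `/var/run/dccd(/.*)? gen_context(system_u:object_r:dccd_var_run_t,s0)` (path constructed from the filetrans rule — confirm against the package). Note also that `/etc/dcc(/.*)?` shares `dcc_var_t` with the writable data directories, which dcc.te's NOTE already acknowledges.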
@@ -0,0 +1,173 @@
+## Distributed checksum clearinghouse spam filtering
+
+########################################
+##
+## Execute cdcc in the cdcc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dcc_domtrans_cdcc',`
+ gen_require(`
+ type cdcc_t, cdcc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cdcc_exec_t, cdcc_t)
+')
+
+########################################
+##
+## Execute cdcc in the cdcc domain, and
+## allow the specified role the cdcc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`dcc_run_cdcc',`
+ gen_require(`
+ type cdcc_t;
+ ')
+
+ dcc_domtrans_cdcc($1)
+ role $2 types cdcc_t;
+')
+
+########################################
+##
+## Execute dcc_client in the dcc_client domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dcc_domtrans_client',`
+ gen_require(`
+ type dcc_client_t, dcc_client_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dcc_client_exec_t, dcc_client_t)
+')
+
+########################################
+##
+## Send a signal to the dcc_client.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dcc_signal_client',`
+ gen_require(`
+ type dcc_client_t;
+ ')
+
+ allow $1 dcc_client_t:process signal;
+')
+
+########################################
+##
+## Execute dcc_client in the dcc_client domain, and
+## allow the specified role the dcc_client domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`dcc_run_client',`
+ gen_require(`
+ type dcc_client_t;
+ ')
+
+ dcc_domtrans_client($1)
+ role $2 types dcc_client_t;
+')
+
+########################################
+##
+## Execute dbclean in the dcc_dbclean domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dcc_domtrans_dbclean',`
+ gen_require(`
+ type dcc_dbclean_t, dcc_dbclean_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dcc_dbclean_exec_t, dcc_dbclean_t)
+')
+
+########################################
+##
+## Execute dbclean in the dcc_dbclean domain, and
+## allow the specified role the dcc_dbclean domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`dcc_run_dbclean',`
+ gen_require(`
+ type dcc_dbclean_t;
+ ')
+
+ dcc_domtrans_dbclean($1)
+ role $2 types dcc_dbclean_t;
+')
+
+########################################
+##
+## Connect to dccifd over a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dcc_stream_connect_dccifd',`
+ gen_require(`
+ type dcc_var_t, dccifd_var_run_t, dccifd_t;
+ ')
+
+ files_search_var($1)
+ stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
+')
diff --git a/dcc.te b/dcc.te
new file mode 100644
index 0000000..ec19ff4
--- /dev/null
+++ b/dcc.te
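Review bot: `dcc_stream_connect_dccifd` names `dcc_var_t` as the socket's parent directory, which matches `/etc/dcc/dccifd` in dcc.fc, but dcc.fc also labels `/var/run/dcc/dccifd` as the dccifd socket and that directory is `dcc_var_run_t`, so a client pointed at the /var/run location would be denied `search` on the directory. Add `dcc_var_run_t` to the `gen_require`, a second `stream_connect_pattern($1, dcc_var_run_t, dccifd_var_run_t, dccifd_t)` next to the existing one, and `files_search_pids($1)` to reach /var/run. Whether dccifd itself can create a correctly labelled socket there is a separate question for dcc.te.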
@@ -0,0 +1,404 @@
+policy_module(dcc, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type cdcc_t;
+type cdcc_exec_t;
+application_domain(cdcc_t, cdcc_exec_t)
+role system_r types cdcc_t;
+
+type cdcc_tmp_t;
+files_tmp_file(cdcc_tmp_t)
+
+type dcc_client_t;
+type dcc_client_exec_t;
+application_domain(dcc_client_t, dcc_client_exec_t)
+role system_r types dcc_client_t;
+
+type dcc_client_map_t;
+files_type(dcc_client_map_t)
+
+type dcc_client_tmp_t;
+files_tmp_file(dcc_client_tmp_t)
+
+type dcc_dbclean_t;
+type dcc_dbclean_exec_t;
+application_domain(dcc_dbclean_t, dcc_dbclean_exec_t)
+role system_r types dcc_dbclean_t;
+
+type dcc_dbclean_tmp_t;
+files_tmp_file(dcc_dbclean_tmp_t)
+
+type dcc_var_t;
+files_type(dcc_var_t)
+
+type dcc_var_run_t;
+files_type(dcc_var_run_t)
+
+type dccd_t;
+type dccd_exec_t;
+init_daemon_domain(dccd_t, dccd_exec_t)
+
+type dccd_tmp_t;
+files_tmp_file(dccd_tmp_t)
+
+type dccd_var_run_t;
+files_pid_file(dccd_var_run_t)
+
+type dccifd_t;
+type dccifd_exec_t;
+init_daemon_domain(dccifd_t, dccifd_exec_t)
+
+type dccifd_tmp_t;
+files_tmp_file(dccifd_tmp_t)
+
+type dccifd_var_run_t;
+files_pid_file(dccifd_var_run_t)
+
+type dccm_t;
+type dccm_exec_t;
+init_daemon_domain(dccm_t, dccm_exec_t)
+
+type dccm_tmp_t;
+files_tmp_file(dccm_tmp_t)
+
+type dccm_var_run_t;
+files_pid_file(dccm_var_run_t)
+
+# NOTE: DCC has writeable files in /etc/dcc that should probably be in
+# /var/lib/dcc. For now this policy supports both directories being
+# writable.
+
+# cjp: dccifd and dccm should be merged, as
+# they have the same rules.
+
+########################################
+#
+# dcc daemon controller local policy
+#
+
+allow cdcc_t self:capability { setuid setgid };
+allow cdcc_t self:unix_dgram_socket create_socket_perms;
+allow cdcc_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
+manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
+files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
+
+allow cdcc_t dcc_client_map_t:file rw_file_perms;
+
+# Access files in /var/dcc. The map file can be updated
+allow cdcc_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+
+corenet_all_recvfrom_unlabeled(cdcc_t)
+corenet_all_recvfrom_netlabel(cdcc_t)
+corenet_udp_sendrecv_generic_if(cdcc_t)
+corenet_udp_sendrecv_generic_node(cdcc_t)
+corenet_udp_sendrecv_all_ports(cdcc_t)
+
+files_read_etc_files(cdcc_t)
+files_read_etc_runtime_files(cdcc_t)
+
+auth_use_nsswitch(cdcc_t)
+
+logging_send_syslog_msg(cdcc_t)
+
+miscfiles_read_localization(cdcc_t)
+
+userdom_use_user_terminals(cdcc_t)
+
+########################################
+#
+# dcc procmail interface local policy
+#
+
+allow dcc_client_t self:capability { setuid setgid };
+allow dcc_client_t self:unix_dgram_socket create_socket_perms;
+allow dcc_client_t self:udp_socket create_socket_perms;
+
+allow dcc_client_t dcc_client_map_t:file rw_file_perms;
+
+manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
+manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
+files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
+
+# Access files in /var/dcc. The map file can be updated
+allow dcc_client_t dcc_var_t:dir list_dir_perms;
+manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+
+kernel_read_system_state(dcc_client_t)
+
+corenet_all_recvfrom_unlabeled(dcc_client_t)
+corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_sendrecv_generic_if(dcc_client_t)
+corenet_udp_sendrecv_generic_node(dcc_client_t)
+corenet_udp_sendrecv_all_ports(dcc_client_t)
+corenet_udp_bind_generic_node(dcc_client_t)
+
+files_read_etc_files(dcc_client_t)
+files_read_etc_runtime_files(dcc_client_t)
+
+fs_getattr_all_fs(dcc_client_t)
+
+auth_use_nsswitch(dcc_client_t)
+
+logging_send_syslog_msg(dcc_client_t)
+
+miscfiles_read_localization(dcc_client_t)
+
+userdom_use_user_terminals(dcc_client_t)
+
+optional_policy(`
+ amavis_read_spool_files(dcc_client_t)
+')
+
+optional_policy(`
+ spamassassin_read_spamd_tmp_files(dcc_client_t)
+')
+
+########################################
+#
+# Database cleanup tool local policy
+#
+
+allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms;
+allow dcc_dbclean_t self:udp_socket create_socket_perms;
+
+allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
+
+manage_dirs_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
+manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
+files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
+
+manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+
+kernel_read_system_state(dcc_dbclean_t)
+
+corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
+corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
+files_read_etc_files(dcc_dbclean_t)
+files_read_etc_runtime_files(dcc_dbclean_t)
+
+auth_use_nsswitch(dcc_dbclean_t)
+
+logging_send_syslog_msg(dcc_dbclean_t)
+
+miscfiles_read_localization(dcc_dbclean_t)
+
+userdom_use_user_terminals(dcc_dbclean_t)
+
+########################################
+#
+# Server daemon local policy
+#
+
+allow dccd_t self:capability net_admin;
+dontaudit dccd_t self:capability sys_tty_config;
+allow dccd_t self:process signal_perms;
+allow dccd_t self:unix_stream_socket create_socket_perms;
+allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow dccd_t self:udp_socket create_socket_perms;
+
+allow dccd_t dcc_client_map_t:file rw_file_perms;
+
+# Access files in /var/dcc. The map file can be updated
+allow dccd_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+
+# Runs the dbclean program
+domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
+corecmd_search_bin(dccd_t)
+
+# Updating dcc_db, flod, ...
+manage_dirs_pattern(dccd_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
+
+manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
+manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
+files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
+
+manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
+manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
+files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
+
+kernel_read_system_state(dccd_t)
+kernel_read_kernel_sysctls(dccd_t)
+
+corenet_all_recvfrom_unlabeled(dccd_t)
+corenet_all_recvfrom_netlabel(dccd_t)
+corenet_udp_sendrecv_generic_if(dccd_t)
+corenet_udp_sendrecv_generic_node(dccd_t)
+corenet_udp_sendrecv_all_ports(dccd_t)
+corenet_udp_bind_generic_node(dccd_t)
+corenet_udp_bind_dcc_port(dccd_t)
+corenet_sendrecv_dcc_server_packets(dccd_t)
+
+dev_read_sysfs(dccd_t)
+
+domain_use_interactive_fds(dccd_t)
+
+files_read_etc_files(dccd_t)
+files_read_etc_runtime_files(dccd_t)
+
+fs_getattr_all_fs(dccd_t)
+fs_search_auto_mountpoints(dccd_t)
+
+auth_use_nsswitch(dccd_t)
+
+logging_send_syslog_msg(dccd_t)
+
+miscfiles_read_localization(dccd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccd_t)
+userdom_dontaudit_search_user_home_dirs(dccd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dccd_t)
+')
+
+optional_policy(`
+ udev_read_db(dccd_t)
+')
+
+########################################
+#
+# Spamassassin and general MTA persistent client local policy
+#
+
+dontaudit dccifd_t self:capability sys_tty_config;
+allow dccifd_t self:process signal_perms;
+allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
+allow dccifd_t self:unix_dgram_socket create_socket_perms;
+allow dccifd_t self:udp_socket create_socket_perms;
+
+allow dccifd_t dcc_client_map_t:file rw_file_perms;
+
+# Updating dcc_db, flod, ...
+manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_fifo_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+manage_sock_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
+
+manage_dirs_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
+manage_files_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
+files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
+
+manage_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t)
+manage_sock_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t)
+filetrans_pattern(dccifd_t, dcc_var_t, dccifd_var_run_t, { file sock_file })
+files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
+
+kernel_read_system_state(dccifd_t)
+kernel_read_kernel_sysctls(dccifd_t)
+
+corenet_all_recvfrom_unlabeled(dccifd_t)
+corenet_all_recvfrom_netlabel(dccifd_t)
+corenet_udp_sendrecv_generic_if(dccifd_t)
+corenet_udp_sendrecv_generic_node(dccifd_t)
+corenet_udp_sendrecv_all_ports(dccifd_t)
+
+dev_read_sysfs(dccifd_t)
+
+domain_use_interactive_fds(dccifd_t)
+
+files_read_etc_files(dccifd_t)
+files_read_etc_runtime_files(dccifd_t)
+
+fs_getattr_all_fs(dccifd_t)
+fs_search_auto_mountpoints(dccifd_t)
+
+auth_use_nsswitch(dccifd_t)
+
+logging_send_syslog_msg(dccifd_t)
+
+miscfiles_read_localization(dccifd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
+userdom_dontaudit_search_user_home_dirs(dccifd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dccifd_t)
+')
+
+optional_policy(`
+ udev_read_db(dccifd_t)
+')
+
+########################################
+#
+# sendmail milter client local policy
+#
+
+dontaudit dccm_t self:capability sys_tty_config;
+allow dccm_t self:process signal_perms;
+allow dccm_t self:unix_stream_socket create_stream_socket_perms;
+allow dccm_t self:unix_dgram_socket create_socket_perms;
+allow dccm_t self:udp_socket create_socket_perms;
+
+allow dccm_t dcc_client_map_t:file rw_file_perms;
+
+manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_fifo_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+manage_sock_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
+
+manage_dirs_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
+manage_files_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
+files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
+
+manage_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t)
+manage_sock_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t)
+filetrans_pattern(dccm_t, dcc_var_run_t, dccm_var_run_t, { file sock_file })
+files_pid_filetrans(dccm_t, dccm_var_run_t, file)
+
+kernel_read_system_state(dccm_t)
+kernel_read_kernel_sysctls(dccm_t)
+
+corenet_all_recvfrom_unlabeled(dccm_t)
+corenet_all_recvfrom_netlabel(dccm_t)
+corenet_udp_sendrecv_generic_if(dccm_t)
+corenet_udp_sendrecv_generic_node(dccm_t)
+corenet_udp_sendrecv_all_ports(dccm_t)
+
+dev_read_sysfs(dccm_t)
+
+domain_use_interactive_fds(dccm_t)
+
+files_read_etc_files(dccm_t)
+files_read_etc_runtime_files(dccm_t)
+
+fs_getattr_all_fs(dccm_t)
+fs_search_auto_mountpoints(dccm_t)
+
+auth_use_nsswitch(dccm_t)
+
+logging_send_syslog_msg(dccm_t)
+
+miscfiles_read_localization(dccm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccm_t)
+userdom_dontaudit_search_user_home_dirs(dccm_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dccm_t)
+')
+
+optional_policy(`
+ udev_read_db(dccm_t)
+')
diff --git a/ddclient.fc b/ddclient.fc
new file mode 100644
index 0000000..083c135
--- /dev/null
+++ b/ddclient.fc
@@ -0,0 +1,12 @@
+/etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
+/etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
+/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
+
+/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+
+/var/cache/ddclient(/.*)? gen_context(system_u:object_r:ddclient_var_t,s0)
+/var/lib/ddt-client(/.*)? gen_context(system_u:object_r:ddclient_var_lib_t,s0)
+/var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0)
+/var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
+/var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
diff --git a/ddclient.if b/ddclient.if
new file mode 100644
index 0000000..0a1a61b
--- /dev/null
+++ b/ddclient.if
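Review bot: `manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` in the procmail-interface section contradicts the comment above it (`# Access files in /var/dcc. The map file can be updated`): the map file has its own type, `dcc_client_map_t`, on which dcc_client_t already has `rw_file_perms`, and cdcc_t gets only `read_files_pattern` on `dcc_var_t`, which per dcc.fc also covers `/etc/dcc`; as written, the per-message client can create and rewrite the daemons' configuration, so `read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` looks like the intended rule. Two consistency issues in the daemon sections: dccifd_t's `filetrans_pattern(dccifd_t, dcc_var_t, dccifd_var_run_t, { file sock_file })` only covers a socket created under a `dcc_var_t` directory, whereas dcc.fc also expects `/var/run/dcc/dccifd` and dccm_t uses `dcc_var_run_t` for the same purpose, so dccifd cannot create a correctly labelled socket there; and `dcc_var_run_t` is declared with `files_type` although it labels `/var/run/dcc`, where `files_pid_file(dcc_var_run_t)` is the refpolicy convention and would let the generic pid-directory interfaces apply to it. `allow dccd_t self:capability net_admin;` also has no why-comment, unlike the rules around it.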
@@ -0,0 +1,93 @@
+## Update dynamic IP address at DynDNS.org
+
+#######################################
+##
+## Execute ddclient in the ddclient domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ddclient_domtrans',`
+ gen_require(`
+ type ddclient_t, ddclient_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ddclient_exec_t, ddclient_t)
+')
+
+########################################
+##
+## Execute ddclient daemon on behalf of a user or staff type.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`ddclient_run',`
+ gen_require(`
+ type ddclient_t;
+ ')
+
+ ddclient_domtrans($1)
+ role $2 types ddclient_t;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ddclient environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the ddclient domain.
+##
+##
+##
+#
+interface(`ddclient_admin',`
+ gen_require(`
+ type ddclient_t, ddclient_etc_t, ddclient_log_t;
+ type ddclient_var_t, ddclient_var_lib_t;
+ type ddclient_var_run_t, ddclient_initrc_exec_t;
+ ')
+
+ allow $1 ddclient_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ddclient_t)
+
+ init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ddclient_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, ddclient_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ddclient_log_t)
+
+ files_list_var($1)
+ admin_pattern($1, ddclient_var_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, ddclient_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ddclient_var_run_t)
+')
diff --git a/ddclient.te b/ddclient.te
new file mode 100644
index 0000000..24ba98a
--- /dev/null
+++ b/ddclient.te
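Review bot: The summary of `ddclient_admin` reads "an ddclient environment"; the article should be "a", and the same wording recurs in the admin interface summaries of denyhosts.if, devicekit.if, dhcp.if and dictd.if in this commit. The summary of `ddclient_run` only says "on behalf of a user or staff type" and does not mention that the role is also granted the domain; wording like `## Execute ddclient in the ddclient domain, and allow the specified role the ddclient domain.` would match `ddcprobe_run` in this same commit and describe the `role $2 types ddclient_t;` line it contains.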
@@ -0,0 +1,108 @@
+policy_module(ddclient, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type ddclient_t;
+type ddclient_exec_t;
+init_daemon_domain(ddclient_t, ddclient_exec_t)
+
+type ddclient_etc_t;
+files_config_file(ddclient_etc_t)
+
+type ddclient_initrc_exec_t;
+init_script_file(ddclient_initrc_exec_t)
+
+type ddclient_log_t;
+logging_log_file(ddclient_log_t)
+
+type ddclient_var_t;
+files_type(ddclient_var_t)
+
+type ddclient_var_lib_t;
+files_type(ddclient_var_lib_t)
+
+type ddclient_var_run_t;
+files_pid_file(ddclient_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+dontaudit ddclient_t self:capability sys_tty_config;
+allow ddclient_t self:process signal_perms;
+allow ddclient_t self:fifo_file rw_fifo_file_perms;
+allow ddclient_t self:tcp_socket create_socket_perms;
+allow ddclient_t self:udp_socket create_socket_perms;
+
+allow ddclient_t ddclient_etc_t:file read_file_perms;
+
+allow ddclient_t ddclient_log_t:file manage_file_perms;
+logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+
+manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_fifo_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+manage_sock_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
+files_var_filetrans(ddclient_t, ddclient_var_t, { file lnk_file sock_file fifo_file })
+
+manage_files_pattern(ddclient_t, ddclient_var_lib_t, ddclient_var_lib_t)
+files_var_lib_filetrans(ddclient_t, ddclient_var_lib_t, file)
+
+manage_files_pattern(ddclient_t, ddclient_var_run_t, ddclient_var_run_t)
+files_pid_filetrans(ddclient_t, ddclient_var_run_t, file)
+
+kernel_read_system_state(ddclient_t)
+kernel_read_network_state(ddclient_t)
+kernel_read_software_raid_state(ddclient_t)
+kernel_getattr_core_if(ddclient_t)
+kernel_getattr_message_if(ddclient_t)
+kernel_read_kernel_sysctls(ddclient_t)
+
+corecmd_exec_shell(ddclient_t)
+corecmd_exec_bin(ddclient_t)
+
+corenet_all_recvfrom_unlabeled(ddclient_t)
+corenet_all_recvfrom_netlabel(ddclient_t)
+corenet_tcp_sendrecv_generic_if(ddclient_t)
+corenet_udp_sendrecv_generic_if(ddclient_t)
+corenet_tcp_sendrecv_generic_node(ddclient_t)
+corenet_udp_sendrecv_generic_node(ddclient_t)
+corenet_tcp_sendrecv_all_ports(ddclient_t)
+corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_connect_all_ports(ddclient_t)
+corenet_sendrecv_all_client_packets(ddclient_t)
+
+dev_read_sysfs(ddclient_t)
+dev_read_urand(ddclient_t)
+
+domain_use_interactive_fds(ddclient_t)
+
+files_read_etc_files(ddclient_t)
+files_read_etc_runtime_files(ddclient_t)
+files_read_usr_files(ddclient_t)
+
+fs_getattr_all_fs(ddclient_t)
+fs_search_auto_mountpoints(ddclient_t)
+
+logging_send_syslog_msg(ddclient_t)
+
+miscfiles_read_localization(ddclient_t)
+
+sysnet_exec_ifconfig(ddclient_t)
+sysnet_read_config(ddclient_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
+userdom_dontaudit_search_user_home_dirs(ddclient_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(ddclient_t)
+')
+
+optional_policy(`
+ udev_read_db(ddclient_t)
+')
diff --git a/ddcprobe.fc b/ddcprobe.fc
new file mode 100644
index 0000000..49e6a25
--- /dev/null
+++ b/ddcprobe.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)
diff --git a/ddcprobe.if b/ddcprobe.if
new file mode 100644
index 0000000..9868652
--- /dev/null
+++ b/ddcprobe.if
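Review bot: The second section header of ddclient.te, the one directly above `dontaudit ddclient_t self:capability sys_tty_config;`, repeats `# Declarations` although it introduces the allow rules; it should read `# Local policy`, as the equivalent section does in ddcprobe.te, dhcp.te and dictd.te of this same commit. Separately, `corenet_tcp_connect_all_ports(ddclient_t)` lets a daemon whose purpose is to contact one update service open TCP connections to any port on any host. If the broad grant is intentional because the update URL and port are configurable, a one-line comment above it saying so would help the next auditor; otherwise a port-specific connect interface would be the least-privilege choice.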
@@ -0,0 +1,45 @@
+## ddcprobe retrieves monitor and graphics card information
+
+########################################
+##
+## Execute ddcprobe in the ddcprobe domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ddcprobe_domtrans',`
+ gen_require(`
+ type ddcprobe_t, ddcprobe_exec_t;
+ ')
+
+ domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t)
+')
+
+########################################
+##
+## Execute ddcprobe in the ddcprobe domain, and
+## allow the specified role the ddcprobe domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role to be authenticated for ddcprobe domain.
+##
+##
+##
+#
+interface(`ddcprobe_run',`
+ gen_require(`
+ type ddcprobe_t;
+ ')
+
+ ddcprobe_domtrans($1)
+ role $2 types ddcprobe_t;
+')
diff --git a/ddcprobe.te b/ddcprobe.te
new file mode 100644
index 0000000..5e062bc
--- /dev/null
+++ b/ddcprobe.te
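Review bot: `ddcprobe_domtrans` calls `domtrans_pattern` without a preceding `corecmd_search_bin($1)`, whereas `ddclient_domtrans` and `dhcpd_domtrans` in this same commit include it; since ddcprobe.fc labels the binary under /usr/sbin, a caller that cannot already search the bin directories will be denied before the transition ever happens. `denyhosts_domtrans` and `devicekit_domtrans` have the same omission (the devicekit executables live under /usr/libexec, which is presumably covered by the same search interface). Adding `corecmd_search_bin($1)` above the `domtrans_pattern` line in each of the three keeps them consistent with the rest of the commit.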
@@ -0,0 +1,51 @@
+policy_module(ddcprobe, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type ddcprobe_t;
+type ddcprobe_exec_t;
+application_domain(ddcprobe_t, ddcprobe_exec_t)
+role system_r types ddcprobe_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ddcprobe_t self:capability { sys_rawio sys_admin };
+allow ddcprobe_t self:process execmem;
+
+kernel_read_system_state(ddcprobe_t)
+kernel_read_kernel_sysctls(ddcprobe_t)
+kernel_change_ring_buffer_level(ddcprobe_t)
+
+files_search_kernel_modules(ddcprobe_t)
+
+corecmd_list_bin(ddcprobe_t)
+corecmd_exec_bin(ddcprobe_t)
+
+dev_read_urand(ddcprobe_t)
+dev_read_raw_memory(ddcprobe_t)
+dev_wx_raw_memory(ddcprobe_t)
+
+files_read_etc_files(ddcprobe_t)
+files_read_etc_runtime_files(ddcprobe_t)
+files_read_usr_files(ddcprobe_t)
+
+term_use_all_ttys(ddcprobe_t)
+term_use_all_ptys(ddcprobe_t)
+
+libs_read_lib_files(ddcprobe_t)
+
+miscfiles_read_localization(ddcprobe_t)
+
+modutils_read_module_deps(ddcprobe_t)
+
+userdom_use_user_terminals(ddcprobe_t)
+userdom_use_all_users_fds(ddcprobe_t)
+
+#reh why? this does not seem even necessary to function properly
+kudzu_getattr_exec_files(ddcprobe_t)
diff --git a/denyhosts.fc b/denyhosts.fc
new file mode 100644
index 0000000..257fef6
--- /dev/null
+++ b/denyhosts.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0)
+
+/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t,s0)
+
+/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
+/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0)
diff --git a/denyhosts.if b/denyhosts.if
new file mode 100644
index 0000000..567865f
--- /dev/null
+++ b/denyhosts.if
@@ -0,0 +1,85 @@
+## DenyHosts SSH dictionary attack mitigation
+##
+##
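Review bot: `kudzu_getattr_exec_files(ddcprobe_t)` at the end of ddcprobe.te is a call into another module that is not wrapped in `optional_policy(`...')`, unlike the other calls into optional modules in this commit (`udev_read_db`, `seutil_sigchld_newrole`, and so on), so the module will fail to link on any build where kudzu is absent; the `#reh why?` comment directly above it already doubts the rule is needed, so either drop the line or wrap it. The domain is also unusually powerful for something `ddcprobe_run` hands to user roles: `sys_rawio`, `sys_admin`, `execmem`, `dev_read_raw_memory` and `dev_wx_raw_memory` together appear to allow reading and writing raw system memory, and none of those lines carries a comment saying which probe step requires it. A short why-comment on each of them would let a later maintainer judge whether any can be narrowed.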

+## DenyHosts is a script intended to be run by Linux
+## system administrators to help thwart SSH server attacks
+## (also known as dictionary based attacks and brute force
+## attacks).
+##

+##
+
+########################################
+##
+## Execute a domain transition to run denyhosts.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`denyhosts_domtrans', `
+ gen_require(`
+ type denyhosts_t, denyhosts_exec_t;
+ ')
+
+ domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
+')
+
+########################################
+##
+## Execute denyhost server in the denyhost domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`denyhosts_initrc_domtrans', `
+ gen_require(`
+ type denyhosts_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an denyhosts environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`denyhosts_admin', `
+ gen_require(`
+ type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
+ type denyhosts_var_log_t, denyhosts_initrc_exec_t;
+ ')
+
+ allow $1 denyhosts_t:process { ptrace signal_perms };
+ ps_process_pattern($1, denyhosts_t)
+
+ denyhosts_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 denyhosts_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, denyhosts_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, denyhosts_var_log_t)
+
+ files_search_locks($1)
+ admin_pattern($1, denyhosts_var_lock_t)
+')
diff --git a/denyhosts.te b/denyhosts.te
new file mode 100644
index 0000000..8ba9425
--- /dev/null
+++ b/denyhosts.te
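Review bot: The three `interface(` lines in denyhosts.if put a space between the closing quote and the opening backtick, `interface(`denyhosts_domtrans', `` and likewise for `denyhosts_initrc_domtrans` and `denyhosts_admin`, whereas every other .if file in this commit writes `interface(`name',``; m4 accepts both, but the file stands out and will be touched again the next time someone normalises formatting. The summary of `denyhosts_initrc_domtrans` also spells the daemon "denyhost" twice where the module is named denyhosts everywhere else.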
@@ -0,0 +1,72 @@
+policy_module(denyhosts, 1.0.0)
+
+########################################
+#
+# DenyHosts personal declarations.
+#
+
+type denyhosts_t;
+type denyhosts_exec_t;
+init_daemon_domain(denyhosts_t, denyhosts_exec_t)
+
+type denyhosts_initrc_exec_t;
+init_script_file(denyhosts_initrc_exec_t)
+
+type denyhosts_var_lib_t;
+files_type(denyhosts_var_lib_t)
+
+type denyhosts_var_lock_t;
+files_lock_file(denyhosts_var_lock_t)
+
+type denyhosts_var_log_t;
+logging_log_file(denyhosts_var_log_t)
+
+########################################
+#
+# DenyHosts personal policy.
+#
+
+allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
+allow denyhosts_t self:tcp_socket create_socket_perms;
+allow denyhosts_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
+files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)
+
+manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file })
+
+append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+
+kernel_read_system_state(denyhosts_t)
+
+corecmd_exec_bin(denyhosts_t)
+
+corenet_all_recvfrom_unlabeled(denyhosts_t)
+corenet_all_recvfrom_netlabel(denyhosts_t)
+corenet_tcp_sendrecv_generic_if(denyhosts_t)
+corenet_tcp_sendrecv_generic_node(denyhosts_t)
+corenet_tcp_bind_generic_node(denyhosts_t)
+corenet_tcp_connect_smtp_port(denyhosts_t)
+corenet_sendrecv_smtp_client_packets(denyhosts_t)
+
+dev_read_urand(denyhosts_t)
+
+files_read_etc_files(denyhosts_t)
+
+#
/var/log/secure
+logging_read_generic_logs(denyhosts_t)
+
+miscfiles_read_localization(denyhosts_t)
+
+sysnet_manage_config(denyhosts_t)
+sysnet_etc_filetrans_config(denyhosts_t)
+
+optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
+')
diff --git a/devicekit.fc b/devicekit.fc
new file mode 100644
index 0000000..418a5a0
--- /dev/null
+++ b/devicekit.fc
@@ -0,0 +1,14 @@
+/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
+/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+
+/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+
+/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/devicekit.if b/devicekit.if
new file mode 100644
index 0000000..f706b99
--- /dev/null
+++ b/devicekit.if
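Review bot: `sysnet_manage_config(denyhosts_t)` together with `sysnet_etc_filetrans_config(denyhosts_t)` gives the daemon create, write and delete on every file carrying the network configuration type, not just the hosts.deny file it maintains, and nothing in the hunk records that this trade-off is deliberate. If refpolicy has no narrower type for hosts.deny, a comment above the two lines such as `# denyhosts rewrites /etc/hosts.deny, which shares the generic network config type` would tell the next reader why the broad grant exists. `corenet_tcp_bind_generic_node(denyhosts_t)` is also granted with no accompanying port bind interface, so it is unclear which listening socket it serves; if the only network activity is the SMTP client path granted just below it, the bind rule is probably unnecessary.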
@@ -0,0 +1,185 @@
+## Devicekit modular hardware abstraction layer
+
+########################################
+##
+## Execute a domain transition to run devicekit.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`devicekit_domtrans',`
+ gen_require(`
+ type devicekit_t, devicekit_exec_t;
+ ')
+
+ domtrans_pattern($1, devicekit_exec_t, devicekit_t)
+')
+
+########################################
+##
+## Send to devicekit over a unix domain
+## datagram socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dgram_send',`
+ gen_require(`
+ type devicekit_t;
+ ')
+
+ allow $1 devicekit_t:unix_dgram_socket sendto;
+')
+
+########################################
+##
+## Send and receive messages from
+## devicekit over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dbus_chat',`
+ gen_require(`
+ type devicekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_t:dbus send_msg;
+ allow devicekit_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## devicekit disk over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dbus_chat_disk',`
+ gen_require(`
+ type devicekit_disk_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_disk_t:dbus send_msg;
+ allow devicekit_disk_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Send signal devicekit power
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_signal_power',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ allow $1 devicekit_power_t:process signal;
+')
+
+########################################
+##
+## Send and receive messages from
+## devicekit power over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dbus_chat_power',`
+ gen_require(`
+ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+ allow devicekit_power_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Read devicekit PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_read_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an devicekit environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the devicekit domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`devicekit_admin',`
+ gen_require(`
+ type devicekit_t, devicekit_disk_t, devicekit_power_t;
+ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ ')
+
+ allow $1 devicekit_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, devicekit_t)
+
+ allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, devicekit_disk_t)
+
+ allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, devicekit_power_t)
+
+ admin_pattern($1, devicekit_tmp_t)
+ files_search_tmp($1)
+
+ admin_pattern($1, devicekit_var_lib_t)
+ files_search_var_lib($1)
+
+ admin_pattern($1, devicekit_var_run_t)
+ files_search_pids($1)
+')
diff --git a/devicekit.te b/devicekit.te
new file mode 100644
index 0000000..f231f17
--- /dev/null
+++ b/devicekit.te
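Review bot: The documentation block of `devicekit_admin` describes a third parameter ("The type of the user terminal"), but the interface body uses only `$1` and `$2`, so the generated interface documentation promises an argument that is never consumed; either remove that parameter block or, if a terminal type is meant to be used, add the rule that consumes `$3`. In the same interface the `getattr` in `{ ptrace signal_perms getattr }` appears to be already covered by the `ps_process_pattern` call that follows each of the three `allow` lines, so they could use the `{ ptrace signal_perms }` form that every other admin interface in this commit uses.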
@@ -0,0 +1,284 @@
+policy_module(devicekit, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type devicekit_t;
+type devicekit_exec_t;
+dbus_system_domain(devicekit_t, devicekit_exec_t)
+
+type devicekit_power_t;
+type devicekit_power_exec_t;
+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+
+type devicekit_disk_t;
+type devicekit_disk_exec_t;
+dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+
+type devicekit_tmp_t;
+files_tmp_file(devicekit_tmp_t)
+
+type devicekit_var_run_t;
+files_pid_file(devicekit_var_run_t)
+
+type devicekit_var_lib_t;
+files_type(devicekit_var_lib_t)
+
+########################################
+#
+# DeviceKit local policy
+#
+
+allow devicekit_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir })
+
+kernel_read_system_state(devicekit_t)
+
+dev_read_sysfs(devicekit_t)
+dev_read_urand(devicekit_t)
+
+files_read_etc_files(devicekit_t)
+
+miscfiles_read_localization(devicekit_t)
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_t)
+
+ allow devicekit_t devicekit_disk_t:dbus send_msg;
+ allow devicekit_t devicekit_power_t:dbus send_msg;
+')
+
+optional_policy(`
+ udev_read_db(devicekit_t)
+')
+
+########################################
+#
+# DeviceKit disk local policy
+#
+
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:process { getsched signal_perms };
+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir })
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
+
+kernel_getattr_message_if(devicekit_disk_t)
+kernel_read_fs_sysctls(devicekit_disk_t)
+kernel_read_network_state(devicekit_disk_t)
+kernel_read_software_raid_state(devicekit_disk_t)
+kernel_read_system_state(devicekit_disk_t)
+kernel_request_load_module(devicekit_disk_t)
+kernel_setsched(devicekit_disk_t)
+
+corecmd_exec_bin(devicekit_disk_t)
+corecmd_exec_shell(devicekit_disk_t)
+corecmd_getattr_all_executables(devicekit_disk_t)
+
+dev_rw_sysfs(devicekit_disk_t)
+dev_read_urand(devicekit_disk_t)
+dev_getattr_usbfs_dirs(devicekit_disk_t)
+dev_manage_generic_files(devicekit_disk_t)
+dev_getattr_all_chr_files(devicekit_disk_t)
+dev_getattr_mtrr_dev(devicekit_disk_t)
+
+domain_getattr_all_pipes(devicekit_disk_t)
+domain_getattr_all_sockets(devicekit_disk_t)
+domain_getattr_all_stream_sockets(devicekit_disk_t)
+domain_read_all_domains_state(devicekit_disk_t)
+
+files_dontaudit_read_all_symlinks(devicekit_disk_t)
+files_getattr_all_sockets(devicekit_disk_t)
+files_getattr_all_mountpoints(devicekit_disk_t)
+files_getattr_all_files(devicekit_disk_t)
+files_manage_isid_type_dirs(devicekit_disk_t)
+files_manage_mnt_dirs(devicekit_disk_t)
+files_read_etc_files(devicekit_disk_t)
+files_read_etc_runtime_files(devicekit_disk_t)
+files_read_usr_files(devicekit_disk_t)
+
+fs_list_inotifyfs(devicekit_disk_t)
+fs_manage_fusefs_dirs(devicekit_disk_t)
+fs_mount_all_fs(devicekit_disk_t)
+fs_unmount_all_fs(devicekit_disk_t)
+fs_search_all(devicekit_disk_t)
+
+mls_file_read_all_levels(devicekit_disk_t)
+mls_file_write_to_clearance(devicekit_disk_t)
+
+storage_raw_read_fixed_disk(devicekit_disk_t)
+storage_raw_write_fixed_disk(devicekit_disk_t)
+storage_raw_read_removable_device(devicekit_disk_t)
+storage_raw_write_removable_device(devicekit_disk_t)
+
+term_use_all_terms(devicekit_disk_t)
+
+auth_use_nsswitch(devic Hekit_disk_t)
+
+miscfiles_read_localization(devicekit_disk_t)
+
+userdom_read_all_users_state(devicekit_disk_t)
+userdom_search_user_home_dirs(devicekit_disk_t)
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_disk_t)
+
+ allow devicekit_disk_t devicekit_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_disk_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ lvm_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ mount_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(devicekit_disk_t)
+ policykit_domtrans_auth(devicekit_disk_t)
+ policykit_read_lib(devicekit_disk_t)
+ policykit_read_reload(devicekit_disk_t)
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(devicekit_disk_t)
+')
+
+optional_policy(`
+ udev_domtrans(devicekit_disk_t)
+ udev_read_db(devicekit_disk_t)
+')
+
+optional_policy(`
+ virt_manage_images(devicekit_disk_t)
+')
+
+########################################
+#
+# DeviceKit-Power local policy
+#
+
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:process getsched;
+allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+
+kernel_read_network_state(devicekit_power_t)
+kernel_read_system_state(devicekit_power_t)
+kernel_rw_hotplug_sysctls(devicekit_power_t)
+kernel_rw_kernel_sysctl(devicekit_power_t)
+kernel_search_debugfs(devicekit_power_t)
+kernel_write_proc_files(devicekit_power_t)
+
+corecmd_exec_bin(devicekit_power_t)
+corecmd_exec_shell(devicekit_power_t)
+
+consoletype_exec(devicekit_power_t)
+
+domain_read_all_domains_state(devicekit_power_t)
+
+dev_read_input(devicekit_power_t)
+dev_rw_generic_usb_dev(devicekit_power_t)
+dev_rw_generic_chr_files(devicekit_power_t)
+dev_rw_netcontrol(devicekit_power_t)
+dev_rw_sysfs(devicekit_power_t)
+
+files_read_kernel_img(devicekit_power_t)
+files_read_etc_files(devicekit_power_t)
+files_read_usr_files(devicekit_power_t)
+
+fs_list_inotifyfs(devicekit_power_t)
+
+term_use_all_terms(devicekit_power_t)
+
+auth_use_nsswitch(devicekit_power_t)
+
+miscfiles_read_localization(devicekit_power_t)
+
+sysnet_read_config(devicekit_power_t)
+sysnet_domtrans_ifconfig(devicekit_power_t)
+
+userdom_read_all_users_state(devicekit_power_t)
+
+optional_policy(`
+ bootloader_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_power_t)
+
+ allow devicekit_power_t devicekit_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(devicekit_power_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ hal_domtrans_mac(devicekit_power_t)
+ hal_manage_log(devicekit_power_t)
+ hal_manage_pid_dirs(devicekit_power_t)
+ hal_manage_pid_files(devicekit_power_t)
+ hal_dbus_chat(devicekit_power_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(devicekit_power_t)
+ policykit_domtrans_auth(devicekit_power_t)
+
 policykit_read_lib(devicekit_power_t)
+ policykit_read_reload(devicekit_power_t)
+')
+
+optional_policy(`
+ udev_read_db(devicekit_power_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(devicekit_power_t)
+')
diff --git a/dhcp.fc b/dhcp.fc
new file mode 100644
index 0000000..767e0c7
--- /dev/null
+++ b/dhcp.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+
+/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
+/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
+/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
+
+/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/dhcp.if b/dhcp.if
new file mode 100644
index 0000000..5e2cea8
--- /dev/null
+++ b/dhcp.if
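Review bot: The capability set granted to devicekit_disk_t (`chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio`), the MLS overrides `mls_file_read_all_levels` and `mls_file_write_to_clearance`, raw read and write on fixed and removable disks, `fs_mount_all_fs` and `kernel_request_load_module` together make the domain close to unconfined root, yet no line in the "DeviceKit disk local policy" section carries a comment saying which disk-management operation needs it. The same holds for `kernel_write_proc_files` and `kernel_rw_kernel_sysctl` in the DeviceKit-Power section. Brief why-comments on the non-obvious grants (at least `sys_ptrace`, the two `mls_*` lines and `kernel_write_proc_files`) would let a later reviewer judge whether they can be narrowed, and the `hal_manage_log`/`hal_manage_pid_dirs`/`hal_manage_pid_files` block deserves a note explaining why the power daemon must write another daemon's log and pid files.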
@@ -0,0 +1,99 @@
+## Dynamic host configuration protocol (DHCP) server
+
+########################################
+##
+## Transition to dhcpd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dhcpd_domtrans',`
+ gen_require(`
+ type dhcpd_t, dhcpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dhcpd_exec_t, dhcpd_t)
+')
+
+########################################
+##
+## Set the attributes of the DCHP
+## server state files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dhcpd_setattr_state_files',`
+ gen_require(`
+ type dhcpd_state_t;
+ ')
+
+ sysnet_search_dhcp_state($1)
+ allow $1 dhcpd_state_t:file setattr;
+')
+
+########################################
+##
+## Execute dhcp server in the dhcp domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+#
+interface(`dhcpd_initrc_domtrans',`
+ gen_require(`
+ type dhcpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an dhcp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the dhcp domain.
+##
+##
+##
+#
+interface(`dhcpd_admin',`
+ gen_require(`
+ type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
+ type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+ ')
+
+ allow $1 dhcpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dhcpd_t)
+
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dhcpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, dhcpd_tmp_t)
+
+ admin_pattern($1, dhcpd_state_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dhcpd_var_run_t)
+')
diff --git a/dhcp.te b/dhcp.te
new file mode 100644
index 0000000..d4424ad
--- /dev/null
+++ b/dhcp.te
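Review bot: `dhcpd_admin` calls `admin_pattern($1, dhcpd_state_t)` with no preceding search interface, while `dhcpd_setattr_state_files` in the same file pairs its single rule with `sysnet_search_dhcp_state($1)` and every other `admin_pattern` in `dhcpd_admin` is preceded by a `files_list_*` call; as written, an administrator that cannot already search the dhcp state directory under /var/lib will be denied before reaching the state files. Adding `sysnet_search_dhcp_state($1)` directly above that `admin_pattern` line closes the gap. Two style points in the same hunk: the `gen_require` of `dhcpd_admin` puts three statements on one line (`type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;`) where the rest of the commit writes a comma-separated list, and `dhcpd_initrc_domtrans` has a doubled `#` line before its `interface(`. The summary of `dhcpd_setattr_state_files` also spells DHCP as "DCHP".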
@@ -0,0 +1,124 @@
+policy_module(dhcp, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type dhcpd_t;
+type dhcpd_exec_t;
+init_daemon_domain(dhcpd_t, dhcpd_exec_t)
+
+type dhcpd_initrc_exec_t;
+init_script_file(dhcpd_initrc_exec_t)
+
+type dhcpd_state_t;
+files_type(dhcpd_state_t)
+
+type dhcpd_tmp_t;
+files_tmp_file(dhcpd_tmp_t)
+
+type dhcpd_var_run_t;
+files_pid_file(dhcpd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dhcpd_t self:capability { net_raw sys_resource };
+dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+allow dhcpd_t self:process signal_perms;
+allow dhcpd_t self:fifo_file rw_fifo_file_perms;
+allow dhcpd_t self:unix_dgram_socket create_socket_perms;
+allow dhcpd_t self:unix_stream_socket create_socket_perms;
+allow dhcpd_t self:tcp_socket create_stream_socket_perms;
+allow dhcpd_t self:udp_socket create_socket_perms;
+# Allow dhcpd_t to use packet sockets
+allow dhcpd_t self:packet_socket create_socket_perms;
+allow dhcpd_t self:rawip_socket create_socket_perms;
+
+can_exec(dhcpd_t, dhcpd_exec_t)
+
+manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t)
+sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file)
+
+manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
+manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
+files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
+
+manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t)
+files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file)
+
+kernel_read_system_state(dhcpd_t)
+kernel_read_kernel_sysctls(dhcpd_t)
+kernel_read_network_state(dhcpd_t)
+
+corenet_all_recvfrom_unlabeled(dhcpd_t)
+corenet_all_recvfrom_netlabel(dhcpd_t)
+corenet_tcp_sendrecv_generic_if(dhcpd_t)
+corenet_udp_sendrecv_generic_if(dhcpd_t)
+corenet_raw_sendrecv_generic_if(dhcpd_t)
+corenet_tcp_sendrecv_generic_node(dhcpd_t)
+corenet_udp_sendrecv_generic_node(dhcpd_t)
+corenet_raw_sendrecv_generic_node(dhcpd_t)
+corenet_tcp_sendrecv_all_ports(dhcpd_t)
+corenet_udp_sendrecv_all_ports(dhcpd_t)
+corenet_tcp_bind_generic_node(dhcpd_t)
+corenet_udp_bind_generic_node(dhcpd_t)
+corenet_tcp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_pxe_port(dhcpd_t)
+corenet_tcp_connect_all_ports(dhcpd_t)
+corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
+corenet_sendrecv_pxe_server_packets(dhcpd_t)
+corenet_sendrecv_all_client_packets(dhcpd_t)
+
+dev_read_sysfs(dhcpd_t)
+dev_read_rand(dhcpd_t)
+dev_read_urand(dhcpd_t)
+
+fs_getattr_all_fs(dhcpd_t)
+fs_search_auto_mountpoints(dhcpd_t)
+
+corecmd_exec_bin(dhcpd_t)
+
+domain_use_interactive_fds(dhcpd_t)
+
+files_read_etc_files(dhcpd_t)
+files_read_usr_files(dhcpd_t)
+files_read_etc_runtime_files(dhcpd_t)
+files_search_var_lib(dhcpd_t)
+
+auth_use_nsswitch(dhcpd_t)
+
+logging_send_syslog_msg(dhcpd_t)
+
+miscfiles_read_localization(dhcpd_t)
+
+sysnet_read_dhcp_config(dhcpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
+userdom_dontaudit_search_user_home_dirs(dhcpd_t)
+
+ifdef(`distro_gentoo',`
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+')
+
+optional_policy(`
+ # used for dynamic DNS
+ bind_read_dnssec_keys(dhcpd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(dhcpd_t)
+ dbus_connect_system_bus(dhcpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dhcpd_t)
+')
+
+optional_policy(`
+ udev_read_db(dhcpd_t)
+')
diff --git a/dictd.fc b/dictd.fc
new file mode 100644
index 0000000..54f88c8
--- /dev/null
+++ b/dictd.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0)
+
+/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0)
+
+/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
+
+/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
+
+/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
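Review bot: `corenet_tcp_connect_all_ports(dhcpd_t)` lets the DHCP server originate TCP connections to any port, although the only outbound need documented in this hunk is dynamic DNS (the `bind_read_dnssec_keys` block is commented `# used for dynamic DNS`), and there is no comment saying why the unrestricted form was chosen over a port-specific connect interface. If the supported configurations (dynamic DNS updates, possibly failover peers on administrator-chosen ports) genuinely need any port, a one-line comment above that rule recording the reason would keep the next auditor from re-asking. The gentoo-only `ifdef` likewise adds `chown dac_override setgid setuid sys_chroot` with no comment; naming the distro-specific feature that needs them on that line would make the block reviewable.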
diff --git a/dictd.if b/dictd.if
new file mode 100644
index 0000000..a0d23ce
--- /dev/null
+++ b/dictd.if
@@ -0,0 +1,57 @@
+## Dictionary daemon
+
+########################################
+##
+## Use dictionary services by connecting
+## over TCP. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dictd_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an dictd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the dictd domain.
+##
+##
+##
+#
+interface(`dictd_admin',`
+ gen_require(`
+ type dictd_t, dictd_etc_t, dictd_var_lib_t;
+ type dictd_var_run_t, dictd_initrc_exec_t;
+ ')
+
+ allow $1 dictd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dictd_t)
+
+ init_labeled_script_domtrans($1, dictd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dictd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, dictd_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dictd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dictd_var_run_t)
+')
diff --git a/dictd.te b/dictd.te
new file mode 100644
index 0000000..d2d9359
--- /dev/null
+++ b/dictd.te
@@ -0,0 +1,98 @@
+policy_module(dictd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type dictd_t;
+type dictd_exec_t;
+init_daemon_domain(dictd_t, dictd_exec_t)
+
+type dictd_etc_t;
+files_config_file(dictd_etc_t)
+
+type dictd_initrc_exec_t;
+init_script_file(dictd_initrc_exec_t)
+
+type dictd_var_lib_t alias var_lib_dictd_t;
+files_type(dictd_var_lib_t)
+
+type dictd_var_run_t;
+files_pid_file(dictd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dictd_t self:capability { setuid setgid };
+dontaudit dictd_t self:capability sys_tty_config;
+allow dictd_t self:process { signal_perms setpgid };
+allow dictd_t self:unix_stream_socket create_stream_socket_perms;
+allow dictd_t self:tcp_socket create_stream_socket_perms;
+allow dictd_t self:udp_socket create_socket_perms;
+
+allow dictd_t dictd_etc_t:file read_file_perms;
+files_search_etc(dictd_t)
+
+allow dictd_t dictd_var_lib_t:dir list_dir_perms;
+allow dictd_t dictd_var_lib_t:file read_file_perms;
+
+manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t)
+files_pid_filetrans(dictd_t, dictd_var_run_t, file)
+
+kernel_read_system_state(dictd_t)
+kernel_read_kernel_sysctls(dictd_t)
+
+corenet_all_recvfrom_unlabeled(dictd_t)
+corenet_all_recvfrom_netlabel(dictd_t)
+corenet_tcp_sendrecv_generic_if(dictd_t)
+corenet_raw_sendrecv_generic_if(dictd_t)
+corenet_udp_sendrecv_generic_if(dictd_t)
+corenet_tcp_sendrecv_generic_node(dictd_t)
+corenet_udp_sendrecv_generic_node(dictd_t)
+corenet_raw_sendrecv_generic_node(dictd_t)
+corenet_tcp_sendrecv_all_ports(dictd_t)
+corenet_udp_sendrecv_all_ports(dictd_t)
+corenet_tcp_bind_generic_node(dictd_t)
+corenet_tcp_bind_dict_port(dictd_t)
+corenet_sendrecv_dict_server_packets(dictd_t)
+
+dev_read_sysfs(dictd_t)
+
+fs_getattr_xattr_fs(dictd_t)
+fs_search_auto_mountpoints(dictd_t)
+
+domain_use_interactive_fds(dictd_t)
+
+files_read_etc_files(dictd_t)
+files_read_etc_runtime_files(dictd_t)
+files_read_usr_files(dictd_t)
+files_search_var_lib(dictd_t)
+# for checking for nscd
+files_dontaudit_search_pids(dictd_t)
+
+logging_send_syslog_msg(dictd_t)
+
+miscfiles_read_localization(dictd_t)
+
+sysnet_read_config(dictd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dictd_t)
+
+optional_policy(`
+ nis_use_ypbind(dictd_t)
+')
+
+optional_policy(`
+ nscd_socket_use(dictd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dictd_t)
+')
+
+optional_policy(`
+ udev_read_db(dictd_t)
+')
diff --git a/distcc.fc b/distcc.fc
new file mode 100644
index 0000000..6ce6b00
--- /dev/null
+++ b/distcc.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/distccd -- gen_context(system_u:object_r:distccd_exec_t,s0)
diff --git a/distcc.if b/distcc.if
new file mode 100644
index 0000000..926e959
--- /dev/null
+++ b/distcc.if
@@ -0,0 +1 @@
+## Distributed compiler daemon
diff --git a/distcc.te b/distcc.te
new file mode 100644
index 0000000..54d93e8
--- /dev/null
+++ b/distcc.te
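Review bot: `corenet_raw_sendrecv_generic_if(dictd_t)` and `corenet_raw_sendrecv_generic_node(dictd_t)` grant raw-IP traffic to a domain that has no `self:rawip_socket` rule anywhere in this hunk, so they look like dead permissions. Either drop the two lines or add the socket rule together with a comment naming what dictd uses raw sockets for; for a network-facing daemon the narrower set is the safer default. The UDP rules are similar: there is a `self:udp_socket` rule but no UDP port bind, so a one-line comment on why UDP is needed (presumably name resolution — confirm) would spare the next reviewer the same question.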
@@ -0,0 +1,93 @@
+policy_module(distcc, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type distccd_t;
+type distccd_exec_t;
+init_daemon_domain(distccd_t, distccd_exec_t)
+
+type distccd_log_t;
+logging_log_file(distccd_log_t)
+
+type distccd_tmp_t;
+files_tmp_file(distccd_tmp_t)
+
+type distccd_var_run_t;
+files_pid_file(distccd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow distccd_t self:capability { setgid setuid };
+dontaudit distccd_t self:capability sys_tty_config;
+allow distccd_t self:process { signal_perms setsched };
+allow distccd_t self:fifo_file rw_fifo_file_perms;
+allow distccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow distccd_t self:tcp_socket create_stream_socket_perms;
+allow distccd_t self:udp_socket create_socket_perms;
+
+allow distccd_t distccd_log_t:file manage_file_perms;
+logging_log_filetrans(distccd_t, distccd_log_t, file)
+
+manage_dirs_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t)
+manage_files_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t)
+files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir })
+
+manage_files_pattern(distccd_t, distccd_var_run_t, distccd_var_run_t)
+files_pid_filetrans(distccd_t, distccd_var_run_t, file)
+
+kernel_read_system_state(distccd_t)
+kernel_read_kernel_sysctls(distccd_t)
+
+corenet_all_recvfrom_unlabeled(distccd_t)
+corenet_all_recvfrom_netlabel(distccd_t)
+corenet_tcp_sendrecv_generic_if(distccd_t)
+corenet_udp_sendrecv_generic_if(distccd_t)
+corenet_tcp_sendrecv_generic_node(distccd_t)
+corenet_udp_sendrecv_generic_node(distccd_t)
+corenet_tcp_sendrecv_all_ports(distccd_t)
+corenet_udp_sendrecv_all_ports(distccd_t)
+corenet_tcp_bind_generic_node(distccd_t)
+corenet_tcp_bind_distccd_port(distccd_t)
+corenet_sendrecv_distccd_server_packets(distccd_t)
+
+dev_read_sysfs(distccd_t)
+
+fs_getattr_all_fs(distccd_t)
+fs_search_auto_mountpoints(distccd_t)
+
+corecmd_exec_bin(distccd_t)
+corecmd_read_bin_symlinks(distccd_t)
+
+domain_use_interactive_fds(distccd_t)
+
+files_read_etc_files(distccd_t)
+files_read_etc_runtime_files(distccd_t)
+
+libs_exec_lib_files(distccd_t)
+
+logging_send_syslog_msg(distccd_t)
+
+miscfiles_read_localization(distccd_t)
+
+sysnet_read_config(distccd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(distccd_t)
+userdom_dontaudit_search_user_home_dirs(distccd_t)
+
+optional_policy(`
+ nis_use_ypbind(distccd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(distccd_t)
+')
+
+optional_policy(`
+ udev_read_db(distccd_t)
+')
diff --git a/djbdns.fc b/djbdns.fc
new file mode 100644
index 0000000..fdb6652
--- /dev/null
+++ b/djbdns.fc
@@ -0,0 +1,9 @@
+
+/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)
+/usr/bin/dnscache -- gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0)
+/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)
+
+/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)
+/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)
+/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)
+
diff --git a/djbdns.if b/djbdns.if
new file mode 100644
index 0000000..ade3079
--- /dev/null
+++ b/djbdns.if
@@ -0,0 +1,90 @@
+## small and secure DNS daemon
+
+########################################
+##
+## Create a set of derived types for djbdns
+## components that are directly supervised by daemontools.
+##
+##
+##
+## The prefix to be used for deriving type names.
+##
+##
+#
+template(`djbdns_daemontools_domain_template',`
+
+ type djbdns_$1_t;
+ type djbdns_$1_exec_t;
+ type djbdns_$1_conf_t;
+ files_config_file(djbdns_$1_conf_t)
+
+ domain_type(djbdns_$1_t)
+ domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t)
+ role system_r types djbdns_$1_t;
+
+ daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
+ daemontools_read_svc(djbdns_$1_t)
+
+ allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
+ allow djbdns_$1_t self:process signal;
+ allow djbdns_$1_t self:fifo_file rw_fifo_file_perms;
+ allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
+ allow djbdns_$1_t self:udp_socket create_socket_perms;
+
+ allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
+ allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
+
+ corenet_all_recvfrom_unlabeled(djbdns_$1_t)
+ corenet_all_recvfrom_netlabel(djbdns_$1_t)
+ corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
+ corenet_udp_sendrecv_generic_if(djbdns_$1_t)
+ corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
+ corenet_udp_sendrecv_generic_node(djbdns_$1_t)
+ corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_udp_sendrecv_all_ports(djbdns_$1_t)
+ corenet_tcp_bind_generic_node(djbdns_$1_t)
+ corenet_udp_bind_generic_node(djbdns_$1_t)
+ corenet_tcp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_dns_port(djbdns_$1_t)
+ corenet_udp_bind_generic_port(djbdns_$1_t)
+ corenet_sendrecv_dns_server_packets(djbdns_$1_t)
+ corenet_sendrecv_generic_server_packets(djbdns_$1_t)
+
+ files_search_var(djbdns_$1_t)
+')
+
+#####################################
+##
+## Allow search the djbdns-tinydns key ring.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`djbdns_search_tinydns_keys',`
+ gen_require(`
+ type djbdns_tinydns_t;
+ ')
+
+ allow $1 djbdns_tinydns_t:key search;
+')
+
+#####################################
+##
+## Allow link to the djbdns-tinydns key ring.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`djbdns_link_tinydns_keys',`
+ gen_require(`
+ type djbdns_tinydn_t;
+ ')
+
+ allow $1 djbdns_tinydn_t:key link;
+')
diff --git a/djbdns.te b/djbdns.te
new file mode 100644
index 0000000..03b5286
--- /dev/null
+++ b/djbdns.te
@@ -0,0 +1,49 @@
+policy_module(djbdns, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type djbdns_axfrdns_t;
+type djbdns_axfrdns_exec_t;
+domain_type(djbdns_axfrdns_t)
+domain_entry_file(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+role system_r types djbdns_axfrdns_t;
+
+type djbdns_axfrdns_conf_t;
+files_config_file(djbdns_axfrdns_conf_t)
+
+djbdns_daemontools_domain_template(dnscache)
+
+djbdns_daemontools_domain_template(tinydns)
+
+########################################
+#
+# Local policy for axfrdns component
+#
+
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
+allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
+
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;
+
+allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms;
+
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir list_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
+
+files_search_var(djbdns_axfrdns_t)
+
+ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+
+########################################
+#
+# Local policy for tinydns
+#
+
+init_dontaudit_use_script_fds(djbdns_tinydns_t)
diff --git a/dkim.fc b/dkim.fc
new file mode 100644
index 0000000..dc1056c
--- /dev/null
+++ b/dkim.fc
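Review bot: `djbdns_link_tinydns_keys` requires and uses `djbdns_tinydn_t`, a type nothing in this commit declares — djbdns.te instantiates `djbdns_daemontools_domain_template(tinydns)`, which yields `djbdns_tinydns_t`, and the sibling `djbdns_search_tinydns_keys` directly above uses that spelling. Any module that calls this interface will fail to build on the unknown type until both occurrences are corrected: `type djbdns_tinydns_t;` and `allow $1 djbdns_tinydns_t:key link;`.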
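Review bot: `allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms;` and the matching `:file read_file_perms` rule name a process domain as the file target, while djbdns.fc in this commit labels the tinydns data under `/var/tinydns/root` as `djbdns_tinydns_conf_t`, which the next two rules already cover. Unless something outside this commit labels files `djbdns_tinydns_t`, those two rules grant nothing and should be dropped or given a comment saying what object they are meant for.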
@@ -0,0 +1,9 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+
+/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/dkim.if b/dkim.if
new file mode 100644
index 0000000..32d108a
--- /dev/null
+++ b/dkim.if
@@ -0,0 +1 @@
+## DomainKeys Identified Mail milter.
diff --git a/dkim.te b/dkim.te
new file mode 100644
index 0000000..1b4983d
--- /dev/null
+++ b/dkim.te
@@ -0,0 +1,31 @@
+policy_module(dkim, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+milter_template(dkim)
+
+# Type for the private key of dkim-filter
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dkim_milter_t self:capability { setgid setuid };
+
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+kernel_read_kernel_sysctls(dkim_milter_t)
+
+dev_read_urand(dkim_milter_t)
+
+files_read_etc_files(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
+
+mta_read_config(dkim_milter_t)
diff --git a/dmidecode.fc b/dmidecode.fc
new file mode 100644
index 0000000..016e6b8
--- /dev/null
+++ b/dmidecode.fc
@@ -0,0 +1,4 @@
+
+/usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/sbin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
diff --git a/dmidecode.if b/dmidecode.if
new file mode 100644
index 0000000..4bf435c
--- /dev/null
+++ b/dmidecode.if
@@ -0,0 +1,50 @@
+## Decode DMI data for x86/ia64 bioses.
+
+########################################
+##
+## Execute dmidecode in the dmidecode domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dmidecode_domtrans',`
+ gen_require(`
+ type dmidecode_t, dmidecode_exec_t;
+ ')
+
+ domain_auto_trans($1, dmidecode_exec_t, dmidecode_t)
+
+ allow $1 dmidecode_t:fd use;
+ allow dmidecode_t $1:fd use;
+ allow dmidecode_t $1:fifo_file rw_file_perms;
+ allow dmidecode_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute dmidecode in the dmidecode domain, and
+## allow the specified role the dmidecode domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`dmidecode_run',`
+ gen_require(`
+ type dmidecode_t;
+ ')
+
+ dmidecode_domtrans($1)
+ role $2 types dmidecode_t;
+')
diff --git a/dmidecode.te b/dmidecode.te
new file mode 100644
index 0000000..d6356b5
--- /dev/null
+++ b/dmidecode.te
@@ -0,0 +1,30 @@
+policy_module(dmidecode, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type dmidecode_t;
+type dmidecode_exec_t;
+application_domain(dmidecode_t, dmidecode_exec_t)
+role system_r types dmidecode_t;
+
+########################################
+#
+# Local policy
+#
+
+allow dmidecode_t self:capability sys_rawio;
+
+dev_read_sysfs(dmidecode_t)
+# Allow dmidecode to read /dev/mem
+dev_read_raw_memory(dmidecode_t)
+
+mls_file_read_all_levels(dmidecode_t)
+
+files_list_usr(dmidecode_t)
+
+locallogin_use_fds(dmidecode_t)
+
+userdom_use_user_terminals(dmidecode_t)
diff --git a/dnsmasq.fc b/dnsmasq.fc
new file mode 100644
index 0000000..b886676
--- /dev/null
+++ b/dnsmasq.fc
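Review bot: `dmidecode_domtrans` open-codes the transition with `domain_auto_trans` plus four fd/fifo/sigchld rules, whereas every other domtrans interface in this commit (abrt, dnsmasq, dovecot, dpkg) uses `domtrans_pattern`, and the hand-written `allow dmidecode_t $1:fifo_file rw_file_perms;` applies the plain-file permission set to a fifo instead of `rw_fifo_file_perms`. Replacing those five lines with `domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)` gives the same transition with the conventional permission sets and keeps the interface consistent with the rest of the tree.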
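Review bot: `mls_file_read_all_levels(dmidecode_t)` is an MLS override that, combined with `sys_rawio` and `dev_read_raw_memory`, makes this a high-privilege domain, yet unlike the `/dev/mem` line it carries no comment saying why it is needed. A why-comment such as `# MLS: read device memory regardless of level (presumably for /dev/mem; confirm)` would keep the override from being copied into other modules without the same justification.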
@@ -0,0 +1,12 @@
+/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
+/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+
+/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
+/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+
+/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+
+/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
new file mode 100644
index 0000000..9bd812b
--- /dev/null
+++ b/dnsmasq.if
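Review bot: `/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)` has a blank before `s0` while every other entry in this commit writes `,s0`; m4 drops the leading blank so it still works, but the consistent form is `gen_context(system_u:object_r:dnsmasq_etc_t,s0)`. The `/var/log/dnsmasq\.log` entry is also the only plain-file path in this file without the `--` type specifier; `/var/log/dnsmasq\.log -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)` would match the other log entries on this page.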
@@ -0,0 +1,211 @@
+## dnsmasq DNS forwarder and DHCP server
+
+########################################
+##
+## Execute dnsmasq server in the dnsmasq domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+#
+interface(`dnsmasq_domtrans',`
+ gen_require(`
+ type dnsmasq_exec_t, dnsmasq_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
+')
+
+########################################
+##
+## Execute the dnsmasq init script in the init script domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+#
+interface(`dnsmasq_initrc_domtrans',`
+ gen_require(`
+ type dnsmasq_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+')
+
+########################################
+##
+## Send dnsmasq a signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_signal',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process signal;
+')
+
+########################################
+##
+## Send dnsmasq a signull
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_signull',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process signull;
+')
+
+########################################
+##
+## Send dnsmasq a kill signal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_kill',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process sigkill;
+')
+
+########################################
+##
+## Read dnsmasq config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dnsmasq_read_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+##
+## Write to dnsmasq config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dnsmasq_write_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+##
+## Delete dnsmasq pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_delete_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+##
+## Read dnsmasq pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_read_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an dnsmasq environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the dnsmasq domain.
+##
+##
+##
+#
+interface(`dnsmasq_admin',`
+ gen_require(`
+ type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
+ type dnsmasq_initrc_exec_t;
+ ')
+
+ allow $1 dnsmasq_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dnsmasq_t)
+
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dnsmasq_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, dnsmasq_lease_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dnsmasq_var_run_t)
+')
diff --git a/dnsmasq.te b/dnsmasq.te
new file mode 100644
index 0000000..fdaeeba
--- /dev/null
+++ b/dnsmasq.te
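Review bot: `dnsmasq_admin` leaves out `dnsmasq_etc_t` and `dnsmasq_var_log_t`, both declared in dnsmasq.te in this commit, so a role granted this interface cannot edit the config or manage the log even though `dictd_admin` and `dovecot_admin` on this page cover their etc and log types. Add the two types to the `gen_require` and insert matching `admin_pattern` blocks after the `allow $2 system_r;` line, as sketched below. The summary text "an dnsmasq environment" should read "a dnsmasq environment"; dictd.if and dovecot.if carry the same slip.
```selinux
interface(`dnsmasq_admin',`
	gen_require(`
		type dnsmasq_t, dnsmasq_etc_t, dnsmasq_lease_t;
		type dnsmasq_var_log_t, dnsmasq_var_run_t;
		type dnsmasq_initrc_exec_t;
	')

	# … unchanged: process, init script and role rules …

	files_list_etc($1)
	admin_pattern($1, dnsmasq_etc_t)

	logging_list_logs($1)
	admin_pattern($1, dnsmasq_var_log_t)

	# … unchanged: lease and pid admin patterns …
')
```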
@@ -0,0 +1,117 @@
+policy_module(dnsmasq, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type dnsmasq_t;
+type dnsmasq_exec_t;
+init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
+
+type dnsmasq_initrc_exec_t;
+init_script_file(dnsmasq_initrc_exec_t)
+
+type dnsmasq_etc_t;
+files_config_file(dnsmasq_etc_t)
+
+type dnsmasq_lease_t;
+files_type(dnsmasq_lease_t)
+
+type dnsmasq_var_log_t;
+logging_log_file(dnsmasq_var_log_t)
+
+type dnsmasq_var_run_t;
+files_pid_file(dnsmasq_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_bind_service net_raw };
+dontaudit dnsmasq_t self:capability sys_tty_config;
+allow dnsmasq_t self:process { getcap setcap signal_perms };
+allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
+allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
+allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
+allow dnsmasq_t self:udp_socket create_socket_perms;
+allow dnsmasq_t self:packet_socket create_socket_perms;
+allow dnsmasq_t self:rawip_socket create_socket_perms;
+
+read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+
+# dhcp leases
+manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
+files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+
+manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
+logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
+
+manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
+
+kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_read_system_state(dnsmasq_t)
+
+corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corenet_all_recvfrom_netlabel(dnsmasq_t)
+corenet_tcp_sendrecv_generic_if(dnsmasq_t)
+corenet_udp_sendrecv_generic_if(dnsmasq_t)
+corenet_raw_sendrecv_generic_if(dnsmasq_t)
+corenet_tcp_sendrecv_generic_node(dnsmasq_t)
+corenet_udp_sendrecv_generic_node(dnsmasq_t)
+corenet_raw_sendrecv_generic_node(dnsmasq_t)
+corenet_tcp_sendrecv_all_ports(dnsmasq_t)
+corenet_udp_sendrecv_all_ports(dnsmasq_t)
+corenet_tcp_bind_generic_node(dnsmasq_t)
+corenet_udp_bind_generic_node(dnsmasq_t)
+corenet_tcp_bind_dns_port(dnsmasq_t)
+corenet_udp_bind_all_ports(dnsmasq_t)
+corenet_sendrecv_dns_server_packets(dnsmasq_t)
+corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
+
+dev_read_sysfs(dnsmasq_t)
+dev_read_urand(dnsmasq_t)
+
+domain_use_interactive_fds(dnsmasq_t)
+
+files_read_etc_files(dnsmasq_t)
+files_read_etc_runtime_files(dnsmasq_t)
+
+fs_getattr_all_fs(dnsmasq_t)
+fs_search_auto_mountpoints(dnsmasq_t)
+
+auth_use_nsswitch(dnsmasq_t)
+
+logging_send_syslog_msg(dnsmasq_t)
+
+miscfiles_read_localization(dnsmasq_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
+userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
+
+optional_policy(`
+ cobbler_read_lib_files(dnsmasq_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(dnsmasq_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dnsmasq_t)
+')
+
+optional_policy(`
+ tftp_read_content(dnsmasq_t)
+')
+
+optional_policy(`
+ udev_read_db(dnsmasq_t)
+')
+
+optional_policy(`
+ virt_manage_lib_files(dnsmasq_t)
+ virt_read_pid_files(dnsmasq_t)
+')
diff --git a/dovecot.fc b/dovecot.fc
new file mode 100644
index 0000000..bfc880b
--- /dev/null
+++ b/dovecot.fc
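Review bot: `corenet_udp_bind_all_ports(dnsmasq_t)` lets the daemon bind any UDP port, which is broader than the rest of the block suggests it needs — the named rules around it cover only DNS and DHCP (`corenet_tcp_bind_dns_port`, `corenet_sendrecv_dns_server_packets`, `corenet_sendrecv_dhcpd_server_packets`). The dhcpd rules at the top of this chunk show the narrower form; `corenet_udp_bind_dns_port(dnsmasq_t)` and `corenet_udp_bind_dhcpd_port(dnsmasq_t)` in place of the blanket line keep the bind set aligned with the declared packet types, with a further specific bind for any other service it exposes. If dnsmasq must bind arbitrary ports (for example if it explicitly binds random query source ports — confirm), a comment next to the broad rule should say so.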
@@ -0,0 +1,43 @@
+
+#
+# /etc
+#
+/etc/dovecot(/.*)?* gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+
+/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+
+/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+
+ifdef(`distro_debian', `
+/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+')
+
+ifdef(`distro_redhat', `
+/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
+
+#
+# /var
+#
+/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
+/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --git a/dovecot.if b/dovecot.if
new file mode 100644
index 0000000..e1d7dc5
--- /dev/null
+++ b/dovecot.if
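Review bot: `/etc/dovecot(/.*)?*` stacks a second quantifier on `(/.*)?`; the trailing `*` adds nothing the pattern did not already match and looks like a slip for the `(/.*)?` form every other directory entry in the file uses, so `/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)` is the conventional spelling. The `/var/run/dovecot/login/ssl-parameters.dat` entry has an unescaped `.` before `dat` where the rest of the file writes `\.`; it matches as intended but also matches any character there, so `ssl-parameters\.dat` is the tighter form. A one-line comment on why that file under `/var/run` is labeled `dovecot_var_lib_t` rather than `dovecot_var_run_t` like its parent would also help, since dovecot.te only says `/var/lib/dovecot` holds the SSL parameters file.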
@@ -0,0 +1,130 @@
+## Dovecot POP and IMAP mail server
+
+########################################
+##
+## Connect to dovecot auth unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`dovecot_stream_connect_auth',`
+ gen_require(`
+ type dovecot_auth_t, dovecot_var_run_t;
+ ')
+
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
+')
+
+########################################
+##
+## Execute dovecot_deliver in the dovecot_deliver domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dovecot_domtrans_deliver',`
+ gen_require(`
+ type dovecot_deliver_t, dovecot_deliver_exec_t;
+ ')
+
+ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
+')
+
+########################################
+##
+## Create, read, write, and delete the dovecot spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dovecot_manage_spool',`
+ gen_require(`
+ type dovecot_spool_t;
+ ')
+
+ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+')
+
+########################################
+##
+## Do not audit attempts to delete dovecot lib files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dovecot_dontaudit_unlink_lib_files',`
+ gen_require(`
+ type dovecot_var_lib_t;
+ ')
+
+ dontaudit $1 dovecot_var_lib_t:file unlink;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an dovecot environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the dovecot domain.
+##
+##
+##
+#
+interface(`dovecot_admin',`
+ gen_require(`
+ type dovecot_t, dovecot_etc_t, dovecot_log_t;
+ type dovecot_spool_t, dovecot_var_lib_t;
+ type dovecot_var_run_t;
+
+ type dovecot_cert_t, dovecot_passwd_t;
+ type dovecot_initrc_exec_t;
+ ')
+
+ allow $1 dovecot_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dovecot_t)
+
+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dovecot_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, dovecot_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, dovecot_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, dovecot_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dovecot_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dovecot_var_run_t)
+
+ admin_pattern($1, dovecot_cert_t)
+
+ admin_pattern($1, dovecot_passwd_t)
+')
diff --git a/dovecot.te b/dovecot.te
new file mode 100644
index 0000000..bc04813
--- /dev/null
+++ b/dovecot.te
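Review bot: `dovecot_admin` requires and administers `dovecot_log_t`, but dovecot.te in this commit declares the log type as `dovecot_var_log_t` (`type dovecot_var_log_t; logging_log_file(dovecot_var_log_t)`), so any policy that calls `dovecot_admin` will fail to build on the undeclared type. Rename both occurrences: `type dovecot_t, dovecot_etc_t, dovecot_var_log_t;` in the `gen_require` and `admin_pattern($1, dovecot_var_log_t)` after `logging_list_logs($1)`. The summary text "an dovecot environment" should read "a dovecot environment".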
@@ -0,0 +1,306 @@
+policy_module(dovecot, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+type dovecot_t;
+type dovecot_exec_t;
+init_daemon_domain(dovecot_t, dovecot_exec_t)
+
+type dovecot_auth_t;
+type dovecot_auth_exec_t;
+domain_type(dovecot_auth_t)
+domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
+role system_r types dovecot_auth_t;
+
+type dovecot_auth_tmp_t;
+files_tmp_file(dovecot_auth_tmp_t)
+
+type dovecot_cert_t;
+files_type(dovecot_cert_t)
+
+type dovecot_deliver_t;
+type dovecot_deliver_exec_t;
+domain_type(dovecot_deliver_t)
+domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+role system_r types dovecot_deliver_t;
+
+type dovecot_etc_t;
+files_config_file(dovecot_etc_t)
+
+type dovecot_initrc_exec_t;
+init_script_file(dovecot_initrc_exec_t)
+
+type dovecot_passwd_t;
+files_type(dovecot_passwd_t)
+
+type dovecot_spool_t;
+files_type(dovecot_spool_t)
+
+type dovecot_tmp_t;
+files_tmp_file(dovecot_tmp_t)
+
+# /var/lib/dovecot holds SSL parameters file
+type dovecot_var_lib_t;
+files_type(dovecot_var_lib_t)
+
+type dovecot_var_log_t;
+logging_log_file(dovecot_var_log_t)
+
+type dovecot_var_run_t;
+files_pid_file(dovecot_var_run_t)
+
+########################################
+#
+# dovecot local policy
+#
+
+allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
+dontaudit dovecot_t self:capability sys_tty_config;
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+allow dovecot_t self:fifo_file rw_fifo_file_perms;
+allow dovecot_t self:tcp_socket create_stream_socket_perms;
+allow dovecot_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+
+allow dovecot_t dovecot_auth_t:process signal;
+
+allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+
+allow dovecot_t dovecot_etc_t:file read_file_perms;
+files_search_etc(dovecot_t)
+
+can_exec(dovecot_t, dovecot_exec_t)
+
+manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+
+# Allow dovecot to create and read SSL parameters file
+manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
+files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
+
+manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
+
+manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+
+manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
+
+kernel_read_kernel_sysctls(dovecot_t)
+kernel_read_system_state(dovecot_t)
+
+corenet_all_recvfrom_unlabeled(dovecot_t)
+corenet_all_recvfrom_netlabel(dovecot_t)
+corenet_tcp_sendrecv_generic_if(dovecot_t)
+corenet_tcp_sendrecv_generic_node(dovecot_t)
+corenet_tcp_sendrecv_all_ports(dovecot_t)
+corenet_tcp_bind_generic_node(dovecot_t)
+corenet_tcp_bind_mail_port(dovecot_t)
+corenet_tcp_bind_pop_port(dovecot_t)
+corenet_tcp_bind_sieve_port(dovecot_t)
+corenet_tcp_connect_all_ports(dovecot_t)
+corenet_tcp_connect_postgresql_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
+corenet_sendrecv_all_client_packets(dovecot_t)
+
+dev_read_sysfs(dovecot_t)
+dev_read_urand(dovecot_t)
+
+fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
+
+corecmd_exec_bin(dovecot_t)
+
+domain_use_interactive_fds(dovecot_t)
+
+files_read_etc_files(dovecot_t)
+files_search_spool(dovecot_t)
+files_search_tmp(dovecot_t)
+files_dontaudit_list_default(dovecot_t)
+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
+files_read_etc_runtime_files(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
+
+init_getattr_utmp(dovecot_t)
+
+auth_use_nsswitch(dovecot_t)
+
+logging_send_syslog_msg(dovecot_t)
+
+miscfiles_read_generic_certs(dovecot_t)
+miscfiles_read_localization(dovecot_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_manage_user_home_content_dirs(dovecot_t)
+userdom_manage_user_home_content_files(dovecot_t)
+userdom_manage_user_home_content_symlinks(dovecot_t)
+userdom_manage_user_home_content_pipes(dovecot_t)
+userdom_manage_user_home_content_sockets(dovecot_t)
+userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
+
+mta_manage_spool(dovecot_t)
+
+optional_policy(`
+ kerberos_keytab_template(dovecot, dovecot_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(dovecot_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dovecot_t)
+')
+
+optional_policy(`
+ squid_dontaudit_search_cache(dovecot_t)
+')
+
+optional_policy(`
+ udev_read_db(dovecot_t)
+')
+
+########################################
+#
+# dovecot auth local policy
+#
+
+allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
+allow dovecot_auth_t self:process { signal_perms getcap setcap };
+allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
+allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+
+read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+
+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
+
+allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect_auth(dovecot_auth_t)
+
+kernel_read_all_sysctls(dovecot_auth_t)
+kernel_read_system_state(dovecot_auth_t)
+
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
+dev_read_urand(dovecot_auth_t)
+
+auth_domtrans_chk_passwd(dovecot_auth_t)
+auth_use_nsswitch(dovecot_auth_t)
+
+files_read_etc_files(dovecot_auth_t)
+files_read_etc_runtime_files(dovecot_auth_t)
+files_search_pids(dovecot_auth_t)
+files_read_usr_files(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
+files_read_var_lib_files(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
+files_read_var_lib_files(dovecot_t)
+
+init_rw_utmp(dovecot_auth_t)
+
+miscfiles_read_localization(dovecot_auth_t)
+
+seutil_dontaudit_search_config(dovecot_auth_t)
+
+optional_policy(`
+ kerberos_use(dovecot_auth_t)
+
+ # for gssapi (kerberos)
+ userdom_list_user_tmp(dovecot_auth_t)
+ userdom_read_user_tmp_files(dovecot_auth_t)
+ userdom_read_user_tmp_symlinks(dovecot_auth_t)
+')
+
+optional_policy(`
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
+')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+ postfix_search_spool(dovecot_auth_t)
+')
+
+########################################
+#
+# dovecot deliver local policy
+#
+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+allow dovecot_deliver_t dovecot_t:process signull;
+
+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
+kernel_read_all_sysctls(dovecot_deliver_t)
+kernel_read_system_state(dovecot_deliver_t)
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+
+auth_use_nsswitch(dovecot_deliver_t)
+
+logging_send_syslog_msg(dovecot_deliver_t)
+logging_search_logs(dovecot_auth_t)
+
+miscfiles_read_localization(dovecot_deliver_t)
+
+dovecot_stream_connect_auth(dovecot_deliver_t)
+
+files_search_tmp(dovecot_deliver_t)
+
+fs_getattr_all_fs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(dovecot_deliver_t)
+ fs_manage_nfs_files(dovecot_deliver_t)
+ fs_manage_nfs_symlinks(dovecot_deliver_t)
+ fs_manage_nfs_dirs(dovecot_t)
+ fs_manage_nfs_files(dovecot_t)
+ fs_manage_nfs_symlinks(dovecot_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(dovecot_deliver_t)
+ fs_manage_cifs_files(dovecot_deliver_t)
+ fs_manage_cifs_symlinks(dovecot_deliver_t)
+ fs_manage_cifs_dirs(dovecot_t)
+ fs_manage_cifs_files(dovecot_t)
+ fs_manage_cifs_symlinks(dovecot_t)
+')
+
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
+')
diff --git a/dpkg.fc b/dpkg.fc
new file mode 100644
index 0000000..6d0f9ee
--- /dev/null
+++ b/dpkg.fc
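Review bot: `corenet_tcp_connect_all_ports(dovecot_t)` makes the `corenet_tcp_connect_postgresql_port(dovecot_t)` line right after it redundant and lets the IMAP/POP server open TCP connections to any port, which is wide for a network-facing daemon that otherwise gets named-port rules for its listeners. If the only outbound connections are to the SQL backends, keeping just the specific port rule(s) is the narrower choice; otherwise a comment stating which destinations require the blanket rule would help future reviewers. Two rules are also filed under the wrong domain section: `files_read_var_lib_files(dovecot_t)` sits in the "dovecot auth local policy" block and `logging_search_logs(dovecot_auth_t)` in the "dovecot deliver local policy" block, so moving each under its own domain's heading keeps the per-domain privilege review readable.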
@@ -0,0 +1,12 @@
+# Debian package manager
+/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+# not sure if dselect should be in apt instead?
+/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+
+/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
+# lockfile is treated specially, since used by apt, too
+/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
+
+/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
diff --git a/dpkg.if b/dpkg.if
new file mode 100644
index 0000000..9317171
--- /dev/null
+++ b/dpkg.if
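Review bot: `/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)` labels an integrity checker with the installer's entry type, so any caller granted `dpkg_domtrans` lands debsums in dpkg_t, a domain that this same diff gives `auth_manage_all_files_except_auth_files`, raw fixed-disk writes and an optional `unconfined_domain`. As far as I know debsums only reads `/var/lib/dpkg/info/*.md5sums` and the installed files it verifies, which `dpkg_read_db` plus ordinary file read access would cover; unless it is known to invoke dpkg itself, leaving it on the default bin_t label (or giving it its own read-only domain) keeps a verification tool from being a path into the installer domain. The same question applies to `dpkg-preconfigure`/`dpkg-reconfigure`, which are debconf frontends that the .if file's TODO already says have no policy of their own.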
@@ -0,0 +1,226 @@ +## Policy for the Debian package manager. +# TODO: need debconf policy +# TODO: need install-menu policy + +######################################## +## +## Execute dpkg programs in the dpkg domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`dpkg_domtrans',` + gen_require(` + type dpkg_t, dpkg_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, dpkg_exec_t, dpkg_t) +') + +######################################## +## +## Execute dpkg_script programs in the dpkg_script domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`dpkg_domtrans_script',` + gen_require(` + type dpkg_script_t; + ') + + # transition to dpkg script: + corecmd_shell_domtrans($1, dpkg_script_t) + allow dpkg_script_t $1:fd use; + allow dpkg_script_t $1:fifo_file rw_file_perms; + allow dpkg_script_t $1:process sigchld; +') + +######################################## +## +## Execute dpkg programs in the dpkg domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to allow the dpkg domain. +## +## +## +# +interface(`dpkg_run',` + gen_require(` + type dpkg_t, dpkg_script_t; + ') + + dpkg_domtrans($1) + role $2 types dpkg_t; + role $2 types dpkg_script_t; + seutil_run_loadpolicy(dpkg_script_t, $2) +') + +######################################## +## +## Inherit and use file descriptors from dpkg. +## +## +## +## Domain allowed access. +## +## +# +interface(`dpkg_use_fds',` + gen_require(` + type dpkg_t; + ') + + allow $1 dpkg_t:fd use; +') + +######################################## +## +## Read from an unnamed dpkg pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`dpkg_read_pipes',` + gen_require(` + type dpkg_t; + ') + + allow $1 dpkg_t:fifo_file read_fifo_file_perms; +') + +######################################## +## +## Read and write an unnamed dpkg pipe. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`dpkg_rw_pipes',` + gen_require(` + type dpkg_t; + ') + + allow $1 dpkg_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Inherit and use file descriptors from dpkg scripts. +## +## +## +## Domain allowed access. +## +## +# +interface(`dpkg_use_script_fds',` + gen_require(` + type dpkg_script_t; + ') + + allow $1 dpkg_script_t:fd use; +') + +######################################## +## +## Read the dpkg package database. +## +## +## +## Domain allowed access. +## +## +# +interface(`dpkg_read_db',` + gen_require(` + type dpkg_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 dpkg_var_lib_t:dir list_dir_perms; + read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) + read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) +') + +######################################## +## +## Create, read, write, and delete the dpkg package database. +## +## +## +## Domain allowed access. +## +## +# +interface(`dpkg_manage_db',` + gen_require(` + type dpkg_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) + manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) +') + +######################################## +## +## Do not audit attempts to create, read, +## write, and delete the dpkg package database. +## +## +## +## Domain to not audit. +## +## +# +interface(`dpkg_dontaudit_manage_db',` + gen_require(` + type dpkg_var_lib_t; + ') + + dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms; + dontaudit $1 dpkg_var_lib_t:file manage_file_perms; + dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms; +') + +######################################## +## +## Lock the dpkg package database. +## +## +## +## Domain allowed access. +## +## +# +interface(`dpkg_lock_db',` + gen_require(` + type dpkg_lock_t, dpkg_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 dpkg_var_lib_t:dir list_dir_perms; + allow $1 dpkg_lock_t:file manage_file_perms; +') 
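Review bot: The summary of `dpkg_domtrans_script` ("Execute dpkg_script programs in the dpkg_script domain") does not describe what the interface does: the transition is `corecmd_shell_domtrans($1, dpkg_script_t)`, which is keyed on the shell executable type, so every shell the caller executes — not just a package maintainer script — ends up in dpkg_script_t, and there is no dpkg_script_exec_t anywhere in this module. That makes the interface appropriate only for dpkg_t (its one caller in dpkg.te) and a trap for anyone who picks it up from the .if as a generic domtrans, particularly since dpkg_script_t optionally becomes `unconfined_domain`. I'd replace the summary with `## Transition to dpkg_script_t whenever the caller executes a shell. Intended only for the dpkg domain, since it affects every shell the caller runs, not just package scripts.` A small consistency nit in the same interface: `allow dpkg_script_t $1:fifo_file rw_file_perms;` uses the file permission set on the fifo_file class, where the rest of this file uses `rw_fifo_file_perms`.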
diff --git a/dpkg.te b/dpkg.te
new file mode 100644
index 0000000..633d2fc
--- /dev/null
+++ b/dpkg.te
@@ -0,0 +1,338 @@ +policy_module(dpkg, 1.8.0) + +######################################## +# +# Declarations +# + +type dpkg_t; +type dpkg_exec_t; +# dpkg can start/stop services +init_system_domain(dpkg_t, dpkg_exec_t) +# dpkg can change file labels, roles, IO +domain_obj_id_change_exemption(dpkg_t) +domain_role_change_exemption(dpkg_t) +domain_system_change_exemption(dpkg_t) +domain_interactive_fd(dpkg_t) +role system_r types dpkg_t; + +# lockfile +type dpkg_lock_t; +files_type(dpkg_lock_t) + +type dpkg_tmp_t; +files_tmp_file(dpkg_tmp_t) + +type dpkg_tmpfs_t; +files_tmpfs_file(dpkg_tmpfs_t) + +# status files +type dpkg_var_lib_t alias var_lib_dpkg_t; +files_type(dpkg_var_lib_t) + +# package scripts +type dpkg_script_t; +domain_type(dpkg_script_t) +domain_entry_file(dpkg_t, dpkg_var_lib_t) +corecmd_shell_entry_type(dpkg_script_t) +domain_obj_id_change_exemption(dpkg_script_t) +domain_system_change_exemption(dpkg_script_t) +domain_interactive_fd(dpkg_script_t) +role system_r types dpkg_script_t; + +type dpkg_script_tmp_t; +files_tmp_file(dpkg_script_tmp_t) + +type dpkg_script_tmpfs_t; +files_tmpfs_file(dpkg_script_tmpfs_t) + +######################################## +# +# dpkg Local policy +# + +allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; +allow dpkg_t self:process { setpgid fork getsched setfscreate }; +allow dpkg_t self:fd use; +allow dpkg_t self:fifo_file rw_fifo_file_perms; +allow dpkg_t self:unix_dgram_socket create_socket_perms; +allow dpkg_t self:unix_stream_socket rw_stream_socket_perms; +allow dpkg_t self:unix_dgram_socket sendto; +allow dpkg_t self:unix_stream_socket connectto; +allow dpkg_t self:udp_socket { connect create_socket_perms }; +allow dpkg_t self:tcp_socket create_stream_socket_perms; +allow dpkg_t self:shm create_shm_perms; +allow dpkg_t self:sem create_sem_perms; +allow dpkg_t self:msgq create_msgq_perms; +allow dpkg_t self:msg { send receive 
}; + +allow dpkg_t dpkg_lock_t:file manage_file_perms; + +manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) +manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) +files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir }) + +manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) +manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) +manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) +manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) +manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) +fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +# Access /var/lib/dpkg files +manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t) +files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir) + +kernel_read_system_state(dpkg_t) +kernel_read_kernel_sysctls(dpkg_t) + +corecmd_exec_all_executables(dpkg_t) + +# TODO: do we really need all networking? +corenet_all_recvfrom_unlabeled(dpkg_t) +corenet_all_recvfrom_netlabel(dpkg_t) +corenet_tcp_sendrecv_generic_if(dpkg_t) +corenet_raw_sendrecv_generic_if(dpkg_t) +corenet_udp_sendrecv_generic_if(dpkg_t) +corenet_tcp_sendrecv_generic_node(dpkg_t) +corenet_raw_sendrecv_generic_node(dpkg_t) +corenet_udp_sendrecv_generic_node(dpkg_t) +corenet_tcp_sendrecv_all_ports(dpkg_t) +corenet_udp_sendrecv_all_ports(dpkg_t) +corenet_tcp_connect_all_ports(dpkg_t) +corenet_sendrecv_all_client_packets(dpkg_t) + +dev_list_sysfs(dpkg_t) +dev_list_usbfs(dpkg_t) +dev_read_urand(dpkg_t) +#devices_manage_all_device_types(dpkg_t) + +domain_read_all_domains_state(dpkg_t) +domain_getattr_all_domains(dpkg_t) +domain_dontaudit_ptrace_all_domains(dpkg_t) +domain_use_interactive_fds(dpkg_t) +domain_dontaudit_getattr_all_pipes(dpkg_t) +domain_dontaudit_getattr_all_tcp_sockets(dpkg_t) +domain_dontaudit_getattr_all_udp_sockets(dpkg_t) +domain_dontaudit_getattr_all_packet_sockets(dpkg_t) +domain_dontaudit_getattr_all_raw_sockets(dpkg_t) +domain_dontaudit_getattr_all_stream_sockets(dpkg_t) 
+domain_dontaudit_getattr_all_dgram_sockets(dpkg_t) + +fs_manage_nfs_dirs(dpkg_t) +fs_manage_nfs_files(dpkg_t) +fs_manage_nfs_symlinks(dpkg_t) +fs_getattr_all_fs(dpkg_t) +fs_search_auto_mountpoints(dpkg_t) + +mls_file_read_all_levels(dpkg_t) +mls_file_write_all_levels(dpkg_t) +mls_file_upgrade(dpkg_t) + +selinux_get_fs_mount(dpkg_t) +selinux_validate_context(dpkg_t) +selinux_compute_access_vector(dpkg_t) +selinux_compute_create_context(dpkg_t) +selinux_compute_relabel_context(dpkg_t) +selinux_compute_user_contexts(dpkg_t) + +storage_raw_write_fixed_disk(dpkg_t) +# for installing kernel packages +storage_raw_read_fixed_disk(dpkg_t) + +auth_relabel_all_files_except_auth_files(dpkg_t) +auth_manage_all_files_except_auth_files(dpkg_t) +auth_dontaudit_read_shadow(dpkg_t) + +files_exec_etc_files(dpkg_t) + +init_domtrans_script(dpkg_t) +init_use_script_ptys(dpkg_t) + +libs_exec_ld_so(dpkg_t) +libs_exec_lib_files(dpkg_t) +libs_domtrans_ldconfig(dpkg_t) + +logging_send_syslog_msg(dpkg_t) + +# allow compiling and loading new policy +seutil_manage_src_policy(dpkg_t) +seutil_manage_bin_policy(dpkg_t) + +sysnet_read_config(dpkg_t) + +userdom_use_user_terminals(dpkg_t) +userdom_use_unpriv_users_fds(dpkg_t) + +# transition to dpkg script: +dpkg_domtrans_script(dpkg_t) +# since the scripts aren't labeled correctly yet... +allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; + +optional_policy(` + apt_use_ptys(dpkg_t) +') + +# TODO: allow? +#optional_policy(` +# cron_system_entry(dpkg_t,dpkg_exec_t) +#') + +optional_policy(` + nis_use_ypbind(dpkg_t) +') + +optional_policy(` + unconfined_domain(dpkg_t) +') + +# TODO: the following was copied from dpkg_script_t, and could probably +# be removed again when dpkg_script_t is actually used... 
+domain_signal_all_domains(dpkg_t) +domain_signull_all_domains(dpkg_t) +files_read_etc_runtime_files(dpkg_t) +files_exec_usr_files(dpkg_t) +miscfiles_read_localization(dpkg_t) +modutils_domtrans_depmod(dpkg_t) +modutils_domtrans_insmod(dpkg_t) +seutil_domtrans_loadpolicy(dpkg_t) +seutil_domtrans_setfiles(dpkg_t) +userdom_use_all_users_fds(dpkg_t) +optional_policy(` + mta_send_mail(dpkg_t) +') +optional_policy(` + usermanage_domtrans_groupadd(dpkg_t) + usermanage_domtrans_useradd(dpkg_t) +') + +######################################## +# +# dpkg-script Local policy +# +# TODO: actually use dpkg_script_t + +allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; +allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow dpkg_script_t self:fd use; +allow dpkg_script_t self:fifo_file rw_fifo_file_perms; +allow dpkg_script_t self:unix_dgram_socket create_socket_perms; +allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms; +allow dpkg_script_t self:unix_dgram_socket sendto; +allow dpkg_script_t self:unix_stream_socket connectto; +allow dpkg_script_t self:shm create_shm_perms; +allow dpkg_script_t self:sem create_sem_perms; +allow dpkg_script_t self:msgq create_msgq_perms; +allow dpkg_script_t self:msg { send receive }; + +allow dpkg_script_t dpkg_tmp_t:file read_file_perms; + +allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton }; +allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms; +files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir }) + +allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms; +allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms; +allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms; +allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms; +allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file 
manage_fifo_file_perms; +fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(dpkg_script_t) +kernel_read_system_state(dpkg_script_t) + +corecmd_exec_all_executables(dpkg_script_t) + +dev_list_sysfs(dpkg_script_t) +# ideally we would not need this +dev_manage_generic_blk_files(dpkg_script_t) +dev_manage_generic_chr_files(dpkg_script_t) +dev_manage_all_blk_files(dpkg_script_t) +dev_manage_all_chr_files(dpkg_script_t) + +domain_read_all_domains_state(dpkg_script_t) +domain_getattr_all_domains(dpkg_script_t) +domain_dontaudit_ptrace_all_domains(dpkg_script_t) +domain_use_interactive_fds(dpkg_script_t) +domain_signal_all_domains(dpkg_script_t) +domain_signull_all_domains(dpkg_script_t) + +files_exec_etc_files(dpkg_script_t) +files_read_etc_runtime_files(dpkg_script_t) +files_exec_usr_files(dpkg_script_t) + +fs_manage_nfs_files(dpkg_script_t) +fs_getattr_nfs(dpkg_script_t) +# why is this not using mount? +fs_getattr_xattr_fs(dpkg_script_t) +fs_mount_xattr_fs(dpkg_script_t) +fs_unmount_xattr_fs(dpkg_script_t) +fs_search_auto_mountpoints(dpkg_script_t) + +mls_file_read_all_levels(dpkg_script_t) +mls_file_write_all_levels(dpkg_script_t) + +selinux_get_fs_mount(dpkg_script_t) +selinux_validate_context(dpkg_script_t) +selinux_compute_access_vector(dpkg_script_t) +selinux_compute_create_context(dpkg_script_t) +selinux_compute_relabel_context(dpkg_script_t) +selinux_compute_user_contexts(dpkg_script_t) + +storage_raw_read_fixed_disk(dpkg_script_t) +storage_raw_write_fixed_disk(dpkg_script_t) + +term_use_all_terms(dpkg_script_t) + +auth_dontaudit_getattr_shadow(dpkg_script_t) +# ideally we would not need this +auth_manage_all_files_except_auth_files(dpkg_script_t) + +init_domtrans_script(dpkg_script_t) +init_use_script_fds(dpkg_script_t) + +libs_exec_ld_so(dpkg_script_t) +libs_exec_lib_files(dpkg_script_t) +libs_domtrans_ldconfig(dpkg_script_t) + +logging_send_syslog_msg(dpkg_script_t) + 
+miscfiles_read_localization(dpkg_script_t)
+
+modutils_domtrans_depmod(dpkg_script_t)
+modutils_domtrans_insmod(dpkg_script_t)
+
+seutil_domtrans_loadpolicy(dpkg_script_t)
+seutil_domtrans_setfiles(dpkg_script_t)
+
+userdom_use_all_users_fds(dpkg_script_t)
+
+tunable_policy(`allow_execmem',`
+ allow dpkg_script_t self:process execmem;
+')
+
+optional_policy(`
+ apt_rw_pipes(dpkg_script_t)
+ apt_use_fds(dpkg_script_t)
+')
+
+optional_policy(`
+ bootloader_domtrans(dpkg_script_t)
+')
+
+optional_policy(`
+ mta_send_mail(dpkg_script_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(dpkg_script_t)
+')
+
+optional_policy(`
+ unconfined_domain(dpkg_script_t)
+')
+
+optional_policy(`
+ usermanage_domtrans_groupadd(dpkg_script_t)
+ usermanage_domtrans_useradd(dpkg_script_t)
+')
diff --git a/entropyd.fc b/entropyd.fc
new file mode 100644
index 0000000..d2d8ce3
--- /dev/null
+++ b/entropyd.fc
@@ -0,0 +1,8 @@
+#
+# /usr
+#
+/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+
+/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
+/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
diff --git a/entropyd.if b/entropyd.if
new file mode 100644
index 0000000..67906f0
--- /dev/null
+++ b/entropyd.if
@@ -0,0 +1 @@
+## Generate entropy from audio input
diff --git a/entropyd.te b/entropyd.te
new file mode 100644
index 0000000..b6ac808
--- /dev/null
+++ b/entropyd.te
@@ -0,0 +1,80 @@
+policy_module(entropyd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
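Review bot: Nothing in the dpkg_t rules makes a newly created `/var/lib/dpkg/lock` come out as dpkg_lock_t: `allow dpkg_t dpkg_lock_t:file manage_file_perms;` only covers a lock file that already carries that label, while a lock that dpkg creates itself inherits dpkg_var_lib_t through `manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)`, and the fc entry is applied only on relabel. A domain that is given `dpkg_lock_db` (list_dir_perms on dpkg_var_lib_t plus dpkg_lock_t:file) is then denied on the mislabeled lock until someone runs restorecon, which is exactly the apt/dpkg sharing the fc comment says the separate type is for. If the policy build supports named file transitions, `filetrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_lock_t, file, "lock")` (and one for `"methlock"`) next to the existing `files_var_lib_filetrans` line fixes the creation path; otherwise a comment stating that the lock must be pre-created and labeled would at least document the dependency. Whether Debian's dpkg ships the lock file rather than creating it on first run I can't tell from the diff.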

+## Allow the use of the audio devices as the source for the entropy feeds +##

+##
+gen_tunable(entropyd_use_audio, false)
+
+type entropyd_t;
+type entropyd_exec_t;
+init_daemon_domain(entropyd_t, entropyd_exec_t)
+
+type entropyd_var_run_t;
+files_pid_file(entropyd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
+dontaudit entropyd_t self:capability sys_tty_config;
+allow entropyd_t self:process signal_perms;
+allow entropyd_t self:unix_dgram_socket create_socket_perms;
+
+manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
+files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
+
+kernel_rw_kernel_sysctl(entropyd_t)
+kernel_list_proc(entropyd_t)
+kernel_read_proc_symlinks(entropyd_t)
+
+dev_read_sysfs(entropyd_t)
+dev_read_urand(entropyd_t)
+dev_write_urand(entropyd_t)
+dev_read_rand(entropyd_t)
+dev_write_rand(entropyd_t)
+
+files_read_etc_files(entropyd_t)
+files_read_usr_files(entropyd_t)
+
+fs_getattr_all_fs(entropyd_t)
+fs_search_auto_mountpoints(entropyd_t)
+
+domain_use_interactive_fds(entropyd_t)
+
+logging_send_syslog_msg(entropyd_t)
+
+miscfiles_read_localization(entropyd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
+userdom_dontaudit_search_user_home_dirs(entropyd_t)
+
+tunable_policy(`entropyd_use_audio',`
+ dev_read_sound(entropyd_t)
+ # set sound card parameters such as sample format, number of channels
+ # and sample rate.
+ dev_write_sound(entropyd_t)
+')
+
+optional_policy(`
+ tunable_policy(`entropyd_use_audio',`
+ alsa_read_lib(entropyd_t)
+ alsa_read_rw_config(entropyd_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(entropyd_t)
+')
+
+optional_policy(`
+ udev_read_db(entropyd_t)
+')
diff --git a/evolution.fc b/evolution.fc
new file mode 100644
index 0000000..c011277
--- /dev/null
+++ b/evolution.fc
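Review bot: `allow entropyd_t self:capability { dac_override ipc_lock sys_admin };` carries no why-comment, and sys_admin is the broadest capability a confined daemon can hold; the only use I can see for it in this policy is crediting entropy to the pool behind `dev_write_rand(entropyd_t)`, which on Linux is the RNDADDENTROPY ioctl (plain writes to /dev/random mix data but credit nothing and need no capability). I'd annotate the line so the next reader can re-verify rather than inherit it: `# sys_admin: RNDADDENTROPY ioctl on /dev/random to credit entropy; ipc_lock: presumably mlock of sample buffers — confirm against audio-entropyd and haveged`, and check whether dac_override is still needed given the daemon runs as root and the device nodes it touches. The fc in this same diff now also labels haveged, which as far as I know harvests CPU timing jitter rather than audio, so the tunable text here and the one-line module summary in entropyd.if ("Generate entropy from audio input") undersell what the domain covers.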
@@ -0,0 +1,21 @@
+#
+# HOME_DIR/
+#
+
+HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+
+#
+# /tmp
+#
+/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
+
+#
+# /usr
+#
+/usr/bin/evolution.* -- gen_context(system_u:object_r:evolution_exec_t,s0)
+
+/usr/libexec/evolution/.*evolution-alarm-notify.* -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
+/usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0)
+/usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0)
+/usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
diff --git a/evolution.if b/evolution.if
new file mode 100644
index 0000000..1cb204c
--- /dev/null
+++ b/evolution.if
@@ -0,0 +1,153 @@ +## Evolution email client + +######################################## +## +## Role access for evolution +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`evolution_role',` + gen_require(` + type evolution_t, evolution_exec_t, evolution_home_t; + type evolution_alarm_t, evolution_alarm_exec_t; + type evolution_exchange_t, evolution_exchange_exec_t; + type evolution_exchange_orbit_tmp_t; + type evolution_server_t, evolution_server_exec_t; + type evolution_webcal_t, evolution_webcal_exec_t; + ') + + role $1 types { evolution_t evolution_alarm_t evolution_exchange_t }; + role $1 types { evolution_server_t evolution_webcal_t }; + + domtrans_pattern($2, evolution_exec_t, evolution_t) + domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t) + domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t) + domtrans_pattern($2, evolution_server_exec_t, evolution_server_t) + domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t) + + ps_process_pattern($2, evolution_t) + ps_process_pattern($2, evolution_alarm_t) + ps_process_pattern($2, evolution_exchange_t) + ps_process_pattern($2, evolution_server_t) + ps_process_pattern($2, evolution_webcal_t) + + allow evolution_t $2:dir search; + allow evolution_t $2:file read; + allow evolution_t $2:lnk_file read; + allow evolution_t $2:unix_stream_socket connectto; + + allow $2 evolution_t:unix_stream_socket connectto; + allow $2 evolution_t:process noatsecure; + allow $2 evolution_t:process signal_perms; + + # Access .evolution + allow $2 evolution_home_t:dir manage_dir_perms; + allow $2 evolution_home_t:file manage_file_perms; + allow $2 evolution_home_t:lnk_file manage_lnk_file_perms; + allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + + allow evolution_exchange_t $2:unix_stream_socket connectto; + + # Clock applet talks to exchange (FIXME: Needs policy) + allow $2 evolution_exchange_t:unix_stream_socket 
connectto; + allow $2 evolution_exchange_orbit_tmp_t:sock_file write; +') + +######################################## +## +## Create objects in users evolution home folders. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## The object class of the object being created. +## +## +# +interface(`evolution_home_filetrans',` + gen_require(` + type evolution_home_t; + ') + + allow $1 evolution_home_t:dir rw_dir_perms; + type_transition $1 evolution_home_t:$3 $2; +') + +######################################## +## +## Connect to evolution unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`evolution_stream_connect',` + gen_require(` + type evolution_t, evolution_home_t; + ') + + allow $1 evolution_t:unix_stream_socket connectto; + allow $1 evolution_home_t:dir search; +') + +######################################## +## +## Send and receive messages from +## evolution over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`evolution_dbus_chat',` + gen_require(` + type evolution_t; + class dbus send_msg; + ') + + allow $1 evolution_t:dbus send_msg; + allow evolution_t $1:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## evolution_alarm over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`evolution_alarm_dbus_chat',` + gen_require(` + type evolution_alarm_t; + class dbus send_msg; + ') + + allow $1 evolution_alarm_t:dbus send_msg; + allow evolution_alarm_t $1:dbus send_msg; +') diff --git a/evolution.te b/evolution.te new file mode 100644 index 0000000..cd70958 --- /dev/null +++ b/evolution.te 
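Review bot: `evolution_stream_connect` grants `evolution_t:unix_stream_socket connectto` and `evolution_home_t:dir search` but no `write` on `evolution_home_t:sock_file`; if the socket a caller is meant to reach is a filesystem socket under `~/.evolution` (which the dir search suggests), connect() is denied on the sock_file before the connectto check is ever reached, and if it is an abstract socket the dir search is dead weight. The rest of the policy set uses the idiom for this, so `stream_connect_pattern($1, evolution_home_t, evolution_home_t, evolution_t)` would replace the two allow rules and cover dir search, sock_file write and connectto together. I can't tell from the diff where evolution binds its socket, so confirm that before changing it; if it is abstract, drop the `dir search` and say so in the interface summary instead.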
@@ -0,0 +1,618 @@
+policy_module(evolution, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type evolution_t;
+type evolution_exec_t;
+typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t };
+typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t };
+application_domain(evolution_t, evolution_exec_t)
+ubac_constrained(evolution_t)
+
+type evolution_alarm_t;
+type evolution_alarm_exec_t;
+typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
+typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t };
+application_domain(evolution_alarm_t, evolution_alarm_exec_t)
+ubac_constrained(evolution_alarm_t)
+
+type evolution_alarm_tmpfs_t;
+typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
+typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t };
+files_tmpfs_file(evolution_alarm_tmpfs_t)
+ubac_constrained(evolution_alarm_tmpfs_t)
+
+type evolution_alarm_orbit_tmp_t;
+typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
+typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
+files_tmp_file(evolution_alarm_orbit_tmp_t)
+ubac_constrained(evolution_alarm_orbit_tmp_t)
+
+type evolution_exchange_t;
+type evolution_exchange_exec_t;
+typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t };
+typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t };
+application_domain(evolution_exchange_t, evolution_exchange_exec_t)
+ubac_constrained(evolution_exchange_t)
+
+type evolution_exchange_tmpfs_t;
+typealias 
evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
+typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t };
+files_tmpfs_file(evolution_exchange_tmpfs_t)
+ubac_constrained(evolution_exchange_tmpfs_t)
+
+type evolution_exchange_tmp_t;
+typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
+typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
+files_tmp_file(evolution_exchange_tmp_t)
+ubac_constrained(evolution_exchange_tmp_t)
+
+type evolution_exchange_orbit_tmp_t;
+typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
+typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
+files_tmp_file(evolution_exchange_orbit_tmp_t)
+ubac_constrained(evolution_exchange_orbit_tmp_t)
+
+type evolution_home_t;
+typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
+typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t };
+userdom_user_home_content(evolution_home_t)
+
+type evolution_orbit_tmp_t;
+typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
+typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
+files_tmp_file(evolution_orbit_tmp_t)
+ubac_constrained(evolution_orbit_tmp_t)
+
+type evolution_server_t;
+type evolution_server_exec_t;
+typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t };
+typealias evolution_server_t alias { auditadm_evolution_server_t 
secadm_evolution_server_t };
+application_domain(evolution_server_t, evolution_server_exec_t)
+ubac_constrained(evolution_server_t)
+
+type evolution_server_orbit_tmp_t;
+typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
+typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
+files_tmp_file(evolution_server_orbit_tmp_t)
+ubac_constrained(evolution_server_orbit_tmp_t)
+
+type evolution_tmpfs_t;
+typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
+typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t };
+files_tmpfs_file(evolution_tmpfs_t)
+ubac_constrained(evolution_tmpfs_t)
+
+type evolution_webcal_t;
+type evolution_webcal_exec_t;
+typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t };
+typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t };
+application_domain(evolution_webcal_t, evolution_webcal_exec_t)
+ubac_constrained(evolution_webcal_t)
+
+type evolution_webcal_tmpfs_t;
+typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
+typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
+files_tmpfs_file(evolution_webcal_tmpfs_t)
+ubac_constrained(evolution_webcal_tmpfs_t)
+
+########################################
+#
+# Evolution local policy
+#
+
+allow evolution_t self:capability { setuid setgid sys_nice };
+allow evolution_t self:process { signal getsched setsched };
+allow evolution_t self:fifo_file rw_file_perms;
+allow evolution_t self:tcp_socket create_socket_perms;
+allow evolution_t self:udp_socket create_socket_perms;
+
+allow evolution_t 
evolution_alarm_t:dir search_dir_perms;
+allow evolution_t evolution_alarm_t:file read;
+
+allow evolution_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+can_exec(evolution_t, evolution_alarm_exec_t)
+
+allow evolution_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+allow evolution_t evolution_home_t:dir manage_dir_perms;
+allow evolution_t evolution_home_t:file manage_file_perms;
+allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_search_user_home_dirs(evolution_t)
+
+allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_t evolution_server_t:dir search_dir_perms;
+allow evolution_t evolution_server_t:file read;
+
+allow evolution_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_t evolution_server_orbit_tmp_t:sock_file write;
+
+can_exec(evolution_t, evolution_server_exec_t)
+
+allow evolution_t evolution_tmpfs_t:dir rw_dir_perms;
+allow evolution_t evolution_tmpfs_t:file manage_file_perms;
+allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+#FIXME check to see if really needed
+kernel_read_kernel_sysctls(evolution_t)
+kernel_read_system_state(evolution_t)
+# Allow netstat
+kernel_read_network_state(evolution_t)
+kernel_read_net_sysctls(evolution_t)
+
+corecmd_exec_shell(evolution_t)
+# Run various programs
+corecmd_exec_bin(evolution_t)
+
+corenet_all_recvfrom_unlabeled(evolution_t)
+corenet_all_recvfrom_netlabel(evolution_t)
+corenet_tcp_sendrecv_generic_if(evolution_t)
+corenet_udp_sendrecv_generic_if(evolution_t)
+corenet_raw_sendrecv_generic_if(evolution_t)
+corenet_tcp_sendrecv_generic_node(evolution_t)
+corenet_udp_sendrecv_generic_node(evolution_t)
+corenet_tcp_sendrecv_pop_port(evolution_t)
+corenet_udp_sendrecv_pop_port(evolution_t)
+corenet_tcp_sendrecv_smtp_port(evolution_t)
+corenet_udp_sendrecv_smtp_port(evolution_t)
+corenet_tcp_sendrecv_innd_port(evolution_t)
+corenet_udp_sendrecv_innd_port(evolution_t)
+corenet_tcp_sendrecv_ldap_port(evolution_t)
+corenet_udp_sendrecv_ldap_port(evolution_t)
+corenet_tcp_sendrecv_ipp_port(evolution_t)
+corenet_udp_sendrecv_ipp_port(evolution_t)
+corenet_tcp_connect_pop_port(evolution_t)
+corenet_tcp_connect_smtp_port(evolution_t)
+corenet_tcp_connect_innd_port(evolution_t)
+corenet_tcp_connect_ldap_port(evolution_t)
+corenet_tcp_connect_ipp_port(evolution_t)
+corenet_sendrecv_pop_client_packets(evolution_t)
+corenet_sendrecv_smtp_client_packets(evolution_t)
+corenet_sendrecv_innd_client_packets(evolution_t)
+corenet_sendrecv_ldap_client_packets(evolution_t)
+corenet_sendrecv_ipp_client_packets(evolution_t)
+# not sure about this bind
+corenet_udp_bind_generic_node(evolution_t)
+corenet_udp_bind_generic_port(evolution_t)
+
+dev_read_urand(evolution_t)
+
+domain_dontaudit_read_all_domains_state(evolution_t)
+
+files_read_etc_files(evolution_t)
+files_read_usr_files(evolution_t)
+files_read_usr_symlinks(evolution_t)
+files_read_var_files(evolution_t)
+
+fs_search_auto_mountpoints(evolution_t)
+
+logging_send_syslog_msg(evolution_t)
+
+miscfiles_read_localization(evolution_t)
+
+sysnet_read_config(evolution_t)
+sysnet_dns_name_resolve(evolution_t)
+
+udev_read_state(evolution_t)
+
+userdom_rw_user_tmp_files(evolution_t)
+userdom_manage_user_tmp_dirs(evolution_t)
+userdom_manage_user_tmp_sockets(evolution_t)
+userdom_manage_user_tmp_files(evolution_t)
+userdom_use_user_terminals(evolution_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_t)
+
+mta_read_config(evolution_t)
+
+xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
+xserver_read_xdm_tmp_files(evolution_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(evolution_t)
+ fs_manage_nfs_files(evolution_t)
+ fs_manage_nfs_symlinks(evolution_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(evolution_t)
+ fs_manage_cifs_files(evolution_t)
+ fs_manage_cifs_symlinks(evolution_t)
+')
+
+tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(evolution_t)
+ files_list_home(evolution_t)
+ fs_read_nfs_files(evolution_t)
+ fs_read_nfs_symlinks(evolution_t)
+
+',`
+ files_dontaudit_list_home(evolution_t)
+ fs_dontaudit_list_auto_mountpoints(evolution_t)
+ fs_dontaudit_read_nfs_files(evolution_t)
+ fs_dontaudit_list_nfs(evolution_t)
+')
+
+tunable_policy(`mail_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(evolution_t)
+ files_list_home(evolution_t)
+ fs_read_cifs_files(evolution_t)
+ fs_read_cifs_symlinks(evolution_t)
+',`
+ files_dontaudit_list_home(evolution_t)
+ fs_dontaudit_list_auto_mountpoints(evolution_t)
+ fs_dontaudit_read_cifs_files(evolution_t)
+ fs_dontaudit_list_cifs(evolution_t)
+')
+
+tunable_policy(`mail_read_content',`
+ userdom_list_user_tmp(evolution_t)
+ userdom_read_user_tmp_files(evolution_t)
+ userdom_read_user_tmp_symlinks(evolution_t)
+ userdom_read_user_home_content_files(evolution_t)
+ userdom_read_user_home_content_symlinks(evolution_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(evolution_t)
+ fs_read_removable_files(evolution_t)
+ 
fs_read_removable_symlinks(evolution_t)
+ ')
+',`
+ files_dontaudit_list_tmp(evolution_t)
+ files_dontaudit_list_home(evolution_t)
+ fs_dontaudit_list_removable(evolution_t)
+ fs_dontaudit_read_removable_files(evolution_t)
+ userdom_dontaudit_list_user_tmp(evolution_t)
+ userdom_dontaudit_read_user_tmp_files(evolution_t)
+ userdom_dontaudit_list_user_home_dirs(evolution_t)
+ userdom_dontaudit_read_user_home_content_files(evolution_t)
+')
+
+optional_policy(`
+ automount_read_state(evolution_t)
+')
+
+# Allow printing the mail
+optional_policy(`
+ cups_read_rw_config(evolution_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(evolution_t)
+ dbus_session_bus_client(evolution_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_t)
+')
+
+# Encrypt mail
+optional_policy(`
+ gpg_domtrans(evolution_t)
+ gpg_signal(evolution_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(evolution_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(evolution_t)
+ mozilla_domtrans(evolution_t)
+')
+
+# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
+optional_policy(`
+ nis_use_ypbind(evolution_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_t)
+')
+
+### Junk mail filtering (start spamd)
+optional_policy(`
+ spamassassin_exec_spamd(evolution_t)
+ spamassassin_domtrans_client(evolution_t)
+ spamassassin_domtrans_local_client(evolution_t)
+ # Allow evolution to signal the daemon
+ # FIXME: Now evolution can read spamd temp files
+ spamassassin_read_spamd_tmp_files(evolution_t)
+ spamassassin_signal_spamd(evolution_t)
+ spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
+')
+
+########################################
+#
+# Evolution alarm local policy
+#
+
+allow evolution_alarm_t self:process { signal getsched };
+allow evolution_alarm_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_alarm_t evolution_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_alarm_t 
evolution_alarm_tmpfs_t:dir rw_dir_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_alarm_t evolution_home_t:dir manage_dir_perms;
+allow evolution_alarm_t evolution_home_t:file manage_file_perms;
+allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
+
+dev_read_urand(evolution_alarm_t)
+
+files_read_etc_files(evolution_alarm_t)
+files_read_usr_files(evolution_alarm_t)
+
+fs_search_auto_mountpoints(evolution_alarm_t)
+
+miscfiles_read_localization(evolution_alarm_t)
+
+# Access evolution home
+userdom_search_user_home_dirs(evolution_alarm_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
+
+xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(evolution_alarm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(evolution_alarm_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(evolution_alarm_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_alarm_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_alarm_t)
+')
+
+########################################
+#
+# Evolution exchange connector local policy
+#
+
+allow evolution_exchange_t self:process getsched;
+allow evolution_exchange_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_exchange_t self:tcp_socket create_socket_perms;
+allow evolution_exchange_t self:udp_socket create_socket_perms;
+
+allow evolution_exchange_t evolution_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_exchange_t evolution_home_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_home_t:file manage_file_perms;
+allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write;
+
+# /tmp/.exchange-$USER
+allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir })
+
+allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_network_state(evolution_exchange_t)
+kernel_read_net_sysctls(evolution_exchange_t)
+
+# Allow netstat
+corecmd_exec_bin(evolution_exchange_t)
+
+dev_read_urand(evolution_exchange_t)
+
+files_read_etc_files(evolution_exchange_t)
+files_read_usr_files(evolution_exchange_t)
+
+# Access evolution home
+fs_search_auto_mountpoints(evolution_exchange_t)
+
+miscfiles_read_localization(evolution_exchange_t)
+
+userdom_write_user_tmp_sockets(evolution_exchange_t)
+# Access evolution home
+userdom_search_user_home_dirs(evolution_exchange_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
+
+xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(evolution_exchange_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(evolution_exchange_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_exchange_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_exchange_t)
+')
+
+########################################
+#
+# Evolution data server local policy
+#
+
+allow evolution_server_t self:process { getsched signal };
+
+allow evolution_server_t self:fifo_file { read write };
+allow evolution_server_t self:unix_stream_socket { accept connectto };
+# Talk to ldap (address book),
+# Obtain weather data via http (read server name from xml file in /usr)
+allow evolution_server_t self:tcp_socket create_socket_perms;
+
+allow evolution_server_t evolution_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_server_t evolution_home_t:dir manage_dir_perms;
+allow evolution_server_t 
evolution_home_t:file manage_file_perms;
+allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+kernel_read_system_state(evolution_server_t)
+
+corecmd_exec_shell(evolution_server_t)
+
+# Obtain weather data via http (read server name from xml file in /usr)
+corenet_all_recvfrom_unlabeled(evolution_server_t)
+corenet_all_recvfrom_netlabel(evolution_server_t)
+corenet_tcp_sendrecv_generic_if(evolution_server_t)
+corenet_tcp_sendrecv_generic_node(evolution_server_t)
+corenet_tcp_sendrecv_http_port(evolution_server_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_port(evolution_server_t)
+corenet_sendrecv_http_client_packets(evolution_server_t)
+corenet_sendrecv_http_cache_client_packets(evolution_server_t)
+
+dev_read_urand(evolution_server_t)
+
+files_read_etc_files(evolution_server_t)
+# Obtain weather data via http (read server name from xml file in /usr)
+files_read_usr_files(evolution_server_t)
+
+fs_search_auto_mountpoints(evolution_server_t)
+
+miscfiles_read_localization(evolution_server_t)
+# Look in /etc/pki
+miscfiles_read_generic_certs(evolution_server_t)
+
+# Talk to ldap (address book)
+sysnet_read_config(evolution_server_t)
+sysnet_dns_name_resolve(evolution_server_t)
+sysnet_use_ldap(evolution_server_t)
+
+# Access evolution home
+userdom_search_user_home_dirs(evolution_server_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_server_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(evolution_server_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ 
fs_manage_cifs_files(evolution_server_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_server_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_server_t)
+')
+
+########################################
+#
+# Evolution webcal local policy
+#
+
+allow evolution_webcal_t self:tcp_socket create_socket_perms;
+
+# X/evolution common stuff
+allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+corenet_all_recvfrom_unlabeled(evolution_webcal_t)
+corenet_all_recvfrom_netlabel(evolution_webcal_t)
+corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
+corenet_raw_sendrecv_generic_if(evolution_webcal_t)
+corenet_tcp_sendrecv_generic_node(evolution_webcal_t)
+corenet_raw_sendrecv_generic_node(evolution_webcal_t)
+corenet_tcp_sendrecv_http_port(evolution_webcal_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_port(evolution_webcal_t)
+corenet_sendrecv_http_client_packets(evolution_webcal_t)
+corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
+
+# Networking capability - connect to website and handle ics link
+sysnet_read_config(evolution_webcal_t)
+sysnet_dns_name_resolve(evolution_webcal_t)
+
+# Search home directory (?)
+userdom_search_user_home_dirs(evolution_webcal_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
+
+xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
+
+optional_policy(`
+ nscd_socket_use(evolution_webcal_t)
+')
diff --git a/exim.fc b/exim.fc
new file mode 100644
index 0000000..298f066
--- /dev/null
+++ b/exim.fc
@@ -0,0 +1,8 @@
+/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
+
+ifdef(`distro_debian',`
+/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
+')
diff --git a/exim.if b/exim.if
new file mode 100644
index 0000000..6bef7f8
--- /dev/null
+++ b/exim.if
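Review bot: The two `typealias` lines directly under `type evolution_orbit_tmp_t;` alias `evolution_home_t` instead of `evolution_orbit_tmp_t`, so `user_evolution_orbit_tmp_t` and its staff/sysadm/auditadm/secadm siblings become names for the home-directory type rather than for the /tmp ORBit socket type; any policy or file context still using those per-user names would label ORBit sockets as evolution_home_t, while `files_tmp_file` and `ubac_constrained` on the following lines are applied to the real type the aliases no longer point at. Every other type block in this hunk aliases itself, so this reads as a copy-paste slip; the two lines should be `typealias evolution_orbit_tmp_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };` and `typealias evolution_orbit_tmp_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };`. Separately, `allow evolution_t self:capability { setuid setgid sys_nice };` and the block marked `#FIXME check to see if really needed` are broad for a mail client and would each benefit from a why-comment naming the operation that needs them, so a later reviewer can tell a required grant from a leftover.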
@@ -0,0 +1,196 @@
+## Exim mail transfer agent
+
+########################################
+##
+## Execute a domain transition to run exim.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`exim_domtrans',`
+ gen_require(`
+ type exim_t, exim_exec_t;
+ ')
+
+ domtrans_pattern($1, exim_exec_t, exim_t)
+')
+
+########################################
+##
+## Do not audit attempts to read,
+## exim tmp files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`exim_dontaudit_read_tmp_files',`
+ gen_require(`
+ type exim_tmp_t;
+ ')
+
+ dontaudit $1 exim_tmp_t:file read_file_perms;
+')
+
+########################################
+##
+## Allow domain to read, exim tmp files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`exim_read_tmp_files',`
+ gen_require(`
+ type exim_tmp_t;
+ ')
+
+ allow $1 exim_tmp_t:file read_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+##
+## Read exim PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`exim_read_pid_files',`
+ gen_require(`
+ type exim_var_run_t;
+ ')
+
+ allow $1 exim_var_run_t:file read_file_perms;
+ files_search_pids($1)
+')
+
+########################################
+##
+## Allow the specified domain to read exim's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`exim_read_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ read_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+##
+## Allow the specified domain to append
+## exim log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`exim_append_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ append_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+##
+## Allow the specified domain to manage exim's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`exim_manage_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ manage_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## exim spool dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`exim_manage_spool_dirs',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+')
+
+########################################
+##
+## Read exim spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`exim_read_spool_files',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ allow $1 exim_spool_t:file read_file_perms;
+ allow $1 exim_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## exim spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`exim_manage_spool_files',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ manage_files_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+')
diff --git a/exim.te b/exim.te
new file mode 100644
index 0000000..f28f64b
--- /dev/null
+++ b/exim.te
@@ -0,0 +1,203 @@
+policy_module(exim, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
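Review bot: `exim_domtrans` issues `domtrans_pattern($1, exim_exec_t, exim_t)` without granting the caller search on the directory that holds exim_exec_t, whereas every other interface in this hunk pairs its allow with the matching search interface (`files_search_tmp($1)`, `files_search_pids($1)`, `logging_search_logs($1)`, `files_search_spool($1)`); a caller that does not already search bin directories is denied before the transition is ever attempted. Add `corecmd_search_bin($1)` on the line before the domtrans_pattern call. Minor: the summary of `exim_dontaudit_read_tmp_files` reads `Do not audit attempts to read, exim tmp files` and `exim_read_tmp_files` has the same stray comma; both should drop it.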

+## Allow exim to connect to databases (postgres, mysql)
+##

+##
+gen_tunable(exim_can_connect_db, false)
+
+##
+##

+## Allow exim to read unprivileged user files.
+##

+##
+gen_tunable(exim_read_user_files, false)
+
+##
+##

+## Allow exim to create, read, write, and delete
+## unprivileged user files.
+##

+##
+gen_tunable(exim_manage_user_files, false)
+
+type exim_t;
+type exim_exec_t;
+init_daemon_domain(exim_t, exim_exec_t)
+mta_mailserver(exim_t, exim_exec_t)
+mta_mailserver_user_agent(exim_t)
+application_executable_file(exim_exec_t)
+mta_agent_executable(exim_exec_t)
+
+type exim_log_t;
+logging_log_file(exim_log_t)
+
+type exim_spool_t;
+files_type(exim_spool_t)
+
+type exim_tmp_t;
+files_tmp_file(exim_tmp_t)
+
+type exim_var_run_t;
+files_pid_file(exim_var_run_t)
+
+########################################
+#
+# exim local policy
+#
+
+allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
+allow exim_t self:process { setrlimit setpgid };
+allow exim_t self:fifo_file rw_fifo_file_perms;
+allow exim_t self:unix_stream_socket create_stream_socket_perms;
+allow exim_t self:tcp_socket create_stream_socket_perms;
+allow exim_t self:udp_socket create_socket_perms;
+
+can_exec(exim_t, exim_exec_t)
+
+manage_files_pattern(exim_t, exim_log_t, exim_log_t)
+logging_log_filetrans(exim_t, exim_log_t, { file dir })
+
+manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
+manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
+manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
+files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file })
+
+manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
+manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
+files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
+
+manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
+manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
+files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(exim_t)
+kernel_read_network_state(exim_t)
+kernel_dontaudit_read_system_state(exim_t)
+
+corecmd_search_bin(exim_t)
+
+corenet_all_recvfrom_unlabeled(exim_t)
+corenet_all_recvfrom_netlabel(exim_t)
+corenet_tcp_sendrecv_generic_if(exim_t)
+corenet_udp_sendrecv_generic_if(exim_t)
+corenet_tcp_sendrecv_generic_node(exim_t)
+corenet_udp_sendrecv_generic_node(exim_t)
+corenet_tcp_sendrecv_all_ports(exim_t)
+corenet_tcp_bind_generic_node(exim_t)
+corenet_tcp_bind_smtp_port(exim_t)
+corenet_tcp_bind_amavisd_send_port(exim_t)
+corenet_tcp_connect_auth_port(exim_t)
+corenet_tcp_connect_smtp_port(exim_t)
+corenet_tcp_connect_ldap_port(exim_t)
+corenet_tcp_connect_inetd_child_port(exim_t)
+# connect to spamassassin
+corenet_tcp_connect_spamd_port(exim_t)
+
+dev_read_rand(exim_t)
+dev_read_urand(exim_t)
+
+# Init script handling
+domain_use_interactive_fds(exim_t)
+
+files_search_usr(exim_t)
+files_search_var(exim_t)
+files_read_etc_files(exim_t)
+files_read_etc_runtime_files(exim_t)
+files_getattr_all_mountpoints(exim_t)
+
+fs_getattr_xattr_fs(exim_t)
+fs_list_inotifyfs(exim_t)
+
+auth_use_nsswitch(exim_t)
+
+logging_send_syslog_msg(exim_t)
+
+miscfiles_read_localization(exim_t)
+miscfiles_read_generic_certs(exim_t)
+
+userdom_dontaudit_search_user_home_dirs(exim_t)
+
+mta_read_aliases(exim_t)
+mta_read_config(exim_t)
+mta_manage_spool(exim_t)
+mta_mailserver_delivery(exim_t)
+
+tunable_policy(`exim_can_connect_db',`
+ corenet_tcp_connect_mysqld_port(exim_t)
+ corenet_sendrecv_mysqld_client_packets(exim_t)
+ corenet_tcp_connect_postgresql_port(exim_t)
+ corenet_sendrecv_postgresql_client_packets(exim_t)
+')
+
+tunable_policy(`exim_read_user_files',`
+ userdom_read_user_home_content_files(exim_t)
+ userdom_read_user_tmp_files(exim_t)
+')
+
+tunable_policy(`exim_manage_user_files',`
+ userdom_manage_user_home_content_dirs(exim_t)
+ userdom_read_user_tmp_files(exim_t)
+ userdom_write_user_tmp_files(exim_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(exim_t)
+ clamav_stream_connect(exim_t)
+')
+
+optional_policy(`
+ cron_read_pipes(exim_t)
+ cron_rw_system_job_pipes(exim_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(exim_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(exim, exim_t)
+')
+
+optional_policy(`
+ 
mailman_read_data_files(exim_t)
+ mailman_domtrans(exim_t)
+')
+
+optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ mysql_stream_connect(exim_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ postgresql_stream_connect(exim_t)
+ ')
+')
+
+optional_policy(`
+ procmail_domtrans(exim_t)
+')
+
+optional_policy(`
+ sasl_connect(exim_t)
+')
+
+optional_policy(`
+ # https://bugzilla.redhat.com/show_bug.cgi?id=512710
+ # uses sendmail for outgoing mail and exim
+ # for incoming mail
+ sendmail_manage_tmp_files(exim_t)
+')
+
+optional_policy(`
+ spamassassin_exec(exim_t)
+ spamassassin_exec_client(exim_t)
+')
diff --git a/fail2ban.fc b/fail2ban.fc
new file mode 100644
index 0000000..0de2b83
--- /dev/null
+++ b/fail2ban.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
+
+/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+
+/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
+/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --git a/fail2ban.if b/fail2ban.if
new file mode 100644
index 0000000..f590a1f
--- /dev/null
+++ b/fail2ban.if
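Review bot: The `exim_manage_user_files` tunable is described at the top of the file as allowing exim to `create, read, write, and delete unprivileged user files`, but its body grants `userdom_manage_user_home_content_dirs(exim_t)` plus read and write on user tmp files — manage on home content directories, no manage on home content files — so either the description overstates the access or a `userdom_manage_user_home_content_files(exim_t)` line is missing; the description and the body should be reconciled so an administrator flipping the boolean knows what they are enabling. Also, `allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };` lists `dac_override` next to `dac_read_search`; `dac_override` already covers read/search bypass and additionally bypasses write checks, so if delivery only needs to traverse user mail directories, `dac_read_search` alone is the tighter grant — a comment naming the operation that needs the override would settle this.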
@@ -0,0 +1,175 @@
+## Update firewall filtering to ban IP addresses with too many password failures.
+
+########################################
+##
+## Execute a domain transition to run fail2ban.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`fail2ban_domtrans',`
+ gen_require(`
+ type fail2ban_t, fail2ban_exec_t;
+ ')
+
+ domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
+')
+
+#####################################
+##
+## Connect to fail2ban over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fail2ban_stream_connect',`
+ gen_require(`
+ type fail2ban_t, fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+')
+
+########################################
+##
+## Read and write to an fail2ban unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fail2ban_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+##
+## Read fail2ban lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fail2ban_read_lib_files',`
+ gen_require(`
+ type fail2ban_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 fail2ban_var_lib_t:file read_file_perms;
+')
+
+########################################
+##
+## Allow the specified domain to read fail2ban's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fail2ban_read_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file read_file_perms;
+')
+
+########################################
+##
+## Allow the specified domain to append
+## fail2ban log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fail2ban_append_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file append_file_perms;
+')
+
+########################################
+##
+## Read fail2ban PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fail2ban_read_pid_files',`
+ gen_require(`
+ type fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 fail2ban_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an fail2ban environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the fail2ban domain.
+##
+##
+##
+#
+interface(`fail2ban_admin',`
+ gen_require(`
+ type fail2ban_t, fail2ban_log_t;
+ type fail2ban_var_run_t, fail2ban_initrc_exec_t;
+ ')
+
+ allow $1 fail2ban_t:process { ptrace signal_perms };
+ ps_process_pattern($1, fail2ban_t)
+
+ init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fail2ban_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, fail2ban_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, fail2ban_var_run_t)
+')
diff --git a/fail2ban.te b/fail2ban.te
new file mode 100644
index 0000000..2a69e5e
--- /dev/null
+++ b/fail2ban.te
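Review bot: `fail2ban_read_lib_files` allows reading `fail2ban_var_lib_t` files but grants no `search` on the `fail2ban_var_lib_t` directory itself, so a caller can reach `/var/lib` through `files_search_var_lib` and then be denied on the very path component that carries the new label. Writing it as `read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)` instead of the bare `allow` adds the directory search the interface name promises, and matches the `read_files_pattern` usage in finger.te in this same series. The same type is also missing from `fail2ban_admin`, which covers only the log and pid types; `files_search_var_lib($1)` plus `admin_pattern($1, fail2ban_var_lib_t)` would let the admin role clean up the persistent ban state as well.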
@@ -0,0 +1,98 @@
+policy_module(fail2ban, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type fail2ban_t;
+type fail2ban_exec_t;
+init_daemon_domain(fail2ban_t, fail2ban_exec_t)
+
+type fail2ban_initrc_exec_t;
+init_script_file(fail2ban_initrc_exec_t)
+
+# log files
+type fail2ban_log_t;
+logging_log_file(fail2ban_log_t)
+
+type fail2ban_var_lib_t;
+files_type(fail2ban_var_lib_t)
+
+# pid files
+type fail2ban_var_run_t;
+files_pid_file(fail2ban_var_run_t)
+
+########################################
+#
+# fail2ban local policy
+#
+
+allow fail2ban_t self:capability { sys_tty_config };
+allow fail2ban_t self:process signal;
+allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow fail2ban_t self:unix_dgram_socket create_socket_perms;
+allow fail2ban_t self:tcp_socket create_stream_socket_perms;
+
+# log files
+allow fail2ban_t fail2ban_log_t:dir setattr;
+manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+
+manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file })
+
+# pid file
+manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(fail2ban_t)
+
+corecmd_exec_bin(fail2ban_t)
+corecmd_exec_shell(fail2ban_t)
+
+corenet_all_recvfrom_unlabeled(fail2ban_t)
+corenet_all_recvfrom_netlabel(fail2ban_t)
+corenet_tcp_sendrecv_generic_if(fail2ban_t)
+corenet_tcp_sendrecv_generic_node(fail2ban_t)
+corenet_tcp_sendrecv_all_ports(fail2ban_t)
+corenet_tcp_connect_whois_port(fail2ban_t)
+corenet_sendrecv_whois_client_packets(fail2ban_t)
+
+dev_read_urand(fail2ban_t)
+
+domain_use_interactive_fds(fail2ban_t)
+
+files_read_etc_files(fail2ban_t)
+files_read_etc_runtime_files(fail2ban_t)
+files_read_usr_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_search_var_lib(fail2ban_t)
+
+fs_list_inotifyfs(fail2ban_t)
+fs_getattr_all_fs(fail2ban_t)
+
+auth_use_nsswitch(fail2ban_t)
+
+logging_read_all_logs(fail2ban_t)
+logging_send_syslog_msg(fail2ban_t)
+
+miscfiles_read_localization(fail2ban_t)
+
+mta_send_mail(fail2ban_t)
+
+optional_policy(`
+ apache_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ ftp_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ iptables_domtrans(fail2ban_t)
+')
diff --git a/fetchmail.fc b/fetchmail.fc
new file mode 100644
index 0000000..455c620
--- /dev/null
+++ b/fetchmail.fc
@@ -0,0 +1,19 @@
+
+#
+# /etc
+#
+
+/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
+
+#
+# /usr
+#
+
+/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0)
+
+#
+# /var
+#
+
+/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
diff --git a/fetchmail.if b/fetchmail.if
new file mode 100644
index 0000000..6537214
--- /dev/null
+++ b/fetchmail.if
@@ -0,0 +1,30 @@
+## Remote-mail retrieval and forwarding utility
+
+########################################
+##
+## All of the rules required to administrate
+## an fetchmail environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fetchmail_admin',`
+ gen_require(`
+ type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t;
+ type fetchmail_var_run_t;
+ ')
+
+ ps_process_pattern($1, fetchmail_t)
+
+ files_list_etc($1)
+ admin_pattern($1, fetchmail_etc_t)
+
+ admin_pattern($1, fetchmail_uidl_cache_t)
+
+ files_list_pids($1)
+ admin_pattern($1, fetchmail_var_run_t)
+')
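Review bot: `logging_read_all_logs(fail2ban_t)` grants read access to every log-file type on the system, which makes the optional `apache_read_log` and `ftp_read_log` blocks beneath it redundant and lets the daemon read logs of services it is not configured to watch. If least privilege is the goal, drop the blanket rule and keep the per-service `optional_policy` blocks, adding more as jails require; if the blanket rule is deliberate because jails can point at any log path, a comment above it would keep the next reader from removing it, e.g. `# jail.conf can monitor arbitrary log files, so read all logs rather than per-service types`. Keeping both the broad rule and the two narrow ones with no explanation reads like an oversight either way.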
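Review bot: `/var/run/fetchmail/.* --` labels only regular files below the pid directory, so `/var/run/fetchmail` itself keeps the generic pid-directory label on relabel, while a directory the daemon creates at runtime gets `fetchmail_var_run_t` through `files_pid_filetrans`; the same path ends up labeled differently depending on who created it, and `restorecon` will flip it back. The directory-inclusive form `/var/run/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_var_run_t,s0)` fixes that and follows the `(/.*)?` convention the other new `.fc` files in this series use for their state directories.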
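Review bot: `fetchmail_admin` gives the admin domain `ps_process_pattern` but no process permissions, so an administrator can list the daemon but cannot signal or stop it; the sibling `fail2ban_admin` and `ftp_admin` interfaces in this series both begin with `allow $1 <domain>:process { ptrace signal_perms };`. Adding `allow $1 fetchmail_t:process { ptrace signal_perms };` before the `ps_process_pattern` line brings it in line. The interface also takes no role argument and wires no init script, which is consistent with fetchmail.fc declaring no initrc type, but a one-line comment saying so would stop the omission being read as accidental.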
diff --git a/fetchmail.te b/fetchmail.te
new file mode 100644
index 0000000..3459d93
--- /dev/null
+++ b/fetchmail.te
@@ -0,0 +1,104 @@
+policy_module(fetchmail, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type fetchmail_t;
+type fetchmail_exec_t;
+init_daemon_domain(fetchmail_t, fetchmail_exec_t)
+application_executable_file(fetchmail_exec_t)
+
+type fetchmail_var_run_t;
+files_pid_file(fetchmail_var_run_t)
+
+type fetchmail_etc_t;
+files_config_file(fetchmail_etc_t)
+
+type fetchmail_uidl_cache_t;
+files_type(fetchmail_uidl_cache_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit fetchmail_t self:capability sys_tty_config;
+allow fetchmail_t self:process { signal_perms setrlimit };
+allow fetchmail_t self:unix_dgram_socket create_socket_perms;
+allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
+allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
+allow fetchmail_t self:tcp_socket create_socket_perms;
+allow fetchmail_t self:udp_socket create_socket_perms;
+
+allow fetchmail_t fetchmail_etc_t:file read_file_perms;
+
+allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
+mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
+
+manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(fetchmail_t)
+kernel_list_proc(fetchmail_t)
+kernel_getattr_proc_files(fetchmail_t)
+kernel_read_proc_symlinks(fetchmail_t)
+kernel_dontaudit_read_system_state(fetchmail_t)
+
+#looks like it uses system command - calls uname
+corecmd_exec_bin(fetchmail_t)
+corecmd_exec_shell(fetchmail_t)
+
+corenet_all_recvfrom_unlabeled(fetchmail_t)
+corenet_all_recvfrom_netlabel(fetchmail_t)
+corenet_tcp_sendrecv_generic_if(fetchmail_t)
+corenet_udp_sendrecv_generic_if(fetchmail_t)
+corenet_tcp_sendrecv_generic_node(fetchmail_t)
+corenet_udp_sendrecv_generic_node(fetchmail_t)
+corenet_tcp_sendrecv_dns_port(fetchmail_t)
+corenet_udp_sendrecv_dns_port(fetchmail_t)
+corenet_tcp_sendrecv_pop_port(fetchmail_t)
+corenet_tcp_sendrecv_smtp_port(fetchmail_t)
+corenet_tcp_connect_all_ports(fetchmail_t)
+corenet_sendrecv_all_client_packets(fetchmail_t)
+
+dev_read_sysfs(fetchmail_t)
+dev_read_rand(fetchmail_t)
+dev_read_urand(fetchmail_t)
+
+files_read_etc_files(fetchmail_t)
+files_read_etc_runtime_files(fetchmail_t)
+files_dontaudit_search_home(fetchmail_t)
+
+fs_getattr_all_fs(fetchmail_t)
+fs_search_auto_mountpoints(fetchmail_t)
+
+domain_use_interactive_fds(fetchmail_t)
+
+logging_send_syslog_msg(fetchmail_t)
+
+miscfiles_read_localization(fetchmail_t)
+miscfiles_read_generic_certs(fetchmail_t)
+
+sysnet_read_config(fetchmail_t)
+
+userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+
+optional_policy(`
+ procmail_domtrans(fetchmail_t)
+')
+
+optional_policy(`
+ sendmail_manage_log(fetchmail_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(fetchmail_t)
+')
+
+optional_policy(`
+ udev_read_db(fetchmail_t)
+')
diff --git a/finger.fc b/finger.fc
new file mode 100644
index 0000000..c861192
--- /dev/null
+++ b/finger.fc
@@ -0,0 +1,19 @@
+# fingerd
+
+#
+# /etc
+#
+/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0)
+
+/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/in\.fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
+#
+# /var
+#
+/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
diff --git a/finger.if b/finger.if
new file mode 100644
index 0000000..b5dd671
--- /dev/null
+++ b/finger.if
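Review bot: `corenet_tcp_connect_all_ports(fetchmail_t)` permits outbound TCP to any port, which is far wider than the POP, SMTP and DNS `sendrecv` rules directly above it suggest the author had in mind, and wider than a mail-retrieval agent needs. Unless arbitrary upstream ports are a requirement, replace it with the named connect interfaces, `corenet_tcp_connect_pop_port(fetchmail_t)` and `corenet_tcp_connect_smtp_port(fetchmail_t)` (the latter is already used by exim in this series; confirm the pop variant exists in the corenetwork module in use), and revisit `corenet_sendrecv_all_client_packets` in the same spirit. If the wide rule is intentional, a comment such as `# fetchmailrc may name non-standard server ports` would document the decision.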
@@ -0,0 +1,33 @@
+## Finger user information service.
+
+########################################
+##
+## Execute fingerd in the fingerd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`finger_domtrans',`
+ gen_require(`
+ type fingerd_t, fingerd_exec_t;
+ ')
+
+ domtrans_pattern($1, fingerd_exec_t, fingerd_t)
+')
+
+########################################
+##
+## Allow the specified domain to connect to fingerd with a tcp socket. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`finger_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/finger.te b/finger.te
new file mode 100644
index 0000000..9b7036a
--- /dev/null
+++ b/finger.te
@@ -0,0 +1,121 @@
+policy_module(finger, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type fingerd_t;
+type fingerd_exec_t;
+init_daemon_domain(fingerd_t, fingerd_exec_t)
+inetd_tcp_service_domain(fingerd_t, fingerd_exec_t)
+
+type fingerd_etc_t;
+files_config_file(fingerd_etc_t)
+
+type fingerd_log_t;
+logging_log_file(fingerd_log_t)
+
+type fingerd_var_run_t;
+files_pid_file(fingerd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow fingerd_t self:capability { setgid setuid };
+dontaudit fingerd_t self:capability { sys_tty_config fsetid };
+allow fingerd_t self:process signal_perms;
+allow fingerd_t self:fifo_file rw_fifo_file_perms;
+allow fingerd_t self:tcp_socket connected_stream_socket_perms;
+allow fingerd_t self:udp_socket create_socket_perms;
+allow fingerd_t self:unix_dgram_socket create_socket_perms;
+allow fingerd_t self:unix_stream_socket create_socket_perms;
+
+manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t)
+files_pid_filetrans(fingerd_t, fingerd_var_run_t, file)
+
+allow fingerd_t fingerd_etc_t:dir list_dir_perms;
+read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
+read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
+
+allow fingerd_t fingerd_log_t:file manage_file_perms;
+logging_log_filetrans(fingerd_t, fingerd_log_t, file)
+
+kernel_read_kernel_sysctls(fingerd_t)
+kernel_read_system_state(fingerd_t)
+
+corenet_all_recvfrom_unlabeled(fingerd_t)
+corenet_all_recvfrom_netlabel(fingerd_t)
+corenet_tcp_sendrecv_generic_if(fingerd_t)
+corenet_udp_sendrecv_generic_if(fingerd_t)
+corenet_tcp_sendrecv_generic_node(fingerd_t)
+corenet_udp_sendrecv_generic_node(fingerd_t)
+corenet_tcp_sendrecv_all_ports(fingerd_t)
+corenet_udp_sendrecv_all_ports(fingerd_t)
+corenet_tcp_bind_generic_node(fingerd_t)
+corenet_tcp_bind_fingerd_port(fingerd_t)
+
+dev_read_sysfs(fingerd_t)
+
+fs_getattr_all_fs(fingerd_t)
+fs_search_auto_mountpoints(fingerd_t)
+
+term_getattr_all_ttys(fingerd_t)
+term_getattr_all_ptys(fingerd_t)
+
+auth_read_lastlog(fingerd_t)
+
+corecmd_exec_bin(fingerd_t)
+corecmd_exec_shell(fingerd_t)
+
+domain_use_interactive_fds(fingerd_t)
+
+files_search_home(fingerd_t)
+files_read_etc_files(fingerd_t)
+files_read_etc_runtime_files(fingerd_t)
+
+init_read_utmp(fingerd_t)
+init_dontaudit_write_utmp(fingerd_t)
+
+logging_send_syslog_msg(fingerd_t)
+
+mta_getattr_spool(fingerd_t)
+
+sysnet_read_config(fingerd_t)
+
+miscfiles_read_localization(fingerd_t)
+
+# stop it accessing sub-directories, prevents checking a Maildir for new mail,
+# have to change this when we create a type for Maildir
+userdom_read_user_home_content_files(fingerd_t)
+userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
+
+optional_policy(`
+ cron_system_entry(fingerd_t, fingerd_exec_t)
+')
+
+optional_policy(`
+ logrotate_exec(fingerd_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(fingerd_t)
+')
+
+optional_policy(`
+ nscd_socket_use(fingerd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(fingerd_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(fingerd_t, fingerd_exec_t)
+')
+
+optional_policy(`
+ udev_read_db(fingerd_t)
+')
diff --git a/firstboot.fc b/firstboot.fc
new file mode 100644
index 0000000..ba614e4
--- /dev/null
+++ b/firstboot.fc
@@ -0,0 +1,3 @@
+/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+
+/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/firstboot.if b/firstboot.if
new file mode 100644
index 0000000..8fa451c
--- /dev/null
+++ b/firstboot.if
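Review bot: `allow fingerd_t self:tcp_socket connected_stream_socket_perms;` does not include `create`, so the daemon can only serve a socket handed to it by inetd, yet the same hunk grants `corenet_tcp_bind_generic_node` and `corenet_tcp_bind_fingerd_port` as if it also ran standalone under `init_daemon_domain`. If standalone mode is meant to work, the line should read `allow fingerd_t self:tcp_socket create_stream_socket_perms;`, as fail2ban and ftpd use in this series; if only the inetd path is supported, the two bind rules are dead and a comment noting the inetd-only assumption would be clearer. This relies on the refpolicy definition of `connected_stream_socket_perms`, so please confirm against the permission-set macros in use.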
@@ -0,0 +1,157 @@
+##
+## Final system configuration run during the first boot
+## after installation of Red Hat/Fedora systems.
+##
+
+########################################
+##
+## Execute firstboot in the firstboot domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`firstboot_domtrans',`
+ gen_require(`
+ type firstboot_t, firstboot_exec_t;
+ ')
+
+ domtrans_pattern($1, firstboot_exec_t, firstboot_t)
+')
+
+########################################
+##
+## Execute firstboot in the firstboot domain, and
+## allow the specified role the firstboot domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`firstboot_run',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ firstboot_domtrans($1)
+ role $2 types firstboot_t;
+')
+
+########################################
+##
+## Inherit and use a file descriptor from firstboot.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`firstboot_use_fds',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ allow $1 firstboot_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to inherit a
+## file descriptor from firstboot.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`firstboot_dontaudit_use_fds',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:fd use;
+')
+
+########################################
+##
+## Write to a firstboot unnamed pipe.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`firstboot_write_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ allow $1 firstboot_t:fifo_file write;
+')
+
+########################################
+##
+## Read and Write to a firstboot unnamed pipe.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`firstboot_rw_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ allow $1 firstboot_t:fifo_file { read write };
+')
+
+########################################
+##
+## Do not audit attemps to read and write to a firstboot unnamed pipe.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`firstboot_dontaudit_rw_pipes',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:fifo_file { read write };
+')
+
+########################################
+##
+## Do not audit attemps to read and write to a firstboot
+## unix domain stream socket.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`firstboot_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type firstboot_t;
+ ')
+
+ dontaudit $1 firstboot_t:unix_stream_socket { read write };
+')
diff --git a/firstboot.te b/firstboot.te
new file mode 100644
index 0000000..c4d8998
--- /dev/null
+++ b/firstboot.te
@@ -0,0 +1,135 @@
+policy_module(firstboot, 1.12.0)
+
+gen_require(`
+ class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+
+type firstboot_t;
+type firstboot_exec_t;
+init_system_domain(firstboot_t, firstboot_exec_t)
+domain_obj_id_change_exemption(firstboot_t)
+domain_subj_id_change_exemption(firstboot_t)
+role system_r types firstboot_t;
+
+type firstboot_etc_t;
+files_config_file(firstboot_etc_t)
+
+########################################
+#
+# Local policy
+#
+
+allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:process setfscreate;
+allow firstboot_t self:fifo_file rw_fifo_file_perms;
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
+allow firstboot_t self:passwd rootok;
+
+allow firstboot_t firstboot_etc_t:file read_file_perms;
+
+kernel_read_system_state(firstboot_t)
+kernel_read_kernel_sysctls(firstboot_t)
+
+corenet_all_recvfrom_unlabeled(firstboot_t)
+corenet_all_recvfrom_netlabel(firstboot_t)
+corenet_tcp_sendrecv_generic_if(firstboot_t)
+corenet_tcp_sendrecv_generic_node(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
+
+dev_read_urand(firstboot_t)
+
+selinux_get_fs_mount(firstboot_t)
+selinux_validate_context(firstboot_t)
+selinux_compute_access_vector(firstboot_t)
+selinux_compute_create_context(firstboot_t)
+selinux_compute_relabel_context(firstboot_t)
+selinux_compute_user_contexts(firstboot_t)
+
+auth_dontaudit_getattr_shadow(firstboot_t)
+
+corecmd_exec_all_executables(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_read_usr_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+
+init_domtrans_script(firstboot_t)
+init_rw_utmp(firstboot_t)
+
+libs_exec_ld_so(firstboot_t)
+libs_exec_lib_files(firstboot_t)
+
+locallogin_use_fds(firstboot_t)
+
+logging_send_syslog_msg(firstboot_t)
+
+miscfiles_read_localization(firstboot_t)
+
+modutils_domtrans_insmod(firstboot_t)
+modutils_domtrans_depmod(firstboot_t)
+modutils_read_module_config(firstboot_t)
+modutils_read_module_deps(firstboot_t)
+
+userdom_use_user_terminals(firstboot_t)
+# Add/remove user home directories
+userdom_manage_user_home_content_dirs(firstboot_t)
+userdom_manage_user_home_content_files(firstboot_t)
+userdom_manage_user_home_content_symlinks(firstboot_t)
+userdom_manage_user_home_content_pipes(firstboot_t)
+userdom_manage_user_home_content_sockets(firstboot_t)
+userdom_home_filetrans_user_home_dir(firstboot_t)
+userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ consoletype_domtrans(firstboot_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(firstboot_t)
+
+ optional_policy(`
+ hal_dbus_chat(firstboot_t)
+ ')
+')
+
+optional_policy(`
+ nis_use_ypbind(firstboot_t)
+')
+
+optional_policy(`
+ samba_rw_config(firstboot_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(firstboot_t)
+ # The big hammer
+ unconfined_domain(firstboot_t)
+')
+
+optional_policy(`
+ usermanage_domtrans_chfn(firstboot_t)
+ usermanage_domtrans_groupadd(firstboot_t)
+ usermanage_domtrans_passwd(firstboot_t)
+ usermanage_domtrans_useradd(firstboot_t)
+ usermanage_domtrans_admin_passwd(firstboot_t)
+')
+
+optional_policy(`
+ gnome_manage_config(firstboot_t)
+')
+
+optional_policy(`
+ xserver_domtrans(firstboot_t)
+ xserver_rw_shm(firstboot_t)
+ xserver_unconfined(firstboot_t)
+')
diff --git a/fprintd.fc b/fprintd.fc
new file mode 100644
index 0000000..a4f5fb1
--- /dev/null
+++ b/fprintd.fc
@@ -0,0 +1,2 @@
+/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
+/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0)
diff --git a/fprintd.if b/fprintd.if
new file mode 100644
index 0000000..ebad8c4
--- /dev/null
+++ b/fprintd.if
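Review bot: `unconfined_domain(firstboot_t)` in the `optional_policy` block marked `# The big hammer` makes every rule above it moot whenever the unconfined module is loaded, since the domain then bypasses type enforcement altogether, and together with `allow firstboot_t self:passwd rootok` and `domain_subj_id_change_exemption` that amounts to root with no mandatory access control. That may be acceptable for a one-shot post-install tool, but the comment should state the consequence so the confinement rules above are not mistaken for the effective policy, e.g. `# NOTE: with the unconfined module loaded firstboot_t is fully unconfined; the rules above only bind on builds without it`. If the confined rules are meant to be authoritative, keeping only `unconfined_domtrans(firstboot_t)` would let firstboot hand off to unconfined_t explicitly instead of being unconfined itself.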
@@ -0,0 +1,41 @@
+## DBus fingerprint reader service
+
+########################################
+##
+## Execute a domain transition to run fprintd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`fprintd_domtrans',`
+ gen_require(`
+ type fprintd_t, fprintd_exec_t;
+ ')
+
+ domtrans_pattern($1, fprintd_exec_t, fprintd_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## fprintd over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fprintd_dbus_chat',`
+ gen_require(`
+ type fprintd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 fprintd_t:dbus send_msg;
+ allow fprintd_t $1:dbus send_msg;
+')
+
diff --git a/fprintd.te b/fprintd.te
new file mode 100644
index 0000000..7df52c7
--- /dev/null
+++ b/fprintd.te
@@ -0,0 +1,57 @@
+policy_module(fprintd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type fprintd_t;
+type fprintd_exec_t;
+dbus_system_domain(fprintd_t, fprintd_exec_t)
+
+type fprintd_var_lib_t;
+files_type(fprintd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow fprintd_t self:capability sys_ptrace;
+allow fprintd_t self:fifo_file rw_fifo_file_perms;
+allow fprintd_t self:process { getsched signal };
+
+manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file })
+
+kernel_read_system_state(fprintd_t)
+
+corecmd_search_bin(fprintd_t)
+
+dev_list_usbfs(fprintd_t)
+dev_rw_generic_usb_dev(fprintd_t)
+dev_read_sysfs(fprintd_t)
+
+files_read_etc_files(fprintd_t)
+files_read_usr_files(fprintd_t)
+
+fs_getattr_all_fs(fprintd_t)
+
+auth_use_nsswitch(fprintd_t)
+
+miscfiles_read_localization(fprintd_t)
+
+userdom_use_user_ptys(fprintd_t)
+userdom_read_all_users_state(fprintd_t)
+
+optional_policy(`
+ consolekit_dbus_chat(fprintd_t)
+')
+
+optional_policy(`
+ policykit_read_reload(fprintd_t)
+ policykit_read_lib(fprintd_t)
+ policykit_dbus_chat(fprintd_t)
+ policykit_domtrans_auth(fprintd_t)
+')
diff --git a/ftp.fc b/ftp.fc
new file mode 100644
index 0000000..69dcd2a
--- /dev/null
+++ b/ftp.fc
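Review bot: `allow fprintd_t self:capability sys_ptrace;` hands a D-Bus-activated fingerprint daemon CAP_SYS_PTRACE with no comment on why, and together with `userdom_read_all_users_state(fprintd_t)` it lets the service inspect other users' `/proc` entries; this is one of the capabilities that normally needs a written justification. If it was added only because a `/proc/<pid>` read by the daemon tripped an audit denial it tolerates, `dontaudit fprintd_t self:capability sys_ptrace;` is the usual choice; if it is genuinely required, a line above it such as `# sys_ptrace: needed to read /proc/<pid> of D-Bus callers for PolicyKit checks - verify` records the reason. Either way the bare rule should not land without one.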
@@ -0,0 +1,31 @@
+#
+# /etc
+#
+/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0)
+
+/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0)
+
+/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/ftp.if b/ftp.if
new file mode 100644
index 0000000..9d3201b
--- /dev/null
+++ b/ftp.if
@@ -0,0 +1,206 @@
+## File transfer protocol service
+
+#######################################
+##
+## Allow domain dyntransition to sftpd_anon domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ftp_dyntrans_anon_sftpd',`
+ gen_require(`
+ type anon_sftpd_t;
+ ')
+
+ dyntrans_pattern($1, anon_sftpd_t)
+')
+
+########################################
+##
+## Use ftp by connecting over TCP. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ftp_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Read ftpd etc files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ftp_read_config',`
+ gen_require(`
+ type ftpd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 ftpd_etc_t:file read_file_perms;
+')
+
+########################################
+##
+## Execute FTP daemon entry point programs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ftp_check_exec',`
+ gen_require(`
+ type ftpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 ftpd_exec_t:file { getattr execute };
+')
+
+########################################
+##
+## Read FTP transfer logs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ftp_read_log',`
+ gen_require(`
+ type xferlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 xferlog_t:file read_file_perms;
+')
+
+########################################
+##
+## Execute the ftpdctl program in the ftpdctl domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ftp_domtrans_ftpdctl',`
+ gen_require(`
+ type ftpdctl_t, ftpdctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t)
+')
+
+########################################
+##
+## Execute the ftpdctl program in the ftpdctl domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to allow the ftpdctl domain.
+##
+##
+##
+#
+interface(`ftp_run_ftpdctl',`
+ gen_require(`
+ type ftpdctl_t;
+ ')
+
+ ftp_domtrans_ftpdctl($1)
+ role $2 types ftpdctl_t;
+')
+
+#######################################
+##
+## Allow domain dyntransition to sftpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ftp_dyntrans_sftpd',`
+ gen_require(`
+ type sftpd_t;
+ ')
+
+ dyntrans_pattern($1, sftpd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ftp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the ftp domain.
+##
+##
+##
+#
+interface(`ftp_admin',`
+ gen_require(`
+ type ftpd_t, ftpdctl_t, ftpd_tmp_t;
+ type ftpd_etc_t, ftpd_lock_t;
+ type ftpd_var_run_t, xferlog_t;
+ type ftpd_initrc_exec_t;
+ ')
+
+ allow $1 ftpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ftpd_t)
+
+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ftpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ ps_process_pattern($1, ftpdctl_t)
+ ftp_run_ftpdctl($1, $2)
+
+ miscfiles_manage_public_files($1)
+
+ files_list_tmp($1)
+ admin_pattern($1, ftpd_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, ftpd_etc_t)
+
+ files_list_var($1)
+ admin_pattern($1, ftpd_lock_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ftpd_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, xferlog_t)
+')
diff --git a/ftp.te b/ftp.te
new file mode 100644
index 0000000..02ffdfb
--- /dev/null
+++ b/ftp.te
@@ -0,0 +1,412 @@
+policy_module(ftp, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
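Review bot: `ftp_admin` omits two of the types ftp.te declares, `ftpd_tmpfs_t` and `ftpdctl_tmp_t`, so an administrator given this interface can manage the daemon's tmp, etc, lock, pid and log objects but not its tmpfs files or the ftpdctl tmp files, which contradicts the "All of the rules required to administrate" summary. Adding both types to the `gen_require` block and appending `admin_pattern($1, ftpd_tmpfs_t)` and `admin_pattern($1, ftpdctl_tmp_t)` closes the gap. Separately, the summary of `ftp_check_exec` says "Execute FTP daemon entry point programs" while the rule grants only `{ getattr execute }` with no transition or `execute_no_trans`; the text would be more accurate as `## Check for and execute the FTP daemon entry point without running it in the caller domain.`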

+## Allow ftp servers to upload files, used for public file
+## transfer services. Directories must be labeled
+## public_content_rw_t.
+##

+##
+gen_tunable(allow_ftpd_anon_write, false)
+
+##
+##

+## Allow ftp servers to login to local users and
+## read/write all files on the system, governed by DAC.
+##

+##
+gen_tunable(allow_ftpd_full_access, false)
+
+##
+##

+## Allow ftp servers to use cifs
+## used for public file transfer services.
+##

+##
+gen_tunable(allow_ftpd_use_cifs, false)
+
+##
+##

+## Allow ftp servers to use nfs
+## used for public file transfer services.
+##

+##
+gen_tunable(allow_ftpd_use_nfs, false)
+
+##
+##

+## Allow ftp to read and write files in the user home directories
+##

+##
+gen_tunable(ftp_home_dir, false)
+
+##
+##

+## Allow anon internal-sftp to upload files, used for
+## public file transfer services. Directories must be labeled
+## public_content_rw_t.
+##

+##
+gen_tunable(sftpd_anon_write, false)
+
+##
+##

+## Allow sftp-internal to read and write files
+## in the user home directories
+##

+##
+gen_tunable(sftpd_enable_homedirs, false)
+
+##
+##

+## Allow sftp-internal to login to local users and
+## read/write all files on the system, governed by DAC.
+##

+##
+gen_tunable(sftpd_full_access, false)
+
+type anon_sftpd_t;
+typealias anon_sftpd_t alias sftpd_anon_t;
+domain_type(anon_sftpd_t)
+role system_r types anon_sftpd_t;
+
+type ftpd_t;
+type ftpd_exec_t;
+init_daemon_domain(ftpd_t, ftpd_exec_t)
+
+type ftpd_etc_t;
+files_config_file(ftpd_etc_t)
+
+type ftpd_initrc_exec_t;
+init_script_file(ftpd_initrc_exec_t)
+
+type ftpd_lock_t;
+files_lock_file(ftpd_lock_t)
+
+type ftpd_tmp_t;
+files_tmp_file(ftpd_tmp_t)
+
+type ftpd_tmpfs_t;
+files_tmpfs_file(ftpd_tmpfs_t)
+
+type ftpd_var_run_t;
+files_pid_file(ftpd_var_run_t)
+
+type ftpdctl_t;
+type ftpdctl_exec_t;
+init_system_domain(ftpdctl_t, ftpdctl_exec_t)
+
+type ftpdctl_tmp_t;
+files_tmp_file(ftpdctl_tmp_t)
+
+type sftpd_t;
+domain_type(sftpd_t)
+role system_r types sftpd_t;
+
+type xferlog_t;
+logging_log_file(xferlog_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# anon-sftp local policy
+#
+
+files_read_etc_files(anon_sftpd_t)
+
+miscfiles_read_public_files(anon_sftpd_t)
+
+tunable_policy(`sftpd_anon_write',`
+ miscfiles_manage_public_files(anon_sftpd_t)
+')
+
+########################################
+#
+# ftpd local policy
+#
+
+allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
+dontaudit ftpd_t self:capability sys_tty_config;
+allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
+allow ftpd_t self:fifo_file rw_fifo_file_perms;
+allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
+allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
+allow ftpd_t self:tcp_socket create_stream_socket_perms;
+allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:shm create_shm_perms;
+allow ftpd_t self:key manage_key_perms;
+
+allow ftpd_t ftpd_etc_t:file read_file_perms;
+
+allow ftpd_t ftpd_lock_t:file manage_file_perms;
+files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+
+manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
+
+manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
+
+# proftpd requires the client side to bind a socket so that
+# it can stat the socket to perform access control decisions,
+# since getsockopt with SO_PEERCRED is not available on all
+# proftpd-supported OSs
+allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
+
+# Create and modify /var/log/xferlog.
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) +logging_log_filetrans(ftpd_t, xferlog_t, file) + +kernel_read_kernel_sysctls(ftpd_t) +kernel_read_system_state(ftpd_t) +kernel_search_network_state(ftpd_t) + +dev_read_sysfs(ftpd_t) +dev_read_urand(ftpd_t) + +corecmd_exec_bin(ftpd_t) + +corenet_all_recvfrom_unlabeled(ftpd_t) +corenet_all_recvfrom_netlabel(ftpd_t) +corenet_tcp_sendrecv_generic_if(ftpd_t) +corenet_udp_sendrecv_generic_if(ftpd_t) +corenet_tcp_sendrecv_generic_node(ftpd_t) +corenet_udp_sendrecv_generic_node(ftpd_t) +corenet_tcp_sendrecv_all_ports(ftpd_t) +corenet_udp_sendrecv_all_ports(ftpd_t) +corenet_tcp_bind_generic_node(ftpd_t) +corenet_tcp_bind_ftp_port(ftpd_t) +corenet_tcp_bind_ftp_data_port(ftpd_t) +corenet_tcp_bind_generic_port(ftpd_t) +corenet_tcp_bind_all_unreserved_ports(ftpd_t) +corenet_dontaudit_tcp_bind_all_ports(ftpd_t) +corenet_tcp_connect_all_ports(ftpd_t) +corenet_sendrecv_ftp_server_packets(ftpd_t) + +domain_use_interactive_fds(ftpd_t) + +files_search_etc(ftpd_t) +files_read_etc_files(ftpd_t) +files_read_etc_runtime_files(ftpd_t) +files_search_var_lib(ftpd_t) + +fs_search_auto_mountpoints(ftpd_t) +fs_getattr_all_fs(ftpd_t) +fs_search_fusefs(ftpd_t) + +auth_use_nsswitch(ftpd_t) +auth_domtrans_chk_passwd(ftpd_t) +# Append to /var/log/wtmp. 
+auth_append_login_records(ftpd_t) +#kerberized ftp requires the following +auth_write_login_records(ftpd_t) +auth_rw_faillog(ftpd_t) + +init_rw_utmp(ftpd_t) + +logging_send_audit_msgs(ftpd_t) +logging_send_syslog_msg(ftpd_t) +logging_set_loginuid(ftpd_t) + +miscfiles_read_localization(ftpd_t) +miscfiles_read_public_files(ftpd_t) + +seutil_dontaudit_search_config(ftpd_t) + +sysnet_read_config(ftpd_t) +sysnet_use_ldap(ftpd_t) + +userdom_dontaudit_use_unpriv_user_fds(ftpd_t) +userdom_dontaudit_search_user_home_dirs(ftpd_t) + +tunable_policy(`allow_ftpd_anon_write',` + miscfiles_manage_public_files(ftpd_t) +') + +tunable_policy(`allow_ftpd_use_cifs',` + fs_read_cifs_files(ftpd_t) + fs_read_cifs_symlinks(ftpd_t) +') + +tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` + fs_manage_cifs_files(ftpd_t) +') + +tunable_policy(`allow_ftpd_use_nfs',` + fs_read_nfs_files(ftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') + +tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` + fs_manage_nfs_files(ftpd_t) +') + +tunable_policy(`allow_ftpd_full_access',` + allow ftpd_t self:capability { dac_override dac_read_search }; + auth_manage_all_files_except_auth_files(ftpd_t) +') + +tunable_policy(`ftp_home_dir',` + allow ftpd_t self:capability { dac_override dac_read_search }; + + # allow access to /home + files_list_home(ftpd_t) + userdom_read_user_home_content_files(ftpd_t) + userdom_manage_user_home_content_dirs(ftpd_t) + userdom_manage_user_home_content_files(ftpd_t) + userdom_manage_user_home_content_symlinks(ftpd_t) + userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) +') + +tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` + fs_manage_nfs_files(ftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') + +tunable_policy(`ftp_home_dir && use_samba_home_dirs',` + fs_manage_cifs_files(ftpd_t) + fs_read_cifs_symlinks(ftpd_t) +') + +optional_policy(` + tunable_policy(`ftp_home_dir',` + apache_search_sys_content(ftpd_t) + ') +') + +optional_policy(` + 
corecmd_exec_shell(ftpd_t) + + files_read_usr_files(ftpd_t) + + cron_system_entry(ftpd_t, ftpd_exec_t) + + optional_policy(` + logrotate_exec(ftpd_t) + ') +') + +optional_policy(` + daemontools_service_domain(ftpd_t, ftpd_exec_t) +') + +optional_policy(` + selinux_validate_context(ftpd_t) + + kerberos_keytab_template(ftpd, ftpd_t) + kerberos_manage_host_rcache(ftpd_t) +') + +optional_policy(` + inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) + + optional_policy(` + tcpd_domtrans(tcpd_t) + ') +') + +optional_policy(` + dbus_system_bus_client(ftpd_t) + + optional_policy(` + oddjob_dbus_chat(ftpd_t) + oddjob_domtrans_mkhomedir(ftpd_t) + ') +') + +optional_policy(` + seutil_sigchld_newrole(ftpd_t) +') + +optional_policy(` + udev_read_db(ftpd_t) +') + +######################################## +# +# ftpdctl local policy +# + +# Allow ftpdctl to talk to ftpd over a socket connection +stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) + +# ftpdctl creates a socket so that the daemon can perform +# access control decisions (see comments in ftpd_t rules above) +allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr }; +files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) + +# Allow ftpdctl to read config files +files_read_etc_files(ftpdctl_t) + +userdom_use_user_terminals(ftpdctl_t) + +######################################## +# +# sftpd local policy +# + +files_read_etc_files(sftpd_t) + +# allow read access to /home by default +userdom_read_user_home_content_files(sftpd_t) +userdom_read_user_home_content_symlinks(sftpd_t) + +tunable_policy(`sftpd_enable_homedirs',` + allow sftpd_t self:capability { dac_override dac_read_search }; + + # allow access to /home + files_list_home(sftpd_t) + userdom_manage_user_home_content_files(sftpd_t) + userdom_manage_user_home_content_dirs(sftpd_t) + userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) +') + +tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` + 
fs_manage_nfs_dirs(sftpd_t) + fs_manage_nfs_files(sftpd_t) + fs_manage_nfs_symlinks(sftpd_t) +') + +tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` + fs_manage_cifs_dirs(sftpd_t) + fs_manage_cifs_files(sftpd_t) + fs_manage_cifs_symlinks(sftpd_t) +') + +tunable_policy(`sftpd_full_access',` + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) + auth_manage_all_files_except_auth_files(sftpd_t) +') + +tunable_policy(`use_samba_home_dirs',` + # allow read access to /home by default + fs_list_cifs(sftpd_t) + fs_read_cifs_files(sftpd_t) + fs_read_cifs_symlinks(sftpd_t) +') + +tunable_policy(`use_nfs_home_dirs',` + # allow read access to /home by default + fs_list_nfs(sftpd_t) + fs_read_nfs_files(sftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') diff --git a/games.fc b/games.fc new file mode 100644 index 0000000..78dc515 --- /dev/null +++ b/games.fc 
@@ -0,0 +1,66 @@ +# +# /usr +# +/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0) +/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0) + +# +# /var +# +/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0) +/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0) + +ifndef(`distro_debian',` +/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kbattleship -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kblackbox -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kbounce -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kenolaba -- gen_context(system_u:object_r:games_exec_t,s0) 
+/usr/bin/kfouleggs -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0) +')dnl end non-Debian section 
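Review bot: `/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)` in the non-Debian section labels an instant-messaging client as a game, so it would run in games_t with whatever network and device access games.te grants that domain; confirm the entry is intended and, if it is, comment it, e.g. `# micq (IM client) is kept in games_t for lack of a dedicated domain`. The section also mixes GNOME, KDE and miscellaneous names in no order; sorting the entries alphabetically would make later additions and duplicate checks easier.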
diff --git a/games.if b/games.if
new file mode 100644
index 0000000..7ac736d
--- /dev/null
+++ b/games.if
@@ -0,0 +1,51 @@
+## Games
+
+############################################################
+##
+## Role access for games
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`games_role',`
+ gen_require(`
+ type games_t, games_exec_t;
+ ')
+
+ role $1 types games_t;
+
+ domtrans_pattern($2, games_exec_t, games_t)
+ allow $2 games_t:unix_stream_socket connectto;
+ allow games_t $2:unix_stream_socket connectto;
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, games_t)
+ allow $2 games_t:process signal_perms;
+')
+
+########################################
+##
+## Allow the specified domain to read/write
+## games data.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`games_rw_data',`
+ gen_require(`
+ type games_data_t;
+ ')
+
+ rw_files_pattern($1, games_data_t, games_data_t)
+')
diff --git a/games.te b/games.te
new file mode 100644
index 0000000..ac4f509
--- /dev/null
+++ b/games.te
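Review bot: `allow games_t $2:unix_stream_socket connectto;` in games_role lets the game domain connect to any unix stream socket owned by the calling user domain, the reverse of the usual user-to-application direction, and nothing in the interface says why it is needed; a comment such as `# game connects back to user-domain sockets (session helpers) — confirm still required` would let a later maintainer decide whether it can go. The `+##` lines around "Role allowed access" and "User domain for the role" appear empty here; if the `<summary>`/`<param>` markup was dropped in the commit rather than in rendering, the refpolicy documentation tooling will not pick this interface up.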
@@ -0,0 +1,181 @@ +policy_module(games, 2.1.0) + +######################################## +# +# Declarations +# + +type games_t; +type games_exec_t; +typealias games_t alias { user_games_t staff_games_t sysadm_games_t }; +typealias games_t alias { auditadm_games_t secadm_games_t }; +application_domain(games_t, games_exec_t) +ubac_constrained(games_t) + +type games_data_t; +typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t }; +typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t }; +files_type(games_data_t) +ubac_constrained(games_data_t) + +type games_devpts_t; +typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t }; +typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t }; +term_pty(games_devpts_t) +ubac_constrained(games_devpts_t) + +# games_srv_t is for system operation of games, generic games daemons and +# games recovery scripts +type games_srv_t; +init_system_domain(games_srv_t, games_exec_t) + +type games_srv_var_run_t; +files_pid_file(games_srv_var_run_t) + +type games_tmp_t; +typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t }; +typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t }; +files_tmp_file(games_tmp_t) +ubac_constrained(games_tmp_t) + +type games_tmpfs_t; +typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t }; +typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t }; +files_tmpfs_file(games_tmpfs_t) +ubac_constrained(games_tmpfs_t) + +######################################## +# +# Server local policy +# + +dontaudit games_srv_t self:capability sys_tty_config; +allow games_srv_t self:process signal_perms; + +manage_files_pattern(games_srv_t, games_data_t, games_data_t) +manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t) + +manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t) 
+files_pid_filetrans(games_srv_t, games_srv_var_run_t, file) + +can_exec(games_srv_t, games_exec_t) + +kernel_read_kernel_sysctls(games_srv_t) +kernel_list_proc(games_srv_t) +kernel_read_proc_symlinks(games_srv_t) + +dev_read_sysfs(games_srv_t) + +fs_getattr_all_fs(games_srv_t) +fs_search_auto_mountpoints(games_srv_t) + +term_dontaudit_use_console(games_srv_t) + +domain_use_interactive_fds(games_srv_t) + +init_use_fds(games_srv_t) +init_use_script_ptys(games_srv_t) + +logging_send_syslog_msg(games_srv_t) + +miscfiles_read_localization(games_srv_t) + +userdom_dontaudit_use_unpriv_user_fds(games_srv_t) + +userdom_dontaudit_search_user_home_dirs(games_srv_t) + +optional_policy(` + seutil_sigchld_newrole(games_srv_t) +') + +optional_policy(` + udev_read_db(games_srv_t) +') + +######################################## +# +# Local policy +# + +allow games_t self:sem create_sem_perms; +allow games_t self:tcp_socket create_stream_socket_perms; +allow games_t self:udp_socket create_socket_perms; + +manage_files_pattern(games_t, games_data_t, games_data_t) +manage_lnk_files_pattern(games_t, games_data_t, games_data_t) + +allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr }; +term_create_pty(games_t, games_devpts_t) + +manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t) +manage_files_pattern(games_t, games_tmp_t, games_tmp_t) +files_tmp_filetrans(games_t, games_tmp_t, { file dir }) + +manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) +manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) +manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) +manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) +fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file }) + +can_exec(games_t, games_exec_t) + +kernel_read_system_state(games_t) + +corecmd_exec_bin(games_t) + +corenet_all_recvfrom_unlabeled(games_t) +corenet_all_recvfrom_netlabel(games_t) +corenet_tcp_sendrecv_generic_if(games_t) 
+corenet_udp_sendrecv_generic_if(games_t) +corenet_tcp_sendrecv_generic_node(games_t) +corenet_udp_sendrecv_generic_node(games_t) +corenet_tcp_sendrecv_all_ports(games_t) +corenet_udp_sendrecv_all_ports(games_t) +corenet_tcp_bind_generic_node(games_t) +corenet_tcp_bind_generic_port(games_t) +corenet_tcp_connect_generic_port(games_t) +corenet_sendrecv_generic_client_packets(games_t) +corenet_sendrecv_generic_server_packets(games_t) + +dev_read_sound(games_t) +dev_write_sound(games_t) +dev_read_input(games_t) +dev_read_mouse(games_t) +dev_read_urand(games_t) + +files_list_var(games_t) +files_search_var_lib(games_t) +files_dontaudit_search_var(games_t) +files_read_etc_files(games_t) +files_read_usr_files(games_t) +files_read_var_files(games_t) + +init_dontaudit_rw_utmp(games_t) + +logging_dontaudit_search_logs(games_t) + +miscfiles_read_man_pages(games_t) +miscfiles_read_localization(games_t) + +sysnet_read_config(games_t) + +userdom_manage_user_tmp_dirs(games_t) +userdom_manage_user_tmp_files(games_t) +userdom_manage_user_tmp_symlinks(games_t) +userdom_manage_user_tmp_sockets(games_t) +# Suppress .icons denial until properly implemented +userdom_dontaudit_read_user_home_content_files(games_t) + +tunable_policy(`allow_execmem',` + allow games_t self:process execmem; +') + +optional_policy(` + nscd_socket_use(games_t) +') + +optional_policy(` + xserver_user_x_domain_template(games, games_t, games_tmpfs_t) + xserver_create_xdm_tmp_sockets(games_t) + xserver_read_xdm_lib_files(games_t) +') diff --git a/gatekeeper.fc b/gatekeeper.fc new file mode 100644 index 0000000..d6ef025 --- /dev/null +++ b/gatekeeper.fc 
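Review bot: `dev_read_input(games_t)` and `dev_read_mouse(games_t)` give every binary labelled games_exec_t read access to the input device nodes, which on a shared system exposes keystrokes and pointer events outside the game's own window, and the hunk neither gates nor explains that grant. Consider placing the two calls under a tunable, or at least commenting the intent: `# raw input-device reads for SDL-style games; this sees all keystrokes, so keep it reviewable`. The server section is also undocumented beyond the declaration comment; a line above `dontaudit games_srv_t self:capability sys_tty_config;` naming which daemon games_srv_t is meant to confine would help, since it shares games_exec_t with the user domain via `can_exec(games_srv_t, games_exec_t)`.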
@@ -0,0 +1,8 @@
+/etc/gatekeeper\.ini -- gen_context(system_u:object_r:gatekeeper_etc_t,s0)
+
+/usr/sbin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+/usr/sbin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+
+/var/log/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_log_t,s0)
+/var/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+/var/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
diff --git a/gatekeeper.if b/gatekeeper.if
new file mode 100644
index 0000000..311cb06
--- /dev/null
+++ b/gatekeeper.if
@@ -0,0 +1 @@
+## OpenH.323 Voice-Over-IP Gatekeeper
diff --git a/gatekeeper.te b/gatekeeper.te
new file mode 100644
index 0000000..99a94de
--- /dev/null
+++ b/gatekeeper.te
@@ -0,0 +1,99 @@ +policy_module(gatekeeper, 1.7.0) + +######################################## +# +# Declarations +# + +type gatekeeper_t; +type gatekeeper_exec_t; +init_daemon_domain(gatekeeper_t, gatekeeper_exec_t) + +type gatekeeper_etc_t; +files_config_file(gatekeeper_etc_t) + +type gatekeeper_log_t; +logging_log_file(gatekeeper_log_t) + +# for stupid symlinks +type gatekeeper_tmp_t; +files_tmp_file(gatekeeper_tmp_t) + +type gatekeeper_var_run_t; +files_pid_file(gatekeeper_var_run_t) + +######################################## +# +# Local policy +# + +dontaudit gatekeeper_t self:capability sys_tty_config; +allow gatekeeper_t self:process { setsched signal_perms }; +allow gatekeeper_t self:fifo_file rw_fifo_file_perms; +allow gatekeeper_t self:tcp_socket create_stream_socket_perms; +allow gatekeeper_t self:udp_socket create_socket_perms; + +allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read }; +allow gatekeeper_t gatekeeper_etc_t:file read_file_perms; +files_search_etc(gatekeeper_t) + +manage_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t) +logging_log_filetrans(gatekeeper_t, gatekeeper_log_t, { file dir }) + +manage_dirs_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t) +manage_files_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t) +files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir }) + +manage_files_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t) +files_pid_filetrans(gatekeeper_t, gatekeeper_var_run_t, file) + +kernel_read_system_state(gatekeeper_t) +kernel_read_kernel_sysctls(gatekeeper_t) + +corecmd_list_bin(gatekeeper_t) + +corenet_all_recvfrom_unlabeled(gatekeeper_t) +corenet_all_recvfrom_netlabel(gatekeeper_t) +corenet_tcp_sendrecv_generic_if(gatekeeper_t) +corenet_udp_sendrecv_generic_if(gatekeeper_t) +corenet_tcp_sendrecv_generic_node(gatekeeper_t) +corenet_udp_sendrecv_generic_node(gatekeeper_t) +corenet_tcp_sendrecv_all_ports(gatekeeper_t) 
+corenet_udp_sendrecv_all_ports(gatekeeper_t) +corenet_tcp_bind_generic_node(gatekeeper_t) +corenet_udp_bind_generic_node(gatekeeper_t) +corenet_tcp_bind_gatekeeper_port(gatekeeper_t) +corenet_udp_bind_gatekeeper_port(gatekeeper_t) +corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t) + +dev_read_sysfs(gatekeeper_t) +# for SSP +dev_read_urand(gatekeeper_t) + +domain_use_interactive_fds(gatekeeper_t) + +files_read_etc_files(gatekeeper_t) + +fs_getattr_all_fs(gatekeeper_t) +fs_search_auto_mountpoints(gatekeeper_t) + +logging_send_syslog_msg(gatekeeper_t) + +miscfiles_read_localization(gatekeeper_t) + +sysnet_read_config(gatekeeper_t) + +userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) +userdom_dontaudit_search_user_home_dirs(gatekeeper_t) + +optional_policy(` + nis_use_ypbind(gatekeeper_t) +') + +optional_policy(` + seutil_sigchld_newrole(gatekeeper_t) +') + +optional_policy(` + udev_read_db(gatekeeper_t) +') diff --git a/gift.fc b/gift.fc new file mode 100644 index 0000000..df7ced4 --- /dev/null +++ b/gift.fc @@ -0,0 +1,6 @@ +HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0) + +/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0) +/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) +/usr/(local/)?bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0) +/usr/(local/)?bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0) diff --git a/gift.if b/gift.if new file mode 100644 index 0000000..c9b90d3 --- /dev/null +++ b/gift.if 
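Review bot: `logging_log_filetrans(gatekeeper_t, gatekeeper_log_t, { file dir })` names `dir`, but the only rule on gatekeeper_log_t is `manage_files_pattern`, which grants no `dir create`, so the daemon cannot actually create the `/var/log/gnugk` directory that gatekeeper.fc labels; add `manage_dirs_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)` beside it or drop `dir` from the filetrans. `allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };` is hand-rolled where `read_lnk_files_pattern(gatekeeper_t, gatekeeper_etc_t, gatekeeper_etc_t)` is the idiom used elsewhere in this series, and the `# for stupid symlinks` comment on gatekeeper_tmp_t should say which symlinks the daemon creates under /tmp and why.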
@@ -0,0 +1,42 @@
+## giFT peer to peer file sharing tool
+
+############################################################
+##
+## Role access for gift
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`gift_role',`
+ gen_require(`
+ type gift_t, gift_exec_t;
+ type giftd_t, giftd_exec_t;
+ type gift_home_t;
+ ')
+
+ role $1 types { gift_t giftd_t };
+
+ # transition from user domain
+ domtrans_pattern($2, gift_exec_t, gift_t)
+ domtrans_pattern($2, giftd_exec_t, giftd_t)
+
+ # user managed content
+ manage_dirs_pattern($2, gift_home_t, gift_home_t)
+ manage_files_pattern($2, gift_home_t, gift_home_t)
+ manage_lnk_files_pattern($2, gift_home_t, gift_home_t)
+ relabel_dirs_pattern($2, gift_home_t, gift_home_t)
+ relabel_files_pattern($2, gift_home_t, gift_home_t)
+ relabel_lnk_files_pattern($2, gift_home_t, gift_home_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, { gift_t giftd_t })
+ allow $2 { gift_t giftd_t }:process signal_perms;
+')
diff --git a/gift.te b/gift.te
new file mode 100644
index 0000000..6e4add5
--- /dev/null
+++ b/gift.te
@@ -0,0 +1,147 @@ +policy_module(gift, 2.2.0) + +######################################## +# +# Declarations +# + +type gift_t; +type gift_exec_t; +typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t }; +typealias gift_t alias { auditadm_gift_t secadm_gift_t }; +application_domain(gift_t, gift_exec_t) +ubac_constrained(gift_t) + +type gift_home_t; +typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t }; +typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t }; +userdom_user_home_content(gift_home_t) + +type gift_tmpfs_t; +typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t }; +typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t }; +files_tmpfs_file(gift_tmpfs_t) +ubac_constrained(gift_tmpfs_t) + +type giftd_t; +type giftd_exec_t; +typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t }; +typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t }; +application_domain(giftd_t, giftd_exec_t) +ubac_constrained(giftd_t) + +############################## +# +# giFT user interface local policy +# + +allow gift_t self:tcp_socket create_socket_perms; + +manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) +manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) +manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) +manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) +fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(gift_t, gift_home_t, gift_home_t) +manage_files_pattern(gift_t, gift_home_t, gift_home_t) +manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t) +userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir) + +# Launch gift daemon +domtrans_pattern(gift_t, giftd_exec_t, giftd_t) + +# Read /proc/meminfo +kernel_read_system_state(gift_t) + +# Connect to gift daemon +corenet_all_recvfrom_unlabeled(gift_t) +corenet_all_recvfrom_netlabel(gift_t) 
+corenet_tcp_sendrecv_generic_if(gift_t) +corenet_tcp_sendrecv_generic_node(gift_t) +corenet_tcp_sendrecv_giftd_port(gift_t) +corenet_tcp_connect_giftd_port(gift_t) +corenet_sendrecv_giftd_client_packets(gift_t) + +fs_search_auto_mountpoints(gift_t) + +sysnet_read_config(gift_t) + +# giftui looks in .icons, .themes. +userdom_dontaudit_read_user_home_content_files(gift_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gift_t) + fs_manage_nfs_files(gift_t) + fs_manage_nfs_symlinks(gift_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gift_t) + fs_manage_cifs_files(gift_t) + fs_manage_cifs_symlinks(gift_t) +') + +optional_policy(` + nscd_socket_use(gift_t) +') + +optional_policy(` + xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t) +') + +############################## +# +# giFT server local policy +# + +allow giftd_t self:process { signal setsched }; +allow giftd_t self:unix_stream_socket create_socket_perms; +allow giftd_t self:tcp_socket create_stream_socket_perms; +allow giftd_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t) +manage_files_pattern(giftd_t, gift_home_t, gift_home_t) +manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t) +userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir) + +kernel_read_system_state(giftd_t) +kernel_read_kernel_sysctls(giftd_t) + +# Serve content on various p2p networks. Ports can be random. 
+corenet_all_recvfrom_unlabeled(giftd_t) +corenet_all_recvfrom_netlabel(giftd_t) +corenet_tcp_sendrecv_generic_if(giftd_t) +corenet_udp_sendrecv_generic_if(giftd_t) +corenet_tcp_sendrecv_generic_node(giftd_t) +corenet_udp_sendrecv_generic_node(giftd_t) +corenet_tcp_sendrecv_all_ports(giftd_t) +corenet_udp_sendrecv_all_ports(giftd_t) +corenet_tcp_bind_generic_node(giftd_t) +corenet_udp_bind_generic_node(giftd_t) +corenet_tcp_bind_all_ports(giftd_t) +corenet_udp_bind_all_ports(giftd_t) +corenet_tcp_connect_all_ports(giftd_t) +corenet_sendrecv_all_client_packets(giftd_t) + +files_read_usr_files(giftd_t) +# Read /etc/mtab +files_read_etc_runtime_files(giftd_t) + +miscfiles_read_localization(giftd_t) + +sysnet_read_config(giftd_t) + +userdom_use_user_terminals(giftd_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(giftd_t) + fs_manage_nfs_files(giftd_t) + fs_manage_nfs_symlinks(giftd_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(giftd_t) + fs_manage_cifs_files(giftd_t) + fs_manage_cifs_symlinks(giftd_t) +') diff --git a/git.fc b/git.fc new file mode 100644 index 0000000..13e72a7 --- /dev/null +++ b/git.fc @@ -0,0 +1,11 @@ +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) + +/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) + +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) + +/var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) + +/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/git.if b/git.if new file mode 100644 index 0000000..b0242d9 --- /dev/null +++ b/git.if 
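Review bot: `corenet_tcp_bind_all_ports(giftd_t)` and `corenet_udp_bind_all_ports(giftd_t)` let a per-user peer-to-peer daemon bind every labelled port, including the reserved service ports, although the comment above them only justifies random ports; `corenet_tcp_bind_all_unreserved_ports(giftd_t)` (and its udp counterpart), the form the ftpd policy earlier in this series uses, covers the stated need with a narrower grant. `corenet_tcp_connect_all_ports(giftd_t)` is equally broad and should at least carry a comment naming the networks it needs to reach.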
@@ -0,0 +1,50 @@ +## GIT revision control system. + +######################################## +## +## Role access for Git session. +## +## +## +## Role allowed access. +## +## +## +## +## User domain for the role. +## +## +# +template(`git_role',` + gen_require(` + type git_session_t, gitd_exec_t, git_user_content_t; + ') + + ######################################## + # + # Declarations + # + + role $1 types git_session_t; + + ######################################## + # + # Policy + # + + manage_dirs_pattern($2, git_user_content_t, git_user_content_t) + relabel_dirs_pattern($2, git_user_content_t, git_user_content_t) + + exec_files_pattern($2, git_user_content_t, git_user_content_t) + manage_files_pattern($2, git_user_content_t, git_user_content_t) + relabel_files_pattern($2, git_user_content_t, git_user_content_t) + + allow $2 git_session_t:process { ptrace signal_perms }; + ps_process_pattern($2, git_session_t) + + tunable_policy(`git_session_users',` + domtrans_pattern($2, gitd_exec_t, git_session_t) + ',` + can_exec($2, gitd_exec_t) + ') +') diff --git a/git.te b/git.te new file mode 100644 index 0000000..c05bec3 --- /dev/null +++ b/git.te @@ -0,0 +1,227 @@ +policy_module(git, 1.0.1) + +######################################## +# +# Declarations +# + +## +##
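Review bot: `allow $2 git_session_t:process { ptrace signal_perms };` in git_role grants the calling user domain ptrace over the session daemon, which games_role and gift_role in this same series do not grant (they stop at signal_perms plus ps_process_pattern); ptrace is not needed to start, stop or list the daemon and is normally kept behind a tunable, so `allow $2 git_session_t:process signal_perms;` would match the sibling interfaces. git_role is also declared with `template(` although it instantiates no per-role types; `interface(` would be consistent with games_role and gift_role.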

+## Determine whether Git CGI +## can search home directories. +##

+##
+gen_tunable(git_cgi_enable_homedirs, false) + +## +##

+## Determine whether Git CGI +## can access cifs file systems. +##

+##
+gen_tunable(git_cgi_use_cifs, false) + +## +##

+## Determine whether Git CGI +## can access nfs file systems. +##

+##
+gen_tunable(git_cgi_use_nfs, false) + +## +##

+## Determine whether calling user domains +## can execute Git daemon in the +## git_session_t domain. +##

+##
+gen_tunable(git_session_users, false) + +## +##

+## Determine whether Git session daemons +## can send syslog messages. +##

+##
+gen_tunable(git_session_send_syslog_msg, false) + +## +##

+## Determine whether Git system daemon +## can search home directories. +##

+##
+gen_tunable(git_system_enable_homedirs, false) + +## +##

+## Determine whether Git system daemon +## can access cifs file systems. +##

+##
+gen_tunable(git_system_use_cifs, false) + +## +##

+## Determine whether Git system daemon +## can access nfs file systems. +##

+##
+gen_tunable(git_system_use_nfs, false) + +attribute git_daemon; + +apache_content_template(git) + +type git_system_t, git_daemon; +type gitd_exec_t; +inetd_service_domain(git_system_t, gitd_exec_t) + +type git_session_t, git_daemon; +application_domain(git_session_t, gitd_exec_t) +ubac_constrained(git_session_t) + +type git_sys_content_t; +files_type(git_sys_content_t) + +type git_user_content_t; +userdom_user_home_content(git_user_content_t) + +######################################## +# +# Git session policy +# + +allow git_session_t self:tcp_socket { accept listen }; + +list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) +read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) +userdom_search_user_home_dirs(git_session_t) + +corenet_all_recvfrom_netlabel(git_session_t) +corenet_all_recvfrom_unlabeled(git_session_t) +corenet_tcp_bind_generic_node(git_session_t) +corenet_tcp_sendrecv_generic_if(git_session_t) +corenet_tcp_sendrecv_generic_node(git_session_t) +corenet_tcp_sendrecv_generic_port(git_session_t) +corenet_tcp_bind_git_port(git_session_t) +corenet_tcp_sendrecv_git_port(git_session_t) +corenet_sendrecv_git_server_packets(git_session_t) + +userdom_use_user_terminals(git_session_t) + +tunable_policy(`git_session_send_syslog_msg',` + logging_send_syslog_msg(git_session_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(git_session_t) +',` + fs_dontaudit_read_nfs_files(git_session_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(git_session_t) +',` + fs_dontaudit_read_cifs_files(git_session_t) +') + +######################################## +# +# Git system policy +# + +list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) +read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) +files_search_var_lib(git_system_t) + +logging_send_syslog_msg(git_system_t) + +tunable_policy(`git_system_enable_homedirs',` + userdom_search_user_home_dirs(git_system_t) +') + 
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(git_system_t) +',` + fs_dontaudit_read_nfs_files(git_system_t) +') + +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(git_system_t) +',` + fs_dontaudit_read_cifs_files(git_system_t) +') + +tunable_policy(`git_system_use_cifs',` + fs_read_cifs_files(git_system_t) +',` + fs_dontaudit_read_cifs_files(git_system_t) +') + +tunable_policy(`git_system_use_nfs',` + fs_read_nfs_files(git_system_t) +',` + fs_dontaudit_read_nfs_files(git_system_t) +') + +######################################## +# +# Git CGI policy +# + +list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) +read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) +files_search_var_lib(httpd_git_script_t) + +files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) + +auth_use_nsswitch(httpd_git_script_t) + +tunable_policy(`git_cgi_enable_homedirs',` + userdom_search_user_home_dirs(httpd_git_script_t) +') + +tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_git_script_t) +',` + fs_dontaudit_read_nfs_files(httpd_git_script_t) +') + +tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_git_script_t) +',` + fs_dontaudit_read_cifs_files(httpd_git_script_t) +') + +tunable_policy(`git_cgi_use_cifs',` + fs_read_cifs_files(httpd_git_script_t) +',` + fs_dontaudit_read_cifs_files(httpd_git_script_t) +') + +tunable_policy(`git_cgi_use_nfs',` + fs_read_nfs_files(httpd_git_script_t) +',` + fs_dontaudit_read_nfs_files(httpd_git_script_t) +') + +######################################## +# +# Git global policy +# + +allow git_daemon self:fifo_file rw_fifo_file_perms; + +kernel_read_system_state(git_daemon) + +corecmd_exec_bin(git_daemon) + +files_read_usr_files(git_daemon) + 
+fs_search_auto_mountpoints(git_daemon) + +auth_use_nsswitch(git_daemon) + +miscfiles_read_localization(git_daemon) diff --git a/gitosis.fc b/gitosis.fc new file mode 100644 index 0000000..7e90e45 --- /dev/null +++ b/gitosis.fc @@ -0,0 +1,5 @@ +/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0) +/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0) + +/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) +/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) diff --git a/gitosis.if b/gitosis.if new file mode 100644 index 0000000..e898b91 --- /dev/null +++ b/gitosis.if 
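Review bot: git_session_t gets `allow git_session_t self:tcp_socket { accept listen };` plus node and git-port bind rules, but no rule lets it create or bind the socket in the first place, so unless the listening socket is inherited from the caller the session daemon cannot serve; compare gift.te in this series, where the daemon gets `allow giftd_t self:tcp_socket create_stream_socket_perms;`. If the socket really is meant to be created by git_session_t, add `allow git_session_t self:tcp_socket create_stream_socket_perms;` in the session section and a comment saying so; if it is inherited, a comment to that effect would save the next reader the same question.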
@@ -0,0 +1,86 @@ +## Tools for managing and hosting git repositories. + +####################################### +## +## Execute a domain transition to run gitosis. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gitosis_domtrans',` + gen_require(` + type gitosis_t, gitosis_exec_t; + ') + + domtrans_pattern($1, gitosis_exec_t, gitosis_t) +') + +####################################### +## +## Execute gitosis-serve in the gitosis domain, and +## allow the specified role the gitosis domain. +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access. +## +## +# +interface(`gitosis_run',` + gen_require(` + type gitosis_t; + ') + + gitosis_domtrans($1) + role $2 types gitosis_t; +') + +####################################### +## +## Allow the specified domain to read +## gitosis lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gitosis_read_lib_files',` + gen_require(` + type gitosis_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) +') + +###################################### +## +## Allow the specified domain to manage +## gitosis lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gitosis_manage_lib_files',` + gen_require(` + type gitosis_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) +') diff --git a/gitosis.te b/gitosis.te new file mode 100644 index 0000000..4a2e63b --- /dev/null +++ b/gitosis.te 
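Review bot: gitosis_domtrans performs the transition without first granting the caller `corecmd_search_bin($1)`, although gitosis.fc in this commit labels both executables under /usr/bin, so a caller that does not already search bin_t directories fails the path lookup before the transition ever applies. Add `corecmd_search_bin($1)` immediately before `domtrans_pattern($1, gitosis_exec_t, gitosis_t)`, which is the usual shape of a domtrans interface. gnomeclock_domtrans and gpsd_domtrans later in this commit have the same omission.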
@@ -0,0 +1,41 @@
+policy_module(gitosis, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type gitosis_t;
+type gitosis_exec_t;
+application_domain(gitosis_t, gitosis_exec_t)
+role system_r types gitosis_t;
+
+type gitosis_var_lib_t;
+files_type(gitosis_var_lib_t)
+
+########################################
+#
+# gitosis local policy
+#
+
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
+
+exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_lnk_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+
+kernel_read_system_state(gitosis_t)
+
+corecmd_exec_bin(gitosis_t)
+corecmd_exec_shell(gitosis_t)
+
+dev_read_urand(gitosis_t)
+
+files_read_etc_files(gitosis_t)
+files_read_usr_files(gitosis_t)
+files_search_var_lib(gitosis_t)
+
+miscfiles_read_localization(gitosis_t)
+
+sysnet_read_config(gitosis_t)
diff --git a/gnome.fc b/gnome.fc
new file mode 100644
index 0000000..00a19e3
--- /dev/null
+++ b/gnome.fc
@@ -0,0 +1,9 @@
+HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+
+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+
+/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
+
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff --git a/gnome.if b/gnome.if
new file mode 100644
index 0000000..f5afe78
--- /dev/null
+++ b/gnome.if
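Review bot: exec_files_pattern on gitosis_var_lib_t sits next to manage_files_pattern and manage_dirs_pattern on the same type, so gitosis_t can both write and execute the same tree, and together with corecmd_exec_shell that is a write-then-execute path the hunk does not justify. If this is needed because repository hooks live under the var_lib tree labelled by gitosis.fc, record that above the exec line: `# repository hooks live in the var_lib tree, so the domain must both write and execute that content`. Without such a comment a later cleanup cannot tell whether the exec rule is deliberate or a leftover.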
@@ -0,0 +1,190 @@ +## GNU network object model environment (GNOME) + +############################################################ +## +## Role access for gnome +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`gnome_role',` + gen_require(` + type gconfd_t, gconfd_exec_t; + type gconf_tmp_t; + ') + + role $1 types gconfd_t; + + domain_auto_trans($2, gconfd_exec_t, gconfd_t) + allow gconfd_t $2:fd use; + allow gconfd_t $2:fifo_file write; + allow gconfd_t $2:unix_stream_socket connectto; + + ps_process_pattern($2, gconfd_t) + + #gnome_stream_connect_gconf_template($1, $2) + read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) + allow $2 gconfd_t:unix_stream_socket connectto; +') + +######################################## +## +## Execute gconf programs in +## in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_exec_gconf',` + gen_require(` + type gconfd_exec_t; + ') + + can_exec($1, gconfd_exec_t) +') + +######################################## +## +## Read gconf config files. +## +## +## +## Domain allowed access. +## +## +# +template(`gnome_read_gconf_config',` + gen_require(` + type gconf_etc_t; + ') + + allow $1 gconf_etc_t:dir list_dir_perms; + read_files_pattern($1, gconf_etc_t, gconf_etc_t) + files_search_etc($1) +') + +####################################### +## +## Create, read, write, and delete gconf config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_manage_gconf_config',` + gen_require(` + type gconf_etc_t; + ') + + manage_files_pattern($1, gconf_etc_t, gconf_etc_t) + files_search_etc($1) +') + +######################################## +## +## gconf connection template. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_stream_connect_gconf',` + gen_require(` + type gconfd_t, gconf_tmp_t; + ') + + read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) + allow $1 gconfd_t:unix_stream_socket connectto; +') + +######################################## +## +## Run gconfd in gconfd domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_domtrans_gconfd',` + gen_require(` + type gconfd_t, gconfd_exec_t; + ') + + domtrans_pattern($1, gconfd_exec_t, gconfd_t) +') + +######################################## +## +## Set attributes of Gnome config dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_setattr_config_dirs',` + gen_require(` + type gnome_home_t; + ') + + setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) + files_search_home($1) +') + +######################################## +## +## Read gnome homedir content (.config) +## +## +## +## Domain allowed access. +## +## +# +template(`gnome_read_config',` + gen_require(` + type gnome_home_t; + ') + + list_dirs_pattern($1, gnome_home_t, gnome_home_t) + read_files_pattern($1, gnome_home_t, gnome_home_t) + read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) +') + +######################################## +## +## manage gnome homedir content (.config) +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_manage_config',` + gen_require(` + type gnome_home_t; + ') + + allow $1 gnome_home_t:dir manage_dir_perms; + allow $1 gnome_home_t:file manage_file_perms; + userdom_search_user_home_dirs($1) +') diff --git a/gnome.te b/gnome.te new file mode 100644 index 0000000..2505654 --- /dev/null +++ b/gnome.te 
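Review bot: gnome_role, at the top of this file, re-implements gnome_stream_connect_gconf inline — `read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)` and `allow $2 gconfd_t:unix_stream_socket connectto;` — beneath a stale comment naming a gnome_stream_connect_gconf_template that does not exist in the file. Replace the commented line and the two duplicated rules with `gnome_stream_connect_gconf($2)` so the two cannot drift apart. Separately, gnome_read_gconf_config and gnome_read_config are declared with `template(` although each takes a single domain argument like their `interface(` siblings; declaring them as interfaces would be consistent with the rest of the file.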
@@ -0,0 +1,77 @@ +policy_module(gnome, 2.1.0) + +############################## +# +# Declarations +# + +attribute gnomedomain; + +type gconf_etc_t; +files_config_file(gconf_etc_t) + +type gconf_home_t; +typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; +typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; +typealias gconf_home_t alias unconfined_gconf_home_t; +userdom_user_home_content(gconf_home_t) + +type gconf_tmp_t; +typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t }; +typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t }; +typealias gconf_tmp_t alias unconfined_gconf_tmp_t; +files_tmp_file(gconf_tmp_t) +ubac_constrained(gconf_tmp_t) + +type gconfd_t, gnomedomain; +type gconfd_exec_t; +typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; +typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; +application_domain(gconfd_t, gconfd_exec_t) +ubac_constrained(gconfd_t) + +type gnome_home_t; +typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; +typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; +typealias gnome_home_t alias unconfined_gnome_home_t; +userdom_user_home_content(gnome_home_t) + +############################## +# +# Local Policy +# + +allow gconfd_t self:process getsched; +allow gconfd_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) +manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) +userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) + +manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) + +allow gconfd_t gconf_etc_t:dir list_dir_perms; +read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) + +dev_read_urand(gconfd_t) + +files_read_etc_files(gconfd_t) + 
+miscfiles_read_localization(gconfd_t) + +logging_send_syslog_msg(gconfd_t) + +userdom_manage_user_tmp_sockets(gconfd_t) +userdom_manage_user_tmp_dirs(gconfd_t) +userdom_tmp_filetrans_user_tmp(gconfd_t, dir) + +optional_policy(` + nscd_dontaudit_search_pid(gconfd_t) +') + +optional_policy(` + xserver_use_xdm_fds(gconfd_t) + xserver_rw_xdm_pipes(gconfd_t) +') diff --git a/gnomeclock.fc b/gnomeclock.fc new file mode 100644 index 0000000..462de63 --- /dev/null +++ b/gnomeclock.fc @@ -0,0 +1,2 @@ +/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + diff --git a/gnomeclock.if b/gnomeclock.if new file mode 100644 index 0000000..671d8fd --- /dev/null +++ b/gnomeclock.if @@ -0,0 +1,65 @@ +## Gnome clock handler for setting the time. + +######################################## +## +## Execute a domain transition to run gnomeclock. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gnomeclock_domtrans',` + gen_require(` + type gnomeclock_t, gnomeclock_exec_t; + ') + + domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) +') + +######################################## +## +## Execute gnomeclock in the gnomeclock domain, and +## allow the specified role the gnomeclock domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`gnomeclock_run',` + gen_require(` + type gnomeclock_t; + ') + + gnomeclock_domtrans($1) + role $2 types gnomeclock_t; +') + +######################################## +## +## Send and receive messages from +## gnomeclock over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnomeclock_dbus_chat',` + gen_require(` + type gnomeclock_t; + class dbus send_msg; + ') + + allow $1 gnomeclock_t:dbus send_msg; + allow gnomeclock_t $1:dbus send_msg; +') diff --git a/gnomeclock.te b/gnomeclock.te new file mode 100644 index 0000000..4fde46b --- /dev/null +++ b/gnomeclock.te 
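Review bot: gconfd_t receives userdom_manage_user_tmp_sockets, userdom_manage_user_tmp_dirs and userdom_tmp_filetrans_user_tmp(gconfd_t, dir) on top of its own gconf_tmp_t, so the daemon can create and remove generic user temp directories and sockets shared with every other user application, and the hunk gives no reason why the dedicated tmp type is not enough. Either add a comment naming the object that needs the generic type, `# gconfd also needs generic user_tmp_t for <path placeholder> — confirm`, or drop these three lines if the earlier `userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })` already covers the case. The gconf_tmp_t rules above them are the tighter form and should be the default.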
@@ -0,0 +1,46 @@
+policy_module(gnomeclock, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gnomeclock_t;
+type gnomeclock_exec_t;
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+
+########################################
+#
+# gnomeclock local policy
+#
+
+allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
+allow gnomeclock_t self:process { getattr getsched };
+allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_bin(gnomeclock_t)
+
+files_read_etc_files(gnomeclock_t)
+files_read_usr_files(gnomeclock_t)
+
+auth_use_nsswitch(gnomeclock_t)
+
+clock_domtrans(gnomeclock_t)
+
+miscfiles_read_localization(gnomeclock_t)
+miscfiles_manage_localization(gnomeclock_t)
+miscfiles_etc_filetrans_localization(gnomeclock_t)
+
+userdom_read_all_users_state(gnomeclock_t)
+
+optional_policy(`
+ consolekit_dbus_chat(gnomeclock_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(gnomeclock_t)
+ policykit_domtrans_auth(gnomeclock_t)
+ policykit_read_lib(gnomeclock_t)
+ policykit_read_reload(gnomeclock_t)
+')
diff --git a/gpg.fc b/gpg.fc
new file mode 100644
index 0000000..e9853d4
--- /dev/null
+++ b/gpg.fc
@@ -0,0 +1,9 @@
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+
+/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
+
+/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --git a/gpg.if b/gpg.if
new file mode 100644
index 0000000..6d50300
--- /dev/null
+++ b/gpg.if
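Review bot: `allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };` grants sys_ptrace to a system D-Bus service with no comment, and that capability does far more than let a process read state: it lifts the /proc access restrictions and allows attaching to other processes. If it is present only so that userdom_read_all_users_state can read other users' /proc entries, say so, so that the next reviewer can check whether it is still required: `# sys_ptrace: presumably for reading other users' /proc/<pid> state (userdom_read_all_users_state) — confirm`. sys_time is the expected capability for a time-setting helper and deserves a one-word comment as well.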
@@ -0,0 +1,181 @@ +## Policy for GNU Privacy Guard and related programs. + +############################################################ +## +## Role access for gpg +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`gpg_role',` + gen_require(` + type gpg_t, gpg_exec_t; + type gpg_agent_t, gpg_agent_exec_t; + type gpg_agent_tmp_t; + type gpg_helper_t, gpg_pinentry_t; + type gpg_pinentry_tmp_t; + ') + + role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }; + + # transition from the userdomain to the derived domain + domtrans_pattern($2, gpg_exec_t, gpg_t) + + # allow ps to show gpg + ps_process_pattern($2, gpg_t) + allow $2 gpg_t:process { signull sigstop signal sigkill }; + + # communicate with the user + allow gpg_helper_t $2:fd use; + allow gpg_helper_t $2:fifo_file write; + + # allow ps to show gpg-agent + ps_process_pattern($2, gpg_agent_t) + + # Allow the user shell to signal the gpg-agent program. + allow $2 gpg_agent_t:process { signal sigkill }; + + manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) + manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) + manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) + files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) + + # Transition from the user domain to the agent domain. 
+ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) + + manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) + relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) + + optional_policy(` + gpg_pinentry_dbus_chat($2) + ') + + ifdef(`hide_broken_symptoms',` + #Leaked File Descriptors + dontaudit gpg_t $2:socket_class_set { getattr read write }; + dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; + dontaudit gpg_agent_t $2:socket_class_set { getattr read write }; + dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms; + ') +') + +######################################## +## +## Transition to a user gpg domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gpg_domtrans',` + gen_require(` + type gpg_t, gpg_exec_t; + ') + + domtrans_pattern($1, gpg_exec_t, gpg_t) +') + +######################################## +## +## Execute the gpg application without transitioning +## +## +## +## Domain allowed to execute gpg +## +## +# +interface(`gpg_exec',` + gen_require(` + type gpg_exec_t; + ') + + can_exec($1, gpg_exec_t) +') + +######################################## +## +## Send generic signals to user gpg processes. +## +## +## +## Domain allowed access. +## +## +# +interface(`gpg_signal',` + gen_require(` + type gpg_t; + ') + + allow $1 gpg_t:process signal; +') + +######################################## +## +## Read and write GPG agent pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`gpg_rw_agent_pipes',` + # Just wants read/write could this be a leak? + gen_require(` + type gpg_agent_t; + ') + + allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Send messages to and from GPG +## Pinentry over DBUS. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gpg_pinentry_dbus_chat',` + gen_require(` + type gpg_pinentry_t; + class dbus send_msg; + ') + + allow $1 gpg_pinentry_t:dbus send_msg; + allow gpg_pinentry_t $1:dbus send_msg; +') + +######################################## +## +## List Gnu Privacy Guard user secrets. +## +## +## +## Domain allowed access. +## +## +# +interface(`gpg_list_user_secrets',` + gen_require(` + type gpg_secret_t; + ') + + list_dirs_pattern($1, gpg_secret_t, gpg_secret_t) + userdom_search_user_home_dirs($1) +') diff --git a/gpg.te b/gpg.te new file mode 100644 index 0000000..ebd6791 --- /dev/null +++ b/gpg.te @@ -0,0 +1,359 @@ +policy_module(gpg, 2.4.1) + +######################################## +# +# Declarations +# + +## +##
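Review bot: In gpg_role at the top of this file, `files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })` is a rule on gpg_agent_t rather than on the $2 user domain, so it does not belong in a role interface and duplicates the identical rule in the agent section of gpg.te in this same commit; drop it here, or change the subject to `$2` if the user domain was meant to receive the transition. A smaller point of style: the comment `# Just wants read/write could this be a leak?` in gpg_rw_agent_pipes is placed above gen_require, the only interface in the file written that way; move it next to the allow rule it questions, and if the answer is known, replace it with the reason.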

+## Allow usage of the gpg-agent --write-env-file option. +## This also allows gpg-agent to manage user files. +##

+##
+gen_tunable(gpg_agent_env_file, false) + +type gpg_t; +type gpg_exec_t; +typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; +typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; +application_domain(gpg_t, gpg_exec_t) +ubac_constrained(gpg_t) +role system_r types gpg_t; + +type gpg_agent_t; +type gpg_agent_exec_t; +typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t }; +typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t }; +application_domain(gpg_agent_t, gpg_agent_exec_t) +ubac_constrained(gpg_agent_t) + +type gpg_agent_tmp_t; +typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t }; +typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t }; +files_tmp_file(gpg_agent_tmp_t) +ubac_constrained(gpg_agent_tmp_t) + +type gpg_secret_t; +typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; +typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t }; +userdom_user_home_content(gpg_secret_t) + +type gpg_helper_t; +type gpg_helper_exec_t; +typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; +typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; +application_domain(gpg_helper_t, gpg_helper_exec_t) +ubac_constrained(gpg_helper_t) +role system_r types gpg_helper_t; + +type gpg_pinentry_t; +type pinentry_exec_t; +typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t }; +typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }; +application_domain(gpg_pinentry_t, pinentry_exec_t) +ubac_constrained(gpg_pinentry_t) + +type gpg_pinentry_tmp_t; +files_tmp_file(gpg_pinentry_tmp_t) +ubac_constrained(gpg_pinentry_tmp_t) + +type gpg_pinentry_tmpfs_t; +files_tmpfs_file(gpg_pinentry_tmpfs_t) +ubac_constrained(gpg_pinentry_tmpfs_t) + +######################################## 
+# +# GPG local policy +# + +allow gpg_t self:capability { ipc_lock setuid }; +# setrlimit is for ulimit -c 0 +allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid }; + +allow gpg_t self:fifo_file rw_fifo_file_perms; +allow gpg_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) + +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) + +# transition from the gpg domain to the helper domain +domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) + +allow gpg_t gpg_secret_t:dir create_dir_perms; +manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) +manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) +userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) + +kernel_read_sysctl(gpg_t) + +corecmd_exec_shell(gpg_t) +corecmd_exec_bin(gpg_t) + +corenet_all_recvfrom_unlabeled(gpg_t) +corenet_all_recvfrom_netlabel(gpg_t) +corenet_tcp_sendrecv_generic_if(gpg_t) +corenet_udp_sendrecv_generic_if(gpg_t) +corenet_tcp_sendrecv_generic_node(gpg_t) +corenet_udp_sendrecv_generic_node(gpg_t) +corenet_tcp_sendrecv_all_ports(gpg_t) +corenet_udp_sendrecv_all_ports(gpg_t) +corenet_tcp_connect_all_ports(gpg_t) +corenet_sendrecv_all_client_packets(gpg_t) + +dev_read_rand(gpg_t) +dev_read_urand(gpg_t) +dev_read_generic_usb_dev(gpg_t) + +fs_getattr_xattr_fs(gpg_t) +fs_list_inotifyfs(gpg_t) + +domain_use_interactive_fds(gpg_t) + +files_read_etc_files(gpg_t) +files_read_usr_files(gpg_t) +files_dontaudit_search_var(gpg_t) + +auth_use_nsswitch(gpg_t) + +logging_send_syslog_msg(gpg_t) + +miscfiles_read_localization(gpg_t) + +userdom_use_user_terminals(gpg_t) +# sign/encrypt user files +userdom_manage_user_tmp_files(gpg_t) +userdom_manage_user_home_content_files(gpg_t) +userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) + +mta_write_config(gpg_t) + 
+tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gpg_t) + fs_manage_nfs_files(gpg_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gpg_t) + fs_manage_cifs_files(gpg_t) +') + +optional_policy(` + mozilla_read_user_home_files(gpg_t) + mozilla_write_user_home_files(gpg_t) +') + +optional_policy(` + xserver_use_xdm_fds(gpg_t) + xserver_rw_xdm_pipes(gpg_t) +') + +optional_policy(` + cron_system_entry(gpg_t, gpg_exec_t) + cron_read_system_job_tmp_files(gpg_t) +') + +######################################## +# +# GPG helper local policy +# + +allow gpg_helper_t self:process { getsched setsched }; + +# for helper programs (which automatically fetch keys) +# Note: this is only tested with the hkp interface. If you use eg the +# mail interface you will likely need additional permissions. + +allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; +allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; +allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; + +dontaudit gpg_helper_t gpg_secret_t:file read; + +corenet_all_recvfrom_unlabeled(gpg_helper_t) +corenet_all_recvfrom_netlabel(gpg_helper_t) +corenet_tcp_sendrecv_generic_if(gpg_helper_t) +corenet_raw_sendrecv_generic_if(gpg_helper_t) +corenet_udp_sendrecv_generic_if(gpg_helper_t) +corenet_tcp_sendrecv_generic_node(gpg_helper_t) +corenet_udp_sendrecv_generic_node(gpg_helper_t) +corenet_raw_sendrecv_generic_node(gpg_helper_t) +corenet_tcp_sendrecv_all_ports(gpg_helper_t) +corenet_udp_sendrecv_all_ports(gpg_helper_t) +corenet_tcp_bind_generic_node(gpg_helper_t) +corenet_udp_bind_generic_node(gpg_helper_t) +corenet_tcp_connect_all_ports(gpg_helper_t) + +files_read_etc_files(gpg_helper_t) + +auth_use_nsswitch(gpg_helper_t) + +userdom_use_user_terminals(gpg_helper_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(gpg_helper_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files(gpg_helper_t) +') + 
+######################################## +# +# GPG agent local policy +# + +# rlimit: gpg-agent wants to prevent coredumps +allow gpg_agent_t self:process setrlimit; + +allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; +allow gpg_agent_t self:fifo_file rw_fifo_file_perms; + +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) +manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) +manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) +manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) + +# Allow the gpg-agent to manage its tmp files (socket) +manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) + +# allow gpg to connect to the gpg agent +stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) + +corecmd_read_bin_symlinks(gpg_agent_t) +corecmd_search_bin(gpg_agent_t) +corecmd_exec_shell(gpg_agent_t) + +dev_read_urand(gpg_agent_t) + +domain_use_interactive_fds(gpg_agent_t) + +fs_dontaudit_list_inotifyfs(gpg_agent_t) + +miscfiles_read_localization(gpg_agent_t) + +# Write to the user domain tty. 
+userdom_use_user_terminals(gpg_agent_t) +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) +userdom_search_user_home_dirs(gpg_agent_t) + +ifdef(`hide_broken_symptoms',` + userdom_dontaudit_read_user_tmp_files(gpg_agent_t) +') + +tunable_policy(`gpg_agent_env_file',` + # write ~/.gpg-agent-info or a similar to the users home dir + # or subdir (gpg-agent --write-env-file option) + # + userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) + userdom_manage_user_home_content_dirs(gpg_agent_t) + userdom_manage_user_home_content_files(gpg_agent_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gpg_agent_t) + fs_manage_nfs_files(gpg_agent_t) + fs_manage_nfs_symlinks(gpg_agent_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gpg_agent_t) + fs_manage_cifs_files(gpg_agent_t) + fs_manage_cifs_symlinks(gpg_agent_t) +') + +optional_policy(` + mozilla_dontaudit_rw_user_home_files(gpg_agent_t) +') + +############################## +# +# Pinentry local policy +# + +allow gpg_pinentry_t self:process { getcap getsched setsched signal }; +allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; +allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms; +allow gpg_pinentry_t self:shm create_shm_perms; +allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms; +allow gpg_pinentry_t self:unix_dgram_socket sendto; +allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; + +can_exec(gpg_pinentry_t, pinentry_exec_t) + +# we need to allow gpg-agent to call pinentry so it can get the passphrase +# from the user. 
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) + +manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) +userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) + +manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) + +# read /proc/meminfo +kernel_read_system_state(gpg_pinentry_t) + +corecmd_exec_bin(gpg_pinentry_t) + +corenet_all_recvfrom_netlabel(gpg_pinentry_t) +corenet_all_recvfrom_unlabeled(gpg_pinentry_t) +corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t) +corenet_tcp_bind_generic_node(gpg_pinentry_t) +corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t) +corenet_tcp_sendrecv_generic_if(gpg_pinentry_t) +corenet_tcp_sendrecv_generic_node(gpg_pinentry_t) +corenet_tcp_sendrecv_generic_port(gpg_pinentry_t) + +dev_read_urand(gpg_pinentry_t) +dev_read_rand(gpg_pinentry_t) + +files_read_usr_files(gpg_pinentry_t) +# read /etc/X11/qtrc +files_read_etc_files(gpg_pinentry_t) + +fs_dontaudit_list_inotifyfs(gpg_pinentry_t) +fs_getattr_tmpfs(gpg_pinentry_t) + +auth_use_nsswitch(gpg_pinentry_t) + +logging_send_syslog_msg(gpg_pinentry_t) + +miscfiles_read_fonts(gpg_pinentry_t) +miscfiles_read_localization(gpg_pinentry_t) + +# for .Xauthority +userdom_read_user_home_content_files(gpg_pinentry_t) +userdom_read_user_tmpfs_files(gpg_pinentry_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(gpg_pinentry_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(gpg_pinentry_t) +') + +optional_policy(` + dbus_session_bus_client(gpg_pinentry_t) + dbus_system_bus_client(gpg_pinentry_t) +') + +optional_policy(` + pulseaudio_exec(gpg_pinentry_t) + pulseaudio_rw_home_files(gpg_pinentry_t) + pulseaudio_setattr_home_dir(gpg_pinentry_t) + pulseaudio_stream_connect(gpg_pinentry_t) + pulseaudio_signull(gpg_pinentry_t) 
+') + +optional_policy(` + xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) +') diff --git a/gpm.fc b/gpm.fc new file mode 100644 index 0000000..6fc9661 --- /dev/null +++ b/gpm.fc @@ -0,0 +1,7 @@ + +/dev/gpmctl -s gen_context(system_u:object_r:gpmctl_t,s0) +/dev/gpmdata -p gen_context(system_u:object_r:gpmctl_t,s0) + +/etc/gpm(/.*)? gen_context(system_u:object_r:gpm_conf_t,s0) + +/usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0) diff --git a/gpm.if b/gpm.if new file mode 100644 index 0000000..7d97298 --- /dev/null +++ b/gpm.if @@ -0,0 +1,81 @@ +## General Purpose Mouse driver + +######################################## +## +## Connect to GPM over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`gpm_stream_connect',` + gen_require(` + type gpmctl_t, gpm_t; + ') + + allow $1 gpmctl_t:sock_file rw_sock_file_perms; + allow $1 gpm_t:unix_stream_socket connectto; +') + +######################################## +## +## Get the attributes of the GPM +## control channel named socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`gpm_getattr_gpmctl',` + gen_require(` + type gpmctl_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 gpmctl_t:sock_file getattr; +') + +######################################## +## +## Do not audit attempts to get the +## attributes of the GPM control channel +## named socket. +## +## +## +## Domain to not audit. +## +## +# +interface(`gpm_dontaudit_getattr_gpmctl',` + gen_require(` + type gpmctl_t; + ') + + dontaudit $1 gpmctl_t:sock_file getattr; +') + +######################################## +## +## Set the attributes of the GPM +## control channel named socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`gpm_setattr_gpmctl',` + gen_require(` + type gpmctl_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 gpmctl_t:sock_file setattr; +') diff --git a/gpm.te b/gpm.te new file mode 100644 index 0000000..a627b34 
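Review bot: gpg_t receives corenet_tcp_connect_all_ports together with tcp and udp sendrecv on all ports in the GPG local policy section, which undercuts the separate gpg_helper_t domain that this same file sets up for keyserver access and deliberately keeps away from gpg_secret_t (`dontaudit gpg_helper_t gpg_secret_t:file read;`); with these rules the key-holding domain can reach any port by itself. If gpg_t needs network access only in specific cases, narrow it or mark it for follow-up: `# TODO: network access should go through gpg_helper_t; confirm which ports gpg itself must reach`. In the agent section the comment `# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )` appears twice, the second time above userdom_search_user_home_dirs where it no longer describes the rule, and `create_stream_socket_perms ;` carries a stray space before the semicolon. `ipc_lock` on gpg_t would also benefit from a comment, `# ipc_lock: mlock() secure memory holding key material`.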
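Review bot: gpm_stream_connect grants `allow $1 gpmctl_t:sock_file rw_sock_file_perms;` and `allow $1 gpm_t:unix_stream_socket connectto;` directly but, unlike gpm_getattr_gpmctl and gpm_setattr_gpmctl in the same file, gives the caller no `dev_list_all_dev_nodes($1)`, so a domain without /dev search access still cannot reach the control socket. The conventional form is `dev_list_all_dev_nodes($1)` followed by `stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)`, which also limits the sock_file permissions to what connecting actually needs rather than the full rw set.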
--- /dev/null
+++ b/gpm.te
@@ -0,0 +1,79 @@
+policy_module(gpm, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type gpm_t;
+type gpm_exec_t;
+init_daemon_domain(gpm_t, gpm_exec_t)
+
+type gpm_conf_t;
+files_type(gpm_conf_t)
+
+type gpm_tmp_t;
+files_tmp_file(gpm_tmp_t)
+
+type gpm_var_run_t;
+files_pid_file(gpm_var_run_t)
+
+type gpmctl_t;
+files_type(gpmctl_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };
+allow gpm_t self:process { getcap setcap };
+allow gpm_t self:unix_stream_socket create_stream_socket_perms;
+
+allow gpm_t gpm_conf_t:dir list_dir_perms;
+read_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
+read_lnk_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
+
+manage_dirs_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
+manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
+files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
+
+allow gpm_t gpm_var_run_t:file manage_file_perms;
+files_pid_filetrans(gpm_t, gpm_var_run_t, file)
+
+allow gpm_t gpmctl_t:sock_file manage_sock_file_perms;
+allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms;
+dev_filetrans(gpm_t, gpmctl_t, { sock_file fifo_file })
+
+kernel_read_kernel_sysctls(gpm_t)
+kernel_list_proc(gpm_t)
+kernel_read_proc_symlinks(gpm_t)
+
+dev_read_sysfs(gpm_t)
+# Access the mouse.
+dev_rw_input_dev(gpm_t)
+dev_rw_mouse(gpm_t)
+
+files_read_etc_files(gpm_t)
+
+fs_getattr_all_fs(gpm_t)
+fs_search_auto_mountpoints(gpm_t)
+
+term_use_unallocated_ttys(gpm_t)
+
+domain_use_interactive_fds(gpm_t)
+
+logging_send_syslog_msg(gpm_t)
+
+miscfiles_read_localization(gpm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(gpm_t)
+userdom_dontaudit_search_user_home_dirs(gpm_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(gpm_t)
+')
+
+optional_policy(`
+ udev_read_db(gpm_t)
+')
diff --git a/gpsd.fc b/gpsd.fc
new file mode 100644
index 0000000..5e81e33
--- /dev/null
+++ b/gpsd.fc
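Review bot: `allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };` grants dac_override and sys_admin to the mouse daemon without explanation; both are broad, sys_admin in particular, and nothing else in the hunk shows a need for them since the daemon's file access is already covered by the explicit gpm_conf_t, gpm_tmp_t, gpm_var_run_t and gpmctl_t rules. Add a justifying comment for each or remove them and re-check with audit: `# dac_override/sys_admin: TODO document which operation needs these`. As a point of style, gpm_var_run_t gets `manage_file_perms` via a bare allow while the tmp and gpmctl objects use the *_pattern macros; `manage_files_pattern(gpm_t, gpm_var_run_t, gpm_var_run_t)` would match the rest of the section.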
@@ -0,0 +1,6 @@ +/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0) + +/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) + +/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) +/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) diff --git a/gpsd.if b/gpsd.if new file mode 100644 index 0000000..c0ee676 --- /dev/null +++ b/gpsd.if @@ -0,0 +1,66 @@ +## gpsd monitor daemon + +######################################## +## +## Execute a domain transition to run gpsd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gpsd_domtrans',` + gen_require(` + type gpsd_t, gpsd_exec_t; + ') + + domtrans_pattern($1, gpsd_exec_t, gpsd_t) +') + +######################################## +## +## Execute gpsd in the gpsd domain, and +## allow the specified role the gpsd domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`gpsd_run',` + gen_require(` + type gpsd_t; + ') + + gpsd_domtrans($1) + role $2 types gpsd_t; +') + +######################################## +## +## Read and write gpsd shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`gpsd_rw_shm',` + gen_require(` + type gpsd_t, gpsd_tmpfs_t; + ') + + allow $1 gpsd_t:shm rw_shm_perms; + allow $1 gpsd_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + fs_search_tmpfs($1) +') diff --git a/gpsd.te b/gpsd.te new file mode 100644 index 0000000..03742d8 --- /dev/null +++ b/gpsd.te 
@@ -0,0 +1,64 @@
+policy_module(gpsd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type gpsd_t;
+type gpsd_exec_t;
+application_domain(gpsd_t, gpsd_exec_t)
+init_daemon_domain(gpsd_t, gpsd_exec_t)
+
+type gpsd_initrc_exec_t;
+init_script_file(gpsd_initrc_exec_t)
+
+type gpsd_tmpfs_t;
+files_tmpfs_file(gpsd_tmpfs_t)
+
+type gpsd_var_run_t;
+files_pid_file(gpsd_var_run_t)
+
+########################################
+#
+# gpsd local policy
+#
+
+allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
+allow gpsd_t self:process setsched;
+allow gpsd_t self:shm create_shm_perms;
+allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow gpsd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
+
+manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
+
+corenet_all_recvfrom_unlabeled(gpsd_t)
+corenet_all_recvfrom_netlabel(gpsd_t)
+corenet_tcp_sendrecv_generic_if(gpsd_t)
+corenet_tcp_sendrecv_generic_node(gpsd_t)
+corenet_tcp_sendrecv_all_ports(gpsd_t)
+corenet_tcp_bind_all_nodes(gpsd_t)
+corenet_tcp_bind_gpsd_port(gpsd_t)
+
+term_use_unallocated_ttys(gpsd_t)
+term_setattr_unallocated_ttys(gpsd_t)
+
+auth_use_nsswitch(gpsd_t)
+
+logging_send_syslog_msg(gpsd_t)
+
+miscfiles_read_localization(gpsd_t)
+
+optional_policy(`
+ dbus_system_bus_client(gpsd_t)
+')
+
+optional_policy(`
+ ntp_rw_shm(gpsd_t)
+')
diff --git a/guest.fc b/guest.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/guest.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/guest.if b/guest.if
new file mode 100644
index 0000000..8906a32
--- /dev/null
+++ b/guest.if
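Review bot: `ntp_rw_shm(gpsd_t)` in the last optional_policy block is the one rule that lets gpsd write into another daemon's memory, and together with `gpsd_rw_shm` in gpsd.if it makes gpsd a trusted time input for ntpd; that is presumably the NTP SHM refclock coupling, and a comment such as `# gpsd feeds the NTP SHM refclock; a compromised gpsd can steer system time` would record the trust decision where the rule lives. In the same hunk, `fowner fsetid` in `allow gpsd_t self:capability { ... }` are unusual for a daemon whose file access here is limited to its own tmpfs and pid types; if they come from chown/chmod of the serial device, say so in a comment, otherwise they are candidates for removal after a test run.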
@@ -0,0 +1,50 @@
+## Least privledge terminal user role
+
+########################################
+##
+## Change to the guest role.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`guest_role_change',`
+ gen_require(`
+ role guest_r;
+ ')
+
+ allow $1 guest_r;
+')
+
+########################################
+##
+## Change from the guest role.
+##
+##
+##

+## Change from the guest role to
+## the specified role.
+##

+##

+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##

+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`guest_role_change_to',`
+ gen_require(`
+ role guest_r;
+ ')
+
+ allow guest_r $1;
+')
diff --git a/guest.te b/guest.te
new file mode 100644
index 0000000..1cb7311
--- /dev/null
+++ b/guest.te
@@ -0,0 +1,17 @@
+policy_module(guest, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+role guest_r;
+
+userdom_restricted_user_template(guest)
+
+########################################
+#
+# Local policy
+#
+
+#gen_user(guest_u,, guest_r, s0, s0)
diff --git a/hadoop.fc b/hadoop.fc
new file mode 100644
index 0000000..633c470
--- /dev/null
+++ b/hadoop.fc
@@ -0,0 +1,59 @@
+/etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)
+
+/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
+
+/etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hadoop-zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
+
+/etc/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0)
+/etc/zookeeper\.dist(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0)
+
+/usr/lib/hadoop.*/bin/hadoop -- gen_context(system_u:object_r:hadoop_exec_t,s0)
+
+/usr/bin/zookeeper-client -- gen_context(system_u:object_r:zookeeper_exec_t,s0)
+/usr/bin/zookeeper-server -- gen_context(system_u:object_r:zookeeper_server_exec_t,s0)
+
+/var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
+
+/var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
+/var/lock/subsys/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_lock_t,s0)
+/var/lock/subsys/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_lock_t,s0)
+/var/lock/subsys/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_lock_t,s0)
+/var/lock/subsys/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_lock_t,s0)
+
+/var/log/hadoop.* gen_context(system_u:object_r:hadoop_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-datanode(-.*)? gen_context(system_u:object_r:hadoop_datanode_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-jobtracker(-.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-namenode(-.*)? gen_context(system_u:object_r:hadoop_namenode_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-secondarynamenode(-.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_log_t,s0)
+/var/log/hadoop.*/hadoop-hadoop-tasktracker(-.*)? gen_context(system_u:object_r:hadoop_tasktracker_log_t,s0)
+/var/log/hadoop.*/history(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0)
+/var/log/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_log_t,s0)
+
+/var/run/hadoop.* -d gen_context(system_u:object_r:hadoop_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-datanode\.pid -- gen_context(system_u:object_r:hadoop_datanode_initrc_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-jobtracker\.pid -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-namenode\.pid -- gen_context(system_u:object_r:hadoop_namenode_initrc_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-secondarynamenode\.pid -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_var_run_t,s0)
+/var/run/hadoop.*/hadoop-hadoop-tasktracker\.pid -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_var_run_t,s0)
+
+/var/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
diff --git a/hadoop.if b/hadoop.if
new file mode 100644
index 0000000..2d0b4e1
--- /dev/null
+++ b/hadoop.if
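Review bot: The tree entries `/etc/hadoop.*`, `/var/lib/hadoop.*`, `/var/log/hadoop.*` and `/var/run/hadoop.* -d` use an unanchored `.*`, so they label any path that merely starts with that prefix, not just a `hadoop` or versioned `hadoop-<ver>` directory and its contents. Since the daemons get manage access on hadoop_var_lib_t and hadoop_log_t, an unrelated sibling such as `/var/lib/hadoopfoo` would silently fall into their writable set; if the intent is the versioned layout that `hadoop-(.*-)?datanode` in the init-script entries implies, a form like `/var/lib/hadoop(-[^/]+)?(/.*)?` expresses it without the over-match. The `/var/lib/hadoop.*/cache/...` per-daemon entries are the security-relevant separation here, so keeping the parent pattern precise matters more than for the init-script lines.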
@@ -0,0 +1,534 @@
+## Software for reliable, scalable, distributed computing.
+
+#######################################
+##
+## The template to define a hadoop domain.
+##
+##
+##
+## Domain prefix to be used.
+##
+##
+#
+template(`hadoop_domain_template',`
+ gen_require(`
+ attribute hadoop_domain;
+ type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
+ type hadoop_exec_t, hadoop_hsperfdata_t;
+ ')
+
+ ########################################
+ #
+ # Shared declarations.
+ #
+
+ type hadoop_$1_t, hadoop_domain;
+ domain_type(hadoop_$1_t)
+ domain_entry_file(hadoop_$1_t, hadoop_exec_t)
+ role system_r types hadoop_$1_t;
+
+ type hadoop_$1_initrc_t;
+ type hadoop_$1_initrc_exec_t;
+ init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
+ role system_r types hadoop_$1_initrc_t;
+
+ type hadoop_$1_initrc_var_run_t;
+ files_pid_file(hadoop_$1_initrc_var_run_t)
+
+ type hadoop_$1_lock_t;
+ files_lock_file(hadoop_$1_lock_t)
+
+ type hadoop_$1_log_t;
+ logging_log_file(hadoop_$1_log_t)
+
+ type hadoop_$1_tmp_t;
+ files_tmp_file(hadoop_$1_tmp_t)
+
+ type hadoop_$1_var_lib_t;
+ files_type(hadoop_$1_var_lib_t)
+
+ ####################################
+ #
+ # Shared hadoop_$1 policy.
+ #
+
+ allow hadoop_$1_t self:capability { chown kill setgid setuid };
+ allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
+ allow hadoop_$1_t self:key search;
+ allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
+ allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
+ allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
+ allow hadoop_$1_t self:udp_socket create_socket_perms;
+ dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
+
+ allow hadoop_$1_t hadoop_domain:process signull;
+
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
+ logging_search_logs(hadoop_$1_t)
+
+ manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
+ files_search_var_lib(hadoop_$1_t)
+
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+ files_search_pids(hadoop_$1_t)
+
+ allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
+ files_tmp_filetrans(hadoop_$1_t, hadoop_hsperfdata_t, dir)
+
+ kernel_read_kernel_sysctls(hadoop_$1_t)
+ kernel_read_sysctl(hadoop_$1_t)
+ kernel_read_network_state(hadoop_$1_t)
+ kernel_read_system_state(hadoop_$1_t)
+
+ corecmd_exec_bin(hadoop_$1_t)
+ corecmd_exec_shell(hadoop_$1_t)
+
+ corenet_all_recvfrom_unlabeled(hadoop_$1_t)
+ corenet_all_recvfrom_netlabel(hadoop_$1_t)
+ corenet_tcp_bind_all_nodes(hadoop_$1_t)
+ corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
+ corenet_udp_sendrecv_generic_if(hadoop_$1_t)
+ corenet_tcp_sendrecv_generic_node(hadoop_$1_t)
+ corenet_udp_sendrecv_generic_node(hadoop_$1_t)
+ corenet_tcp_sendrecv_all_ports(hadoop_$1_t)
+ corenet_udp_bind_generic_node(hadoop_$1_t)
+ # Hadoop uses high ordered random ports for services
+ # If permanent ports are chosen, remove line below and lock down
+ corenet_tcp_connect_generic_port(hadoop_$1_t)
+
+ dev_read_rand(hadoop_$1_t)
+ dev_read_urand(hadoop_$1_t)
+ dev_read_sysfs(hadoop_$1_t)
+
+ files_read_etc_files(hadoop_$1_t)
+
+ auth_domtrans_chkpwd(hadoop_$1_t)
+
+ hadoop_match_lan_spd(hadoop_$1_t)
+
+ init_read_utmp(hadoop_$1_t)
+ init_use_fds(hadoop_$1_t)
+ init_use_script_fds(hadoop_$1_t)
+ init_use_script_ptys(hadoop_$1_t)
+
+ logging_send_audit_msgs(hadoop_$1_t)
+ logging_send_syslog_msg(hadoop_$1_t)
+
+ miscfiles_read_localization(hadoop_$1_t)
+
+ sysnet_read_config(hadoop_$1_t)
+
+ hadoop_exec_config(hadoop_$1_t)
+
+ java_exec(hadoop_$1_t)
+
+ kerberos_use(hadoop_$1_t)
+
+ su_exec(hadoop_$1_t)
+
+ optional_policy(`
+ nscd_socket_use(hadoop_$1_t)
+ ')
+
+ ####################################
+ #
+ # Shared hadoop_$1 initrc policy.
+ #
+
+ allow hadoop_$1_initrc_t self:capability { setuid setgid };
+ dontaudit hadoop_$1_initrc_t self:capability sys_tty_config;
+ allow hadoop_$1_initrc_t self:process setsched;
+ allow hadoop_$1_initrc_t self:fifo_file rw_fifo_file_perms;
+
+ allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };
+
+ domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)
+
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t)
+ files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file)
+ files_search_locks(hadoop_$1_initrc_t)
+
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+ filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+ files_search_pids(hadoop_$1_initrc_t)
+
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
+ filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
+ logging_search_logs(hadoop_$1_initrc_t)
+
+ manage_dirs_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)
+ manage_files_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)
+
+ kernel_read_kernel_sysctls(hadoop_$1_initrc_t)
+ kernel_read_sysctl(hadoop_$1_initrc_t)
+ kernel_read_system_state(hadoop_$1_initrc_t)
+
+ corecmd_exec_bin(hadoop_$1_initrc_t)
+ corecmd_exec_shell(hadoop_$1_initrc_t)
+
+ files_read_etc_files(hadoop_$1_initrc_t)
+ files_read_usr_files(hadoop_$1_initrc_t)
+
+ consoletype_exec(hadoop_$1_initrc_t)
+
+ fs_getattr_xattr_fs(hadoop_$1_initrc_t)
+ fs_search_cgroup_dirs(hadoop_$1_initrc_t)
+
+ term_use_generic_ptys(hadoop_$1_initrc_t)
+
+ hadoop_exec_config(hadoop_$1_initrc_t)
+
+ init_rw_utmp(hadoop_$1_initrc_t)
+ init_use_fds(hadoop_$1_initrc_t)
+ init_use_script_ptys(hadoop_$1_initrc_t)
+
+ logging_send_syslog_msg(hadoop_$1_initrc_t)
+ logging_send_audit_msgs(hadoop_$1_initrc_t)
+
+ miscfiles_read_localization(hadoop_$1_initrc_t)
+
+ userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
+
+ optional_policy(`
+ nscd_socket_use(hadoop_$1_initrc_t)
+ ')
+')
+
+########################################
+##
+## Role access for hadoop.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`hadoop_role',`
+ gen_require(`
+ type hadoop_t;
+ ')
+
+ hadoop_domtrans($2)
+ role $1 types hadoop_t;
+
+ allow $2 hadoop_t:process { ptrace signal_perms };
+ ps_process_pattern($2, hadoop_t)
+
+ hadoop_domtrans_zookeeper_client($2)
+ role $1 types zookeeper_t;
+
+ allow $2 zookeeper_t:process { ptrace signal_perms };
+ ps_process_pattern($2, zookeeper_t)
+')
+
+########################################
+##
+## Execute hadoop in the
+## hadoop domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hadoop_domtrans',`
+ gen_require(`
+ type hadoop_t, hadoop_exec_t;
+ ')
+
+ domtrans_pattern($1, hadoop_exec_t, hadoop_t)
+')
+
+########################################
+##
+## Give permission to a domain to
+## recvfrom hadoop_t
+##
+##
+##
+## Domain needing recvfrom
+## permission
+##
+##
+#
+interface(`hadoop_recvfrom',`
+ gen_require(`
+ type hadoop_t;
+ ')
+
+ allow $1 hadoop_t:peer recv;
+')
+
+########################################
+##
+## Execute zookeeper client in the
+## zookeeper client domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hadoop_domtrans_zookeeper_client',`
+ gen_require(`
+ type zookeeper_t, zookeeper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
+')
+
+########################################
+##
+## Give permission to a domain to
+## recvfrom zookeeper_t
+##
+##
+##
+## Domain needing recvfrom
+## permission
+##
+##
+#
+interface(`hadoop_recvfrom_zookeeper_client',`
+ gen_require(`
+ type zookeeper_t;
+ ')
+
+ allow $1 zookeeper_t:peer recv;
+')
+
+########################################
+##
+## Execute zookeeper server in the
+## zookeeper server domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hadoop_domtrans_zookeeper_server',`
+ gen_require(`
+ type zookeeper_server_t, zookeeper_server_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
+')
+
+########################################
+##
+## Give permission to a domain to
+## recvfrom zookeeper_server_t
+##
+##
+##
+## Domain needing recvfrom
+## permission
+##
+##
+#
+interface(`hadoop_recvfrom_zookeeper_server',`
+ gen_require(`
+ type zookeeper_server_t;
+ ')
+
+ allow $1 zookeeper_server_t:peer recv;
+')
+
+########################################
+##
+## Execute zookeeper server in the
+## zookeeper domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hadoop_initrc_domtrans_zookeeper_server',`
+ gen_require(`
+ type zookeeper_server_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
+')
+
+########################################
+##
+## Give permission to a domain to
+## recvfrom hadoop_datanode_t
+##
+##
+##
+## Domain needing recvfrom
+## permission
+##
+##
+#
+interface(`hadoop_recvfrom_datanode',`
+ gen_require(`
+ type hadoop_datanode_t;
+ ')
+
+ allow $1 hadoop_datanode_t:peer recv;
+')
+
+########################################
+##
+## Give permission to a domain to read
+## hadoop_etc_t
+##
+##
+##
+## Domain needing read permission
+##
+##
+#
+interface(`hadoop_read_config',`
+ gen_require(`
+ type hadoop_etc_t;
+ ')
+
+ read_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
+ read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
+')
+
+########################################
+##
+## Give permission to a domain to
+## execute hadoop_etc_t
+##
+##
+##
+## Domain needing read and execute
+## permission
+##
+##
+#
+interface(`hadoop_exec_config',`
+ gen_require(`
+ type hadoop_etc_t;
+ ')
+
+ hadoop_read_config($1)
+ allow $1 hadoop_etc_t:file exec_file_perms;
+')
+
+########################################
+##
+## Give permission to a domain to
+## recvfrom hadoop_jobtracker_t
+##
+##
+##
+## Domain needing recvfrom
+## permission
+##
+##
+#
+interface(`hadoop_recvfrom_jobtracker',`
+ gen_require(`
+ type hadoop_jobtracker_t;
+ ')
+
+ allow $1 hadoop_jobtracker_t:peer recv;
+')
+
+########################################
+##
+## Give permission to a domain to
+## polmatch on hadoop_lan_t
+##
+##
+##
+## Domain needing polmatch
+## permission
+##
+##
+#
+interface(`hadoop_match_lan_spd',`
+ gen_require(`
+ type hadoop_lan_t;
+ ')
+
+ allow $1 hadoop_lan_t:association polmatch;
+')
+
+########################################
+##
+## Give permission to a domain to
+## recvfrom hadoop_namenode_t
+##
+##
+##
+## Domain needing recvfrom
+## permission
+##
+##
+#
+interface(`hadoop_recvfrom_namenode',`
+ gen_require(`
+ type hadoop_namenode_t;
+ ')
+
+ allow $1 hadoop_namenode_t:peer recv;
+')
+
+########################################
+##
+## Give permission to a domain to
+## recvfrom hadoop_secondarynamenode_t
+##
+##
+##
+## Domain needing recvfrom
+## permission
+##
+##
+#
+interface(`hadoop_recvfrom_secondarynamenode',`
+ gen_require(`
+ type hadoop_secondarynamenode_t;
+ ')
+
+ allow $1 hadoop_secondarynamenode_t:peer recv;
+')
+
+########################################
+##
+## Give permission to a domain to
+## recvfrom hadoop_tasktracker_t
+##
+##
+##
+## Domain needing recvfrom
+## permission
+##
+##
+#
+interface(`hadoop_recvfrom_tasktracker',`
+ gen_require(`
+ type hadoop_tasktracker_t;
+ ')
+
+ allow $1 hadoop_tasktracker_t:peer recv;
+')
diff --git a/hadoop.te b/hadoop.te
new file mode 100644
index 0000000..241902f
--- /dev/null
+++ b/hadoop.te
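Review bot: In hadoop_domain_template, `filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)` transitions only files, so any directory a daemon creates under hadoop_var_lib_t (the dfs/data, dfs/name and mapred/local trees that hadoop.fc gives per-daemon types) comes into being as plain hadoop_var_lib_t, and hadoop.te grants manage_dirs_pattern on hadoop_var_lib_t to every daemon and to the hadoop_t client, so the per-daemon separation would then hold only after a restorecon. If the daemons create those directories themselves rather than the package, `filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, { dir file })` closes most of the gap, though with a shared parent the result is still only as exact as the directory layout, so confirm that before relying on it. A smaller point in `hadoop_role`: `role $1 types zookeeper_t;` and the two zookeeper_t allow rules use a type that the interface's own gen_require does not list (only `type hadoop_t;`), leaning on the require block inside hadoop_domtrans_zookeeper_client; `type hadoop_t, zookeeper_t;` makes the interface self-contained.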
@@ -0,0 +1,440 @@
+policy_module(hadoop, 1.1.0)
+
+########################################
+#
+# Declarations.
+#
+
+attribute hadoop_domain;
+
+type hadoop_t;
+type hadoop_exec_t;
+application_domain(hadoop_t, hadoop_exec_t)
+ubac_constrained(hadoop_t)
+
+type hadoop_etc_t;
+files_config_file(hadoop_etc_t)
+
+type hadoop_home_t;
+userdom_user_home_content(hadoop_home_t)
+
+type hadoop_lan_t;
+corenet_spd_type(hadoop_lan_t)
+
+type hadoop_log_t;
+logging_log_file(hadoop_log_t)
+
+type hadoop_tmp_t;
+files_tmp_file(hadoop_tmp_t)
+ubac_constrained(hadoop_tmp_t)
+
+type hadoop_var_lib_t;
+files_type(hadoop_var_lib_t)
+
+type hadoop_var_run_t;
+files_pid_file(hadoop_var_run_t)
+
+type hadoop_hsperfdata_t;
+files_tmp_file(hadoop_hsperfdata_t)
+ubac_constrained(hadoop_hsperfdata_t)
+
+hadoop_domain_template(datanode)
+hadoop_domain_template(jobtracker)
+hadoop_domain_template(namenode)
+hadoop_domain_template(secondarynamenode)
+hadoop_domain_template(tasktracker)
+
+type zookeeper_t;
+type zookeeper_exec_t;
+application_domain(zookeeper_t, zookeeper_exec_t)
+ubac_constrained(zookeeper_t)
+
+type zookeeper_etc_t;
+files_config_file(zookeeper_etc_t)
+
+type zookeeper_log_t;
+logging_log_file(zookeeper_log_t)
+
+type zookeeper_server_t;
+type zookeeper_server_exec_t;
+init_daemon_domain(zookeeper_server_t, zookeeper_server_exec_t)
+
+type zookeeper_server_initrc_exec_t;
+init_script_file(zookeeper_server_initrc_exec_t)
+
+type zookeeper_server_tmp_t;
+files_tmp_file(zookeeper_server_tmp_t)
+
+type zookeeper_server_var_t;
+files_type(zookeeper_server_var_t)
+
+# This will need a file context specification.
+type zookeeper_server_var_run_t;
+files_pid_file(zookeeper_server_var_run_t)
+
+type zookeeper_tmp_t;
+files_tmp_file(zookeeper_tmp_t)
+ubac_constrained(zookeeper_tmp_t)
+
+########################################
+#
+# Hadoop policy.
+#
+
+allow hadoop_t self:capability sys_resource;
+allow hadoop_t self:process { getsched setsched signal signull setrlimit execmem };
+allow hadoop_t self:fifo_file rw_fifo_file_perms;
+allow hadoop_t self:key write;
+allow hadoop_t self:tcp_socket create_stream_socket_perms;
+allow hadoop_t self:udp_socket create_socket_perms;
+dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow hadoop_t hadoop_domain:process signull;
+
+hadoop_match_lan_spd(hadoop_t)
+allow hadoop_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_t)
+hadoop_recvfrom_jobtracker(hadoop_t)
+hadoop_recvfrom_namenode(hadoop_t)
+hadoop_recvfrom_tasktracker(hadoop_t)
+
+read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
+read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
+can_exec(hadoop_t, hadoop_etc_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
+
+allow hadoop_t hadoop_hsperfdata_t:dir manage_dir_perms;
+files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
+
+manage_dirs_pattern(hadoop_t, hadoop_log_t, hadoop_log_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t)
+manage_files_pattern(hadoop_t, hadoop_tmp_t, hadoop_tmp_t)
+filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, { dir file })
+
+manage_dirs_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t)
+manage_files_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t)
+files_search_var_lib(hadoop_t)
+
+getattr_dirs_pattern(hadoop_t, hadoop_var_run_t, hadoop_var_run_t)
+
+kernel_read_network_state(hadoop_t)
+kernel_read_system_state(hadoop_t)
+
+corecmd_exec_bin(hadoop_t)
+corecmd_exec_shell(hadoop_t)
+
+corenet_all_recvfrom_unlabeled(hadoop_t)
+corenet_all_recvfrom_netlabel(hadoop_t)
+corenet_tcp_sendrecv_generic_if(hadoop_t)
+corenet_udp_sendrecv_generic_if(hadoop_t)
+corenet_tcp_sendrecv_generic_node(hadoop_t)
+corenet_udp_sendrecv_generic_node(hadoop_t)
+corenet_tcp_bind_generic_node(hadoop_t)
+corenet_udp_bind_generic_node(hadoop_t)
+corenet_tcp_sendrecv_all_ports(hadoop_t)
+corenet_udp_sendrecv_all_ports(hadoop_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_t)
+corenet_tcp_connect_hadoop_datanode_port(hadoop_t)
+corenet_tcp_connect_portmap_port(hadoop_t)
+corenet_tcp_connect_zope_port(hadoop_t)
+corenet_sendrecv_hadoop_namenode_client_packets(hadoop_t)
+corenet_sendrecv_portmap_client_packets(hadoop_t)
+corenet_sendrecv_zope_client_packets(hadoop_t)
+# Hadoop uses high ordered random ports for services
+# If permanent ports are chosen, remove line below and lock down
+corenet_tcp_connect_generic_port(hadoop_t)
+
+dev_read_rand(hadoop_t)
+dev_read_sysfs(hadoop_t)
+dev_read_urand(hadoop_t)
+
+domain_use_interactive_fds(hadoop_t)
+
+files_dontaudit_search_spool(hadoop_t)
+files_read_etc_files(hadoop_t)
+files_read_usr_files(hadoop_t)
+
+fs_getattr_xattr_fs(hadoop_t)
+
+miscfiles_read_localization(hadoop_t)
+
+sysnet_read_config(hadoop_t)
+
+userdom_use_user_terminals(hadoop_t)
+
+java_exec(hadoop_t)
+
+kerberos_use(hadoop_t)
+
+optional_policy(`
+ nis_use_ypbind(hadoop_t)
+')
+
+optional_policy(`
+ nscd_socket_use(hadoop_t)
+')
+
+########################################
+#
+# Hadoop datanode policy.
+#
+
+allow hadoop_datanode_t self:process signal;
+
+manage_dirs_pattern(hadoop_datanode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_bind_hadoop_datanode_port(hadoop_datanode_t)
+corenet_tcp_connect_hadoop_datanode_port(hadoop_datanode_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
+
+fs_getattr_xattr_fs(hadoop_datanode_t)
+
+allow hadoop_datanode_t self:peer recv;
+hadoop_recvfrom_jobtracker(hadoop_datanode_t)
+hadoop_recvfrom_namenode(hadoop_datanode_t)
+hadoop_recvfrom(hadoop_datanode_t)
+hadoop_recvfrom_tasktracker(hadoop_datanode_t)
+
+########################################
+#
+# Hadoop jobtracker policy.
+#
+
+create_dirs_pattern(hadoop_jobtracker_t, hadoop_jobtracker_log_t, hadoop_jobtracker_log_t)
+setattr_dirs_pattern(hadoop_jobtracker_t, hadoop_jobtracker_log_t, hadoop_jobtracker_log_t)
+
+manage_dirs_pattern(hadoop_jobtracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
+corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
+
+allow hadoop_jobtracker_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_jobtracker_t)
+hadoop_recvfrom_namenode(hadoop_jobtracker_t)
+hadoop_recvfrom(hadoop_jobtracker_t)
+hadoop_recvfrom_tasktracker(hadoop_jobtracker_t)
+
+########################################
+#
+# Hadoop namenode policy.
+#
+
+manage_dirs_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
+
+allow hadoop_namenode_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_namenode_t)
+hadoop_recvfrom_jobtracker(hadoop_namenode_t)
+hadoop_recvfrom(hadoop_namenode_t)
+hadoop_recvfrom_secondarynamenode(hadoop_namenode_t)
+hadoop_recvfrom_tasktracker(hadoop_namenode_t)
+
+########################################
+#
+# Hadoop secondary namenode policy.
+#
+
+manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
+
+allow hadoop_secondarynamenode_t self:peer recv;
+hadoop_recvfrom_namenode(hadoop_secondarynamenode_t)
+
+########################################
+#
+# Hadoop tasktracker policy.
+#
+
+allow hadoop_tasktracker_t self:process signal;
+
+manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t)
+setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
+filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
+
+filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
+manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
+
+manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
+
+corenet_tcp_connect_hadoop_datanode_port(hadoop_tasktracker_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
+corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
+
+fs_getattr_xattr_fs(hadoop_tasktracker_t)
+
+allow hadoop_tasktracker_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_tasktracker_t)
+hadoop_recvfrom_jobtracker(hadoop_tasktracker_t)
+hadoop_recvfrom(hadoop_tasktracker_t)
+hadoop_recvfrom_namenode(hadoop_tasktracker_t)
+
+########################################
+#
+# Hadoop zookeeper client policy.
+#
+
+allow zookeeper_t self:process { getsched sigkill signal signull execmem };
+allow zookeeper_t self:fifo_file rw_fifo_file_perms;
+allow zookeeper_t self:tcp_socket create_stream_socket_perms;
+allow zookeeper_t self:udp_socket create_socket_perms;
+dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
+
+hadoop_match_lan_spd(zookeeper_t)
+hadoop_recvfrom_zookeeper_server(zookeeper_t)
+
+read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
+read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
+
+can_exec(zookeeper_t, zookeeper_exec_t)
+
+allow zookeeper_t hadoop_hsperfdata_t:dir manage_dir_perms;
+files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
+
+allow zookeeper_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow zookeeper_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms };
+append_files_pattern(zookeeper_t, zookeeper_log_t, zookeeper_log_t)
+logging_log_filetrans(zookeeper_t, zookeeper_log_t, file)
+
+allow zookeeper_t zookeeper_server_t:process signull;
+
+manage_files_pattern(zookeeper_t, zookeeper_tmp_t, zookeeper_tmp_t)
+filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
+
+kernel_read_network_state(zookeeper_t)
+kernel_read_system_state(zookeeper_t)
+
+corecmd_exec_bin(zookeeper_t)
+corecmd_exec_shell(zookeeper_t)
+
+corenet_all_recvfrom_unlabeled(zookeeper_t)
+corenet_all_recvfrom_netlabel(zookeeper_t)
+corenet_tcp_sendrecv_generic_if(zookeeper_t)
+corenet_udp_sendrecv_generic_if(zookeeper_t)
+corenet_tcp_sendrecv_generic_node(zookeeper_t)
+corenet_udp_sendrecv_generic_node(zookeeper_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_t)
+corenet_udp_sendrecv_all_ports(zookeeper_t)
+corenet_tcp_bind_generic_node(zookeeper_t)
+corenet_udp_bind_generic_node(zookeeper_t)
+corenet_tcp_connect_zookeeper_client_port(zookeeper_t)
+corenet_sendrecv_zookeeper_client_client_packets(zookeeper_t)
+# Hadoop uses high ordered random ports for services
+# If permanent ports are chosen, remove line below and lock down
+corenet_tcp_connect_generic_port(zookeeper_t)
+
+dev_read_rand(zookeeper_t)
+dev_read_sysfs(zookeeper_t)
+dev_read_urand(zookeeper_t)
+
+domain_use_interactive_fds(zookeeper_t)
+
+files_read_etc_files(zookeeper_t)
+files_read_usr_files(zookeeper_t)
+
+miscfiles_read_localization(zookeeper_t)
+
+sysnet_read_config(zookeeper_t)
+
+userdom_use_user_terminals(zookeeper_t)
+userdom_dontaudit_search_user_home_dirs(zookeeper_t)
+
+java_exec(zookeeper_t)
+
+optional_policy(`
+ nscd_socket_use(zookeeper_t)
+')
+
+########################################
+#
+# Hadoop zookeeper server policy.
+#
+
+allow zookeeper_server_t self:capability kill;
+allow zookeeper_server_t self:process { execmem getsched sigkill signal signull };
+allow zookeeper_server_t self:fifo_file rw_fifo_file_perms;
+allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
+allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
+allow zookeeper_server_t self:udp_socket create_socket_perms;
+
+hadoop_match_lan_spd(zookeeper_server_t)
+allow zookeeper_server_t self:peer recv;
+hadoop_recvfrom_zookeeper_client(zookeeper_server_t)
+
+allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
+files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
+
+read_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t)
+read_lnk_files_pattern(zookeeper_server_t, zookeeper_etc_t, zookeeper_etc_t)
+
+manage_dirs_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t)
+manage_files_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_server_var_t)
+files_var_lib_filetrans(zookeeper_server_t, zookeeper_server_var_t, { dir file })
+
+allow zookeeper_server_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow zookeeper_server_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms };
+logging_log_filetrans(zookeeper_server_t, zookeeper_log_t, file)
+
+manage_files_pattern(zookeeper_server_t, zookeeper_server_tmp_t, zookeeper_server_tmp_t)
+filetrans_pattern(zookeeper_server_t, hadoop_hsperfdata_t, zookeeper_server_tmp_t, file)
+
+manage_files_pattern(zookeeper_server_t, zookeeper_server_var_run_t, zookeeper_server_var_run_t)
+files_pid_filetrans(zookeeper_server_t, zookeeper_server_var_run_t, file)
+
+can_exec(zookeeper_server_t, zookeeper_server_exec_t)
+
+kernel_read_network_state(zookeeper_server_t)
+kernel_read_system_state(zookeeper_server_t)
+
+corecmd_exec_bin(zookeeper_server_t)
+corecmd_exec_shell(zookeeper_server_t)
+
+corenet_all_recvfrom_unlabeled(zookeeper_server_t)
+corenet_all_recvfrom_netlabel(zookeeper_server_t)
+corenet_tcp_sendrecv_generic_if(zookeeper_server_t)
+corenet_udp_sendrecv_generic_if(zookeeper_server_t)
+corenet_tcp_sendrecv_generic_node(zookeeper_server_t)
+corenet_udp_sendrecv_generic_node(zookeeper_server_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_server_t)
+corenet_udp_sendrecv_all_ports(zookeeper_server_t)
+corenet_tcp_bind_generic_node(zookeeper_server_t)
+corenet_udp_bind_generic_node(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_client_port(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_election_port(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_leader_port(zookeeper_server_t)
+corenet_tcp_connect_zookeeper_election_port(zookeeper_server_t)
+corenet_tcp_connect_zookeeper_leader_port(zookeeper_server_t)
+corenet_sendrecv_zookeeper_election_client_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_leader_client_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_client_server_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_election_server_packets(zookeeper_server_t)
+corenet_sendrecv_zookeeper_leader_server_packets(zookeeper_server_t)
+# Hadoop uses high ordered random ports for services
+# If permanent ports are chosen, remove line below and lock down
+corenet_tcp_connect_generic_port(zookeeper_server_t)
+
+dev_read_rand(zookeeper_server_t)
+dev_read_sysfs(zookeeper_server_t)
+dev_read_urand(zookeeper_server_t)
+
+files_read_etc_files(zookeeper_server_t)
+files_read_usr_files(zookeeper_server_t)
+
+fs_getattr_xattr_fs(zookeeper_server_t)
+
+logging_send_syslog_msg(zookeeper_server_t)
+
+miscfiles_read_localization(zookeeper_server_t)
+
+sysnet_read_config(zookeeper_server_t)
+
+java_exec(zookeeper_server_t)
diff --git a/hal.fc b/hal.fc
new file mode 100644
index 0000000..c98b0df
--- /dev/null
+++ b/hal.fc
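Review bot: `zookeeper_server_var_run_t` is declared under `# This will need a file context specification.` but hadoop.fc in this same commit adds no /var/run entry for it, so the pid file gets its label only from `files_pid_filetrans(zookeeper_server_t, zookeeper_server_var_run_t, file)`; after a relabel, or with a pid file left over from a start before the policy was loaded, it falls back to the generic pid type, for which zookeeper_server_t has no rule here. Add the pidfile path the init script uses (to be confirmed) to hadoop.fc and drop the placeholder comment. Separately, `allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;` is a live allow where hadoop_t, zookeeper_t and the template domains all use `dontaudit` for the same class; if the server really needs it, a one-line comment saying why would keep it from being "harmonized" away later, and if not it should match the others.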
@@ -0,0 +1,33 @@
+
+/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
+/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
+
+/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
+
+/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0)
+/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0)
+/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
+/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
+/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+
+/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
+
+/var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
+
+/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
+
+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
+/var/log/pm-.*\.log gen_context(system_u:object_r:hald_log_t,s0)
+
+/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
+')
diff --git a/hal.if b/hal.if
new file mode 100644
index 0000000..7cf6763
--- /dev/null
+++ b/hal.if
@@ -0,0 +1,433 @@
+## Hardware abstraction layer
+
+########################################
+##
+## Execute hal in the hal domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hal_domtrans',`
+ gen_require(`
+ type hald_t, hald_exec_t;
+ ')
+
+ domtrans_pattern($1, hald_exec_t, hald_t)
+')
+
+########################################
+##
+## Get the attributes of a hal process.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_getattr',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:process getattr;
+')
+
+########################################
+##
+## Read hal system state
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_read_state',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ ps_process_pattern($1, hald_t)
+')
+
+########################################
+##
+## Allow ptrace of hal domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_ptrace',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:process ptrace;
+')
+
+########################################
+##
+## Allow domain to use file descriptors from hal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_use_fds',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to use file descriptors from hal.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`hal_dontaudit_use_fds',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:fd use;
+')
+
+########################################
+##
+## Allow attempts to read and write to
+## hald unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_rw_pipes',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write to
+## hald unnamed pipes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`hal_dontaudit_rw_pipes',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Send to hal over a unix domain
+## datagram socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_dgram_send',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:unix_dgram_socket sendto;
+')
+
+########################################
+##
+## Send to hal over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_stream_connect',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Dontaudit read/write to a hal unix datagram socket.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`hal_dontaudit_rw_dgram_sockets',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:unix_dgram_socket { read write };
+')
+
+########################################
+##
+## Send a dbus message to hal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_dbus_send',`
+ gen_require(`
+ type hald_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 hald_t:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## hal over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_dbus_chat',`
+ gen_require(`
+ type hald_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 hald_t:dbus send_msg;
+ allow hald_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Execute hal mac in the hal mac domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hal_domtrans_mac',`
+ gen_require(`
+ type hald_mac_t, hald_mac_exec_t;
+ ')
+
+ domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)
+')
+
+########################################
+##
+## Allow attempts to write the hal
+## log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_write_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 hald_log_t:file write_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to write the hal
+## log files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`hal_dontaudit_write_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ dontaudit $1 hald_log_t:file { append write };
+')
+
+########################################
+##
+## Manage hald log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_manage_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ # log files for hald
+ manage_files_pattern($1, hald_log_t, hald_log_t)
+ logging_log_filetrans($1, hald_log_t, file)
+')
+
+########################################
+##
+## Read hald tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_read_tmp_files',`
+ gen_require(`
+ type hald_tmp_t;
+ ')
+
+ allow $1 hald_tmp_t:file read_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read or write
+## HAL libraries files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`hal_dontaudit_append_lib_files',`
+ gen_require(`
+ type hald_var_lib_t;
+ ')
+
+ dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms };
+')
+
+########################################
+##
+## Read hald PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_read_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 hald_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Read/Write hald PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_rw_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 hald_var_run_t:file rw_file_perms;
+')
+
+########################################
+##
+## Manage hald PID dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_manage_pid_dirs',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)
+')
+
+########################################
+##
+## Manage hald PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_manage_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
+')
diff --git a/hal.te b/hal.te
new file mode 100644
index 0000000..24c6253
--- /dev/null
+++ b/hal.te
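Review bot: The summary on `hal_dontaudit_append_lib_files` reads "Do not audit attempts to read or write HAL libraries files", but the rule it emits is `dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms };` — read and append, no write — and the interface name itself says append. Callers pick interfaces by their summaries, so the doc should match the permission set: `## Do not audit attempts to read or append to HAL var/lib files`. Separately, `hal_ptrace` hands out `process ptrace` on hald_t, which per hal.te in this same commit holds raw disk and raw memory access plus a wide capability set; that is presumably intended for debugging-style callers, but a one-line note in its summary that the caller effectively inherits hald_t's privileges would help whoever reviews future users of the interface.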
@@ -0,0 +1,531 @@
+policy_module(hal, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type hald_t;
+type hald_exec_t;
+init_daemon_domain(hald_t, hald_exec_t)
+
+type hald_acl_t;
+type hald_acl_exec_t;
+domain_type(hald_acl_t)
+domain_entry_file(hald_acl_t, hald_acl_exec_t)
+role system_r types hald_acl_t;
+
+type hald_cache_t;
+files_pid_file(hald_cache_t)
+
+type hald_dccm_t;
+type hald_dccm_exec_t;
+domain_type(hald_dccm_t)
+domain_entry_file(hald_dccm_t, hald_dccm_exec_t)
+role system_r types hald_dccm_t;
+
+type hald_keymap_t;
+type hald_keymap_exec_t;
+domain_type(hald_keymap_t)
+domain_entry_file(hald_keymap_t, hald_keymap_exec_t)
+role system_r types hald_keymap_t;
+
+type hald_log_t;
+logging_log_file(hald_log_t)
+
+type hald_mac_t;
+type hald_mac_exec_t;
+domain_type(hald_mac_t)
+domain_entry_file(hald_mac_t, hald_mac_exec_t)
+role system_r types hald_mac_t;
+
+type hald_sonypic_t;
+type hald_sonypic_exec_t;
+domain_type(hald_sonypic_t)
+domain_entry_file(hald_sonypic_t, hald_sonypic_exec_t)
+role system_r types hald_sonypic_t;
+
+type hald_tmp_t;
+files_tmp_file(hald_tmp_t)
+
+type hald_var_run_t;
+files_pid_file(hald_var_run_t)
+
+type hald_var_lib_t;
+files_type(hald_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+# execute openvt which needs setuid
+allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
+allow hald_t self:process { getsched getattr signal_perms };
+allow hald_t self:fifo_file rw_fifo_file_perms;
+allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow hald_t self:unix_dgram_socket create_socket_perms;
+allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow hald_t self:tcp_socket create_stream_socket_perms;
+allow hald_t self:udp_socket create_socket_perms;
+# For backwards compatibility with older kernels
+allow hald_t self:netlink_socket create_socket_perms;
+
+manage_files_pattern(hald_t, hald_cache_t, hald_cache_t)
+
+# log files for hald
+manage_files_pattern(hald_t, hald_log_t, hald_log_t)
+logging_log_filetrans(hald_t, hald_log_t, file)
+
+manage_dirs_pattern(hald_t, hald_tmp_t, hald_tmp_t)
+manage_files_pattern(hald_t, hald_tmp_t, hald_tmp_t)
+files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
+
+# var/lib files for hald
+manage_dirs_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
+manage_sock_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t)
+
+manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_t, hald_var_run_t, { dir file })
+
+kernel_read_system_state(hald_t)
+kernel_read_network_state(hald_t)
+kernel_read_software_raid_state(hald_t)
+kernel_rw_kernel_sysctl(hald_t)
+kernel_read_fs_sysctls(hald_t)
+kernel_rw_irq_sysctls(hald_t)
+kernel_rw_vm_sysctls(hald_t)
+kernel_write_proc_files(hald_t)
+kernel_search_network_sysctl(hald_t)
+kernel_setsched(hald_t)
+kernel_request_load_module(hald_t)
+
+auth_read_pam_console_data(hald_t)
+
+corecmd_exec_all_executables(hald_t)
+
+corenet_all_recvfrom_unlabeled(hald_t)
+corenet_all_recvfrom_netlabel(hald_t)
+corenet_tcp_sendrecv_generic_if(hald_t)
+corenet_udp_sendrecv_generic_if(hald_t)
+corenet_tcp_sendrecv_generic_node(hald_t)
+corenet_udp_sendrecv_generic_node(hald_t)
+corenet_tcp_sendrecv_all_ports(hald_t)
+corenet_udp_sendrecv_all_ports(hald_t)
+
+dev_rw_usbfs(hald_t)
+dev_read_rand(hald_t)
+dev_read_urand(hald_t)
+dev_read_input(hald_t)
+dev_read_mouse(hald_t)
+dev_rw_printer(hald_t)
+dev_read_lvm_control(hald_t)
+dev_getattr_all_chr_files(hald_t)
+dev_manage_generic_chr_files(hald_t)
+dev_rw_generic_usb_dev(hald_t)
+dev_setattr_generic_usb_dev(hald_t)
+dev_setattr_usbfs_files(hald_t)
+dev_rw_power_management(hald_t)
+dev_read_raw_memory(hald_t)
+# hal is now execing pm-suspend
+dev_rw_sysfs(hald_t)
+dev_read_video_dev(hald_t)
+
+domain_use_interactive_fds(hald_t)
+domain_read_all_domains_state(hald_t)
+domain_dontaudit_ptrace_all_domains(hald_t)
+
+files_exec_etc_files(hald_t)
+files_read_etc_files(hald_t)
+files_rw_etc_runtime_files(hald_t)
+files_manage_mnt_dirs(hald_t)
+files_manage_mnt_files(hald_t)
+files_manage_mnt_symlinks(hald_t)
+files_search_var_lib(hald_t)
+files_read_usr_files(hald_t)
+# hal is now execing pm-suspend
+files_create_boot_flag(hald_t)
+files_getattr_all_dirs(hald_t)
+files_getattr_all_files(hald_t)
+files_read_kernel_img(hald_t)
+files_rw_lock_dirs(hald_t)
+files_read_generic_pids(hald_t)
+
+fs_getattr_all_fs(hald_t)
+fs_search_all(hald_t)
+fs_list_inotifyfs(hald_t)
+fs_list_auto_mountpoints(hald_t)
+fs_mount_dos_fs(hald_t)
+fs_unmount_dos_fs(hald_t)
+fs_manage_dos_files(hald_t)
+fs_manage_fusefs_dirs(hald_t)
+fs_rw_removable_blk_files(hald_t)
+
+files_getattr_all_mountpoints(hald_t)
+
+mls_file_read_all_levels(hald_t)
+
+selinux_get_fs_mount(hald_t)
+selinux_validate_context(hald_t)
+selinux_compute_access_vector(hald_t)
+selinux_compute_create_context(hald_t)
+selinux_compute_relabel_context(hald_t)
+selinux_compute_user_contexts(hald_t)
+
+storage_raw_read_removable_device(hald_t)
+storage_raw_write_removable_device(hald_t)
+storage_raw_read_fixed_disk(hald_t)
+storage_raw_write_fixed_disk(hald_t)
+
+# hal_probe_serial causes these
+term_setattr_unallocated_ttys(hald_t)
+term_use_unallocated_ttys(hald_t)
+
+auth_use_nsswitch(hald_t)
+
+fstools_getattr_swap_files(hald_t)
+
+init_domtrans_script(hald_t)
+init_read_utmp(hald_t)
+#hal runs shutdown, probably need a shutdown domain
+init_rw_utmp(hald_t)
+init_telinit(hald_t)
+
+libs_exec_ld_so(hald_t)
+libs_exec_lib_files(hald_t)
+
+logging_send_audit_msgs(hald_t)
+logging_send_syslog_msg(hald_t)
+logging_search_logs(hald_t)
+
+miscfiles_read_localization(hald_t)
+miscfiles_read_hwdata(hald_t)
+
+modutils_domtrans_insmod(hald_t)
+modutils_read_module_deps(hald_t)
+
+seutil_read_config(hald_t)
+seutil_read_default_contexts(hald_t)
+seutil_read_file_contexts(hald_t)
+
+sysnet_read_config(hald_t)
+sysnet_domtrans_dhcpc(hald_t)
+sysnet_domtrans_ifconfig(hald_t)
+sysnet_read_dhcp_config(hald_t)
+
+userdom_dontaudit_use_unpriv_user_fds(hald_t)
+userdom_dontaudit_search_user_home_dirs(hald_t)
+
+optional_policy(`
+ alsa_domtrans(hald_t)
+ alsa_read_rw_config(hald_t)
+')
+
+optional_policy(`
+ bootloader_domtrans(hald_t)
+')
+
+optional_policy(`
+ # For /usr/libexec/hald-addon-acpi
+ # writes to /var/run/acpid.socket
+ apm_stream_connect(hald_t)
+')
+
+optional_policy(`
+ bind_search_cache(hald_t)
+')
+
+optional_policy(`
+ bluetooth_domtrans(hald_t)
+')
+
+optional_policy(`
+ clock_domtrans(hald_t)
+')
+
+optional_policy(`
+ cups_domtrans_config(hald_t)
+ cups_signal_config(hald_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(hald_t)
+ dbus_connect_system_bus(hald_t)
+
+ init_dbus_chat_script(hald_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(hald_t)
+ ')
+')
+
+optional_policy(`
+ # For /usr/libexec/hald-probe-smbios
+ dmidecode_domtrans(hald_t)
+')
+
+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(hald_t)
+')
+
+optional_policy(`
+ hotplug_read_config(hald_t)
+')
+
+optional_policy(`
+ lvm_domtrans(hald_t)
+')
+
+optional_policy(`
+ mount_domtrans(hald_t)
+')
+
+optional_policy(`
+ ntp_domtrans(hald_t)
+')
+
+optional_policy(`
+ pcmcia_manage_pid(hald_t)
+ pcmcia_manage_pid_chr_files(hald_t)
+')
+
+optional_policy(`
+ podsleuth_domtrans(hald_t)
+')
+
+optional_policy(`
+ ppp_domtrans(hald_t)
+ ppp_read_rw_config(hald_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(hald_t)
+ policykit_domtrans_auth(hald_t)
+ policykit_domtrans_resolve(hald_t)
+ policykit_read_lib(hald_t)
+ policykit_read_reload(hald_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(hald_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(hald_t)
+')
+
+optional_policy(`
+ udev_domtrans(hald_t)
+ udev_read_db(hald_t)
+')
+
+optional_policy(`
+ usbmuxd_stream_connect(hald_t)
+')
+
+optional_policy(`
+ updfstab_domtrans(hald_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(hald_t)
+')
+
+optional_policy(`
+ virt_manage_images(hald_t)
+')
+
+########################################
+#
+# Hal acl local policy
+#
+
+allow hald_acl_t self:capability { dac_override fowner sys_resource };
+allow hald_acl_t self:process { getattr signal };
+allow hald_acl_t self:fifo_file rw_fifo_file_perms;
+
+domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
+allow hald_t hald_acl_t:process signal;
+allow hald_acl_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_acl_t)
+
+manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
+
+corecmd_exec_bin(hald_acl_t)
+
+dev_getattr_all_chr_files(hald_acl_t)
+dev_setattr_all_chr_files(hald_acl_t)
+dev_getattr_generic_usb_dev(hald_acl_t)
+dev_getattr_video_dev(hald_acl_t)
+dev_setattr_video_dev(hald_acl_t)
+dev_getattr_sound_dev(hald_acl_t)
+dev_setattr_sound_dev(hald_acl_t)
+dev_setattr_generic_usb_dev(hald_acl_t)
+dev_setattr_usbfs_files(hald_acl_t)
+
+files_read_usr_files(hald_acl_t)
+files_read_etc_files(hald_acl_t)
+
+fs_getattr_all_fs(hald_acl_t)
+
+storage_getattr_removable_dev(hald_acl_t)
+storage_setattr_removable_dev(hald_acl_t)
+storage_getattr_fixed_disk_dev(hald_acl_t)
+storage_setattr_fixed_disk_dev(hald_acl_t)
+
+auth_use_nsswitch(hald_acl_t)
+
+logging_send_syslog_msg(hald_acl_t)
+
+miscfiles_read_localization(hald_acl_t)
+
+optional_policy(`
+ policykit_dbus_chat(hald_acl_t)
+ policykit_domtrans_auth(hald_acl_t)
+ policykit_read_lib(hald_acl_t)
+ policykit_read_reload(hald_acl_t)
+')
+
+########################################
+#
+# Local hald mac policy
+#
+
+allow hald_mac_t self:capability { setgid setuid sys_admin };
+
+domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
+allow hald_t hald_mac_t:process signal;
+allow hald_mac_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_mac_t)
+
+write_files_pattern(hald_mac_t, hald_log_t, hald_log_t)
+
+kernel_read_system_state(hald_mac_t)
+
+dev_read_raw_memory(hald_mac_t)
+dev_write_raw_memory(hald_mac_t)
+dev_read_sysfs(hald_mac_t)
+
+files_read_usr_files(hald_mac_t)
+files_read_etc_files(hald_mac_t)
+
+auth_use_nsswitch(hald_mac_t)
+
+logging_send_syslog_msg(hald_mac_t)
+
+miscfiles_read_localization(hald_mac_t)
+
+########################################
+#
+# Local hald sonypic policy
+#
+
+domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t)
+allow hald_t hald_sonypic_t:process signal;
+allow hald_sonypic_t hald_t:unix_stream_socket connectto;
+
+dev_read_video_dev(hald_sonypic_t)
+dev_write_video_dev(hald_sonypic_t)
+
+manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_sonypic_t)
+
+write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
+
+files_read_usr_files(hald_sonypic_t)
+
+miscfiles_read_localization(hald_sonypic_t)
+
+########################################
+#
+# Hal keymap local policy
+#
+
+domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t)
+allow hald_t hald_keymap_t:process signal;
+allow hald_keymap_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_keymap_t)
+
+write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
+
+dev_rw_input_dev(hald_keymap_t)
+
+files_read_etc_files(hald_keymap_t)
+files_read_usr_files(hald_keymap_t)
+
+miscfiles_read_localization(hald_keymap_t)
+
+########################################
+#
+# Local hald dccm policy
+#
+
+allow hald_dccm_t self:capability { chown net_bind_service };
+allow hald_dccm_t self:process getsched;
+allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
+allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
+allow hald_dccm_t self:udp_socket create_socket_perms;
+allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
+
+domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t)
+allow hald_t hald_dccm_t:process signal;
+allow hald_dccm_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_dccm_t)
+
+manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file })
+
+manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t)
+files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file)
+
+write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
+
+kernel_search_network_sysctl(hald_dccm_t)
+
+dev_read_urand(hald_dccm_t)
+
+corenet_all_recvfrom_unlabeled(hald_dccm_t)
+corenet_all_recvfrom_netlabel(hald_dccm_t)
+corenet_tcp_sendrecv_generic_if(hald_dccm_t)
+corenet_udp_sendrecv_generic_if(hald_dccm_t)
+corenet_tcp_sendrecv_generic_node(hald_dccm_t)
+corenet_udp_sendrecv_generic_node(hald_dccm_t)
+corenet_tcp_sendrecv_all_ports(hald_dccm_t)
+corenet_udp_sendrecv_all_ports(hald_dccm_t)
+corenet_tcp_bind_generic_node(hald_dccm_t)
+corenet_udp_bind_generic_node(hald_dccm_t)
+corenet_udp_bind_dhcpc_port(hald_dccm_t)
+corenet_tcp_bind_ftp_port(hald_dccm_t)
+corenet_tcp_bind_dccm_port(hald_dccm_t)
+
+logging_send_syslog_msg(hald_dccm_t)
+
+files_read_usr_files(hald_dccm_t)
+
+miscfiles_read_localization(hald_dccm_t)
+
+hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
+
+optional_policy(`
+ dbus_system_bus_client(hald_dccm_t)
+')
diff --git a/hddtemp.fc b/hddtemp.fc
new file mode 100644
index 0000000..1676612
--- /dev/null
+++ b/hddtemp.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0)
+
+/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0)
+
+/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
diff --git a/hddtemp.if b/hddtemp.if
new file mode 100644
index 0000000..87b4531
--- /dev/null
+++ b/hddtemp.if
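Review bot: `sys_tty_config` is granted in the `allow hald_t self:capability { ... sys_tty_config };` line and then listed again in `dontaudit hald_t self:capability {sys_ptrace sys_tty_config };` directly below it; a dontaudit on an already-allowed permission is dead, so that line should read `dontaudit hald_t self:capability sys_ptrace;`. The comment `# execute openvt which needs setuid` above that allow no longer explains the list, which also hands hald_t `dac_override`, `sys_admin`, `sys_rawio`, `mknod` and `net_admin`; combined with `dev_read_raw_memory`, `storage_raw_write_fixed_disk`, `corecmd_exec_all_executables` and `libs_exec_lib_files` further down, this domain is close to root-equivalent, so the comment should say which callouts need each group rather than imply setuid is the only reason. The same applies to hald_mac_t, which gets `dev_write_raw_memory` on top of `sys_admin`; if that is only for the backlight addons labeled hald_mac_exec_t in hal.fc, a comment naming them keeps the grant reviewable. One more thing to confirm: `hald_cache_t` is declared with `files_pid_file` although hal.fc applies it to `/var/cache/hald`, which looks like it was meant to be `files_type` (as `hald_var_lib_t` is) rather than a pid-file type.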
@@ -0,0 +1,77 @@
+## hddtemp hard disk temperature tool running as a daemon.
+
+#######################################
+##
+## Execute a domain transition to run hddtemp.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hddtemp_domtrans',`
+ gen_require(`
+ type hddtemp_t, hddtemp_exec_t;
+ ')
+
+ domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
+ corecmd_search_bin($1)
+')
+
+######################################
+##
+## Execute hddtemp.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hddtemp_exec',`
+ gen_require(`
+ type hddtemp_exec_t;
+ ')
+
+ can_exec($1, hddtemp_exec_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+##
+## All of the rules required to
+## administrate an hddtemp environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`hddtemp_admin',`
+ gen_require(`
+ type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
+ ')
+
+ allow $1 hddtemp_t:process { ptrace signal_perms };
+ ps_process_pattern($1, hddtemp_t)
+
+ init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 hddtemp_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, hddtemp_etc_t)
+ files_search_etc($1)
+
+ allow $1 hddtemp_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)
+ kernel_search_proc($1)
+')
diff --git a/hddtemp.te b/hddtemp.te
new file mode 100644
index 0000000..c234b32
--- /dev/null
+++ b/hddtemp.te
@@ -0,0 +1,49 @@
+policy_module(hddtemp, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type hddtemp_t;
+type hddtemp_exec_t;
+init_daemon_domain(hddtemp_t, hddtemp_exec_t)
+
+type hddtemp_initrc_exec_t;
+init_script_file(hddtemp_initrc_exec_t)
+
+type hddtemp_etc_t;
+files_config_file(hddtemp_etc_t)
+
+########################################
+#
+# hddtemp local policy
+#
+
+allow hddtemp_t self:capability sys_rawio;
+dontaudit hddtemp_t self:capability sys_admin;
+allow hddtemp_t self:netlink_route_socket r_netlink_socket_perms;
+allow hddtemp_t self:tcp_socket create_stream_socket_perms;
+allow hddtemp_t self:udp_socket create_socket_perms;
+
+allow hddtemp_t hddtemp_etc_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(hddtemp_t)
+corenet_all_recvfrom_netlabel(hddtemp_t)
+corenet_tcp_sendrecv_generic_if(hddtemp_t)
+corenet_tcp_sendrecv_generic_node(hddtemp_t)
+corenet_tcp_bind_generic_node(hddtemp_t)
+corenet_tcp_sendrecv_all_ports(hddtemp_t)
+corenet_tcp_bind_hddtemp_port(hddtemp_t)
+corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
+corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
+
+files_search_etc(hddtemp_t)
+files_read_usr_files(hddtemp_t)
+
+storage_raw_read_fixed_disk(hddtemp_t)
+
+logging_send_syslog_msg(hddtemp_t)
+
+miscfiles_read_localization(hddtemp_t)
+
diff --git a/howl.fc b/howl.fc
new file mode 100644
index 0000000..faf9146
--- /dev/null
+++ b/howl.fc
@@ -0,0 +1,5 @@
+
+/usr/bin/mDNSResponder -- gen_context(system_u:object_r:howl_exec_t,s0)
+/usr/bin/nifd -- gen_context(system_u:object_r:howl_exec_t,s0)
+
+/var/run/nifd\.pid -- gen_context(system_u:object_r:howl_var_run_t,s0)
diff --git a/howl.if b/howl.if
new file mode 100644
index 0000000..9164dd2
--- /dev/null
+++ b/howl.if
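Review bot: hddtemp_t is a network-listening domain (`corenet_tcp_bind_hddtemp_port` on a generic node) that also holds `sys_rawio` and `storage_raw_read_fixed_disk`, so a flaw in its TCP protocol handling would expose raw contents of every fixed disk; the grants are read-only, which is the right shape, but a comment above `allow hddtemp_t self:capability sys_rawio;` such as `# SMART queries are ioctls on the raw disk device` would record why a capability this strong is needed. `corenet_tcp_sendrecv_all_ports` sits next to the port-specific `corenet_tcp_sendrecv_hddtemp_port`; if the daemon only ever talks on its own port the all-ports line looks droppable, though I am not certain whether the surrounding refpolicy convention relies on it for client-side ephemeral ports, so please confirm before narrowing it.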
@@ -0,0 +1,19 @@
+## Port of Apple Rendezvous multicast DNS
+
+########################################
+##
+## Send generic signals to howl.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`howl_signal',`
+ gen_require(`
+ type howl_t;
+ ')
+
+ allow $1 howl_t:process signal;
+')
diff --git a/howl.te b/howl.te
new file mode 100644
index 0000000..6ad2d3c
--- /dev/null
+++ b/howl.te
@@ -0,0 +1,80 @@
+policy_module(howl, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type howl_t;
+type howl_exec_t;
+init_daemon_domain(howl_t, howl_exec_t)
+
+type howl_var_run_t;
+files_pid_file(howl_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow howl_t self:capability { kill net_admin };
+dontaudit howl_t self:capability sys_tty_config;
+allow howl_t self:process signal_perms;
+allow howl_t self:fifo_file rw_fifo_file_perms;
+allow howl_t self:tcp_socket create_stream_socket_perms;
+allow howl_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(howl_t, howl_var_run_t, howl_var_run_t)
+files_pid_filetrans(howl_t, howl_var_run_t, file)
+
+kernel_read_network_state(howl_t)
+kernel_read_kernel_sysctls(howl_t)
+kernel_request_load_module(howl_t)
+kernel_list_proc(howl_t)
+kernel_read_proc_symlinks(howl_t)
+
+corenet_all_recvfrom_unlabeled(howl_t)
+corenet_all_recvfrom_netlabel(howl_t)
+corenet_tcp_sendrecv_generic_if(howl_t)
+corenet_udp_sendrecv_generic_if(howl_t)
+corenet_tcp_sendrecv_generic_node(howl_t)
+corenet_udp_sendrecv_generic_node(howl_t)
+corenet_tcp_sendrecv_all_ports(howl_t)
+corenet_udp_sendrecv_all_ports(howl_t)
+corenet_tcp_bind_generic_node(howl_t)
+corenet_udp_bind_generic_node(howl_t)
+corenet_tcp_bind_howl_port(howl_t)
+corenet_udp_bind_howl_port(howl_t)
+corenet_sendrecv_howl_server_packets(howl_t)
+
+dev_read_sysfs(howl_t)
+
+fs_getattr_all_fs(howl_t)
+fs_search_auto_mountpoints(howl_t)
+
+domain_use_interactive_fds(howl_t)
+
+files_read_etc_files(howl_t)
+
+init_rw_utmp(howl_t)
+
+logging_send_syslog_msg(howl_t)
+
+miscfiles_read_localization(howl_t)
+
+sysnet_read_config(howl_t)
+
+userdom_dontaudit_use_unpriv_user_fds(howl_t)
+userdom_dontaudit_search_user_home_dirs(howl_t)
+
+optional_policy(`
+ nis_use_ypbind(howl_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(howl_t)
+')
+
+optional_policy(`
+ udev_read_db(howl_t)
+')
diff --git a/i18n_input.fc b/i18n_input.fc
new file mode 100644
index 0000000..024eb18
--- /dev/null
+++ b/i18n_input.fc
@@ -0,0 +1,19 @@
+#
+# /usr
+#
+
+/usr/bin/iiimd\.bin -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/httx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/htt_xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/iiimx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+/usr/lib/iiim/iiim-xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+/usr/sbin/htt -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/sbin/htt_server -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+
+#
+# /var
+#
+
+/var/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_var_run_t,s0)
diff --git a/i18n_input.if b/i18n_input.if
new file mode 100644
index 0000000..bc7de4f
--- /dev/null
+++ b/i18n_input.if
@@ -0,0 +1,15 @@
+## IIIMF htt server
+
+########################################
+##
+## Use i18n_input over a TCP connection. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`i18n_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/i18n_input.te b/i18n_input.te
new file mode 100644
index 0000000..5fc89c4
--- /dev/null
+++ b/i18n_input.te
@@ -0,0 +1,102 @@
+policy_module(i18n_input, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type i18n_input_t;
+type i18n_input_exec_t;
+init_daemon_domain(i18n_input_t, i18n_input_exec_t)
+
+type i18n_input_var_run_t;
+files_pid_file(i18n_input_var_run_t)
+
+########################################
+#
+# i18n_input local policy
+#
+
+allow i18n_input_t self:capability { kill setgid setuid };
+dontaudit i18n_input_t self:capability sys_tty_config;
+allow i18n_input_t self:process { signal_perms setsched setpgid };
+allow i18n_input_t self:fifo_file rw_fifo_file_perms;
+allow i18n_input_t self:unix_dgram_socket create_socket_perms;
+allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
+allow i18n_input_t self:tcp_socket create_stream_socket_perms;
+allow i18n_input_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t)
+manage_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t)
+manage_sock_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t)
+files_pid_filetrans(i18n_input_t, i18n_input_var_run_t, file)
+
+can_exec(i18n_input_t, i18n_input_exec_t)
+
+kernel_read_kernel_sysctls(i18n_input_t)
+kernel_read_system_state(i18n_input_t)
+
+corenet_all_recvfrom_unlabeled(i18n_input_t)
+corenet_all_recvfrom_netlabel(i18n_input_t)
+corenet_tcp_sendrecv_generic_if(i18n_input_t)
+corenet_udp_sendrecv_generic_if(i18n_input_t)
+corenet_tcp_sendrecv_generic_node(i18n_input_t)
+corenet_udp_sendrecv_generic_node(i18n_input_t)
+corenet_tcp_sendrecv_all_ports(i18n_input_t)
+corenet_udp_sendrecv_all_ports(i18n_input_t)
+corenet_tcp_bind_generic_node(i18n_input_t)
+corenet_tcp_bind_i18n_input_port(i18n_input_t)
+corenet_tcp_connect_all_ports(i18n_input_t)
+corenet_sendrecv_i18n_input_server_packets(i18n_input_t)
+corenet_sendrecv_all_client_packets(i18n_input_t)
+
+dev_read_sysfs(i18n_input_t)
+
+fs_getattr_all_fs(i18n_input_t)
+fs_search_auto_mountpoints(i18n_input_t)
+
+corecmd_search_bin(i18n_input_t)
+corecmd_exec_bin(i18n_input_t)
+
+domain_use_interactive_fds(i18n_input_t)
+
+files_read_etc_files(i18n_input_t)
+files_read_etc_runtime_files(i18n_input_t)
+files_read_usr_files(i18n_input_t)
+
+init_stream_connect_script(i18n_input_t)
+
+logging_send_syslog_msg(i18n_input_t)
+
+miscfiles_read_localization(i18n_input_t)
+
+sysnet_read_config(i18n_input_t)
+
+userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
+userdom_read_user_home_content_files(i18n_input_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(i18n_input_t)
+ fs_read_nfs_symlinks(i18n_input_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(i18n_input_t)
+ fs_read_cifs_symlinks(i18n_input_t)
+')
+
+optional_policy(`
+ canna_stream_connect(i18n_input_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(i18n_input_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(i18n_input_t)
+')
+
+optional_policy(`
+ udev_read_db(i18n_input_t)
+')
diff --git a/icecast.fc b/icecast.fc
new file mode 100644
index 0000000..a81e090
--- /dev/null
+++ b/icecast.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0)
+
+/usr/bin/icecast -- gen_context(system_u:object_r:icecast_exec_t,s0)
+
+/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0)
+
+/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0)
diff --git a/icecast.if b/icecast.if
new file mode 100644
index 0000000..ecab47a
--- /dev/null
+++ b/icecast.if
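Review bot: `corenet_tcp_connect_all_ports(i18n_input_t)` together with `corenet_sendrecv_all_client_packets(i18n_input_t)` lets the input-method daemon open outbound TCP connections to any port, while the same domain is granted `userdom_read_user_home_content_files` plus the NFS/CIFS home tunables, so a compromise of this daemon would not be bounded by the network rules at all. If the server only talks to a known peer port, the narrower `corenet_tcp_connect_<name>_port` form would contain that; failing that, a comment above the connect rule recording why any port is required would help later reviews, e.g. `# htt connects to arbitrary remote ports — TODO narrow once the needed ports are known`. The i18n_input.te hunk begins on the previous physical line.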
@@ -0,0 +1,188 @@
+## ShoutCast compatible streaming media server
+
+########################################
+##
+## Execute a domain transition to run icecast.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`icecast_domtrans',`
+ gen_require(`
+ type icecast_t, icecast_exec_t;
+ ')
+
+ domtrans_pattern($1, icecast_exec_t, icecast_t)
+')
+
+########################################
+##
+## Allow domain signal icecast
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`icecast_signal',`
+ gen_require(`
+ type icecast_t;
+ ')
+
+ allow $1 icecast_t:process signal;
+')
+
+########################################
+##
+## Execute icecast server in the icecast domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`icecast_initrc_domtrans',`
+ gen_require(`
+ type icecast_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, icecast_initrc_exec_t)
+')
+
+########################################
+##
+## Read icecast PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`icecast_read_pid_files',`
+ gen_require(`
+ type icecast_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 icecast_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Manage icecast pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`icecast_manage_pid_files',`
+ gen_require(`
+ type icecast_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t)
+')
+
+########################################
+##
+## Allow the specified domain to read icecast's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`icecast_read_log',`
+ gen_require(`
+ type icecast_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, icecast_log_t, icecast_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to append
+## icecast log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`icecast_append_log',`
+ gen_require(`
+ type icecast_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, icecast_log_t, icecast_log_t)
+')
+
+########################################
+##
+## Allow domain to manage icecast log files
+##
+##
+##
+## Domain allow access.
+##
+##
+#
+interface(`icecast_manage_log',`
+ gen_require(`
+ type icecast_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, icecast_log_t, icecast_log_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an icecast environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`icecast_admin',`
+ gen_require(`
+ type icecast_t, icecast_initrc_exec_t;
+ ')
+
+ ps_process_pattern($1, icecast_t)
+
+ # Allow icecast_t to restart the apache service
+ icecast_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 icecast_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ icecast_manage_pid_files($1)
+
+ icecast_manage_log($1)
+
+')
diff --git a/icecast.te b/icecast.te
new file mode 100644
index 0000000..fdb7e9a
--- /dev/null
+++ b/icecast.te
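Review bot: The comment `# Allow icecast_t to restart the apache service` inside `icecast_admin` is a copy-paste leftover: the rules under it let the admin domain `$1` run the icecast init script and let role `$2` move to system_r, and nothing in the interface involves apache or has icecast_t as the subject. Replace it with `# Allow $1 to run the icecast init script and $2 to transition to system_r`. Separately, unlike `ifplugd_admin` later in this commit, `icecast_admin` grants no `allow $1 icecast_t:process { ptrace signal_perms };`, so an administrator can read icecast's /proc state via `ps_process_pattern` but cannot signal the daemon; if that omission is deliberate it deserves a comment, otherwise the line should be added next to `ps_process_pattern($1, icecast_t)`. The icecast.if hunk begins on the previous physical line.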
@@ -0,0 +1,61 @@
+policy_module(icecast, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type icecast_t;
+type icecast_exec_t;
+init_daemon_domain(icecast_t, icecast_exec_t)
+
+type icecast_initrc_exec_t;
+init_script_file(icecast_initrc_exec_t)
+
+type icecast_var_run_t;
+files_pid_file(icecast_var_run_t)
+
+type icecast_log_t;
+logging_log_file(icecast_log_t)
+
+########################################
+#
+# icecast local policy
+#
+
+allow icecast_t self:capability { dac_override setgid setuid sys_nice };
+allow icecast_t self:process { getsched fork setsched signal };
+allow icecast_t self:fifo_file rw_fifo_file_perms;
+allow icecast_t self:unix_stream_socket create_stream_socket_perms;
+allow icecast_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
+manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
+logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )
+
+manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
+
+kernel_read_system_state(icecast_t)
+
+corenet_tcp_bind_soundd_port(icecast_t)
+
+# Init script handling
+domain_use_interactive_fds(icecast_t)
+
+files_read_etc_files(icecast_t)
+
+auth_use_nsswitch(icecast_t)
+
+miscfiles_read_localization(icecast_t)
+
+sysnet_dns_name_resolve(icecast_t)
+
+optional_policy(`
+ apache_read_sys_content(icecast_t)
+')
+
+optional_policy(`
+ rtkit_scheduled(icecast_t)
+')
diff --git a/ifplugd.fc b/ifplugd.fc
new file mode 100644
index 0000000..2eda96f
--- /dev/null
+++ b/ifplugd.fc
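Review bot: `allow icecast_t self:capability { dac_override setgid setuid sys_nice };` grants dac_override without any comment explaining why, and it is the one capability in that set that is not implied by a daemon dropping privileges: it bypasses file-mode checks on every object the type rules in this file already permit (log, pid, /etc, apache sys content). It is worth confirming from audit denials that icecast really needs it rather than only setgid/setuid, and recording the answer on that line, e.g. `# dac_override: needed because <reason — TODO confirm from audit denials>`. The rest of the block is narrow and consistent with the other .te files in this commit.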
@@ -0,0 +1,7 @@
+/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0)
+
+/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0)
+
+/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
+
+/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0)
diff --git a/ifplugd.if b/ifplugd.if
new file mode 100644
index 0000000..dfb4232
--- /dev/null
+++ b/ifplugd.if
@@ -0,0 +1,133 @@
+## Bring up/down ethernet interfaces based on cable detection.
+
+########################################
+##
+## Execute a domain transition to run ifplugd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ifplugd_domtrans',`
+ gen_require(`
+ type ifplugd_t, ifplugd_exec_t;
+ ')
+
+ domtrans_pattern($1, ifplugd_exec_t, ifplugd_t)
+')
+
+########################################
+##
+## Send a generic signal to ifplugd
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ifplugd_signal',`
+ gen_require(`
+ type ifplugd_t;
+ ')
+
+ allow $1 ifplugd_t:process signal;
+')
+
+########################################
+##
+## Read ifplugd etc configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ifplugd_read_config',`
+ gen_require(`
+ type ifplugd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+')
+
+########################################
+##
+## Manage ifplugd etc configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ifplugd_manage_config',`
+ gen_require(`
+ type ifplugd_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+ manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+')
+
+########################################
+##
+## Read ifplugd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ifplugd_read_pid_files',`
+ gen_require(`
+ type ifplugd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ifplugd_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ifplugd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the ifplugd domain.
+##
+##
+##
+#
+interface(`ifplugd_admin',`
+ gen_require(`
+ type ifplugd_t, ifplugd_etc_t;
+ type ifplugd_var_run_t, ifplugd_initrc_exec_t;
+ ')
+
+ allow $1 ifplugd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ifplugd_t)
+
+ init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ifplugd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, ifplugd_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ifplugd_var_run_t)
+')
diff --git a/ifplugd.te b/ifplugd.te
new file mode 100644
index 0000000..978c32f
--- /dev/null
+++ b/ifplugd.te
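Review bot: The summary of `ifplugd_manage_config` says only `Manage ifplugd etc configuration files.`, but ifplugd.te in the next hunk grants `exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)` alongside `corecmd_exec_shell(ifplugd_t)`, so any domain given write access to ifplugd_etc_t effectively chooses what runs inside a domain that holds net_admin. That consequence should be stated in the interface documentation so callers grant it deliberately; suggested addition to the summary: `Note: ifplugd_t executes files of this type, so write access here is equivalent to code execution as ifplugd_t.` The same wording belongs on the `# config files` comment above `exec_files_pattern` in ifplugd.te, and `ifplugd_admin` (via `admin_pattern($1, ifplugd_etc_t)`) inherits the same implication. The ifplugd.if hunk begins on the previous physical line.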
@@ -0,0 +1,76 @@
+policy_module(ifplugd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ifplugd_t;
+type ifplugd_exec_t;
+init_daemon_domain(ifplugd_t, ifplugd_exec_t)
+
+# config files
+type ifplugd_etc_t;
+files_type(ifplugd_etc_t)
+
+type ifplugd_initrc_exec_t;
+init_script_file(ifplugd_initrc_exec_t)
+
+# pid files
+type ifplugd_var_run_t;
+files_pid_file(ifplugd_var_run_t)
+
+########################################
+#
+# ifplugd local policy
+#
+
+allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
+dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace };
+allow ifplugd_t self:process { signal signull };
+allow ifplugd_t self:fifo_file rw_fifo_file_perms;
+allow ifplugd_t self:tcp_socket create_stream_socket_perms;
+allow ifplugd_t self:udp_socket create_socket_perms;
+allow ifplugd_t self:packet_socket create_socket_perms;
+allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms;
+
+# pid file
+manage_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
+manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
+files_pid_filetrans(ifplugd_t, ifplugd_var_run_t, { file sock_file })
+
+# config files
+read_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
+exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
+
+kernel_read_system_state(ifplugd_t)
+kernel_read_network_state(ifplugd_t)
+kernel_rw_net_sysctls(ifplugd_t)
+kernel_read_kernel_sysctls(ifplugd_t)
+
+corecmd_exec_shell(ifplugd_t)
+corecmd_exec_bin(ifplugd_t)
+
+# reading of hardware information
+dev_read_sysfs(ifplugd_t)
+
+domain_read_confined_domains_state(ifplugd_t)
+domain_dontaudit_read_all_domains_state(ifplugd_t)
+
+auth_use_nsswitch(ifplugd_t)
+
+logging_send_syslog_msg(ifplugd_t)
+
+miscfiles_read_localization(ifplugd_t)
+
+netutils_domtrans(ifplugd_t)
+# transition to ifconfig & dhcpc
+sysnet_domtrans_ifconfig(ifplugd_t)
+sysnet_domtrans_dhcpc(ifplugd_t)
+sysnet_delete_dhcpc_pid(ifplugd_t)
+sysnet_read_dhcpc_pid(ifplugd_t)
+sysnet_signal_dhcpc(ifplugd_t)
+
+optional_policy(`
+ consoletype_exec(ifplugd_t)
+')
diff --git a/imaze.fc b/imaze.fc
new file mode 100644
index 0000000..8d455ba
--- /dev/null
+++ b/imaze.fc
@@ -0,0 +1,4 @@
+/usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0)
+/usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0)
+
+/var/log/imaze\.log -- gen_context(system_u:object_r:imazesrv_log_t,s0)
diff --git a/imaze.if b/imaze.if
new file mode 100644
index 0000000..8eb9ec3
--- /dev/null
+++ b/imaze.if
@@ -0,0 +1 @@
+## iMaze game server
diff --git a/imaze.te b/imaze.te
new file mode 100644
index 0000000..0778af8
--- /dev/null
+++ b/imaze.te
@@ -0,0 +1,99 @@
+policy_module(imaze, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type imazesrv_t;
+type imazesrv_exec_t;
+init_daemon_domain(imazesrv_t, imazesrv_exec_t)
+
+type imazesrv_data_t;
+files_type(imazesrv_data_t)
+
+type imazesrv_data_labs_t;
+files_type(imazesrv_data_labs_t)
+
+type imazesrv_log_t;
+logging_log_file(imazesrv_log_t)
+
+type imazesrv_var_run_t;
+files_pid_file(imazesrv_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit imazesrv_t self:capability sys_tty_config;
+allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow imazesrv_t self:fd use;
+allow imazesrv_t self:fifo_file rw_fifo_file_perms;
+allow imazesrv_t self:unix_dgram_socket { create_socket_perms sendto };
+allow imazesrv_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow imazesrv_t self:shm create_shm_perms;
+allow imazesrv_t self:sem create_sem_perms;
+allow imazesrv_t self:msgq create_msgq_perms;
+allow imazesrv_t self:msg { send receive };
+allow imazesrv_t self:tcp_socket create_stream_socket_perms;
+allow imazesrv_t self:udp_socket create_socket_perms;
+
+allow imazesrv_t imazesrv_data_t:dir list_dir_perms;
+read_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t)
+read_lnk_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t)
+
+allow imazesrv_t imazesrv_log_t:file manage_file_perms;
+allow imazesrv_t imazesrv_log_t:dir add_entry_dir_perms;
+logging_log_filetrans(imazesrv_t, imazesrv_log_t, file)
+
+manage_files_pattern(imazesrv_t, imazesrv_var_run_t, imazesrv_var_run_t)
+files_pid_filetrans(imazesrv_t, imazesrv_var_run_t, file)
+
+kernel_read_kernel_sysctls(imazesrv_t)
+kernel_list_proc(imazesrv_t)
+kernel_read_proc_symlinks(imazesrv_t)
+
+corenet_all_recvfrom_unlabeled(imazesrv_t)
+corenet_all_recvfrom_netlabel(imazesrv_t)
+corenet_tcp_sendrecv_generic_if(imazesrv_t)
+corenet_udp_sendrecv_generic_if(imazesrv_t)
+corenet_tcp_sendrecv_generic_node(imazesrv_t)
+corenet_udp_sendrecv_generic_node(imazesrv_t)
+corenet_tcp_sendrecv_all_ports(imazesrv_t)
+corenet_udp_sendrecv_all_ports(imazesrv_t)
+corenet_tcp_bind_generic_node(imazesrv_t)
+corenet_udp_bind_generic_node(imazesrv_t)
+corenet_tcp_bind_imaze_port(imazesrv_t)
+corenet_udp_bind_imaze_port(imazesrv_t)
+corenet_sendrecv_imaze_server_packets(imazesrv_t)
+
+dev_read_sysfs(imazesrv_t)
+
+domain_use_interactive_fds(imazesrv_t)
+
+files_read_etc_files(imazesrv_t)
+
+fs_getattr_all_fs(imazesrv_t)
+fs_search_auto_mountpoints(imazesrv_t)
+
+logging_send_syslog_msg(imazesrv_t)
+
+miscfiles_read_localization(imazesrv_t)
+
+sysnet_read_config(imazesrv_t)
+
+userdom_use_unpriv_users_fds(imazesrv_t)
+userdom_dontaudit_search_user_home_dirs(imazesrv_t)
+
+optional_policy(`
+ nis_use_ypbind(imazesrv_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(imazesrv_t)
+')
+
+optional_policy(`
+ udev_read_db(imazesrv_t)
+')
diff --git a/inetd.fc b/inetd.fc
new file mode 100644
index 0000000..39d5baa
--- /dev/null
+++ b/inetd.fc
@@ -0,0 +1,12 @@
+
+/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+
+/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+
+/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0)
+
+/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
diff --git a/inetd.if b/inetd.if
new file mode 100644
index 0000000..df48e5e
--- /dev/null
+++ b/inetd.if
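Review bot: `allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` uses a negated permission set, so it grants every process permission that is not listed, including ones like transition and dyntransition that nothing in this file suggests the game server needs, and it will silently widen whenever a new permission is added to the process class. Every other .te file in this commit lists a positive set, and this one should too, e.g. `allow imazesrv_t self:process { signal_perms getsched setsched };` once the permissions actually exercised have been confirmed from audit denials. Also, `userdom_use_unpriv_users_fds(imazesrv_t)` is an allow where the sibling modules use the dontaudit form; if the server really needs inherited user descriptors a comment should say so. The imaze.te hunk begins on the previous physical line.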
@@ -0,0 +1,205 @@
+## Internet services daemon.
+
+########################################
+##
+## Define the specified domain as a inetd service.
+##
+##
+##

+## Define the specified domain as a inetd service. The
+## inetd_service_domain(), inetd_tcp_service_domain(),
+## or inetd_udp_service_domain() interfaces should be used
+## instead of this interface, as this interface only provides
+## the common rules to these three interfaces.
+##

+##
+##
+##
+##
+## The type associated with the inetd service process.
+##
+##
+##
+##
+## The type associated with the process program.
+##
+##
+#
+interface(`inetd_core_service_domain',`
+ gen_require(`
+ type inetd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(inetd_t, $2, $1)
+ allow inetd_t $1:process { siginh sigkill };
+')
+
+########################################
+##
+## Define the specified domain as a TCP inetd service.
+##
+##
+##
+## The type associated with the inetd service process.
+##
+##
+##
+##
+## The type associated with the process program.
+##
+##
+#
+interface(`inetd_tcp_service_domain',`
+
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
+
+########################################
+##
+## Define the specified domain as a UDP inetd service.
+##
+##
+##
+## The type associated with the inetd service process.
+##
+##
+##
+##
+## The type associated with the process program.
+##
+##
+#
+interface(`inetd_udp_service_domain',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:udp_socket rw_socket_perms;
+')
+
+########################################
+##
+## Define the specified domain as a TCP and UDP inetd service.
+##
+##
+##
+## The type associated with the inetd service process.
+##
+##
+##
+##
+## The type associated with the process program.
+##
+##
+#
+interface(`inetd_service_domain',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+ allow $1 inetd_t:udp_socket rw_socket_perms;
+
+ # encrypt the service through stunnel
+ optional_policy(`
+ stunnel_service_domain($1, $2)
+ ')
+')
+
+########################################
+##
+## Inherit and use file descriptors from inetd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`inetd_use_fds',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ allow $1 inetd_t:fd use;
+')
+
+########################################
+##
+## Connect to the inetd service using a TCP connection. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`inetd_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Run inetd child process in the inet child domain
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`inetd_domtrans_child',`
+ gen_require(`
+ type inetd_child_t, inetd_child_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, inetd_child_exec_t, inetd_child_t)
+')
+
+########################################
+##
+## Send UDP network traffic to inetd. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`inetd_udp_send',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Read and write inetd TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`inetd_rw_tcp_sockets',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
diff --git a/inetd.te b/inetd.te
new file mode 100644
index 0000000..c51a7b2
--- /dev/null
+++ b/inetd.te
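Review bot: `interface(`inetd_tcp_service_domain',`` is followed by a blank line before its `gen_require(`, unlike `inetd_core_service_domain`, `inetd_udp_service_domain` and `inetd_service_domain` in the same hunk, which open directly with `gen_require(`; dropping that blank line keeps the four siblings uniform. On documentation, `inetd_core_service_domain` grants `allow inetd_t $1:process { siginh sigkill };` and `role system_r types $1;`, but its description only says it holds the common rules; adding `The service domain is placed in system_r and inetd may SIGKILL it.` to that description would make the contract visible to the callers the text points at. The inetd.if hunk begins several physical lines earlier.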
@@ -0,0 +1,242 @@
+policy_module(inetd, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type inetd_t;
+type inetd_ex尽_t;
+init_daemon_domain(inetd_t, inetd_exec_t)
+
+type inetd_log_t;
+logging_log_file(inetd_log_t)
+
+type inetd_tmp_t;
+files_tmp_file(inetd_tmp_t)
+
+type inetd_var_run_t;
+files_pid_file(inetd_var_run_t)
+
+type inetd_child_t;
+type inetd_child_exec_t;
+inetd_service_domain(inetd_child_t, inetd_child_exec_t)
+role system_r types inetd_child_t;
+
+type inetd_child_tmp_t;
+files_tmp_file(inetd_child_tmp_t)
+
+type inetd_child_var_run_t;
+files_pid_file(inetd_child_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow inetd_t self:capability { setuid setgid };
+dontaudit inetd_t self:capability sys_tty_config;
+allow inetd_t self:process { setsched setexec };
+allow inetd_t self:fifo_file rw_fifo_file_perms;
+allow inetd_t self:tcp_socket create_stream_socket_perms;
+allow inetd_t self:udp_socket create_socket_perms;
+allow inetd_t self:fd use;
+
+allow inetd_t inetd_log_t:file manage_file_perms;
+logging_log_filetrans(inetd_t, inetd_log_t, file)
+
+manage_dirs_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t)
+manage_files_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t)
+files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir })
+
+allow inetd_t inetd_var_run_t:file manage_file_perms;
+files_pid_filetrans(inetd_t, inetd_var_run_t, file)
+
+kernel_read_kernel_sysctls(inetd_t)
+kernel_list_proc(inetd_t)
+kernel_read_proc_symlinks(inetd_t)
+kernel_read_system_state(inetd_t)
+kernel_tcp_recvfrom_unlabeled(inetd_t)
+
+corecmd_bin_domtrans(inetd_t, inetd_child_t)
+
+# base networking:
+corenet_all_recvfrom_unlabeled(inetd_t)
+corenet_all_recvfrom_netlabel(inetd_t)
+corenet_tcp_sendrecv_generic_if(inetd_t)
+corenet_udp_sendrecv_generic_if(inetd_t)
+corenet_tcp_sendrecv_generic_node(inetd_t)
+corenet_udp_sendrecv_generic_node(inetd_t)
+corenet_tcp_sendrecv_all_ports(inetd_t)
+corenet_udp_sendrecv_all_ports(inetd_t)
+corenet_tcp_bind_generic_node(inetd_t)
+corenet_udp_bind_generic_node(inetd_t)
+corenet_tcp_connect_all_ports(inetd_t)
+corenet_sendrecv_all_client_packets(inetd_t)
+
+# listen on service ports:
+corenet_tcp_bind_amanda_port(inetd_t)
+corenet_udp_bind_amanda_port(inetd_t)
+corenet_tcp_bind_auth_port(inetd_t)
+corenet_udp_bind_comsat_port(inetd_t)
+corenet_tcp_bind_dbskkd_port(inetd_t)
+corenet_udp_bind_dbskkd_port(inetd_t)
+corenet_tcp_bind_ftp_port(inetd_t)
+corenet_udp_bind_ftp_port(inetd_t)
+corenet_tcp_bind_inetd_child_port(inetd_t)
+corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_ircd_port(inetd_t)
+corenet_udp_bind_ktalkd_port(inetd_t)
+corenet_tcp_bind_printer_port(inetd_t)
+corenet_udp_bind_rlogind_port(inetd_t)
+corenet_udp_bind_rsh_port(inetd_t)
+corenet_tcp_bind_rsh_port(inetd_t)
+corenet_tcp_bind_rsync_port(inetd_t)
+corenet_udp_bind_rsync_port(inetd_t)
+#corenet_tcp_bind_stunnel_port(inetd_t)
+corenet_tcp_bind_swat_port(inetd_t)
+corenet_udp_bind_swat_port(inetd_t)
+corenet_tcp_bind_telnetd_port(inetd_t)
+corenet_udp_bind_tftp_port(inetd_t)
+corenet_tcp_bind_ssh_port(inetd_t)
+corenet_tcp_bind_git_port(inetd_t)
+corenet_udp_bind_git_port(inetd_t)
+
+# service port packets:
+corenet_sendrecv_amanda_server_packets(inetd_t)
+corenet_sendrecv_auth_server_packets(inetd_t)
+corenet_sendrecv_comsat_server_packets(inetd_t)
+corenet_sendrecv_dbskkd_server_packets(inetd_t)
+corenet_sendrecv_ftp_server_packets(inetd_t)
+corenet_sendrecv_inetd_child_server_packets(inetd_t)
+corenet_sendrecv_ircd_server_packets(inetd_t)
+corenet_sendrecv_ktalkd_server_packets(inetd_t)
+corenet_sendrecv_printer_server_packets(inetd_t)
+corenet_sendrecv_rsh_server_packets(inetd_t)
+corenet_sendrecv_rsync_server_packets(inetd_t)
+#corenet_sendrecv_stunnel_server_packets(inetd_t)
+corenet_sendrecv_swat_server_packets(inetd_t)
+corenet_sendrecv_tftp_server_packets(inetd_t)
+
+dev_read_sysfs(inetd_t)
+
+fs_getattr_all_fs(inetd_t)
+fs_search_auto_mountpoints(inetd_t)
+
+selinux_validate_context(inetd_t)
+selinux_compute_create_context(inetd_t)
+
+# Run other daemons in the inetd_child_t domain.
+corecmd_search_bin(inetd_t)
+corecmd_read_bin_symlinks(inetd_t)
+
+domain_use_interactive_fds(inetd_t)
+
+files_read_etc_files(inetd_t)
+files_read_etc_runtime_files(inetd_t)
+
+auth_use_nsswitch(inetd_t)
+
+logging_send_syslog_msg(inetd_t)
+
+miscfiles_read_localization(inetd_t)
+
+# xinetd needs MLS override privileges to work
+mls_fd_share_all_levels(inetd_t)
+mls_socket_read_to_clearance(inetd_t)
+mls_socket_write_to_clearance(inetd_t)
+mls_process_set_level(inetd_t)
+
+sysnet_read_config(inetd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(inetd_t)
+userdom_dontaudit_search_user_home_dirs(inetd_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ unconfined_domain(inetd_t)
+ ')
+')
+
+ifdef(`enable_mls',`
+ corenet_tcp_recvfrom_netlabel(inetd_t)
+ corenet_udp_recvfrom_netlabel(inetd_t)
+')
+
+optional_policy(`
+ amanda_search_lib(inetd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(inetd_t)
+')
+
+optional_policy(`
+ udev_read_db(inetd_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(inetd_t)
+')
+
+########################################
+#
+# inetd child local_policy
+#
+
+allow inetd_child_t self:process signal_perms;
+allow inetd_child_t self:fifo_file rw_fifo_file_perms;
+allow inetd_child_t self:tcp_socket connected_stream_socket_perms;
+allow inetd_child_t self:udp_socket create_socket_perms;
+
+# for identd
+allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow inetd_child_t self:capability { setuid setgid };
+files_search_home(inetd_child_t)
+
+manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t)
+manage_files_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t)
+files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir })
+
+manage_files_pattern(inetd_child_t, inetd_child_var_run_t, inetd_child_var_run_t)
+files_pid_filetrans(inetd_child_t, inetd_child_var_run_t, file)
+
+kernel_read_kernel_sysctls(inetd_child_t)
+kernel_read_system_state(inetd_child_t)
+kernel_read_network_state(inetd_child_t)
+
+corenet_all_recvfrom_unlabeled(inetd_child_t)
+corenet_all_recvfrom_netlabel(inetd_child_t)
+corenet_tcp_sendrecv_generic_if(inetd_child_t)
+corenet_udp_sendrecv_generic_if(inetd_child_t)
+corenet_tcp_sendrecv_generic_node(inetd_child_t)
+corenet_udp_sendrecv_generic_node(inetd_child_t)
+corenet_tcp_sendrecv_all_ports(inetd_child_t)
+corenet_udp_sendrecv_all_ports(inetd_child_t)
+
+dev_read_urand(inetd_child_t)
+
+fs_getattr_xattr_fs(inetd_child_t)
+
+files_read_etc_files(inetd_child_t)
+files_read_etc_runtime_files(inetd_child_t)
+
+auth_use_nsswitch(inetd_child_t)
+
+logging_send_syslog_msg(inetd_child_t)
+
+miscfiles_read_localization(inetd_child_t)
+
+sysnet_read_config(inetd_child_t)
+
+optional_policy(`
+ kerberos_use(inetd_child_t)
+')
+
+optional_policy(`
+ unconfined_domain(inetd_child_t)
+')
diff --git a/inn.fc b/inn.fc
new file mode 100644
index 0000000..8ca038d
--- /dev/null
+++ b/inn.fc
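Review bot: `unconfined_domain(inetd_t)` inside the `ifdef(`distro_redhat',`` block, `unconfined_domtrans(inetd_t)` below it, and `unconfined_domain(inetd_child_t)` at the end of the child section turn every bind and packet rule above them into documentation on any build where the unconfined module is loaded, yet none of the three carries a comment saying why confinement is given up there. The file already shows the right habit with `# xinetd needs MLS override privileges to work`; the same should be done here, e.g. `# distro_redhat: inetd runs unconfined because <reason — TODO confirm>` above the ifdef and a matching line above the child rule. The two commented-out rules `#corenet_tcp_bind_stunnel_port(inetd_t)` and `#corenet_sendrecv_stunnel_server_packets(inetd_t)` are dead policy and should either be removed or get a one-word reason for being kept. The inetd.te hunk begins several physical lines earlier.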
@@ -0,0 +1,67 @@
+
+#
+# /etc
+#
+/etc/news(/.*)? gen_context(system_u:object_r:innd_etc_t,s0)
+/etc/news/boot -- gen_context(system_u:object_r:innd_exec_t,s0)
+/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/usr/sbin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/sbin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0)
+
+/usr/lib(64)?/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib(64)?/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+# cjp: split these to fix an ordering
+# problem with a match in corecommands
+/usr/lib/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib64/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/lib64/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0)
+
+/var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0)
+
+/var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+/var/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+
+/var/spool/news(/.*)? gen_context(system_u:object_r:news_spool_t,s0)
diff --git a/inn.if b/inn.if
new file mode 100644
index 0000000..ebc9e0d
--- /dev/null
+++ b/inn.if
@@ -0,0 +1,224 @@ +## Internet News NNTP server + +######################################## +## +## Allow the specified domain to execute innd +## in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`inn_exec',` + gen_require(` + type innd_t; + ') + + can_exec($1, innd_exec_t) +') + +######################################## +## +## Allow the specified domain to execute +## inn configuration files in /etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`inn_exec_config',` + gen_require(` + type innd_etc_t; + ') + + can_exec($1, innd_etc_t) +') + +######################################## +## +## Create, read, write, and delete the innd log. +## +## +## +## Domain allowed access. +## +## +# +interface(`inn_manage_log',` + gen_require(` + type innd_log_t; + ') + + logging_rw_generic_log_dirs($1) + manage_files_pattern($1, innd_log_t, innd_log_t) +') + +######################################## +## +## Create, read, write, and delete the innd pid files. +## +## +## +## Domain allowed access. +## +## +# +interface(`inn_manage_pid',` + gen_require(` + type innd_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, innd_var_run_t, innd_var_run_t) + manage_lnk_files_pattern($1, innd_var_run_t, innd_var_run_t) +') + +######################################## +## +## Read innd configuration files. +## +## +## +## Domain allowed access. +## +## + +# +interface(`inn_read_config',` + gen_require(` + type innd_etc_t; + ') + + allow $1 innd_etc_t:dir list_dir_perms; + allow $1 innd_etc_t:file read_file_perms; + allow $1 innd_etc_t:lnk_file read_lnk_file_perms; +') + +######################################## +## +## Read innd news library files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`inn_read_news_lib',` + gen_require(` + type innd_var_lib_t; + ') + + allow $1 innd_var_lib_t:dir list_dir_perms; + allow $1 innd_var_lib_t:file read_file_perms; + allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms; +') + +######################################## +## +## Read innd news library files. +## +## +## +## Domain allowed access. +## +## +# +interface(`inn_read_news_spool',` + gen_require(` + type news_spool_t; + ') + + allow $1 news_spool_t:dir list_dir_perms; + allow $1 news_spool_t:file read_file_perms; + allow $1 news_spool_t:lnk_file read_lnk_file_perms; +') + +######################################## +## +## Send to a innd unix dgram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`inn_dgram_send',` + gen_require(` + type innd_t; + ') + + allow $1 innd_t:unix_dgram_socket sendto; +') + +######################################## +## +## Execute inn in the inn domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`inn_domtrans',` + gen_require(` + type innd_t, innd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, innd_exec_t, innd_t) +') + +######################################## +## +## All of the rules required to administrate +## an inn environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the inn domain. 
+## +## +## +# +interface(`inn_admin',` + gen_require(` + type innd_t, innd_etc_t, innd_log_t; + type news_spool_t, innd_var_lib_t; + type innd_var_run_t, innd_initrc_exec_t; + ') + + allow $1 innd_t:process { ptrace signal_perms }; + ps_process_pattern($1, innd_t) + + init_labeled_script_domtrans($1, innd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 innd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, innd_etc_t) + + logging_list_logs($1) + admin_pattern($1, innd_log_t) + + files_list_var_lib($1) + admin_pattern($1, innd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, innd_var_run_t) + + files_list_spool($1) + admin_pattern($1, news_spool_t) +') diff --git a/inn.te b/inn.te new file mode 100644 index 0000000..9fab1dc --- /dev/null +++ b/inn.te 
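Review bot: `inn_exec` requires `type innd_t;` but the only rule it emits is `can_exec($1, innd_exec_t)`, so the type the interface actually uses is never brought into scope and innd_t is never referenced; the gen_require should read `type innd_exec_t;`. In a modular build a caller of this interface would fail on the unresolved innd_exec_t, and in a monolithic build the mistake is merely silent. Separately, `inn_exec_config` grants execute on innd_etc_t, which is unusual for a type declared with `files_config_file`; if this is for the control scripts INN keeps under its /etc tree, a comment such as `# INN ships executable control scripts in its /etc tree` on that interface would tell the next reviewer it is deliberate — confirm that is the reason before adding it.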
@@ -0,0 +1,129 @@ +policy_module(inn, 1.9.0) + +######################################## +# +# Declarations +# +type innd_t; +type innd_exec_t; +init_daemon_domain(innd_t, innd_exec_t) + +type innd_etc_t; +files_config_file(innd_etc_t) + +type innd_initrc_exec_t; +init_script_file(innd_initrc_exec_t) + +type innd_log_t; +logging_log_file(innd_log_t) + +type innd_var_lib_t; +files_type(innd_var_lib_t) + +type innd_var_run_t; +files_pid_file(innd_var_run_t) + +type news_spool_t; +files_mountpoint(news_spool_t) + +######################################## +# +# Local policy +# +allow innd_t self:capability { dac_override kill setgid setuid }; +dontaudit innd_t self:capability sys_tty_config; +allow innd_t self:process { setsched signal_perms }; +allow innd_t self:fifo_file rw_fifo_file_perms; +allow innd_t self:unix_dgram_socket { sendto create_socket_perms }; +allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow innd_t self:tcp_socket create_stream_socket_perms; +allow innd_t self:udp_socket create_socket_perms; +allow innd_t self:netlink_route_socket r_netlink_socket_perms; + +read_files_pattern(innd_t, innd_etc_t, innd_etc_t) +read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) + +can_exec(innd_t, innd_exec_t) + +manage_files_pattern(innd_t, innd_log_t, innd_log_t) +allow innd_t innd_log_t:dir setattr; +logging_log_filetrans(innd_t, innd_log_t, file) + +manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) +manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) +files_var_lib_filetrans(innd_t, innd_var_lib_t, file) + +manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) +manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) +manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) +files_pid_filetrans(innd_t, innd_var_run_t, file) + +manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) +manage_files_pattern(innd_t, news_spool_t, news_spool_t) +manage_lnk_files_pattern(innd_t, news_spool_t, 
news_spool_t) + +kernel_read_kernel_sysctls(innd_t) +kernel_read_system_state(innd_t) + +corenet_all_recvfrom_unlabeled(innd_t) +corenet_all_recvfrom_netlabel(innd_t) +corenet_tcp_sendrecv_generic_if(innd_t) +corenet_udp_sendrecv_generic_if(innd_t) +corenet_tcp_sendrecv_generic_node(innd_t) +corenet_udp_sendrecv_generic_node(innd_t) +corenet_tcp_sendrecv_all_ports(innd_t) +corenet_udp_sendrecv_all_ports(innd_t) +corenet_tcp_bind_generic_node(innd_t) +corenet_tcp_bind_innd_port(innd_t) +corenet_tcp_connect_all_ports(innd_t) +corenet_sendrecv_innd_server_packets(innd_t) +corenet_sendrecv_all_client_packets(innd_t) + +dev_read_sysfs(innd_t) +dev_read_urand(innd_t) + +fs_getattr_all_fs(innd_t) +fs_search_auto_mountpoints(innd_t) + +corecmd_exec_bin(innd_t) +corecmd_exec_shell(innd_t) + +domain_use_interactive_fds(innd_t) + +files_list_spool(innd_t) +files_read_etc_files(innd_t) +files_read_etc_runtime_files(innd_t) +files_read_usr_files(innd_t) + +logging_send_syslog_msg(innd_t) + +miscfiles_read_localization(innd_t) + +seutil_dontaudit_search_config(innd_t) + +sysnet_read_config(innd_t) + +userdom_dontaudit_use_unpriv_user_fds(innd_t) +userdom_dontaudit_search_user_home_dirs(innd_t) + +mta_send_mail(innd_t) + +optional_policy(` + cron_system_entry(innd_t, innd_exec_t) +') + +optional_policy(` + hostname_exec(innd_t) +') + +optional_policy(` + nis_use_ypbind(innd_t) +') + +optional_policy(` + seutil_sigchld_newrole(innd_t) +') + +optional_policy(` + udev_read_db(innd_t) +') diff --git a/irc.fc b/irc.fc new file mode 100644 index 0000000..65ece18 --- /dev/null +++ b/irc.fc @@ -0,0 +1,11 @@ +# +# /home +# +HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) + +# +# /usr +# +/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) diff --git a/irc.if b/irc.if new file mode 100644 index 0000000..4f9dc90 --- /dev/null 
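Review bot: `corenet_tcp_connect_all_ports(innd_t)` sits next to `corecmd_exec_shell`, `corecmd_exec_bin`, `can_exec(innd_t, innd_exec_t)` and `dac_override` in the same hunk, so a compromised innd_t can run any installed binary with DAC bypass and reach any TCP port on any host; that is a wide envelope for an NNTP server whose peering traffic goes to the innd port it already binds. If the only outbound connections are to peers (innfeed/nntpget) and to the MTA already covered by `mta_send_mail(innd_t)`, `corenet_tcp_connect_innd_port(innd_t)` would be the tighter rule and `corenet_sendrecv_all_client_packets` could be narrowed to match; if other ports are genuinely needed, a comment naming them would let the broad rule stay with a known justification. I cannot tell from the hunk alone which ports a deployed INN reaches, so this is a request to either narrow or document, not a claim that the rule is wrong.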
+++ b/irc.if
@@ -0,0 +1,31 @@
+## IRC client policy
+
+########################################
+##
+## Role access for IRC
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`irc_role',`
+ gen_require(`
+ type irc_t, irc_exec_t;
+ ')
+
+ role $1 types irc_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, irc_exec_t, irc_t)
+
+ # allow ps to show irc
+ ps_process_pattern($2, irc_t)
+ allow $2 irc_t:process signal;
+')
diff --git a/irc.te b/irc.te
new file mode 100644
index 0000000..66beb80
--- /dev/null
+++ b/irc.te
@@ -0,0 +1,103 @@ +policy_module(irc, 2.1.0) + +######################################## +# +# Declarations +# + +type irc_t; +type irc_exec_t; +typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t }; +typealias irc_t alias { auditadm_irc_t secadm_irc_t }; +application_domain(irc_t, irc_exec_t) +ubac_constrained(irc_t) + +type irc_home_t; +typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t }; +typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; +userdom_user_home_content(irc_home_t) + +type irc_tmp_t; +typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; +typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; +userdom_user_home_content(irc_tmp_t) + +######################################## +# +# Local policy +# + +allow irc_t self:unix_stream_socket create_stream_socket_perms; +allow irc_t self:tcp_socket create_socket_perms; +allow irc_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) +manage_files_pattern(irc_t, irc_home_t, irc_home_t) +manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) +userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file }) + +# access files under /tmp +manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) +manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) +manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) +manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) +manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) +files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) + +kernel_read_proc_symlinks(irc_t) + +corenet_all_recvfrom_unlabeled(irc_t) +corenet_all_recvfrom_netlabel(irc_t) +corenet_tcp_sendrecv_generic_if(irc_t) +corenet_udp_sendrecv_generic_if(irc_t) +corenet_tcp_sendrecv_generic_node(irc_t) +corenet_udp_sendrecv_generic_node(irc_t) +corenet_tcp_sendrecv_all_ports(irc_t) +corenet_udp_sendrecv_all_ports(irc_t) +corenet_sendrecv_ircd_client_packets(irc_t) 
+# cjp: this seems excessive: +corenet_tcp_connect_all_ports(irc_t) +corenet_sendrecv_all_client_packets(irc_t) + +domain_use_interactive_fds(irc_t) + +files_dontaudit_search_pids(irc_t) +files_search_var(irc_t) +files_read_etc_files(irc_t) +files_read_usr_files(irc_t) + +fs_getattr_xattr_fs(irc_t) +fs_search_auto_mountpoints(irc_t) + +term_use_controlling_term(irc_t) +term_list_ptys(irc_t) + +# allow utmp access +init_read_utmp(irc_t) +init_dontaudit_lock_utmp(irc_t) + +miscfiles_read_localization(irc_t) + +# Inherit and use descriptors from newrole. +seutil_use_newrole_fds(irc_t) + +sysnet_read_config(irc_t) + +# Write to the user domain tty. +userdom_use_user_terminals(irc_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(irc_t) + fs_manage_nfs_files(irc_t) + fs_manage_nfs_symlinks(irc_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(irc_t) + fs_manage_cifs_files(irc_t) + fs_manage_cifs_symlinks(irc_t) +') + +optional_policy(` + nis_use_ypbind(irc_t) +') diff --git a/ircd.fc b/ircd.fc new file mode 100644 index 0000000..d733fa8 --- /dev/null +++ b/ircd.fc @@ -0,0 +1,7 @@ +/etc/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_etc_t,s0) + +/usr/sbin/(dancer-)?ircd -- gen_context(system_u:object_r:ircd_exec_t,s0) + +/var/lib/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_lib_t,s0) +/var/log/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_log_t,s0) +/var/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0) diff --git a/ircd.if b/ircd.if new file mode 100644 index 0000000..3f4de83 --- /dev/null +++ b/ircd.if @@ -0,0 +1 @@ +## IRC server diff --git a/ircd.te b/ircd.te new file mode 100644 index 0000000..75ab1e2 --- /dev/null +++ b/ircd.te 
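Review bot: `irc_tmp_t` is declared with `userdom_user_home_content(irc_tmp_t)` but it is only ever created under /tmp through `files_tmp_filetrans(irc_t, irc_tmp_t, ...)`, so the type is classified as home-directory content rather than as a tmp file: tmp-cleaning and generic `files_*_tmp_*` consumers will not see it, while anything granted access to user home content reaches an IRC client's scratch files it has no business with. `userdom_user_tmp_file(irc_tmp_t)` looks like the intended declaration — confirm against the userdomain interfaces available in the tree this is built for. The author's own `# cjp: this seems excessive:` remark still applies to the pair that follows it: `corenet_tcp_connect_ircd_port(irc_t)` would match the `corenet_sendrecv_ircd_client_packets(irc_t)` rule already present and could replace `corenet_tcp_connect_all_ports`/`corenet_sendrecv_all_client_packets`, unless connecting to IRC servers on non-standard ports is a supported use case, in which case a comment saying so would be enough.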
@@ -0,0 +1,93 @@ +policy_module(ircd, 1.7.0) + +######################################## +# +# Declarations +# + +type ircd_t; +type ircd_exec_t; +init_daemon_domain(ircd_t, ircd_exec_t) + +type ircd_etc_t; +files_config_file(ircd_etc_t) + +type ircd_log_t; +logging_log_file(ircd_log_t) + +type ircd_var_lib_t; +files_type(ircd_var_lib_t) + +type ircd_var_run_t; +files_pid_file(ircd_var_run_t) + +######################################## +# +# Local policy +# + +dontaudit ircd_t self:capability sys_tty_config; +allow ircd_t self:process signal_perms; +allow ircd_t self:tcp_socket create_stream_socket_perms; +allow ircd_t self:udp_socket create_socket_perms; + +read_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t) +read_lnk_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t) +files_search_etc(ircd_t) + +manage_files_pattern(ircd_t, ircd_log_t, ircd_log_t) +logging_log_filetrans(ircd_t, ircd_log_t, { file dir }) + +manage_files_pattern(ircd_t, ircd_var_lib_t, ircd_var_lib_t) +files_var_lib_filetrans(ircd_t, ircd_var_lib_t, file) + +manage_files_pattern(ircd_t, ircd_var_run_t, ircd_var_run_t) +files_pid_filetrans(ircd_t, ircd_var_run_t, file) + +kernel_read_system_state(ircd_t) +kernel_read_kernel_sysctls(ircd_t) + +corecmd_search_bin(ircd_t) + +corenet_all_recvfrom_unlabeled(ircd_t) +corenet_all_recvfrom_netlabel(ircd_t) +corenet_tcp_sendrecv_generic_if(ircd_t) +corenet_udp_sendrecv_generic_if(ircd_t) +corenet_tcp_sendrecv_generic_node(ircd_t) +corenet_udp_sendrecv_generic_node(ircd_t) +corenet_tcp_sendrecv_all_ports(ircd_t) +corenet_udp_sendrecv_all_ports(ircd_t) +corenet_tcp_bind_generic_node(ircd_t) +corenet_tcp_bind_ircd_port(ircd_t) +corenet_sendrecv_ircd_server_packets(ircd_t) + +dev_read_sysfs(ircd_t) + +domain_use_interactive_fds(ircd_t) + +files_read_etc_files(ircd_t) +files_read_etc_runtime_files(ircd_t) + +fs_getattr_all_fs(ircd_t) +fs_search_auto_mountpoints(ircd_t) + +logging_send_syslog_msg(ircd_t) + +miscfiles_read_localization(ircd_t) + 
+sysnet_read_config(ircd_t) + +userdom_dontaudit_use_unpriv_user_fds(ircd_t) +userdom_dontaudit_search_user_home_dirs(ircd_t) + +optional_policy(` + nis_use_ypbind(ircd_t) +') + +optional_policy(` + seutil_sigchld_newrole(ircd_t) +') + +optional_policy(` + udev_read_db(ircd_t) +') diff --git a/irqbalance.fc b/irqbalance.fc new file mode 100644 index 0000000..3831075 --- /dev/null +++ b/irqbalance.fc @@ -0,0 +1,2 @@ + +/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0) diff --git a/irqbalance.if b/irqbalance.if new file mode 100644 index 0000000..058fb75 --- /dev/null +++ b/irqbalance.if @@ -0,0 +1 @@ +## IRQ balancing daemon diff --git a/irqbalance.te b/irqbalance.te new file mode 100644 index 0000000..9aeeaf9 --- /dev/null +++ b/irqbalance.te 
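Review bot: `logging_log_filetrans(ircd_t, ircd_log_t, { file dir })` lists dir as a transition class, but the only rule ircd_t has on ircd_log_t is `manage_files_pattern`, which grants rw_dir_perms on existing ircd_log_t directories and never `ircd_log_t:dir create`; the dir half of that transition can never fire, and a directory ircd tries to create under /var/log will be denied rather than labelled. Either add `manage_dirs_pattern(ircd_t, ircd_log_t, ircd_log_t)` or drop `dir` from the class list so the policy says what it means. ircd.fc in this series labels `/var/log/(dancer-)?ircd(/.*)?` as a tree, which suggests the directory is expected to exist; if the init script or package creates it, removing `dir` is the smaller and safer change.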
@@ -0,0 +1,56 @@
+policy_module(irqbalance, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type irqbalance_t;
+type irqbalance_exec_t;
+init_daemon_domain(irqbalance_t, irqbalance_exec_t)
+
+type irqbalance_var_run_t;
+files_pid_file(irqbalance_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow irqbalance_t self:capability { setpcap net_admin };
+dontaudit irqbalance_t self:capability sys_tty_config;
+allow irqbalance_t self:process { getcap setcap signal_perms };
+allow irqbalance_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
+files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file)
+
+kernel_read_network_state(irqbalance_t)
+kernel_read_system_state(irqbalance_t)
+kernel_read_kernel_sysctls(irqbalance_t)
+kernel_rw_irq_sysctls(irqbalance_t)
+
+dev_read_sysfs(irqbalance_t)
+
+files_read_etc_files(irqbalance_t)
+files_read_etc_runtime_files(irqbalance_t)
+
+fs_getattr_all_fs(irqbalance_t)
+fs_search_auto_mountpoints(irqbalance_t)
+
+domain_use_interactive_fds(irqbalance_t)
+
+logging_send_syslog_msg(irqbalance_t)
+
+miscfiles_read_localization(irqbalance_t)
+
+userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
+userdom_dontaudit_search_user_home_dirs(irqbalance_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(irqbalance_t)
+')
+
+optional_policy(`
+ udev_read_db(irqbalance_t)
+')
diff --git a/iscsi.fc b/iscsi.fc
new file mode 100644
index 0000000..14d9670
--- /dev/null
+++ b/iscsi.fc
@@ -0,0 +1,7 @@
+/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
+/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
+/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
+/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff --git a/iscsi.if b/iscsi.if
new file mode 100644
index 0000000..4cae92a
--- /dev/null
+++ b/iscsi.if
@@ -0,0 +1,76 @@
+## Establish connections to iSCSI devices
+
+########################################
+##
+## Execute a domain transition to run iscsid.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`iscsid_domtrans',`
+ gen_require(`
+ type iscsid_t, iscsid_exec_t;
+ ')
+
+ domtrans_pattern($1, iscsid_exec_t, iscsid_t)
+')
+
+########################################
+##
+## Manage iscsid sempaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`iscsi_manage_semaphores',`
+ gen_require(`
+ type iscsid_t;
+ ')
+
+ allow $1 iscsid_t:sem create_sem_perms;
+')
+
+########################################
+##
+## Connect to ISCSI using a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`iscsi_stream_connect',`
+ gen_require(`
+ type iscsid_t, iscsi_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t)
+')
+
+########################################
+##
+## Read iscsi lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`iscsi_read_lib_files',`
+ gen_require(`
+ type iscsi_var_lib_t;
+ ')
+
+ read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t)
+ allow $1 iscsi_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
diff --git a/iscsi.te b/iscsi.te
new file mode 100644
index 0000000..8bcfa2f
--- /dev/null
+++ b/iscsi.te
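Review bot: `iscsi_stream_connect` grants `files_search_pids($1)` but the socket it connects to is typed `iscsi_var_lib_t`, which iscsi.fc in this series places under `/var/lib/iscsi(/.*)?`; a caller with no other access to var_lib_t is denied search on /var/lib before it ever reaches the socket, and the pids search it does receive buys it nothing. Replace the line with `files_search_var_lib($1)`, as `iscsi_read_lib_files` in the same hunk already does — or, if iscsid is meant to put the socket under /var/run, change the socket type and the .fc entry rather than the search rule. `iscsid_domtrans` also omits `corecmd_search_bin($1)`, which `inn_domtrans` elsewhere in this series includes; callers that cannot already search sbin_t will need it to reach /sbin/iscsid.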
@@ -0,0 +1,97 @@ +policy_module(iscsi, 1.8.0) + +######################################## +# +# Declarations +# + +type iscsid_t; +type iscsid_exec_t; +domain_type(iscsid_t) +init_daemon_domain(iscsid_t, iscsid_exec_t) + +type iscsi_lock_t; +files_lock_file(iscsi_lock_t) + +type iscsi_log_t; +logging_log_file(iscsi_log_t) + +type iscsi_tmp_t; +files_tmp_file(iscsi_tmp_t) + +type iscsi_var_lib_t; +files_type(iscsi_var_lib_t) + +type iscsi_var_run_t; +files_pid_file(iscsi_var_run_t) + +######################################## +# +# iscsid local policy +# + +allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; +dontaudit iscsid_t self:capability sys_ptrace; +allow iscsid_t self:process { setrlimit setsched signal }; +allow iscsid_t self:fifo_file rw_fifo_file_perms; +allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow iscsid_t self:unix_dgram_socket create_socket_perms; +allow iscsid_t self:sem create_sem_perms; +allow iscsid_t self:shm create_shm_perms; +allow iscsid_t self:netlink_socket create_socket_perms; +allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; +allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms; +allow iscsid_t self:tcp_socket create_stream_socket_perms; + +can_exec(iscsid_t, iscsid_exec_t) + +manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) +manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) +files_lock_filetrans(iscsid_t, iscsi_lock_t, { dir file }) + +manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t) +logging_log_filetrans(iscsid_t, iscsi_log_t, file) + +manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) +manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) +fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } ) + +allow iscsid_t iscsi_var_lib_t:dir list_dir_perms; +read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) +read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, 
iscsi_var_lib_t) +files_search_var_lib(iscsid_t) + +manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) +files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) + +kernel_read_network_state(iscsid_t) +kernel_read_system_state(iscsid_t) + +corenet_all_recvfrom_unlabeled(iscsid_t) +corenet_all_recvfrom_netlabel(iscsid_t) +corenet_tcp_sendrecv_generic_if(iscsid_t) +corenet_tcp_sendrecv_generic_node(iscsid_t) +corenet_tcp_sendrecv_all_ports(iscsid_t) +corenet_tcp_connect_http_port(iscsid_t) +corenet_tcp_connect_iscsi_port(iscsid_t) +corenet_tcp_connect_isns_port(iscsid_t) + +dev_rw_sysfs(iscsid_t) +dev_rw_userio_dev(iscsid_t) + +domain_use_interactive_fds(iscsid_t) +domain_dontaudit_read_all_domains_state(iscsid_t) + +files_read_etc_files(iscsid_t) + +auth_use_nsswitch(iscsid_t) + +init_stream_connect_script(iscsid_t) + +logging_send_syslog_msg(iscsid_t) + +miscfiles_read_localization(iscsid_t) + +optional_policy(` + tgtd_manage_semaphores(iscsid_t) +') diff --git a/jabber.fc b/jabber.fc new file mode 100644 index 0000000..4c9acec --- /dev/null +++ b/jabber.fc @@ -0,0 +1,6 @@ +/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) + +/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) + +/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) +/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) diff --git a/jabber.if b/jabber.if new file mode 100644 index 0000000..9878499 --- /dev/null +++ b/jabber.if 
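Review bot: `allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }` together with `dev_rw_sysfs`, `dev_rw_userio_dev` and the raw netlink socket rules makes iscsid_t close to root-equivalent, and nothing in the hunk says which operation needs sys_admin. A comment on that line — `# sys_admin: required for <operation>; re-check against audit logs before keeping` with the operation filled in — would let a later reviewer decide whether it can be dropped; the `dontaudit iscsid_t self:capability sys_ptrace` just below shows that this kind of pruning has already been done once for this domain. Minor: `domain_type(iscsid_t)` is redundant, since `init_daemon_domain(iscsid_t, iscsid_exec_t)` on the next line already declares iscsid_t a domain in refpolicy's init module — confirm against the init.if in use.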
@@ -0,0 +1,56 @@
+## Jabber instant messaging server
+
+########################################
+##
+## Connect to jabber over a TCP socket (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jabber_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an jabber environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the jabber domain.
+##
+##
+##
+#
+interface(`jabber_admin',`
+ gen_require(`
+ type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
+ type jabberd_var_run_t, jabberd_initrc_exec_t;
+ ')
+
+ allow $1 jabberd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, jabberd_t)
+
+ init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 jabberd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, jabberd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, jabberd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, jabberd_var_run_t)
+')
diff --git a/jabber.te b/jabber.te
new file mode 100644
index 0000000..da2127e
--- /dev/null
+++ b/jabber.te
@@ -0,0 +1,94 @@ +policy_module(jabber, 1.8.0) + +######################################## +# +# Declarations +# + +type jabberd_t; +type jabberd_exec_t; +init_daemon_domain(jabberd_t, jabberd_exec_t) + +type jabberd_initrc_exec_t; +init_script_file(jabberd_initrc_exec_t) + +type jabberd_log_t; +logging_log_file(jabberd_log_t) + +type jabberd_var_lib_t; +files_type(jabberd_var_lib_t) + +type jabberd_var_run_t; +files_pid_file(jabberd_var_run_t) + +######################################## +# +# Local policy +# + +allow jabberd_t self:capability dac_override; +dontaudit jabberd_t self:capability sys_tty_config; +allow jabberd_t self:process signal_perms; +allow jabberd_t self:fifo_file read_fifo_file_perms; +allow jabberd_t self:tcp_socket create_stream_socket_perms; +allow jabberd_t self:udp_socket create_socket_perms; + +manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) +files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file) + +manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) +logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) + +manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) +files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) + +kernel_read_kernel_sysctls(jabberd_t) +kernel_list_proc(jabberd_t) +kernel_read_proc_symlinks(jabberd_t) + +corenet_all_recvfrom_unlabeled(jabberd_t) +corenet_all_recvfrom_netlabel(jabberd_t) +corenet_tcp_sendrecv_generic_if(jabberd_t) +corenet_udp_sendrecv_generic_if(jabberd_t) +corenet_tcp_sendrecv_generic_node(jabberd_t) +corenet_udp_sendrecv_generic_node(jabberd_t) +corenet_tcp_sendrecv_all_ports(jabberd_t) +corenet_udp_sendrecv_all_ports(jabberd_t) +corenet_tcp_bind_generic_node(jabberd_t) +corenet_tcp_bind_jabber_client_port(jabberd_t) +corenet_tcp_bind_jabber_interserver_port(jabberd_t) +corenet_sendrecv_jabber_client_server_packets(jabberd_t) +corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) + +dev_read_sysfs(jabberd_t) +# For SSL 
+dev_read_rand(jabberd_t) + +domain_use_interactive_fds(jabberd_t) + +files_read_etc_files(jabberd_t) +files_read_etc_runtime_files(jabberd_t) + +fs_getattr_all_fs(jabberd_t) +fs_search_auto_mountpoints(jabberd_t) + +logging_send_syslog_msg(jabberd_t) + +miscfiles_read_localization(jabberd_t) + +sysnet_read_config(jabberd_t) + +userdom_dontaudit_use_unpriv_user_fds(jabberd_t) +userdom_dontaudit_search_user_home_dirs(jabberd_t) + +optional_policy(` + nis_use_ypbind(jabberd_t) +') + +optional_policy(` + seutil_sigchld_newrole(jabberd_t) +') + +optional_policy(` + udev_read_db(jabberd_t) +') diff --git a/java.fc b/java.fc new file mode 100644 index 0000000..86c1768 --- /dev/null +++ b/java.fc 
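Review bot: `logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })` includes dir as a transition class, but jabberd_t's only rule on jabberd_log_t is `manage_files_pattern`, which never grants `jabberd_log_t:dir create`; the dir transition therefore cannot fire, and a directory jabberd creates under /var/log is denied instead of labelled. Add `manage_dirs_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)` if jabberd really creates log subdirectories, otherwise reduce the class list to `file` so the rule matches what is permitted. Also worth checking: jabber.fc in this series has entries for /etc/rc.d, /usr/sbin, /var/lib and /var/log but none for /var/run, so a pid file that survives a relabel keeps var_run_t rather than jabberd_var_run_t; if jabberd writes one, its path belongs in jabber.fc — the hunk does not show the path, so it needs confirming against the daemon.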
@@ -0,0 +1,38 @@ +# +# /opt +# +/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + +# +# /usr +# +/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gjarsigner -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gkeytool -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + +ifdef(`distro_redhat',` +/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) +') 
diff --git a/java.if b/java.if new file mode 100644 index 0000000..e6d84e8 --- /dev/null +++ b/java.if @@ -0,0 +1,200 @@ +## Java virtual machine + +######################################## +## +## Role access for java +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`java_role',` + gen_require(` + type java_t, java_exec_t; + ') + + role $1 types java_t; + + # The user role is authorized for this domain. + domtrans_pattern($2, java_exec_t, java_t) + allow java_t $2:process signull; + # Unrestricted inheritance from the caller. + allow $2 java_t:process { noatsecure siginh rlimitinh }; + + allow java_t $2:unix_stream_socket connectto; + allow java_t $2:unix_stream_socket { read write }; + allow java_t $2:tcp_socket { read write }; +') + +####################################### +## +## The role template for the java module. +## +## +##

+## This template creates a derived domains which are used +## for java applications. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`java_role_template',` + gen_require(` + type java_exec_t; + ') + + type $1_java_t; + domain_type($1_java_t) + domain_entry_file($1_java_t, java_exec_t) + role $2 types $1_java_t; + + domain_interactive_fd($1_java_t) + + userdom_manage_user_tmpfs_files($1_java_t) + + allow $1_java_t self:process { ptrace signal getsched execmem execstack }; + + dontaudit $1_java_t $3:tcp_socket { read write }; + + allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms }; + + domtrans_pattern($3, java_exec_t, $1_java_t) + + corecmd_bin_domtrans($1_java_t, $3) + + dev_dontaudit_append_rand($1_java_t) + + files_execmod_all_files($1_java_t) + + fs_dontaudit_rw_tmpfs_files($1_java_t) + + optional_policy(` + xserver_role($2, $1_java_t) + ') +') + +######################################## +## +## Run java in javaplugin domain. +## +## +## +## Domain allowed to transition. +## +## +# +template(`java_domtrans',` + gen_require(` + type java_t, java_exec_t; + ') + + domtrans_pattern($1, java_exec_t, java_t) +') + +######################################## +## +## Execute java in the java domain, and +## allow the specified role the java domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`java_run',` + gen_require(` + type java_t; + ') + + java_domtrans($1) + role $2 types java_t; +') + +######################################## +## +## Execute the java program in the unconfined java domain. +## +## +## +## Domain allowed to transition. 
+## +## +# +interface(`java_domtrans_unconfined',` + gen_require(` + type unconfined_java_t, java_exec_t; + ') + + domtrans_pattern($1, java_exec_t, unconfined_java_t) + corecmd_search_bin($1) +') + +######################################## +## +## Execute the java program in the unconfined java domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`java_run_unconfined',` + gen_require(` + type unconfined_java_t; + ') + + java_domtrans_unconfined($1) + role $2 types unconfined_java_t; +') + +######################################## +## +## Execute the java program in the java domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`java_exec',` + gen_require(` + type java_exec_t; + ') + + can_exec($1, java_exec_t) +') diff --git a/java.te b/java.te new file mode 100644 index 0000000..167950d --- /dev/null +++ b/java.te @@ -0,0 +1,156 @@ +policy_module(java, 2.4.0) + +######################################## +# +# Declarations +# + +## +##
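Review bot: `java_role_template` grants `execstack` unconditionally in `allow $1_java_t self:process { ptrace signal getsched execmem execstack };`, while java.te in the same series only grants java_t execstack inside `tunable_policy(`allow_java_execstack', ...)` with a default of false; every per-role derived domain therefore bypasses the tunable that is meant to govern executable stacks for Java. Moving execstack under the same tunable keeps the two code paths consistent and makes the documented default actually hold for the role-derived domains. `files_execmod_all_files($1_java_t)` in the same block is the other W^X relaxation here and is likewise ungated; if it cannot be tightened, a comment naming the JIT or library that needs text relocation on arbitrary files would help the next reviewer. Minor: `java_domtrans` is declared with `template(` although it takes a domain, not a prefix, so `interface(` is the conventional form and what `java_run` treats it as.

```m4
	allow $1_java_t self:process { ptrace signal getsched execmem };

	tunable_policy(`allow_java_execstack',`
		allow $1_java_t self:process execstack;
	')
```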

+## Allow java executable stack +##

+##
+gen_tunable(allow_java_execstack, false) + +type java_t; +type java_exec_t; +application_domain(java_t, java_exec_t) +ubac_constrained(java_t) +typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; +typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; +role system_r types java_t; + +type java_tmp_t; +files_tmp_file(java_tmp_t) +ubac_constrained(java_tmp_t) +typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t }; +typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t }; + +type java_tmpfs_t; +ubac_constrained(java_tmpfs_t) +files_tmpfs_file(java_tmpfs_t) +typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t }; +typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t }; + +type unconfined_java_t; +init_system_domain(unconfined_java_t, java_exec_t) + +######################################## +# +# Local policy +# + +allow java_t self:process { signal_perms getsched setsched execmem }; +allow java_t self:fifo_file rw_fifo_file_perms; +allow java_t self:tcp_socket create_socket_perms; +allow java_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t) +manage_files_pattern(java_t, java_tmp_t, java_tmp_t) +files_tmp_filetrans(java_t, java_tmp_t, { file dir }) + +manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) +manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) +manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) +manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) +fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file }) + +can_exec(java_t, java_exec_t) + +kernel_read_all_sysctls(java_t) +kernel_search_vm_sysctl(java_t) +kernel_read_network_state(java_t) +kernel_read_system_state(java_t) + +# Search bin directory under java for java executable +corecmd_search_bin(java_t) + 
+corenet_all_recvfrom_unlabeled(java_t) +corenet_all_recvfrom_netlabel(java_t) +corenet_tcp_sendrecv_generic_if(java_t) +corenet_udp_sendrecv_generic_if(java_t) +corenet_tcp_sendrecv_generic_node(java_t) +corenet_udp_sendrecv_generic_node(java_t) +corenet_tcp_sendrecv_all_ports(java_t) +corenet_udp_sendrecv_all_ports(java_t) +corenet_tcp_connect_all_ports(java_t) +corenet_sendrecv_all_client_packets(java_t) + +dev_read_sound(java_t) +dev_write_sound(java_t) +dev_read_urand(java_t) +dev_read_rand(java_t) +dev_dontaudit_append_rand(java_t) + +files_read_usr_files(java_t) +files_search_home(java_t) +files_search_var_lib(java_t) +files_read_etc_runtime_files(java_t) +# Read global fonts and font config +files_read_etc_files(java_t) + +fs_getattr_xattr_fs(java_t) +fs_dontaudit_rw_tmpfs_files(java_t) + +logging_send_syslog_msg(java_t) + +miscfiles_read_localization(java_t) +# Read global fonts and font config +miscfiles_read_fonts(java_t) + +sysnet_read_config(java_t) + +userdom_dontaudit_use_user_terminals(java_t) +userdom_dontaudit_setattr_user_home_content_files(java_t) +userdom_dontaudit_exec_user_home_content_files(java_t) +userdom_manage_user_home_content_dirs(java_t) +userdom_manage_user_home_content_files(java_t) +userdom_manage_user_home_content_symlinks(java_t) +userdom_manage_user_home_content_pipes(java_t) +userdom_manage_user_home_content_sockets(java_t) +userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file }) +userdom_write_user_tmp_sockets(java_t) + +tunable_policy(`allow_java_execstack',` + allow java_t self:process execstack; + + allow java_t java_tmp_t:file execute; + + libs_legacy_use_shared_libs(java_t) + libs_legacy_use_ld_so(java_t) + + miscfiles_legacy_read_localization(java_t) +') + +optional_policy(` + nis_use_ypbind(java_t) +') + +optional_policy(` + nscd_socket_use(java_t) +') + +optional_policy(` + xserver_user_x_domain_template(java, java_t, java_tmpfs_t) +') + +######################################## 
+#
+# Unconfined java local policy
+#
+
+optional_policy(`
+ # execheap is needed for itanium/BEA jrocket
+ allow unconfined_java_t self:process { execstack execmem execheap };
+
+ files_execmod_all_files(unconfined_java_t)
+
+ init_dbus_chat_script(unconfined_java_t)
+
+ unconfined_domain_noaudit(unconfined_java_t)
+ unconfined_dbus_chat(unconfined_java_t)
+
+ optional_policy(`
+ rpm_domtrans(unconfined_java_t)
+ ')
+')
diff --git a/kdump.fc b/kdump.fc
new file mode 100644
index 0000000..c66934f
--- /dev/null
+++ b/kdump.fc
@@ -0,0 +1,5 @@
+/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
+/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+
+/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
diff --git a/kdump.if b/kdump.if
new file mode 100644
index 0000000..4198ff5
--- /dev/null
+++ b/kdump.if
@@ -0,0 +1,111 @@
+## Kernel crash dumping mechanism
+
+######################################
+##
+## Execute kdump in the kdump domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`kdump_domtrans',`
+ gen_require(`
+ type kdump_t, kdump_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kdump_exec_t, kdump_t)
+')
+
+#######################################
+##
+## Execute kdump in the kdump domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`kdump_initrc_domtrans',`
+ gen_require(`
+ type kdump_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+')
+
+#####################################
+##
+## Read kdump configuration file.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdump_read_config',`
+ gen_require(`
+ type kdump_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 kdump_etc_t:file read_file_perms;
+')
+
+####################################
+##
+## Manage kdump configuration file.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kdump_manage_config',`
+ gen_require(`
+ type kdump_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 kdump_etc_t:file manage_file_perms;
+')
+
+######################################
+##
+## All of the rules required to administrate
+## an kdump environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the kdump domain.
+##
+##
+##
+#
+interface(`kdump_admin',`
+ gen_require(`
+ type kdump_t, kdump_etc_t;
+ type kdump_initrc_exec_t;
+ ')
+
+ allow $1 kdump_t:process { ptrace signal_perms };
+ ps_process_pattern($1, kdump_t)
+
+ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kdump_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, kdump_etc_t)
+')
diff --git a/kdump.te b/kdump.te
new file mode 100644
index 0000000..b29d8e2
--- /dev/null
+++ b/kdump.te
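Review bot: The summary on `kdump_initrc_domtrans` is copied from `kdump_domtrans` and says "Execute kdump in the kdump domain", but its body calls `init_labeled_script_domtrans($1, kdump_initrc_exec_t)`, which runs the init script in the initrc domain rather than kdump_t, so a caller such as kdumpgui_t gets a different privilege than the doc claims. Change the summary to `## Execute kdump init scripts in the initrc domain.` so that the two interfaces are distinguishable in generated docs. The `kdump_admin` summary also reads "an kdump environment"; make it "a kdump environment". Documentation-only changes.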
@@ -0,0 +1,38 @@
+policy_module(kdump, 1.2.0)
+
+#######################################
+#
+# Declarations
+#
+
+type kdump_t;
+type kdump_exec_t;
+init_system_domain(kdump_t, kdump_exec_t)
+
+type kdump_etc_t;
+files_config_file(kdump_etc_t)
+
+type kdump_initrc_exec_t;
+init_script_file(kdump_initrc_exec_t)
+
+#####################################
+#
+# kdump local policy
+#
+
+allow kdump_t self:capability { sys_boot dac_override };
+
+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
+
+files_read_etc_runtime_files(kdump_t)
+files_read_kernel_img(kdump_t)
+
+kernel_read_system_state(kdump_t)
+kernel_read_core_if(kdump_t)
+kernel_read_debugfs(kdump_t)
+kernel_request_load_module(kdump_t)
+
+dev_read_framebuffer(kdump_t)
+dev_read_sysfs(kdump_t)
+
+term_use_console(kdump_t)
diff --git a/kdumpgui.fc b/kdumpgui.fc
new file mode 100644
index 0000000..250679c
--- /dev/null
+++ b/kdumpgui.fc
@@ -0,0 +1 @@
+/usr/share/system-config-kdump/system-config-kdump-backend\.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
diff --git a/kdumpgui.if b/kdumpgui.if
new file mode 100644
index 0000000..d6af9b0
--- /dev/null
+++ b/kdumpgui.if
@@ -0,0 +1,2 @@
+## system-config-kdump GUI
+
diff --git a/kdumpgui.te b/kdumpgui.te
new file mode 100644
index 0000000..0c52f60
--- /dev/null
+++ b/kdumpgui.te
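Review bot: `allow kdump_t self:capability { sys_boot dac_override };` grants DAC bypass for writes as well as reads, yet every file rule in this hunk (`read_files_pattern` on kdump_etc_t, `files_read_kernel_img`, `kernel_read_core_if`, `kernel_read_debugfs`) is read-only; if the capability exists only to open root-owned files, `dac_read_search` is the narrower choice, and if the tool runs as root it may not be needed at all — I cannot tell which from the hunk. Record the reason on the line, as the kdumpgui hunk does for blkid.tab and chkconfig, e.g. `# dac_override: TODO confirm which file requires it; dac_read_search may suffice`. Note for downstream reviewers that `files_read_kernel_img` appears to be the rule that bounds which images /sbin/kexec (labeled kdump_exec_t in kdump.fc) can load, so it should stay narrow rather than being widened to generic file reads.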
@@ -0,0 +1,65 @@
+policy_module(kdumpgui, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type kdumpgui_t;
+type kdumpgui_exec_t;
+dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
+
+######################################
+#
+# system-config-kdump local policy
+#
+
+allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
+allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
+allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_system_state(kdumpgui_t)
+kernel_read_network_state(kdumpgui_t)
+
+corecmd_exec_bin(kdumpgui_t)
+corecmd_exec_shell(kdumpgui_t)
+
+dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
+dev_read_sysfs(kdumpgui_t)
+
+files_manage_boot_files(kdumpgui_t)
+files_manage_boot_symlinks(kdumpgui_t)
+# Needed for running chkconfig
+files_manage_etc_symlinks(kdumpgui_t)
+# for blkid.tab
+files_manage_etc_runtime_files(kdumpgui_t)
+files_etc_filetrans_etc_runtime(kdumpgui_t, file)
+files_read_usr_files(kdumpgui_t)
+
+storage_raw_read_fixed_disk(kdumpgui_t)
+storage_raw_write_fixed_disk(kdumpgui_t)
+
+auth_use_nsswitch(kdumpgui_t)
+
+logging_send_syslog_msg(kdumpgui_t)
+
+miscfiles_read_localization(kdumpgui_t)
+
+init_dontaudit_read_all_script_files(kdumpgui_t)
+
+optional_policy(`
+ consoletype_exec(kdumpgui_t)
+')
+
+optional_policy(`
+ dev_rw_lvm_control(kdumpgui_t)
+')
+
+optional_policy(`
+ kdump_manage_config(kdumpgui_t)
+ kdump_initrc_domtrans(kdumpgui_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(kdumpgui_t)
+')
diff --git a/kerberos.fc b/kerberos.fc
new file mode 100644
index 0000000..3525d24
--- /dev/null
+++ b/kerberos.fc
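Review bot: `allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };` together with `storage_raw_write_fixed_disk`, `files_manage_boot_files` and `corecmd_exec_shell` makes this D-Bus backend root-equivalent, and nothing in the hunk restricts which bus clients may drive it: the only authorization hook, `policykit_dbus_chat(kdumpgui_t)`, sits in an `optional_policy` block, so with the policykit module absent the backend still loads with no caller gate visible in policy. The backend script's own PolicyKit checks (outside this diff) are therefore the entire trust boundary, which deserves a comment at the capability line such as `# raw disk write + boot/etc management over D-Bus: callers must be authorized by PolicyKit in the backend`. Minor: `dev_rw_lvm_control` is provided by the always-present devices module, so its `optional_policy` wrapper can be dropped.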
@@ -0,0 +1,33 @@
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+
+/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
+/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)
+
+/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+
+/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+
+/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
+/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
+
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
new file mode 100644
index 0000000..604f67b
--- /dev/null
+++ b/kerberos.if
@@ -0,0 +1,380 @@
+## MIT Kerberos admin and KDC
+##
+##
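Review bot: `/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)` has no `--` file-type specifier, unlike the other keytab entries in the hunk (`/etc/krb5kdc/kadm5\.keytab --`, `/var/kerberos/krb5kdc/kadm5\.keytab --`), so a symlink or directory placed at that path would also receive the krb5_keytab_t security-file type. Add the specifier for consistency: `/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)`. Low impact, since the keytab interfaces only grant the file class, but it keeps the labeling of key material tight.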

+## This policy supports: +##

+##

+## Servers: +##

    +##
  • kadmind
  • +##
  • krb5kdc
  • +##
+##

+##

+## Clients: +##

    +##
  • kinit
  • +##
  • kdestroy
  • +##
  • klist
  • +##
  • ksu (incomplete)
  • +##
+##

+##
+ +######################################## +## +## Execute kadmind in the current domain +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_exec_kadmind',` + gen_require(` + type kadmind_exec_t; + ') + + can_exec($1, kadmind_exec_t) +') + +######################################## +## +## Execute a domain transition to run kpropd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`kerberos_domtrans_kpropd',` + gen_require(` + type kpropd_t, kpropd_exec_t; + ') + + domtrans_pattern($1, kpropd_exec_t, kpropd_t) +') + +######################################## +## +## Use kerberos services +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_use',` + gen_require(` + type krb5_conf_t, krb5kdc_conf_t; + type krb5_host_rcache_t; + ') + + files_search_etc($1) + read_files_pattern($1, krb5_conf_t, krb5_conf_t) + dontaudit $1 krb5_conf_t:file write; + dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; + dontaudit $1 krb5kdc_conf_t:file rw_file_perms; + + #kerberos libraries are attempting to set the correct file context + dontaudit $1 self:process setfscreate; + selinux_dontaudit_validate_context($1) + seutil_dontaudit_read_file_contexts($1) + + tunable_policy(`allow_kerberos',` + allow $1 self:tcp_socket create_socket_perms; + allow $1 self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_udp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_kerberos_port($1) + corenet_udp_sendrecv_kerberos_port($1) + corenet_tcp_bind_generic_node($1) + corenet_udp_bind_generic_node($1) + corenet_tcp_connect_kerberos_port($1) + corenet_tcp_connect_ocsp_port($1) + corenet_sendrecv_kerberos_client_packets($1) + corenet_sendrecv_ocsp_client_packets($1) + + allow $1 krb5_host_rcache_t:file getattr; + ') + + optional_policy(` + tunable_policy(`allow_kerberos',` + 
pcscd_stream_connect($1) + ') + ') + + optional_policy(` + sssd_read_public_files($1) + ') +') + +######################################## +## +## Read the kerberos configuration file (/etc/krb5.conf). +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kerberos_read_config',` + gen_require(` + type krb5_conf_t, krb5_home_t; + ') + + files_search_etc($1) + allow $1 krb5_conf_t:file read_file_perms; + allow $1 krb5_home_t:file read_file_perms; +') + +######################################## +## +## Do not audit attempts to write the kerberos +## configuration file (/etc/krb5.conf). +## +## +## +## Domain to not audit. +## +## +# +interface(`kerberos_dontaudit_write_config',` + gen_require(` + type krb5_conf_t; + ') + + dontaudit $1 krb5_conf_t:file write; +') + +######################################## +## +## Read and write the kerberos configuration file (/etc/krb5.conf). +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kerberos_rw_config',` + gen_require(` + type krb5_conf_t; + ') + + files_search_etc($1) + allow $1 krb5_conf_t:file rw_file_perms; +') + +######################################## +## +## Read the kerberos key table. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kerberos_read_keytab',` + gen_require(` + type krb5_keytab_t; + ') + + files_search_etc($1) + allow $1 krb5_keytab_t:file read_file_perms; +') + +######################################## +## +## Read/Write the kerberos key table. +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_rw_keytab',` + gen_require(` + type krb5_keytab_t; + ') + + files_search_etc($1) + allow $1 krb5_keytab_t:file rw_file_perms; +') + +######################################## +## +## Create a derived type for kerberos keytab +## +## +## +## The prefix to be used for deriving type names. +## +## +## +## +## Domain allowed access. 
+## +## +# +template(`kerberos_keytab_template',` + type $1_keytab_t; + files_type($1_keytab_t) + + allow $2 $1_keytab_t:file read_file_perms; + + kerberos_read_keytab($2) + kerberos_use($2) +') + +######################################## +## +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kerberos_read_kdc_config',` + gen_require(` + type krb5kdc_conf_t; + ') + + files_search_etc($1) + read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) +') + +######################################## +## +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kerberos_manage_host_rcache',` + gen_require(` + type krb5_host_rcache_t; + ') + + # creates files as system_u no matter what the selinux user + # cjp: should be in the below tunable but typeattribute + # does not work in conditionals + domain_obj_id_change_exemption($1) + + tunable_policy(`allow_kerberos',` + allow $1 self:process setfscreate; + + selinux_validate_context($1) + + seutil_read_file_contexts($1) + + allow $1 krb5_host_rcache_t:file manage_file_perms; + files_search_tmp($1) + ') +') + +######################################## +## +## Connect to krb524 service +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_connect_524',` + tunable_policy(`allow_kerberos',` + allow $1 self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled($1) + corenet_udp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_node($1) + corenet_udp_sendrecv_kerberos_master_port($1) + corenet_sendrecv_kerberos_master_client_packets($1) + ') +') + +######################################## +## +## All of the rules required to administrate +## an kerberos environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the kerberos domain. 
+## +## +## +# +interface(`kerberos_admin',` + gen_require(` + type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; + type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t, krb5kdc_tmp_t; + type krb5kdc_var_run_t, krb5_host_rcache_t; + type kpropd_t; + ') + + allow $1 kadmind_t:process { ptrace signal_perms }; + ps_process_pattern($1, kadmind_t) + + allow $1 krb5kdc_t:process { ptrace signal_perms }; + ps_process_pattern($1, krb5kdc_t) + + allow $1 kpropd_t:process { ptrace signal_perms }; + ps_process_pattern($1, kpropd_t) + + init_labeled_script_domtrans($1, kerberos_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 kerberos_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, kadmind_log_t) + + files_list_tmp($1) + admin_pattern($1, kadmind_tmp_t) + + files_list_pids($1) + admin_pattern($1, kadmind_var_run_t) + + admin_pattern($1, krb5_conf_t) + + admin_pattern($1, krb5_host_rcache_t) + + admin_pattern($1, krb5_keytab_t) + + admin_pattern($1, krb5kdc_principal_t) + + admin_pattern($1, krb5kdc_tmp_t) + + admin_pattern($1, krb5kdc_var_run_t) +') diff --git a/kerberos.te b/kerberos.te new file mode 100644 index 0000000..8edc29b --- /dev/null +++ b/kerberos.te @@ -0,0 +1,325 @@ +policy_module(kerberos, 1.11.0) + +######################################## +# +# Declarations +# + +## +##
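Review bot: The summary on `kerberos_manage_host_rcache` reads "Read the kerberos kdc configuration file (/etc/krb5kdc.conf)", a copy of the `kerberos_read_kdc_config` text directly above it, but the body grants `manage_file_perms` on krb5_host_rcache_t plus `setfscreate`, context validation and file_contexts reads under the `allow_kerberos` tunable, and applies `domain_obj_id_change_exemption($1)` unconditionally. Change the summary to `## Create, read, write, and delete the kerberos host replay cache, setting its file context.` and mention the unconditional exemption so callers know they are getting it even with the tunable off. Likewise `kerberos_read_config` grants `read_file_perms` on krb5_home_t, i.e. users' ~/.k5login files, while its summary names only /etc/krb5.conf; since .k5login governs who may log in as that user, the summary should state that it is readable through this interface too. Both are documentation-only changes.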

+## Allow confined applications to run with kerberos. +##

+##
+gen_tunable(allow_kerberos, false) + +type kadmind_t; +type kadmind_exec_t; +init_daemon_domain(kadmind_t, kadmind_exec_t) +domain_obj_id_change_exemption(kadmind_t) + +type kadmind_log_t; +logging_log_file(kadmind_log_t) + +type kadmind_tmp_t; +files_tmp_file(kadmind_tmp_t) + +type kadmind_var_run_t; +files_pid_file(kadmind_var_run_t) + +type kerberos_initrc_exec_t; +init_script_file(kerberos_initrc_exec_t) + +type kpropd_t; +type kpropd_exec_t; +init_daemon_domain(kpropd_t, kpropd_exec_t) +domain_obj_id_change_exemption(kpropd_t) + +type krb5_conf_t; +files_type(krb5_conf_t) + +type krb5_home_t; +userdom_user_home_content(krb5_home_t) + +type krb5_host_rcache_t; +files_tmp_file(krb5_host_rcache_t) + +# types for general configuration files in /etc +type krb5_keytab_t; +files_security_file(krb5_keytab_t) + +# types for KDC configs and principal file(s) +type krb5kdc_conf_t; +files_type(krb5kdc_conf_t) + +type krb5kdc_lock_t; +files_type(krb5kdc_lock_t) + +# types for KDC principal file(s) +type krb5kdc_principal_t; +files_type(krb5kdc_principal_t) + +type krb5kdc_t; +type krb5kdc_exec_t; +init_daemon_domain(krb5kdc_t, krb5kdc_exec_t) +domain_obj_id_change_exemption(krb5kdc_t) + +type krb5kdc_log_t; +logging_log_file(krb5kdc_log_t) + +type krb5kdc_tmp_t; +files_tmp_file(krb5kdc_tmp_t) + +type krb5kdc_var_run_t; +files_pid_file(krb5kdc_var_run_t) + +######################################## +# +# kadmind local policy +# + +# Use capabilities. Surplus capabilities may be allowed. 
+allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; +dontaudit kadmind_t self:capability sys_tty_config; +allow kadmind_t self:process { setfscreate signal_perms }; +allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; +allow kadmind_t self:unix_dgram_socket { connect create write }; +allow kadmind_t self:tcp_socket connected_stream_socket_perms; +allow kadmind_t self:udp_socket create_socket_perms; + +allow kadmind_t kadmind_log_t:file manage_file_perms; +logging_log_filetrans(kadmind_t, kadmind_log_t, file) + +allow kadmind_t krb5_conf_t:file read_file_perms; +dontaudit kadmind_t krb5_conf_t:file write; + +read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) +dontaudit kadmind_t krb5kdc_conf_t:file { write setattr }; + +allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr }; + +allow kadmind_t krb5kdc_principal_t:file manage_file_perms; +filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) + +can_exec(kadmind_t, kadmind_exec_t) + +manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) +manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) +files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) + +manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) +files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) + +kernel_read_kernel_sysctls(kadmind_t) +kernel_list_proc(kadmind_t) +kernel_read_network_state(kadmind_t) +kernel_read_proc_symlinks(kadmind_t) +kernel_read_system_state(kadmind_t) + +corenet_all_recvfrom_unlabeled(kadmind_t) +corenet_all_recvfrom_netlabel(kadmind_t) +corenet_tcp_sendrecv_generic_if(kadmind_t) +corenet_udp_sendrecv_generic_if(kadmind_t) +corenet_tcp_sendrecv_generic_node(kadmind_t) +corenet_udp_sendrecv_generic_node(kadmind_t) +corenet_tcp_sendrecv_all_ports(kadmind_t) +corenet_udp_sendrecv_all_ports(kadmind_t) +corenet_tcp_bind_generic_node(kadmind_t) +corenet_udp_bind_generic_node(kadmind_t) 
+corenet_tcp_bind_kerberos_admin_port(kadmind_t) +corenet_udp_bind_kerberos_admin_port(kadmind_t) +corenet_tcp_bind_reserved_port(kadmind_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t) +corenet_sendrecv_kerberos_admin_server_packets(kadmind_t) + +dev_read_sysfs(kadmind_t) +dev_read_rand(kadmind_t) +dev_read_urand(kadmind_t) + +fs_getattr_all_fs(kadmind_t) +fs_search_auto_mountpoints(kadmind_t) + +domain_use_interactive_fds(kadmind_t) + +files_read_etc_files(kadmind_t) +files_read_usr_symlinks(kadmind_t) +files_read_usr_files(kadmind_t) +files_read_var_files(kadmind_t) + +selinux_validate_context(kadmind_t) + +logging_send_syslog_msg(kadmind_t) + +miscfiles_read_localization(kadmind_t) + +seutil_read_file_contexts(kadmind_t) + +sysnet_read_config(kadmind_t) +sysnet_use_ldap(kadmind_t) + +userdom_dontaudit_use_unpriv_user_fds(kadmind_t) +userdom_dontaudit_search_user_home_dirs(kadmind_t) + +optional_policy(` + nis_use_ypbind(kadmind_t) +') + +optional_policy(` + seutil_sigchld_newrole(kadmind_t) +') + +optional_policy(` + udev_read_db(kadmind_t) +') + +######################################## +# +# Krb5kdc local policy +# + +# Use capabilities. Surplus capabilities may be allowed. 
+allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; +dontaudit krb5kdc_t self:capability sys_tty_config; +allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; +allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; +allow krb5kdc_t self:tcp_socket create_stream_socket_perms; +allow krb5kdc_t self:udp_socket create_socket_perms; +allow krb5kdc_t self:fifo_file rw_fifo_file_perms; + +allow krb5kdc_t krb5_conf_t:file read_file_perms; +dontaudit krb5kdc_t krb5_conf_t:file write; + +can_exec(krb5kdc_t, krb5kdc_exec_t) + +read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) +dontaudit krb5kdc_t krb5kdc_conf_t:file write; + +allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr }; + +allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; +logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) + +allow krb5kdc_t krb5kdc_principal_t:file read_file_perms; +dontaudit krb5kdc_t krb5kdc_principal_t:file write; + +manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) + +manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) +files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) + +kernel_read_system_state(krb5kdc_t) +kernel_read_kernel_sysctls(krb5kdc_t) +kernel_list_proc(krb5kdc_t) +kernel_read_proc_symlinks(krb5kdc_t) +kernel_read_network_state(krb5kdc_t) +kernel_search_network_sysctl(krb5kdc_t) + +corecmd_exec_bin(krb5kdc_t) + +corenet_all_recvfrom_unlabeled(krb5kdc_t) +corenet_all_recvfrom_netlabel(krb5kdc_t) +corenet_tcp_sendrecv_generic_if(krb5kdc_t) +corenet_udp_sendrecv_generic_if(krb5kdc_t) +corenet_tcp_sendrecv_generic_node(krb5kdc_t) +corenet_udp_sendrecv_generic_node(krb5kdc_t) +corenet_tcp_sendrecv_all_ports(krb5kdc_t) +corenet_udp_sendrecv_all_ports(krb5kdc_t) +corenet_tcp_bind_generic_node(krb5kdc_t) 
+corenet_udp_bind_generic_node(krb5kdc_t) +corenet_tcp_bind_kerberos_port(krb5kdc_t) +corenet_udp_bind_kerberos_port(krb5kdc_t) +corenet_tcp_connect_ocsp_port(krb5kdc_t) +corenet_sendrecv_kerberos_server_packets(krb5kdc_t) +corenet_sendrecv_ocsp_client_packets(krb5kdc_t) + +dev_read_sysfs(krb5kdc_t) +dev_read_urand(krb5kdc_t) + +fs_getattr_all_fs(krb5kdc_t) +fs_search_auto_mountpoints(krb5kdc_t) + +domain_use_interactive_fds(krb5kdc_t) + +files_read_etc_files(krb5kdc_t) +files_read_usr_symlinks(krb5kdc_t) +files_read_var_files(krb5kdc_t) + +selinux_validate_context(krb5kdc_t) + +logging_send_syslog_msg(krb5kdc_t) + +miscfiles_read_localization(krb5kdc_t) + +seutil_read_file_contexts(krb5kdc_t) + +sysnet_read_config(krb5kdc_t) +sysnet_use_ldap(krb5kdc_t) + +userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) +userdom_dontaudit_search_user_home_dirs(krb5kdc_t) + +optional_policy(` + nis_use_ypbind(krb5kdc_t) +') + +optional_policy(` + seutil_sigchld_newrole(krb5kdc_t) +') + +optional_policy(` + udev_read_db(krb5kdc_t) +') + +######################################## +# +# kpropd local policy +# + +allow kpropd_t self:capability net_bind_service; +allow kpropd_t self:process setfscreate; + +allow kpropd_t self:fifo_file rw_file_perms; +allow kpropd_t self:unix_stream_socket create_stream_socket_perms; +allow kpropd_t self:tcp_socket create_stream_socket_perms; + +allow kpropd_t krb5_host_rcache_t:file manage_file_perms; + +allow kpropd_t krb5_keytab_t:file read_file_perms; + +read_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_conf_t) + +manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t) +filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file) + +manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t) + +manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) + +corecmd_exec_bin(kpropd_t) + 
+corenet_all_recvfrom_unlabeled(kpropd_t)
+corenet_tcp_sendrecv_generic_if(kpropd_t)
+corenet_tcp_sendrecv_generic_node(kpropd_t)
+corenet_tcp_sendrecv_all_ports(kpropd_t)
+corenet_tcp_bind_generic_node(kpropd_t)
+corenet_tcp_bind_kprop_port(kpropd_t)
+
+dev_read_urand(kpropd_t)
+
+files_read_etc_files(kpropd_t)
+files_search_tmp(kpropd_t)
+
+selinux_validate_context(kpropd_t)
+
+logging_send_syslog_msg(kpropd_t)
+
+miscfiles_read_localization(kpropd_t)
+
+seutil_read_file_contexts(kpropd_t)
+
+sysnet_dns_name_resolve(kpropd_t)
+
+kerberos_use(kpropd_t)
diff --git a/kerneloops.fc b/kerneloops.fc
new file mode 100644
index 0000000..5ef261a
--- /dev/null
+++ b/kerneloops.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0)
+
+/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
diff --git a/kerneloops.if b/kerneloops.if
new file mode 100644
index 0000000..835b16b
--- /dev/null
+++ b/kerneloops.if
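Review bot: `corecmd_exec_bin(krb5kdc_t)` lets the network-facing KDC, which reads krb5kdc_principal_t (the realm database) and binds the kerberos port, execute any bin_t program, and the capability line above it carries `net_admin` under the comment `# Use capabilities. Surplus capabilities may be allowed.`; neither is justified anywhere in the hunk. If the exec is for a specific helper — I cannot tell which from here — name it in a comment (`# corecmd_exec_bin: required for <helper>`) or replace it with a narrower domtrans, and confirm whether net_admin is actually needed for the KDC's socket setup before shipping a comment that admits the set is oversized. Consistency nits in the kpropd section: `allow kpropd_t self:fifo_file rw_file_perms;` should be `rw_fifo_file_perms` as used for krb5kdc_t, and kpropd_t is the only daemon here without `corenet_all_recvfrom_netlabel`, so labeled-networking deployments may see it denied while kadmind_t and krb5kdc_t work.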
@@ -0,0 +1,115 @@
+## Service for reporting kernel oopses to kerneloops.org
+
+########################################
+##
+## Execute a domain transition to run kerneloops.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`kerneloops_domtrans',`
+ gen_require(`
+ type kerneloops_t;
+ type kerneloops_exec_t;
+ ')
+
+ domtrans_pattern($1, kerneloops_exec_t, kerneloops_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## kerneloops over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kerneloops_dbus_chat',`
+ gen_require(`
+ type kerneloops_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 kerneloops_t:dbus send_msg;
+ allow kerneloops_t $1:dbus send_msg;
+')
+
+########################################
+##
+## dontaudit attempts to Send and receive messages from
+## kerneloops over dbus.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kerneloops_dontaudit_dbus_chat',`
+ gen_require(`
+ type kerneloops_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 kerneloops_t:dbus send_msg;
+ dontaudit kerneloops_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Allow domain to manage kerneloops tmp files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kerneloops_manage_tmp_files',`
+ gen_require(`
+ type kerneloops_tmp_t;
+ ')
+
+ manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an kerneloops environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the kerneloops domain.
+##
+##
+##
+#
+interface(`kerneloops_admin',`
+ gen_require(`
+ type kerneloops_t, kerneloops_initrc_exec_t;
+ type kerneloops_tmp_t;
+ ')
+
+ allow $1 kerneloops_t:process { ptrace signal_perms };
+ ps_process_pattern($1, kerneloops_t)
+
+ init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kerneloops_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, kerneloops_tmp_t)
+')
diff --git a/kerneloops.te b/kerneloops.te
new file mode 100644
index 0000000..6b35547
--- /dev/null
+++ b/kerneloops.te
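Review bot: `kerneloops_admin` calls `admin_pattern($1, kerneloops_tmp_t)` without first granting the admin domain a path to /tmp, whereas `kerberos_admin` in this same series pairs `files_list_tmp($1)` with `admin_pattern($1, kadmind_tmp_t)`; add `files_list_tmp($1)` ahead of the admin_pattern line so the admin role can actually reach the files the pattern grants. `kerneloops_domtrans` likewise omits the `corecmd_search_bin($1)` that `kdump_domtrans` places before `domtrans_pattern`, which matters for callers that do not otherwise search bin directories. The summary "an kerneloops environment" should read "a kerneloops environment".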
@@ -0,0 +1,54 @@
+policy_module(kerneloops, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type kerneloops_t;
+type kerneloops_exec_t;
+init_daemon_domain(kerneloops_t, kerneloops_exec_t)
+
+type kerneloops_initrc_exec_t;
+init_script_file(kerneloops_initrc_exec_t)
+
+type kerneloops_tmp_t;
+files_tmp_file(kerneloops_tmp_t)
+
+########################################
+#
+# kerneloops local policy
+#
+
+allow kerneloops_t self:capability sys_nice;
+allow kerneloops_t self:process { getcap setcap setsched getsched signal };
+allow kerneloops_t self:fifo_file rw_file_perms;
+
+manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
+files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
+
+kernel_read_ring_buffer(kerneloops_t)
+
+# Init script handling
+domain_use_interactive_fds(kerneloops_t)
+
+corenet_all_recvfrom_unlabeled(kerneloops_t)
+corenet_all_recvfrom_netlabel(kerneloops_t)
+corenet_tcp_sendrecv_generic_if(kerneloops_t)
+corenet_tcp_sendrecv_generic_node(kerneloops_t)
+corenet_tcp_sendrecv_all_ports(kerneloops_t)
+corenet_tcp_bind_http_port(kerneloops_t)
+corenet_tcp_connect_http_port(kerneloops_t)
+
+files_read_etc_files(kerneloops_t)
+
+auth_use_nsswitch(kerneloops_t)
+
+logging_send_syslog_msg(kerneloops_t)
+logging_read_generic_logs(kerneloops_t)
+
+miscfiles_read_localization(kerneloops_t)
+
+optional_policy(`
+ dbus_system_domain(kerneloops_t, kerneloops_exec_t)
+')
diff --git a/kismet.fc b/kismet.fc
new file mode 100644
index 0000000..dae60e5
--- /dev/null
+++ b/kismet.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0)
+
+/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
+/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
+/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
+/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
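Review bot: `corenet_tcp_bind_http_port(kerneloops_t)` lets the daemon listen on the HTTP port, which a reporter that only submits oopses outbound (`corenet_tcp_connect_http_port` on the next line) should not need; unless kerneloops genuinely opens a listening socket — not visible from the hunk, so please confirm — drop the bind rule so a compromise of this daemon cannot be turned into a service on port 80. `allow kerneloops_t self:fifo_file rw_file_perms;` should be `rw_fifo_file_perms` for consistency with kdumpgui_t in this series. Since `logging_read_generic_logs` and `kernel_read_ring_buffer` give it read access to all generic logs and dmesg, a comment stating what portion of that data is actually transmitted would help anyone assessing the upload as a data-leak path.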
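Review bot: `/var/run/kismet_server.pid` has an unescaped `.`, while every other file-context line in this series escapes literal dots (`kdump\.conf`, `krb5\.conf`, `abrt\.pid` style), so the regex also matches names such as `kismet_serverXpid`. Change it to `/var/run/kismet_server\.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)`. Harmless in practice but keeps the fc file consistent and precise.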
diff --git a/kismet.if b/kismet.if
new file mode 100644
index 0000000..c18c920
--- /dev/null
+++ b/kismet.if
@@ -0,0 +1,247 @@ +## Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. + +######################################## +## +## Execute a domain transition to run kismet. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`kismet_domtrans',` + gen_require(` + type kismet_t, kismet_exec_t; + ') + + domtrans_pattern($1, kismet_exec_t, kismet_t) + allow kismet_t $1:process signull; +') + +######################################## +## +## Execute kismet in the kismet domain, and +## allow the specified role the kismet domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`kismet_run',` + gen_require(` + type kismet_t; + ') + + kismet_domtrans($1) + role $2 types kismet_t; +') + +######################################## +## +## Read kismet PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kismet_read_pid_files',` + gen_require(` + type kismet_var_run_t; + ') + + allow $1 kismet_var_run_t:file read_file_perms; + files_search_pids($1) +') + +######################################## +## +## Manage kismet var_run files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kismet_manage_pid_files',` + gen_require(` + type kismet_var_run_t; + ') + + allow $1 kismet_var_run_t:file manage_file_perms; + files_search_pids($1) +') + +######################################## +## +## Search kismet lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`kismet_search_lib',` + gen_require(` + type kismet_var_lib_t; + ') + + allow $1 kismet_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read kismet lib files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`kismet_read_lib_files',` + gen_require(` + type kismet_var_lib_t; + ') + + allow $1 kismet_var_lib_t:file read_file_perms; + allow $1 kismet_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Create, read, write, and delete +## kismet lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kismet_manage_lib_files',` + gen_require(` + type kismet_var_lib_t; + ') + + manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## +## Manage kismet var_lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kismet_manage_lib',` + gen_require(` + type kismet_var_lib_t; + ') + + manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t) + manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) + manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) +') + +######################################## +## +## Allow the specified domain to read kismet's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kismet_read_log',` + gen_require(` + type kismet_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, kismet_log_t, kismet_log_t) +') + +######################################## +## +## Allow the specified domain to append +## kismet log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`kismet_append_log',` + gen_require(` + type kismet_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, kismet_log_t, kismet_log_t) +') + +######################################## +## +## Allow domain to manage kismet log files +## +## +## +## Domain allowed access. 
+## +## +# +interface(`kismet_manage_log',` + gen_require(` + type kismet_log_t; + ') + + manage_dirs_pattern($1, kismet_log_t, kismet_log_t) + manage_files_pattern($1, kismet_log_t, kismet_log_t) + manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t) + logging_search_logs($1) +') + +######################################## +## +## All of the rules required to administrate an kismet environment +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kismet_admin',` + gen_require(` + type kismet_t; + ') + + ps_process_pattern($1, kismet_t) + allow $1 kismet_t:process { ptrace signal_perms }; + + kismet_manage_pid_files($1) + kismet_manage_lib($1) + kismet_manage_log($1) +') diff --git a/kismet.te b/kismet.te new file mode 100644 index 0000000..9dd6880 --- /dev/null +++ b/kismet.te 
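Review bot: `kismet_manage_lib` grants manage permissions on kismet_var_lib_t without `files_search_var_lib($1)`, whereas the sibling interfaces `kismet_read_lib_files` and `kismet_manage_lib_files` in this hunk include it. `kismet_admin` uses `kismet_manage_lib`, so an administrator domain cannot reach /var/lib/kismet unless it holds /var/lib search from somewhere else. Adding `files_search_var_lib($1)` after the three `manage_*_pattern` lines makes the interface self-sufficient and consistent with its neighbours.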
@@ -0,0 +1,101 @@ +policy_module(kismet, 1.6.0) + +######################################## +# +# Declarations +# + +type kismet_t; +type kismet_exec_t; +application_domain(kismet_t, kismet_exec_t) +role system_r types kismet_t; + +type kismet_home_t; +userdom_user_home_content(kismet_home_t) + +type kismet_log_t; +logging_log_file(kismet_log_t) + +type kismet_tmp_t; +files_tmp_file(kismet_tmp_t) + +type kismet_tmpfs_t; +files_tmp_file(kismet_tmpfs_t) + +type kismet_var_lib_t; +files_type(kismet_var_lib_t) + +type kismet_var_run_t; +files_pid_file(kismet_var_run_t) + +######################################## +# +# kismet local policy +# + +allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid }; +allow kismet_t self:process signal_perms; +allow kismet_t self:fifo_file rw_file_perms; +allow kismet_t self:packet_socket create_socket_perms; +allow kismet_t self:unix_dgram_socket { create_socket_perms sendto }; +allow kismet_t self:unix_stream_socket create_stream_socket_perms; +allow kismet_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t) +manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t) +manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t) +userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir }) +userdom_search_user_home_dirs(kismet_t) + +manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) +allow kismet_t kismet_log_t:dir setattr; +logging_log_filetrans(kismet_t, kismet_log_t, { file dir }) + +manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) +manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) +manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) +files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file }) + +manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) +manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) +fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file }) + +allow 
kismet_t kismet_var_lib_t:file manage_file_perms; +allow kismet_t kismet_var_lib_t:dir manage_dir_perms; +files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir }) + +allow kismet_t kismet_var_run_t:file manage_file_perms; +allow kismet_t kismet_var_run_t:dir manage_dir_perms; +files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir }) + +kernel_search_debugfs(kismet_t) +kernel_read_system_state(kismet_t) +kernel_read_network_state(kismet_t) + +corecmd_exec_bin(kismet_t) + +corenet_all_recvfrom_unlabeled(kismet_t) +corenet_all_recvfrom_netlabel(kismet_t) +corenet_tcp_sendrecv_generic_if(kismet_t) +corenet_tcp_sendrecv_generic_node(kismet_t) +corenet_tcp_sendrecv_all_ports(kismet_t) +corenet_tcp_bind_generic_node(kismet_t) +corenet_tcp_bind_kismet_port(kismet_t) +corenet_tcp_connect_kismet_port(kismet_t) +corenet_tcp_connect_pulseaudio_port(kismet_t) + +auth_use_nsswitch(kismet_t) + +files_read_etc_files(kismet_t) +files_read_usr_files(kismet_t) + +miscfiles_read_localization(kismet_t) + +userdom_use_user_terminals(kismet_t) +userdom_read_user_tmpfs_files(kismet_t) + +optional_policy(` + dbus_system_bus_client(kismet_t) + + networkmanager_dbus_chat(kismet_t) +') diff --git a/ksmtuned.fc b/ksmtuned.fc new file mode 100644 index 0000000..9c0c835 --- /dev/null +++ b/ksmtuned.fc @@ -0,0 +1,5 @@ +/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) + +/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) + +/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) diff --git a/ksmtuned.if b/ksmtuned.if new file mode 100644 index 0000000..6fd0b4c --- /dev/null +++ b/ksmtuned.if 
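Review bot: `kismet_tmpfs_t` is declared with `files_tmp_file(kismet_tmpfs_t)` but is only used through `fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file })`, so the type is attributed as /tmp content rather than tmpfs content; refpolicy's declaration for tmpfs-backed types is `files_tmpfs_file(kismet_tmpfs_t)`, which looks like what was meant — verify before changing. Separately, the self capability set includes `dac_override`; net_raw and net_admin are expected for a sniffer, but the DAC bypass deserves a comment naming the path that needs it, since it lets the domain ignore file ownership on everything it can otherwise reach.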
@@ -0,0 +1,74 @@
+## Kernel Samepage Merging (KSM) Tuning Daemon
+
+########################################
+##
+## Execute a domain transition to run ksmtuned.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ksmtuned_domtrans',`
+ gen_require(`
+ type ksmtuned_t, ksmtuned_exec_t;
+ ')
+
+ domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t)
+')
+
+########################################
+##
+## Execute ksmtuned server in the ksmtuned domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ksmtuned_initrc_domtrans',`
+ gen_require(`
+ type ksmtuned_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ksmtuned environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`ksmtuned_admin',`
+ gen_require(`
+ type ksmtuned_t, ksmtuned_var_run_t;
+ type ksmtuned_initrc_exec_t;
+ ')
+
+ allow $1 ksmtuned_t:process { ptrace signal_perms };
+ ps_process_pattern(ksmtumed_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ksmtuned_var_run_t)
+
+ # Allow ksmtuned_t to restart the apache service
+ ksmtuned_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ksmtuned_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
diff --git a/ksmtuned.te b/ksmtuned.te
new file mode 100644
index 0000000..a73b7a1
--- /dev/null
+++ b/ksmtuned.te
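Review bot: `ps_process_pattern(ksmtumed_t)` in `ksmtuned_admin` misspells the type and omits the caller argument, so the interface cannot build when it is used; it should read `ps_process_pattern($1, ksmtuned_t)`, the form `kismet_admin` and `ldap_admin` use in this same change. The comment `# Allow ksmtuned_t to restart the apache service` is a copy-paste leftover; `# Allow $1 to restart the ksmtuned service` describes the rules that follow it. The summary "an ksmtuned environment" should read "a ksmtuned environment".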
@@ -0,0 +1,39 @@
+policy_module(ksmtuned, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ksmtuned_t;
+type ksmtuned_exec_t;
+init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
+
+type ksmtuned_initrc_exec_t;
+init_script_file(ksmtuned_initrc_exec_t)
+
+type ksmtuned_var_run_t;
+files_pid_file(ksmtuned_var_run_t)
+
+########################################
+#
+# ksmtuned local policy
+#
+
+allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
+allow ksmtuned_t self:fifo_file rw_file_perms;
+
+manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
+files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
+
+kernel_read_system_state(ksmtuned_t)
+
+dev_rw_sysfs(ksmtuned_t)
+
+domain_read_all_domains_state(ksmtuned_t)
+
+corecmd_exec_bin(ksmtuned_t)
+
+files_read_etc_files(ksmtuned_t)
+
+miscfiles_read_localization(ksmtuned_t)
diff --git a/ktalk.fc b/ktalk.fc
new file mode 100644
index 0000000..47d0bf3
--- /dev/null
+++ b/ktalk.fc
@@ -0,0 +1,7 @@
+
+/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+
+/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+
+/var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0)
diff --git a/ktalk.if b/ktalk.if
new file mode 100644
index 0000000..5ba36db
--- /dev/null
+++ b/ktalk.if
@@ -0,0 +1 @@
+## KDE Talk daemon
diff --git a/ktalk.te b/ktalk.te
new file mode 100644
index 0000000..ca5cfdf
--- /dev/null
+++ b/ktalk.te
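Review bot: `allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };` grants sys_tty_config outright, whereas ldap.te in this same change uses `dontaudit slapd_t self:capability sys_tty_config;`, the usual form for a daemon that trips the check without needing the capability. Unless ksmtuned really reconfigures a tty, prefer `allow ksmtuned_t self:capability sys_ptrace;` followed by `dontaudit ksmtuned_t self:capability sys_tty_config;`. The sys_ptrace grant together with `domain_read_all_domains_state(ksmtuned_t)` lets the daemon read the /proc state of every domain; a one-line comment recording which process data it needs would justify that scope.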
@@ -0,0 +1,79 @@ +policy_module(ktalk, 1.8.0) + +######################################## +# +# Declarations +# + +type ktalkd_t; +type ktalkd_exec_t; +inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t) +role system_r types ktalkd_t; + +type ktalkd_log_t; +logging_log_file(ktalkd_log_t) + +type ktalkd_tmp_t; +files_tmp_file(ktalkd_tmp_t) + +type ktalkd_var_run_t; +files_pid_file(ktalkd_var_run_t) + +######################################## +# +# Local policy +# + +allow ktalkd_t self:process signal_perms; +allow ktalkd_t self:fifo_file rw_fifo_file_perms; +allow ktalkd_t self:tcp_socket connected_stream_socket_perms; +allow ktalkd_t self:udp_socket create_socket_perms; +# for identd +# cjp: this should probably only be inetd_child rules? +allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow ktalkd_t self:capability { setuid setgid }; +files_search_home(ktalkd_t) +optional_policy(` + kerberos_use(ktalkd_t) +') +#end for identd + +allow ktalkd_t ktalkd_log_t:file manage_file_perms; +logging_log_filetrans(ktalkd_t, ktalkd_log_t, file) + +manage_dirs_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t) +manage_files_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t) +files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir }) + +manage_files_pattern(ktalkd_t, ktalkd_var_run_t, ktalkd_var_run_t) +files_pid_filetrans(ktalkd_t, ktalkd_var_run_t, file) + +kernel_read_kernel_sysctls(ktalkd_t) +kernel_read_system_state(ktalkd_t) +kernel_read_network_state(ktalkd_t) + +corenet_all_recvfrom_unlabeled(ktalkd_t) +corenet_all_recvfrom_netlabel(ktalkd_t) +corenet_tcp_sendrecv_generic_if(ktalkd_t) +corenet_udp_sendrecv_generic_if(ktalkd_t) +corenet_tcp_sendrecv_generic_node(ktalkd_t) +corenet_udp_sendrecv_generic_node(ktalkd_t) +corenet_tcp_sendrecv_all_ports(ktalkd_t) +corenet_udp_sendrecv_all_ports(ktalkd_t) + +dev_read_urand(ktalkd_t) + +fs_getattr_xattr_fs(ktalkd_t) + +files_read_etc_files(ktalkd_t) + +term_search_ptys(ktalkd_t) +term_use_all_terms(ktalkd_t) + 
+auth_use_nsswitch(ktalkd_t) + +init_read_utmp(ktalkd_t) + +logging_send_syslog_msg(ktalkd_t) + +miscfiles_read_localization(ktalkd_t) diff --git a/kudzu.fc b/kudzu.fc new file mode 100644 index 0000000..dd88f74 --- /dev/null +++ b/kudzu.fc @@ -0,0 +1,5 @@ + +/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0) +/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) + +/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) diff --git a/kudzu.if b/kudzu.if new file mode 100644 index 0000000..65bcaff --- /dev/null +++ b/kudzu.if @@ -0,0 +1,64 @@ +## Hardware detection and configuration tools + +######################################## +## +## Execute kudzu in the kudzu domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`kudzu_domtrans',` + gen_require(` + type kudzu_t, kudzu_exec_t; + ') + + domtrans_pattern($1, kudzu_exec_t, kudzu_t) +') + +######################################## +## +## Execute kudzu in the kudzu domain, and +## allow the specified role the kudzu domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`kudzu_run',` + gen_require(` + type kudzu_t; + ') + + kudzu_domtrans($1) + role $2 types kudzu_t; +') + +######################################## +## +## Get attributes of kudzu executable. +## +## +## +## Domain allowed access. +## +## +# +# cjp: added for ddcprobe +interface(`kudzu_getattr_exec_files',` + gen_require(` + type kudzu_exec_t; + ') + + allow $1 kudzu_exec_t:file getattr; +') diff --git a/kudzu.te b/kudzu.te new file mode 100644 index 0000000..4f7bd3c --- /dev/null +++ b/kudzu.te 
@@ -0,0 +1,145 @@ +policy_module(kudzu, 1.8.0) + +######################################## +# +# Declarations +# + +type kudzu_t; +type kudzu_exec_t; +init_system_domain(kudzu_t, kudzu_exec_t) + +type kudzu_tmp_t; +files_tmp_file(kudzu_tmp_t) + +type kudzu_var_run_t; +files_pid_file(kudzu_var_run_t) + +######################################## +# +# Local policy +# + +allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod }; +dontaudit kudzu_t self:capability sys_tty_config; +allow kudzu_t self:process { signal_perms execmem }; +allow kudzu_t self:fifo_file rw_fifo_file_perms; +allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow kudzu_t self:unix_dgram_socket create_socket_perms; +allow kudzu_t self:udp_socket { create ioctl }; + +manage_dirs_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) +manage_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) +manage_chr_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) +files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file }) + +manage_dirs_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t) +manage_files_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t) +files_pid_filetrans(kudzu_t, kudzu_var_run_t, file) + +kernel_change_ring_buffer_level(kudzu_t) +kernel_list_proc(kudzu_t) +kernel_read_device_sysctls(kudzu_t) +kernel_read_kernel_sysctls(kudzu_t) +kernel_read_proc_symlinks(kudzu_t) +kernel_read_network_state(kudzu_t) +kernel_read_system_state(kudzu_t) +kernel_rw_hotplug_sysctls(kudzu_t) +kernel_rw_kernel_sysctl(kudzu_t) + +files_read_kernel_modules(kudzu_t) + +dev_list_sysfs(kudzu_t) +dev_read_usbfs(kudzu_t) +dev_read_sysfs(kudzu_t) +dev_rx_raw_memory(kudzu_t) +dev_wx_raw_memory(kudzu_t) +dev_rw_mouse(kudzu_t) +dev_rwx_zero(kudzu_t) + +fs_search_auto_mountpoints(kudzu_t) +fs_search_ramfs(kudzu_t) +fs_write_ramfs_sockets(kudzu_t) + +mls_file_read_all_levels(kudzu_t) +mls_file_write_all_levels(kudzu_t) + +storage_read_scsi_generic(kudzu_t) 
+storage_read_tape(kudzu_t) +storage_raw_write_fixed_disk(kudzu_t) +storage_raw_write_removable_device(kudzu_t) +storage_raw_read_fixed_disk(kudzu_t) +storage_raw_read_removable_device(kudzu_t) + +term_dontaudit_use_console(kudzu_t) +# so it can write messages to the console +term_use_unallocated_ttys(kudzu_t) + +corecmd_exec_all_executables(kudzu_t) + +domain_use_interactive_fds(kudzu_t) + +files_search_var(kudzu_t) +files_search_locks(kudzu_t) +files_manage_etc_files(kudzu_t) +files_manage_etc_runtime_files(kudzu_t) +files_etc_filetrans_etc_runtime(kudzu_t, file) +files_manage_mnt_files(kudzu_t) +files_manage_mnt_symlinks(kudzu_t) +files_dontaudit_search_src(kudzu_t) +# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux +files_read_usr_files(kudzu_t) +# for /etc/sysconfig/hwconf - probably need a new type +files_rw_etc_runtime_files(kudzu_t) +# for file systems that are not yet mounted +files_dontaudit_search_isid_type_dirs(kudzu_t) + +init_use_fds(kudzu_t) +init_use_script_ptys(kudzu_t) +init_stream_connect_script(kudzu_t) +init_read_state(kudzu_t) +init_ptrace(kudzu_t) +# kudzu will telinit to make init re-read +# the inittab after configuring serial consoles +init_telinit(kudzu_t) + +# Read /usr/lib/gconv/gconv-modules.* +libs_read_lib_files(kudzu_t) + +logging_send_syslog_msg(kudzu_t) + +miscfiles_read_hwdata(kudzu_t) +miscfiles_read_localization(kudzu_t) + +modutils_read_module_config(kudzu_t) +modutils_read_module_deps(kudzu_t) +modutils_rename_module_config(kudzu_t) +modutils_delete_module_config(kudzu_t) +modutils_domtrans_insmod(kudzu_t) + +sysnet_read_config(kudzu_t) + +userdom_use_user_terminals(kudzu_t) +userdom_dontaudit_use_unpriv_user_fds(kudzu_t) +userdom_search_user_home_dirs(kudzu_t) + +optional_policy(` + gpm_getattr_gpmctl(kudzu_t) +') + +optional_policy(` + nscd_socket_use(kudzu_t) +') + +optional_policy(` + seutil_sigchld_newrole(kudzu_t) +') + +optional_policy(` + udev_read_db(kudzu_t) +') + +optional_policy(` + 
unconfined_domtrans(kudzu_t) + unconfined_domain(kudzu_t) +') diff --git a/ldap.fc b/ldap.fc new file mode 100644 index 0000000..c62f23e --- /dev/null +++ b/ldap.fc @@ -0,0 +1,17 @@ + +/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) +/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) + +/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) + +ifdef(`distro_debian',` +/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) +') + +/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) +/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) + +/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/ldap.if b/ldap.if new file mode 100644 index 0000000..3aa8fa7 --- /dev/null +++ b/ldap.if 
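Review bot: `dontaudit kudzu_t self:capability sys_tty_config;` is dead, because the `allow kudzu_t self:capability { ... sys_tty_config ... }` line directly above already grants it and granted permissions are never audited; keep one of the two, the allow if the capability is genuinely used, otherwise the dontaudit. The closing `optional_policy` block that calls `unconfined_domain(kudzu_t)` deserves a comment, since on a system with the unconfined module loaded it makes every fine-grained rule above it, including `dev_wx_raw_memory` and the `storage_raw_write_*` grants, redundant; administrators reading this file need to know the domain is effectively unconfined there.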
@@ -0,0 +1,120 @@ +## OpenLDAP directory server + +######################################## +## +## Read the contents of the OpenLDAP +## database directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`ldap_list_db',` + gen_require(` + type slapd_db_t; + ') + + allow $1 slapd_db_t:dir list_dir_perms; +') + +######################################## +## +## Read the OpenLDAP configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`ldap_read_config',` + gen_require(` + type slapd_etc_t; + ') + + files_search_etc($1) + allow $1 slapd_etc_t:file read_file_perms; +') + +######################################## +## +## Use LDAP over TCP connection. (Deprecated) +## +## +## +## Domain allowed access. +## +## +# +interface(`ldap_use',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## +## Connect to slapd over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`ldap_stream_connect',` + gen_require(` + type slapd_t, slapd_var_run_t; + ') + + files_search_pids($1) + allow $1 slapd_var_run_t:sock_file write; + allow $1 slapd_t:unix_stream_socket connectto; +') + +######################################## +## +## All of the rules required to administrate +## an ldap environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the ldap domain. 
+## +## +## +# +interface(`ldap_admin',` + gen_require(` + type slapd_t, slapd_tmp_t, slapd_replog_t; + type slapd_lock_t, slapd_etc_t, slapd_var_run_t; + type slapd_initrc_exec_t; + ') + + allow $1 slapd_t:process { ptrace signal_perms }; + ps_process_pattern($1, slapd_t) + + init_labeled_script_domtrans($1, slapd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 slapd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, slapd_etc_t) + + admin_pattern($1, slapd_lock_t) + + admin_pattern($1, slapd_replog_t) + + files_list_tmp($1) + admin_pattern($1, slapd_tmp_t) + + files_list_pids($1) + admin_pattern($1, slapd_var_run_t) +') diff --git a/ldap.te b/ldap.te new file mode 100644 index 0000000..64fd1ff --- /dev/null +++ b/ldap.te 
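Review bot: `ldap_stream_connect` hand-rolls the connection with `allow $1 slapd_var_run_t:sock_file write;` and `allow $1 slapd_t:unix_stream_socket connectto;` instead of `stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)` as `likewise_stream_connect_lsassd` does elsewhere in this change; the pattern also grants search on the socket's directory type, which the explicit rules omit. `ldap_admin` administers the etc, lock, replog, tmp and pid types but neither `slapd_db_t` nor `slapd_cert_t`, so an administrator role cannot touch the directory database; if the interface is meant to cover the whole environment, add both types to the gen_require and call `files_list_var_lib($1)` and `admin_pattern($1, slapd_db_t)`.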
@@ -0,0 +1,132 @@ +policy_module(ldap, 1.10.0) + +######################################## +# +# Declarations +# + +type slapd_t; +type slapd_exec_t; +init_daemon_domain(slapd_t, slapd_exec_t) + +type slapd_cert_t; +files_type(slapd_cert_t) + +type slapd_db_t; +files_type(slapd_db_t) + +type slapd_etc_t; +files_config_file(slapd_etc_t) + +type slapd_initrc_exec_t; +init_script_file(slapd_initrc_exec_t) + +type slapd_lock_t; +files_lock_file(slapd_lock_t) + +type slapd_replog_t; +files_type(slapd_replog_t) + +type slapd_tmp_t; +files_tmp_file(slapd_tmp_t) + +type slapd_var_run_t; +files_pid_file(slapd_var_run_t) + +######################################## +# +# Local policy +# + +# should not need kill +# cjp: why net_raw? +allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; +dontaudit slapd_t self:capability sys_tty_config; +allow slapd_t self:process setsched; +allow slapd_t self:fifo_file rw_fifo_file_perms; +allow slapd_t self:udp_socket create_socket_perms; +#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach) +allow slapd_t self:tcp_socket create_stream_socket_perms; + +allow slapd_t slapd_cert_t:dir list_dir_perms; +read_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) +read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) + +# Allow access to the slapd databases +manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t) +manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t) +manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t) + +allow slapd_t slapd_etc_t:file read_file_perms; + +allow slapd_t slapd_lock_t:file manage_file_perms; +files_lock_filetrans(slapd_t, slapd_lock_t, file) + +# Allow access to write the replication log (should tighten this) +manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) +manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) +manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) + +manage_dirs_pattern(slapd_t, 
slapd_tmp_t, slapd_tmp_t) +manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) +files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) + +manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) +manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) +files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file }) + +kernel_read_system_state(slapd_t) +kernel_read_kernel_sysctls(slapd_t) + +corenet_all_recvfrom_unlabeled(slapd_t) +corenet_all_recvfrom_netlabel(slapd_t) +corenet_tcp_sendrecv_generic_if(slapd_t) +corenet_udp_sendrecv_generic_if(slapd_t) +corenet_tcp_sendrecv_generic_node(slapd_t) +corenet_udp_sendrecv_generic_node(slapd_t) +corenet_tcp_sendrecv_all_ports(slapd_t) +corenet_udp_sendrecv_all_ports(slapd_t) +corenet_tcp_bind_generic_node(slapd_t) +corenet_tcp_bind_ldap_port(slapd_t) +corenet_tcp_connect_all_ports(slapd_t) +corenet_sendrecv_ldap_server_packets(slapd_t) +corenet_sendrecv_all_client_packets(slapd_t) + +dev_read_urand(slapd_t) +dev_read_sysfs(slapd_t) + +fs_getattr_all_fs(slapd_t) +fs_search_auto_mountpoints(slapd_t) + +domain_use_interactive_fds(slapd_t) + +files_read_etc_files(slapd_t) +files_read_etc_runtime_files(slapd_t) +files_read_usr_files(slapd_t) +files_list_var_lib(slapd_t) + +auth_use_nsswitch(slapd_t) + +logging_send_syslog_msg(slapd_t) + +miscfiles_read_generic_certs(slapd_t) +miscfiles_read_localization(slapd_t) + +userdom_dontaudit_use_unpriv_user_fds(slapd_t) +userdom_dontaudit_search_user_home_dirs(slapd_t) + +optional_policy(` + kerberos_keytab_template(slapd, slapd_t) +') + +optional_policy(` + sasl_connect(slapd_t) +') + +optional_policy(` + seutil_sigchld_newrole(slapd_t) +') + +optional_policy(` + udev_read_db(slapd_t) +') diff --git a/likewise.fc b/likewise.fc new file mode 100644 index 0000000..057a4e4 --- /dev/null +++ b/likewise.fc 
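Review bot: `corenet_tcp_connect_all_ports(slapd_t)` together with `corenet_sendrecv_all_client_packets(slapd_t)` lets the directory server open outbound TCP connections to any port, far wider than its bind side (`corenet_tcp_bind_ldap_port`). If the outbound need is replication or referrals to other directory servers, `corenet_tcp_connect_ldap_port(slapd_t)` covers it; if another port is required, a comment naming it keeps the wide grant reviewable. The capability line still carries the author's own unresolved doubts (`# should not need kill`, `# cjp: why net_raw?`), and settling them would let the rule match the comments.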
@@ -0,0 +1,54 @@
+/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
+/etc/likewise-open/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
+/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
+
+/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+
+/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
+/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
+/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+
+/var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0)
+/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+
diff --git a/likewise.if b/likewise.if
new file mode 100644
index 0000000..771e04b
--- /dev/null
+++ b/likewise.if
@@ -0,0 +1,105 @@
+## Likewise Active Directory support for UNIX.
+##
+##

+## Likewise Open is a free, open source application that joins Linux, Unix, +## and Mac machines to Microsoft Active Directory to securely authenticate +## users with their domain credentials. +##

+##
+ +####################################### +## +## The template to define a likewise domain. +## +## +##

+## This template creates a domain to be used for +## a new likewise daemon. +##

+##
+## +## +## The type of daemon to be used. +## +## +# +template(`likewise_domain_template',` + + gen_require(` + attribute likewise_domains; + type likewise_var_lib_t; + ') + + ######################################## + # + # Declarations + # + + type $1_t; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) + domain_use_interactive_fds($1_t) + + typeattribute $1_t likewise_domains; + + type $1_var_run_t; + files_pid_file($1_var_run_t) + + type $1_var_socket_t; + files_type($1_var_socket_t) + + type $1_var_lib_t; + files_type($1_var_lib_t) + + #################################### + # + # Local Policy + # + + allow $1_t self:process { signal_perms getsched setsched }; + allow $1_t self:fifo_file rw_fifo_file_perms; + allow $1_t self:unix_dgram_socket create_socket_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + + allow $1_t likewise_var_lib_t:dir setattr; + + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, file) + + manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t) + filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file) + + manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) + filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file) + + dev_read_rand($1_t) + dev_read_urand($1_t) + + files_read_etc_files($1_t) + files_search_var_lib($1_t) + + logging_send_syslog_msg($1_t) + + miscfiles_read_localization($1_t) +') + +######################################## +## +## Connect to lsassd. +## +## +## +## Domain allowed access. +## +## +# +interface(`likewise_stream_connect_lsassd',` + gen_require(` + type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) +') 
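Review bot: `likewise_stream_connect_lsassd` calls `files_search_pids($1)`, but the socket it connects to sits under likewise_var_lib_t, which likewise.fc in this change places at /var/lib/likewise-open, so the caller needs `files_search_var_lib($1)`; search on /var/run does not help it reach the socket's directory. The template's parameter description "The type of daemon to be used." is also misleading, since `$1` is a name prefix from which `$1_t`, `$1_exec_t` and the var_run, socket and lib types are derived; `## Prefix of the daemon domain (for example lsassd).` would describe it accurately.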
diff --git a/likewise.te b/likewise.te
new file mode 100644
index 0000000..5ba6cc2
--- /dev/null
+++ b/likewise.te
@@ -0,0 +1,238 @@ +policy_module(likewise, 1.2.0) + +################################# +# +# Declarations +# + +attribute likewise_domains; + +type likewise_etc_t; +files_config_file(likewise_etc_t) + +type likewise_initrc_exec_t; +init_script_file(likewise_initrc_exec_t) + +type likewise_var_lib_t; +files_type(likewise_var_lib_t) + +type likewise_pstore_lock_t; +files_type(likewise_pstore_lock_t) + +type likewise_krb5_ad_t; +files_type(likewise_krb5_ad_t) + +likewise_domain_template(dcerpcd) + +likewise_domain_template(eventlogd) + +likewise_domain_template(lsassd) + +type lsassd_tmp_t; +files_tmp_file(lsassd_tmp_t) + +likewise_domain_template(lwiod) + +likewise_domain_template(lwregd) + +likewise_domain_template(lwsmd) + +likewise_domain_template(netlogond) + +likewise_domain_template(srvsvcd) + +################################# +# +# Likewise dcerpcd personal policy +# + +stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + +corenet_all_recvfrom_netlabel(dcerpcd_t) +corenet_all_recvfrom_unlabeled(dcerpcd_t) +corenet_sendrecv_generic_client_packets(dcerpcd_t) +corenet_sendrecv_generic_server_packets(dcerpcd_t) +corenet_tcp_sendrecv_generic_if(dcerpcd_t) +corenet_tcp_sendrecv_generic_node(dcerpcd_t) +corenet_tcp_sendrecv_generic_port(dcerpcd_t) +corenet_tcp_bind_generic_node(dcerpcd_t) +corenet_tcp_bind_epmap_port(dcerpcd_t) +corenet_tcp_connect_generic_port(dcerpcd_t) +corenet_udp_bind_generic_node(dcerpcd_t) +corenet_udp_bind_epmap_port(dcerpcd_t) +corenet_udp_sendrecv_generic_if(dcerpcd_t) +corenet_udp_sendrecv_generic_node(dcerpcd_t) +corenet_udp_sendrecv_generic_port(dcerpcd_t) + +################################# +# +# Likewise Auditing and Logging service policy +# + +stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) +stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + +corenet_all_recvfrom_netlabel(eventlogd_t) 
+corenet_all_recvfrom_unlabeled(eventlogd_t) +corenet_sendrecv_generic_server_packets(eventlogd_t) +corenet_tcp_sendrecv_generic_if(eventlogd_t) +corenet_tcp_sendrecv_generic_node(eventlogd_t) +corenet_tcp_sendrecv_generic_port(eventlogd_t) +corenet_tcp_bind_generic_node(eventlogd_t) +corenet_udp_bind_generic_node(eventlogd_t) +corenet_udp_sendrecv_generic_if(eventlogd_t) +corenet_udp_sendrecv_generic_node(eventlogd_t) +corenet_udp_sendrecv_generic_port(eventlogd_t) + +################################# +# +# Likewise Authentication service local policy +# + +allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time }; +allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms; + +allow lsassd_t likewise_krb5_ad_t:file read_file_perms; +allow lsassd_t netlogond_var_lib_t:file read_file_perms; + +manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t) + +manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t) +files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file) + +stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) +stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t) +stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) +stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) +stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t) + +kernel_read_system_state(lsassd_t) +kernel_getattr_proc_files(lsassd_t) +kernel_list_all_proc(lsassd_t) +kernel_list_proc(lsassd_t) + +corecmd_exec_bin(lsassd_t) +corecmd_exec_shell(lsassd_t) + +corenet_all_recvfrom_netlabel(lsassd_t) +corenet_all_recvfrom_unlabeled(lsassd_t) +corenet_tcp_sendrecv_generic_if(lsassd_t) +corenet_tcp_sendrecv_generic_node(lsassd_t) +corenet_tcp_sendrecv_generic_port(lsassd_t) +corenet_tcp_bind_generic_node(lsassd_t) 
+corenet_tcp_connect_epmap_port(lsassd_t) +corenet_tcp_sendrecv_epmap_port(lsassd_t) + +domain_obj_id_change_exemption(lsassd_t) + +files_manage_etc_files(lsassd_t) +files_manage_etc_symlinks(lsassd_t) +files_manage_etc_runtime_files(lsassd_t) +files_relabelto_home(lsassd_t) + +selinux_get_fs_mount(lsassd_t) +selinux_validate_context(lsassd_t) + +seutil_read_config(lsassd_t) +seutil_read_default_contexts(lsassd_t) +seutil_read_file_contexts(lsassd_t) +seutil_run_semanage(lsassd_t, system_r) + +sysnet_use_ldap(lsassd_t) +sysnet_read_config(lsassd_t) + +userdom_home_filetrans_user_home_dir(lsassd_t) +userdom_manage_user_home_content_files(lsassd_t) + +optional_policy(` + kerberos_rw_keytab(lsassd_t) + kerberos_use(lsassd_t) +') + +################################# +# +# Likewise I/O service local policy +# + +allow lwiod_t self:capability { fowner chown fsetid dac_override }; +allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; + +allow lwiod_t likewise_krb5_ad_t:file read_file_perms; +allow lwiod_t netlogond_var_lib_t:file read_file_perms; + +stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) +stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) + +corenet_all_recvfrom_netlabel(lwiod_t) +corenet_all_recvfrom_unlabeled(lwiod_t) +corenet_sendrecv_smbd_server_packets(lwiod_t) +corenet_sendrecv_smbd_client_packets(lwiod_t) +corenet_tcp_sendrecv_generic_if(lwiod_t) +corenet_tcp_sendrecv_generic_node(lwiod_t) +corenet_tcp_sendrecv_generic_port(lwiod_t) +corenet_tcp_bind_generic_node(lwiod_t) +corenet_tcp_bind_smbd_port(lwiod_t) +corenet_tcp_connect_smbd_port(lwiod_t) + +sysnet_read_config(lwiod_t) + +optional_policy(` + kerberos_rw_config(lwiod_t) + kerberos_use(lwiod_t) +') + +################################# +# +# Likewise Service Manager service local policy +# + +allow lwsmd_t likewise_domains:process signal; + +domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t) +domtrans_pattern(lwsmd_t, 
eventlogd_exec_t, eventlogd_t) +domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t) +domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t) +domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t) +domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t) +domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t) + +stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) +stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + +################################# +# +# Likewise DC location service local policy +# + +allow netlogond_t self:capability {dac_override}; + +manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t) + +stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + +sysnet_dns_name_resolve(netlogond_t) +sysnet_use_ldap(netlogond_t) + +################################# +# +# Likewise Srv service local policy +# + +allow srvsvcd_t likewise_etc_t:dir search_dir_perms; + +stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) +stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) +stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + +corenet_all_recvfrom_netlabel(srvsvcd_t) +corenet_all_recvfrom_unlabeled(srvsvcd_t) +corenet_sendrecv_generic_server_packets(srvsvcd_t) +corenet_tcp_sendrecv_generic_if(srvsvcd_t) +corenet_tcp_sendrecv_generic_node(srvsvcd_t) +corenet_tcp_sendrecv_generic_port(srvsvcd_t) +corenet_tcp_bind_generic_node(srvsvcd_t) + +optional_policy(` + kerberos_use(srvsvcd_t) +') diff --git a/lircd.fc b/lircd.fc new file mode 100644 index 0000000..49e04e5 --- /dev/null +++ b/lircd.fc 
@@ -0,0 +1,10 @@ +/dev/lircd -s gen_context(system_u:object_r:lircd_sock_t,s0) + +/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0) +/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0) + +/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) + +/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) +/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) +/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) diff --git a/lircd.if b/lircd.if new file mode 100644 index 0000000..418cc81 --- /dev/null +++ b/lircd.if 
@@ -0,0 +1,96 @@ +## Linux infared remote control daemon + +######################################## +## +## Execute a domain transition to run lircd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`lircd_domtrans',` + gen_require(` + type lircd_t, lircd_exec_t; + ') + + domain_auto_trans($1, lircd_exec_t, lircd_t) + +') + +###################################### +## +## Connect to lircd over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`lircd_stream_connect',` + gen_require(` + type lircd_var_run_t, lircd_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t) +') + +####################################### +## +## Read lircd etc file +## +## +## +## Domain allowed access. +## +## +# +interface(`lircd_read_config',` + gen_require(` + type lircd_etc_t; + ') + + read_files_pattern($1, lircd_etc_t, lircd_etc_t) +') + +######################################## +## +## All of the rules required to administrate +## a lircd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the syslog domain. +## +## +## +# +interface(`lircd_admin',` + gen_require(` + type lircd_t, lircd_var_run_t; + type lircd_initrc_exec_t, lircd_etc_t; + ') + + allow $1 lircd_t:process { ptrace signal_perms }; + ps_process_pattern($1, lircd_t) + + init_labeled_script_domtrans($1, lircd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 lircd_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) + admin_pattern($1, lircd_etc_t) + + files_search_pids($1) + admin_pattern($1, lircd_var_run_t) +') diff --git a/lircd.te b/lircd.te new file mode 100644 index 0000000..6a78de1 --- /dev/null +++ b/lircd.te 
@@ -0,0 +1,64 @@ +policy_module(lircd, 1.1.0) + +######################################## +# +# Declarations +# + +type lircd_t; +type lircd_exec_t; +init_daemon_domain(lircd_t, lircd_exec_t) + +type lircd_initrc_exec_t; +init_script_file(lircd_initrc_exec_t) + +type lircd_etc_t; +files_type(lircd_etc_t) + +type lircd_var_run_t alias lircd_sock_t; +files_pid_file(lircd_var_run_t) + +######################################## +# +# lircd local policy +# + +allow lircd_t self:capability { chown kill sys_admin }; +allow lircd_t self:fifo_file rw_fifo_file_perms; +allow lircd_t self:unix_dgram_socket create_socket_perms; +allow lircd_t self:tcp_socket create_stream_socket_perms; + +# etc file +read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) + +manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) +manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) +manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) +files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) +# /dev/lircd socket +dev_filetrans(lircd_t, lircd_var_run_t, sock_file) + +corenet_tcp_sendrecv_generic_if(lircd_t) +corenet_tcp_bind_generic_node(lircd_t) +corenet_tcp_bind_lirc_port(lircd_t) +corenet_tcp_sendrecv_all_ports(lircd_t) +corenet_tcp_connect_lirc_port(lircd_t) + +dev_read_generic_usb_dev(lircd_t) +dev_read_mouse(lircd_t) +dev_filetrans_lirc(lircd_t) +dev_rw_lirc(lircd_t) +dev_rw_input_dev(lircd_t) + +files_read_etc_files(lircd_t) +files_list_var(lircd_t) +files_manage_generic_locks(lircd_t) +files_read_all_locks(lircd_t) + +term_use_ptmx(lircd_t) + +logging_send_syslog_msg(lircd_t) + +miscfiles_read_localization(lircd_t) + +sysnet_dns_name_resolve(lircd_t) diff --git a/livecd.fc b/livecd.fc new file mode 100644 index 0000000..34937fc --- /dev/null +++ b/livecd.fc @@ -0,0 +1 @@ +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) diff --git a/livecd.if b/livecd.if new file mode 100644 index 0000000..b2e27ec --- /dev/null +++ b/livecd.if 
@@ -0,0 +1,104 @@ +## Livecd tool for building alternate livecd for different os and policy versions. + +######################################## +## +## Execute a domain transition to run livecd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`livecd_domtrans',` + gen_require(` + type livecd_t, livecd_exec_t; + ') + + domtrans_pattern($1, livecd_exec_t, livecd_t) +') + +######################################## +## +## Execute livecd in the livecd domain, and +## allow the specified role the livecd domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`livecd_run',` + gen_require(` + type livecd_t; + ') + + livecd_domtrans($1) + role $2 types livecd_t; + + optional_policy(` + mount_run(livecd_t, $2) + ') +') + +######################################## +## +## Read livecd temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`livecd_read_tmp_files',` + gen_require(` + type livecd_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, livecd_tmp_t, livecd_tmp_t) +') + +######################################## +## +## Read and write livecd temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`livecd_rw_tmp_files',` + gen_require(` + type livecd_tmp_t; + ') + + files_search_tmp($1) + rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t) +') + +######################################## +## +## Allow read and write access to livecd semaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`livecd_rw_semaphores',` + gen_require(` + type livecd_t; + ') + + allow $1 livecd_t:sem { unix_read unix_write associate read write }; +') diff --git a/livecd.te b/livecd.te new file mode 100644 index 0000000..e3c0aa0 --- /dev/null +++ b/livecd.te 
@@ -0,0 +1,35 @@ +policy_module(livecd, 1.1.0) + +######################################## +# +# Declarations +# + +type livecd_t; +type livecd_exec_t; +application_domain(livecd_t, livecd_exec_t) +role system_r types livecd_t; + +type livecd_tmp_t; +files_tmp_file(livecd_tmp_t) + +######################################## +# +# livecd local policy +# + +dontaudit livecd_t self:capability2 mac_admin; + +domain_ptrace_all_domains(livecd_t) + +manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) +manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) +files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file }) + +optional_policy(` + unconfined_domain(livecd_t) +') + +optional_policy(` + hal_dbus_chat(livecd_t) +') diff --git a/loadkeys.fc b/loadkeys.fc new file mode 100644 index 0000000..8549f9f --- /dev/null +++ b/loadkeys.fc @@ -0,0 +1,3 @@ + +/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) +/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) diff --git a/loadkeys.if b/loadkeys.if new file mode 100644 index 0000000..b55edd0 --- /dev/null +++ b/loadkeys.if 
@@ -0,0 +1,67 @@ +## Load keyboard mappings. + +######################################## +## +## Execute the loadkeys program in the loadkeys domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`loadkeys_domtrans',` + gen_require(` + type loadkeys_t, loadkeys_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, loadkeys_exec_t, loadkeys_t) + + ifdef(`hide_broken_symptoms',` + dontaudit loadkeys_t $1:socket_class_set { read write }; + ') +') + +######################################## +## +## Execute the loadkeys program in the loadkeys domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to allow the loadkeys domain. +## +## +## +# +interface(`loadkeys_run',` + gen_require(` + type loadkeys_t; + ') + + loadkeys_domtrans($1) + role $2 types loadkeys_t; +') + +######################################## +## +## Execute the loadkeys program in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`loadkeys_exec',` + gen_require(` + type loadkeys_exec_t; + ') + + can_exec($1, loadkeys_exec_t) +') diff --git a/loadkeys.te b/loadkeys.te new file mode 100644 index 0000000..2523758 --- /dev/null +++ b/loadkeys.te 
@@ -0,0 +1,50 @@ +policy_module(loadkeys, 1.8.0) + +######################################## +# +# Declarations +# + +# cjp: this should probably be rewritten +# per user domain, since it can rw +# all user domain ttys +type loadkeys_t; +type loadkeys_exec_t; +init_system_domain(loadkeys_t, loadkeys_exec_t) + +######################################## +# +# Local policy +# + +allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config }; +allow loadkeys_t self:fifo_file rw_fifo_file_perms; + +kernel_read_system_state(loadkeys_t) + +corecmd_exec_bin(loadkeys_t) +corecmd_exec_shell(loadkeys_t) + +files_read_etc_files(loadkeys_t) +files_read_etc_runtime_files(loadkeys_t) + +term_dontaudit_use_console(loadkeys_t) +term_use_unallocated_ttys(loadkeys_t) + +init_dontaudit_use_fds(loadkeys_t) +init_dontaudit_use_script_ptys(loadkeys_t) + +locallogin_use_fds(loadkeys_t) + +miscfiles_read_localization(loadkeys_t) + +userdom_use_user_ttys(loadkeys_t) +userdom_list_user_home_content(loadkeys_t) + +ifdef(`hide_broken_symptoms',` + dev_dontaudit_rw_lvm_control(loadkeys_t) +') + +optional_policy(` + nscd_dontaudit_search_pid(loadkeys_t) +') diff --git a/lockdev.fc b/lockdev.fc new file mode 100644 index 0000000..8b5ce03 --- /dev/null +++ b/lockdev.fc @@ -0,0 +1,2 @@ + +/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0) diff --git a/lockdev.if b/lockdev.if new file mode 100644 index 0000000..8e7d279 --- /dev/null +++ b/lockdev.if 
@@ -0,0 +1,33 @@ +## device locking policy for lockdev + +######################################## +## +## Role access for lockdev +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`lockdev_role',` + gen_require(` + type lockdev_t, lockdev_exec_t; + type lockdev_lock_t; + ') + + role $1 types lockdev_t; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, lockdev_exec_t, lockdev_t) + allow lockdev_t $2:process signull; + + # allow ps to show lockdev + ps_process_pattern($2, lockdev_t) + allow $2 lockdev_t:process signal; +') diff --git a/lockdev.te b/lockdev.te new file mode 100644 index 0000000..0bac996 --- /dev/null +++ b/lockdev.te @@ -0,0 +1,39 @@ +policy_module(lockdev, 1.3.0) + +######################################## +# +# Declarations +# + +type lockdev_t; +type lockdev_exec_t; +typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t }; +typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t }; +application_domain(lockdev_t, lockdev_exec_t) +ubac_constrained(lockdev_t) + +type lockdev_lock_t; +typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t }; +typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t }; +files_lock_file(lockdev_lock_t) +ubac_constrained(lockdev_lock_t) + +######################################## +# +# Local policy +# + +# Use capabilities. +allow lockdev_t self:capability setgid; + +allow lockdev_t lockdev_lock_t:file manage_file_perms; +files_lock_filetrans(lockdev_t, lockdev_lock_t, file) + +files_read_all_locks(lockdev_t) + +fs_getattr_xattr_fs(lockdev_t) + +logging_send_syslog_msg(lockdev_t) + +userdom_use_user_terminals(lockdev_t) + diff --git a/logrotate.fc b/logrotate.fc new file mode 100644 index 0000000..36c8de7 --- /dev/null +++ b/logrotate.fc 
@@ -0,0 +1,9 @@ +/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) + +/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) + +ifdef(`distro_debian', ` +/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) +', ` +/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) +') diff --git a/logrotate.if b/logrotate.if new file mode 100644 index 0000000..9cd6b0b --- /dev/null +++ b/logrotate.if 
@@ -0,0 +1,120 @@ +## Rotate and archive system logs + +######################################## +## +## Execute logrotate in the logrotate domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`logrotate_domtrans',` + gen_require(` + type logrotate_t, logrotate_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, logrotate_exec_t, logrotate_t) +') + +######################################## +## +## Execute logrotate in the logrotate domain, and +## allow the specified role the logrotate domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`logrotate_run',` + gen_require(` + type logrotate_t; + ') + + logrotate_domtrans($1) + role $2 types logrotate_t; +') + +######################################## +## +## Execute logrotate in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`logrotate_exec',` + gen_require(` + type logrotate_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, logrotate_exec_t) +') + +######################################## +## +## Inherit and use logrotate file descriptors. +## +## +## +## Domain allowed access. +## +## +# +interface(`logrotate_use_fds',` + gen_require(` + type logrotate_t; + ') + + allow $1 logrotate_t:fd use; +') + +######################################## +## +## Do not audit attempts to inherit logrotate file descriptors. +## +## +## +## Domain to not audit. +## +## +# +interface(`logrotate_dontaudit_use_fds',` + gen_require(` + type logrotate_t; + ') + + dontaudit $1 logrotate_t:fd use; +') + +######################################## +## +## Read a logrotate temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`logrotate_read_tmp_files',` + gen_require(` + type logrotate_tmp_t; + ') + + files_search_tmp($1) + allow $1 logrotate_tmp_t:file read_file_perms; +') diff --git a/logrotate.te b/logrotate.te new file mode 100644 index 0000000..7090dae --- /dev/null 
+++ b/logrotate.te 
@@ -0,0 +1,230 @@ +policy_module(logrotate, 1.14.0) + +######################################## +# +# Declarations +# + +type logrotate_t; +domain_type(logrotate_t) +domain_obj_id_change_exemption(logrotate_t) +domain_system_change_exemption(logrotate_t) +role system_r types logrotate_t; + +type logrotate_exec_t; +domain_entry_file(logrotate_t, logrotate_exec_t) + +type logrotate_lock_t; +files_lock_file(logrotate_lock_t) + +type logrotate_tmp_t; +files_tmp_file(logrotate_tmp_t) + +type logrotate_var_lib_t; +files_type(logrotate_var_lib_t) + +######################################## +# +# Local policy +# + +# Change ownership on log files. +allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; +# for mailx +dontaudit logrotate_t self:capability { setuid setgid sys_ptrace }; + +allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + +# Set a context other than the default one for newly created files. 
+allow logrotate_t self:process setfscreate; + +allow logrotate_t self:fd use; +allow logrotate_t self:fifo_file rw_fifo_file_perms; +allow logrotate_t self:unix_dgram_socket create_socket_perms; +allow logrotate_t self:unix_stream_socket create_stream_socket_perms; +allow logrotate_t self:unix_dgram_socket sendto; +allow logrotate_t self:unix_stream_socket connectto; +allow logrotate_t self:shm create_shm_perms; +allow logrotate_t self:sem create_sem_perms; +allow logrotate_t self:msgq create_msgq_perms; +allow logrotate_t self:msg { send receive }; + +allow logrotate_t logrotate_lock_t:file manage_file_perms; +files_lock_filetrans(logrotate_t, logrotate_lock_t, file) + +can_exec(logrotate_t, logrotate_tmp_t) + +manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) +manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) +files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) + +# for /var/lib/logrotate.status and /var/lib/logcheck +create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) +manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) +files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) + +kernel_read_system_state(logrotate_t) +kernel_read_kernel_sysctls(logrotate_t) + +dev_read_urand(logrotate_t) + +fs_search_auto_mountpoints(logrotate_t) +fs_getattr_xattr_fs(logrotate_t) +fs_list_inotifyfs(logrotate_t) + +mls_file_read_all_levels(logrotate_t) +mls_file_write_all_levels(logrotate_t) +mls_file_upgrade(logrotate_t) + +selinux_get_fs_mount(logrotate_t) +selinux_get_enforce_mode(logrotate_t) + +auth_manage_login_records(logrotate_t) +auth_use_nsswitch(logrotate_t) + +# Run helper programs. +corecmd_exec_bin(logrotate_t) +corecmd_exec_shell(logrotate_t) + +domain_signal_all_domains(logrotate_t) +domain_use_interactive_fds(logrotate_t) +domain_getattr_all_entry_files(logrotate_t) +# Read /proc/PID directories for all domains. 
+domain_read_all_domains_state(logrotate_t) + +files_read_usr_files(logrotate_t) +files_read_etc_files(logrotate_t) +files_read_etc_runtime_files(logrotate_t) +files_read_all_pids(logrotate_t) +files_search_all(logrotate_t) +files_read_var_lib_files(logrotate_t) +# Write to /var/spool/slrnpull - should be moved into its own type. +files_manage_generic_spool(logrotate_t) +files_manage_generic_spool_dirs(logrotate_t) +files_getattr_generic_locks(logrotate_t) + +# cjp: why is this needed? +init_domtrans_script(logrotate_t) + +logging_manage_all_logs(logrotate_t) +logging_send_syslog_msg(logrotate_t) +logging_send_audit_msgs(logrotate_t) +# cjp: why is this needed? +logging_exec_all_logs(logrotate_t) + +miscfiles_read_localization(logrotate_t) + +seutil_dontaudit_read_config(logrotate_t) + +userdom_use_user_terminals(logrotate_t) +userdom_list_user_home_dirs(logrotate_t) +userdom_use_unpriv_users_fds(logrotate_t) + +cron_system_entry(logrotate_t, logrotate_exec_t) +cron_search_spool(logrotate_t) + +mta_send_mail(logrotate_t) + +ifdef(`distro_debian', ` + allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; + # for savelog + can_exec(logrotate_t, logrotate_exec_t) + + # for syslogd-listfiles + logging_read_syslog_config(logrotate_t) + + # for "test -x /sbin/syslogd" + logging_check_exec_syslog(logrotate_t) +') + +optional_policy(` + abrt_cache_manage(logrotate_t) +') + +optional_policy(` + acct_domtrans(logrotate_t) + acct_manage_data(logrotate_t) + acct_exec_data(logrotate_t) +') + +optional_policy(` + apache_read_config(logrotate_t) + apache_domtrans(logrotate_t) + apache_signull(logrotate_t) +') + +optional_policy(` + asterisk_domtrans(logrotate_t) +') + +optional_policy(` + bind_manage_cache(logrotate_t) +') + +optional_policy(` + consoletype_exec(logrotate_t) +') + +optional_policy(` + cups_domtrans(logrotate_t) +') + +optional_policy(` + fail2ban_stream_connect(logrotate_t) +') + +optional_policy(` + hostname_exec(logrotate_t) +') + +optional_policy(` 
+ icecast_signal(logrotate_t) +') + +optional_policy(` + mailman_domtrans(logrotate_t) + mailman_search_data(logrotate_t) + mailman_manage_log(logrotate_t) +') + +optional_policy(` + munin_read_config(logrotate_t) + munin_stream_connect(logrotate_t) + munin_search_lib(logrotate_t) +') + +optional_policy(` + mysql_read_config(logrotate_t) + mysql_search_db(logrotate_t) + mysql_stream_connect(logrotate_t) +') + +optional_policy(` + psad_domtrans(logrotate_t) +') + + +optional_policy(` + samba_exec_log(logrotate_t) +') + +optional_policy(` + sssd_domtrans(logrotate_t) +') + +optional_policy(` + slrnpull_manage_spool(logrotate_t) +') + +optional_policy(` + squid_domtrans(logrotate_t) +') + +optional_policy(` + #Red Hat bug 564565 + su_exec(logrotate_t) +') + +optional_policy(` + varnishd_manage_log(logrotate_t) +') diff --git a/logwatch.fc b/logwatch.fc new file mode 100644 index 0000000..3c7b1e8 --- /dev/null +++ b/logwatch.fc @@ -0,0 +1,7 @@ +/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0) + +/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0) + +/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0) +/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) +/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0) diff --git a/logwatch.if b/logwatch.if new file mode 100644 index 0000000..d878e75 --- /dev/null +++ b/logwatch.if 
@@ -0,0 +1,38 @@ +## System log analyzer and reporter + +######################################## +## +## Read logwatch temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`logwatch_read_tmp_files',` + gen_require(` + type logwatch_tmp_t; + ') + + files_search_tmp($1) + allow $1 logwatch_tmp_t:file read_file_perms; +') + +######################################## +## +## Search logwatch cache directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`logwatch_search_cache_dir',` + gen_require(` + type logwatch_cache_t; + ') + + allow $1 logwatch_cache_t:dir search_dir_perms; +') diff --git a/logwatch.te b/logwatch.te new file mode 100644 index 0000000..75ce30f --- /dev/null +++ b/logwatch.te 
@@ -0,0 +1,147 @@ +policy_module(logwatch, 1.11.0) + +################################# +# +# Declarations +# + +type logwatch_t; +type logwatch_exec_t; +application_domain(logwatch_t, logwatch_exec_t) +role system_r types logwatch_t; + +type logwatch_cache_t; +files_type(logwatch_cache_t) + +type logwatch_lock_t; +files_lock_file(logwatch_lock_t) + +type logwatch_tmp_t; +files_tmp_file(logwatch_tmp_t) + +######################################## +# +# Local policy +# + +allow logwatch_t self:capability { dac_override dac_read_search setgid }; +allow logwatch_t self:process signal; +allow logwatch_t self:fifo_file rw_file_perms; +allow logwatch_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) +manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) + +allow logwatch_t logwatch_lock_t:file manage_file_perms; +files_lock_filetrans(logwatch_t, logwatch_lock_t, file) + +manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) +manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) +files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) + +kernel_read_fs_sysctls(logwatch_t) +kernel_read_kernel_sysctls(logwatch_t) +kernel_read_system_state(logwatch_t) +kernel_read_net_sysctls(logwatch_t) +kernel_read_network_state(logwatch_t) + +corecmd_exec_bin(logwatch_t) +corecmd_exec_shell(logwatch_t) + +dev_read_urand(logwatch_t) +dev_read_sysfs(logwatch_t) + +# Read /proc/PID directories for all domains. 
+domain_read_all_domains_state(logwatch_t) + +files_list_var(logwatch_t) +files_read_var_symlinks(logwatch_t) +files_read_etc_files(logwatch_t) +files_read_etc_runtime_files(logwatch_t) +files_read_usr_files(logwatch_t) +files_search_spool(logwatch_t) +files_search_mnt(logwatch_t) +files_dontaudit_search_home(logwatch_t) +files_dontaudit_search_boot(logwatch_t) +# Execs df and if file system mounted with a context avc raised +files_dontaudit_search_all_dirs(logwatch_t) + +fs_getattr_all_fs(logwatch_t) +fs_dontaudit_list_auto_mountpoints(logwatch_t) +fs_list_inotifyfs(logwatch_t) + +term_dontaudit_getattr_pty_dirs(logwatch_t) +term_dontaudit_list_ptys(logwatch_t) + +auth_use_nsswitch(logwatch_t) +auth_dontaudit_read_shadow(logwatch_t) + +init_read_utmp(logwatch_t) +init_dontaudit_write_utmp(logwatch_t) + +libs_read_lib_files(logwatch_t) + +logging_read_all_logs(logwatch_t) +logging_send_syslog_msg(logwatch_t) + +miscfiles_read_localization(logwatch_t) + +selinux_dontaudit_getattr_dir(logwatch_t) + +sysnet_dns_name_resolve(logwatch_t) +sysnet_exec_ifconfig(logwatch_t) + +userdom_dontaudit_search_user_home_dirs(logwatch_t) + +mta_send_mail(logwatch_t) + +ifdef(`distro_redhat',` + files_search_all(logwatch_t) + files_getattr_all_file_type_fs(logwatch_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs(logwatch_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_list_cifs(logwatch_t) +') + +optional_policy(` + apache_read_log(logwatch_t) +') + +optional_policy(` + avahi_dontaudit_search_pid(logwatch_t) +') + +optional_policy(` + bind_read_config(logwatch_t) + bind_read_zone(logwatch_t) +') + +optional_policy(` + cron_system_entry(logwatch_t, logwatch_exec_t) +') + +optional_policy(` + hostname_exec(logwatch_t) +') + +optional_policy(` + mta_getattr_spool(logwatch_t) +') + +optional_policy(` + ntp_domtrans(logwatch_t) +') + +optional_policy(` + rpc_search_nfs_state_data(logwatch_t) +') + +optional_policy(` + samba_read_log(logwatch_t) + 
samba_read_share_files(logwatch_t) +') diff --git a/lpd.fc b/lpd.fc new file mode 100644 index 0000000..5c9eb68 --- /dev/null +++ b/lpd.fc @@ -0,0 +1,37 @@ +# +# /dev +# +/dev/printer -s gen_context(system_u:object_r:printer_t,s0) + +/opt/gutenprint/s?bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0) + +# +# /usr +# +/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) + +/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0) +/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0) +/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) + +/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) + +/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) + +# +# /var +# +/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) +/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) +/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) +/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) diff --git a/lpd.if b/lpd.if new file mode 100644 index 0000000..a4f32f5 --- /dev/null +++ b/lpd.if 
@@ -0,0 +1,214 @@
+## Line printer daemon
+
+########################################
+##
+## Role access for lpd
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`lpd_role',`
+ gen_require(`
+ type lpr_t, lpr_exec_t, print_spool_t;
+ ')
+
+ role $1 types lpr_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, lpr_exec_t, lpr_t)
+ dontaudit lpr_t $2:unix_stream_socket { read write };
+
+ ps_process_pattern($2, lpr_t)
+ allow $2 lpr_t:process signull;
+
+ optional_policy(`
+ cups_read_config($2)
+ ')
+')
+
+########################################
+##
+## Execute lpd in the lpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`lpd_domtrans_checkpc',`
+ gen_require(`
+ type checkpc_t, checkpc_exec_t;
+ ')
+
+ domtrans_pattern($1, checkpc_exec_t, checkpc_t)
+')
+
+########################################
+##
+## Execute amrecover in the lpd domain, and
+## allow the specified role the lpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`lpd_run_checkpc',`
+ gen_require(`
+ type checkpc_t;
+ ')
+
+ lpd_domtrans_checkpc($1)
+ role $2 types checkpc_t;
+')
+
+########################################
+##
+## List the contents of the printer spool directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lpd_list_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 print_spool_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Read the printer spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lpd_read_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, print_spool_t, print_spool_t)
+')
+
+########################################
+##
+## Create, read, write, and delete printer spool files.
+##
+##
+##
+## Domain allowed access. 
+##
+##
+#
+interface(`lpd_manage_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, print_spool_t, print_spool_t)
+ manage_files_pattern($1, print_spool_t, print_spool_t)
+ manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
+')
+
+########################################
+##
+## Relabel from and to the spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lpd_relabel_spool',`
+ gen_require(`
+ type print_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 print_spool_t:file { relabelto relabelfrom };
+')
+
+########################################
+##
+## List the contents of the printer spool directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`lpd_read_config',`
+ gen_require(`
+ type printconf_t;
+ ')
+
+ allow $1 printconf_t:dir list_dir_perms;
+ read_files_pattern($1, printconf_t, printconf_t)
+')
+
+########################################
+##
+## Transition to a user lpr domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+template(`lpd_domtrans_lpr',`
+ gen_require(`
+ type lpr_t, lpr_exec_t;
+ ')
+
+ domtrans_pattern($1, lpr_exec_t, lpr_t)
+')
+
+########################################
+##
+## Allow the specified domain to execute lpr
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lpd_exec_lpr',`
+ gen_require(`
+ type lpr_exec_t;
+ ')
+
+ can_exec($1, lpr_exec_t)
+')
diff --git a/lpd.te b/lpd.te
new file mode 100644
index 0000000..93c14ca
--- /dev/null
+++ b/lpd.te
@@ -0,0 +1,330 @@
+policy_module(lpd, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
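Review bot: Several interface summaries in lpd.if do not describe the interface beneath them: `lpd_domtrans_checkpc` is summarised as `Execute lpd in the lpd domain.` although it transitions to checkpc_t, `lpd_run_checkpc` says `Execute amrecover in the lpd domain` (which reads like a leftover from another module), and `lpd_read_config` repeats `List the contents of the printer spool directories.` although it reads printconf_t. Suggested summaries, in order: `Execute checkpc in the checkpc domain.`, `Execute checkpc in the checkpc domain, and allow the specified role the checkpc domain.`, and `Read the printer configuration files.`. Two smaller points in the same hunk: `lpd_role` requires print_spool_t in its gen_require but never uses it, and `lpd_domtrans_lpr` is declared with `template(` although it takes a single domain argument and declares no per-instance types, so `interface(` would match the other domtrans definitions in this file. These are documentation and declaration-style changes only; no policy rule changes.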

+## Use lpd server instead of cups
+##

+##
+##
+gen_tunable(use_lpd_server, false)
+
+type checkpc_t;
+type checkpc_exec_t;
+init_system_domain(checkpc_t, checkpc_exec_t)
+role system_r types checkpc_t;
+
+type checkpc_log_t;
+logging_log_file(checkpc_log_t)
+
+type lpd_t;
+type lpd_exec_t;
+init_daemon_domain(lpd_t, lpd_exec_t)
+
+type lpd_tmp_t;
+files_tmp_file(lpd_tmp_t)
+
+type lpd_var_run_t;
+files_pid_file(lpd_var_run_t)
+
+type lpr_t;
+type lpr_exec_t;
+typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t };
+typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t };
+application_domain(lpr_t, lpr_exec_t)
+ubac_constrained(lpr_t)
+
+type lpr_tmp_t;
+typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t };
+typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t };
+files_tmp_file(lpr_tmp_t)
+ubac_constrained(lpr_tmp_t)
+
+# Type for spool files.
+type print_spool_t;
+typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
+typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
+files_type(print_spool_t)
+ubac_constrained(print_spool_t)
+
+type printer_t;
+files_type(printer_t)
+
+type printconf_t;
+files_type(printconf_t)
+
+########################################
+#
+# Checkpc local policy
+#
+
+# Allow checkpc to access the lpd spool so it can check & fix it.
+# This requires that /usr/sbin/checkpc have type checkpc_t. 
+
+allow checkpc_t self:capability { setgid setuid dac_override };
+allow checkpc_t self:process signal_perms;
+allow checkpc_t self:unix_stream_socket create_socket_perms;
+allow checkpc_t self:tcp_socket create_socket_perms;
+allow checkpc_t self:udp_socket create_socket_perms;
+
+allow checkpc_t checkpc_log_t:file manage_file_perms;
+logging_log_filetrans(checkpc_t, checkpc_log_t, file)
+
+allow checkpc_t lpd_var_run_t:dir search_dir_perms;
+files_search_pids(checkpc_t)
+
+rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
+files_search_spool(checkpc_t)
+
+allow checkpc_t printconf_t:file getattr;
+allow checkpc_t printconf_t:dir list_dir_perms;
+
+kernel_read_system_state(checkpc_t)
+
+corenet_all_recvfrom_unlabeled(checkpc_t)
+corenet_all_recvfrom_netlabel(checkpc_t)
+corenet_tcp_sendrecv_generic_if(checkpc_t)
+corenet_udp_sendrecv_generic_if(checkpc_t)
+corenet_tcp_sendrecv_generic_node(checkpc_t)
+corenet_udp_sendrecv_generic_node(checkpc_t)
+corenet_tcp_sendrecv_all_ports(checkpc_t)
+corenet_udp_sendrecv_all_ports(checkpc_t)
+corenet_tcp_connect_all_ports(checkpc_t)
+corenet_sendrecv_all_client_packets(checkpc_t)
+
+dev_append_printer(checkpc_t)
+
+# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
+corecmd_exec_shell(checkpc_t)
+corecmd_exec_bin(checkpc_t)
+
+domain_use_interactive_fds(checkpc_t)
+
+files_read_etc_files(checkpc_t)
+files_read_etc_runtime_files(checkpc_t)
+
+init_use_script_ptys(checkpc_t)
+# Allow access to /dev/console through the fd:
+init_use_fds(checkpc_t)
+
+sysnet_read_config(checkpc_t)
+
+userdom_use_user_terminals(checkpc_t)
+
+optional_policy(`
+ cron_system_entry(checkpc_t, checkpc_exec_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(checkpc_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(checkpc_t)
+')
+
+########################################
+#
+# Lpd local policy
+#
+
+allow lpd_t self:capability { setgid setuid net_bind_service 
dac_read_search dac_override chown fowner };
+dontaudit lpd_t self:capability sys_tty_config;
+allow lpd_t self:process signal_perms;
+allow lpd_t self:fifo_file rw_fifo_file_perms;
+allow lpd_t self:unix_stream_socket create_stream_socket_perms;
+allow lpd_t self:unix_dgram_socket create_socket_perms;
+allow lpd_t self:tcp_socket create_stream_socket_perms;
+allow lpd_t self:udp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
+manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
+files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
+
+manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
+files_pid_filetrans(lpd_t, lpd_var_run_t, file)
+
+# Write to /var/spool/lpd.
+manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
+files_search_spool(lpd_t)
+
+# lpd must be able to execute the filter utilities in /usr/share/printconf.
+allow lpd_t printconf_t:dir list_dir_perms;
+can_exec(lpd_t, printconf_t)
+
+# Create and bind to /dev/printer. 
+allow lpd_t printer_t:lnk_file manage_lnk_file_perms;
+dev_filetrans(lpd_t, printer_t, lnk_file)
+
+kernel_read_kernel_sysctls(lpd_t)
+# bash wants access to /proc/meminfo
+kernel_read_system_state(lpd_t)
+
+corenet_all_recvfrom_unlabeled(lpd_t)
+corenet_all_recvfrom_netlabel(lpd_t)
+corenet_tcp_sendrecv_generic_if(lpd_t)
+corenet_udp_sendrecv_generic_if(lpd_t)
+corenet_tcp_sendrecv_generic_node(lpd_t)
+corenet_udp_sendrecv_generic_node(lpd_t)
+corenet_tcp_sendrecv_all_ports(lpd_t)
+corenet_udp_sendrecv_all_ports(lpd_t)
+corenet_tcp_bind_generic_node(lpd_t)
+corenet_tcp_bind_printer_port(lpd_t)
+corenet_sendrecv_printer_server_packets(lpd_t)
+
+dev_read_sysfs(lpd_t)
+dev_rw_printer(lpd_t)
+
+fs_getattr_all_fs(lpd_t)
+fs_search_auto_mountpoints(lpd_t)
+
+# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+corecmd_exec_bin(lpd_t)
+corecmd_exec_shell(lpd_t)
+
+domain_use_interactive_fds(lpd_t)
+
+files_read_etc_runtime_files(lpd_t)
+files_read_usr_files(lpd_t)
+# for defoma
+files_list_world_readable(lpd_t)
+files_read_world_readable_files(lpd_t)
+files_read_world_readable_symlinks(lpd_t)
+files_list_var_lib(lpd_t)
+files_read_var_lib_files(lpd_t)
+files_read_var_lib_symlinks(lpd_t)
+# config files for lpd are of type etc_t, probably should change this
+files_read_etc_files(lpd_t)
+
+logging_send_syslog_msg(lpd_t)
+
+miscfiles_read_fonts(lpd_t)
+miscfiles_read_localization(lpd_t)
+
+sysnet_read_config(lpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(lpd_t)
+userdom_dontaudit_search_user_home_dirs(lpd_t)
+
+optional_policy(`
+ nis_use_ypbind(lpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(lpd_t)
+')
+
+optional_policy(`
+ udev_read_db(lpd_t)
+')
+
+##############################
+#
+# Local policy
+#
+
+allow lpr_t self:capability { setuid dac_override net_bind_service chown };
+allow lpr_t self:unix_stream_socket create_stream_socket_perms;
+allow lpr_t self:tcp_socket create_socket_perms;
+allow lpr_t self:udp_socket 
create_socket_perms;
+
+can_exec(lpr_t, lpr_exec_t)
+
+# Allow lpd to read, rename, and unlink spool files.
+allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
+
+kernel_read_kernel_sysctls(lpr_t)
+
+corenet_all_recvfrom_unlabeled(lpr_t)
+corenet_all_recvfrom_netlabel(lpr_t)
+corenet_tcp_sendrecv_generic_if(lpr_t)
+corenet_udp_sendrecv_generic_if(lpr_t)
+corenet_tcp_sendrecv_generic_node(lpr_t)
+corenet_udp_sendrecv_generic_node(lpr_t)
+corenet_tcp_sendrecv_all_ports(lpr_t)
+corenet_udp_sendrecv_all_ports(lpr_t)
+corenet_tcp_connect_all_ports(lpr_t)
+corenet_sendrecv_all_client_packets(lpr_t)
+
+dev_read_rand(lpr_t)
+dev_read_urand(lpr_t)
+
+domain_use_interactive_fds(lpr_t)
+
+files_search_spool(lpr_t)
+# for lpd config files (should have a new type)
+files_read_etc_files(lpr_t)
+# for test print
+files_read_usr_files(lpr_t)
+#Added to cover read_content macro
+files_list_home(lpr_t)
+files_read_generic_tmp_files(lpr_t)
+
+fs_getattr_xattr_fs(lpr_t)
+
+# Access the terminal.
+term_use_controlling_term(lpr_t)
+term_use_generic_ptys(lpr_t)
+
+auth_use_nsswitch(lpr_t)
+
+miscfiles_read_localization(lpr_t)
+
+userdom_read_user_tmp_symlinks(lpr_t)
+# Write to the user domain tty.
+userdom_use_user_terminals(lpr_t)
+userdom_read_user_home_content_files(lpr_t)
+userdom_read_user_tmp_files(lpr_t)
+
+tunable_policy(`use_lpd_server',`
+ # lpr can run in lightweight mode, without a local print spooler.
+ allow lpr_t lpd_var_run_t:dir search;
+ allow lpr_t lpd_var_run_t:sock_file write;
+ files_read_var_files(lpr_t)
+
+ # Connect to lpd via a Unix domain socket.
+ allow lpr_t printer_t:sock_file rw_sock_file_perms;
+ allow lpr_t lpd_t:unix_stream_socket connectto;
+ # Send SIGHUP to lpd. 
+ allow lpr_t lpd_t:process signal;
+
+ manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir })
+
+ manage_files_pattern(lpr_t, print_spool_t, print_spool_t)
+ filetrans_pattern(lpr_t, print_spool_t, print_spool_t, file)
+ # Read and write shared files in the spool directory.
+ allow lpr_t print_spool_t:file rw_file_perms;
+
+ allow lpr_t printconf_t:dir list_dir_perms;
+ read_files_pattern(lpr_t, printconf_t, printconf_t)
+ read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(lpr_t)
+ fs_read_nfs_files(lpr_t)
+ fs_read_nfs_symlinks(lpr_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(lpr_t)
+ fs_read_cifs_files(lpr_t)
+ fs_read_cifs_symlinks(lpr_t)
+')
+
+optional_policy(`
+ cups_read_config(lpr_t)
+ cups_stream_connect(lpr_t)
+ cups_read_pid_files(lpr_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(lpr_t)
+')
diff --git a/mailman.fc b/mailman.fc
new file mode 100644
index 0000000..14ad189
--- /dev/null
+++ b/mailman.fc
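Review bot: The rule `allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };`, placed under `# Allow lpd to read, rename, and unlink spool files.` in the lpr_t section, is an lpd_t rule and is already implied by `manage_files_pattern(lpd_t, print_spool_t, print_spool_t)` in the lpd section, so it should either move up next to that pattern or be dropped. The section header above the lpr_t rules says only `# Local policy` while the two preceding sections say `# Checkpc local policy` and `# Lpd local policy`; `# Lpr local policy` keeps the file consistent. Separately, `allow lpd_t self:udp_socket create_stream_socket_perms;` grants stream-only permissions on a datagram socket, whereas the checkpc_t and lpr_t udp rules in the same file use `create_socket_perms`; if nothing in an audit log motivated the wider set, the narrower one matches the rest of the module.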
@@ -0,0 +1,34 @@
+/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0)
+/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+
+#
+# distro_debian
+#
+ifdef(`distro_debian', `
+/etc/cron\.daily/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/etc/cron\.monthly/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+')
+
+#
+# distro_redhat
+#
+ifdef(`distro_redhat', `
+/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+
+/usr/lib(64)?/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib(64)?/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib(64)?/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib(64)?/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+')
diff --git a/mailman.if b/mailman.if
new file mode 100644
index 0000000..67c7fdd
--- /dev/null
+++ b/mailman.if
@@ -0,0 +1,352 @@
+## Mailman is for managing electronic mail discussion and e-newsletter lists
+
+#######################################
+##
+## The template to define a mailmain domain.
+##
+##
+##
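Review bot: `/usr/lib/mailman/cron/.*` is the only unconditional executable entry in mailman.fc without the `(64)?` alternation that `/usr/lib(64)?/mailman/bin/mailmanctl` and all the distro_redhat entries carry, so on a lib64 layout the cron scripts would not receive mailman_queue_exec_t and the queue domain transition would not happen for them; `/usr/lib(64)?/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)` aligns it with its neighbours. `/var/run/mailman(/.*)?` is labeled mailman_lock_t rather than a runtime/pid type; if that is deliberate because mailman keeps lock files there, a one-line comment above it would stop the next reader from "fixing" it.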

+## This template creates a domain to be used for
+## a new mailman daemon.
+##

+##
+##
+##
+## The type of daemon to be used eg, cgi would give mailman_cgi_
+##
+##
+#
+template(`mailman_domain_template', `
+ type mailman_$1_t;
+ domain_type(mailman_$1_t)
+ role system_r types mailman_$1_t;
+
+ type mailman_$1_exec_t;
+ domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
+
+ type mailman_$1_tmp_t;
+ files_tmp_file(mailman_$1_tmp_t)
+
+ allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
+ allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
+ allow mailman_$1_t self:udp_socket create_socket_perms;
+
+ files_search_spool(mailman_$1_t)
+
+ manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+ manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+ manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+
+ manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+ manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+ manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+
+ manage_files_pattern(mailman_$1_t, mailman_lock_t, mailman_lock_t)
+ files_lock_filetrans(mailman_$1_t, mailman_lock_t, file)
+
+ manage_files_pattern(mailman_$1_t, mailman_log_t, mailman_log_t)
+ logging_log_filetrans(mailman_$1_t, mailman_log_t, file)
+
+ manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
+ manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
+ files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
+
+ kernel_read_kernel_sysctls(mailman_$1_t)
+ kernel_read_system_state(mailman_$1_t)
+
+ corenet_all_recvfrom_unlabeled(mailman_$1_t)
+ corenet_all_recvfrom_netlabel(mailman_$1_t)
+ corenet_tcp_sendrecv_generic_if(mailman_$1_t)
+ corenet_udp_sendrecv_generic_if(mailman_$1_t)
+ corenet_raw_sendrecv_generic_if(mailman_$1_t)
+ corenet_tcp_sendrecv_generic_node(mailman_$1_t)
+ corenet_udp_sendrecv_generic_node(mailman_$1_t)
+ corenet_raw_sendrecv_generic_node(mailman_$1_t)
+ 
corenet_tcp_sendrecv_all_ports(mailman_$1_t)
+ corenet_udp_sendrecv_all_ports(mailman_$1_t)
+ corenet_tcp_bind_generic_node(mailman_$1_t)
+ corenet_udp_bind_generic_node(mailman_$1_t)
+ corenet_tcp_connect_smtp_port(mailman_$1_t)
+ corenet_sendrecv_smtp_client_packets(mailman_$1_t)
+
+ fs_getattr_xattr_fs(mailman_$1_t)
+
+ corecmd_exec_all_executables(mailman_$1_t)
+
+ files_exec_etc_files(mailman_$1_t)
+ files_list_usr(mailman_$1_t)
+ files_list_var(mailman_$1_t)
+ files_list_var_lib(mailman_$1_t)
+ files_read_var_lib_symlinks(mailman_$1_t)
+ files_read_etc_runtime_files(mailman_$1_t)
+
+ auth_use_nsswitch(mailman_$1_t)
+
+ libs_exec_ld_so(mailman_$1_t)
+ libs_exec_lib_files(mailman_$1_t)
+
+ logging_send_syslog_msg(mailman_$1_t)
+
+ miscfiles_read_localization(mailman_$1_t)
+')
+
+#######################################
+##
+## Execute mailman in the mailman domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mailman_domtrans',`
+ gen_require(`
+ type mailman_mail_exec_t, mailman_mail_t;
+ ')
+
+ domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
+')
+
+#######################################
+##
+## Execute mailman CGI scripts in the
+## mailman CGI domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mailman_domtrans_cgi',`
+ gen_require(`
+ type mailman_cgi_exec_t, mailman_cgi_t;
+ ')
+
+ domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
+')
+
+#######################################
+##
+## Execute mailman in the caller domain.
+##
+##
+##
+## Domain allowd access.
+##
+##
+#
+interface(`mailman_exec',`
+ gen_require(`
+ type mailman_mail_exec_t;
+ ')
+
+ can_exec($1, mailman_mail_exec_t)
+')
+
+#######################################
+##
+## Send generic signals to the mailman cgi domain.
+##
+##
+##
+## Domain allowed access. 
+##
+##
+#
+interface(`mailman_signal_cgi',`
+ gen_require(`
+ type mailman_cgi_t;
+ ')
+
+ allow $1 mailman_cgi_t:process signal;
+')
+
+#######################################
+##
+## Allow domain to search data directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mailman_search_data',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir search_dir_perms;
+')
+
+#######################################
+##
+## Allow domain to to read mailman data files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mailman_read_data_files',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ list_dirs_pattern($1, mailman_data_t, mailman_data_t)
+ read_files_pattern($1, mailman_data_t, mailman_data_t)
+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
+')
+
+#######################################
+##
+## Allow domain to to create mailman data files
+## and write the directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mailman_manage_data_files',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
+ manage_files_pattern($1, mailman_data_t, mailman_data_t)
+')
+
+#######################################
+##
+## List the contents of mailman data directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mailman_list_data',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir list_dir_perms;
+')
+
+#######################################
+##
+## Allow read acces to mailman data symbolic links.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mailman_read_data_symlinks',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
+')
+
+#######################################
+##
+## Read mailman logs.
+##
+##
+##
+## Domain allowed access. 
+##
+##
+#
+interface(`mailman_read_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ read_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+##
+## Append to mailman logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mailman_append_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ append_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+##
+## Create, read, write, and delete
+## mailman logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mailman_manage_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ manage_files_pattern($1, mailman_log_t, mailman_log_t)
+ manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+##
+## Allow domain to read mailman archive files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mailman_read_archive',`
+ gen_require(`
+ type mailman_archive_t;
+ ')
+
+ allow $1 mailman_archive_t:dir list_dir_perms;
+ read_files_pattern($1, mailman_archive_t, mailman_archive_t)
+ read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
+')
+
+#######################################
+##
+## Execute mailman_queue in the mailman_queue domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mailman_domtrans_queue',`
+ gen_require(`
+ type mailman_queue_exec_t, mailman_queue_t;
+ ')
+
+ domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
+')
diff --git a/mailman.te b/mailman.te
new file mode 100644
index 0000000..af4d572
--- /dev/null
+++ b/mailman.te
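Review bot: `mailman_domain_template` hands every generated mailman domain `corecmd_exec_all_executables`, `files_exec_etc_files`, `libs_exec_ld_so` and `libs_exec_lib_files` without a comment saying which mailman component needs each, which is what a later reviewer would need in order to narrow them; a why-comment above that group such as `# mailman wrappers and cron jobs exec interpreters and helper scripts -- confirm per domain and narrow if possible` would carry that context. In the same template `corenet_raw_sendrecv_generic_if` and `corenet_raw_sendrecv_generic_node` are granted although no `self:rawip_socket` rule appears anywhere in the template, so those two lines look unreachable and could go. The doc blocks carry typos worth fixing in passing: `mailmain` in the template summary, `allowd` in `mailman_exec`, `to to` in `mailman_read_data_files` and `mailman_manage_data_files`, and `acces` in `mailman_read_data_symlinks`.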
@@ -0,0 +1,128 @@
+policy_module(mailman, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+mailman_domain_template(cgi)
+
+type mailman_data_t;
+files_type(mailman_data_t)
+
+type mailman_archive_t;
+files_type(mailman_archive_t)
+
+type mailman_log_t;
+logging_log_file(mailman_log_t)
+
+type mailman_lock_t;
+files_lock_file(mailman_lock_t)
+
+mailman_domain_template(mail)
+init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
+
+mailman_domain_template(queue)
+
+########################################
+#
+# Mailman CGI local policy
+#
+
+# cjp: the template invocation for cgi should be
+# in the below optional policy; however, there are no
+# optionals for file contexts yet, so it is promoted
+# to global scope until such facilities exist.
+
+optional_policy(`
+ dev_read_urand(mailman_cgi_t)
+
+ manage_dirs_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
+ manage_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
+ manage_lnk_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)
+
+ files_search_spool(mailman_cgi_t)
+
+ term_use_controlling_term(mailman_cgi_t)
+
+ # for python pre-compile foolishness
+ libs_dontaudit_write_lib_dirs(mailman_cgi_t)
+
+ apache_sigchld(mailman_cgi_t)
+ apache_use_fds(mailman_cgi_t)
+ apache_dontaudit_append_log(mailman_cgi_t)
+ apache_search_sys_script_state(mailman_cgi_t)
+ apache_read_config(mailman_cgi_t)
+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
+')
+
+########################################
+#
+# Mailman mail local policy
+#
+
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+
+manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, 
mailman_archive_t)
+
+files_search_spool(mailman_mail_t)
+
+fs_rw_anon_inodefs_files(mailman_mail_t)
+
+mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+mta_dontaudit_rw_queue(mailman_mail_t)
+
+optional_policy(`
+ courier_read_spool(mailman_mail_t)
+')
+
+optional_policy(`
+ cron_read_pipes(mailman_mail_t)
+')
+
+optional_policy(`
+ postfix_search_spool(mailman_mail_t)
+')
+
+########################################
+#
+# Mailman queue local policy
+#
+
+allow mailman_queue_t self:capability { setgid setuid };
+allow mailman_queue_t self:process signal;
+allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
+allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+manage_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+
+kernel_read_proc_symlinks(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+
+files_dontaudit_search_pids(mailman_queue_t)
+
+# for su
+seutil_dontaudit_search_config(mailman_queue_t)
+
+# some of the following could probably be changed to dontaudit, someone who
+# knows mailman well should test this out and send the changes
+userdom_search_user_home_dirs(mailman_queue_t)
+
+optional_policy(`
+ apache_read_config(mailman_queue_t)
+')
+
+optional_policy(`
+ cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
+')
+
+optional_policy(`
+ su_exec(mailman_queue_t)
+')
\ No newline at end of file
diff --git a/mcelog.fc b/mcelog.fc
new file mode 100644
index 0000000..56c43c0
--- /dev/null
+++ b/mcelog.fc
@@ -0,0 +1 @@
+/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
diff --git a/mcelog.if b/mcelog.if
new file mode 100644
index 0000000..3d4cb1a
--- /dev/null
+++ b/mcelog.if
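Review bot: The single `optional_policy(` block under `Mailman CGI local policy` mixes apache_* calls with rules that have nothing to do with apache (`dev_read_urand`, the three mailman_archive_t manage patterns, `files_search_spool`, `term_use_controlling_term`, `libs_dontaudit_write_lib_dirs`), so when the apache module is not loaded the cgi domain silently loses those rules as well; the non-apache rules belong outside the optional block, the way the mail and queue sections keep their unconditional rules at top level and wrap only module-specific calls. The cjp comment above it explains why the template invocation is global but not why the unrelated rules are inside the optional; if that was intentional the comment should say so. `allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };` has no why-comment for dac_override, which is the broadest item in that set; a short note on which file access needs it (or a TODO to confirm) is worth adding. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the other new files in this commit.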
@@ -0,0 +1,20 @@
+## policy for mcelog
+
+########################################
+##
+## Execute a domain transition to run mcelog.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mcelog_domtrans',`
+ gen_require(`
+ type mcelog_t, mcelog_exec_t;
+ ')
+
+ domtrans_pattern($1, mcelog_exec_t, mcelog_t)
+')
+
diff --git a/mcelog.te b/mcelog.te
new file mode 100644
index 0000000..5671977
--- /dev/null
+++ b/mcelog.te
@@ -0,0 +1,32 @@
+policy_module(mcelog, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type mcelog_t;
+type mcelog_exec_t;
+application_domain(mcelog_t, mcelog_exec_t)
+cron_system_entry(mcelog_t, mcelog_exec_t)
+
+########################################
+#
+# mcelog local policy
+#
+
+allow mcelog_t self:capability sys_admin;
+
+kernel_read_system_state(mcelog_t)
+
+dev_read_raw_memory(mcelog_t)
+dev_read_kmsg(mcelog_t)
+
+files_read_etc_files(mcelog_t)
+
+# for /dev/mem access
+mls_file_read_all_levels(mcelog_t)
+
+logging_send_syslog_msg(mcelog_t)
+
+miscfiles_read_localization(mcelog_t)
diff --git a/mediawiki.fc b/mediawiki.fc
new file mode 100644
index 0000000..a78b34a
--- /dev/null
+++ b/mediawiki.fc
@@ -0,0 +1,8 @@
+/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+
+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+
+/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
diff --git a/mediawiki.if b/mediawiki.if
new file mode 100644
index 0000000..98d28b4
--- /dev/null
+++ b/mediawiki.if
@@ -0,0 +1 @@
+## Mediawiki policy
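Review bot: In mcelog.te, `cron_system_entry(mcelog_t, mcelog_exec_t)` is called at top level, which makes the module hard-depend on the cron module, while every other `cron_system_entry` call in this commit (logwatch, checkpc_t and mailman_queue_t) is wrapped in `optional_policy(`; wrapping it the same way keeps mcelog loadable on systems without the cron module. `allow mcelog_t self:capability sys_admin;` carries no why-comment although it is the most powerful rule in the file; the only explanation nearby, `# for /dev/mem access`, sits on `mls_file_read_all_levels`, so a reader cannot tell which of `dev_read_raw_memory`, `dev_read_kmsg` or something else motivates sys_admin. Whether sys_admin is actually required by mcelog is not shown on this page, so a hedged comment such as `# sys_admin: raw memory / kmsg access -- confirm which call needs it` is the honest form.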
diff --git a/mediawiki.te b/mediawiki.te
new file mode 100644
index 0000000..d7cb9e4
--- /dev/null
+++ b/mediawiki.te
@@ -0,0 +1,17 @@
+policy_module(mediawiki, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mediawiki)
+
+########################################
+#
+# mediawiki local policy
+#
+
+files_search_var_lib(httpd_mediawiki_script_t)
+
+miscfiles_read_tetex_data(httpd_mediawiki_script_t)
diff --git a/memcached.fc b/memcached.fc
new file mode 100644
index 0000000..4d69477
--- /dev/null
+++ b/memcached.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/memcached -- gen_context(system_u:object_r:memcached_initrc_exec_t,s0)
+
+/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)
+
+/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
diff --git a/memcached.if b/memcached.if
new file mode 100644
index 0000000..db4fd6f
--- /dev/null
+++ b/memcached.if
@@ -0,0 +1,73 @@
+## high-performance memory object caching system
+
+########################################
+##
+## Execute a domain transition to run memcached.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`memcached_domtrans',`
+ gen_require(`
+ type memcached_t;
+ type memcached_exec_t;
+ ')
+
+ domtrans_pattern($1, memcached_exec_t, memcached_t)
+')
+
+########################################
+##
+## Read memcached PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`memcached_read_pid_files',`
+ gen_require(`
+ type memcached_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 memcached_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an memcached environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the memcached domain.
+##
+##
+##
+#
+interface(`memcached_admin',`
+ gen_require(`
+ type memcached_t;
+ type memcached_initrc_exec_t;
+ ')
+
+ allow $1 memcached_t:process { ptrace signal_perms };
+ ps_process_pattern($1, memcached_t)
+
+ init_labeled_script_domtrans($1, memcached_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 memcached_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, memcached_var_run_t)
+')
diff --git a/memcached.te b/memcached.te
new file mode 100644
index 0000000..b681608
--- /dev/null
+++ b/memcached.te
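Review bot: `memcached_admin` ends with `admin_pattern($1, memcached_var_run_t)` but its `gen_require` block declares only `memcached_t` and `memcached_initrc_exec_t`, so the interface uses a type it has not required; add `type memcached_var_run_t;` alongside the other two, as `memcached_read_pid_files` already does for the same type. The summary `an memcached environment` should read `a memcached environment`.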
@@ -0,0 +1,58 @@
+policy_module(memcached, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type memcached_t;
+type memcached_exec_t;
+init_daemon_domain(memcached_t, memcached_exec_t)
+
+type memcached_initrc_exec_t;
+init_script_file(memcached_initrc_exec_t)
+
+type memcached_var_run_t;
+files_pid_file(memcached_var_run_t)
+
+########################################
+#
+# memcached local policy
+#
+
+allow memcached_t self:capability { setuid setgid };
+dontaudit memcached_t self:capability sys_tty_config;
+allow memcached_t self:process { setrlimit signal_perms };
+allow memcached_t self:tcp_socket create_stream_socket_perms;
+allow memcached_t self:udp_socket { create_socket_perms listen };
+allow memcached_t self:fifo_file rw_fifo_file_perms;
+allow memcached_t self:unix_stream_socket create_stream_socket_perms;
+
+corenet_all_recvfrom_unlabeled(memcached_t)
+corenet_udp_sendrecv_generic_if(memcached_t)
+corenet_udp_sendrecv_generic_node(memcached_t)
+corenet_udp_sendrecv_all_ports(memcached_t)
+corenet_udp_bind_generic_node(memcached_t)
+corenet_tcp_sendrecv_generic_if(memcached_t)
+corenet_tcp_sendrecv_generic_node(memcached_t)
+corenet_tcp_sendrecv_all_ports(memcached_t)
+corenet_tcp_bind_generic_node(memcached_t)
+corenet_tcp_bind_memcache_port(memcached_t)
+corenet_udp_bind_memcache_port(memcached_t)
+
+manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(memcached_t)
+kernel_read_system_state(memcached_t)
+
+files_read_etc_files(memcached_t)
+
+term_dontaudit_use_all_ptys(memcached_t)
+term_dontaudit_use_all_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
+
+auth_use_nsswitch(memcached_t)
+
+miscfiles_read_localization(memcached_t)
diff --git a/milter.fc b/milter.fc
new file mode 100644
index 0000000..55a3e2f
--- /dev/null
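Review bot: The corenet block grants `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` although the daemon is only allowed to bind the memcache port and has no connect rules at all, so the grant is wider than the rest of the policy justifies. If memcached only ever serves its own port, `corenet_tcp_sendrecv_memcache_port(memcached_t)` and `corenet_udp_sendrecv_memcache_port(memcached_t)` express that with less exposure; if the broad grant is deliberate, a comment saying why would help the next reader. Note also that `corenet_all_recvfrom_unlabeled` is not paired with `corenet_all_recvfrom_netlabel` here, whereas monop.te and mozilla.te in the same commit grant both.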
+++ b/milter.fc
@@ -0,0 +1,13 @@
+/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+
+/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+
+/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
diff --git a/milter.if b/milter.if
new file mode 100644
index 0000000..ed1af3c
--- /dev/null
+++ b/milter.if
@@ -0,0 +1,102 @@
+## Milter mail filters
+
+########################################
+##
+## Create a set of derived types for various
+## mail filter applications using the milter interface.
+##
+##
+##
+## The name to be used for deriving type names.
+##
+##
+#
+template(`milter_template',`
+ # attributes common to all milters
+ gen_require(`
+ attribute milter_data_type, milter_domains;
+ ')
+
+ type $1_milter_t, milter_domains;
+ type $1_milter_exec_t;
+ init_daemon_domain($1_milter_t, $1_milter_exec_t)
+ role system_r types $1_milter_t;
+
+ # Type for the milter data (e.g. the socket used to communicate with the MTA)
+ type $1_milter_data_t, milter_data_type;
+ files_type($1_milter_data_t)
+
+ allow $1_milter_t self:fifo_file rw_fifo_file_perms;
+
+ # Allow communication with MTA over a unix-domain socket
+ # Note: usage with TCP sockets requires additional policy
+ manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+ # Create other data files and directories in the data directory
+ manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+ files_read_etc_files($1_milter_t)
+
+ miscfiles_read_localization($1_milter_t)
+
+ logging_send_syslog_msg($1_milter_t)
+')
+
+########################################
+##
+## MTA communication with milter sockets
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_stream_connect_all',`
+ gen_require(`
+ attribute milter_data_type, milter_domains;
+ ')
+
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+ stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
+')
+
+########################################
+##
+## Allow getattr of milter sockets
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_getattr_all_sockets',`
+ gen_require(`
+ attribute milter_data_type;
+ ')
+
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+ getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
+')
+
+########################################
+##
+## Manage spamassassin milter state
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_manage_spamass_state',`
+ gen_require(`
+ type spamass_milter_state_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+')
diff --git a/milter.te b/milter.te
new file mode 100644
index 0000000..47e3612
--- /dev/null
+++ b/milter.te
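Review bot: In `milter_template`, the comment `# Create other data files and directories in the data directory` is not matched by the rule beneath it: only `manage_files_pattern` is granted on `$1_milter_data_t`, so a derived milter domain cannot create directories there. Either the comment should drop "and directories", or, if the daemons really do create subdirectories, a `manage_dirs_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)` is missing; correcting the comment is the safer default until a denial shows the directory access is needed.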
@@ -0,0 +1,96 @@
+policy_module(milter, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+# attributes common to all milters
+attribute milter_domains;
+attribute milter_data_type;
+
+# currently-supported milters are milter-greylist, milter-regex and spamass-milter
+milter_template(greylist)
+milter_template(regex)
+milter_template(spamass)
+
+# Type for the spamass-milter home directory, under which spamassassin will
+# store system-wide preferences, bayes databases etc. if not configured to
+# use per-user configuration
+type spamass_milter_state_t;
+files_type(spamass_milter_state_t)
+
+########################################
+#
+# milter-greylist local policy
+# ensure smtp clients retry mail like real MTAs and not spamware
+# http://hcpnet.free.fr/milter-greylist/
+#
+
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
+allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+allow greylist_milter_t self:process { setsched getsched };
+
+# It creates a pid file /var/run/milter-greylist.pid
+files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+kernel_read_kernel_sysctls(greylist_milter_t)
+
+# Allow the milter to read a GeoIP database in /usr/share
+files_read_usr_files(greylist_milter_t)
+# The milter runs from /var/lib/milter-greylist and maintains files there
+files_search_var_lib(greylist_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
+
+# Config is in /etc/mail/greylist.conf
+mta_read_config(greylist_milter_t)
+
+########################################
+#
+# milter-regex local policy
+# filter emails using regular expressions
+# http://www.benzedrine.cx/milter-regex.html
+#
+
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow 
regex_milter_t self:capability { setuid setgid dac_override };
+
+# The milter's socket directory lives under /var/spool
+files_search_spool(regex_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
+
+# Config is in /etc/mail/milter-regex.conf
+mta_read_config(regex_milter_t)
+
+########################################
+#
+# spamass-milter local policy
+# pipe emails through SpamAssassin
+# http://savannah.nongnu.org/projects/spamass-milt/
+#
+
+# The milter runs from /var/lib/spamass-milter
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+files_search_var_lib(spamass_milter_t)
+
+kernel_read_system_state(spamass_milter_t)
+
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
+corecmd_exec_shell(spamass_milter_t)
+corecmd_read_bin_symlinks(spamass_milter_t)
+corecmd_search_bin(spamass_milter_t)
+
+mta_send_mail(spamass_milter_t)
+
+# The main job of the milter is to pipe spam through spamc and act on the result
+optional_policy(`
+ spamassassin_domtrans_client(spamass_milter_t)
+')
diff --git a/modemmanager.fc b/modemmanager.fc
new file mode 100644
index 0000000..a83894c
--- /dev/null
+++ b/modemmanager.fc
@@ -0,0 +1 @@
+/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
diff --git a/modemmanager.if b/modemmanager.if
new file mode 100644
index 0000000..3368699
--- /dev/null
+++ b/modemmanager.if
@@ -0,0 +1,40 @@
+## Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.
+
+########################################
+##
+## Execute a domain transition to run modemmanager.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`modemmanager_domtrans',`
+ gen_require(`
+ type modemmanager_t, modemmanager_exec_t;
+ ')
+
+ domtrans_pattern($1, modemmanager_exec_t, modemmanager_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## modemmanager over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`modemmanager_dbus_chat',`
+ gen_require(`
+ type modemmanager_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 modemmanager_t:dbus send_msg;
+ allow modemmanager_t $1:dbus send_msg;
+')
diff --git a/modemmanager.te b/modemmanager.te
new file mode 100644
index 0000000..b3ace16
--- /dev/null
+++ b/modemmanager.te
@@ -0,0 +1,41 @@
+policy_module(modemmanager, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type modemmanager_t;
+type modemmanager_exec_t;
+dbus_system_domain(modemmanager_t, modemmanager_exec_t)
+typealias modemmanager_t alias ModemManager_t;
+typealias modemmanager_exec_t alias ModemManager_exec_t;
+
+########################################
+#
+# ModemManager local policy
+#
+
+allow modemmanager_t self:process signal;
+allow modemmanager_t self:fifo_file rw_file_perms;
+allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_system_state(modemmanager_t)
+
+dev_read_sysfs(modemmanager_t)
+dev_rw_modem(modemmanager_t)
+
+files_read_etc_files(modemmanager_t)
+
+term_use_unallocated_ttys(modemmanager_t)
+
+miscfiles_read_localization(modemmanager_t)
+
+logging_send_syslog_msg(modemmanager_t)
+
+networkmanager_dbus_chat(modemmanager_t)
+
+optional_policy(`
+ udev_read_db(modemmanager_t)
+')
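Review bot: `networkmanager_dbus_chat(modemmanager_t)` in modemmanager.te is called unconditionally while the neighbouring `udev_read_db` is wrapped in `optional_policy`, so this module cannot be built without the networkmanager module present; wrapping that call in an `optional_policy` block like the udev one keeps the dependency soft, as every other cross-module dbus_chat in this commit does. As a point of style, `allow modemmanager_t self:fifo_file rw_file_perms;` should use `rw_fifo_file_perms`, the fifo-specific set that memcached.te, milter.if and mozilla.te use in the same commit.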
diff --git a/mojomojo.fc b/mojomojo.fc
new file mode 100644
index 0000000..824c979
--- /dev/null
+++ b/mojomojo.fc
@@ -0,0 +1,5 @@
+/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
+
+/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0)
+
+/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
diff --git a/mojomojo.if b/mojomojo.if
new file mode 100644
index 0000000..657a9fc
--- /dev/null
+++ b/mojomojo.if
@@ -0,0 +1,40 @@
+## MojoMojo Wiki
+
+########################################
+##
+## All of the rules required to administrate
+## an mojomojo environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`mojomojo_admin',`
+ gen_require(`
+ type httpd_mojomojo_script_t;
+ type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
+ type httpd_mojomojo_rw_content_t;
+ type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t;
+ ')
+
+ allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
+ ps_process_pattern($1, httpd_mojomojo_script_t)
+
+ files_search_var_lib(httpd_mojomojo_script_t)
+
+ apache_search_sys_content($1)
+ admin_pattern($1, httpd_mojomojo_script_exec_t)
+ admin_pattern($1, httpd_mojomojo_script_t)
+ admin_pattern($1, httpd_mojomojo_content_t)
+ admin_pattern($1, httpd_mojomojo_htaccess_t)
+ admin_pattern($1, httpd_mojomojo_rw_content_t)
+ admin_pattern($1, httpd_mojomojo_ra_content_t)
+')
diff --git a/mojomojo.te b/mojomojo.te
new file mode 100644
index 0000000..83f002c
--- /dev/null
+++ b/mojomojo.te
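Review bot: `files_search_var_lib(httpd_mojomojo_script_t)` inside `mojomojo_admin` grants a permission to the confined script domain rather than to the administrator `$1`, which is out of place in an admin interface and duplicates the same rule in mojomojo.te in this commit; it should be removed from the interface. The `$2` role parameter is documented as "Role allowed access" but is never referenced in the body, so either drop that parameter block or add the role rules the other admin interfaces carry. `admin_pattern($1, httpd_mojomojo_script_t)` also looks odd, since it applies a file-management pattern to a process domain type; if nothing is labelled with that type the line is dead, and the script executables are already covered by the `httpd_mojomojo_script_exec_t` line above it.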
@@ -0,0 +1,36 @@
+policy_module(mojomojo, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mojomojo)
+
+########################################
+#
+# mojomojo local policy
+#
+
+allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+
+corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
+corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
+corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
+corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
+
+files_search_var_lib(httpd_mojomojo_script_t)
+
+sysnet_dns_name_resolve(httpd_mojomojo_script_t)
+
+mta_send_mail(httpd_mojomojo_script_t)
+
+optional_policy(`
+ mysql_stream_connect(httpd_mojomojo_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_mojomojo_script_t)
+')
diff --git a/mono.fc b/mono.fc
new file mode 100644
index 0000000..b01bc91
--- /dev/null
+++ b/mono.fc
@@ -0,0 +1 @@
+/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)
diff --git a/mono.if b/mono.if
new file mode 100644
index 0000000..7b08e13
--- /dev/null
+++ b/mono.if
@@ -0,0 +1,138 @@
+## Run .NET server and client applications on Linux.
+
+#######################################
+##
+## The role template for the mono module.
+##
+##
+##
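Review bot: The six `corenet_tcp_connect_*` and `corenet_sendrecv_*_client_packets` rules in mojomojo.te give the wiki script domain unconditional network access to the postgresql, mysqld and smtp ports, while the local-socket database access further down is kept behind `optional_policy`. If local sockets are the expected deployment, consider placing the network rules under a `tunable_policy` so that a compromised script cannot reach remote database or mail servers by default; the apache module's `httpd_can_network_connect_db` boolean is the existing switch for this class of access, if it can be referenced from this module. The bare `allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;` would also benefit from a comment naming what it is for, presumably the FastCGI socket behind the `mojomojo_fastcgi.pl` labelling in mojomojo.fc.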
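Review bot: `/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)` in mono.fc labels every regular file under /usr/bin whose name starts with "mono" as mono_exec_t, so any helper tool shipped alongside the runtime (monodis, for example) would enter the mono domain too. If only the runtime itself should transition, `/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0)` is the tighter pattern; if several binaries are intended, enumerate them or use an explicit alternation. The monopd daemon added in the same commit lives in /usr/sbin, so it is not caught, but the overlap in names is worth a comment on the entry.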

+## This template creates a derived domains which are used
+## for mono applications.
+##

+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`mono_role_template',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ type $1_mono_t;
+ domain_type($1_mono_t)
+ domain_entry_file($1_mono_t, mono_exec_t)
+ role $2 types $1_mono_t;
+
+ domain_interactive_fd($1_mono_t)
+ application_type($1_mono_t)
+
+ allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+
+ allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+
+ domtrans_pattern($3, mono_exec_t, $1_mono_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+ corecmd_bin_domtrans($1_mono_t, $1_t)
+
+ userdom_manage_user_tmpfs_files($1_mono_t)
+
+ optional_policy(`
+ xserver_role($1_r, $1_mono_t)
+ ')
+')
+
+########################################
+##
+## Execute the mono program in the mono domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mono_domtrans',`
+ gen_require(`
+ type mono_t, mono_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mono_exec_t, mono_t)
+')
+
+########################################
+##
+## Execute mono in the mono domain, and
+## allow the specified role the mono domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`mono_run',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ mono_domtrans($1)
+ role $2 types mono_t;
+')
+
+########################################
+##
+## Execute the mono program in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mono_exec',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, mono_exec_t)
+')
+
+########################################
+##
+## Read and write to mono shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mono_rw_shm',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ allow $1 mono_t:shm rw_shm_perms;
+')
diff --git a/mono.te b/mono.te
new file mode 100644
index 0000000..dff0f12
--- /dev/null
+++ b/mono.te
@@ -0,0 +1,52 @@
+policy_module(mono, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type mono_t;
+type mono_exec_t;
+application_type(mono_t)
+init_system_domain(mono_t, mono_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
+
+init_dbus_chat_script(mono_t)
+
+userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ avahi_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ cups_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ rpm_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ unconfined_domain(mono_t)
+ unconfined_dbus_chat(mono_t)
+ unconfined_dbus_connect(mono_t)
+')
+
+optional_policy(`
+ xserver_rw_shm(mono_t)
+')
diff --git a/monop.fc b/monop.fc
new file mode 100644
index 0000000..9ee4028
--- /dev/null
+++ b/monop.fc
@@ -0,0 +1,4 @@
+/etc/monopd\.conf -- gen_context(system_u:object_r:monopd_etc_t,s0)
+
+/usr/sbin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0)
+/usr/share/monopd/games(/.*)? gen_context(system_u:object_r:monopd_share_t,s0)
diff --git a/monop.if b/monop.if
new file mode 100644
index 0000000..2611351
--- /dev/null
+++ b/monop.if
@@ -0,0 +1 @@
+## Monopoly daemon
diff --git a/monop.te b/monop.te
new file mode 100644
index 0000000..6647a35
--- /dev/null
+++ b/monop.te
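Review bot: `mono_role_template` receives the role and user domain as `$2` and `$3` but then derives them from the prefix in `corecmd_bin_domtrans($1_mono_t, $1_t)` and `xserver_role($1_r, $1_mono_t)`; the two spellings diverge as soon as a caller passes a role or domain that does not follow the `$1_r`/`$1_t` naming, so use the parameters: `corecmd_bin_domtrans($1_mono_t, $3)` and `xserver_role($2, $1_mono_t)`. The template also grants `execheap execmem execstack` to the derived domain unconditionally, whereas mozilla.te in this commit puts `execmem execstack` behind the `allow_execmem` tunable; a comment stating that the Mono JIT needs writable-executable memory would at least document the choice. The `ptrace` the user domain `$3` receives over `$1_mono_t` is likewise a strong grant and deserves a word on why it is needed.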
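Review bot: The `optional_policy` block in mono.te containing `unconfined_domain(mono_t)` needs a comment, because on any build that includes the unconfined module it subsumes every rule above it: the self `ptrace execheap execmem execstack` permissions and the dbus_chat grants only matter when that module is absent. Suggest a line above it such as `# mono runs unconfined where the unconfined module is present; the rules above only apply on builds without it`, so that a reader does not mistake this module for a confinement of mono. The self-process rule also duplicates the one in `mono_role_template` in mono.if; if both are intentional, a short note on which domains each covers would help.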
@@ -0,0 +1,85 @@
+policy_module(monop, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type monopd_t;
+type monopd_exec_t;
+init_daemon_domain(monopd_t, monopd_exec_t)
+
+type monopd_etc_t;
+files_config_file(monopd_etc_t)
+
+type monopd_share_t;
+files_type(monopd_share_t)
+
+type monopd_var_run_t;
+files_pid_file(monopd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit monopd_t self:capability sys_tty_config;
+allow monopd_t self:process signal_perms;
+allow monopd_t self:tcp_socket create_stream_socket_perms;
+allow monopd_t self:udp_socket create_socket_perms;
+
+allow monopd_t monopd_etc_t:file read_file_perms;
+files_search_etc(monopd_t)
+
+allow monopd_t monopd_share_t:dir list_dir_perms;
+read_files_pattern(monopd_t, monopd_share_t, monopd_share_t)
+read_lnk_files_pattern(monopd_t, monopd_share_t, monopd_share_t)
+
+manage_files_pattern(monopd_t, monopd_var_run_t, monopd_var_run_t)
+files_pid_filetrans(monopd_t, monopd_var_run_t, file)
+
+kernel_read_kernel_sysctls(monopd_t)
+kernel_list_proc(monopd_t)
+kernel_read_proc_symlinks(monopd_t)
+
+corenet_all_recvfrom_unlabeled(monopd_t)
+corenet_all_recvfrom_netlabel(monopd_t)
+corenet_tcp_sendrecv_generic_if(monopd_t)
+corenet_udp_sendrecv_generic_if(monopd_t)
+corenet_tcp_sendrecv_generic_node(monopd_t)
+corenet_udp_sendrecv_generic_node(monopd_t)
+corenet_tcp_sendrecv_all_ports(monopd_t)
+corenet_udp_sendrecv_all_ports(monopd_t)
+corenet_tcp_bind_generic_node(monopd_t)
+corenet_tcp_bind_monopd_port(monopd_t)
+corenet_sendrecv_monopd_server_packets(monopd_t)
+
+dev_read_sysfs(monopd_t)
+
+domain_use_interactive_fds(monopd_t)
+
+files_read_etc_files(monopd_t)
+
+fs_getattr_all_fs(monopd_t)
+fs_search_auto_mountpoints(monopd_t)
+
+logging_send_syslog_msg(monopd_t)
+
+miscfiles_read_localization(monopd_t)
+
+sysnet_read_config(monopd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(monopd_t)
+userdom_dontaudit_search_user_home_dirs(monopd_t)
+
+optional_policy(`
+ nis_use_ypbind(monopd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(monopd_t)
+')
+
+optional_policy(`
+ udev_read_db(monopd_t)
+')
diff --git a/mozilla.fc b/mozilla.fc
new file mode 100644
index 0000000..93ac529
--- /dev/null
+++ b/mozilla.fc
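Review bot: `monopd_var_run_t` is declared as a pid type and created through `files_pid_filetrans(monopd_t, monopd_var_run_t, file)`, but monop.fc in this commit carries no `/var/run` entry for it, so a relabel (restorecon) would reset the daemon's pid file to the generic pid type and the `manage_files_pattern` above would no longer cover it on the next restart. Assuming the daemon writes /var/run/monopd.pid, add `/var/run/monopd\.pid -- gen_context(system_u:object_r:monopd_var_run_t,s0)` to monop.fc. The `corenet_udp_sendrecv_all_ports` grant also sits next to a UDP socket that is never bound or connected anywhere in this file; a comment on what UDP traffic monopd actually needs would justify keeping it.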
@@ -0,0 +1,29 @@
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+
+#
+# /bin
+#
+/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+#
+# /lib
+#
+/usr/lib(64)?/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
diff --git a/mozilla.if b/mozilla.if
new file mode 100644
index 0000000..fbb5c5a
--- /dev/null
+++ b/mozilla.if
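Review bot: The last two entries spell out `/usr/lib/[^/]*firefox[^/]*/firefox` and `/usr/lib64/[^/]*firefox[^/]*/firefox` separately although every other library path in the block uses the `/usr/lib(64)?/` form; collapsing them to `/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)` keeps the file consistent. `HOME_DIR/\.java(/.*)?` being labelled `mozilla_home_t` also deserves a comment: it is presumably there for the Java browser plugin, but it places the user's whole Java configuration under a type that `mozilla_role` lets the browser manage and relabel, so the reason should be recorded next to the entry.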
@@ -0,0 +1,306 @@
+## Policy for Mozilla and related web browsers
+
+########################################
+##
+## Role access for mozilla
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`mozilla_role',`
+ gen_require(`
+ type mozilla_t, mozilla_exec_t, mozilla_home_t;
+ ')
+
+ role $1 types mozilla_t;
+
+ domain_auto_trans($2, mozilla_exec_t, mozilla_t)
+ # Unrestricted inheritance from the caller.
+ allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
+ allow mozilla_t $2:fd use;
+ allow mozilla_t $2:process { sigchld signull };
+ allow mozilla_t $2:unix_stream_socket connectto;
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, mozilla_t)
+ allow $2 mozilla_t:process signal_perms;
+
+ allow $2 mozilla_t:fd use;
+ allow $2 mozilla_t:shm { associate getattr };
+ allow $2 mozilla_t:shm { unix_read unix_write };
+ allow $2 mozilla_t:unix_stream_socket connectto;
+
+ # X access, Home files
+ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+
+ mozilla_run_plugin(mozilla_t, $1)
+ mozilla_dbus_chat($2)
+
+ optional_policy(`
+ pulseaudio_role($1, mozilla_t)
+ ')
+')
+
+########################################
+##
+## Read mozilla home directory content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mozilla_read_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ allow $1 mozilla_home_t:dir list_dir_perms;
+ allow $1 mozilla_home_t:file read_file_perms;
+ allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Write mozilla home directory content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mozilla_write_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ write_files_pattern($1, mozilla_home_t, mozilla_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
+## Dontaudit attempts to read/write mozilla home directory content
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mozilla_dontaudit_rw_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ dontaudit $1 mozilla_home_t:file rw_file_perms;
+')
+
+########################################
+##
+## Dontaudit attempts to write mozilla home directory content
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mozilla_dontaudit_manage_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ dontaudit $1 mozilla_home_t:dir manage_dir_perms;
+ dontaudit $1 mozilla_home_t:file manage_file_perms;
+')
+
+########################################
+##
+## Execute mozilla home directory content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mozilla_exec_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ can_exec($1, mozilla_home_t)
+')
+
+########################################
+##
+## Execmod mozilla home directory content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mozilla_execmod_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ allow $1 mozilla_home_t:file execmod;
+')
+
+########################################
+##
+## Run mozilla in the mozilla domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mozilla_domtrans',`
+ gen_require(`
+ type mozilla_t, mozilla_exec_t;
+ ')
+
+ domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+')
+
+########################################
+##
+## Execute a domain transition to run mozilla_plugin.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mozilla_domtrans_plugin',`
+ gen_require(`
+ type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t;
+ class dbus send_msg;
+ ')
+
+ domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+ allow mozilla_plugin_t $1:process signull;
+')
+
+########################################
+##
+## Execute mozilla_plugin in the mozilla_plugin domain, and
+## allow the specified role the mozilla_plugin domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the mozilla_plugin domain.
+##
+##
+#
+interface(`mozilla_run_plugin',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ mozilla_domtrans_plugin($1)
+ role $2 types mozilla_plugin_t;
+')
+
+########################################
+##
+## Send and receive messages from
+## mozilla over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mozilla_dbus_chat',`
+ gen_require(`
+ type mozilla_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 mozilla_t:dbus send_msg;
+ allow mozilla_t $1:dbus send_msg;
+')
+
+########################################
+##
+## read/write mozilla per user tcp_socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mozilla_rw_tcp_sockets',`
+ gen_require(`
+ type mozilla_t;
+ ')
+
+ allow $1 mozilla_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+##
+## Read mozilla_plugin tmpfs files
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`mozilla_plugin_read_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+')
+
+########################################
+##
+## Delete mozilla_plugin tmpfs files
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`mozilla_plugin_delete_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ allow $1 mozilla_plugin_tmpfs_t:file unlink;
+')
diff --git a/mozilla.te b/mozilla.te
new file mode 100644
index 0000000..1039ff2
--- /dev/null
+++ b/mozilla.te
@@ -0,0 +1,455 @@
+policy_module(mozilla, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
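Review bot: `mozilla_domtrans_plugin` requires `mozilla_plugin_tmpfs_t` and `class dbus send_msg` but its body references neither, so the require block should be trimmed to `type mozilla_plugin_t, mozilla_plugin_exec_t;`. The summary of `mozilla_dontaudit_manage_user_home_files` says "Dontaudit attempts to write" while the rules dontaudit `manage_dir_perms` and `manage_file_perms`; `## Dontaudit attempts to manage mozilla home directory content` matches the body. As a point of style, `mozilla_role` still uses `domain_auto_trans` where `mozilla_domtrans` in the same file uses `domtrans_pattern`, and the `noatsecure siginh rlimitinh` grant it makes is commented as unrestricted inheritance but not why that is acceptable for a browser domain.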

+## Allow confined web browsers to read home directory content
+##

+##
+gen_tunable(mozilla_read_content, false)
+
+type mozilla_t;
+type mozilla_exec_t;
+typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
+typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+application_domain(mozilla_t, mozilla_exec_t)
+ubac_constrained(mozilla_t)
+
+type mozilla_conf_t;
+files_config_file(mozilla_conf_t)
+
+type mozilla_home_t;
+typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
+typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
+userdom_user_home_content(mozilla_home_t)
+
+type mozilla_plugin_t;
+type mozilla_plugin_exec_t;
+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+role system_r types mozilla_plugin_t;
+
+type mozilla_plugin_tmp_t;
+files_tmp_file(mozilla_plugin_tmp_t)
+ubac_constrained(mozilla_plugin_tmp_t)
+
+type mozilla_plugin_tmpfs_t;
+files_tmpfs_file(mozilla_plugin_tmpfs_t)
+ubac_constrained(mozilla_plugin_tmpfs_t)
+
+type mozilla_tmp_t;
+files_tmp_file(mozilla_tmp_t)
+ubac_constrained(mozilla_tmp_t)
+
+type mozilla_tmpfs_t;
+typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
+typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
+files_tmpfs_file(mozilla_tmpfs_t)
+ubac_constrained(mozilla_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mozilla_t self:capability { sys_nice setgid setuid };
+allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+allow mozilla_t self:fifo_file rw_fifo_file_perms;
+allow mozilla_t self:shm { unix_read unix_write read write destroy create };
+allow mozilla_t self:sem create_sem_perms;
+allow mozilla_t self:socket create_socket_perms;
+allow mozilla_t self:unix_stream_socket { listen accept };
+# Browse the web, connect to printer
+allow mozilla_t self:tcp_socket create_socket_perms;
+allow mozilla_t self:netlink_route_socket 
r_netlink_socket_perms;
+
+# for bash - old mozilla binary
+can_exec(mozilla_t, mozilla_exec_t)
+
+# X access, Home files
+manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+userdom_search_user_home_dirs(mozilla_t)
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
+
+# Mozpluggerrc
+allow mozilla_t mozilla_conf_t:file read_file_perms;
+
+manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
+
+manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(mozilla_t)
+kernel_read_network_state(mozilla_t)
+# Access /proc, sysctl
+kernel_read_system_state(mozilla_t)
+kernel_read_net_sysctls(mozilla_t)
+
+# Look for plugins
+corecmd_list_bin(mozilla_t)
+# for bash - old mozilla binary
+corecmd_exec_shell(mozilla_t)
+corecmd_exec_bin(mozilla_t)
+
+# Browse the web, connect to printer
+corenet_all_recvfrom_unlabeled(mozilla_t)
+corenet_all_recvfrom_netlabel(mozilla_t)
+corenet_tcp_sendrecv_generic_if(mozilla_t)
+corenet_raw_sendrecv_generic_if(mozilla_t)
+corenet_tcp_sendrecv_generic_node(mozilla_t)
+corenet_raw_sendrecv_generic_node(mozilla_t)
+corenet_tcp_sendrecv_http_port(mozilla_t)
+corenet_tcp_sendrecv_http_cache_port(mozilla_t)
+corenet_tcp_sendrecv_squid_port(mozilla_t)
+corenet_tcp_sendrecv_ftp_port(mozilla_t)
+corenet_tcp_sendrecv_ipp_port(mozilla_t)
+corenet_tcp_connect_http_port(mozilla_t)
+corenet_tcp_connect_http_cache_port(mozilla_t)
+corenet_tcp_connect_squid_port(mozilla_t)
+corenet_tcp_connect_ftp_port(mozilla_t)
+corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_generic_port(mozilla_t)
+corenet_tcp_connect_soundd_port(mozilla_t)
+corenet_sendrecv_http_client_packets(mozilla_t)
+corenet_sendrecv_http_cache_client_packets(mozilla_t)
+corenet_sendrecv_squid_client_packets(mozilla_t)
+corenet_sendrecv_ftp_client_packets(mozilla_t)
+corenet_sendrecv_ipp_client_packets(mozilla_t)
+corenet_sendrecv_generic_client_packets(mozilla_t)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
+corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
+corenet_tcp_connect_speech_port(mozilla_t)
+
+dev_read_urand(mozilla_t)
+dev_read_rand(mozilla_t)
+dev_write_sound(mozilla_t)
+dev_read_sound(mozilla_t)
+dev_dontaudit_rw_dri(mozilla_t)
+dev_getattr_sysfs_dirs(mozilla_t)
+
+domain_dontaudit_read_all_domains_state(mozilla_t)
+
+files_read_etc_runtime_files(mozilla_t)
+files_read_usr_files(mozilla_t)
+files_read_etc_files(mozilla_t)
+# /var/lib
+files_read_var_lib_files(mozilla_t)
+# interacting with gstreamer
+files_read_var_files(mozilla_t)
+files_read_var_symlinks(mozilla_t)
+files_dontaudit_getattr_boot_dirs(mozilla_t)
+
+fs_search_auto_mountpoints(mozilla_t)
+fs_list_inotifyfs(mozilla_t)
+fs_rw_tmpfs_files(mozilla_t)
+
+term_dontaudit_getattr_pty_dirs(mozilla_t)
+
+logging_send_syslog_msg(mozilla_t)
+
+miscfiles_read_fonts(mozilla_t)
+miscfiles_read_localization(mozilla_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+
+# Browse the web, connect to printer
+sysnet_dns_name_resolve(mozilla_t)
+
+userdom_use_user_ptys(mozilla_t)
+
+xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_t)
+ 
fs_manage_nfs_files(mozilla_t)
+ fs_manage_nfs_symlinks(mozilla_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_t)
+ fs_manage_cifs_files(mozilla_t)
+ fs_manage_cifs_symlinks(mozilla_t)
+')
+
+# Uploads, local html
+tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_nfs_files(mozilla_t)
+ fs_read_nfs_symlinks(mozilla_t)
+
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_nfs_files(mozilla_t)
+ fs_dontaudit_list_nfs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_cifs_files(mozilla_t)
+ fs_read_cifs_symlinks(mozilla_t)
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_cifs_files(mozilla_t)
+ fs_dontaudit_list_cifs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content',`
+ userdom_list_user_tmp(mozilla_t)
+ userdom_read_user_tmp_files(mozilla_t)
+ userdom_read_user_tmp_symlinks(mozilla_t)
+ userdom_read_user_home_content_files(mozilla_t)
+ userdom_read_user_home_content_symlinks(mozilla_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(mozilla_t)
+ fs_read_removable_files(mozilla_t)
+ fs_read_removable_symlinks(mozilla_t)
+ ')
+',`
+ files_dontaudit_list_tmp(mozilla_t)
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_removable(mozilla_t)
+ fs_dontaudit_read_removable_files(mozilla_t)
+ userdom_dontaudit_list_user_tmp(mozilla_t)
+ userdom_dontaudit_read_user_tmp_files(mozilla_t)
+ userdom_dontaudit_list_user_home_dirs(mozilla_t)
+ userdom_dontaudit_read_user_home_content_files(mozilla_t)
+')
+
+optional_policy(`
+ apache_read_user_scripts(mozilla_t)
+ apache_read_user_content(mozilla_t)
+')
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(mozilla_t)
+')
+
+optional_policy(`
+ 
cups_read_rw_config(mozilla_t)
+ cups_dbus_chat(mozilla_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mozilla_t)
+ dbus_session_bus_client(mozilla_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(mozilla_t)
+ ')
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(mozilla_t)
+ gnome_manage_config(mozilla_t)
+')
+
+optional_policy(`
+ java_domtrans(mozilla_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(mozilla_t)
+')
+
+optional_policy(`
+ mplayer_domtrans(mozilla_t)
+ mplayer_read_user_home_files(mozilla_t)
+')
+
+optional_policy(`
+ nscd_socket_use(mozilla_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
+ pulseaudio_manage_home_files(mozilla_t)
+')
+
+optional_policy(`
+ thunderbird_domtrans(mozilla_t)
+')
+
+########################################
+#
+# mozilla_plugin local policy
+#
+
+dontaudit mozilla_plugin_t self:capability { sys_ptrace };
+allow mozilla_plugin_t self:process { setsched signal_perms execmem };
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mozilla_plugin_t self:udp_socket create_socket_perms;
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mozilla_plugin_t self:sem create_sem_perms;
+allow mozilla_plugin_t self:shm create_shm_perms;
+
+can_exec(mozilla_plugin_t, mozilla_home_t)
+read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+
+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(mozilla_plugin_t, mozilla_exec_t)
+
+kernel_read_kernel_sysctls(mozilla_plugin_t)
+kernel_read_system_state(mozilla_plugin_t)
+kernel_read_network_state(mozilla_plugin_t)
+kernel_request_load_module(mozilla_plugin_t)
+
+corecmd_exec_bin(mozilla_plugin_t)
+corecmd_exec_shell(mozilla_plugin_t)
+
+corenet_all_recvfrom_netlabel(mozilla_plugin_t)
+corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
+corenet_tcp_connect_generic_port(mozilla_plugin_t)
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+corenet_tcp_connect_http_port(mozilla_plugin_t)
+corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
+corenet_tcp_connect_squid_port(mozilla_plugin_t)
+corenet_tcp_connect_ipp_port(mozilla_plugin_t)
+corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
+corenet_tcp_connect_speech_port(mozilla_plugin_t)
+
+dev_read_rand(mozilla_plugin_t)
+dev_read_urand(mozilla_plugin_t)
+dev_read_video_dev(mozilla_plugin_t)
+dev_write_video_dev(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
+# for nvidia driver
+dev_rw_xserver_misc(mozilla_plugin_t)
+dev_dontaudit_rw_dri(mozilla_plugin_t)
+
+domain_use_interactive_fds(mozilla_plugin_t)
+domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+
+files_read_config_files(mozilla_plugin_t)
+files_read_usr_files(mozilla_plugin_t)
+files_list_mnt(mozilla_plugin_t)
+
+fs_getattr_all_fs(mozilla_plugin_t)
+fs_list_dos(mozilla_plugin_t)
+fs_read_dos_files(mozilla_plugin_t)
+
+application_dontaudit_signull(mozilla_plugin_t)
+
+auth_use_nsswitch(mozilla_plugin_t)
+
+logging_send_syslog_msg(mozilla_plugin_t)
+
+miscfiles_read_localization(mozilla_plugin_t)
+miscfiles_read_fonts(mozilla_plugin_t)
+miscfiles_read_generic_certs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
+
+sysnet_dns_name_resolve(mozilla_plugin_t)
+
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
+
+userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+userdom_read_user_tmp_files(mozilla_plugin_t)
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_plugin_t self:process { execmem execstack };
+')
+
+tunable_policy(`allow_execstack',`
+ allow mozilla_plugin_t self:process { execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_plugin_t)
+ fs_manage_nfs_files(mozilla_plugin_t)
+ fs_manage_nfs_symlinks(mozilla_plugin_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_plugin_t)
+ fs_manage_cifs_files(mozilla_plugin_t)
+ fs_manage_cifs_symlinks(mozilla_plugin_t)
+')
+
+optional_policy(`
+ alsa_read_rw_config(mozilla_plugin_t)
+ alsa_read_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mozilla_plugin_t)
+ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gnome_manage_config(mozilla_plugin_t)
+')
+
+optional_policy(`
+ 
java_exec(mozilla_plugin_t)
+')
+
+optional_policy(`
+ mplayer_exec(mozilla_plugin_t)
+ mplayer_read_user_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ pcscd_stream_connect(mozilla_plugin_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(mozilla_plugin_t)
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
+ pulseaudio_manage_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(mozilla_plugin_t)
+ xserver_stream_connect(mozilla_plugin_t)
+ xserver_use_user_fonts(mozilla_plugin_t)
+')
diff --git a/mpd.fc b/mpd.fc
new file mode 100644
index 0000000..ddc14d6
--- /dev/null
+++ b/mpd.fc
@@ -0,0 +1,8 @@
+/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0)
+/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0)
+
+/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0)
+
+/var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0)
+/var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
+/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
diff --git a/mpd.if b/mpd.if
new file mode 100644
index 0000000..d72276f
--- /dev/null
+++ b/mpd.if
@@ -0,0 +1,267 @@
+## Music Player Daemon
+
+########################################
+##
+## Execute a domain transition to run mpd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mpd_domtrans',`
+ gen_require(`
+ type mpd_t, mpd_exec_t;
+ ')
+
+ domtrans_pattern($1, mpd_exec_t, mpd_t)
+')
+
+########################################
+##
+## Execute mpd server in the mpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mpd_initrc_domtrans',`
+ gen_require(`
+ type mpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, mpd_initrc_exec_t)
+')
+
+#######################################
+##
+## Read mpd data files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mpd_read_data_files',`
+ gen_require(`
+ type mpd_data_t;
+ ')
+
+ mpd_search_lib($1)
+ read_files_pattern($1, mpd_data_t, mpd_data_t)
+')
+
+######################################
+##
+## Manage mpd data files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mpd_manage_data_files',`
+ gen_require(`
+ type mpd_data_t;
+ ')
+
+ mpd_search_lib($1)
+ manage_files_pattern($1, mpd_data_t, mpd_data_t)
+')
+
+#######################################
+##
+## Read mpd tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mpd_read_tmpfs_files',`
+ gen_require(`
+ type mpd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
+###################################
+##
+## Manage mpd tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mpd_manage_tmpfs_files',`
+ gen_require(`
+ type mpd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
+########################################
+##
+## Search mpd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mpd_search_lib',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ allow $1 mpd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read mpd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mpd_read_lib_files',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## mpd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mpd_manage_lib_files',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+#######################################
+##
+## Create an object in the root directory, with a private
+## type using a type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+#
+interface(`mpd_var_lib_filetrans',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, mpd_var_lib_t, $2, $3)
+')
+
+########################################
+##
+## Manage mpd lib dirs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mpd_manage_lib_dirs',`
+ gen_require(`
+ type mpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an mpd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`mpd_admin',`
+ gen_require(`
+ type mpd_t, mpd_initrc_exec_t, mpd_etc_t;
+ type mpd_data_t, mpd_log_t, mpd_var_lib_t;
+ type mpd_tmpfs_t;
+ ')
+
+ allow $1 mpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mpd_t)
+
+ mpd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 mpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, mpd_etc_t)
+ files_list_etc($1)
+
+ files_list_var_lib($1)
+ admin_pattern($1, mpd_var_lib_t)
+
+ admin_pattern($1, mpd_data_t)
+
+ admin_pattern($1, mpd_log_t)
+
+ fs_list_tmpfs($1)
+ admin_pattern($1, mpd_tmpfs_t)
+')
diff --git a/mpd.te b/mpd.te
new file mode 100644
index 0000000..7f68872
--- /dev/null
+++ b/mpd.te
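Review bot: The summary on `mpd_var_lib_filetrans` says "Create an object in the root directory", but the body calls `filetrans_pattern($1, mpd_var_lib_t, $2, $3)`, so the transition applies to objects created under mpd_var_lib_t, not the root; replace it with `## Create an object in the mpd lib directory, with a private type using a type transition.` so callers know where the rule takes effect. The summary of `mpd_manage_lib_dirs`, "Manage mpd lib dirs files.", reads as a slip for `## Manage mpd lib directories.` and should match the `manage_dirs_pattern` it wraps. The `mpd_admin` block also grants `ptrace` on mpd_t alongside `signal_perms`; a short comment stating that the admin role is meant to be able to debug the daemon would make that deliberate rather than an accident of copy-paste.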
@@ -0,0 +1,126 @@
+policy_module(mpd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mpd_t;
+type mpd_exec_t;
+init_daemon_domain(mpd_t, mpd_exec_t)
+
+# type for music content
+type mpd_data_t;
+files_type(mpd_data_t)
+
+type mpd_etc_t;
+files_config_file(mpd_etc_t)
+
+type mpd_initrc_exec_t;
+init_script_file(mpd_initrc_exec_t)
+
+type mpd_log_t;
+logging_log_file(mpd_log_t)
+
+type mpd_tmp_t;
+files_tmp_file(mpd_tmp_t)
+
+type mpd_tmpfs_t;
+files_tmpfs_file(mpd_tmpfs_t)
+
+type mpd_var_lib_t;
+files_type(mpd_var_lib_t)
+
+########################################
+#
+# mpd local policy
+#
+
+# dac_override bug in mpd relating to mpd.log file
+allow mpd_t self:capability { dac_override kill setgid setuid };
+allow mpd_t self:process { getsched setsched setrlimit signal signull };
+allow mpd_t self:fifo_file rw_fifo_file_perms;
+allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow mpd_t self:tcp_socket create_stream_socket_perms;
+allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
+manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+
+read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
+
+manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file })
+
+manage_files_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t)
+manage_dirs_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t)
+fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file )
+
+manage_dirs_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file })
+
+# 
needed by pulseaudio
+kernel_getattr_proc(mpd_t)
+kernel_read_system_state(mpd_t)
+kernel_read_kernel_sysctls(mpd_t)
+
+corecmd_exec_bin(mpd_t)
+
+corenet_all_recvfrom_unlabeled(mpd_t)
+corenet_all_recvfrom_netlabel(mpd_t)
+corenet_tcp_sendrecv_generic_if(mpd_t)
+corenet_tcp_sendrecv_generic_node(mpd_t)
+corenet_tcp_bind_mpd_port(mpd_t)
+corenet_tcp_bind_soundd_port(mpd_t)
+corenet_tcp_connect_http_port(mpd_t)
+corenet_tcp_connect_http_cache_port(mpd_t)
+corenet_tcp_connect_pulseaudio_port(mpd_t)
+corenet_tcp_connect_soundd_port(mpd_t)
+corenet_sendrecv_http_client_packets(mpd_t)
+corenet_sendrecv_http_cache_client_packets(mpd_t)
+corenet_sendrecv_pulseaudio_client_packets(mpd_t)
+corenet_sendrecv_soundd_client_packets(mpd_t)
+
+dev_read_sound(mpd_t)
+dev_write_sound(mpd_t)
+dev_read_sysfs(mpd_t)
+
+files_read_usr_files(mpd_t)
+
+fs_getattr_tmpfs(mpd_t)
+fs_list_inotifyfs(mpd_t)
+fs_rw_anon_inodefs_files(mpd_t)
+
+auth_use_nsswitch(mpd_t)
+
+logging_send_syslog_msg(mpd_t)
+
+miscfiles_read_localization(mpd_t)
+
+optional_policy(`
+ alsa_read_rw_config(mpd_t)
+')
+
+optional_policy(`
+ consolekit_dbus_chat(mpd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mpd_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(mpd_t)
+ pulseaudio_stream_connect(mpd_t)
+ pulseaudio_signull(mpd_t)
+')
+
+optional_policy(`
+ udev_read_db(mpd_t)
+')
diff --git a/mplayer.fc b/mplayer.fc
new file mode 100644
index 0000000..5a37c50
--- /dev/null
+++ b/mplayer.fc
@@ -0,0 +1,14 @@
+#
+# /etc
+#
+/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
+/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+
+HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
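Review bot: `mpd_log_t` is declared (`type mpd_log_t; logging_log_file(mpd_log_t)`) but nothing in this hunk lets mpd_t use it — there is no `manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t)` or `logging_log_filetrans(mpd_t, mpd_log_t, file)`, and the mpd.fc hunk earlier in this patch has no `/var/log` entry for it — so the log type is dead while the comment above the capability line says `dac_override` was added to reach mpd.log. Adding those two rules plus an mpd.fc entry for the log file's path would label the log correctly and is the route to dropping `dac_override`, which otherwise lets the daemon bypass DAC checks on any file it can name. `kill` in the same capability set is only needed to signal processes of other uids; if mpd only signals its own children it can go too. `fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file )` has a stray space before the closing parenthesis.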
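Review bot: `/usr/bin/vlc` and `/usr/bin/xine` are labelled `mplayer_exec_t` without a comment, so a reader of mplayer.te sees rules justified for mplayer alone (the win32-loader `dev_rwx_zero`, raw removable-device reads, the execstack tunable) without knowing two other players run in the same domain. A one-line comment above those two entries, `# vlc and xine run in the mplayer domain`, would make the sharing visible and deliberate.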
diff --git a/mplayer.if b/mplayer.if
new file mode 100644
index 0000000..d8ea41d
--- /dev/null
+++ b/mplayer.if
@@ -0,0 +1,104 @@
+## Mplayer media player and encoder
+
+########################################
+##
+## Role access for mplayer
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`mplayer_role',`
+ gen_require(`
+ type mencoder_t, mencoder_exec_t;
+ type mplayer_t, mplayer_exec_t;
+ type mplayer_home_t;
+ ')
+
+ role $1 types { mencoder_t mplayer_t };
+
+ # domain transition
+ domtrans_pattern($2, mencoder_exec_t, mencoder_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, mencoder_t)
+ allow $2 mencoder_t:process signal_perms;
+
+ # Home access
+ manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+ manage_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
+
+ # domain transition
+ domtrans_pattern($2, mplayer_exec_t, mplayer_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, mplayer_t)
+ allow $2 mplayer_t:process signal_perms;
+')
+
+########################################
+##
+## Run mplayer in mplayer domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mplayer_domtrans',`
+ gen_require(`
+ type mplayer_t, mplayer_exec_t;
+ ')
+
+ domtrans_pattern($1, mplayer_exec_t, mplayer_t)
+')
+
+########################################
+##
+## Execute mplayer in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`mplayer_exec',`
+ gen_require(`
+ type mplayer_exec_t;
+ ')
+
+ can_exec($1, mplayer_exec_t)
+')
+
+########################################
+##
+## Read mplayer per user homedir
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mplayer_read_user_home_files',`
+ gen_require(`
+ type mplayer_home_t;
+ ')
+
+ read_files_pattern($1, mplayer_home_t, mplayer_home_t)
+ userdom_search_user_home_dirs($1)
+')
diff --git a/mplayer.te b/mplayer.te
new file mode 100644
index 0000000..4c43901
--- /dev/null
+++ b/mplayer.te
@@ -0,0 +1,314 @@
+policy_module(mplayer, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
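Review bot: The header block of `mplayer_exec` closes with two `#` lines (`+# +#`) where every other interface in this file has one; drop the duplicate so the interface documentation has the same shape throughout. In `mplayer_role` the comment `# domain transition` appears twice, once for mencoder and once for mplayer; naming the target each time (`# domain transition to mencoder_t`, `# domain transition to mplayer_t`) makes the two halves easier to tell apart when scanning. `mplayer_domtrans` and `mplayer_exec` grant no search on the directory holding the executable, so callers must already be able to reach it; if that is the intent, a sentence in each summary saying so would save the next reader the check.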

+## Allow mplayer executable stack
+##

+##
+gen_tunable(allow_mplayer_execstack, false)
+
+type mencoder_t;
+type mencoder_exec_t;
+typealias mencoder_t alias { user_mencoder_t staff_mencoder_t sysadm_mencoder_t };
+typealias mencoder_t alias { auditadm_mencoder_t secadm_mencoder_t };
+application_domain(mencoder_t, mencoder_exec_t)
+ubac_constrained(mencoder_t)
+
+type mplayer_t;
+type mplayer_exec_t;
+typealias mplayer_t alias { user_mplayer_t staff_mplayer_t sysadm_mplayer_t };
+typealias mplayer_t alias { auditadm_mplayer_t secadm_mplayer_t };
+application_domain(mplayer_t, mplayer_exec_t)
+ubac_constrained(mplayer_t)
+
+type mplayer_etc_t;
+files_config_file(mplayer_etc_t)
+
+type mplayer_home_t;
+typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
+typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t };
+userdom_user_home_content(mplayer_home_t)
+
+type mplayer_tmpfs_t;
+typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t };
+typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t };
+files_tmpfs_file(mplayer_tmpfs_t)
+ubac_constrained(mplayer_tmpfs_t)
+
+########################################
+#
+# mencoder local policy
+#
+
+manage_dirs_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+manage_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+manage_lnk_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+
+# Read global config
+allow mencoder_t mplayer_etc_t:dir list_dir_perms;
+read_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t)
+read_lnk_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t)
+
+# Read /proc files and directories
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+kernel_read_system_state(mencoder_t)
+# Sysctl on kernel version
+kernel_read_kernel_sysctls(mencoder_t)
+
+# Required for win32 binary loader
+dev_rwx_zero(mencoder_t)
+# Access to DVD/CD/V4L
+dev_read_video_dev(mencoder_t)
+
+# Read data in /usr/share (fonts, icons..)
+files_read_usr_files(mencoder_t)
+files_read_usr_symlinks(mencoder_t)
+
+fs_search_auto_mountpoints(mencoder_t)
+
+# Access to DVD/CD/V4L
+storage_raw_read_removable_device(mencoder_t)
+
+miscfiles_read_localization(mencoder_t)
+
+userdom_use_user_terminals(mencoder_t)
+# Handle removable media, /tmp, and /home
+userdom_list_user_tmp(mencoder_t)
+userdom_read_user_tmp_files(mencoder_t)
+userdom_read_user_tmp_symlinks(mencoder_t)
+userdom_read_user_home_content_files(mencoder_t)
+userdom_read_user_home_content_symlinks(mencoder_t)
+
+# Read content to encode
+ifndef(`enable_mls',`
+ fs_search_removable(mencoder_t)
+ fs_read_removable_files(mencoder_t)
+ fs_read_removable_symlinks(mencoder_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mencoder_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+ dev_execmod_zero(mencoder_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+ allow mencoder_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mencoder_t)
+ fs_manage_nfs_files(mencoder_t)
+ fs_manage_nfs_symlinks(mencoder_t)
+
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mencoder_t)
+ fs_manage_cifs_files(mencoder_t)
+ fs_manage_cifs_symlinks(mencoder_t)
+
+')
+
+# Read content to encode
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mencoder_t)
+ files_list_home(mencoder_t)
+ fs_read_nfs_files(mencoder_t)
+ fs_read_nfs_symlinks(mencoder_t)
+
+',`
+ files_dontaudit_list_home(mencoder_t)
+ fs_dontaudit_list_auto_mountpoints(mencoder_t)
+ fs_dontaudit_read_nfs_files(mencoder_t)
+ fs_dontaudit_list_nfs(mencoder_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mencoder_t)
+ files_list_home(mencoder_t)
+ fs_read_cifs_files(mencoder_t)
+ fs_read_cifs_symlinks(mencoder_t)
+',`
+ files_dontaudit_list_home(mencoder_t)
+ fs_dontaudit_list_auto_mountpoints(mencoder_t)
+ fs_dontaudit_read_cifs_files(mencoder_t)
+ fs_dontaudit_list_cifs(mencoder_t)
+')
+
+########################################
+#
+# mplayer local policy
+#
+
+allow mplayer_t self:process { signal_perms getsched };
+allow mplayer_t self:fifo_file rw_fifo_file_perms;
+allow mplayer_t self:sem create_sem_perms;
+allow mplayer_t self:netlink_route_socket create_netlink_socket_perms;
+allow mplayer_t self:tcp_socket create_socket_perms;
+allow mplayer_t self:unix_dgram_socket sendto;
+
+manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir)
+
+manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Read global config
+allow mplayer_t mplayer_etc_t:dir list_dir_perms;
+read_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t)
+read_lnk_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t)
+
+kernel_dontaudit_list_unlabeled(mplayer_t)
+kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
+kernel_dontaudit_read_unlabeled_files(mplayer_t)
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+kernel_read_system_state(mplayer_t)
+# Sysctl on kernel version
+kernel_read_kernel_sysctls(mplayer_t)
+
+corenet_all_recvfrom_netlabel(mplayer_t)
+corenet_all_recvfrom_unlabeled(mplayer_t)
+corenet_tcp_sendrecv_generic_if(mplayer_t)
+corenet_tcp_sendrecv_generic_node(mplayer_t)
+corenet_tcp_bind_generic_node(mplayer_t)
+corenet_tcp_connect_pulseaudio_port(mplayer_t)
+corenet_sendrecv_pulseaudio_client_packets(mplayer_t)
+
+# Run bash/sed (??)
+corecmd_exec_bin(mplayer_t)
+corecmd_exec_shell(mplayer_t)
+
+dev_read_rand(mplayer_t)
+dev_read_urand(mplayer_t)
+# Required for win32 binary loader
+dev_rwx_zero(mplayer_t)
+# Access to DVD/CD/V4L
+dev_read_video_dev(mplayer_t)
+dev_write_video_dev(mplayer_t)
+# Audio, alsa.conf
+dev_read_sound_mixer(mplayer_t)
+dev_write_sound_mixer(mplayer_t)
+# RTC clock
+dev_read_realtime_clock(mplayer_t)
+
+domain_use_interactive_fds(mplayer_t)
+
+# Access to DVD/CD/V4L
+storage_raw_read_removable_device(mplayer_t)
+
+files_read_etc_files(mplayer_t)
+files_dontaudit_list_non_security(mplayer_t)
+files_dontaudit_getattr_non_security_files(mplayer_t)
+files_read_non_security_files(mplayer_t)
+# Unfortunately the ancient file dialog starts in /
+files_list_home(mplayer_t)
+# Read /etc/mtab
+files_read_etc_runtime_files(mplayer_t)
+# Read data in /usr/share (fonts, icons..)
+files_read_usr_files(mplayer_t)
+files_read_usr_symlinks(mplayer_t)
+
+fs_dontaudit_getattr_all_fs(mplayer_t)
+fs_search_auto_mountpoints(mplayer_t)
+fs_list_inotifyfs(mplayer_t)
+
+miscfiles_read_localization(mplayer_t)
+miscfiles_read_fonts(mplayer_t)
+
+userdom_use_user_terminals(mplayer_t)
+# Read media files
+userdom_list_user_tmp(mplayer_t)
+userdom_read_user_tmp_files(mplayer_t)
+userdom_read_user_tmp_symlinks(mplayer_t)
+userdom_read_user_home_content_files(mplayer_t)
+userdom_read_user_home_content_symlinks(mplayer_t)
+userdom_write_user_tmp_sockets(mplayer_t)
+
+xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+
+# Read songs
+ifdef(`enable_mls',`',`
+ fs_search_removable(mplayer_t)
+ fs_read_removable_files(mplayer_t)
+ fs_read_removable_symlinks(mplayer_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mplayer_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+ dev_execmod_zero(mplayer_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mplayer_t)
+ fs_manage_nfs_files(mplayer_t)
+ fs_manage_nfs_symlinks(mplayer_t)
+')
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mplayer_t)
+ fs_manage_cifs_files(mplayer_t)
+ fs_manage_cifs_symlinks(mplayer_t)
+')
+
+# Legacy domain issues
+tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t mplayer_tmpfs_t:file execute;
+')
+
+# Read songs
+tunable_policy(`use_nfs_home_d

irs',`
+ fs_list_auto_mountpoints(mplayer_t)
+ files_list_home(mplayer_t)
+ fs_read_nfs_files(mplayer_t)
+ fs_read_nfs_symlinks(mplayer_t)
+
+',`
+ files_dontaudit_list_home(mplayer_t)
+ fs_dontaudit_list_auto_mountpoints(mplayer_t)
+ fs_dontaudit_read_nfs_files(mplayer_t)
+ fs_dontaudit_list_nfs(mplayer_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mplayer_t)
+ files_list_home(mplayer_t)
+ fs_read_cifs_files(mplayer_t)
+ 
fs_read_cifs_symlinks(mplayer_t)
+',`
+ files_dontaudit_list_home(mplayer_t)
+ fs_dontaudit_list_auto_mountpoints(mplayer_t)
+ fs_dontaudit_read_cifs_files(mplayer_t)
+ fs_dontaudit_list_cifs(mplayer_t)
+')
+
+optional_policy(`
+ alsa_read_rw_config(mplayer_t)
+')
+
+optional_policy(`
+ nscd_socket_use(mplayer_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(mplayer_t)
+ pulseaudio_stream_connect(mplayer_t)
+')
diff --git a/mrtg.fc b/mrtg.fc
new file mode 100644
index 0000000..37fb953
--- /dev/null
+++ b/mrtg.fc
@@ -0,0 +1,18 @@
+#
+# /etc
+#
+/etc/mrtg.* gen_context(system_u:object_r:mrtg_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/mrtg -- gen_context(system_u:object_r:mrtg_exec_t,s0)
+/etc/mrtg/mrtg\.ok -- gen_context(system_u:object_r:mrtg_lock_t,s0)
+
+#
+# /var
+#
+/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0)
+/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
+/var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0)
+/var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0)
diff --git a/mrtg.if b/mrtg.if
new file mode 100644
index 0000000..5970b9c
--- /dev/null
+++ b/mrtg.if
@@ -0,0 +1,20 @@
+## Network traffic graphing
+
+########################################
+##
+## Create and append mrtg logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mrtg_append_create_logs',`
+ gen_require(`
+ type mrtg_log_t;
+ ')
+
+ append_files_pattern($1, mrtg_log_t, mrtg_log_t)
+ create_files_pattern($1, mrtg_log_t, mrtg_log_t)
+')
diff --git a/mrtg.te b/mrtg.te
new file mode 100644
index 0000000..0e19d80
--- /dev/null
+++ b/mrtg.te
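Review bot: `fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })` lists `dir` among the transition classes, but the rules just above grant mplayer_t only file, lnk_file, fifo_file and sock_file access to mplayer_tmpfs_t — there is no `manage_dirs_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)` — so a directory mplayer_t creates on tmpfs would be assigned a type it holds no `dir create` permission for and the creation is denied; either add the dirs pattern or drop `dir` from the list, as the mozilla_t rule earlier in this patch does, and put the missing space after the comma. The `allow_mplayer_execstack` tunable is described as "Allow mplayer executable stack", yet both its branches grant `{ execmem execstack }` (for mencoder_t and for mplayer_t) while execmem already has its own `allow_execmem` tunable; either trim the rule to `execstack` or extend the description so an administrator enabling it knows it also permits writable-and-executable memory. `files_read_non_security_files(mplayer_t)` gives a media player read access to essentially every non-security-labelled file on the system; the comment that follows only explains the home listing, so a comment naming what actually needs that breadth would let a later reviewer judge whether it can be narrowed.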
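Review bot: `/etc/mrtg.*` uses an unescaped `.` followed by `*`, so it labels every path beginning with `/etc/mrtg` — the directory tree, any `/etc/mrtg.<ext>` file, and any unrelated `/etc/mrtgsomething` — unlike the `(/.*)?` form the other directory entries in this file use; if only the directory is meant, `/etc/mrtg(/.*)?` is the conventional spelling, and if the wider match is deliberate a comment should say what it is for. `/etc/mrtg/mrtg\.ok` sits under the `# /usr` heading although it is an `/etc` path; move it up beside the rule it overrides so the override is visible. `/var/run/mrtg\.pid` is the only regular-file entry without the `--` class qualifier the others carry.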
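Review bot: `mrtg_append_create_logs` grants append and create on `mrtg_log_t` files (and, through the patterns, search on `mrtg_log_t` directories), but nothing lets the caller search the parent log directory to get there; the comparable interfaces in this patch pair their pattern with a search rule (`files_search_var_lib($1)` in mpd.if), and the matching call here would be `logging_search_logs($1)`. If every intended caller is expected to have that already, a sentence in the summary saying so would spare the next reader the check.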
@@ -0,0 +1,160 @@
+policy_module(mrtg, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type mrtg_t;
+type mrtg_exec_t;
+init_system_domain(mrtg_t, mrtg_exec_t)
+
+type mrtg_etc_t;
+files_config_file(mrtg_etc_t)
+
+type mrtg_lock_t;
+files_lock_file(mrtg_lock_t)
+
+type mrtg_log_t;
+logging_log_file(mrtg_log_t)
+
+type mrtg_var_lib_t;
+files_type(mrtg_var_lib_t)
+
+type mrtg_var_run_t;
+files_pid_file(mrtg_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mrtg_t self:capability { setgid setuid chown };
+dontaudit mrtg_t self:capability sys_tty_config;
+allow mrtg_t self:process signal_perms;
+allow mrtg_t self:fifo_file rw_fifo_file_perms;
+allow mrtg_t self:unix_stream_socket create_socket_perms;
+allow mrtg_t self:tcp_socket create_socket_perms;
+allow mrtg_t self:udp_socket create_socket_perms;
+
+allow mrtg_t mrtg_etc_t:dir list_dir_perms;
+read_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
+read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
+dontaudit mrtg_t mrtg_etc_t:dir write;
+dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
+
+manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
+manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
+
+manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })
+
+manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
+manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
+
+allow mrtg_t mrtg_var_run_t:file manage_file_perms;
+files_pid_filetrans(mrtg_t, mrtg_var_run_t, file)
+
+kernel_read_system_state(mrtg_t)
+kernel_read_network_state(mrtg_t)
+kernel_read_kernel_sysctls(mrtg_t)
+
+corecmd_exec_bin(mrtg_t)
+corecmd_exec_shell(mrtg_t)
+
+corenet_all_recvfrom_unlabeled(mrtg_t)
+corenet_all_recvfrom_netlabel(mrtg_t)
+corenet_tcp_sendrecv_generic_if(mrtg_t)
+corenet_udp_sendrecv_generic_if(mrtg_t)
+corenet_tcp_sendrecv_generic_node(mrtg_t)
+corenet_udp_sendrecv_generic_node(mrtg_t)
+corenet_tcp_sendrecv_all_ports(mrtg_t)
+corenet_udp_sendrecv_all_ports(mrtg_t)
+corenet_tcp_connect_all_ports(mrtg_t)
+corenet_sendrecv_all_client_packets(mrtg_t)
+
+dev_read_sysfs(mrtg_t)
+dev_read_urand(mrtg_t)
+
+domain_use_interactive_fds(mrtg_t)
+domain_dontaudit_search_all_domains_state(mrtg_t)
+
+files_read_usr_files(mrtg_t)
+files_search_var(mrtg_t)
+files_search_locks(mrtg_t)
+files_search_var_lib(mrtg_t)
+files_search_spool(mrtg_t)
+files_getattr_tmp_dirs(mrtg_t)
+# for uptime
+files_read_etc_runtime_files(mrtg_t)
+# read config files
+files_read_etc_files(mrtg_t)
+
+fs_search_auto_mountpoints(mrtg_t)
+fs_getattr_xattr_fs(mrtg_t)
+fs_list_inotifyfs(mrtg_t)
+
+term_dontaudit_use_console(mrtg_t)
+
+init_use_fds(mrtg_t)
+init_use_script_ptys(mrtg_t)
+# for uptime
+init_read_utmp(mrtg_t)
+init_dontaudit_write_utmp(mrtg_t)
+
+auth_use_nsswitch(mrtg_t)
+
+libs_read_lib_files(mrtg_t)
+
+logging_send_syslog_msg(mrtg_t)
+
+miscfiles_read_localization(mrtg_t)
+
+selinux_dontaudit_getattr_dir(mrtg_t)
+
+userdom_use_user_terminals(mrtg_t)
+userdom_dontaudit_read_user_home_content_files(mrtg_t)
+userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+
+netutils_domtrans_ping(mrtg_t)
+
+ifdef(`enable_mls',`
+ corenet_udp_sendrecv_lo_if(mrtg_t)
+')
+
+ifdef(`distro_redhat',`
+ allow mrtg_t mrtg_lock_t:file manage_file_perms;
+ filetrans_pattern(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
+')
+
+optional_policy(`
+ apache_manage_sys_content(mrtg_t)
+')
+
+optional_policy(`
+ cron_system_entry(mrtg_t, mrtg_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(mrtg_t)
+')
+
+optional_policy(`
+ hddtemp_domtrans(mrtg_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(mrtg_t)
+')
+
+optional_policy(`
+ quota_dontaudit_getattr_db(mrtg_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(mrtg_t)
+')
+
+optional_policy(`
+ udev_read_db(mrtg_t)
+')
diff --git a/mta.fc b/mta.fc
new file mode 100644
index 0000000..256166a
--- /dev/null
+++ b/mta.fc
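Review bot: `corenet_tcp_connect_all_ports(mrtg_t)` together with the `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` lines at the top of the networking section lets mrtg_t open a TCP connection to every labelled port on the system, and since the domain also gets `corecmd_exec_shell(mrtg_t)` and runs from cron, that is a wide reach for a traffic grapher. If SNMP polling is the only remote protocol the deployment relies on, `corenet_udp_sendrecv_snmp_port(mrtg_t)` and `corenet_tcp_connect_snmp_port(mrtg_t)` would bound it, and where all-ports access must stay, a comment naming the probe that needs it would record the trade-off. The `dontaudit mrtg_t mrtg_etc_t:dir write;` pair would also read better with a one-line comment tying it to the `distro_redhat` block further down that keeps the lock file under `/etc/mrtg`.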
@@ -0,0 +1,30 @@
+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+
+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
+/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+')
+
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+
+/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
new file mode 100644
index 0000000..343cee3
--- /dev/null
+++ b/mta.if
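Review bot: `/var/spool/imap(/.*)?` is labelled `mail_spool_t`, the same type as `/var/mail` and `/var/spool/mail`, so every domain that is given `mta_manage_spool`/`mta_rw_spool` or carries the `mailserver_delivery` attribute also gets that access over the IMAP spool. If the IMAP server's own module provides a spool type, that is the narrower label; if sharing the type is intended, a comment on the line such as `# shared with local delivery agents` would record the decision for the next reader.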
@@ -0,0 +1,901 @@
+## Policy common to all email tranfer agents.
+
+########################################
+##
+## MTA stub interface. No access allowed.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_stub',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+')
+
+#######################################
+##
+## Basic mail transfer agent domain template.
+##
+##
+##

+## This template creates a derived domain which is
+## a email transfer agent, which sends mail on
+## behalf of the user.
+##

+##

+## This is the basic types and rules, common
+## to the system agent and user agents.
+##

+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+#
+template(`mta_base_mail_template',`
+
+ gen_require(`
+ attribute user_mail_domain;
+ type sendmail_exec_t;
+ ')
+
+ ##############################
+ #
+ # $1_mail_t declarations
+ #
+
+ type $1_mail_t, user_mail_domain;
+ application_domain($1_mail_t, sendmail_exec_t)
+
+ type $1_mail_tmp_t;
+ files_tmp_file($1_mail_tmp_t)
+
+ ##############################
+ #
+ # $1_mail_t local policy
+ #
+
+ allow $1_mail_t self:capability { setuid setgid chown };
+ allow $1_mail_t self:process { signal_perms setrlimit };
+ allow $1_mail_t self:tcp_socket create_socket_perms;
+
+ # re-exec itself
+ can_exec($1_mail_t, sendmail_exec_t)
+ allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
+
+ kernel_read_system_state($1_mail_t)
+ kernel_read_kernel_sysctls($1_mail_t)
+
+ corenet_all_recvfrom_unlabeled($1_mail_t)
+ corenet_all_recvfrom_netlabel($1_mail_t)
+ corenet_tcp_sendrecv_generic_if($1_mail_t)
+ corenet_tcp_sendrecv_generic_node($1_mail_t)
+ corenet_tcp_sendrecv_all_ports($1_mail_t)
+ corenet_tcp_connect_all_ports($1_mail_t)
+ corenet_tcp_connect_smtp_port($1_mail_t)
+ corenet_sendrecv_smtp_client_packets($1_mail_t)
+
+ corecmd_exec_bin($1_mail_t)
+
+ files_read_etc_files($1_mail_t)
+ files_search_spool($1_mail_t)
+ # It wants to check for nscd
+ files_dontaudit_search_pids($1_mail_t)
+
+ auth_use_nsswitch($1_mail_t)
+
+ init_dontaudit_rw_utmp($1_mail_t)
+
+ logging_send_syslog_msg($1_mail_t)
+
+ miscfiles_read_localization($1_mail_t)
+
+ optional_policy(`
+ exim_read_log($1_mail_t)
+ exim_append_log($1_mail_t)
+ exim_manage_spool_files($1_mail_t)
+ ')
+
+ optional_policy(`
+ postfix_domtrans_user_mail_handler($1_mail_t)
+ ')
+
+ optional_policy(`
+ procmail_exec($1_mail_t)
+ ')
+
+ optional_policy(`
+ qmail_domtrans_inject($1_mail_t)
+ ')
+
+ optional_policy(`
+ gen_require(`
+ type etc_mail_t, mail_spool_t, mqueue_spool_t;
+ ')
+
+ manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+ manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+ files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
+
+ allow $1_mail_t etc_mail_t:dir search_dir_perms;
+
+ # Write to /var/spool/mail and /var/spool/mqueue.
+ manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
+ manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t)
+
+ # Check available space.
+ fs_getattr_xattr_fs($1_mail_t)
+
+ files_read_etc_runtime_files($1_mail_t)
+
+ # Write to /var/log/sendmail.st
+ sendmail_manage_log($1_mail_t)
+ sendmail_create_log($1_mail_t)
+ ')
+
+ optional_policy(`
+ uucp_manage_spool($1_mail_t)
+ ')
+')
+
+########################################
+##
+## Role access for mta
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`mta_role',`
+ gen_require(`
+ attribute mta_user_agent;
+ type user_mail_t, sendmail_exec_t;
+ ')
+
+ role $1 types { user_mail_t mta_user_agent };
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, sendmail_exec_t, user_mail_t)
+ allow $2 sendmail_exec_t:lnk_file { getattr read };
+
+ allow mta_user_agent $2:fd use;
+ allow mta_user_agent $2:process sigchld;
+ allow mta_user_agent $2:fifo_file { read write };
+')
+
+########################################
+##
+## Make the specified domain usable for a mail server.
+##
+##
+##
+## Type to be used as a mail server domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+#
+interface(`mta_mailserver',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ init_daemon_domain($1, $2)
+ typeattribute $1 mailserver_domain;
+')
+
+########################################
+##
+## Make the specified type a MTA executable file.
+##
+##
+##
+## Type to be used as a mail client.
+##
+##
+#
+interface(`mta_agent_executable',`
+ gen_require(`
+ attribute mta_exec_type;
+ ')
+
+ typeattribute $1 mta_exec_type;
+
+ application_executable_file($1)
+')
+
+########################################
+##
+## Make the specified type by a system MTA.
+##
+##
+##
+## Type to be used as a mail client.
+##
+##
+#
+interface(`mta_system_content',`
+ gen_require(`
+ attribute mailcontent_type;
+ ')
+
+ typeattribute $1 mailcontent_type;
+')
+
+########################################
+##
+## Modified mailserver interface for
+## sendmail daemon use.
+##
+##
+##

+## A modified MTA mail server interface for
+## the sendmail program. It's design does
+## not fit well with policy, and using the
+## regular interface causes a type_transition
+## conflict if direct running of init scripts
+## is enabled.
+##

+##

+## This interface should most likely only be used
+## by the sendmail policy.
+##

+##
+##
+##
+## The type to be used for the mail server.
+##
+##
+#
+interface(`mta_sendmail_mailserver',`
+ gen_require(`
+ attribute mailserver_domain;
+ type sendmail_exec_t;
+ ')
+
+ init_system_domain($1, sendmail_exec_t)
+ typeattribute $1 mailserver_domain;
+')
+
+#######################################
+##
+## Make a type a mailserver type used
+## for sending mail.
+##
+##
+##
+## Mail server domain type used for sending mail.
+##
+##
+#
+interface(`mta_mailserver_sender',`
+ gen_require(`
+ attribute mailserver_sender;
+ ')
+
+ typeattribute $1 mailserver_sender;
+')
+
+#######################################
+##
+## Make a type a mailserver type used
+## for delivering mail to local users.
+##
+##
+##
+## Mail server domain type used for delivering mail.
+##
+##
+#
+interface(`mta_mailserver_delivery',`
+ gen_require(`
+ attribute mailserver_delivery;
+ type mail_spool_t;
+ ')
+
+ typeattribute $1 mailserver_delivery;
+')
+
+#######################################
+##
+## Make a type a mailserver type used
+## for sending mail on behalf of local
+## users to the local mail spool.
+##
+##
+##
+## Mail server domain type used for sending local mail.
+##
+##
+#
+interface(`mta_mailserver_user_agent',`
+ gen_require(`
+ attribute mta_user_agent;
+ ')
+
+ typeattribute $1 mta_user_agent;
+
+ optional_policy(`
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_sockets($1)
+ apache_dontaudit_rw_sys_script_stream_sockets($1)
+ ')
+')
+
+########################################
+##
+## Send mail from the system.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mta_send_mail',`
+ gen_require(`
+ attribute mta_user_agent;
+ type system_mail_t;
+ attribute mta_exec_type;
+ ')
+
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ corecmd_read_bin_symlinks($1)
+ domtrans_pattern($1, mta_exec_type, system_mail_t)
+
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+ allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Execute send mail in a specified domain.
+##
+##
+##

+## Execute send mail in a specified domain.
+##

+##

+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##

+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Domain to transition to.
+##
+##
+#
+interface(`mta_sendmail_domtrans',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_read_bin_symlinks($1)
+ domain_auto_trans($1, sendmail_exec_t, $2)
+')
+
+########################################
+##
+## Send system mail client a signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`mta_signal_system_mail',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ allow $1 system_mail_t:process signal;
+')
+
+########################################
+##
+## Execute sendmail in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_sendmail_exec',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ can_exec($1, sendmail_exec_t)
+')
+
+########################################
+##
+## Read mail server configuration.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mta_read_config',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_mail_t:dir list_dir_perms;
+ read_files_pattern($1, etc_mail_t, etc_mail_t)
+ read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
+')
+
+########################################
+##
+## write mail server configuration.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mta_write_config',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ write_files_pattern($1, etc_mail_t, etc_mail_t)
+')
+
+########################################
+##
+## Read mail address aliases.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_read_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_aliases_t:file read_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete mail address aliases.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_manage_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+')
+
+########################################
+##
+## Type transition files created in /etc
+## to the mail address aliases type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_etc_filetrans_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_etc_filetrans($1, etc_aliases_t, file)
+')
+
+########################################
+##
+## Read and write mail aliases.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mta_rw_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_aliases_t:file { rw_file_perms setattr };
+')
+
+#######################################
+##
+## Do not audit attempts to read and write TCP
+## sockets of mail delivery domains.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+ gen_require(`
+ attribute mailserver_delivery;
+ ')
+
+ dontaudit $1 mailserver_delivery:tcp_socket { read write };
+')
+
+#######################################
+##
+## Connect to all mail servers over TCP. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_tcp_connect_all_mailservers',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+#######################################
+##
+## Do not audit attempts to read a symlink
+## in the mail spool.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mta_dontaudit_read_spool_symlinks',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ dontaudit $1 mail_spool_t:lnk_file read;
+')
+
+########################################
+##
+## Get the attributes of mail spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_getattr_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+ getattr_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes
+## of mail spool files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mta_dontaudit_getattr_spool_files',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_dontaudit_search_spool($1)
+ dontaudit $1 mail_spool_t:dir search_dir_perms;
+ dontaudit $1 mail_spool_t:lnk_file read;
+ dontaudit $1 mail_spool_t:file getattr;
+')
+
+#######################################
+##
+## Create private objects in the
+## mail spool directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+#
+interface(`mta_spool_filetrans',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, mail_spool_t, $2, $3)
+')
+
+########################################
+##
+## Read and write the mail spool.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_rw_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+ allow $1 mail_spool_t:file setattr;
+ rw_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+#######################################
+##
+## Create, read, and write the mail spool.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_append_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+ create_files_pattern($1, mail_spool_t, mail_spool_t)
+ write_files_pattern($1, mail_spool_t, mail_spool_t)
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+#######################################
+##
+## Delete from the mail spool.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_delete_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ delete_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+########################################
+##
+## Create, read, write, and delete mail spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_manage_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
+ manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+')
+
+########################################
+##
+## Search mail queue dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_search_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mqueue_spool_t:dir search_dir_perms;
+')
+
+#######################################
+##
+## List the mail queue.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_list_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ allow $1 mqueue_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+#######################################
+##
+## Read the mail queue.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_read_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ files_search_spool($1)
+')
+
+#######################################
+##
+## Do not audit attempts to read and
+## write the mail queue.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`mta_dontaudit_rw_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ dontaudit $1 mqueue_spool_t:dir search_dir_perms;
+ dontaudit $1 mqueue_spool_t:file { getattr read write };
+')
+
+########################################
+##
+## Create, read, write, and delete
+## mail queue files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_manage_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+')
+
+#######################################
+##
+## Read sendmail binary.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+# cjp: added for postfix
+interface(`mta_read_sendmail_bin',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ allow $1 sendmail_exec_t:file read_file_perms;
+')
+
+#######################################
+##
+## Read and write unix domain stream sockets
+## of user mail domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_rw_user_mail_stream_sockets',`
+ gen_require(`
+ attribute user_mail_domain;
+ ')
+
+ allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+')
diff --git a/mta.te b/mta.te
new file mode 100644
index 0000000..64268e4
--- /dev/null
+++ b/mta.te
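Review bot: `mta_write_config` grants `write_files_pattern($1, etc_mail_t, etc_mail_t)` but, unlike `mta_read_config` directly above it, never calls `files_search_etc($1)`, so a caller that cannot already traverse `/etc` is denied on the directory rather than on the file it was meant to reach; adding `files_search_etc($1)` before the pattern call restores parity with the read interface. `mta_mailserver_delivery` also requires `type mail_spool_t` that its body never references, and the first line of the file spells `transfer` as `tranfer`.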
@@ -0,0 +1,294 @@
+policy_module(mta, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mailcontent_type;
+attribute mta_exec_type;
+attribute mta_user_agent;
+attribute mailserver_delivery;
+attribute mailserver_domain;
+attribute mailserver_sender;
+
+attribute user_mail_domain;
+
+type etc_aliases_t;
+files_type(etc_aliases_t)
+
+type etc_mail_t;
+files_config_file(etc_mail_t)
+
+type mail_forward_t;
+files_type(mail_forward_t)
+
+type mqueue_spool_t;
+files_mountpoint(mqueue_spool_t)
+
+type mail_spool_t;
+files_mountpoint(mail_spool_t)
+
+type sendmail_exec_t;
+mta_agent_executable(sendmail_exec_t)
+
+mta_base_mail_template(system)
+role system_r types system_mail_t;
+
+mta_base_mail_template(user)
+typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
+typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
+typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
+typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
+ubac_constrained(user_mail_t)
+ubac_constrained(user_mail_tmp_t)
+
+########################################
+#
+# System mail local policy
+#
+
+# newalias required this, not sure if it is needed in 'if' file
+allow system_mail_t self:capability { dac_override fowner };
+allow system_mail_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+
+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+
+allow system_mail_t mail_forward_t:file read_file_perms;
+
+allow system_mail_t mta_exec_type:file entrypoint;
+
+can_exec(system_mail_t, mta_exec_type)
+
+kernel_read_system_state(system_mail_t)
+kernel_read_network_state(system_mail_t)
+kernel_request_load_module(system_mail_t)
+
+dev_read_sysfs(system_mail_t)
+dev_read_rand(system_mail_t)
+dev_read_urand(system_mail_t)
+
+files_read_usr_files(system_mail_t)
+
+fs_rw_anon_inodefs_files(system_mail_t)
+
+selinux_getattr_fs(system_mail_t)
+
+term_dontaudit_use_unallocated_ttys(system_mail_t)
+
+init_use_script_ptys(system_mail_t)
+
+userdom_use_user_terminals(system_mail_t)
+userdom_dontaudit_search_user_home_dirs(system_mail_t)
+
+optional_policy(`
+ apache_read_squirrelmail_data(system_mail_t)
+ apache_append_squirrelmail_data(system_mail_t)
+
+ # apache should set close-on-exec
+ apache_dontaudit_append_log(system_mail_t)
+ apache_dontaudit_rw_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_tcp_sockets(system_mail_t)
+ apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+')
+
+optional_policy(`
+ arpwatch_manage_tmp_files(system_mail_t)
+
+ ifdef(`hide_broken_symptoms', `
+ arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+ ')
+')
+
+optional_policy(`
+ clamav_stream_connect(system_mail_t)
+ clamav_append_log(system_mail_t)
+')
+
+optional_policy(`
+ cron_read_system_job_tmp_files(system_mail_t)
+ cron_dontaudit_write_pipes(system_mail_t)
+ cron_rw_system_job_stream_sockets(system_mail_t)
+')
+
+optional_policy(`
+ courier_manage_spool_dirs(system_mail_t)
+ courier_manage_spool_files(system_mail_t)
+ courier_rw_spool_pipes(system_mail_t)
+')
+
+optional_policy(`
+ cvs_read_data(system_mail_t)
+')
+
+optional_policy(`
+ exim_domtrans(system_mail_t)
+ exim_manage_log(system_mail_t)
+')
+
+optional_policy(`
+ fail2ban_append_log(system_mail_t)
+')
+
+optional_policy(`
+ logrotate_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ logwatch_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ # newaliases runs as system_mail_t when the sendmail initscript does a restart
+ milter_getattr_all_sockets(system_mail_t)
+')
+
+optional_policy(`
+ nagios_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
+ manage_dirs_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
+
+ domain_use_interactive_fds(system_mail_t)
+
+ # postfix needs this for newaliases
+ files_getattr_tmp_dirs(system_mail_t)
+
+ postfix_exec_master(system_mail_t)
+ postfix_read_config(system_mail_t)
+ postfix_search_spool(system_mail_t)
+
+ ifdef(`distro_redhat',`
+ # compatability for old default main.cf
+ postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
+ ')
+')
+
+optional_policy(`
+ qmail_domtrans_inject(system_mail_t)
+')
+
+optional_policy(`
+ sxid_read_log(system_mail_t)
+')
+
+optional_policy(`
+ userdom_dontaudit_use_user_ptys(system_mail_t)
+
+ optional_policy(`
+ cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+ ')
+')
+
+optional_policy(`
+ smartmon_read_tmp_files(system_mail_t)
+')
+
+# should break this up among sections:
+
+optional_policy(`
+ # why is mail delivered to a directory of type arpwatch_data_t?
+ arpwatch_search_data(mailserver_delivery)
+ arpwatch_manage_tmp_files(mta_user_agent)
+
+ ifdef(`hide_broken_symptoms', `
+ arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
+ ')
+
+ optional_policy(`
+ cron_read_system_job_tmp_files(mta_user_agent)
+ ')
+')
+
+########################################
+#
+# Mailserver delivery local policy
+#
+
+allow mailserver_delivery mail_spool_t:dir list_dir_perms;
+create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+
+read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
+
+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mailserver_delivery)
+ fs_manage_cifs_files(mailserver_delivery)
+ fs_manage_cifs_symlinks(mailserver_delivery)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mailserver_delivery)
+ fs_manage_nfs_files(mailserver_delivery)
+ fs_manage_nfs_symlinks(mailserver_delivery)
+')
+
+optional_policy(`
+ dovecot_manage_spool(mailserver_delivery)
+ dovecot_domtrans_deliver(mailserver_delivery)
+')
+
+optional_policy(`
+ # so MTA can access /var/lib/mailman/mail/wrapper
+ files_search_var_lib(mailserver_delivery)
+
+ mailman_domtrans(mailserver_delivery)
+ mailman_read_data_symlinks(mailserver_delivery)
+')
+
+########################################
+#
+# User send mail local policy
+#
+
+domain_use_interactive_fds(user_mail_t)
+
+userdom_use_user_terminals(user_mail_t)
+# Write to the user domain tty. cjp: why?
+userdom_use_user_terminals(mta_user_agent)
+# Create dead.letter in user home directories.
+userdom_manage_user_home_content_files(user_mail_t)
+userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+userdom_manage_user_home_content_dirs(mailserver_delivery)
+userdom_manage_user_home_content_files(mailserver_delivery)
+userdom_manage_user_home_content_symlinks(mailserver_delivery)
+userdom_manage_user_home_content_pipes(mailserver_delivery)
+userdom_manage_user_home_content_sockets(mailserver_delivery)
+userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
+# Read user temporary files.
+userdom_read_user_tmp_files(user_mail_t)
+userdom_dontaudit_append_user_tmp_files(user_mail_t)
+# cjp: this should probably be read all user tmp
+# files in an appropriate place for mta_user_agent
+userdom_read_user_tmp_files(mta_user_agent)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(user_mail_t)
+ fs_manage_cifs_symlinks(user_mail_t)
+')
+
+optional_policy(`
+ allow user_mail_t self:capability dac_override;
+
+ # Read user temporary files.
+ # postfix seems to need write access if the file handle is opened read/write
+ userdom_rw_user_tmp_files(user_mail_t)
+
+ postfix_read_config(user_mail_t)
+ postfix_list_spool(user_mail_t)
+')
diff --git a/munin.fc b/munin.fc
new file mode 100644
index 0000000..fd71d69
--- /dev/null
+++ b/munin.fc
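Review bot: `allow user_mail_t self:capability dac_override;` in the postfix `optional_policy` block at the end of the file lets a user-launched mail client bypass DAC permission checks on every object its type rules already reach, and the only nearby justification is the comment about tmp files opened read/write, which the `userdom_rw_user_tmp_files(user_mail_t)` line in the same block already covers. Please add a comment naming the postfix operation that actually needs the capability, or drop the line and re-test; the `dac_override fowner` grant on `system_mail_t` near the top of the file deserves the same treatment, since its own comment says the author is unsure it is needed.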
@@ -0,0 +1,69 @@
+/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
+/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
+
+/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+
+# disk plugins
+/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+
+# mail plugins
+/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+
+# services plugins
+/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+
+# system plugins
+/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+
+/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
+/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
diff --git a/munin.if b/munin.if
new file mode 100644
index 0000000..c358d8f
--- /dev/null
+++ b/munin.if
@@ -0,0 +1,203 @@
+## Munin network-wide load graphing (formerly LRRD)
+
+########################################
+##
+## Create a set of derived types for various
+## munin plugins,
+##
+##
+##
+## The name to be used for deriving type names.
+##
+##
+#
+template(`munin_plugin_template',`
+ gen_require(`
+ type munin_t, munin_exec_t, munin_etc_t;
+ ')
+
+ type $1_munin_plugin_t;
+ type $1_munin_plugin_exec_t;
+ typealias $1_munin_plugin_t alias munin_$1_plugin_t;
+ typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
+ application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t)
+ role system_r types $1_munin_plugin_t;
+
+ type $1_munin_plugin_tmp_t;
+ typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t;
+ files_tmp_file($1_munin_plugin_tmp_t)
+
+ allow $1_munin_plugin_t self:fifo_file rw_fifo_file_perms;
+
+ manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
+
+ # automatic transition rules from munin domain
+ # to specific munin plugin domain
+ domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
+
+ allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
+ allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
+
+ read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
+
+ kernel_read_system_state($1_munin_plugin_t)
+
+ corecmd_exec_bin($1_munin_plugin_t)
+
+ miscfiles_read_localization($1_munin_plugin_t)
+')
+
+########################################
+##
+## Connect to munin over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`munin_stream_connect',`
+ gen_require(`
+ type munin_var_run_t, munin_t;
+ ')
+
+ allow $1 munin_t:unix_stream_socket connectto;
+ allow $1 munin_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
+')
+
+#######################################
+##
+## Read munin configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`munin_read_config',`
+ gen_require(`
+ type munin_etc_t;
+ ')
+
+ allow $1 munin_etc_t:dir list_dir_perms;
+ allow $1 munin_etc_t:file read_file_perms;
+ allow $1 munin_etc_t:lnk_file { getattr read };
+ files_search_etc($1)
+')
+
+#######################################
+##
+## Append to the munin log.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`munin_append_log',`
+ gen_require(`
+ type munin_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 munin_log_t:dir list_dir_perms;
+ append_files_pattern($1, munin_log_t, munin_log_t)
+')
+
+#######################################
+##
+## Search munin library directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`munin_search_lib',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ allow $1 munin_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+#######################################
+##
+## Do not audit attempts to search
+## munin library directories.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`munin_dontaudit_search_lib',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ dontaudit $1 munin_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an munin environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the munin domain.
+##
+##
+##
+#
+interface(`munin_admin',`
+ gen_require(`
+ type munin_t, munin_etc_t, munin_tmp_t;
+ type munin_log_t, munin_var_lib_t, munin_var_run_t;
+ type httpd_munin_content_t;
+ type munin_initrc_exec_t;
+ ')
+
+ allow $1 munin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, munin_t)
+
+ init_labeled_script_domtrans($1, munin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 munin_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, munin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, munin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, munin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, munin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, munin_var_run_t)
+
+ admin_pattern($1, httpd_munin_content_t)
+')
diff --git a/munin.te b/munin.te
new file mode 100644
index 0000000..f17583b
--- /dev/null
+++ b/munin.te
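Review bot: `munin_stream_connect` hand-writes the socket rules (`allow $1 munin_t:unix_stream_socket connectto;` and `allow $1 munin_var_run_t:sock_file { getattr write };`) while `mysql_stream_connect` in this same commit uses the standard macro; the consistent form is `stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)` followed by the existing `files_search_pids($1)`. The macro's permission set is slightly wider (directory search plus the usual sock_file write set), which is what a connecting caller generally needs anyway, so this is a style and maintainability point rather than a change in effective access. Separately, the summary of `munin_plugin_template` ends in a comma (`## munin plugins,`); it should end in a period like the other summaries in this file.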
@@ -0,0 +1,315 @@
+policy_module(munin, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type munin_t alias lrrd_t;
+type munin_exec_t alias lrrd_exec_t;
+init_daemon_domain(munin_t, munin_exec_t)
+
+type munin_etc_t alias lrrd_etc_t;
+files_config_file(munin_etc_t)
+
+type munin_initrc_exec_t;
+init_script_file(munin_initrc_exec_t)
+
+type munin_log_t alias lrrd_log_t;
+logging_log_file(munin_log_t)
+
+type munin_tmp_t alias lrrd_tmp_t;
+files_tmp_file(munin_tmp_t)
+
+type munin_var_lib_t alias lrrd_var_lib_t;
+files_type(munin_var_lib_t)
+
+type munin_var_run_t alias lrrd_var_run_t;
+files_pid_file(munin_var_run_t)
+
+munin_plugin_template(disk)
+
+munin_plugin_template(mail)
+
+munin_plugin_template(services)
+
+munin_plugin_template(system)
+
+########################################
+#
+# Local policy
+#
+
+allow munin_t self:capability { chown dac_override setgid setuid };
+dontaudit munin_t self:capability sys_tty_config;
+allow munin_t self:process { getsched setsched signal_perms };
+allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
+allow munin_t self:tcp_socket create_stream_socket_perms;
+allow munin_t self:udp_socket create_socket_perms;
+allow munin_t self:fifo_file manage_fifo_file_perms;
+
+allow munin_t munin_etc_t:dir list_dir_perms;
+read_files_pattern(munin_t, munin_etc_t, munin_etc_t)
+read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t)
+files_search_etc(munin_t)
+
+can_exec(munin_t, munin_exec_t)
+
+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
+manage_files_pattern(munin_t, munin_log_t, munin_log_t)
+logging_log_filetrans(munin_t, munin_log_t, { file dir })
+
+manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
+
+# Allow access to the munin databases
+manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+files_search_var_lib(munin_t)
+
+manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+files_pid_filetrans(munin_t, munin_var_run_t, file)
+
+kernel_read_system_state(munin_t)
+kernel_read_network_state(munin_t)
+kernel_read_all_sysctls(munin_t)
+
+corecmd_exec_bin(munin_t)
+corecmd_exec_shell(munin_t)
+
+corenet_all_recvfrom_unlabeled(munin_t)
+corenet_all_recvfrom_netlabel(munin_t)
+corenet_tcp_sendrecv_generic_if(munin_t)
+corenet_udp_sendrecv_generic_if(munin_t)
+corenet_tcp_sendrecv_generic_node(munin_t)
+corenet_udp_sendrecv_generic_node(munin_t)
+corenet_tcp_sendrecv_all_ports(munin_t)
+corenet_udp_sendrecv_all_ports(munin_t)
+corenet_tcp_bind_generic_node(munin_t)
+corenet_tcp_bind_munin_port(munin_t)
+corenet_tcp_connect_munin_port(munin_t)
+corenet_tcp_connect_http_port(munin_t)
+
+dev_read_sysfs(munin_t)
+dev_read_urand(munin_t)
+
+domain_use_interactive_fds(munin_t)
+domain_read_all_domains_state(munin_t)
+
+files_read_etc_files(munin_t)
+files_read_etc_runtime_files(munin_t)
+files_read_usr_files(munin_t)
+files_list_spool(munin_t)
+
+fs_getattr_all_fs(munin_t)
+fs_search_auto_mountpoints(munin_t)
+
+auth_use_nsswitch(munin_t)
+
+logging_send_syslog_msg(munin_t)
+logging_read_all_logs(munin_t)
+
+miscfiles_read_fonts(munin_t)
+miscfiles_read_localization(munin_t)
+
+sysnet_exec_ifconfig(munin_t)
+
+userdom_dontaudit_use_unpriv_user_fds(munin_t)
+userdom_dontaudit_search_user_home_dirs(munin_t)
+
+optional_policy(`
+ apache_content_template(munin)
+
+ manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+ apache_search_sys_content(munin_t)
+')
+
+optional_policy(`
+ cron_system_entry(munin_t, munin_exec_t)
+')
+
+optional_policy(`
+ fstools_domtrans(munin_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(munin_t)
+')
+
+optional_policy(`
+ mta_read_config(munin_t)
+ mta_send_mail(munin_t)
+ mta_read_queue(munin_t)
+')
+
+optional_policy(`
+ mysql_read_config(munin_t)
+ mysql_stream_connect(munin_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(munin_t)
+')
+
+optional_policy(`
+ postfix_list_spool(munin_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(munin_t)
+')
+
+optional_policy(`
+ sendmail_read_log(munin_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(munin_t)
+')
+
+optional_policy(`
+ udev_read_db(munin_t)
+')
+
+###################################
+#
+# local policy for disk plugins
+#
+
+allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+
+rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+corecmd_exec_shell(disk_munin_plugin_t)
+
+corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
+
+files_read_etc_files(disk_munin_plugin_t)
+files_read_etc_runtime_files(disk_munin_plugin_t)
+
+fs_getattr_all_fs(disk_munin_plugin_t)
+
+dev_read_sysfs(disk_munin_plugin_t)
+dev_read_urand(disk_munin_plugin_t)
+
+storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
+
+sysnet_read_config(disk_munin_plugin_t)
+
+optional_policy(`
+ hddtemp_exec(disk_munin_plugin_t)
+')
+
+optional_policy(`
+ fstools_exec(disk_munin_plugin_t)
+')
+
+####################################
+#
+# local policy for mail plugins
+#
+
+allow mail_munin_plugin_t self:capability dac_override;
+
+rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+dev_read_urand(mail_munin_plugin_t)
+
+files_read_etc_files(mail_munin_plugin_t)
+
+fs_getattr_all_fs(mail_munin_plugin_t)
+
+logging_read_generic_logs(mail_munin_plugin_t)
+
+mta_read_config(mail_munin_plugin_t)
+mta_send_mail(mail_munin_plugin_t)
+mta_read_queue(mail_munin_plugin_t)
+
+optional_policy(`
+ postfix_read_config(mail_munin_plugin_t)
+ postfix_list_spool(mail_munin_plugin_t)
+')
+
+optional_policy(`
+ sendmail_read_log(mail_munin_plugin_t)
+')
+
+###################################
+#
+# local policy for service plugins
+#
+
+allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+allow services_munin_plugin_t self:udp_socket create_socket_perms;
+allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_tcp_connect_all_ports(services_munin_plugin_t)
+corenet_tcp_connect_http_port(services_munin_plugin_t)
+
+dev_read_urand(services_munin_plugin_t)
+dev_read_rand(services_munin_plugin_t)
+
+fs_getattr_all_fs(services_munin_plugin_t)
+
+files_read_etc_files(services_munin_plugin_t)
+
+sysnet_read_config(services_munin_plugin_t)
+
+optional_policy(`
+ cups_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+ lpd_exec_lpr(services_munin_plugin_t)
+')
+
+optional_policy(`
+ mysql_read_config(services_munin_plugin_t)
+ mysql_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(services_munin_plugin_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(services_munin_plugin_t)
+')
+
+##################################
+#
+# local policy for system plugins
+#
+
+allow system_munin_plugin_t self:udp_socket create_socket_perms;
+
+rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+kernel_read_network_state(system_munin_plugin_t)
+kernel_read_all_sysctls(system_munin_plugin_t)
+
+corecmd_exec_shell(system_munin_plugin_t)
+
+fs_getattr_all_fs(system_munin_plugin_t)
+
+dev_read_sysfs(system_munin_plugin_t)
+dev_read_urand(system_munin_plugin_t)
+
+domain_read_all_domains_state(system_munin_plugin_t)
+
+# needed by users plugin
+init_read_utmp(system_munin_plugin_t)
+
+sysnet_exec_ifconfig(system_munin_plugin_t)
+
+term_getattr_unallocated_ttys(system_munin_plugin_t)
diff --git a/mysql.fc b/mysql.fc
new file mode 100644
index 0000000..cc7192c
--- /dev/null
+++ b/mysql.fc
@@ -0,0 +1,30 @@
+# mysql database server
+
+#
+# /etc
+#
+/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+
+/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+
+/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
diff --git a/mysql.if b/mysql.if
new file mode 100644
index 0000000..e9c0982
--- /dev/null
+++ b/mysql.if
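Review bot: `corenet_tcp_connect_all_ports(services_munin_plugin_t)` in the service-plugin section is unconditional, whereas the mysqld policy in this same commit gates the equivalent `corenet_tcp_connect_all_ports(mysqld_t)` behind `gen_tunable(mysql_connect_any, false)`; the plugins labelled into this domain in munin.fc (mysql, postgres, http, snmp, squid, tomcat and similar) target named services, so either enumerating the specific `corenet_tcp_connect_*_port` calls or wrapping the all-ports rule in a tunable would keep the default profile of a plugin domain narrower. The adjacent `corenet_tcp_connect_http_port(services_munin_plugin_t)` is redundant for as long as the all-ports rule stands. `logging_read_all_logs(munin_t)` is similarly broad for the graphing daemon, which already manages its own `munin_log_t`; it is worth confirming which plugins actually read other services' logs before granting it at the daemon level.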
@@ -0,0 +1,355 @@
+## Policy for MySQL
+
+######################################
+##
+## Execute MySQL in the mysql domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mysql_domtrans',`
+ gen_require(`
+ type mysqld_t, mysqld_exec_t;
+ ')
+
+ domtrans_pattern($1, mysqld_exec_t, mysqld_t)
+')
+
+########################################
+##
+## Send a generic signal to MySQL.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_signal',`
+ gen_require(`
+ type mysqld_t;
+ ')
+
+ allow $1 mysqld_t:process signal;
+')
+
+########################################
+##
+## Allow the specified domain to connect to postgresql with a tcp socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_tcp_connect',`
+ gen_require(`
+ type mysqld_t;
+ ')
+
+ corenet_tcp_recvfrom_labeled($1, mysqld_t)
+ corenet_tcp_sendrecv_mysqld_port($1)
+ corenet_tcp_connect_mysqld_port($1)
+ corenet_sendrecv_mysqld_client_packets($1)
+')
+
+########################################
+##
+## Connect to MySQL using a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mysql_stream_connect',`
+ gen_require(`
+ type mysqld_t, mysqld_var_run_t, mysqld_db_t;
+ ')
+
+ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
+')
+
+########################################
+##
+## Read MySQL configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mysql_read_config',`
+ gen_require(`
+ type mysqld_etc_t;
+ ')
+
+ allow $1 mysqld_etc_t:dir list_dir_perms;
+ allow $1 mysqld_etc_t:file read_file_perms;
+ allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+##
+## Search the directories that contain MySQL
+## database storage.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+# cjp: "_dir" in the name is added to clarify that this
+# is not searching the database itself.
+interface(`mysql_search_db',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Read and write to the MySQL database directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_rw_db_dirs',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir rw_dir_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete MySQL database directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_manage_db_dirs',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir manage_dir_perms;
+')
+
+#######################################
+##
+## Append to the MySQL database directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_append_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ append_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+#######################################
+##
+## Read and write to the MySQL database directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_rw_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+#######################################
+##
+## Create, read, write, and delete MySQL database files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_manage_db_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+########################################
+##
+## Read and write to the MySQL database
+## named socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_rw_db_sockets',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir search_dir_perms;
+ allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
+')
+
+########################################
+##
+## Write to the MySQL log.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_write_log',`
+ gen_require(`
+ type mysqld_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 mysqld_log_t:file { write_file_perms setattr };
+')
+
+######################################
+##
+## Execute MySQL server in the mysql domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`mysql_domtrans_mysql_safe',`
+ gen_require(`
+ type mysqld_safe_t, mysqld_safe_exec_t;
+ ')
+
+ domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
+')
+
+#####################################
+##
+## Read MySQL PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_read_pid_files',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ mysql_search_pid_files($1)
+ read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+#####################################
+##
+## Search MySQL PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mysql_search_pid_files',`
+ gen_require(`
+ type mysqld_var_run_t;
+ ')
+
+ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+########################################
+##
+## All of the rules required to administrate an mysql environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the mysql domain.
+##
+##
+##
+#
+interface(`mysql_admin',`
+ gen_require(`
+ type mysqld_t, mysqld_var_run_t;
+ type mysqld_tmp_t, mysqld_db_t;
+ type mysqld_etc_t, mysqld_log_t;
+ type mysqld_initrc_exec_t;
+ ')
+
+ allow $1 mysqld_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mysqld_t)
+
+ init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 mysqld_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, mysqld_var_run_t)
+
+ admin_pattern($1, mysqld_db_t)
+
+ admin_pattern($1, mysqld_etc_t)
+
+ admin_pattern($1, mysqld_log_t)
+
+ admin_pattern($1, mysqld_tmp_t)
+')
diff --git a/mysql.te b/mysql.te
new file mode 100644
index 0000000..0a0d63c
--- /dev/null
+++ b/mysql.te
@@ -0,0 +1,239 @@
+policy_module(mysql, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
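Review bot: The summary of `mysql_tcp_connect` reads `## Allow the specified domain to connect to postgresql with a tcp socket.`, which is a copy-paste from another module; it should read `## Allow the specified domain to connect to MySQL with a tcp socket.` so the generated interface documentation names the right service. Also, `mysql_stream_connect` permits connecting through `mysqld_db_t` (the socket location that the `type_transition` in mysql.te sets up for Fedora) but, unlike every other `mysql_*_db_*` interface in this file, does not call `files_search_var_lib($1)`; a caller presumably needs that search to reach the socket under `/var/lib/mysql`, so adding it would make the interface self-sufficient. The one caller visible here, `mysqlmanagerd_t`, also calls `mysql_search_db`, which is likely why it works today.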

+## Allow mysqld to connect to all ports
+##

+##
+gen_tunable(mysql_connect_any, false)
+
+type mysqld_t;
+type mysqld_exec_t;
+init_daemon_domain(mysqld_t, mysqld_exec_t)
+
+type mysqld_safe_t;
+type mysqld_safe_exec_t;
+init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
+
+type mysqld_var_run_t;
+files_pid_file(mysqld_var_run_t)
+
+type mysqld_db_t;
+files_type(mysqld_db_t)
+
+type mysqld_etc_t alias etc_mysqld_t;
+files_config_file(mysqld_etc_t)
+
+type mysqld_initrc_exec_t;
+init_script_file(mysqld_initrc_exec_t)
+
+type mysqld_log_t;
+logging_log_file(mysqld_log_t)
+
+type mysqld_tmp_t;
+files_tmp_file(mysqld_tmp_t)
+
+type mysqlmanagerd_t;
+type mysqlmanagerd_exec_t;
+init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
+
+type mysqlmanagerd_initrc_exec_t;
+init_script_file(mysqlmanagerd_initrc_exec_t)
+
+type mysqlmanagerd_var_run_t;
+files_pid_file(mysqlmanagerd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service };
+dontaudit mysqld_t self:capability sys_tty_config;
+allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+allow mysqld_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_t self:shm create_shm_perms;
+allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+allow mysqld_t self:tcp_socket create_stream_socket_perms;
+allow mysqld_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
+
+allow mysqld_t mysqld_etc_t:file read_file_perms;
+allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
+
+allow mysqld_t mysqld_log_t:file manage_file_perms;
+logging_log_filetrans(mysqld_t, mysqld_log_t, file)
+
+manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
+
+manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file })
+
+kernel_read_system_state(mysqld_t)
+kernel_read_kernel_sysctls(mysqld_t)
+
+corenet_all_recvfrom_unlabeled(mysqld_t)
+corenet_all_recvfrom_netlabel(mysqld_t)
+corenet_tcp_sendrecv_generic_if(mysqld_t)
+corenet_udp_sendrecv_generic_if(mysqld_t)
+corenet_tcp_sendrecv_generic_node(mysqld_t)
+corenet_udp_sendrecv_generic_node(mysqld_t)
+corenet_tcp_sendrecv_all_ports(mysqld_t)
+corenet_udp_sendrecv_all_ports(mysqld_t)
+corenet_tcp_bind_generic_node(mysqld_t)
+corenet_tcp_bind_mysqld_port(mysqld_t)
+corenet_tcp_connect_mysqld_port(mysqld_t)
+corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_sendrecv_mysqld_server_packets(mysqld_t)
+
+dev_read_sysfs(mysqld_t)
+dev_read_urand(mysqld_t)
+
+fs_getattr_all_fs(mysqld_t)
+fs_search_auto_mountpoints(mysqld_t)
+fs_rw_hugetlbfs_files(mysqld_t)
+
+domain_use_interactive_fds(mysqld_t)
+
+files_getattr_var_lib_dirs(mysqld_t)
+files_read_etc_runtime_files(mysqld_t)
+files_read_etc_files(mysqld_t)
+files_read_usr_files(mysqld_t)
+files_search_var_lib(mysqld_t)
+
+auth_use_nsswitch(mysqld_t)
+
+logging_send_syslog_msg(mysqld_t)
+
+miscfiles_read_localization(mysqld_t)
+
+sysnet_read_config(mysqld_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+# for /root/.my.cnf - should not be needed:
+userdom_read_user_home_content_files(mysqld_t)
+
+ifdef(`distro_redhat',`
+ # because Fedora has the sock_file in the database directory
+ type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
+')
+
+tunable_policy(`mysql_connect_any',`
+ corenet_tcp_connect_all_ports(mysqld_t)
+ corenet_sendrecv_all_client_packets(mysqld_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(mysqld_t, mysqld_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(mysqld_t)
+')
+
+optional_policy(`
+ udev_read_db(mysqld_t)
+')
+
+#######################################
+#
+# Local mysqld_safe policy
+#
+
+allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+dontaudit mysqld_safe_t self:capability sys_ptrace;
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+
+read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+
+domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+
+allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
+
+manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
+
+kernel_read_system_state(mysqld_safe_t)
+kernel_read_kernel_sysctls(mysqld_safe_t)
+
+corecmd_exec_bin(mysqld_safe_t)
+
+dev_list_sysfs(mysqld_safe_t)
+
+domain_read_all_domains_state(mysqld_safe_t)
+
+files_read_etc_files(mysqld_safe_t)
+files_read_usr_files(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+
+hostname_exec(mysqld_safe_t)
+
+miscfiles_read_localization(mysqld_safe_t)
+
+mysql_manage_db_files(mysqld_safe_t)
+mysql_read_config(mysqld_safe_t)
+mysql_search_pid_files(mysqld_safe_t)
+mysql_write_log(mysqld_safe_t)
+
+########################################
+#
+# MySQL Manager Policy
+#
+
+allow mysqlmanagerd_t self:capability { dac_override kill };
+allow mysqlmanagerd_t self:process signal;
+allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
+allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
+
+mysql_read_config(initrc_t)
+mysql_read_config(mysqlmanagerd_t)
+mysql_read_pid_files(mysqlmanagerd_t)
+mysql_search_db(mysqlmanagerd_t)
+mysql_signal(mysqlmanagerd_t)
+mysql_stream_connect(mysqlmanagerd_t)
+
+domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
+
+manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
+
+kernel_read_system_state(mysqlmanagerd_t)
+
+corecmd_exec_shell(mysqlmanagerd_t)
+
+corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
+corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
+corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
+corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
+corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
+corenet_tcp_bind_generic_node(mysqlmanagerd_t)
+corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
+
+dev_read_urand(mysqlmanagerd_t)
+
+files_read_etc_files(mysqlmanagerd_t)
+files_read_usr_files(mysqlmanagerd_t)
+
+miscfiles_read_localization(mysqlmanagerd_t)
+
+userdom_getattr_user_home_dirs(mysqlmanagerd_t)
diff --git a/nagios.fc b/nagios.fc
new file mode 100644
index 0000000..1fc9905
--- /dev/null
+++ b/nagios.fc
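Review bot: `userdom_read_user_home_content_files(mysqld_t)` gives the database daemon read access to all user home content, and the comment above it (`# for /root/.my.cnf - should not be needed:`) already says the author does not believe the rule is necessary; a rule the author doubts should be dropped or reduced to a dontaudit rather than granted, or at least gated behind a tunable the way `mysql_connect_any` gates `corenet_tcp_connect_all_ports(mysqld_t)` in the same file. Separately, `mysql_read_config(initrc_t)` sits in the MySQL Manager section but grants to `initrc_t`, a type this module does not declare, so it looks misplaced; at minimum it deserves a comment stating which init script needs the config, and whether a direct reference to `initrc_t` from this module fits the policy's layering conventions is worth confirming.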
@@ -0,0 +1,88 @@
+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+
+/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+
+/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+
+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+
+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
+
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+')
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi-bin(/.*)?
gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + +# admin plugins +/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) + +# check disk plugins +/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) + +# mail plugins +/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) + +# system plugins +/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nwstat -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + +# services plugins +/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mysql -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + +# unconfined plugins +/usr/lib(64)?/nagios/plugins/check_by_ssh -- 
gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) diff --git a/nagios.if b/nagios.if new file mode 100644 index 0000000..8581040 --- /dev/null +++ b/nagios.if 
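Review bot: The `# system plugins` header in nagios.fc is immediately followed by `check_breeze` and `check_dummy`, both labeled `nagios_services_plugin_exec_t`, so the comment and the label disagree for those two entries; either move them under `# services plugins` or relabel them `nagios_system_plugin_exec_t` if that was the intent. `/var/run/nagios.*` leaves the `.` unescaped, so it also matches names such as `/var/run/nagiosXfoo`; a pattern in the `\.`-escaped style used elsewhere in the file (or `/var/run/nagios(/.*)?`) would be tighter. `check_by_ssh` is the only path labeled `nagios_unconfined_plugin_exec_t`, and nagios.te in this series feeds that type to `unconfined_domain`; a comment above the entry such as `# check_by_ssh runs unconfined: nrpe_t/nagios_t transition to nagios_unconfined_plugin_t through this path` would make the trust boundary visible to whoever edits the list.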
@@ -0,0 +1,229 @@ +## Net Saint / NAGIOS - network monitoring server + +######################################## +## +## Create a set of derived types for various +## nagios plugins, +## +## +## +## The name to be used for deriving type names. +## +## +# +template(`nagios_plugin_template',` + + gen_require(` + type nagios_t, nrpe_t; + type nagios_log_t; + ') + + type nagios_$1_plugin_t; + type nagios_$1_plugin_exec_t; + application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) + role system_r types nagios_$1_plugin_t; + + allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms; + + domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) + + # needed by command.cfg + domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) + + allow nagios_t nagios_$1_plugin_t:process signal_perms; + + # cjp: leaked file descriptor + dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; + dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; + + miscfiles_read_localization(nagios_$1_plugin_t) +') + +######################################## +## +## Do not audit attempts to read or write nagios +## unnamed pipes. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`nagios_dontaudit_rw_pipes',` + gen_require(` + type nagios_t; + ') + + dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Allow the specified domain to read +## nagios configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`nagios_read_config',` + gen_require(` + type nagios_etc_t; + ') + + allow $1 nagios_etc_t:dir list_dir_perms; + allow $1 nagios_etc_t:file read_file_perms; + files_search_etc($1) +') + +###################################### +## +## Read nagios logs. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`nagios_read_log',` + gen_require(` + type nagios_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, nagios_log_t, nagios_log_t) +') + +######################################## +## +## Do not audit attempts to read or write nagios logs. +## +## +## +## Domain to not audit. +## +## +# +interface(`nagios_dontaudit_rw_log',` + gen_require(` + type nagios_log_t; + ') + + dontaudit $1 nagios_log_t:file rw_file_perms; +') + +######################################## +## +## Search nagios spool directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`nagios_search_spool',` + gen_require(` + type nagios_spool_t; + ') + + allow $1 nagios_spool_t:dir search_dir_perms; + files_search_spool($1) +') + +######################################## +## +## Allow the specified domain to read +## nagios temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nagios_read_tmp_files',` + gen_require(` + type nagios_tmp_t; + ') + + allow $1 nagios_tmp_t:file read_file_perms; + files_search_tmp($1) +') + +######################################## +## +## Execute the nagios NRPE with +## a domain transition. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`nagios_domtrans_nrpe',` + gen_require(` + type nrpe_t, nrpe_exec_t; + ') + + domtrans_pattern($1, nrpe_exec_t, nrpe_t) +') + +######################################## +## +## All of the rules required to administrate +## an nagios environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the nagios domain. 
+## +## +## +# +interface(`nagios_admin',` + gen_require(` + type nagios_t, nrpe_t; + type nagios_tmp_t, nagios_log_t; + type nagios_etc_t, nrpe_etc_t; + type nagios_spool_t, nagios_var_run_t; + type nagios_initrc_exec_t; + ') + + allow $1 nagios_t:process { ptrace signal_perms }; + ps_process_pattern($1, nagios_t) + + init_labeled_script_domtrans($1, nagios_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 nagios_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, nagios_tmp_t) + + logging_list_logs($1) + admin_pattern($1, nagios_log_t) + + files_list_etc($1) + admin_pattern($1, nagios_etc_t) + + files_list_spool($1) + admin_pattern($1, nagios_spool_t) + + files_list_pids($1) + admin_pattern($1, nagios_var_run_t) + + admin_pattern($1, nrpe_etc_t) +') diff --git a/nagios.te b/nagios.te new file mode 100644 index 0000000..07017da --- /dev/null +++ b/nagios.te 
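Review bot: `nagios_admin` requires `nrpe_t` but grants `$1` nothing on it, and `nrpe_var_run_t` is neither required nor covered by an `admin_pattern`, so an administrator given this interface can manage the nagios daemon and its pid files but not the NRPE daemon or the files labeled `nrpe_var_run_t`. If NRPE is meant to be administrable through the same interface, add `allow $1 nrpe_t:process { ptrace signal_perms };`, `ps_process_pattern($1, nrpe_t)` and `admin_pattern($1, nrpe_var_run_t)` (with `type nrpe_var_run_t;` in the require block); otherwise drop `nrpe_t` from the require so the unused name does not suggest coverage that is not there. In `nagios_plugin_template`, the two `dontaudit` rules are explained only by `# cjp: leaked file descriptor`; naming the descriptors (the nrpe tcp socket and the open log file, presumably inherited across the `domtrans`) in that comment would help the next reader decide whether they are still needed.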
@@ -0,0 +1,392 @@ +policy_module(nagios, 1.10.2) + +######################################## +# +# Declarations +# + +type nagios_t; +type nagios_exec_t; +init_daemon_domain(nagios_t, nagios_exec_t) + +type nagios_etc_t; +files_config_file(nagios_etc_t) + +type nagios_initrc_exec_t; +init_script_file(nagios_initrc_exec_t) + +type nagios_log_t; +logging_log_file(nagios_log_t) + +type nagios_tmp_t; +files_tmp_file(nagios_tmp_t) + +type nagios_var_run_t; +files_pid_file(nagios_var_run_t) + +type nagios_spool_t; +files_type(nagios_spool_t) + +nagios_plugin_template(admin) +nagios_plugin_template(checkdisk) +nagios_plugin_template(mail) +nagios_plugin_template(services) +nagios_plugin_template(system) +nagios_plugin_template(unconfined) + +type nagios_system_plugin_tmp_t; +files_tmp_file(nagios_system_plugin_tmp_t) + +type nrpe_t; +type nrpe_exec_t; +init_daemon_domain(nrpe_t, nrpe_exec_t) + +type nrpe_etc_t; +files_config_file(nrpe_etc_t) + +type nrpe_var_run_t; +files_pid_file(nrpe_var_run_t) + +######################################## +# +# Nagios local policy +# + +allow nagios_t self:capability { dac_override setgid setuid }; +dontaudit nagios_t self:capability sys_tty_config; +allow nagios_t self:process { setpgid signal_perms }; +allow nagios_t self:fifo_file rw_file_perms; +allow nagios_t self:tcp_socket create_stream_socket_perms; +allow nagios_t self:udp_socket create_socket_perms; + +read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) +read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) +allow nagios_t nagios_etc_t:dir list_dir_perms; + +manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t) +manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t) +logging_log_filetrans(nagios_t, nagios_log_t, { file dir }) + +manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) +manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) +files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir }) + +manage_files_pattern(nagios_t, 
nagios_var_run_t, nagios_var_run_t) +files_pid_filetrans(nagios_t, nagios_var_run_t, file) + +manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) +files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) + +kernel_read_system_state(nagios_t) +kernel_read_kernel_sysctls(nagios_t) + +corecmd_exec_bin(nagios_t) +corecmd_exec_shell(nagios_t) + +corenet_all_recvfrom_unlabeled(nagios_t) +corenet_all_recvfrom_netlabel(nagios_t) +corenet_tcp_sendrecv_generic_if(nagios_t) +corenet_udp_sendrecv_generic_if(nagios_t) +corenet_tcp_sendrecv_generic_node(nagios_t) +corenet_udp_sendrecv_generic_node(nagios_t) +corenet_tcp_sendrecv_all_ports(nagios_t) +corenet_udp_sendrecv_all_ports(nagios_t) +corenet_tcp_connect_all_ports(nagios_t) + +corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t) +corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t) + +dev_read_sysfs(nagios_t) +dev_read_urand(nagios_t) + +domain_use_interactive_fds(nagios_t) +# for ps +domain_read_all_domains_state(nagios_t) + +files_read_etc_files(nagios_t) +files_read_etc_runtime_files(nagios_t) +files_read_kernel_symbol_table(nagios_t) +files_search_spool(nagios_t) + +fs_getattr_all_fs(nagios_t) +fs_search_auto_mountpoints(nagios_t) + +# for who +init_read_utmp(nagios_t) + +auth_use_nsswitch(nagios_t) + +logging_send_syslog_msg(nagios_t) + +miscfiles_read_localization(nagios_t) + +userdom_dontaudit_use_unpriv_user_fds(nagios_t) +userdom_dontaudit_search_user_home_dirs(nagios_t) + +mta_send_mail(nagios_t) + +optional_policy(` + netutils_domtrans_ping(nagios_t) + netutils_signal_ping(nagios_t) + netutils_kill_ping(nagios_t) +') + +optional_policy(` + seutil_sigchld_newrole(nagios_t) +') + +optional_policy(` + udev_read_db(nagios_t) +') + +######################################## +# +# Nagios CGI local policy +# +optional_policy(` + apache_content_template(nagios) + typealias httpd_nagios_script_t alias nagios_cgi_t; + typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; + + allow 
httpd_nagios_script_t self:process signal_perms; + + read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) + read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) + + files_search_spool(httpd_nagios_script_t) + rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) + + allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; + read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) + read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) + + allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; + read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) + read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) + + kernel_read_system_state(httpd_nagios_script_t) + + domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) + + files_read_etc_runtime_files(httpd_nagios_script_t) + files_read_kernel_symbol_table(httpd_nagios_script_t) + + logging_send_syslog_msg(httpd_nagios_script_t) +') + +######################################## +# +# Nagios remote plugin executor local policy +# + +allow nrpe_t self:capability { setuid setgid }; +dontaudit nrpe_t self:capability {sys_tty_config sys_resource}; +allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; +allow nrpe_t self:fifo_file rw_fifo_file_perms; +allow nrpe_t self:tcp_socket create_stream_socket_perms; + +domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) + +read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t) +files_search_etc(nrpe_t) + +manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t) +files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) + +kernel_read_system_state(nrpe_t) +kernel_read_kernel_sysctls(nrpe_t) + +corecmd_exec_bin(nrpe_t) +corecmd_exec_shell(nrpe_t) + +corenet_tcp_bind_generic_node(nrpe_t) +corenet_tcp_bind_inetd_child_port(nrpe_t) +corenet_sendrecv_unlabeled_packets(nrpe_t) + +dev_read_sysfs(nrpe_t) 
+dev_read_urand(nrpe_t) + +domain_use_interactive_fds(nrpe_t) +domain_read_all_domains_state(nrpe_t) + +files_read_etc_runtime_files(nrpe_t) +files_read_etc_files(nrpe_t) + +fs_getattr_all_fs(nrpe_t) +fs_search_auto_mountpoints(nrpe_t) + +auth_use_nsswitch(nrpe_t) + +logging_send_syslog_msg(nrpe_t) + +miscfiles_read_localization(nrpe_t) + +userdom_dontaudit_use_unpriv_user_fds(nrpe_t) + +optional_policy(` + inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) +') + +optional_policy(` + mta_send_mail(nrpe_t) +') + +optional_policy(` + seutil_sigchld_newrole(nrpe_t) +') + +optional_policy(` + tcpd_wrapped_domain(nrpe_t, nrpe_exec_t) +') + +optional_policy(` + udev_read_db(nrpe_t) +') + +##################################### +# +# local policy for admin check plugins +# + +corecmd_read_bin_files(nagios_admin_plugin_t) +corecmd_read_bin_symlinks(nagios_admin_plugin_t) + +dev_read_urand(nagios_admin_plugin_t) +dev_getattr_all_chr_files(nagios_admin_plugin_t) +dev_getattr_all_blk_files(nagios_admin_plugin_t) + +files_read_etc_files(nagios_admin_plugin_t) +# for check_file_age plugin +files_getattr_all_dirs(nagios_admin_plugin_t) +files_getattr_all_files(nagios_admin_plugin_t) +files_getattr_all_symlinks(nagios_admin_plugin_t) +files_getattr_all_pipes(nagios_admin_plugin_t) +files_getattr_all_sockets(nagios_admin_plugin_t) +files_getattr_all_file_type_fs(nagios_admin_plugin_t) + +###################################### +# +# local policy for mail check plugins +# + +allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; + +allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; +allow nagios_mail_plugin_t self:udp_socket create_socket_perms; + +kernel_read_system_state(nagios_mail_plugin_t) +kernel_read_kernel_sysctls(nagios_mail_plugin_t) + +corecmd_read_bin_files(nagios_mail_plugin_t) +corecmd_read_bin_symlinks(nagios_mail_plugin_t) + 
+dev_read_urand(nagios_mail_plugin_t) + +files_read_etc_files(nagios_mail_plugin_t) + +logging_send_syslog_msg(nagios_mail_plugin_t) + +sysnet_read_config(nagios_mail_plugin_t) + +optional_policy(` + mta_send_mail(nagios_mail_plugin_t) +') + +optional_policy(` + nscd_dontaudit_search_pid(nagios_mail_plugin_t) +') + +optional_policy(` + postfix_stream_connect_master(nagios_mail_plugin_t) + posftix_exec_postqueue(nagios_mail_plugin_t) +') + +###################################### +# +# local policy for disk check plugins +# + +# needed by ioctl() +allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; + +files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) +files_read_etc_runtime_files(nagios_checkdisk_plugin_t) + +fs_getattr_all_fs(nagios_checkdisk_plugin_t) + +storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) + +####################################### +# +# local policy for service check plugins +# + +allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; +allow nagios_services_plugin_t self:process { signal sigkill }; + +allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; +allow nagios_services_plugin_t self:udp_socket create_socket_perms; + +corecmd_exec_bin(nagios_services_plugin_t) + +corenet_tcp_connect_all_ports(nagios_services_plugin_t) +corenet_udp_bind_dhcpc_port(nagios_services_plugin_t) + +auth_use_nsswitch(nagios_services_plugin_t) + +domain_read_all_domains_state(nagios_services_plugin_t) + +files_read_usr_files(nagios_services_plugin_t) + +optional_policy(` + netutils_domtrans_ping(nagios_services_plugin_t) +') + +optional_policy(` + mysql_stream_connect(nagios_services_plugin_t) +') + +optional_policy(` + snmp_read_snmp_var_lib_files(nagios_services_plugin_t) +') + +###################################### +# +# local policy for system check plugins +# + +allow nagios_system_plugin_t self:capability dac_override; +dontaudit nagios_system_plugin_t self:capability { setuid setgid }; 
+
+# check_log
+manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
+manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
+files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
+
+kernel_read_system_state(nagios_system_plugin_t)
+kernel_read_kernel_sysctls(nagios_system_plugin_t)
+
+corecmd_exec_bin(nagios_system_plugin_t)
+corecmd_exec_shell(nagios_system_plugin_t)
+
+dev_read_sysfs(nagios_system_plugin_t)
+dev_read_urand(nagios_system_plugin_t)
+
+domain_read_all_domains_state(nagios_system_plugin_t)
+
+files_read_etc_files(nagios_system_plugin_t)
+
+# needed by check_users plugin
+optional_policy(`
+ init_read_utmp(nagios_system_plugin_t)
+')
+
+########################################
+#
+# Unconfined plugin policy
+#
+
+optional_policy(`
+ unconfined_domain(nagios_unconfined_plugin_t)
+')
diff --git a/ncftool.fc b/ncftool.fc
new file mode 100644
index 0000000..ca1a0e2
--- /dev/null
+++ b/ncftool.fc
@@ -0,0 +1 @@
+/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)
diff --git a/ncftool.if b/ncftool.if
new file mode 100644
index 0000000..75ee31d
--- /dev/null
+++ b/ncftool.if
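Review bot: `posftix_exec_postqueue(nagios_mail_plugin_t)` in the postfix `optional_policy` block of the mail-plugin section is misspelled (`posftix` for `postfix`), so it will not expand to the intended interface and the policy will most likely fail to build when that block is enabled; it should read `postfix_exec_postqueue(nagios_mail_plugin_t)`. In the same file, `allow nagios_t self:fifo_file rw_file_perms;` uses the plain-file permission set on a fifo where every sibling domain uses `rw_fifo_file_perms`, and the CGI section's `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` / `read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` pair names `nagios_etc_t` as the directory type for log files, which looks like a copy of the preceding `nagios_etc_t` block and should presumably be `nagios_log_t, nagios_log_t`. `nagios_plugin_template(unconfined)` together with `unconfined_domain(nagios_unconfined_plugin_t)` lets `nrpe_t`, a network-facing daemon (`corenet_tcp_bind_inetd_child_port`, `inetd_tcp_service_domain`), transition into an unconfined domain through any file labeled `nagios_unconfined_plugin_exec_t`; a comment above that block stating that this path is deliberately outside the plugin confinement, and that its file context must therefore stay pinned to one fixed path, would document the trade-off.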
@@ -0,0 +1,48 @@
+## Netcf network configuration tool (ncftool).
+
+########################################
+##
+## Execute a domain transition to run ncftool.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ncftool_domtrans',`
+ gen_require(`
+ type ncftool_t, ncftool_exec_t;
+ ')
+
+ domtrans_pattern($1, ncftool_exec_t, ncftool_t)
+')
+
+########################################
+##
+## Execute ncftool in the ncftool domain, and
+## allow the specified role the ncftool domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the ncftool domain.
+##
+##
+#
+interface(`ncftool_run',`
+ gen_require(`
+ type ncftool_t;
+ ')
+
+ ncftool_domtrans($1)
+ role $2 types ncftool_t;
+
+ optional_policy(`
+ brctl_run(ncftool_t, $2)
+ ')
+')
diff --git a/ncftool.te b/ncftool.te
new file mode 100644
index 0000000..ec29391
--- /dev/null
+++ b/ncftool.te
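Review bot: `ncftool_domtrans` omits `corecmd_search_bin($1)` before its `domtrans_pattern`, whereas `networkmanager_domtrans` in this same series includes it so the caller can reach the executable under `/usr/bin`; add `corecmd_search_bin($1)` above `domtrans_pattern($1, ncftool_exec_t, ncftool_t)`. The `ncftool_run` summary only says it allows the role the ncftool domain, yet the body also conditionally grants `brctl_run(ncftool_t, $2)`, a second transition the description does not mention; a line such as `## ncftool may in turn run brctl in its own domain when that policy is present.` in the summary would keep the documentation honest.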
@@ -0,0 +1,78 @@
+policy_module(ncftool, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ncftool_t;
+type ncftool_exec_t;
+application_domain(ncftool_t, ncftool_exec_t)
+domain_obj_id_change_exemption(ncftool_t)
+domain_system_change_exemption(ncftool_t)
+role system_r types ncftool_t;
+
+########################################
+#
+# ncftool local policy
+#
+
+allow ncftool_t self:capability { net_admin sys_ptrace };
+allow ncftool_t self:process signal;
+allow ncftool_t self:fifo_file manage_fifo_file_perms;
+allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
+allow ncftool_t self:tcp_socket create_stream_socket_perms;
+allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
+
+kernel_read_kernel_sysctls(ncftool_t)
+kernel_read_modprobe_sysctls(ncftool_t)
+kernel_read_network_state(ncftool_t)
+kernel_read_system_state(ncftool_t)
+kernel_request_load_module(ncftool_t)
+kernel_rw_net_sysctls(ncftool_t)
+
+corecmd_exec_bin(ncftool_t)
+corecmd_exec_shell(ncftool_t)
+
+domain_read_all_domains_state(ncftool_t)
+
+dev_read_sysfs(ncftool_t)
+
+files_read_etc_files(ncftool_t)
+files_read_etc_runtime_files(ncftool_t)
+files_read_usr_files(ncftool_t)
+
+miscfiles_read_localization(ncftool_t)
+
+sysnet_delete_dhcpc_pid(ncftool_t)
+sysnet_domtrans_dhcpc(ncftool_t)
+sysnet_domtrans_ifconfig(ncftool_t)
+sysnet_etc_filetrans_config(ncftool_t)
+sysnet_manage_config(ncftool_t)
+sysnet_read_dhcpc_state(ncftool_t)
+sysnet_read_dhcpc_pid(ncftool_t)
+sysnet_signal_dhcpc(ncftool_t)
+
+userdom_use_user_terminals(ncftool_t)
+userdom_read_user_tmp_files(ncftool_t)
+
+optional_policy(`
+ consoletype_exec(ncftool_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(ncftool_t)
+')
+
+optional_policy(`
+ iptables_initrc_domtrans(ncftool_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(ncftool_t)
+ modutils_domtrans_insmod(ncftool_t)
+')
+
+optional_policy(`
+ netutils_domtrans(ncftool_t)
+')
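Review bot: `allow ncftool_t self:capability { net_admin sys_ptrace };` carries no comment, and `sys_ptrace` is a broad capability for a configuration tool; the only visible consumer that might need it is `domain_read_all_domains_state(ncftool_t)`, since reading some `/proc/<pid>` entries of other processes requires it, but that is an inference from this file alone. A comment such as `# sys_ptrace: presumably for reading /proc/<pid> of other domains (domain_read_all_domains_state) -- confirm, else drop or dontaudit` would record why it is granted. `ncftool_t` also receives `domain_obj_id_change_exemption` and `domain_system_change_exemption` with no explanation; if they exist for the `sysnet_etc_filetrans_config`/`sysnet_manage_config` writes, saying so next to those lines would let a reviewer judge the exemptions.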
diff --git a/nessus.fc b/nessus.fc
new file mode 100644
index 0000000..74da57f
--- /dev/null
+++ b/nessus.fc
@@ -0,0 +1,10 @@
+
+/etc/nessus/nessusd\.conf -- gen_context(system_u:object_r:nessusd_etc_t,s0)
+
+/usr/lib(64)?/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+
+/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+
+/var/lib/nessus(/.*)? gen_context(system_u:object_r:nessusd_db_t,s0)
+
+/var/log/nessus(/.*)? gen_context(system_u:object_r:nessusd_log_t,s0)
diff --git a/nessus.if b/nessus.if
new file mode 100644
index 0000000..6ec8003
--- /dev/null
+++ b/nessus.if
@@ -0,0 +1,15 @@
+## Nessus network scanning daemon
+
+########################################
+##
+## Connect to nessus over a TCP socket (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nessus_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/nessus.te b/nessus.te
new file mode 100644
index 0000000..b16c387
--- /dev/null
+++ b/nessus.te
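Review bot: `/usr/lib(64)?/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)` labels every regular file under the plugins tree with the daemon's own entrypoint type, so any file placed there becomes a valid entrypoint for `nessusd_t`, which `init_daemon_domain` in nessus.te makes reachable from init. The reason for sharing `nessusd_exec_t` is not stated; if the plugins are only ever run by the daemon itself, a separate plugin type would keep the entrypoint set to `/usr/sbin/nessusd`, and if the shared label is deliberate a comment above the line saying so would help. The hunk also opens with an empty `+` line before the first context, which none of the other `.fc` files in this series do.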
@@ -0,0 +1,105 @@
+policy_module(nessus, 1.7.0)
+
+########################################
+#
+# Local policy
+#
+
+type nessusd_t;
+type nessusd_exec_t;
+init_daemon_domain(nessusd_t, nessusd_exec_t)
+
+type nessusd_db_t;
+files_type(nessusd_db_t)
+
+type nessusd_etc_t;
+files_config_file(nessusd_etc_t)
+
+type nessusd_log_t;
+logging_log_file(nessusd_log_t)
+
+type nessusd_var_run_t;
+files_pid_file(nessusd_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow nessusd_t self:capability net_raw;
+dontaudit nessusd_t self:capability sys_tty_config;
+allow nessusd_t self:process { setsched signal_perms };
+allow nessusd_t self:fifo_file rw_fifo_file_perms;
+allow nessusd_t self:tcp_socket create_stream_socket_perms;
+allow nessusd_t self:udp_socket create_socket_perms;
+allow nessusd_t self:rawip_socket create_socket_perms;
+allow nessusd_t self:packet_socket create_socket_perms;
+
+# Allow access to the nessusd authentication database
+manage_dirs_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
+manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
+manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
+files_list_var_lib(nessusd_t)
+
+allow nessusd_t nessusd_etc_t:file read_file_perms;
+files_search_etc(nessusd_t)
+
+manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
+logging_log_filetrans(nessusd_t, nessusd_log_t, { file dir })
+
+manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t)
+files_pid_filetrans(nessusd_t, nessusd_var_run_t, file)
+
+kernel_read_system_state(nessusd_t)
+kernel_read_kernel_sysctls(nessusd_t)
+
+# for nmap etc
+corecmd_exec_bin(nessusd_t)
+
+corenet_all_recvfrom_unlabeled(nessusd_t)
+corenet_all_recvfrom_netlabel(nessusd_t)
+corenet_tcp_sendrecv_generic_if(nessusd_t)
+corenet_udp_sendrecv_generic_if(nessusd_t)
+corenet_raw_sendrecv_generic_if(nessusd_t)
+corenet_tcp_sendrecv_generic_node(nessusd_t)
+corenet_udp_sendrecv_generic_node(nessusd_t)
+corenet_raw_sendrecv_generic_node(nessusd_t)
+corenet_tcp_sendrecv_all_ports(nessusd_t)
+corenet_udp_sendrecv_all_ports(nessusd_t)
+corenet_tcp_bind_generic_node(nessusd_t)
+corenet_tcp_bind_nessus_port(nessusd_t)
+corenet_tcp_connect_all_ports(nessusd_t)
+corenet_sendrecv_all_client_packets(nessusd_t)
+corenet_sendrecv_nessus_server_packets(nessusd_t)
+
+dev_read_sysfs(nessusd_t)
+dev_read_urand(nessusd_t)
+
+domain_use_interactive_fds(nessusd_t)
+
+files_read_etc_files(nessusd_t)
+files_read_etc_runtime_files(nessusd_t)
+
+fs_getattr_all_fs(nessusd_t)
+fs_search_auto_mountpoints(nessusd_t)
+
+logging_send_syslog_msg(nessusd_t)
+
+miscfiles_read_localization(nessusd_t)
+
+sysnet_read_config(nessusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
+userdom_dontaudit_search_user_home_dirs(nessusd_t)
+
+optional_policy(`
+ nis_use_ypbind(nessusd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nessusd_t)
+')
+
+optional_policy(`
+ udev_read_db(nessusd_t)
+')
diff --git a/networkmanager.fc b/networkmanager.fc
new file mode 100644
index 0000000..386543b
--- /dev/null
+++ b/networkmanager.fc
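Review bot: The two section headers in nessus.te are swapped: the block titled `# Local policy` holds the `type` declarations and `init_daemon_domain`, while the block titled `# Declarations` holds the `allow` rules; the first header should read `# Declarations` and the second `# Local policy`, matching the layout of nagios.te and ncftool.te in this series. The daemon is granted `net_raw` with `rawip_socket` and `packet_socket` plus `corenet_tcp_connect_all_ports`, which is what a network scanner needs; a one-line comment such as `# scanner: raw/packet sockets and connections to arbitrary ports are intentional` above the socket rules would tell a later reviewer these are deliberate rather than leftovers to trim.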
@@ -0,0 +1,26 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+
+/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
+/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
+
+/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
new file mode 100644
index 0000000..2324d9e
--- /dev/null
+++ b/networkmanager.if
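Review bot: `/etc/NetworkManager/dispatcher\.d(/.*)` is missing the trailing `?` that every other directory pattern in this file has (`(/.*)?`), so the `dispatcher.d` directory itself is not matched and only its contents receive `NetworkManager_initrc_exec_t`; it should be `/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)`. Labeling that whole tree with an init-script exec type presumably means any file dropped there can be run through `networkmanager_initrc_domtrans` as an initrc script; a comment stating that the dispatcher scripts are intended to run as initrc would make the design explicit. `/usr/libexec/nm-dispatcher.action` also leaves its `.` unescaped while the rest of the file uses `\.`, which is worth normalizing.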
@@ -0,0 +1,193 @@
+## Manager for dynamically switching between networks.
+
+########################################
+##
+## Read and write NetworkManager UDP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+# cjp: added for named.
+interface(`networkmanager_rw_udp_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:udp_socket { read write };
+')
+
+########################################
+##
+## Read and write NetworkManager packet sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+# cjp: added for named.
+interface(`networkmanager_rw_packet_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:packet_socket { read write };
+')
+
+#######################################
+##
+## Allow caller to relabel tun_socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_attach_tun_iface',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+##
+## Read and write NetworkManager netlink
+## routing sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+# cjp: added for named.
+interface(`networkmanager_rw_routing_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:netlink_route_socket { read write };
+')
+
+########################################
+##
+## Execute NetworkManager with a domain transition.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`networkmanager_domtrans',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
+')
+
+########################################
+##
+## Execute NetworkManager scripts with an automatic domain transition to initrc.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`networkmanager_initrc_domtrans',`
+ gen_require(`
+ type NetworkManager_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## NetworkManager over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_dbus_chat',`
+ gen_require(`
+ type NetworkManager_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 NetworkManager_t:dbus send_msg;
+ allow NetworkManager_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Send a generic signal to NetworkManager
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_signal',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process signal;
+')
+
+########################################
+##
+## Read NetworkManager lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_read_lib_files',`
+ gen_require(`
+ type NetworkManager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+')
+
+########################################
+##
+## Read NetworkManager PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_read_pid_files',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 NetworkManager_var_run_t:file read_file_perms;
+')
diff --git a/networkmanager.te b/networkmanager.te
new file mode 100644
index 0000000..0619395
--- /dev/null
+++ b/networkmanager.te
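Review bot: `networkmanager_read_pid_files` grants only `files_search_pids($1)` plus `allow $1 NetworkManager_var_run_t:file read_file_perms;`, but networkmanager.fc labels the whole `/var/run/NetworkManager(/.*)?` tree `NetworkManager_var_run_t`, so a caller can read `/var/run/NetworkManager.pid` yet is still denied `search` on the `/var/run/NetworkManager/` directory when a pid or state file lives inside it. The sibling `networkmanager_read_lib_files` already uses the pattern macros; for consistency replace the bare allow with `read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)`, which carries the directory search. The summary on `networkmanager_attach_tun_iface` ("Allow caller to relabel tun_socket") understates what it grants: `relabelfrom` on NetworkManager's tun socket together with `relabelto` on the caller's own type lets the caller take over a tun interface NetworkManager created, so I would phrase it as `## Take ownership of a tun socket created by NetworkManager (relabel it to the caller's domain).`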
@@ -0,0 +1,289 @@
+policy_module(networkmanager, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+type NetworkManager_t;
+type NetworkManager_exec_t;
+init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+
+type NetworkManager_initrc_exec_t;
+init_script_file(NetworkManager_initrc_exec_t)
+
+type NetworkManager_log_t;
+logging_log_file(NetworkManager_log_t)
+
+type NetworkManager_tmp_t;
+files_tmp_file(NetworkManager_tmp_t)
+
+type NetworkManager_var_lib_t;
+files_type(NetworkManager_var_lib_t)
+
+type NetworkManager_var_run_t;
+files_pid_file(NetworkManager_var_run_t)
+
+type wpa_cli_t;
+type wpa_cli_exec_t;
+init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# networkmanager will ptrace itself if gdb is installed
+# and it receives a unexpected signal (rh bug #204161)
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
+dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
+allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
+allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
+allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };
+allow NetworkManager_t self:udp_socket create_socket_perms;
+allow NetworkManager_t self:packet_socket create_socket_perms;
+
+allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+
+manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
+
+manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
+
+manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir)
+
+manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(NetworkManager_t)
+kernel_read_network_state(NetworkManager_t)
+kernel_read_kernel_sysctls(NetworkManager_t)
+kernel_request_load_module(NetworkManager_t)
+kernel_read_debugfs(NetworkManager_t)
+kernel_rw_net_sysctls(NetworkManager_t)
+
+corenet_all_recvfrom_unlabeled(NetworkManager_t)
+corenet_all_recvfrom_netlabel(NetworkManager_t)
+corenet_tcp_sendrecv_generic_if(NetworkManager_t)
+corenet_udp_sendrecv_generic_if(NetworkManager_t)
+corenet_raw_sendrecv_generic_if(NetworkManager_t)
+corenet_tcp_sendrecv_generic_node(NetworkManager_t)
+corenet_udp_sendrecv_generic_node(NetworkManager_t)
+corenet_raw_sendrecv_generic_node(NetworkManager_t)
+corenet_tcp_sendrecv_all_ports(NetworkManager_t)
+corenet_udp_sendrecv_all_ports(NetworkManager_t)
+corenet_udp_bind_generic_node(NetworkManager_t)
+corenet_udp_bind_isakmp_port(NetworkManager_t)
+corenet_udp_bind_dhcpc_port(NetworkManager_t)
+corenet_tcp_connect_all_ports(NetworkManager_t)
+corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
+corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
+corenet_sendrecv_all_client_packets(NetworkManager_t)
+corenet_rw_tun_tap_dev(NetworkManager_t)
+corenet_getattr_ppp_dev(NetworkManager_t)
+
+dev_read_sysfs(NetworkManager_t)
+dev_read_rand(NetworkManager_t)
+dev_read_urand(NetworkManager_t)
+dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+dev_getattr_all_chr_files(NetworkManager_t)
+
+fs_getattr_all_fs(NetworkManager_t)
+fs_search_auto_mountpoints(NetworkManager_t)
+fs_list_inotifyfs(NetworkManager_t)
+
+mls_file_read_all_levels(NetworkManager_t)
+
+selinux_dontaudit_search_fs(NetworkManager_t)
+
+corecmd_exec_shell(NetworkManager_t)
+corecmd_exec_bin(NetworkManager_t)
+
+domain_use_interactive_fds(NetworkManager_t)
+domain_read_confined_domains_state(NetworkManager_t)
+
+files_read_etc_files(NetworkManager_t)
+files_read_etc_runtime_files(NetworkManager_t)
+files_read_usr_files(NetworkManager_t)
+files_read_usr_src_files(NetworkManager_t)
+
+storage_getattr_fixed_disk_dev(NetworkManager_t)
+
+init_read_utmp(NetworkManager_t)
+init_dontaudit_write_utmp(NetworkManager_t)
+init_domtrans_script(NetworkManager_t)
+
+auth_use_nsswitch(NetworkManager_t)
+
+logging_send_syslog_msg(NetworkManager_t)
+
+miscfiles_read_localization(NetworkManager_t)
+miscfiles_read_generic_certs(NetworkManager_t)
+
+modutils_domtrans_insmod(NetworkManager_t)
+
+seutil_read_config(NetworkManager_t)
+
+sysnet_domtrans_ifconfig(NetworkManager_t)
+sysnet_domtrans_dhcpc(NetworkManager_t)
+sysnet_signal_dhcpc(NetworkManager_t)
+sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_delete_dhcpc_pid(NetworkManager_t)
+sysnet_search_dhcp_state(NetworkManager_t)
+# in /etc created by NetworkManager will be labelled net_conf_t.
+sysnet_manage_config(NetworkManager_t)
+sysnet_etc_filetrans_config(NetworkManager_t)
+
+userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
+userdom_dontaudit_use_user_ttys(NetworkManager_t)
+# Read gnome-keyring
+userdom_read_user_home_content_files(NetworkManager_t)
+
+optional_policy(`
+ avahi_domtrans(NetworkManager_t)
+ avahi_kill(NetworkManager_t)
+ avahi_signal(NetworkManager_t)
+ avahi_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ bind_domtrans(NetworkManager_t)
+ bind_manage_cache(NetworkManager_t)
+ bind_kill(NetworkManager_t)
+ bind_signal(NetworkManager_t)
+ bind_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ bluetooth_dontaudit_read_helper_state(NetworkManager_t)
+')
+
+optional_policy(`
+ consoletype_exec(NetworkManager_t)
+')
+
+optional_policy(`
+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(NetworkManager_t)
+ ')
+')
+
+optional_policy(`
+ dnsmasq_read_pid_files(NetworkManager_t)
+ dnsmasq_delete_pid_files(NetworkManager_t)
+ dnsmasq_domtrans(NetworkManager_t)
+ dnsmasq_initrc_domtrans(NetworkManager_t)
+ dnsmasq_kill(NetworkManager_t)
+ dnsmasq_signal(NetworkManager_t)
+ dnsmasq_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ hal_write_log(NetworkManager_t)
+')
+
+optional_policy(`
+ howl_signal(NetworkManager_t)
+')
+
+optional_policy(`
+ iptables_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ nscd_domtrans(NetworkManager_t)
+ nscd_signal(NetworkManager_t)
+ nscd_signull(NetworkManager_t)
+ nscd_kill(NetworkManager_t)
+ nscd_initrc_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ # Dispatcher starting and stoping ntp
+ ntp_initrc_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+ openvpn_domtrans(NetworkManager_t)
+ openvpn_kill(NetworkManager_t)
+ openvpn_signal(NetworkManager_t)
+ openvpn_signull(NetworkManager_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(NetworkManager_t)
+ policykit_domtrans_auth(NetworkManager_t)
+
policykit_read_lib(NetworkManager_t)
+ policykit_read_reload(NetworkManager_t)
+ userdom_read_all_users_state(NetworkManager_t)
+')
+
+optional_policy(`
+ ppp_initrc_domtrans(NetworkManager_t)
+ ppp_domtrans(NetworkManager_t)
+ ppp_manage_pid_files(NetworkManager_t)
+ ppp_kill(NetworkManager_t)
+ ppp_signal(NetworkManager_t)
+ ppp_signull(NetworkManager_t)
+ ppp_read_config(NetworkManager_t)
+')
+
+optional_policy(`
+ rpm_exec(NetworkManager_t)
+ rpm_read_db(NetworkManager_t)
+ rpm_dontaudit_manage_db(NetworkManager_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(NetworkManager_t)
+')
+
+optional_policy(`
+ udev_exec(NetworkManager_t)
+ udev_read_db(NetworkManager_t)
+')
+
+optional_policy(`
+ vpn_domtrans(NetworkManager_t)
+ vpn_kill(NetworkManager_t)
+ vpn_signal(NetworkManager_t)
+ vpn_signull(NetworkManager_t)
+')
+
+########################################
+#
+# wpa_cli local policy
+#
+
+allow wpa_cli_t self:capability dac_override;
+allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
+
+allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
+
+manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
+
+list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+
+init_dontaudit_use_fds(wpa_cli_t)
+init_use_script_ptys(wpa_cli_t)
+
+miscfiles_read_localization(wpa_cli_t)
+
+term_dontaudit_use_console(wpa_cli_t)
diff --git a/nis.fc b/nis.fc
new file mode 100644
index 0000000..15448d5
--- /dev/null
+++ b/nis.fc
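Review bot: `dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };` lists `sys_ptrace`, which the `allow NetworkManager_t self:capability { ... sys_ptrace ... }` on the line above already grants, so that half of the dontaudit can never fire; either the gdb self-ptrace comment is the intent and the line should shrink to `dontaudit NetworkManager_t self:capability sys_tty_config;`, or ptrace is debugging-only and `sys_ptrace` (with the `process ptrace` permission) belongs out of the allow. Further down, `userdom_read_user_home_content_files(NetworkManager_t)` under the comment `# Read gnome-keyring` gives a root network daemon read access to every user's home content, far more than keyring files; if the keyring is the only need this deserves a tunable or a dedicated interface, and at minimum the comment should say what is actually read and why the broad interface was chosen. Together with `mls_file_read_all_levels`, `init_domtrans_script` and `corecmd_exec_shell` in the same hunk, the domain has enough reach that each of those lines would benefit from a one-line justification like the one the ptrace rule already carries.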
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
+
+/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+
+/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+
+/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
+
+/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
+
+/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
+/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
diff --git a/nis.if b/nis.if
new file mode 100644
index 0000000..abe3f7f
--- /dev/null
+++ b/nis.if
@@ -0,0 +1,396 @@
+## Policy for NIS (YP) servers and clients
+
+########################################
+##
+## Use the ypbind service to access NIS services
+## unconditionally.
+##
+##
+##

+## Use the ypbind service to access NIS services
+## unconditionally.
+##

+##

+## This interface was added because of apache and
+## spamassassin, to fix a nested conditionals problem.
+## When that support is added, this should be removed,
+## and the regular interface should be used.
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nis_use_ypbind_uncond',`
+ gen_require(`
+ type var_yp_t;
+ ')
+
+ allow $1 self:capability net_bind_service;
+
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ allow $1 var_yp_t:dir list_dir_perms;
+ allow $1 var_yp_t:lnk_file { getattr read };
+ allow $1 var_yp_t:file read_file_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_all_ports($1)
+ corenet_udp_sendrecv_all_ports($1)
+ corenet_tcp_bind_generic_node($1)
+ corenet_udp_bind_generic_node($1)
+ corenet_tcp_bind_generic_port($1)
+ corenet_udp_bind_generic_port($1)
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+ corenet_dontaudit_udp_bind_all_reserved_ports($1)
+ corenet_dontaudit_tcp_bind_all_ports($1)
+ corenet_dontaudit_udp_bind_all_ports($1)
+ corenet_tcp_connect_portmap_port($1)
+ corenet_tcp_connect_reserved_port($1)
+ corenet_tcp_connect_generic_port($1)
+ corenet_dontaudit_tcp_connect_all_ports($1)
+ corenet_sendrecv_portmap_client_packets($1)
+ corenet_sendrecv_generic_client_packets($1)
+ corenet_sendrecv_generic_server_packets($1)
+
+ sysnet_read_config($1)
+')
+
+########################################
+##
+## Use the ypbind service to access NIS services.
+##
+##
+##

+## Allow the specified domain to use the ypbind service
+## to access Network Information Service (NIS) services.
+## Information that can be retreived from NIS includes
+## usernames, passwords, home directories, and groups.
+## If the network is configured to have a single sign-on
+## using NIS, it is likely that any program that does
+## authentication will need this access.
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+#
+interface(`nis_use_ypbind',`
+ tunable_policy(`allow_ypbind',`
+ nis_use_ypbind_uncond($1)
+ ')
+')
+
+########################################
+##
+## Use the nis to authenticate passwords
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`nis_authenticate',`
+ tunable_policy(`allow_ypbind',`
+ nis_use_ypbind_uncond($1)
+ corenet_tcp_bind_all_rpc_ports($1)
+ corenet_udp_bind_all_rpc_ports($1)
+ ')
+')
+
+########################################
+##
+## Execute ypbind in the ypbind domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nis_domtrans_ypbind',`
+ gen_require(`
+ type ypbind_t, ypbind_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ypbind_exec_t, ypbind_t)
+')
+
+########################################
+##
+## Execute ypbind in the ypbind domain, and
+## allow the specified role the ypbind domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`nis_run_ypbind',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ nis_domtrans_ypbind($1)
+ role $2 types ypbind_t;
+')
+
+########################################
+##
+## Send generic signals to ypbind.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nis_signal_ypbind',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ allow $1 ypbind_t:process signal;
+')
+
+########################################
+##
+## List the contents of the NIS data directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nis_list_var_yp',`
+ gen_require(`
+ type var_yp_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_yp_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Send UDP network traffic to NIS clients. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nis_udp_send_ypbind',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Connect to ypbind over TCP. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nis_tcp_connect_ypbind',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Read ypbind pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nis_read_ypbind_pid',`
+ gen_require(`
+ type ypbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ypbind_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Delete ypbind pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nis_delete_ypbind_pid',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ # TODO: add delete pid from dir call to files
+ allow $1 ypbind_t:file unlink;
+')
+
+########################################
+##
+## Read ypserv configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nis_read_ypserv_config',`
+ gen_require(`
+ type ypserv_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 ypserv_conf_t:file read_file_perms;
+')
+
+########################################
+##
+## Execute ypxfr in the ypxfr domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nis_domtrans_ypxfr',`
+ gen_require(`
+ type ypxfr_t, ypxfr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ypxfr_exec_t, ypxfr_t)
+')
+
+########################################
+##
+## Execute nis server in the nis domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+#
+interface(`nis_initrc_domtrans',`
+ gen_require(`
+ type nis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nis_initrc_exec_t)
+')
+
+########################################
+##
+## Execute nis server in the nis domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nis_initrc_domtrans_ypbind',`
+ gen_require(`
+ type ypbind_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ypbind_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an nis environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`nis_admin',`
+ gen_require(`
+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
+ type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
+ type ypbind_initrc_exec_t, nis_initrc_exec_t;
+ ')
+
+ allow $1 ypbind_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ypbind_t)
+
+ allow $1 yppasswdd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, yppasswdd_t)
+
+ allow $1 ypserv_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ypserv_t)
+
+ allow $1 ypxfr_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ypxfr_t)
+
+ nis_initrc_domtrans($1)
+ nis_initrc_domtrans_ypbind($1)
+ domain_system_change_exemption($1)
+ role_transition $2 nis_initrc_exec_t system_r;
+ role_transition $2 ypbind_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, ypbind_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ypbind_var_run_t)
+
+ admin_pattern($1, yppasswdd_var_run_t)
+
+ files_list_etc($1)
+ admin_pattern($1, ypserv_conf_t)
+
+ admin_pattern($1, ypserv_tmp_t)
+
+ admin_pattern($1, ypserv_var_run_t)
+')
diff --git a/nis.te b/nis.te
new file mode 100644
index 0000000..4876cae
--- /dev/null
+++ b/nis.te
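Review bot: `nis_delete_ypbind_pid` grants `allow $1 ypbind_t:file unlink;`, but `ypbind_t` is the daemon's process domain, not the label of its pid file (nis.fc puts `/var/run/ypbind.*` under `ypbind_var_run_t`), so the rule can never match a real object and a caller is still denied the unlink; the require should read `type ypbind_var_run_t;` and the rule `allow $1 ypbind_var_run_t:file unlink;`, matching `nis_read_ypbind_pid` a few lines above. The existing TODO about the directory-side permission still applies after that fix and should stay. Separately, the summary on `nis_initrc_domtrans_ypbind` ("Execute nis server in the nis domain") is a copy of the one on `nis_initrc_domtrans` and describes the wrong interface; it should read something like `## Execute the ypbind init script with an automatic domain transition to initrc.`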
@@ -0,0 +1,347 @@
+policy_module(nis, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type nis_initrc_exec_t;
+init_script_file(nis_initrc_exec_t)
+
+type var_yp_t;
+files_type(var_yp_t)
+
+type ypbind_t;
+type ypbind_exec_t;
+init_daemon_domain(ypbind_t, ypbind_exec_t)
+
+type ypbind_initrc_exec_t;
+init_script_file(ypbind_initrc_exec_t)
+
+type ypbind_tmp_t;
+files_tmp_file(ypbind_tmp_t)
+
+type ypbind_var_run_t;
+files_pid_file(ypbind_var_run_t)
+
+type yppasswdd_t;
+type yppasswdd_exec_t;
+init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
+domain_obj_id_change_exemption(yppasswdd_t)
+
+type yppasswdd_var_run_t;
+files_pid_file(yppasswdd_var_run_t)
+
+type ypserv_t;
+type ypserv_exec_t;
+init_daemon_domain(ypserv_t, ypserv_exec_t)
+
+type ypserv_conf_t;
+files_type(ypserv_conf_t)
+
+type ypserv_tmp_t;
+files_tmp_file(ypserv_tmp_t)
+
+type ypserv_var_run_t;
+files_pid_file(ypserv_var_run_t)
+
+type ypxfr_t;
+type ypxfr_exec_t;
+init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+
+type ypxfr_var_run_t;
+files_pid_file(ypxfr_var_run_t)
+
+########################################
+#
+# ypbind local policy
+
+dontaudit ypbind_t self:capability { net_admin sys_tty_config };
+allow ypbind_t self:fifo_file rw_fifo_file_perms;
+allow ypbind_t self:process signal_perms;
+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypbind_t self:tcp_socket create_stream_socket_perms;
+allow ypbind_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
+manage_files_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
+files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
+
+manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t)
+files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)
+
+manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
+
+kernel_read_system_state(ypbind_t)
+kernel_read_kernel_sysctls(ypbind_t)
+
+corenet_all_recvfrom_unlabeled(ypbind_t)
+corenet_all_recvfrom_netlabel(ypbind_t)
+corenet_tcp_sendrecv_generic_if(ypbind_t)
+corenet_udp_sendrecv_generic_if(ypbind_t)
+corenet_tcp_sendrecv_generic_node(ypbind_t)
+corenet_udp_sendrecv_generic_node(ypbind_t)
+corenet_tcp_sendrecv_all_ports(ypbind_t)
+corenet_udp_sendrecv_all_ports(ypbind_t)
+corenet_tcp_bind_generic_node(ypbind_t)
+corenet_udp_bind_generic_node(ypbind_t)
+corenet_tcp_bind_generic_port(ypbind_t)
+corenet_udp_bind_generic_port(ypbind_t)
+corenet_tcp_bind_reserved_port(ypbind_t)
+corenet_udp_bind_reserved_port(ypbind_t)
+corenet_tcp_bind_all_rpc_ports(ypbind_t)
+corenet_udp_bind_all_rpc_ports(ypbind_t)
+corenet_tcp_connect_all_ports(ypbind_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
+corenet_sendrecv_all_client_packets(ypbind_t)
+corenet_sendrecv_generic_server_packets(ypbind_t)
+
+dev_read_sysfs(ypbind_t)
+
+fs_getattr_all_fs(ypbind_t)
+fs_search_auto_mountpoints(ypbind_t)
+
+domain_use_interactive_fds(ypbind_t)
+
+files_read_etc_files(ypbind_t)
+files_list_var(ypbind_t)
+
+logging_send_syslog_msg(ypbind_t)
+
+miscfiles_read_localization(ypbind_t)
+
+sysnet_read_config(ypbind_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
+userdom_dontaudit_search_user_home_dirs(ypbind_t)
+
+optional_policy(`
+ dbus_system_bus_client(ypbind_t)
+ dbus_connect_system_bus(ypbind_t)
+ init_dbus_chat_script(ypbind_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(ypbind_t)
+ ')
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ypbind_t)
+')
+
+optional_policy(`
+ udev_read_db(ypbind_t)
+')
+
+########################################
+#
+# yppasswdd local policy
+#
+
+allow yppasswdd_t self:capability dac_override;
+dontaudit yppasswdd_t self:capability sys_tty_config;
+allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
+allow yppasswdd_t self:process { getsched setfscreate signal_perms };
+allow
yppasswdd_t self:unix_dgram_socket create_socket_perms;
+allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
+allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
+allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
+allow yppasswdd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(yppasswdd_t, yppasswdd_var_run_t, yppasswdd_var_run_t)
+files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
+
+manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
+manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
+
+kernel_list_proc(yppasswdd_t)
+kernel_read_proc_symlinks(yppasswdd_t)
+kernel_getattr_proc_files(yppasswdd_t)
+kernel_read_kernel_sysctls(yppasswdd_t)
+
+corenet_all_recvfrom_unlabeled(yppasswdd_t)
+corenet_all_recvfrom_netlabel(yppasswdd_t)
+corenet_tcp_sendrecv_generic_if(yppasswdd_t)
+corenet_udp_sendrecv_generic_if(yppasswdd_t)
+corenet_tcp_sendrecv_generic_node(yppasswdd_t)
+corenet_udp_sendrecv_generic_node(yppasswdd_t)
+corenet_tcp_sendrecv_all_ports(yppasswdd_t)
+corenet_udp_sendrecv_all_ports(yppasswdd_t)
+corenet_tcp_bind_generic_node(yppasswdd_t)
+corenet_udp_bind_generic_node(yppasswdd_t)
+corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
+corenet_udp_bind_all_rpc_ports(yppasswdd_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
+corenet_sendrecv_generic_server_packets(yppasswdd_t)
+
+dev_read_sysfs(yppasswdd_t)
+
+fs_getattr_all_fs(yppasswdd_t)
+fs_search_auto_mountpoints(yppasswdd_t)
+
+selinux_get_fs_mount(yppasswdd_t)
+
+auth_manage_shadow(yppasswdd_t)
+auth_relabel_shadow(yppasswdd_t)
+auth_etc_filetrans_shadow(yppasswdd_t)
+
+corecmd_exec_bin(yppasswdd_t)
+corecmd_exec_shell(yppasswdd_t)
+
+domain_use_interactive_fds(yppasswdd_t)
+
+files_read_etc_files(yppasswdd_t)
+files_read_etc_runtime_files(yppasswdd_t)
+files_relabel_etc_files(yppasswdd_t)
+
+logging_send_syslog_msg(yppasswdd_t)
+
+miscfiles_read_localization(yppasswdd_t)
+
+sysnet_read_config(yppasswdd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
+userdom_dontaudit_search_user_home_dirs(yppasswdd_t)
+
+optional_policy(`
+ hostname_exec(yppasswdd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(yppasswdd_t)
+')
+
+optional_policy(`
+ udev_read_db(yppasswdd_t)
+')
+
+########################################
+#
+# ypserv local policy
+#
+
+dontaudit ypserv_t self:capability sys_tty_config;
+allow ypserv_t self:fifo_file rw_fifo_file_perms;
+allow ypserv_t self:process signal_perms;
+allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
+allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypserv_t self:tcp_socket connected_stream_socket_perms;
+allow ypserv_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(ypserv_t, var_yp_t, var_yp_t)
+
+allow ypserv_t ypserv_conf_t:file read_file_perms;
+
+manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
+manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
+files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
+
+manage_files_pattern(ypserv_t, ypserv_var_run_t, ypserv_var_run_t)
+files_pid_filetrans(ypserv_t, ypserv_var_run_t, file)
+
+kernel_read_kernel_sysctls(ypserv_t)
+kernel_list_proc(ypserv_t)
+kernel_read_proc_symlinks(ypserv_t)
+
+corenet_all_recvfrom_unlabeled(ypserv_t)
+corenet_all_recvfrom_netlabel(ypserv_t)
+corenet_tcp_sendrecv_generic_if(ypserv_t)
+corenet_udp_sendrecv_generic_if(ypserv_t)
+corenet_tcp_sendrecv_generic_node(ypserv_t)
+corenet_udp_sendrecv_generic_node(ypserv_t)
+corenet_tcp_sendrecv_all_ports(ypserv_t)
+corenet_udp_sendrecv_all_ports(ypserv_t)
+corenet_tcp_bind_generic_node(ypserv_t)
+corenet_udp_bind_generic_node(ypserv_t)
+corenet_tcp_bind_reserved_port(ypserv_t)
+corenet_udp_bind_reserved_port(ypserv_t)
+corenet_tcp_bind_all_rpc_ports(ypserv_t)
+corenet_udp_bind_all_rpc_ports(ypserv_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
+corenet_sendrecv_generic_server_packets(ypserv_t)
+
+dev_read_sysfs(ypserv_t)
+
+fs_getattr_all_fs(ypserv_t)
+fs_search_auto_mountpoints(ypserv_t)
+
+corecmd_exec_bin(ypserv_t)
+
+domain_use_interactive_fds(ypserv_t)
+
+files_read_var_files(ypserv_t)
+files_read_etc_files(ypserv_t)
+
+logging_send_syslog_msg(ypserv_t)
+
+miscfiles_read_localization(ypserv_t)
+
+nis_domtrans_ypxfr(ypserv_t)
+
+sysnet_read_config(ypserv_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
+userdom_dontaudit_search_user_home_dirs(ypserv_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(ypserv_t)
+')
+
+optional_policy(`
+ udev_read_db(ypserv_t)
+')
+
+########################################
+#
+# ypxfr local policy
+#
+
+allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;
+allow ypxfr_t self:tcp_socket create_stream_socket_perms;
+allow ypxfr_t self:udp_socket create_socket_perms;
+allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t)
+
+allow ypxfr_t ypserv_t:tcp_socket { read write };
+allow ypxfr_t ypserv_t:udp_socket { read write };
+
+allow ypxfr_t ypserv_conf_t:file read_file_perms;
+
+manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
+files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(ypxfr_t)
+corenet_all_recvfrom_netlabel(ypxfr_t)
+corenet_tcp_sendrecv_generic_if(ypxfr_t)
+corenet_udp_sendrecv_generic_if(ypxfr_t)
+corenet_tcp_sendrecv_generic_node(ypxfr_t)
+corenet_udp_sendrecv_generic_node(ypxfr_t)
+corenet_tcp_sendrecv_all_ports(ypxfr_t)
+corenet_udp_sendrecv_all_ports(ypxfr_t)
+corenet_tcp_bind_generic_node(ypxfr_t)
+corenet_udp_bind_generic_node(ypxfr_t)
+corenet_tcp_bind_reserved_port(ypxfr_t)
+corenet_udp_bind_reserved_port(ypxfr_t)
+corenet_tcp_bind_all_rpc_ports(ypxfr_t)
+corenet_udp_bind_all_rpc_ports(ypxfr_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
+corenet_tcp_connect_all_ports(ypxfr_t)
+corenet_sendrecv_generic_server_packets(ypxfr_t)
+corenet_sendrecv_all_client_packets(ypxfr_t)
+
+files_read_etc_files(ypxfr_t)
+files_search_usr(ypxfr_t)
+
+logging_send_syslog_msg(ypxfr_t)
+
+miscfiles_read_localization(ypxfr_t)
+
+sysnet_read_config(ypxfr_t)
diff --git a/nscd.fc b/nscd.fc
new file mode 100644
index 0000000..623b731
--- /dev/null
+++ b/nscd.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
+
+/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+
+/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
+
+/var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
diff --git a/nscd.if b/nscd.if
new file mode 100644
index 0000000..85188dc
--- /dev/null
+++ b/nscd.if
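Review bot: `allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;` applies stream-only permissions (listen/accept) to a datagram socket, while `ypserv_t` and `yppasswdd_t` in the same file use `create_socket_perms` for `unix_dgram_socket`; change it to `allow ypxfr_t self:unix_dgram_socket create_socket_perms;` so the three domains agree and no unusable permissions are granted. In the yppasswdd section, `auth_manage_shadow`, `auth_relabel_shadow` and `files_relabel_etc_files` sit next to `corecmd_exec_shell` and `corecmd_exec_bin` for a daemon that binds RPC ports and accepts network input, so the policy offers little containment if yppasswdd mishandles a request. The shell/bin exec rules deserve a comment naming the helper they exist for (presumably a post-update hook; to be confirmed against the daemon's configuration), and `files_relabel_etc_files`, which covers every `etc_t` file rather than just the passwd database, should be checked against whether relabeling only the files yppasswdd rewrites would suffice.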
@@ -0,0 +1,291 @@
+## Name service cache daemon
+
+########################################
+##
+## Send generic signals to NSCD.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nscd_signal',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signal;
+')
+
+########################################
+##
+## Send NSCD the kill signal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nscd_kill',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process sigkill;
+')
+
+########################################
+##
+## Send signulls to NSCD.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nscd_signull',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signull;
+')
+
+########################################
+##
+## Execute NSCD in the nscd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nscd_domtrans',`
+ gen_require(`
+ type nscd_t, nscd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nscd_exec_t, nscd_t)
+')
+
+########################################
+##
+## Allow the specified domain to execute nscd
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nscd_exec',`
+ gen_require(`
+ type nscd_exec_t;
+ ')
+
+ can_exec($1, nscd_exec_t)
+')
+
+########################################
+##
+## Use NSCD services by connecting using
+## a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nscd_socket_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
+ ')
+
+ allow $1 self:unix_stream_socket create_socket_perms;
+
+ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+ dontaudit $1 nscd_t:fd use;
+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
+ files_search_pids($1)
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+ dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+##
+## Use NSCD services by mapping the database from
+## an inherited NSCD file descriptor.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nscd_shm_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+ ')
+
+ allow $1 nscd_var_run_t:dir list_dir_perms;
+ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+
+ # Receive fd from nscd and map the backing file with read access.
+ allow $1 nscd_t:fd use;
+
+ # cjp: these were originally inherited from the
+ # nscd_socket_domain macro. need to investigate
+ # if they are all actually required
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 nscd_t:unix_stream_socket connectto;
+ allow $1 nscd_var_run_t:sock_file rw_file_perms;
+ files_search_pids($1)
+ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+ dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+##
+## Do not audit attempts to search the NSCD pid directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`nscd_dontaudit_search_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ ')
+
+ dontaudit $1 nscd_var_run_t:dir search;
+')
+
+########################################
+##
+## Read NSCD pid file.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nscd_read_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, nscd_var_run_t, nscd_var_run_t)
+')
+
+########################################
+##
+## Unconfined access to NSCD services.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nscd_unconfined',`
+ gen_require(`
+ type nscd_t;
+ class nscd all_nscd_perms;
+ ')
+
+ allow $1 nscd_t:nscd *;
+')
+
+########################################
+##
+## Execute nscd in the nscd domain, and
+## allow the specified role the nscd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`nscd_run',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ nscd_domtrans($1)
+ role $2 types nscd_t;
+')
+
+########################################
+##
+## Execute the nscd server init script.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nscd_initrc_domtrans',`
+ gen_require(`
+ type nscd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an nscd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the nscd domain.
+##
+##
+##
+#
+interface(`nscd_admin',`
+ gen_require(`
+ type nscd_t, nscd_log_t, nscd_var_run_t;
+ type nscd_initrc_exec_t;
+ ')
+
+ allow $1 nscd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nscd_t)
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 nscd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, nscd_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nscd_var_run_t)
+')
diff --git a/nscd.te b/nscd.te
new file mode 100644
index 0000000..7936e09
--- /dev/null
+++ b/nscd.te
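Review bot: `nscd_shm_use` grants `allow $1 nscd_t:unix_stream_socket connectto;` and `allow $1 nscd_var_run_t:sock_file rw_file_perms;` under a comment admitting they were inherited and never verified, so an interface documented as "mapping the database from an inherited NSCD file descriptor" also hands out the socket-connect rights that `nscd_socket_use` exists to provide. Either confirm they are needed and replace the `# cjp:` note with a why-comment, or drop them and have callers that also need the socket path call `nscd_socket_use`. As a smaller consistency point, `nscd_exec` calls `can_exec($1, nscd_exec_t)` without the `corecmd_search_bin($1)` that `nscd_domtrans` and the other exec interfaces in this commit include before touching the binary.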
@@ -0,0 +1,129 @@
+policy_module(nscd, 1.10.0)
+
+gen_require(`
+ class nscd all_nscd_perms;
+')
+
+########################################
+#
+# Declarations
+#
+
+# cjp: this is out of order because of an
+# ordering problem with loadable modules
+type nscd_var_run_t;
+files_pid_file(nscd_var_run_t)
+
+# nscd is both the client program and the daemon.
+type nscd_t;
+type nscd_exec_t;
+init_daemon_domain(nscd_t, nscd_exec_t)
+
+type nscd_initrc_exec_t;
+init_script_file(nscd_initrc_exec_t)
+
+type nscd_log_t;
+logging_log_file(nscd_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow nscd_t self:capability { kill setgid setuid };
+dontaudit nscd_t self:capability sys_tty_config;
+allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
+allow nscd_t self:fifo_file read_fifo_file_perms;
+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
+allow nscd_t self:unix_dgram_socket create_socket_perms;
+allow nscd_t self:netlink_selinux_socket create_socket_perms;
+allow nscd_t self:tcp_socket create_socket_perms;
+allow nscd_t self:udp_socket create_socket_perms;
+
+# For client program operation, invoked from sysadm_t.
+# Transition occurs to nscd_t due to direct_sysadm_daemon.
+allow nscd_t self:nscd { admin getstat };
+
+allow nscd_t nscd_log_t:file manage_file_perms;
+logging_log_filetrans(nscd_t, nscd_log_t, file)
+
+manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
+manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+
+corecmd_search_bin(nscd_t)
+can_exec(nscd_t, nscd_exec_t)
+
+kernel_read_kernel_sysctls(nscd_t)
+kernel_list_proc(nscd_t)
+kernel_read_proc_symlinks(nscd_t)
+
+dev_read_sysfs(nscd_t)
+dev_read_rand(nscd_t)
+dev_read_urand(nscd_t)
+
+fs_getattr_all_fs(nscd_t)
+fs_search_auto_mountpoints(nscd_t)
+fs_list_inotifyfs(nscd_t)
+
+# for when /etc/passwd has just been updated and has the wrong type
+auth_getattr_shadow(nscd_t)
+auth_use_nsswitch(nscd_t)
+
+corenet_all_recvfrom_unlabeled(nscd_t)
+corenet_all_recvfrom_netlabel(nscd_t)
+corenet_tcp_sendrecv_generic_if(nscd_t)
+corenet_udp_sendrecv_generic_if(nscd_t)
+corenet_tcp_sendrecv_generic_node(nscd_t)
+corenet_udp_sendrecv_generic_node(nscd_t)
+corenet_tcp_sendrecv_all_ports(nscd_t)
+corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_generic_node(nscd_t)
+corenet_tcp_connect_all_ports(nscd_t)
+corenet_sendrecv_all_client_packets(nscd_t)
+corenet_rw_tun_tap_dev(nscd_t)
+
+selinux_get_fs_mount(nscd_t)
+selinux_validate_context(nscd_t)
+selinux_compute_access_vector(nscd_t)
+selinux_compute_create_context(nscd_t)
+selinux_compute_relabel_context(nscd_t)
+selinux_compute_user_contexts(nscd_t)
+domain_use_interactive_fds(nscd_t)
+
+files_read_etc_files(nscd_t)
+files_read_generic_tmp_symlinks(nscd_t)
+# Needed to read files created by firstboot "/etc/hesiod.conf"
+files_read_etc_runtime_files(nscd_t)
+
+logging_send_audit_msgs(nscd_t)
+logging_send_syslog_msg(nscd_t)
+
+miscfiles_read_localization(nscd_t)
+
+seutil_read_config(nscd_t)
+seutil_read_default_contexts(nscd_t)
+seutil_sigchld_newrole(nscd_t)
+
+sysnet_read_config(nscd_t)
+
+userdom_dontaudit_use_user_terminals(nscd_t)
+userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+userdom_dontaudit_search_user_home_dirs(nscd_t)
+
+optional_policy(`
+ cron_read_system_job_tmp_files(nscd_t)
+')
+
+optional_policy(`
+ kerberos_use(nscd_t)
+')
+
+optional_policy(`
+ udev_read_db(nscd_t)
+')
+
+optional_policy(`
+ xen_dontaudit_rw_unix_stream_sockets(nscd_t)
+ xen_append_log(nscd_t)
+')
diff --git a/nsd.fc b/nsd.fc
new file mode 100644
index 0000000..53cc800
--- /dev/null
+++ b/nsd.fc
@@ -0,0 +1,14 @@
+
+/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
+/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
+/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+
+/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+
+/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
+/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
diff --git a/nsd.if b/nsd.if
new file mode 100644
index 0000000..a1371d5
--- /dev/null
+++ b/nsd.if
@@ -0,0 +1,29 @@
+## Authoritative only name server
+
+########################################
+##
+## Send and receive datagrams from NSD. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsd_udp_chat',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Connect to NSD over a TCP socket (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsd_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/nsd.te b/nsd.te
new file mode 100644
index 0000000..4b15536
--- /dev/null
+++ b/nsd.te
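Review bot: `corenet_rw_tun_tap_dev(nscd_t)` and `corenet_tcp_connect_all_ports(nscd_t)` are the broadest grants in the local-policy section and carry no justification, while the other unusual rules nearby do (`# for when /etc/passwd has just been updated and has the wrong type`, `# Needed to read files created by firstboot "/etc/hesiod.conf"`). Read/write access to tun/tap devices is not something a name-service cache self-evidently needs, so add a why-comment naming the setup that requires it, or move it into an `optional_policy` block if it serves one specific integration. The all-ports TCP connect deserves the same: if it exists because nsswitch backends may listen on arbitrary ports, say so next to the rule so a later reviewer can judge whether a port-specific interface would do.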
@@ -0,0 +1,180 @@
+policy_module(nsd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type nsd_t;
+type nsd_exec_t;
+init_daemon_domain(nsd_t, nsd_exec_t)
+
+# A type for configuration files of nsd
+type nsd_conf_t;
+files_type(nsd_conf_t)
+
+type nsd_crond_t;
+domain_type(nsd_crond_t)
+domain_entry_file(nsd_crond_t, nsd_exec_t)
+role system_r types nsd_crond_t;
+
+# a type for nsd.db
+type nsd_db_t;
+files_type(nsd_db_t)
+
+type nsd_var_run_t;
+files_pid_file(nsd_var_run_t)
+
+# A type for zone files
+type nsd_zone_t;
+files_type(nsd_zone_t)
+
+########################################
+#
+# NSD Local policy
+#
+
+allow nsd_t self:capability { dac_override chown setuid setgid };
+dontaudit nsd_t self:capability sys_tty_config;
+allow nsd_t self:process signal_perms;
+allow nsd_t self:tcp_socket create_stream_socket_perms;
+allow nsd_t self:udp_socket create_socket_perms;
+
+allow nsd_t nsd_conf_t:dir list_dir_perms;
+read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+
+allow nsd_t nsd_db_t:file manage_file_perms;
+filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
+
+manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
+files_pid_filetrans(nsd_t, nsd_var_run_t, file)
+
+allow nsd_t nsd_zone_t:dir list_dir_perms;
+read_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+read_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
+
+can_exec(nsd_t, nsd_exec_t)
+
+kernel_read_system_state(nsd_t)
+kernel_read_kernel_sysctls(nsd_t)
+
+corecmd_exec_bin(nsd_t)
+
+corenet_all_recvfrom_unlabeled(nsd_t)
+corenet_all_recvfrom_netlabel(nsd_t)
+corenet_tcp_sendrecv_generic_if(nsd_t)
+corenet_udp_sendrecv_generic_if(nsd_t)
+corenet_tcp_sendrecv_generic_node(nsd_t)
+corenet_udp_sendrecv_generic_node(nsd_t)
+corenet_tcp_sendrecv_all_ports(nsd_t)
+corenet_udp_sendrecv_all_ports(nsd_t)
+corenet_tcp_bind_generic_node(nsd_t)
+corenet_udp_bind_generic_node(nsd_t)
+corenet_tcp_bind_dns_port(nsd_t)
+corenet_udp_bind_dns_port(nsd_t)
+corenet_sendrecv_dns_server_packets(nsd_t)
+
+dev_read_sysfs(nsd_t)
+
+domain_use_interactive_fds(nsd_t)
+
+files_read_etc_files(nsd_t)
+files_read_etc_runtime_files(nsd_t)
+
+fs_getattr_all_fs(nsd_t)
+fs_search_auto_mountpoints(nsd_t)
+
+logging_send_syslog_msg(nsd_t)
+
+miscfiles_read_localization(nsd_t)
+
+sysnet_read_config(nsd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nsd_t)
+userdom_dontaudit_search_user_home_dirs(nsd_t)
+
+optional_policy(`
+ nis_use_ypbind(nsd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nsd_t)
+')
+
+optional_policy(`
+ udev_read_db(nsd_t)
+')
+
+########################################
+#
+# Zone update cron job local policy
+#
+
+# kill capability for root cron job and non-root daemon
+allow nsd_crond_t self:capability { dac_override kill };
+dontaudit nsd_crond_t self:capability sys_nice;
+allow nsd_crond_t self:process { setsched signal_perms };
+allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
+allow nsd_crond_t self:tcp_socket create_socket_perms;
+allow nsd_crond_t self:udp_socket create_socket_perms;
+
+allow nsd_crond_t nsd_conf_t:file read_file_perms;
+
+allow nsd_crond_t nsd_db_t:file manage_file_perms;
+filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
+files_search_var_lib(nsd_crond_t)
+
+allow nsd_crond_t nsd_t:process signal;
+
+ps_process_pattern(nsd_crond_t, nsd_t)
+
+manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
+filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
+
+can_exec(nsd_crond_t, nsd_exec_t)
+
+kernel_read_system_state(nsd_crond_t)
+
+corecmd_exec_bin(nsd_crond_t)
+corecmd_exec_shell(nsd_crond_t)
+
+corenet_all_recvfrom_unlabeled(nsd_crond_t)
+corenet_all_recvfrom_netlabel(nsd_crond_t)
+corenet_tcp_sendrecv_generic_if(nsd_crond_t)
+corenet_udp_sendrecv_generic_if(nsd_crond_t)
+corenet_tcp_sendrecv_generic_node(nsd_crond_t)
+corenet_udp_sendrecv_generic_node(nsd_crond_t)
+corenet_tcp_sendrecv_all_ports(nsd_crond_t)
+corenet_udp_sendrecv_all_ports(nsd_crond_t)
+corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_sendrecv_all_client_packets(nsd_crond_t)
+
+# for SSP
+dev_read_urand(nsd_crond_t)
+
+domain_dontaudit_read_all_domains_state(nsd_crond_t)
+
+files_read_etc_files(nsd_crond_t)
+files_read_etc_runtime_files(nsd_crond_t)
+files_search_var_lib(nsd_t)
+
+logging_send_syslog_msg(nsd_crond_t)
+
+miscfiles_read_localization(nsd_crond_t)
+
+sysnet_read_config(nsd_crond_t)
+
+userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
+
+optional_policy(`
+ cron_system_entry(nsd_crond_t, nsd_exec_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(nsd_crond_t)
+')
+
+optional_policy(`
+ nscd_read_pid(nsd_crond_t)
+')
diff --git a/nslcd.fc b/nslcd.fc
new file mode 100644
index 0000000..ce913b2
--- /dev/null
+++ b/nslcd.fc
@@ -0,0 +1,4 @@
+/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/nslcd.if b/nslcd.if
new file mode 100644
index 0000000..23c769c
--- /dev/null
+++ b/nslcd.if
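Review bot: `files_search_var_lib(nsd_t)` sits inside the "Zone update cron job local policy" section, between `files_read_etc_runtime_files(nsd_crond_t)` and `logging_send_syslog_msg(nsd_crond_t)`, where every other rule names nsd_crond_t; it belongs in the "NSD Local policy" section next to `files_read_etc_runtime_files(nsd_t)`. The cron section already has its own `files_search_var_lib(nsd_crond_t)` after the nsd_db_t filetrans, so the misplaced rule is easy to overlook on a scan and reads as if the daemon had no /var/lib search access. Separately, nsd_crond_t receives `corenet_tcp_connect_all_ports` and `corenet_sendrecv_all_client_packets` without a comment; if the job only needs to reach name servers, a dns-port interface would be narrower, and if any port really is required the reason should be stated beside the rule as `# for SSP` is for `dev_read_urand`.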
@@ -0,0 +1,114 @@
+## nslcd - local LDAP name service daemon.
+
+########################################
+##
+## Execute a domain transition to run nslcd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nslcd_domtrans',`
+ gen_require(`
+ type nslcd_t, nslcd_exec_t;
+ ')
+
+ domtrans_pattern($1, nslcd_exec_t, nslcd_t)
+')
+
+########################################
+##
+## Execute nslcd server in the nslcd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nslcd_initrc_domtrans',`
+ gen_require(`
+ type nslcd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nslcd_initrc_exec_t)
+')
+
+########################################
+##
+## Read nslcd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nslcd_read_pid_files',`
+ gen_require(`
+ type nslcd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 nslcd_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Connect to nslcd over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nslcd_stream_connect',`
+ gen_require(`
+ type nslcd_t, nslcd_var_run_t;
+ ')
+
+ stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
+ files_search_pids($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an nslcd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`nslcd_admin',`
+ gen_require(`
+ type nslcd_t, nslcd_initrc_exec_t;
+ type nslcd_conf_t, nslcd_var_run_t;
+ ')
+
+ ps_process_pattern($1, nslcd_t)
+ allow $1 nslcd_t:process { ptrace signal_perms };
+
+ # Allow nslcd_t to restart the apache service
+ nslcd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 nslcd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t)
+
+ manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+ manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+ manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+')
diff --git a/nslcd.te b/nslcd.te
new file mode 100644
index 0000000..4e28d58
--- /dev/null
+++ b/nslcd.te
@@ -0,0 +1,45 @@
+policy_module(nslcd, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type nslcd_t;
+type nslcd_exec_t;
+init_daemon_domain(nslcd_t, nslcd_exec_t)
+
+type nslcd_initrc_exec_t;
+init_script_file(nslcd_initrc_exec_t)
+
+type nslcd_var_run_t;
+files_pid_file(nslcd_var_run_t)
+
+type nslcd_conf_t;
+files_type(nslcd_conf_t)
+
+########################################
+#
+# nslcd local policy
+#
+
+allow nslcd_t self:capability { setgid setuid dac_override };
+allow nslcd_t self:process signal;
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow nslcd_t nslcd_conf_t:file read_file_perms;
+
+manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+
+kernel_read_system_state(nslcd_t)
+
+files_read_etc_files(nslcd_t)
+
+auth_use_nsswitch(nslcd_t)
+
+logging_send_syslog_msg(nslcd_t)
+
+miscfiles_read_localization(nslcd_t)
diff --git a/ntop.fc b/ntop.fc
new file mode 100644
index 0000000..1838432
--- /dev/null
+++ b/ntop.fc
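Review bot: The comment `# Allow nslcd_t to restart the apache service` in `nslcd_admin` is wrong on both counts: the subject of the following `nslcd_initrc_domtrans($1)` is the admin domain $1, not nslcd_t, and the script it runs is nslcd's init script, not apache's. Replace it with `# Allow the admin domain to run the nslcd init script`. Also, `nslcd_domtrans` calls `domtrans_pattern($1, nslcd_exec_t, nslcd_t)` without the `corecmd_search_bin($1)` that `nscd_domtrans` and `ntp_domtrans` in the same commit put in front of it; adding it keeps the interfaces consistent and saves callers from needing a separate search grant on the bin directories.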
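Review bot: `type nslcd_conf_t; files_type(nslcd_conf_t)` introduces a dedicated type for `/etc/nss-ldapd.conf` instead of leaving it as generic etc content, and only `allow nslcd_t nslcd_conf_t:file read_file_perms;` uses it, but nothing in the hunk says why; nslcd's configuration can contain the LDAP bind credentials, which is presumably the reason for keeping it out of the widely readable etc types. Add that rationale at the declaration, e.g. `# own type: nss-ldapd.conf may hold LDAP bind credentials, so only nslcd_t and admins read it`, so that the next maintainer does not "simplify" it back to etc_t. The `dac_override` capability on the same domain would also benefit from a one-line note on which file it is needed for.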
@@ -0,0 +1,6 @@
+/etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0)
+
+/usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
+
+/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
+/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
diff --git a/ntop.if b/ntop.if
new file mode 100644
index 0000000..4bf0a14
--- /dev/null
+++ b/ntop.if
@@ -0,0 +1 @@
+## Network Top
diff --git a/ntop.te b/ntop.te
new file mode 100644
index 0000000..ded9fb6
--- /dev/null
+++ b/ntop.te
@@ -0,0 +1,114 @@
+policy_module(ntop, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type ntop_t;
+type ntop_exec_t;
+init_daemon_domain(ntop_t, ntop_exec_t)
+application_domain(ntop_t, ntop_exec_t)
+
+type ntop_initrc_exec_t;
+init_script_file(ntop_initrc_exec_t)
+
+type ntop_etc_t;
+files_config_file(ntop_etc_t)
+
+type ntop_tmp_t;
+files_tmp_file(ntop_tmp_t)
+
+type ntop_var_lib_t;
+files_type(ntop_var_lib_t)
+
+type ntop_var_run_t;
+files_pid_file(ntop_var_run_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
+dontaudit ntop_t self:capability sys_tty_config;
+allow ntop_t self:process signal_perms;
+allow ntop_t self:fifo_file rw_fifo_file_perms;
+allow ntop_t self:tcp_socket create_stream_socket_perms;
+allow ntop_t self:udp_socket create_socket_perms;
+allow ntop_t self:unix_dgram_socket create_socket_perms;
+allow ntop_t self:unix_stream_socket create_stream_socket_perms;
+allow ntop_t self:packet_socket create_socket_perms;
+allow ntop_t self:socket create_socket_perms;
+
+allow ntop_t ntop_etc_t:dir list_dir_perms;
+read_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
+read_lnk_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
+
+manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
+
+manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
+manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
+files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )
+
+manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
+files_pid_filetrans(ntop_t, ntop_var_run_t, file)
+
+kernel_request_load_module(ntop_t)
+kernel_read_system_state(ntop_t)
+kernel_read_network_state(ntop_t)
+kernel_read_kernel_sysctls(ntop_t)
+kernel_list_proc(ntop_t)
+kernel_read_proc_symlinks(ntop_t)
+
+corenet_all_recvfrom_unlabeled(ntop_t)
+corenet_all_recvfrom_netlabel(ntop_t)
+corenet_tcp_sendrecv_generic_if(ntop_t)
+corenet_udp_sendrecv_generic_if(ntop_t)
+corenet_raw_sendrecv_generic_if(ntop_t)
+corenet_tcp_sendrecv_generic_node(ntop_t)
+corenet_udp_sendrecv_generic_node(ntop_t)
+corenet_raw_sendrecv_generic_node(ntop_t)
+corenet_tcp_sendrecv_all_ports(ntop_t)
+corenet_udp_sendrecv_all_ports(ntop_t)
+corenet_tcp_bind_ntop_port(ntop_t)
+corenet_tcp_connect_ntop_port(ntop_t)
+corenet_tcp_connect_http_port(ntop_t)
+corenet_sendrecv_http_client_packets(ntop_t)
+corenet_sendrecv_ntop_client_packets(ntop_t)
+corenet_sendrecv_ntop_server_packets(ntop_t)
+
+dev_read_sysfs(ntop_t)
+dev_rw_generic_usb_dev(ntop_t)
+
+domain_use_interactive_fds(ntop_t)
+
+files_read_etc_files(ntop_t)
+files_read_usr_files(ntop_t)
+
+fs_getattr_all_fs(ntop_t)
+fs_search_auto_mountpoints(ntop_t)
+
+auth_use_nsswitch(ntop_t)
+
+logging_send_syslog_msg(ntop_t)
+
+miscfiles_read_localization(ntop_t)
+miscfiles_read_fonts(ntop_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ntop_t)
+userdom_dontaudit_search_user_home_dirs(ntop_t)
+
+optional_policy(`
+ apache_read_sys_content(ntop_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ntop_t)
+')
+
+optional_policy(`
+ udev_read_db(ntop_t)
+')
diff --git a/ntp.fc b/ntp.fc
new file mode 100644
index 0000000..e79dccc
--- /dev/null
+++ b/ntp.fc
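Review bot: `type ntop_initrc_exec_t; init_script_file(ntop_initrc_exec_t)` is declared, but the ntop.fc hunk in this commit labels no init script with it and ntop.if contains only the module summary, with no `ntop_initrc_domtrans` or `ntop_admin` interface, so the type is unreachable as committed; either add the `/etc/rc\.d/init\.d/ntop` context plus an admin interface as the nscd, nslcd and ntp modules here do, or drop the declaration. The capability line `allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };` also needs a why-comment: net_raw and the `packet_socket` rule below go with traffic capture, but sys_admin is the widest capability in the policy and nothing in the hunk shows what ntop uses it for (module loading is already covered by `kernel_request_load_module`). `dev_rw_generic_usb_dev(ntop_t)` is equally unexplained.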
@@ -0,0 +1,22 @@
+
+/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+
+/etc/ntpd?\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:net_conf_t,s0)
+
+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
+/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+
+/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+
+/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
diff --git a/ntp.if b/ntp.if
new file mode 100644
index 0000000..e80f8c0
--- /dev/null
+++ b/ntp.if
@@ -0,0 +1,165 @@
+## Network time protocol daemon
+
+########################################
+##
+## NTP stub interface. No access allowed.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_stub',`
+ gen_require(`
+ type ntpd_t;
+ ')
+')
+
+########################################
+##
+## Execute ntp server in the ntpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ntp_domtrans',`
+ gen_require(`
+ type ntpd_t, ntpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ntpd_exec_t, ntpd_t)
+')
+
+########################################
+##
+## Execute ntp in the ntp domain, and
+## allow the specified role the ntp domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`ntp_run',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ ntp_domtrans($1)
+ role $2 types ntpd_t;
+')
+
+########################################
+##
+## Execute ntp server in the ntpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ntp_domtrans_ntpdate',`
+ gen_require(`
+ type ntpd_t, ntpdate_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
+')
+
+########################################
+##
+## Execute ntp server in the ntpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ntp_initrc_domtrans',`
+ gen_require(`
+ type ntpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+')
+
+########################################
+##
+## Read and write ntpd shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_rw_shm',`
+ gen_require(`
+ type ntpd_t, ntpd_tmpfs_t;
+ ')
+
+ allow $1 ntpd_t:shm rw_shm_perms;
+ list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+ rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+ read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ntp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the ntp domain.
+##
+##
+##
+#
+interface(`ntp_admin',`
+ gen_require(`
+ type ntpd_t, ntpd_tmp_t, ntpd_log_t;
+ type ntpd_key_t, ntpd_var_run_t;
+ type ntpd_initrc_exec_t;
+ ')
+
+ allow $1 ntpd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, ntpd_t)
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ntpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, ntpd_key_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ntpd_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, ntpd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ntpd_var_run_t)
+')
diff --git a/ntp.te b/ntp.te
new file mode 100644
index 0000000..c61adc8
--- /dev/null
+++ b/ntp.te
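Review bot: The summaries of `ntp_domtrans_ntpdate` and `ntp_initrc_domtrans` both read `## Execute ntp server in the ntpd domain.`, copied from `ntp_domtrans`, so the generated interface documentation cannot tell the three apart. Suggested wording: `## Execute ntpdate in the ntpd domain.` for the first and `## Execute the ntp server init script.` for the second, matching `nscd_initrc_domtrans` elsewhere in this commit. In `ntp_admin`, the `getattr` in `allow $1 ntpd_t:process { ptrace signal_perms getattr };` appears redundant with the `ps_process_pattern($1, ntpd_t)` on the next line, and since `admin_pattern($1, ntpd_key_t)` hands the admin role full manage access to the NTP authentication keys (`/etc/ntp/keys`, `/etc/ntp/crypto` in ntp.fc), a one-line comment on that rule would help anyone auditing what the admin role can reach.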
@@ -0,0 +1,156 @@
+policy_module(ntp, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type ntp_drift_t;
+files_type(ntp_drift_t)
+
+type ntpd_t;
+type ntpd_exec_t;
+init_daemon_domain(ntpd_t, ntpd_exec_t)
+
+type ntpd_initrc_exec_t;
+init_script_file(ntpd_initrc_exec_t)
+
+type ntpd_key_t;
+files_type(ntpd_key_t)
+
+type ntpd_log_t;
+logging_log_file(ntpd_log_t)
+
+type ntpd_tmp_t;
+files_tmp_file(ntpd_tmp_t)
+
+type ntpd_tmpfs_t;
+files_tmpfs_file(ntpd_tmpfs_t)
+
+type ntpd_var_run_t;
+files_pid_file(ntpd_var_run_t)
+
+type ntpdate_exec_t;
+init_system_domain(ntpd_t, ntpdate_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# sys_resource and setrlimit is for locking memory
+# ntpdate wants sys_nice
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
+dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
+allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
+allow ntpd_t self:fifo_file rw_fifo_file_perms;
+allow ntpd_t self:shm create_shm_perms;
+allow ntpd_t self:unix_dgram_socket create_socket_perms;
+allow ntpd_t self:unix_stream_socket create_socket_perms;
+allow ntpd_t self:tcp_socket create_stream_socket_perms;
+allow ntpd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+
+can_exec(ntpd_t, ntpd_exec_t)
+
+read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+
+allow ntpd_t ntpd_log_t:dir setattr;
+manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
+
+# for some reason it creates a file in /tmp
+manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
+manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
+files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
+
+manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
+
+manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
+files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
+
+kernel_read_kernel_sysctls(ntpd_t)
+kernel_read_system_state(ntpd_t)
+kernel_read_network_state(ntpd_t)
+kernel_request_load_module(ntpd_t)
+
+corenet_all_recvfrom_unlabeled(ntpd_t)
+corenet_all_recvfrom_netlabel(ntpd_t)
+corenet_tcp_sendrecv_generic_if(ntpd_t)
+corenet_udp_sendrecv_generic_if(ntpd_t)
+corenet_tcp_sendrecv_generic_node(ntpd_t)
+corenet_udp_sendrecv_generic_node(ntpd_t)
+corenet_tcp_sendrecv_all_ports(ntpd_t)
+corenet_udp_sendrecv_all_ports(ntpd_t)
+corenet_tcp_bind_generic_node(ntpd_t)
+corenet_udp_bind_generic_node(ntpd_t)
+corenet_udp_bind_ntp_port(ntpd_t)
+corenet_tcp_connect_ntp_port(ntpd_t)
+corenet_sendrecv_ntp_server_packets(ntpd_t)
+corenet_sendrecv_ntp_client_packets(ntpd_t)
+
+dev_read_sysfs(ntpd_t)
+# for SSP
+dev_read_urand(ntpd_t)
+
+fs_getattr_all_fs(ntpd_t)
+fs_search_auto_mountpoints(ntpd_t)
+
+term_use_ptmx(ntpd_t)
+
+auth_use_nsswitch(ntpd_t)
+
+corecmd_exec_bin(ntpd_t)
+corecmd_exec_shell(ntpd_t)
+
+domain_use_interactive_fds(ntpd_t)
+domain_dontaudit_list_all_domains_state(ntpd_t)
+
+files_read_etc_files(ntpd_t)
+files_read_etc_runtime_files(ntpd_t)
+files_read_usr_files(ntpd_t)
+files_list_var_lib(ntpd_t)
+
+init_exec_script_files(ntpd_t)
+
+logging_send_syslog_msg(ntpd_t)
+
+miscfiles_read_localization(ntpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
+userdom_list_user_home_dirs(ntpd_t)
+
+optional_policy(`
+ # for cron jobs
+ cron_system_entry(ntpd_t, ntpdate_exec_t)
+')
+
+optional_policy(`
+ gpsd_rw_shm(ntpd_t)
+')
+
+optional_policy(`
+ firstboot_dontaudit_use_fds(ntpd_t)
+ firstboot_dontaudit_rw_pipes(ntpd_t)
+ firstboot_dontaudit_rw_stream_sockets(ntpd_t)
+')
+
+optional_policy(`
+ hal_dontaudit_write_log(ntpd_t)
+')
+
+optional_policy(`
+ logrotate_exec(ntpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ntpd_t)
+')
+
+optional_policy(`
+ udev_read_db(ntpd_t)
+')
diff --git a/nut.fc b/nut.fc
new file mode 100644
index 0000000..0a929ef
--- /dev/null
+++ b/nut.fc
@@ -0,0 +1,12 @@
+/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
+
+/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+
+/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
+/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+
+/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
+
+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
new file mode 100644
index 0000000..56660c5
--- /dev/null
+++ b/nut.if
@@ -0,0 +1 @@
+## nut - Network UPS Tools
diff --git a/nut.te b/nut.te
new file mode 100644
index 0000000..ff962dd
--- /dev/null
+++ b/nut.te
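Review bot: `sys_nice` appears both in `allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };` and in the `dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };` directly below it; a dontaudit on a permission that is already allowed has no effect, so one of the two is stale. The comment `# ntpdate wants sys_nice` says the allow is intended, so drop `sys_nice` from the dontaudit line. The same allow grants `ipc_owner` and `sys_chroot`, which the two-line comment above does not cover the way it covers sys_resource and sys_nice; extend it to say what each is for, or remove any that no longer apply. `userdom_list_user_home_dirs(ntpd_t)` further down is likewise unexplained for a time daemon and stands out next to the `userdom_dontaudit_*` rules the other modules in this commit use.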
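Review bot: The three `/var/www/nut-cgi-bin/*.cgi` entries label files as `httpd_nutups_cgi_script_exec_t`, a type that is not declared in the visible part of the nut.te hunk (which starts at `policy_module(nut, 1.2.0)` and is cut off in this view); presumably it is generated by an apache content template call later in nut.te — confirm, since a file context that names an undeclared type fails at policy build rather than at runtime. If the declaration exists, a short comment above these entries saying which template produces the type would save the next reader the same search.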
@@ -0,0 +1,171 @@ +policy_module(nut, 1.2.0) + +######################################## +# +# Declarations +# + +type nut_conf_t; +files_config_file(nut_conf_t) + +type nut_upsd_t; +type nut_upsd_exec_t; +init_daemon_domain(nut_upsd_t, nut_upsd_exec_t) + +type nut_upsmon_t; +type nut_upsmon_exec_t; +init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t) + +type nut_upsdrvctl_t; +type nut_upsdrvctl_exec_t; +init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) + +type nut_var_run_t; +files_pid_file(nut_var_run_t) + +######################################## +# +# Local policy for upsd +# + +allow nut_upsd_t self:capability { setgid setuid dac_override }; + +allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; + +allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; + +read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) + +# pid file +manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) +manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) +manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) +files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file }) + +kernel_read_kernel_sysctls(nut_upsd_t) + +corenet_tcp_bind_ups_port(nut_upsd_t) +corenet_tcp_bind_generic_port(nut_upsd_t) +corenet_tcp_bind_all_nodes(nut_upsd_t) + +files_read_usr_files(nut_upsd_t) + +auth_use_nsswitch(nut_upsd_t) + +logging_send_syslog_msg(nut_upsd_t) + +miscfiles_read_localization(nut_upsd_t) + +######################################## +# +# Local policy for upsmon +# + +allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid }; +allow nut_upsmon_t self:fifo_file rw_fifo_file_perms; +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; +allow nut_upsmon_t self:tcp_socket create_socket_perms; + +read_files_pattern(nut_upsmon_t, 
nut_conf_t, nut_conf_t) + +# pid file +manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) +manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) +files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file) + +kernel_read_kernel_sysctls(nut_upsmon_t) +kernel_read_system_state(nut_upsmon_t) + +corecmd_exec_bin(nut_upsmon_t) +corecmd_exec_shell(nut_upsmon_t) + +corenet_tcp_connect_ups_port(nut_upsmon_t) +corenet_tcp_connect_generic_port(nut_upsmon_t) + +# Creates /etc/killpower +files_manage_etc_runtime_files(nut_upsmon_t) +files_etc_filetrans_etc_runtime(nut_upsmon_t, file) +files_search_usr(nut_upsmon_t) + +# /usr/bin/wall +term_write_all_terms(nut_upsmon_t) + +# upsmon runs shutdown, probably need a shutdown domain +init_rw_utmp(nut_upsmon_t) +init_telinit(nut_upsmon_t) + +logging_send_syslog_msg(nut_upsmon_t) + +auth_use_nsswitch(nut_upsmon_t) + +miscfiles_read_localization(nut_upsmon_t) + +mta_send_mail(nut_upsmon_t) + +optional_policy(` + shutdown_domtrans(nut_upsmon_t) +') + +######################################## +# +# Local policy for upsdrvctl +# + +allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid }; +allow nut_upsdrvctl_t self:process { sigchld signal signull }; +allow nut_upsdrvctl_t self:fd use; +allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms; +allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsdrvctl_t self:udp_socket create_socket_perms; + +read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) + +# pid file +manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) +manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) +manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) +files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctls(nut_upsdrvctl_t) + +# /sbin/upsdrvctl executes other drivers +corecmd_exec_bin(nut_upsdrvctl_t) + +dev_read_urand(nut_upsdrvctl_t) 
+dev_rw_generic_usb_dev(nut_upsdrvctl_t)
+
+term_use_unallocated_ttys(nut_upsdrvctl_t)
+
+auth_use_nsswitch(nut_upsdrvctl_t)
+
+init_sigchld(nut_upsdrvctl_t)
+
+logging_send_syslog_msg(nut_upsdrvctl_t)
+
+miscfiles_read_localization(nut_upsdrvctl_t)
+
+#######################################
+#
+# Local policy for upscgi scripts
+# requires httpd_enable_cgi and httpd_can_network_connect
+#
+
+optional_policy(`
+ apache_content_template(nutups_cgi)
+
+ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
+
+ corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
+')
diff --git a/nx.fc b/nx.fc
new file mode 100644
index 0000000..c4d2dca
--- /dev/null
+++ b/nx.fc
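Review bot: `corenet_tcp_bind_generic_port(nut_upsd_t)` and `corenet_tcp_bind_all_nodes(nut_upsd_t)` in the upsd section widen the listener well beyond the UPS port that `corenet_tcp_bind_ups_port(nut_upsd_t)` on the line above already grants, and the upsmon section does the same on the client side with `corenet_tcp_connect_generic_port(nut_upsmon_t)` next to `corenet_tcp_connect_ups_port`. If these exist only to support a non-default port in ups.conf, a comment saying so would help a later auditor; otherwise dropping them keeps upsd confined to its labelled port, and `corenet_tcp_bind_generic_node` would match the convention the ntpd_t rules at the top of this diff use. The CGI block's header comment names `httpd_enable_cgi` and `httpd_can_network_connect` as requirements, but nothing in the block is conditioned on those booleans, so that is an operator note rather than enforced policy and could say so (`# operators must also enable httpd_enable_cgi and httpd_can_network_connect`).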
@@ -0,0 +1,12 @@
+/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
+
+/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
diff --git a/nx.if b/nx.if
new file mode 100644
index 0000000..79a225c
--- /dev/null
+++ b/nx.if
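Review bot: The last entry `/var/lib/nxserver/home/.ssh(/.*)?` leaves the dot unescaped, so it is a regex wildcard rather than the literal `.ssh` that the `/opt/NX/home/nx/\.ssh` and `/usr/NX/home/nx/\.ssh` entries in the same file use. Change it to `/var/lib/nxserver/home/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)` so that only the ssh directory receives the key-holding type and a sibling such as `xssh` is not mislabelled.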
@@ -0,0 +1,85 @@ +## NX remote desktop + +######################################## +## +## Transition to NX server. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`nx_spec_domtrans_server',` + gen_require(` + type nx_server_t, nx_server_exec_t; + ') + + spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) +') + +######################################## +## +## Read nx home directory content +## +## +## +## Domain allowed access. +## +## +# +interface(`nx_read_home_files',` + gen_require(` + type nx_server_home_ssh_t, nx_server_var_lib_t; + ') + + allow $1 nx_server_var_lib_t:dir search_dir_perms; + read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) +') + +######################################## +## +## Read nx /var/lib content +## +## +## +## Domain allowed access. +## +## +# +interface(`nx_search_var_lib',` + gen_require(` + type nx_server_var_lib_t; + ') + + allow $1 nx_server_var_lib_t:dir search_dir_perms; +') + +######################################## +## +## Create an object in the root directory, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +# +interface(`nx_var_lib_filetrans',` + gen_require(` + type nx_server_var_lib_t; + ') + + filetrans_pattern($1, nx_server_var_lib_t, $2, $3) +') diff --git a/nx.te b/nx.te new file mode 100644 index 0000000..58e2972 --- /dev/null +++ b/nx.te 
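Review bot: The summary of `nx_var_lib_filetrans` says the object is created "in the root directory", which reads as copied from another interface; the body calls `filetrans_pattern($1, nx_server_var_lib_t, $2, $3)`, so the object is created inside the NX server's /var/lib directory. Suggest `## Create an object in the NX server /var/lib directory, with a private type using a type transition.` Likewise `nx_read_home_files` only grants read on `nx_server_home_ssh_t` (plus search on the var_lib directory), so a summary such as `## Read the NX server ssh home directory content` would describe it more precisely than "Read nx home directory content".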
@@ -0,0 +1,98 @@ +policy_module(nx, 1.6.0) + +######################################## +# +# Declarations +# + +type nx_server_t; +type nx_server_exec_t; +domain_type(nx_server_t) +domain_entry_file(nx_server_t, nx_server_exec_t) +domain_user_exemption_target(nx_server_t) +# we need an extra role because nxserver is called from sshd +# cjp: do we really need this? +role nx_server_r; +role nx_server_r types nx_server_t; +allow system_r nx_server_r; + +type nx_server_devpts_t; +term_user_pty(nx_server_t, nx_server_devpts_t) + +type nx_server_tmp_t; +files_tmp_file(nx_server_tmp_t) + +type nx_server_var_lib_t; +files_type(nx_server_var_lib_t) + +type nx_server_var_run_t; +files_pid_file(nx_server_var_run_t) + +######################################## +# +# NX server local policy +# + +allow nx_server_t self:fifo_file rw_fifo_file_perms; +allow nx_server_t self:tcp_socket create_socket_perms; +allow nx_server_t self:udp_socket create_socket_perms; + +allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr }; +term_create_pty(nx_server_t, nx_server_devpts_t) + +manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) +manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) +files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir }) + +manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) +manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) +files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) + +manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) +files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) + +kernel_read_system_state(nx_server_t) +kernel_read_kernel_sysctls(nx_server_t) + +# nxserver is a shell script --> call other programs +corecmd_exec_shell(nx_server_t) +corecmd_exec_bin(nx_server_t) + +corenet_all_recvfrom_unlabeled(nx_server_t) +corenet_all_recvfrom_netlabel(nx_server_t) +corenet_tcp_sendrecv_generic_if(nx_server_t) 
+corenet_udp_sendrecv_generic_if(nx_server_t) +corenet_tcp_sendrecv_generic_node(nx_server_t) +corenet_udp_sendrecv_generic_node(nx_server_t) +corenet_tcp_sendrecv_all_ports(nx_server_t) +corenet_udp_sendrecv_all_ports(nx_server_t) +corenet_tcp_connect_all_ports(nx_server_t) +corenet_sendrecv_all_client_packets(nx_server_t) + +dev_read_urand(nx_server_t) + +files_read_etc_files(nx_server_t) +files_read_etc_runtime_files(nx_server_t) +# for reading the config files; maybe a separate type, +# but users need to be able to also read the config +files_read_usr_files(nx_server_t) + +miscfiles_read_localization(nx_server_t) + +seutil_dontaudit_search_config(nx_server_t) + +sysnet_read_config(nx_server_t) + +ifdef(`TODO',` +# clients already have create permissions; the nxclient wants to also have unlink rights +allow userdomain xdm_tmp_t:sock_file unlink; +# for a lockfile created by the client process +allow nx_server_t user_tmpfile:file getattr; +') + +######################################## +# +# SSH component local policy +# + +ssh_basic_client_template(nx_server, nx_server_t, nx_server_r) diff --git a/oav.fc b/oav.fc new file mode 100644 index 0000000..0a66474 --- /dev/null +++ b/oav.fc @@ -0,0 +1,9 @@ +/etc/oav-update(/.*)? gen_context(system_u:object_r:oav_update_etc_t,s0) +/etc/scannerdaemon/scannerdaemon\.conf -- gen_context(system_u:object_r:scannerdaemon_etc_t,s0) + +/usr/sbin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0) +/usr/sbin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0) + +/var/lib/oav-virussignatures -- gen_context(system_u:object_r:oav_update_var_lib_t,s0) +/var/lib/oav-update(/.*)? gen_context(system_u:object_r:oav_update_var_lib_t,s0) +/var/log/scannerdaemon\.log -- gen_context(system_u:object_r:scannerdaemon_log_t,s0) diff --git a/oav.if b/oav.if new file mode 100644 index 0000000..7f0d644 --- /dev/null +++ b/oav.if 
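Review bot: `corenet_tcp_connect_all_ports(nx_server_t)` grants outbound connections to every labelled port without a comment naming the service nxserver needs to reach, whereas the other modules in this commit connect to a specific port (e.g. `corenet_tcp_connect_ups_port` in nut.te). If the target is known, a port-specific interface would be the narrower choice; if not, a comment above the line stating why all ports are required would at least record the decision. The `ifdef(`TODO',...)` block at the end references `userdomain`, `xdm_tmp_t` and `user_tmpfile` with no `gen_require`, so it would not build if the guard were ever enabled; it would be clearer as a plain comment or dropped.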
@@ -0,0 +1,46 @@ +## Open AntiVirus scannerdaemon and signature update + +######################################## +## +## Execute oav_update in the oav_update domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`oav_domtrans_update',` + gen_require(` + type oav_update_t, oav_update_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, oav_update_exec_t, oav_update_t) +') + +######################################## +## +## Execute oav_update in the oav_update domain, and +## allow the specified role the oav_update domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`oav_run_update',` + gen_require(` + type oav_update_t; + ') + + oav_domtrans_update($1) + role $2 types oav_update_t; +') diff --git a/oav.te b/oav.te new file mode 100644 index 0000000..b4c5f86 --- /dev/null +++ b/oav.te 
@@ -0,0 +1,146 @@ +policy_module(oav, 1.9.0) + +######################################## +# +# Declarations +# + +type oav_update_t; +type oav_update_exec_t; +application_domain(oav_update_t, oav_update_exec_t) + +# cjp: may be collapsable to etc_t +type oav_update_etc_t; +files_config_file(oav_update_etc_t) + +type oav_update_var_lib_t; +files_type(oav_update_var_lib_t) + +type scannerdaemon_t; +type scannerdaemon_exec_t; +init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t) + +type scannerdaemon_etc_t; +files_config_file(scannerdaemon_etc_t) + +type scannerdaemon_log_t; +logging_log_file(scannerdaemon_log_t) + +type scannerdaemon_var_run_t; +files_pid_file(scannerdaemon_var_run_t) + +######################################## +# +# OAV update local policy +# + +allow oav_update_t self:tcp_socket create_stream_socket_perms; +allow oav_update_t self:udp_socket create_socket_perms; + +# Can read /etc/oav-update/* files +allow oav_update_t oav_update_etc_t:dir list_dir_perms; +allow oav_update_t oav_update_etc_t:file read_file_perms; + +# Can read /var/lib/oav-update/current +manage_dirs_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) +manage_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) +read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) + +corecmd_exec_all_executables(oav_update_t) + +corenet_all_recvfrom_unlabeled(oav_update_t) +corenet_all_recvfrom_netlabel(oav_update_t) +corenet_tcp_sendrecv_generic_if(oav_update_t) +corenet_udp_sendrecv_generic_if(oav_update_t) +corenet_tcp_sendrecv_generic_node(oav_update_t) +corenet_udp_sendrecv_generic_node(oav_update_t) +corenet_tcp_sendrecv_all_ports(oav_update_t) +corenet_udp_sendrecv_all_ports(oav_update_t) + +files_exec_etc_files(oav_update_t) + +libs_exec_ld_so(oav_update_t) +libs_exec_lib_files(oav_update_t) + +logging_send_syslog_msg(oav_update_t) + +sysnet_read_config(oav_update_t) + +userdom_use_user_terminals(oav_update_t) + 
+optional_policy(` + cron_system_entry(oav_update_t, oav_update_exec_t) +') + +######################################## +# +# Scannerdaemon local policy +# + +dontaudit scannerdaemon_t self:capability sys_tty_config; +allow scannerdaemon_t self:process signal_perms; +allow scannerdaemon_t self:fifo_file rw_fifo_file_perms; +allow scannerdaemon_t self:tcp_socket create_stream_socket_perms; +allow scannerdaemon_t self:udp_socket create_socket_perms; + +allow scannerdaemon_t oav_update_var_lib_t:dir list_dir_perms; +allow scannerdaemon_t oav_update_var_lib_t:file read_file_perms; +files_search_var_lib(scannerdaemon_t) + +allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms; + +allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms; +logging_log_filetrans(scannerdaemon_t, scannerdaemon_log_t, file) + +manage_files_pattern(scannerdaemon_t, scannerdaemon_var_run_t, scannerdaemon_var_run_t) +files_pid_filetrans(scannerdaemon_t, scannerdaemon_var_run_t, file) + +kernel_read_system_state(scannerdaemon_t) +kernel_read_kernel_sysctls(scannerdaemon_t) + +# Can run kaffe +corecmd_exec_all_executables(scannerdaemon_t) + +corenet_all_recvfrom_unlabeled(scannerdaemon_t) +corenet_all_recvfrom_netlabel(scannerdaemon_t) +corenet_tcp_sendrecv_generic_if(scannerdaemon_t) +corenet_udp_sendrecv_generic_if(scannerdaemon_t) +corenet_tcp_sendrecv_generic_node(scannerdaemon_t) +corenet_udp_sendrecv_generic_node(scannerdaemon_t) +corenet_tcp_sendrecv_all_ports(scannerdaemon_t) +corenet_udp_sendrecv_all_ports(scannerdaemon_t) + +dev_read_sysfs(scannerdaemon_t) + +domain_use_interactive_fds(scannerdaemon_t) + +files_read_etc_files(scannerdaemon_t) +files_read_etc_runtime_files(scannerdaemon_t) +# Can run kaffe +files_exec_etc_files(scannerdaemon_t) + +fs_getattr_all_fs(scannerdaemon_t) +fs_search_auto_mountpoints(scannerdaemon_t) + +auth_dontaudit_read_shadow(scannerdaemon_t) + +# Can run kaffe +libs_exec_ld_so(scannerdaemon_t) +libs_exec_lib_files(scannerdaemon_t) + 
+logging_send_syslog_msg(scannerdaemon_t)
+
+miscfiles_read_localization(scannerdaemon_t)
+
+sysnet_read_config(scannerdaemon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
+userdom_dontaudit_search_user_home_dirs(scannerdaemon_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(scannerdaemon_t)
+')
+
+optional_policy(`
+ udev_read_db(scannerdaemon_t)
+')
diff --git a/oddjob.fc b/oddjob.fc
new file mode 100644
index 0000000..bdf8c89
--- /dev/null
+++ b/oddjob.fc
@@ -0,0 +1,5 @@
+/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+
+/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
diff --git a/oddjob.if b/oddjob.if
new file mode 100644
index 0000000..bd76ec2
--- /dev/null
+++ b/oddjob.if
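Review bot: The comment `# Can read /var/lib/oav-update/current` in the OAV update section sits above `manage_dirs_pattern` and `manage_files_pattern`, which grant create, write, rename and delete as well as read, so the comment understates what the rules allow. Either reword it, e.g. `# Manages the signature store under /var/lib/oav-update`, or narrow the rules to `read_files_pattern` if the updater really only reads there. `corecmd_exec_all_executables`, `files_exec_etc_files` and `libs_exec_lib_files` are granted to both domains (under `# Can run kaffe` for scannerdaemon_t, with no comment for oav_update_t); if the interpreter lives in a bin directory, `corecmd_exec_bin` would be the narrower rule, and the update domain deserves a comment of its own explaining the broad exec grants.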
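Review bot: `/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)` has no file-type field, while the other entries in this file and in the sibling .fc files mark regular files with `--`. Without the field the pattern also matches a directory or socket of that name, which is harmless here but inconsistent; suggest `/var/run/oddjobd\.pid -- gen_context(system_u:object_r:oddjob_var_run_t,s0)`.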
@@ -0,0 +1,111 @@ +## +## Oddjob provides a mechanism by which unprivileged applications can +## request that specified privileged operations be performed on their +## behalf. +## + +######################################## +## +## Execute a domain transition to run oddjob. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`oddjob_domtrans',` + gen_require(` + type oddjob_t, oddjob_exec_t; + ') + + domtrans_pattern($1, oddjob_exec_t, oddjob_t) +') + +######################################## +## +## Make the specified program domain accessable +## from the oddjob. +## +## +## +## The type of the process to transition to. +## +## +## +## +## The type of the file used as an entrypoint to this domain. +## +## +# +interface(`oddjob_system_entry',` + gen_require(` + type oddjob_t; + ') + + domtrans_pattern(oddjob_t, $2, $1) +') + +######################################## +## +## Send and receive messages from +## oddjob over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`oddjob_dbus_chat',` + gen_require(` + type oddjob_t; + class dbus send_msg; + ') + + allow $1 oddjob_t:dbus send_msg; + allow oddjob_t $1:dbus send_msg; +') + +######################################## +## +## Execute a domain transition to run oddjob_mkhomedir. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`oddjob_domtrans_mkhomedir',` + gen_require(` + type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t; + ') + + domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) +') + +######################################## +## +## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`oddjob_run_mkhomedir',` + gen_require(` + type oddjob_mkhomedir_t; + ') + + oddjob_domtrans_mkhomedir($1) + role $2 types oddjob_mkhomedir_t; +') diff --git a/oddjob.te b/oddjob.te new file mode 100644 index 0000000..cadfc63 --- /dev/null 
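Review bot: `oddjob_domtrans` and `oddjob_domtrans_mkhomedir` call `domtrans_pattern` without the `corecmd_search_bin($1)` that the other domtrans interfaces in this commit (`openct_domtrans`, `oav_domtrans_update`) include, so a caller that does not already have search access to the bin directories will be denied before the transition. Adding `corecmd_search_bin($1)` above each `domtrans_pattern` line keeps them consistent with the rest of the module set. Separately, "accessable" in the `oddjob_system_entry` summary should read "accessible".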
+++ b/oddjob.te 
@@ -0,0 +1,106 @@ +policy_module(oddjob, 1.7.0) + +######################################## +# +# Declarations +# + +type oddjob_t; +type oddjob_exec_t; +domain_type(oddjob_t) +init_daemon_domain(oddjob_t, oddjob_exec_t) +domain_obj_id_change_exemption(oddjob_t) +domain_role_change_exemption(oddjob_t) +domain_subj_id_change_exemption(oddjob_t) + +type oddjob_mkhomedir_t; +type oddjob_mkhomedir_exec_t; +domain_type(oddjob_mkhomedir_t) +domain_obj_id_change_exemption(oddjob_mkhomedir_t) +init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) +oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) + +# pid files +type oddjob_var_run_t; +files_pid_file(oddjob_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh) +') + +######################################## +# +# oddjob local policy +# + +allow oddjob_t self:capability setgid; +allow oddjob_t self:process { setexec signal }; +allow oddjob_t self:fifo_file rw_fifo_file_perms; +allow oddjob_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) +manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) +files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file }) + +kernel_read_system_state(oddjob_t) + +corecmd_exec_bin(oddjob_t) +corecmd_exec_shell(oddjob_t) + +mcs_process_set_categories(oddjob_t) + +selinux_compute_create_context(oddjob_t) + +files_read_etc_files(oddjob_t) + +miscfiles_read_localization(oddjob_t) + +locallogin_dontaudit_use_fds(oddjob_t) + +optional_policy(` + dbus_system_bus_client(oddjob_t) + dbus_connect_system_bus(oddjob_t) +') + +optional_policy(` + unconfined_domtrans(oddjob_t) +') + +######################################## +# +# oddjob_mkhomedir local policy +# + +allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; +allow oddjob_mkhomedir_t self:process setfscreate; +allow oddjob_mkhomedir_t 
self:fifo_file rw_fifo_file_perms;
+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(oddjob_mkhomedir_t)
+
+files_read_etc_files(oddjob_mkhomedir_t)
+
+auth_use_nsswitch(oddjob_mkhomedir_t)
+
+logging_send_syslog_msg(oddjob_mkhomedir_t)
+
+miscfiles_read_localization(oddjob_mkhomedir_t)
+
+selinux_get_fs_mount(oddjob_mkhomedir_t)
+selinux_validate_context(oddjob_mkhomedir_t)
+selinux_compute_access_vector(oddjob_mkhomedir_t)
+selinux_compute_create_context(oddjob_mkhomedir_t)
+selinux_compute_relabel_context(oddjob_mkhomedir_t)
+selinux_compute_user_contexts(oddjob_mkhomedir_t)
+
+seutil_read_config(oddjob_mkhomedir_t)
+seutil_read_file_contexts(oddjob_mkhomedir_t)
+seutil_read_default_contexts(oddjob_mkhomedir_t)
+
+# Add/remove user home directories
+userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
+userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
+userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+
diff --git a/oident.fc b/oident.fc
new file mode 100644
index 0000000..5840ea8
--- /dev/null
+++ b/oident.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:oidentd_home_t, s0)
+
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+
+/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t, s0)
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
diff --git a/oident.if b/oident.if
new file mode 100644
index 0000000..bb4fae5
--- /dev/null
+++ b/oident.if
@@ -0,0 +1,68 @@
+## SELinux policy for Oident daemon.
+##
+##
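Review bot: The three `domain_*_change_exemption(oddjob_t)` calls in the declarations, the `setexec` permission in `allow oddjob_t self:process { setexec signal };` and the `unconfined_domtrans(oddjob_t)` block are the security-relevant core of this module, yet none carries a comment; presumably oddjobd must run its helpers in the requesting user's context, but a reader cannot confirm that from the file. A comment above the exemptions such as `# oddjobd runs helpers in the context of the requesting user, so it must be allowed to change user, role and object identity` would record the intent, and the unconfined block deserves a similar line since it lets the daemon hand a job to an unconfined domain. The mkhomedir section's `chown fowner fsetid dac_override` plus `userdom_manage_user_home_dirs` matches its stated purpose; the `# Add/remove user home directories` comment there is the style the earlier section should follow.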
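Review bot: `HOME_DIR/\.oidentd.conf` escapes the first dot but not the second, so the pattern also matches `oidentdXconf`; the `/etc/oidentd\.conf` entry below escapes both. Suggest `HOME_DIR/\.oidentd\.conf gen_context(system_u:object_r:oidentd_home_t,s0)`. The `gen_context(..., s0)` calls in this file also carry a space after the comma, unlike every other .fc file in the commit; m4 tolerates it, but normalising it keeps the files greppable in one form.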

+## Oident daemon is a server that implements the TCP/IP
+## standard IDENT user identification protocol as
+## specified in the RFC 1413 document.
+##

+##
+ +######################################## +## +## Allow the specified domain to read +## Oidentd personal configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`oident_read_user_content', ` + gen_require(` + type oidentd_home_t; + ') + + allow $1 oidentd_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## +## Allow the specified domain to create, read, write, and delete +## Oidentd personal configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`oident_manage_user_content', ` + gen_require(` + type oidentd_home_t; + ') + + allow $1 oidentd_home_t:file manage_file_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## +## Allow the specified domain to relabel +## Oidentd personal configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`oident_relabel_user_content', ` + gen_require(` + type oidentd_home_t; + ') + + allow $1 oidentd_home_t:file relabel_file_perms; + userdom_search_user_home_dirs($1) +') diff --git a/oident.te b/oident.te new file mode 100644 index 0000000..8845174 --- /dev/null +++ b/oident.te 
@@ -0,0 +1,75 @@ +policy_module(oident, 2.2.0) + +######################################## +# +# Oident daemon private declarations +# + +type oidentd_t; +type oidentd_exec_t; +init_daemon_domain(oidentd_t, oidentd_exec_t) + +type oidentd_home_t; +typealias oidentd_home_t alias { oidentd_user_content_t oidentd_staff_content_t oidentd_sysadm_content_t }; +typealias oidentd_home_t alias { oidentd_secadm_content_t oidentd_auditadm_content_t }; +userdom_user_home_content(oidentd_home_t) + +type oidentd_initrc_exec_t; +init_script_file(oidentd_initrc_exec_t) + +type oidentd_config_t; +files_config_file(oidentd_config_t) + +######################################## +# +# Oident daemon private policy +# + +allow oidentd_t self:capability { setuid setgid }; +allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read }; +allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen }; +allow oidentd_t self:udp_socket { write read create connect getattr ioctl }; +allow oidentd_t self:unix_dgram_socket { create connect }; + +allow oidentd_t oidentd_config_t:file read_file_perms; + +corenet_all_recvfrom_unlabeled(oidentd_t) +corenet_all_recvfrom_netlabel(oidentd_t) +corenet_tcp_sendrecv_generic_if(oidentd_t) +corenet_tcp_sendrecv_generic_node(oidentd_t) +corenet_tcp_bind_generic_node(oidentd_t) +corenet_tcp_bind_auth_port(oidentd_t) +corenet_sendrecv_auth_server_packets(oidentd_t) + +files_read_etc_files(oidentd_t) + +kernel_read_kernel_sysctls(oidentd_t) +kernel_read_network_state(oidentd_t) +kernel_read_network_state_symlinks(oidentd_t) +kernel_read_sysctl(oidentd_t) +# oidentd requests the tcp_diag kernel module, otherwise +# it will be stuck using the slow /proc/net/tcp interface +kernel_request_load_module(oidentd_t) + +logging_send_syslog_msg(oidentd_t) + +miscfiles_read_localization(oidentd_t) + +sysnet_read_config(oidentd_t) + 
+oident_read_user_content(oidentd_t)
+
+optional_policy(`
+ nis_use_ypbind(oidentd_t)
+')
+
+tunable_policy(`use_samba_home_dirs', `
+ fs_list_cifs(oidentd_t)
+ fs_read_cifs_files(oidentd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs', `
+ fs_list_nfs(oidentd_t)
+ fs_read_nfs_files(oidentd_t)
+')
diff --git a/openca.fc b/openca.fc
new file mode 100644
index 0000000..72a2db6
--- /dev/null
+++ b/openca.fc
@@ -0,0 +1,9 @@
+/etc/openca(/.*)? gen_context(system_u:object_r:openca_etc_t,s0)
+/etc/openca/.*\.in(/.*)? gen_context(system_u:object_r:openca_etc_in_t,s0)
+/etc/openca/rbac(/.*)? gen_context(system_u:object_r:openca_etc_writeable_t,s0)
+
+/usr/share/openca(/.*)? gen_context(system_u:object_r:openca_usr_share_t,s0)
+/usr/share/openca/cgi-bin/ca/.+ -- gen_context(system_u:object_r:openca_ca_exec_t,s0)
+
+/var/lib/openca(/.*)? gen_context(system_u:object_r:openca_var_lib_t,s0)
+/var/lib/openca/crypto/keys(/.*)? gen_context(system_u:object_r:openca_var_lib_keys_t,s0)
diff --git a/openca.if b/openca.if
new file mode 100644
index 0000000..a8c1eef
--- /dev/null
+++ b/openca.if
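Review bot: The socket rules in the private policy section spell out permission lists by hand (`allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };`, and likewise for the udp, netlink and unix_dgram sockets), while every other module in this commit uses the refpolicy macros such as `create_stream_socket_perms` and `create_socket_perms`. The hand-written sets are harder to audit against the rest of the policy and differ from the macros in small ways (the macros also carry `getopt` and `shutdown`), so prefer the macros unless the narrower set is deliberate — and if it is, a comment saying so would stop the next reviewer from "fixing" it. `kernel_request_load_module(oidentd_t)` already has a good why-comment; the netlink_tcpdiag rule that it supports could reference it (`# tcp_diag socket, see module request below`).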
@@ -0,0 +1,76 @@ +## OpenCA - Open Certificate Authority + +######################################## +## +## Execute the OpenCA program with +## a domain transition. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`openca_domtrans',` + gen_require(` + type openca_ca_t, openca_ca_exec_t, openca_usr_share_t; + ') + + domtrans_pattern($1, openca_ca_exec_t, openca_ca_t) + allow $1 openca_usr_share_t:dir search_dir_perms; + files_search_usr($1) +') + +######################################## +## +## Send OpenCA generic signals. +## +## +## +## Domain allowed access. +## +## +# +interface(`openca_signal',` + gen_require(` + type openca_ca_t; + ') + + allow $1 openca_ca_t:process signal; +') + +######################################## +## +## Send OpenCA stop signals. +## +## +## +## Domain allowed access. +## +## +# +interface(`openca_sigstop',` + gen_require(` + type openca_ca_t; + ') + + allow $1 openca_ca_t:process sigstop; +') + +######################################## +## +## Kill OpenCA. +## +## +## +## Domain allowed access. +## +## +# +interface(`openca_kill',` + gen_require(` + type openca_ca_t; + ') + + allow $1 openca_ca_t:process sigkill; +') diff --git a/openca.te b/openca.te new file mode 100644 index 0000000..2df8170 --- /dev/null +++ b/openca.te 
@@ -0,0 +1,82 @@ +policy_module(openca, 1.2.0) + +######################################## +# +# Declarations +# + +type openca_ca_t; +type openca_ca_exec_t; +domain_type(openca_ca_t) +domain_entry_file(openca_ca_t, openca_ca_exec_t) +role system_r types openca_ca_t; + +# cjp: seems like some of these types +# can be removed and replaced with generic +# etc or usr files. + +# /etc/openca standard files +type openca_etc_t; +files_config_file(openca_etc_t) + +# /etc/openca template files +type openca_etc_in_t; +files_type(openca_etc_in_t) + +# /etc/openca writeable (from CGI script) files +type openca_etc_writeable_t; +files_type(openca_etc_writeable_t) + +# /usr/share/openca/crypto/keys +type openca_usr_share_t; +files_type(openca_usr_share_t) + +# /var/lib/openca +type openca_var_lib_t; +files_type(openca_var_lib_t) + +# /var/lib/openca/crypto/keys +type openca_var_lib_keys_t; +files_type(openca_var_lib_keys_t) + +######################################## +# +# Local policy +# + +# Allow access to other files under /etc/openca +allow openca_ca_t openca_etc_t:file read_file_perms; +allow openca_ca_t openca_etc_t:dir list_dir_perms; + +# Allow access to writeable files under /etc/openca +manage_dirs_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t) +manage_files_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t) + +# Allow access to other /var/lib/openca files +manage_dirs_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t) +manage_files_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t) + +# Allow access to private CA key +manage_dirs_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t) +manage_files_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t) + +# Allow access to other /usr/share/openca files +read_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t) +read_lnk_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t) +allow openca_ca_t openca_usr_share_t:dir 
list_dir_perms;
+
+# the perl executable will be able to run a perl script
+corecmd_exec_bin(openca_ca_t)
+
+dev_read_rand(openca_ca_t)
+
+files_list_default(openca_ca_t)
+
+init_use_fds(openca_ca_t)
+init_use_script_fds(openca_ca_t)
+
+libs_exec_lib_files(openca_ca_t)
+
+apache_append_log(openca_ca_t)
+# Allow the script to return its output
+apache_rw_cache_files(openca_ca_t)
diff --git a/openct.fc b/openct.fc
new file mode 100644
index 0000000..58c8816
--- /dev/null
+++ b/openct.fc
@@ -0,0 +1,10 @@
+#
+# /usr
+#
+/usr/sbin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0)
+/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
+
+#
+# /var
+#
+/var/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0)
diff --git a/openct.if b/openct.if
new file mode 100644
index 0000000..9d0a67b
--- /dev/null
+++ b/openct.if
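Review bot: The comment `# /usr/share/openca/crypto/keys` above `type openca_usr_share_t` does not match openca.fc, where `/usr/share/openca(/.*)?` is labelled `openca_usr_share_t` and the keys live under `/var/lib/openca/crypto/keys` as `openca_var_lib_keys_t`; it should read `# /usr/share/openca`. `apache_append_log(openca_ca_t)` and `apache_rw_cache_files(openca_ca_t)` are called unconditionally, so the module fails to build when the apache module is not loaded — nut.te wraps its apache dependency in `optional_policy(`...')`, and the same should be done here. The `manage_dirs_pattern`/`manage_files_pattern` rules on `openca_var_lib_keys_t` give the CGI domain full write access to the private CA key material; if the scripts only read the keys at runtime, `read_files_pattern` would limit what a compromised script can do to them, and either way the `# Allow access to private CA key` comment should state whether write access is required.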
@@ -0,0 +1,95 @@ +## Service for handling smart card readers. + +######################################## +## +## Send openct a null signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`openct_signull',` + gen_require(` + type openct_t; + ') + + allow $1 openct_t:process signull; +') + +######################################## +## +## Execute openct in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`openct_exec',` + gen_require(` + type openct_t, openct_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, openct_exec_t) +') + +######################################## +## +## Execute a domain transition to run openct. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`openct_domtrans',` + gen_require(` + type openct_t, openct_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, openct_exec_t, openct_t) +') + +######################################## +## +## Read openct PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`openct_read_pid_files',` + gen_require(` + type openct_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, openct_var_run_t, openct_var_run_t) +') + +######################################## +## +## Connect to openct over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`openct_stream_connect',` + gen_require(` + type openct_t, openct_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, openct_var_run_t, openct_var_run_t, openct_t) +') diff --git a/openct.te b/openct.te new file mode 100644 index 0000000..7f8fdc2 --- /dev/null +++ b/openct.te 
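Review bot: `openct_exec` lists `type openct_t, openct_exec_t;` in its `gen_require` but its body only references `openct_exec_t`, so the unused requirement makes the interface depend on the domain type for no reason. Reduce it to `type openct_exec_t;`; the other interfaces in this file require exactly the types they use.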
@@ -0,0 +1,61 @@
+policy_module(openct, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type openct_t;
+type openct_exec_t;
+init_daemon_domain(openct_t, openct_exec_t)
+
+type openct_var_run_t;
+files_pid_file(openct_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit openct_t self:capability sys_tty_config;
+allow openct_t self:process signal_perms;
+
+manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(openct_t)
+kernel_list_proc(openct_t)
+kernel_read_proc_symlinks(openct_t)
+
+dev_read_sysfs(openct_t)
+# openct asks for this
+dev_rw_usbfs(openct_t)
+dev_rw_smartcard(openct_t)
+dev_rw_generic_usb_dev(openct_t)
+
+domain_use_interactive_fds(openct_t)
+
+# openct asks for this
+files_read_etc_files(openct_t)
+
+fs_getattr_all_fs(openct_t)
+fs_search_auto_mountpoints(openct_t)
+
+logging_send_syslog_msg(openct_t)
+
+miscfiles_read_localization(openct_t)
+
+userdom_dontaudit_use_unpriv_user_fds(openct_t)
+userdom_dontaudit_search_user_home_dirs(openct_t)
+
+openct_exec(openct_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(openct_t)
+')
+
+optional_policy(`
+ udev_read_db(openct_t)
+')
diff --git a/openvpn.fc b/openvpn.fc
new file mode 100644
index 0000000..9c186d2
--- /dev/null
+++ b/openvpn.fc
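Review bot: `dev_rw_generic_usb_dev(openct_t)` and `dev_rw_usbfs(openct_t)` hand the reader daemon read/write on every generic USB device node and the whole usbfs tree, well beyond the smart-card nodes covered by `dev_rw_smartcard`, and only the usbfs line carries the terse "openct asks for this" comment. A compromised reader driver therefore reaches any attached USB device; I would replace the comment with one that records the actual reason, e.g. `# readers are driven through raw USB access (presumably libusb), so generic USB nodes are required`, and check whether `dev_rw_smartcard` alone suffices for the supported readers. `openct_exec(openct_t)` lets the domain re-execute its own entrypoints without transition (openct-control starting ifdhandler, I assume) — a one-line comment saying so would save the next reviewer the guess.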
@@ -0,0 +1,17 @@
+#
+# /etc
+#
+/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
+/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
+
+#
+# /var
+#
+/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
+/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
diff --git a/openvpn.if b/openvpn.if
new file mode 100644
index 0000000..d883214
--- /dev/null
+++ b/openvpn.if
@@ -0,0 +1,163 @@
+## full-featured SSL VPN solution
+
+########################################
+##
+## Execute OPENVPN clients in the openvpn domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openvpn_domtrans',`
+ gen_require(`
+ type openvpn_t, openvpn_exec_t;
+ ')
+
+ domtrans_pattern($1, openvpn_exec_t, openvpn_t)
+')
+
+########################################
+##
+## Execute OPENVPN clients in the openvpn domain, and
+## allow the specified role the openvpn domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`openvpn_run',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ openvpn_domtrans($1)
+ role $2 types openvpn_t;
+')
+
+########################################
+##
+## Send OPENVPN clients the kill signal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvpn_kill',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process sigkill;
+')
+
+########################################
+##
+## Send generic signals to OPENVPN clients.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvpn_signal',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process signal;
+')
+
+########################################
+##
+## Send signulls to OPENVPN clients.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvpn_signull',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process signull;
+')
+
+########################################
+##
+## Allow the specified domain to read
+## OpenVPN configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`openvpn_read_config',`
+ gen_require(`
+ type openvpn_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 openvpn_etc_t:dir list_dir_perms;
+ read_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
+ read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an openvpn environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the openvpn domain.
+##
+##
+##
+#
+interface(`openvpn_admin',`
+ gen_require(`
+ type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
+ type openvpn_var_run_t, openvpn_initrc_exec_t;
+ ')
+
+ allow $1 openvpn_t:process { ptrace signal_perms };
+ ps_process_pattern($1, openvpn_t)
+
+ init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 openvpn_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, openvpn_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, openvpn_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, openvpn_var_run_t)
+')
diff --git a/openvpn.te b/openvpn.te
new file mode 100644
index 0000000..8b550f4
--- /dev/null
+++ b/openvpn.te
@@ -0,0 +1,140 @@
+policy_module(openvpn, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
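Review bot: `openvpn_admin` grants `allow $1 openvpn_t:process { ptrace signal_perms };` on a domain that, per openvpn.te, holds net_admin, setuid, setgid and sys_chroot and reads the private keys labelled openvpn_etc_t, so ptrace here is key disclosure plus arbitrary code execution as the daemon for whichever role gets the interface; unless the admin tooling really attaches a debugger, drop ptrace or comment why it is needed. `openvpn_read_config` describes itself as reading "configuration files", but openvpn_etc_t labels all of /etc/openvpn including keys and certificates, so the summary should say `## Read OpenVPN configuration, including the key material under /etc/openvpn.` so callers understand what they are granting. `openvpn_domtrans` is also the only domtrans interface in this series without `corecmd_search_bin($1)`, which a caller needs to reach /usr/sbin/openvpn.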

+## Allow openvpn to read home directories
+##

+##
+gen_tunable(openvpn_enable_homedirs, false)
+
+# main openvpn domain
+type openvpn_t;
+type openvpn_exec_t;
+init_daemon_domain(openvpn_t, openvpn_exec_t)
+
+# configuration files
+type openvpn_etc_t;
+files_config_file(openvpn_etc_t)
+
+type openvpn_etc_rw_t;
+files_config_file(openvpn_etc_rw_t)
+
+type openvpn_initrc_exec_t;
+init_script_file(openvpn_initrc_exec_t)
+
+# log files
+type openvpn_var_log_t;
+logging_log_file(openvpn_var_log_t)
+
+# pid files
+type openvpn_var_run_t;
+files_pid_file(openvpn_var_run_t)
+
+########################################
+#
+# openvpn local policy
+#
+
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
+allow openvpn_t self:process { signal getsched };
+allow openvpn_t self:fifo_file rw_fifo_file_perms;
+
+allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
+allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvpn_t self:udp_socket create_socket_perms;
+allow openvpn_t self:tcp_socket server_stream_socket_perms;
+allow openvpn_t self:tun_socket create;
+allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
+
+can_exec(openvpn_t, openvpn_etc_t)
+read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+
+manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
+filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+
+allow openvpn_t openvpn_var_log_t:file manage_file_perms;
+logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
+
+manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(openvpn_t)
+kernel_read_net_sysctls(openvpn_t)
+kernel_read_network_state(openvpn_t)
+kernel_read_system_state(openvpn_t)
+
+corecmd_exec_bin(openvpn_t)
+corecmd_exec_shell(openvpn_t)
+
+corenet_all_recvfrom_unlabeled(openvpn_t)
+corenet_all_recvfrom_netlabel(openvpn_t)
+corenet_tcp_sendrecv_generic_if(openvpn_t)
+corenet_udp_sendrecv_generic_if(openvpn_t)
+corenet_tcp_sendrecv_generic_node(openvpn_t)
+corenet_udp_sendrecv_generic_node(openvpn_t)
+corenet_tcp_sendrecv_all_ports(openvpn_t)
+corenet_udp_sendrecv_all_ports(openvpn_t)
+corenet_tcp_bind_generic_node(openvpn_t)
+corenet_udp_bind_generic_node(openvpn_t)
+corenet_tcp_bind_openvpn_port(openvpn_t)
+corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_tcp_bind_http_port(openvpn_t)
+corenet_tcp_connect_openvpn_port(openvpn_t)
+corenet_tcp_connect_http_port(openvpn_t)
+corenet_tcp_connect_http_cache_port(openvpn_t)
+corenet_rw_tun_tap_dev(openvpn_t)
+corenet_sendrecv_openvpn_server_packets(openvpn_t)
+corenet_sendrecv_openvpn_client_packets(openvpn_t)
+corenet_sendrecv_http_client_packets(openvpn_t)
+
+dev_search_sysfs(openvpn_t)
+dev_read_rand(openvpn_t)
+dev_read_urand(openvpn_t)
+
+files_read_etc_files(openvpn_t)
+files_read_etc_runtime_files(openvpn_t)
+
+auth_use_pam(openvpn_t)
+
+logging_send_syslog_msg(openvpn_t)
+
+miscfiles_read_localization(openvpn_t)
+miscfiles_read_all_certs(openvpn_t)
+
+sysnet_dns_name_resolve(openvpn_t)
+sysnet_exec_ifconfig(openvpn_t)
+sysnet_manage_config(openvpn_t)
+sysnet_etc_filetrans_config(openvpn_t)
+
+userdom_use_user_terminals(openvpn_t)
+
+tunable_policy(`openvpn_enable_homedirs',`
+ userdom_read_user_home_content_files(openvpn_t)
+')
+
+tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(openvpn_t)
+ fs_read_nfs_symlinks(openvpn_t)
+')
+
+tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(openvpn_t)
+ fs_read_cifs_symlinks(openvpn_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(openvpn_t, openvpn_exec_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(openvpn_t)
+ dbus_connect_system_bus(openvpn_t)
+
+ networkmanager_dbus_chat(openvpn_t)
+')
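Review bot: `can_exec(openvpn_t, openvpn_etc_t)` combined with `corecmd_exec_shell(openvpn_t)` and `corecmd_exec_bin(openvpn_t)` means any script referenced from /etc/openvpn runs inside openvpn_t with its net_admin/setuid/setgid/sys_chroot capabilities and its write access to the sysnet configuration (`sysnet_manage_config`, `sysnet_etc_filetrans_config`, i.e. resolv.conf and friends), so write access to openvpn_etc_t is effectively code execution with the daemon's full privilege; none of these lines carry a comment. I would add `# up/down/client-connect scripts execute in the daemon domain; openvpn_etc_t must stay admin-writable only` above the can_exec line. The `openvpn_enable_homedirs` tunable text should also state that enabling it lets the daemon read every user's home content (`userdom_read_user_home_content_files`), not just the invoking user's keys.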
diff --git a/pads.fc b/pads.fc
new file mode 100644
index 0000000..0870c56
--- /dev/null
+++ b/pads.fc
@@ -0,0 +1,10 @@
+/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0)
+
+/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0)
+
+/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0)
+
+/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
diff --git a/pads.if b/pads.if
new file mode 100644
index 0000000..8ac407e
--- /dev/null
+++ b/pads.if
@@ -0,0 +1,44 @@
+## Passive Asset Detection System
+##
+##
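Review bot: Every pads context is written `gen_context(system_u:object_r:pads_config_t, s0)` with a space before the level, while the rest of this series uses `,s0`; m4 strips the whitespace so it builds, but it breaks grep-based audits of the file contexts and should be normalised. `/var/run/pads.pid` also leaves the dot unescaped, unlike `/var/run/cardmgr\.pid` and `/var/run/pcscd\.pid` in the same set, so it should read `/var/run/pads\.pid -- gen_context(system_u:object_r:pads_var_run_t,s0)`.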

+## PADS is a libpcap based detection engine used to
+## passively detect network assets. It is designed to
+## complement IDS technology by providing context to IDS
+## alerts.
+##

+##
+
+########################################
+##
+## All of the rules required to administrate
+## an pads environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`pads_admin', `
+ gen_require(`
+ type pads_t, pads_config_t;
+ type pads_var_run_t, pads_initrc_exec_t;
+ ')
+
+ allow $1 pads_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pads_t)
+
+ init_labeled_script_domtrans($1, pads_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pads_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, pads_var_run_t)
+ admin_pattern($1, pads_config_t)
+')
diff --git a/pads.te b/pads.te
new file mode 100644
index 0000000..b246bdd
--- /dev/null
+++ b/pads.te
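Review bot: `pads_admin` calls `admin_pattern($1, pads_var_run_t)` and `admin_pattern($1, pads_config_t)` without first granting search on the parent directories, unlike `openvpn_admin` in this series which pairs them with `files_list_etc($1)` and `files_list_pids($1)`; an admin role that does not already hold those permissions cannot reach the labelled files. It also hands the role `ptrace` over pads_t, a domain with net_raw and a packet socket that parses untrusted traffic — drop it or justify it in a comment. Minor: "an pads environment" should be "a pads environment".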
@@ -0,0 +1,63 @@
+policy_module(pads, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pads_t;
+type pads_exec_t;
+init_daemon_domain(pads_t, pads_exec_t)
+role system_r types pads_t;
+
+type pads_initrc_exec_t;
+init_script_file(pads_initrc_exec_t)
+
+type pads_config_t;
+files_config_file(pads_config_t)
+
+type pads_var_run_t;
+files_pid_file(pads_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow pads_t self:capability { dac_override net_raw };
+allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
+allow pads_t self:udp_socket { create ioctl };
+allow pads_t self:unix_dgram_socket { write create connect };
+
+allow pads_t pads_config_t:file manage_file_perms;
+files_etc_filetrans(pads_t, pads_config_t, file)
+
+allow pads_t pads_var_run_t:file manage_file_perms;
+files_pid_filetrans(pads_t, pads_var_run_t, file)
+
+kernel_read_sysctl(pads_t)
+
+corecmd_search_bin(pads_t)
+
+corenet_all_recvfrom_unlabeled(pads_t)
+corenet_all_recvfrom_netlabel(pads_t)
+corenet_tcp_sendrecv_generic_if(pads_t)
+corenet_tcp_sendrecv_generic_node(pads_t)
+corenet_tcp_connect_prelude_port(pads_t)
+
+dev_read_rand(pads_t)
+dev_read_urand(pads_t)
+
+files_read_etc_files(pads_t)
+files_search_spool(pads_t)
+
+miscfiles_read_localization(pads_t)
+
+logging_send_syslog_msg(pads_t)
+
+sysnet_dns_name_resolve(pads_t)
+
+optional_policy(`
+ prelude_manage_spool(pads_t)
+')
diff --git a/passenger.fc b/passenger.fc
new file mode 100644
index 0000000..545518d
--- /dev/null
+++ b/passenger.fc
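Review bot: `allow pads_t pads_config_t:file manage_file_perms;` plus `files_etc_filetrans(pads_t, pads_config_t, file)` lets the daemon create and rewrite everything labelled pads_config_t, and pads.fc puts the signature list, pads.conf and the pads-assets.csv output under that one type, so a process that runs with net_raw on untrusted traffic can alter its own signatures and configuration. If the write access exists only for the assets CSV, as the file name suggests, give that file its own type (e.g. pads_assets_t) and keep pads_config_t read-only for the daemon. The second banner above the allow rules repeats `# Declarations`; it should read `# Local policy` like the neighbouring modules.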
@@ -0,0 +1,11 @@
+/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+
+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+
+/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0)
+/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0)
+
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/passenger.if b/passenger.if
new file mode 100644
index 0000000..f68b573
--- /dev/null
+++ b/passenger.if
@@ -0,0 +1,39 @@
+## Ruby on rails deployment for Apache and Nginx servers.
+
+######################################
+##
+## Execute passenger in the passenger domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`passenger_domtrans',`
+ gen_require(`
+ type passenger_t, passenger_exec_t;
+ ')
+
+ domtrans_pattern($1, passenger_exec_t, passenger_t)
+')
+
+########################################
+##
+## Read passenger lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`passenger_read_lib_files',`
+ gen_require(`
+ type passenger_var_lib_t;
+ ')
+
+ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ files_search_var_lib($1)
+')
diff --git a/passenger.te b/passenger.te
new file mode 100644
index 0000000..3470036
--- /dev/null
+++ b/passenger.te
@@ -0,0 +1,77 @@
+policy_module(passanger, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type passenger_t;
+type passenger_exec_t;
+domain_type(passenger_t)
+domain_entry_file(passenger_t, passenger_exec_t)
+role system_r types passenger_t;
+
+type passenger_log_t;
+logging_log_file(passenger_log_t)
+
+type passenger_tmp_t;
+files_tmp_file(passenger_tmp_t)
+
+type passenger_var_lib_t;
+files_type(passenger_var_lib_t)
+
+type passenger_var_run_t;
+files_pid_file(passenger_var_run_t)
+
+########################################
+#
+# passanger local policy
+#
+
+allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice };
+allow passenger_t self:process { setpgid setsched sigkill signal };
+allow passenger_t self:fifo_file rw_fifo_file_perms;
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+can_exec(passenger_t, passenger_exec_t)
+
+manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
+manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+logging_log_filetrans(passenger_t, passenger_log_t, file)
+
+manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+files_search_var_lib(passenger_t)
+
+manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+
+kernel_read_system_state(passenger_t)
+kernel_read_kernel_sysctls(passenger_t)
+
+corenet_all_recvfrom_netlabel(passenger_t)
+corenet_all_recvfrom_unlabeled(passenger_t)
+corenet_tcp_sendrecv_generic_if(passenger_t)
+corenet_tcp_sendrecv_generic_node(passenger_t)
+corenet_tcp_connect_http_port(passenger_t)
+
+corecmd_exec_bin(passenger_t)
+corecmd_exec_shell(passenger_t)
+
+dev_read_urand(passenger_t)
+
+files_read_etc_files(passenger_t)
+
+auth_use_nsswitch(passenger_t)
+
+miscfiles_read_localization(passenger_t)
+
+userdom_dontaudit_use_user_terminals(passenger_t)
+
+optional_policy(`
+ apache_append_log(passenger_t)
+ apache_read_sys_content(passenger_t)
+')
diff --git a/pcmcia.fc b/pcmcia.fc
new file mode 100644
index 0000000..9cf0e56
--- /dev/null
+++ b/pcmcia.fc
@@ -0,0 +1,10 @@
+
+/etc/apm/event\.d/pcmcia -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
+/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
+/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
+/var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+
+/var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+/var/run/stab -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
diff --git a/pcmcia.if b/pcmcia.if
new file mode 100644
index 0000000..aef445d
--- /dev/null
+++ b/pcmcia.if
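Review bot: The module is declared `policy_module(passanger, 1.0.0)` and the banner reads `# passanger local policy`, while the file name, every type and the .fc/.if all say "passenger"; the misspelt module name is what semodule and any module-level requires will see, so it should be `policy_module(passenger, 1.0.0)`. `passenger_tmp_t` is declared with `files_tmp_file` but no rule in this hunk grants passenger_t access to it or sets a `files_tmp_filetrans`, so either the tmp rules are missing or the type is dead. Separately, the Ruby applications passenger spawns appear to stay in passenger_t (`corecmd_exec_bin`, `corecmd_exec_shell`, no child domain), which carries chown/fowner/fsetid/setuid/setgid/dac_override/kill — a comment above the capability line noting that application code is trusted with those capabilities would make the trade-off explicit.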
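Review bot: `/var/lib/pcmcia(/.*)?` is labelled `cardmgr_var_run_t`, but pcmcia.te in the same series declares `cardmgr_var_lib_t` and uses `files_var_lib_filetrans(cardmgr_t, cardmgr_var_lib_t, file)` for what cardmgr creates there, so files the daemon writes at runtime get one type and a restorecon relabels them to another. The two should agree; given the .te, the line most likely wants to be `/var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_lib_t,s0)`.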
@@ -0,0 +1,156 @@
+## PCMCIA card management services
+
+########################################
+##
+## PCMCIA stub interface. No access allowed.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pcmcia_stub',`
+ gen_require(`
+ type cardmgr_t;
+ ')
+')
+
+########################################
+##
+## Execute cardmgr in the cardmgr domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pcmcia_domtrans_cardmgr',`
+ gen_require(`
+ type cardmgr_t, cardmgr_exec_t;
+ ')
+
+ domtrans_pattern($1, cardmgr_exec_t, cardmgr_t)
+')
+
+########################################
+##
+## Inherit and use file descriptors from cardmgr.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pcmcia_use_cardmgr_fds',`
+ gen_require(`
+ type cardmgr_t;
+ ')
+
+ allow $1 cardmgr_t:fd use;
+')
+
+########################################
+##
+## Execute cardctl in the cardmgr domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pcmcia_domtrans_cardctl',`
+ gen_require(`
+ type cardmgr_t, cardctl_exec_t;
+ ')
+
+ domtrans_pattern($1, cardctl_exec_t, cardmgr_t)
+')
+
+########################################
+##
+## Execute cardmgr in the cardctl domain, and
+## allow the specified role the cardmgr domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`pcmcia_run_cardctl',`
+ gen_require(`
+ type cardmgr_t;
+ ')
+
+ pcmcia_domtrans_cardctl($1)
+ role $2 types cardmgr_t;
+')
+
+########################################
+##
+## Read cardmgr pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pcmcia_read_pid',`
+ gen_require(`
+ type cardmgr_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## cardmgr pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pcmcia_manage_pid',`
+ gen_require(`
+ type cardmgr_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## cardmgr runtime character nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pcmcia_manage_pid_chr_files',`
+ gen_require(`
+ type cardmgr_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_chr_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
+')
diff --git a/pcmcia.te b/pcmcia.te
new file mode 100644
index 0000000..4d06ae3
--- /dev/null
+++ b/pcmcia.te
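Review bot: The summary of `pcmcia_run_cardctl` says "Execute cardmgr in the cardctl domain", but the interface goes through `pcmcia_domtrans_cardctl`, which transitions cardctl_exec_t into cardmgr_t and then grants the role that domain; the text should read `## Execute cardctl in the cardmgr domain, and allow the specified role the cardmgr domain.`. The wording matters because cardmgr_t, per pcmcia.te, holds sys_admin, net_admin, mknod and setuid and may exec all executables, so any role given this interface is handed a near-unconfined domain — a sentence in the interface description warning of that would be appropriate.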
@@ -0,0 +1,137 @@
+policy_module(pcmcia, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type cardmgr_t;
+type cardmgr_exec_t;
+init_daemon_domain(cardmgr_t, cardmgr_exec_t)
+
+# Create symbolic links in /dev.
+# cjp: this should probably be eliminated
+type cardmgr_lnk_t;
+files_type(cardmgr_lnk_t)
+
+type cardmgr_var_lib_t;
+files_type(cardmgr_var_lib_t)
+
+type cardmgr_var_run_t;
+files_pid_file(cardmgr_var_run_t)
+
+type cardctl_exec_t;
+application_domain(cardmgr_t, cardctl_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# Use capabilities (net_admin for route), setuid for cardctl
+allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+dontaudit cardmgr_t self:capability sys_tty_config;
+allow cardmgr_t self:process signal_perms;
+allow cardmgr_t self:fifo_file rw_fifo_file_perms;
+allow cardmgr_t self:unix_dgram_socket create_socket_perms;
+allow cardmgr_t self:unix_stream_socket create_socket_perms;
+
+allow cardmgr_t cardmgr_lnk_t:lnk_file manage_lnk_file_perms;
+dev_filetrans(cardmgr_t, cardmgr_lnk_t, lnk_file)
+
+# Create stab file
+manage_files_pattern(cardmgr_t, cardmgr_var_lib_t, cardmgr_var_lib_t)
+files_var_lib_filetrans(cardmgr_t, cardmgr_var_lib_t, file)
+
+allow cardmgr_t cardmgr_var_run_t:file manage_file_perms;
+files_pid_filetrans(cardmgr_t, cardmgr_var_run_t, file)
+
+kernel_read_system_state(cardmgr_t)
+kernel_read_kernel_sysctls(cardmgr_t)
+kernel_dontaudit_getattr_message_if(cardmgr_t)
+
+corecmd_exec_all_executables(cardmgr_t)
+
+dev_read_sysfs(cardmgr_t)
+dev_manage_cardmgr_dev(cardmgr_t)
+dev_filetrans_cardmgr(cardmgr_t)
+dev_getattr_all_chr_files(cardmgr_t)
+dev_getattr_all_blk_files(cardmgr_t)
+# for SSP
+dev_read_urand(cardmgr_t)
+
+domain_use_interactive_fds(cardmgr_t)
+# Read /proc/PID directories for all domains (for fuser).
+domain_read_confined_domains_state(cardmgr_t)
+domain_getattr_confined_domains(cardmgr_t)
+domain_dontaudit_ptrace_confined_domains(cardmgr_t)
+# cjp: these look excessive:
+domain_dontaudit_getattr_all_pipes(cardmgr_t)
+domain_dontaudit_getattr_all_sockets(cardmgr_t)
+
+files_search_kernel_modules(cardmgr_t)
+files_list_usr(cardmgr_t)
+files_search_home(cardmgr_t)
+files_read_etc_runtime_files(cardmgr_t)
+files_exec_etc_files(cardmgr_t)
+# for /var/lib/misc/pcmcia-scheme
+# would be better to have it in a different type if I knew how it was created..
+files_read_var_lib_files(cardmgr_t)
+# cjp: these look excessive:
+files_dontaudit_getattr_all_dirs(cardmgr_t)
+files_dontaudit_getattr_all_files(cardmgr_t)
+files_dontaudit_getattr_all_symlinks(cardmgr_t)
+files_dontaudit_getattr_all_pipes(cardmgr_t)
+files_dontaudit_getattr_all_sockets(cardmgr_t)
+
+fs_getattr_all_fs(cardmgr_t)
+fs_search_auto_mountpoints(cardmgr_t)
+
+term_use_unallocated_ttys(cardmgr_t)
+term_getattr_all_ttys(cardmgr_t)
+term_dontaudit_getattr_all_ptys(cardmgr_t)
+
+libs_exec_ld_so(cardmgr_t)
+libs_exec_lib_files(cardmgr_t)
+
+logging_send_syslog_msg(cardmgr_t)
+
+miscfiles_read_localization(cardmgr_t)
+
+modutils_domtrans_insmod(cardmgr_t)
+
+sysnet_domtrans_ifconfig(cardmgr_t)
+# for /etc/resolv.conf
+sysnet_etc_filetrans_config(cardmgr_t)
+sysnet_manage_config(cardmgr_t)
+
+userdom_use_user_terminals(cardmgr_t)
+userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
+userdom_dontaudit_search_user_home_dirs(cardmgr_t)
+
+optional_policy(`
+ seutil_dontaudit_read_config(cardmgr_t)
+ seutil_sigchld_newrole(cardmgr_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(cardmgr_t)
+
+ sysnet_read_dhcpc_pid(cardmgr_t)
+ sysnet_delete_dhcpc_pid(cardmgr_t)
+ sysnet_kill_dhcpc(cardmgr_t)
+ sysnet_sigchld_dhcpc(cardmgr_t)
+ sysnet_signal_dhcpc(cardmgr_t)
+ sysnet_signull_dhcpc(cardmgr_t)
+ sysnet_sigstop_dhcpc(cardmgr_t)
+')
+
+optional_policy(`
+ udev_read_db(cardmgr_t)
+')
+
+# Create device files in /tmp.
+# cjp: why is this created all over the place?
+files_pid_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file })
+files_tmp_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file })
+filetrans_pattern(cardmgr_t, cardmgr_var_run_t, cardmgr_dev_t, { chr_file blk_file })
diff --git a/pcscd.fc b/pcscd.fc
new file mode 100644
index 0000000..87f17e8
--- /dev/null
+++ b/pcscd.fc
@@ -0,0 +1,6 @@
+/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
+
+/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
diff --git a/pcscd.if b/pcscd.if
new file mode 100644
index 0000000..1c2a091
--- /dev/null
+++ b/pcscd.if
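Review bot: The three filetrans rules at the end reference `cardmgr_dev_t`, which this module neither declares nor lists in a `gen_require`; the `dev_manage_cardmgr_dev`/`dev_filetrans_cardmgr` calls suggest it is declared in the devices module, and if so a modular build needs a `gen_require` block declaring `type cardmgr_dev_t;` near the top of the file. `allow cardmgr_t self:capability { ... sys_tty_config mknod };` is immediately followed by `dontaudit cardmgr_t self:capability sys_tty_config;`, which can never fire because the permission is already allowed — keep one or the other. With sys_admin, mknod, net_admin, `corecmd_exec_all_executables` and `files_exec_etc_files` this domain is close to unconfined, which the existing "cjp" notes only hint at; a header comment stating that cardmgr_t is a trusted, privileged domain would set expectations for anyone granting `pcmcia_run_cardctl`.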
@@ -0,0 +1,95 @@
+## PCSC smart card service
+
+########################################
+##
+## Execute a domain transition to run pcscd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pcscd_domtrans',`
+ gen_require(`
+ type pcscd_t, pcscd_exec_t;
+ ')
+
+ domtrans_pattern($1, pcscd_exec_t, pcscd_t)
+')
+
+########################################
+##
+## Read pcscd pub files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pcscd_read_pub_files',`
+ gen_require(`
+ type pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pcscd_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Manage pcscd pub files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pcscd_manage_pub_files',`
+ gen_require(`
+ type pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
+')
+
+########################################
+##
+## Manage pcscd pub fifo files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pcscd_manage_pub_pipes',`
+ gen_require(`
+ type pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_fifo_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
+')
+
+########################################
+##
+## Connect to pcscd over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pcscd_stream_connect',`
+ gen_require(`
+ type pcscd_t, pcscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
+')
diff --git a/pcscd.te b/pcscd.te
new file mode 100644
index 0000000..ceafba6
--- /dev/null
+++ b/pcscd.te
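Review bot: `pcscd_read_pub_files` grants only `allow $1 pcscd_var_run_t:file read_file_perms;`, while its sibling `pcscd_manage_pub_files` uses `manage_files_pattern`, so a reader gets no search permission on pcscd_var_run_t directories; pcscd.fc labels `/var/run/pcscd\.events(/.*)?` with that type, which looks like a directory tree the reader would need to traverse. For consistency and to cover that case, use `read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)`.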
@@ -0,0 +1,79 @@
+policy_module(pcscd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type pcscd_t;
+type pcscd_exec_t;
+domain_type(pcscd_t)
+init_daemon_domain(pcscd_t, pcscd_exec_t)
+
+# pid files
+type pcscd_var_run_t;
+files_pid_file(pcscd_var_run_t)
+
+########################################
+#
+# pcscd local policy
+#
+
+allow pcscd_t self:capability { dac_override dac_read_search };
+allow pcscd_t self:process signal;
+allow pcscd_t self:fifo_file rw_fifo_file_perms;
+allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
+allow pcscd_t self:unix_dgram_socket create_socket_perms;
+allow pcscd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
+
+kernel_read_system_state(pcscd_t)
+
+corenet_all_recvfrom_unlabeled(pcscd_t)
+corenet_all_recvfrom_netlabel(pcscd_t)
+corenet_tcp_sendrecv_generic_if(pcscd_t)
+corenet_tcp_sendrecv_generic_node(pcscd_t)
+corenet_tcp_sendrecv_all_ports(pcscd_t)
+corenet_tcp_connect_http_port(pcscd_t)
+
+dev_rw_generic_usb_dev(pcscd_t)
+dev_rw_smartcard(pcscd_t)
+dev_rw_usbfs(pcscd_t)
+dev_read_sysfs(pcscd_t)
+
+files_read_etc_files(pcscd_t)
+files_read_etc_runtime_files(pcscd_t)
+
+term_use_unallocated_ttys(pcscd_t)
+term_dontaudit_getattr_pty_dirs(pcscd_t)
+
+locallogin_use_fds(pcscd_t)
+
+logging_send_syslog_msg(pcscd_t)
+
+miscfiles_read_localization(pcscd_t)
+
+sysnet_dns_name_resolve(pcscd_t)
+
+optional_policy(`
+ dbus_system_bus_client(pcscd_t)
+
+ optional_policy(`
+ hal_dbus_chat(pcscd_t)
+ ')
+')
+
+optional_policy(`
+ openct_stream_connect(pcscd_t)
+ openct_read_pid_files(pcscd_t)
+ openct_signull(pcscd_t)
+')
+
+optional_policy(`
+ rpm_use_script_fds(pcscd_t)
+')
diff --git a/pegasus.fc b/pegasus.fc
new file mode 100644
index 0000000..9515043
--- /dev/null
+++ b/pegasus.fc
@@ -0,0 +1,12 @@
+
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
+
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+
+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
+
+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
+
+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
diff --git a/pegasus.if b/pegasus.if
new file mode 100644
index 0000000..920b13f
--- /dev/null
+++ b/pegasus.if
@@ -0,0 +1 @@
+## The Open Group Pegasus CIM/WBEM Server.
diff --git a/pegasus.te b/pegasus.te
new file mode 100644
index 0000000..3185114
--- /dev/null
+++ b/pegasus.te
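Review bot: `corenet_tcp_connect_http_port(pcscd_t)` together with `corenet_tcp_sendrecv_all_ports` and `sysnet_dns_name_resolve` gives the smart-card daemon outbound HTTP to arbitrary hosts, and nothing else in the hunk explains why a local-socket daemon with raw USB access (`dev_rw_generic_usb_dev`, `dev_rw_usbfs`) should talk to the network. If a reader driver genuinely needs it, record that in a comment above the connect line; otherwise drop it, since an egress path from a domain that handles card PINs is exactly what an attacker wants. `domain_type(pcscd_t)` is redundant with `init_daemon_domain(pcscd_t, pcscd_exec_t)` (openct.te in the same series omits it) and can go.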
@@ -0,0 +1,138 @@
+policy_module(pegasus, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type pegasus_t;
+type pegasus_exec_t;
+init_daemon_domain(pegasus_t, pegasus_exec_t)
+
+type pegasus_data_t;
+files_type(pegasus_data_t)
+
+type pegasus_tmp_t;
+files_tmp_file(pegasus_tmp_t)
+
+type pegasus_conf_t;
+files_type(pegasus_conf_t)
+
+type pegasus_mof_t;
+files_type(pegasus_mof_t)
+
+type pegasus_var_run_t;
+files_pid_file(pegasus_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
+dontaudit pegasus_t self:capability sys_tty_config;
+allow pegasus_t self:process signal;
+allow pegasus_t self:fifo_file rw_fifo_file_perms;
+allow pegasus_t self:unix_dgram_socket create_socket_perms;
+allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
+allow pegasus_t self:tcp_socket create_stream_socket_perms;
+
+allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
+allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
+allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
+filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir })
+
+can_exec(pegasus_t, pegasus_exec_t)
+
+allow pegasus_t pegasus_mof_t:dir list_dir_perms;
+read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
+read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
+
+manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
+
+allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
+manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
+files_pid_filetrans(pegasus_t, pegasus_var_run_t, file)
+
+kernel_read_kernel_sysctls(pegasus_t)
+kernel_read_fs_sysctls(pegasus_t)
+kernel_read_system_state(pegasus_t)
+kernel_search_vm_sysctl(pegasus_t)
+kernel_read_net_sysctls(pegasus_t)
+
+corenet_all_recvfrom_unlabeled(pegasus_t)
+corenet_all_recvfrom_netlabel(pegasus_t)
+corenet_tcp_sendrecv_generic_if(pegasus_t)
+corenet_tcp_sendrecv_generic_node(pegasus_t)
+corenet_tcp_sendrecv_all_ports(pegasus_t)
+corenet_tcp_bind_generic_node(pegasus_t)
+corenet_tcp_bind_pegasus_http_port(pegasus_t)
+corenet_tcp_bind_pegasus_https_port(pegasus_t)
+corenet_tcp_connect_pegasus_http_port(pegasus_t)
+corenet_tcp_connect_pegasus_https_port(pegasus_t)
+corenet_tcp_connect_generic_port(pegasus_t)
+corenet_sendrecv_generic_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
+
+corecmd_exec_bin(pegasus_t)
+corecmd_exec_shell(pegasus_t)
+
+dev_read_sysfs(pegasus_t)
+dev_read_urand(pegasus_t)
+
+fs_getattr_all_fs(pegasus_t)
+fs_search_auto_mountpoints(pegasus_t)
+files_getattr_all_dirs(pegasus_t)
+
+auth_use_nsswitch(pegasus_t)
+auth_domtrans_chk_passwd(pegasus_t)
+
+domain_use_interactive_fds(pegasus_t)
+domain_read_all_domains_state(pegasus_t)
+
+files_read_etc_files(pegasus_t)
+files_list_var_lib(pegasus_t)
+files_read_var_lib_files(pegasus_t)
+files_read_var_lib_symlinks(pegasus_t)
+
+hostname_exec(pegasus_t)
+
+init_rw_utmp(pegasus_t)
+init_stream_connect_script(pegasus_t)
+
+logging_send_audit_msgs(pegasus_t)
+logging_send_syslog_msg(pegasus_t)
+
+miscfiles_read_localization(pegasus_t)
+
+sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+userdom_dontaudit_search_user_home_dirs(pegasus_t)
+
+optional_policy(`
+ rpm_exec(pegasus_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pegasus_t)
+ seutil_dontaudit_read_config(pegasus_t)
+')
+
+optional_policy(`
+ udev_read_db(pegasus_t)
+')
+
+optional_policy(`
+ unconfined_signull(pegasus_t)
+')
diff --git a/perdition.fc b/perdition.fc
new file mode 100644
index 0000000..bcdf89b
--- /dev/null
+++ b/perdition.fc
@@ -0,0 +1,3 @@
+/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
+
+/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0)
diff --git a/perdition.if b/perdition.if
new file mode 100644
index 0000000..2b0bd64
--- /dev/null
+++ b/perdition.if
@@ -0,0 +1,15 @@
+## Perdition POP and IMAP proxy
+
+########################################
+##
+## Connect to perdition over a TCP socket (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`perdition_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/perdition.te b/perdition.te
new file mode 100644
index 0000000..3636277
--- /dev/null
+++ b/perdition.te
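Review bot: `domain_read_all_domains_state(pegasus_t)` lets the CIM server read the /proc entries of every domain on the host, and together with `corenet_tcp_connect_generic_port`, `rpm_exec`, `sysnet_domtrans_ifconfig` and `corecmd_exec_shell` it becomes a remotely reachable management agent with wide local reach, yet none of those lines say why; the process-state read is presumably for the OS/process providers, so a comment such as `# process and OS providers enumerate all processes` above that line would ground it, and the generic-port connect deserves the same. `allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };` grants no dir management on pegasus_var_run_t and the only filetrans is for `file`, so the socket can only be created if /var/run/tog-pegasus already exists with the right label — fine if the package ships it, otherwise add `manage_dirs_pattern` and a `dir` filetrans.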
@@ -0,0 +1,75 @@
+policy_module(perdition, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type perdition_t;
+type perdition_exec_t;
+init_daemon_domain(perdition_t, perdition_exec_t)
+
+type perdition_etc_t;
+files_config_file(perdition_etc_t)
+
+type perdition_var_run_t;
+files_pid_file(perdition_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow perdition_t self:capability { setgid setuid };
+dontaudit perdition_t self:capability sys_tty_config;
+allow perdition_t self:process signal_perms;
+allow perdition_t self:tcp_socket create_stream_socket_perms;
+allow perdition_t self:udp_socket create_socket_perms;
+
+allow perdition_t perdition_etc_t:file read_file_perms;
+files_search_etc(perdition_t)
+
+manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
+files_pid_filetrans(perdition_t, perdition_var_run_t, file)
+
+kernel_read_kernel_sysctls(perdition_t)
+kernel_list_proc(perdition_t)
+kernel_read_proc_symlinks(perdition_t)
+
+corenet_all_recvfrom_unlabeled(perdition_t)
+corenet_all_recvfrom_netlabel(perdition_t)
+corenet_tcp_sendrecv_generic_if(perdition_t)
+corenet_udp_sendrecv_generic_if(perdition_t)
+corenet_tcp_sendrecv_generic_node(perdition_t)
+corenet_udp_sendrecv_generic_node(perdition_t)
+corenet_tcp_sendrecv_all_ports(perdition_t)
+corenet_udp_sendrecv_all_ports(perdition_t)
+corenet_tcp_bind_generic_node(perdition_t)
+corenet_tcp_bind_pop_port(perdition_t)
+corenet_sendrecv_pop_server_packets(perdition_t)
+
+dev_read_sysfs(perdition_t)
+
+domain_use_interactive_fds(perdition_t)
+
+fs_getattr_all_fs(perdition_t)
+fs_search_auto_mountpoints(perdition_t)
+
+files_read_etc_files(perdition_t)
+
+logging_send_syslog_msg(perdition_t)
+
+miscfiles_read_localization(perdition_t)
+
+sysnet_read_config(perdition_t)
+
+userdom_dontaudit_use_unpriv_user_fds(perdition_t)
+userdom_dontaudit_search_user_home_dirs(perdition_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(perdition_t)
+')
+
+optional_policy(`
+ udev_read_db(perdition_t)
+')
diff --git a/pingd.fc b/pingd.fc
new file mode 100644
index 0000000..ea085f7
--- /dev/null
+++ b/pingd.fc
@@ -0,0 +1,6 @@
+/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0)
+/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0)
+
+/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0)
+
+/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0)
diff --git a/pingd.if b/pingd.if
new file mode 100644
index 0000000..8688aae
--- /dev/null
+++ b/pingd.if
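Review bot: `allow perdition_t perdition_etc_t:file read_file_perms` grants file reads but no `search` on `perdition_etc_t` directories, while perdition.fc in this diff labels the whole `/etc/perdition(/.*)?` tree with that type, so opening a file under it is denied at the directory step; `files_search_etc` only covers `etc_t`. Replace the allow line with `read_files_pattern(perdition_t, perdition_etc_t, perdition_etc_t)`, which grants the directory search and the file read together. The domain also only binds and serves the POP port set and has no outbound connect rule; if perdition forwards sessions to backend mail servers, as a proxy presumably does, `corenet_tcp_connect_pop_port(perdition_t)` and a matching `corenet_sendrecv_pop_client_packets(perdition_t)` look missing and should be confirmed against audit output before this ships.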
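Review bot: `/etc/pingd.conf` leaves its dot unescaped, so the pattern also matches any single character at that position; the entry right below it escapes `rc\.d/init\.d`, and the other fc files in this diff escape dots too (`make\.conf`, `emerge\.log`). Use `/etc/pingd\.conf -- gen_context(system_u:object_r:pingd_etc_t,s0)`. The impact is small here, but file-context regexes are the labeling boundary and are worth keeping exact.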
@@ -0,0 +1,97 @@
+## Pingd of the Whatsup cluster node up/down detection utility
+
+########################################
+##
+## Execute a domain transition to run pingd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pingd_domtrans',`
+ gen_require(`
+ type pingd_t, pingd_exec_t;
+ ')
+
+ domtrans_pattern($1, pingd_exec_t, pingd_t)
+')
+
+#######################################
+##
+## Read pingd etc configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pingd_read_config',`
+ gen_require(`
+ type pingd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, pingd_etc_t, pingd_etc_t)
+')
+
+#######################################
+##
+## Manage pingd etc configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pingd_manage_config',`
+ gen_require(`
+ type pingd_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
+ manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
+
+')
+
+#######################################
+##
+## All of the rules required to administrate
+## an pingd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the pingd domain.
+##
+##
+##
+#
+interface(`pingd_admin',`
+ gen_require(`
+ type pingd_t, pingd_etc_t;
+ type pingd_initrc_exec_t, pingd_modules_t;
+ ')
+
+ allow $1 pingd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pingd_t)
+
+ init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pingd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, pingd_etc_t)
+
+ files_list_usr($1)
+ admin_pattern($1, pingd_modules_t)
+')
diff --git a/pingd.te b/pingd.te
new file mode 100644
index 0000000..e9cf8a4
--- /dev/null
+++ b/pingd.te
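Review bot: `pingd_domtrans` calls `domtrans_pattern($1, pingd_exec_t, pingd_t)` without first granting `corecmd_search_bin($1)`, so a caller that cannot already search `bin_t` directories never reaches `/usr/sbin/pingd` and the transition is never exercised; `portage_domtrans` later in this diff pairs the two, and this interface should add `corecmd_search_bin($1)` before the `domtrans_pattern` line. `pingd_manage_config` leaves a stray blank line before its closing `')`. The `pingd_admin` summary reads `an pingd environment`; `a pingd environment`.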
@@ -0,0 +1,47 @@
+policy_module(pingd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pingd_t;
+type pingd_exec_t;
+init_daemon_domain(pingd_t, pingd_exec_t)
+
+# type for config
+type pingd_etc_t;
+files_type(pingd_etc_t)
+
+type pingd_initrc_exec_t;
+init_script_file(pingd_initrc_exec_t)
+
+# type for pingd modules
+type pingd_modules_t;
+files_type(pingd_modules_t)
+
+########################################
+#
+# pingd local policy
+#
+
+allow pingd_t self:capability net_raw;
+allow pingd_t self:tcp_socket create_stream_socket_perms;
+allow pingd_t self:rawip_socket { write read create bind };
+
+read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
+
+read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+
+corenet_raw_bind_generic_node(pingd_t)
+corenet_tcp_bind_generic_node(pingd_t)
+corenet_tcp_bind_pingd_port(pingd_t)
+
+auth_use_nsswitch(pingd_t)
+
+files_search_usr(pingd_t)
+
+logging_send_syslog_msg(pingd_t)
+
+miscfiles_read_localization(pingd_t)
diff --git a/plymouthd.fc b/plymouthd.fc
new file mode 100644
index 0000000..5702ca4
--- /dev/null
+++ b/plymouthd.fc
@@ -0,0 +1,7 @@
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/plymouthd.if b/plymouthd.if
new file mode 100644
index 0000000..9759ed8
--- /dev/null
+++ b/plymouthd.if
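Review bot: `allow pingd_t self:rawip_socket { write read create bind }` together with `corenet_raw_bind_generic_node` lets the domain create and bind a raw socket, but nothing grants traffic on it: there is no `corenet_raw_sendrecv_generic_if(pingd_t)` / `corenet_raw_sendrecv_generic_node(pingd_t)`, and the permission set lacks `setopt`/`getopt`/`ioctl`, which raw-socket probing usually needs, so expect denials in enforcing mode unless the daemon probes differently than its name suggests. `net_raw` is the one privileged grant in this domain and carries no comment; add a why-line such as `# net_raw + rawip_socket: raw-socket liveness probes of cluster nodes -- TODO confirm against audit log` so the intended scope is recorded. `pingd_etc_t` is declared with plain `files_type` although it is only ever read here; `files_config_file(pingd_etc_t)`, as perdition.te in this diff uses, states that intent more precisely.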
@@ -0,0 +1,260 @@
+## Plymouth graphical boot
+
+########################################
+##
+## Execute a domain transition to run plymouthd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`plymouthd_domtrans', `
+ gen_require(`
+ type plymouthd_t, plymouthd_exec_t;
+ ')
+
+ domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
+')
+
+########################################
+##
+## Execute the plymoth daemon in the current domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_exec', `
+ gen_require(`
+ type plymouthd_exec_t;
+ ')
+
+ can_exec($1, plymouthd_exec_t)
+')
+
+########################################
+##
+## Allow domain to Stream socket connect
+## to Plymouth daemon.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_stream_connect', `
+ gen_require(`
+ type plymouthd_t;
+ ')
+
+ allow $1 plymouthd_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Execute the plymoth command in the current domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_exec_plymouth', `
+ gen_require(`
+ type plymouth_exec_t;
+ ')
+
+ can_exec($1, plymouth_exec_t)
+')
+
+########################################
+##
+## Execute a domain transition to run plymouthd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`plymouthd_domtrans_plymouth', `
+ gen_require(`
+ type plymouth_t, plymouth_exec_t;
+ ')
+
+ domtrans_pattern($1, plymouth_exec_t, plymouth_t)
+')
+
+########################################
+##
+## Search plymouthd spool directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_search_spool', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ allow $1 plymouthd_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+##
+## Read plymouthd spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_read_spool_files', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## plymouthd spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_manage_spool_files', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+##
+## Search plymouthd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_search_lib', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ allow $1 plymouthd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read plymouthd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_read_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## plymouthd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_manage_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+##
+## Read plymouthd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_read_pid_files', `
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 plymouthd_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an plymouthd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`plymouthd_admin', `
+ gen_require(`
+ type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
+ type plymouthd_var_run_t;
+ ')
+
+ allow $1 plymouthd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, plymouthd_t, plymouthd_t)
+
+ admin_pattern($1, plymouthd_spool_t)
+
+ admin_pattern($1, plymouthd_var_lib_t)
+
+ admin_pattern($1, plymouthd_var_run_t)
+')
diff --git a/plymouthd.te b/plymouthd.te
new file mode 100644
index 0000000..86700ed
--- /dev/null
+++ b/plymouthd.te
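Review bot: `plymouthd_admin` documents a second parameter, `Role allowed access`, but its body never references `$2`, so a caller passing a role gets nothing for it and the interface silently accepts an argument it ignores; either drop the role parameter from the doc block or use it the way `pingd_admin` in this diff does (`role_transition $2 ... system_r;` / `allow $2 system_r;`), which would also require an initrc type this module does not declare. `plymouthd_domtrans_plymouth` copies the summary `Execute a domain transition to run plymouthd.` although it transitions into `plymouth_t`; `Execute a domain transition to run the plymouth client.` `plymouthd_stream_connect` grants only `unix_stream_socket connectto` with no `sock_file` write, which suffices for an abstract socket but not for one created under `plymouthd_spool_t` (plymouthd.te in this diff creates `sock_file`s there); if the daemon listens on a filesystem socket, use `stream_connect_pattern` with that type instead. Two summaries spell the project `plymoth`.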
@@ -0,0 +1,99 @@
+policy_module(plymouthd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type plymouth_t;
+type plymouth_exec_t;
+application_domain(plymouth_t, plymouth_exec_t)
+
+type plymouthd_t;
+type plymouthd_exec_t;
+init_daemon_domain(plymouthd_t, plymouthd_exec_t)
+
+type plymouthd_spool_t;
+files_type(plymouthd_spool_t)
+
+type plymouthd_var_lib_t;
+files_type(plymouthd_var_lib_t)
+
+type plymouthd_var_run_t;
+files_pid_file(plymouthd_var_run_t)
+
+########################################
+#
+# Plymouthd private policy
+#
+
+allow plymouthd_t self:capability { sys_admin sys_tty_config };
+dontaudit plymouthd_t self:capability dac_override;
+allow plymouthd_t self:process { signal getsched };
+allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
+
+kernel_read_system_state(plymouthd_t)
+kernel_request_load_module(plymouthd_t)
+kernel_change_ring_buffer_level(plymouthd_t)
+
+dev_rw_dri(plymouthd_t)
+dev_read_sysfs(plymouthd_t)
+dev_read_framebuffer(plymouthd_t)
+dev_write_framebuffer(plymouthd_t)
+
+domain_use_interactive_fds(plymouthd_t)
+
+files_read_etc_files(plymouthd_t)
+files_read_usr_files(plymouthd_t)
+
+miscfiles_read_localization(plymouthd_t)
+miscfiles_read_fonts(plymouthd_t)
+miscfiles_manage_fonts_cache(plymouthd_t)
+
+########################################
+#
+# Plymouth private policy
+#
+
+allow plymouth_t self:process signal;
+allow plymouth_t self:fifo_file rw_file_perms;
+allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(plymouth_t)
+
+domain_use_interactive_fds(plymouth_t)
+
+files_read_etc_files(plymouth_t)
+
+term_use_ptmx(plymouth_t)
+
+miscfiles_read_localization(plymouth_t)
+
+sysnet_read_config(plymouth_t)
+
+plymouthd_stream_connect(plymouth_t)
+
+ifdef(`hide_broken_symptoms', `
+ optional_policy(`
+ hal_dontaudit_write_log(plymouth_t)
+ hal_dontaudit_rw_pipes(plymouth_t)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(plymouth_t)
+')
diff --git a/podsleuth.fc b/podsleuth.fc
new file mode 100644
index 0000000..6fbc01c
--- /dev/null
+++ b/podsleuth.fc
@@ -0,0 +1,3 @@
+/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0)
diff --git a/podsleuth.if b/podsleuth.if
new file mode 100644
index 0000000..d6d80a0
--- /dev/null
+++ b/podsleuth.if
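Review bot: `allow plymouthd_t self:capability { sys_admin sys_tty_config };` grants the broadest capability in the policy without a why-comment, so a reader cannot tell whether it covers the console/framebuffer ioctls or something else; add a comment on that line naming the operation behind it, e.g. `# sys_admin: <operation from the denial> -- TODO confirm`. The same applies to `lvm_domtrans(plymouth_t)` at the end of the client policy: the client is an `application_domain` yet gains a transition into the lvm domain, and one line stating why is warranted. In the client section `allow plymouth_t self:fifo_file rw_file_perms;` uses the generic file permission set where the daemon section above uses `rw_fifo_file_perms` for the same class; `allow plymouth_t self:fifo_file rw_fifo_file_perms;` is the consistent form.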
@@ -0,0 +1,45 @@
+## Podsleuth is a tool to get information about an Apple (TM) iPod (TM)
+
+########################################
+##
+## Execute a domain transition to run podsleuth.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`podsleuth_domtrans',`
+ gen_require(`
+ type podsleuth_t, podsleuth_exec_t;
+ ')
+
+ domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
+ allow $1 podsleuth_t:process signal;
+')
+
+########################################
+##
+## Execute podsleuth in the podsleuth domain, and
+## allow the specified role the podsleuth domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`podsleuth_run',`
+ gen_require(`
+ type podsleuth_t;
+ ')
+
+ podsleuth_domtrans($1)
+ role $2 types podsleuth_t;
+')
diff --git a/podsleuth.te b/podsleuth.te
new file mode 100644
index 0000000..b669461
--- /dev/null
+++ b/podsleuth.te
@@ -0,0 +1,89 @@
+policy_module(podsleuth, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type podsleuth_t;
+type podsleuth_exec_t;
+application_domain(podsleuth_t, podsleuth_exec_t)
+role system_r types podsleuth_t;
+
+type podsleuth_cache_t;
+files_type(podsleuth_cache_t)
+ubac_constrained(podsleuth_cache_t)
+
+type podsleuth_tmp_t;
+files_tmp_file(podsleuth_tmp_t)
+ubac_constrained(podsleuth_tmp_t)
+
+type podsleuth_tmpfs_t;
+files_tmpfs_file(podsleuth_tmpfs_t)
+ubac_constrained(podsleuth_tmpfs_t)
+
+########################################
+#
+# podsleuth local policy
+#
+allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+allow podsleuth_t self:fifo_file rw_file_perms;
+allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+allow podsleuth_t self:sem create_sem_perms;
+allow podsleuth_t self:tcp_socket create_stream_socket_perms;
+allow podsleuth_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
+
+allow podsleuth_t podsleuth_tmp_t:dir mounton;
+manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
+
+manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
+
+kernel_read_system_state(podsleuth_t)
+kernel_request_load_module(podsleuth_t)
+
+corecmd_exec_bin(podsleuth_t)
+
+corenet_tcp_connect_http_port(podsleuth_t)
+
+dev_read_urand(podsleuth_t)
+
+files_read_etc_files(podsleuth_t)
+
+fs_mount_dos_fs(podsleuth_t)
+fs_unmount_dos_fs(podsleuth_t)
+fs_getattr_dos_fs(podsleuth_t)
+fs_read_dos_files(podsleuth_t)
+fs_search_dos(podsleuth_t)
+fs_getattr_tmpfs(podsleuth_t)
+fs_list_tmpfs(podsleuth_t)
+fs_rw_removable_blk_files(podsleuth_t)
+
+miscfiles_read_localization(podsleuth_t)
+
+sysnet_dns_name_resolve(podsleuth_t)
+
+userdom_signal_unpriv_users(podsleuth_t)
+userdom_signull_unpriv_users(podsleuth_t)
+userdom_read_user_tmpfs_files(podsleuth_t)
+
+optional_policy(`
+ dbus_system_bus_client(podsleuth_t)
+
+ optional_policy(`
+ hal_dbus_chat(podsleuth_t)
+ ')
+')
+
+optional_policy(`
+ mono_exec(podsleuth_t)
+')
diff --git a/policykit.fc b/policykit.fc
new file mode 100644
index 0000000..27c739c
--- /dev/null
+++ b/policykit.fc
@@ -0,0 +1,15 @@
+/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
+
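Review bot: The capability and process lines make `podsleuth_t` the most privileged domain in this diff — `dac_override sys_admin sys_rawio`, `ptrace`, and `execheap execmem execstack` — and none of them carries a comment saying which operation needs it. The `exec*` trio is presumably the Mono runtime (`mono_exec` appears at the bottom) and `sys_rawio` with `fs_rw_removable_blk_files` the raw device access, but that belongs at the lines rather than in the reviewer's head: `# execmem/execheap/execstack: Mono JIT (see mono_exec below)` and `# sys_rawio + removable blk rw: direct access to the iPod block device -- TODO confirm`. `dac_override` and `sys_admin` are the grants an auditor asks about first; if the audit log shows they are only needed for the DOS filesystem mount, say so next to `fs_mount_dos_fs`. `userdom_signal_unpriv_users` lets this HAL-spawned helper signal every unprivileged user process and deserves its own one-line justification.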
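Review bot: `/var/lib/misc/PolicyKit.reload` is the only regular-file entry in this file without the `--` type specifier, so the context also applies to a directory or socket at that path, and its dot is unescaped while the portage.fc entries later in this diff escape theirs (`make\.conf`). Use `/var/lib/misc/PolicyKit\.reload -- gen_context(system_u:object_r:policykit_reload_t,s0)`. If the reload marker is deliberately created as something other than a regular file, a comment on the line should say so.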
diff --git a/policykit.if b/policykit.if
new file mode 100644
index 0000000..48ff1e8
--- /dev/null
+++ b/policykit.if
@@ -0,0 +1,209 @@
+## Policy framework for controlling privileges for system-wide services.
+
+########################################
+##
+## Send and receive messages from
+## policykit over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_dbus_chat',`
+ gen_require(`
+ type policykit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 policykit_t:dbus send_msg;
+ allow policykit_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Execute a domain transition to run polkit_auth.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`policykit_domtrans_auth',`
+ gen_require(`
+ type policykit_auth_t, policykit_auth_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
+')
+
+########################################
+##
+## Execute a policy_auth in the policy_auth domain, and
+## allow the specified role the policy_auth domain,
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`policykit_run_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ policykit_domtrans_auth($1)
+ role $2 types policykit_auth_t;
+')
+
+########################################
+##
+## Execute a domain transition to run polkit_grant.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`policykit_domtrans_grant',`
+ gen_require(`
+ type policykit_grant_t, policykit_grant_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
+')
+
+########################################
+##
+## Execute a policy_grant in the policy_grant domain, and
+## allow the specified role the policy_grant domain,
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`policykit_run_grant',`
+ gen_require(`
+ type policykit_grant_t;
+ ')
+
+ policykit_domtrans_grant($1)
+ role $2 types policykit_grant_t;
+
+ allow $1 policykit_grant_t:process signal;
+
+ ps_process_pattern(policykit_grant_t, $1)
+')
+
+########################################
+##
+## read policykit reload files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_read_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+##
+## rw policykit reload files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_rw_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+##
+## Execute a domain transition to run polkit_resolve.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`policykit_domtrans_resolve',`
+ gen_require(`
+ type policykit_resolve_t, policykit_resolve_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
+
+ ps_process_pattern(policykit_resolve_t, $1)
+')
+
+########################################
+##
+## Search policykit lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_search_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ allow $1 policykit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## read policykit lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_read_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+')
diff --git a/policykit.te b/policykit.te
new file mode 100644
index 0000000..1e7169d
--- /dev/null
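Review bot: `policykit_run_grant` and `policykit_domtrans_resolve` both grant `ps_process_pattern(<helper>, $1)`, i.e. the helper reads the calling domain's `/proc/<pid>` state; that reverse-direction access is unusual inside a run/domtrans interface and nothing tells callers what they expose, so each should carry a line such as `# helper inspects the caller's /proc entry to identify it -- TODO confirm`. `policykit_run_grant` also grants `allow $1 policykit_grant_t:process signal;` where `policykit_run_auth` does not; if the asymmetry is intended it is worth a comment. The summaries of `policykit_run_auth` and `policykit_run_grant` say `policy_auth`/`policy_grant` where the domains are `polkit_auth`/`polkit_grant` and end with a comma instead of a period, and the `read`/`rw` summaries further down start lowercase unlike the rest of the file.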
+++ b/policykit.te 
@@ -0,0 +1,210 @@
+policy_module(policykit, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type policykit_t alias polkit_t;
+type policykit_exec_t alias polkit_exec_t;
+init_daemon_domain(policykit_t, policykit_exec_t)
+
+type policykit_auth_t alias polkit_auth_t;
+type policykit_auth_exec_t alias polkit_auth_exec_t;
+init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+
+type policykit_grant_t alias polkit_grant_t;
+type policykit_grant_exec_t alias polkit_grant_exec_t;
+init_system_domain(policykit_grant_t, policykit_grant_exec_t)
+
+type policykit_resolve_t alias polkit_resolve_t;
+type policykit_resolve_exec_t alias polkit_resolve_exec_t;
+init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
+
+type policykit_reload_t alias polkit_reload_t;
+files_type(policykit_reload_t)
+
+type policykit_var_lib_t alias polkit_var_lib_t;
+files_type(policykit_var_lib_t)
+
+type policykit_var_run_t alias polkit_var_run_t;
+files_pid_file(policykit_var_run_t)
+
+########################################
+#
+# policykit local policy
+#
+
+allow policykit_t self:capability { setgid setuid };
+allow policykit_t self:process getattr;
+allow policykit_t self:fifo_file rw_file_perms;
+allow policykit_t self:unix_dgram_socket create_socket_perms;
+allow policykit_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_t)
+
+can_exec(policykit_t, policykit_exec_t)
+corecmd_exec_bin(policykit_t)
+
+rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+
+policykit_domtrans_resolve(policykit_t)
+
+manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(policykit_t)
+
+files_read_etc_files(policykit_t)
+files_read_usr_files(policykit_t)
+
+auth_use_nsswitch(policykit_t)
+
+logging_send_syslog_msg(policykit_t)
+
+miscfiles_read_localization(policykit_t)
+
+userdom_read_all_users_state(policykit_t)
+
+########################################
+#
+# polkit_auth local policy
+#
+
+allow policykit_auth_t self:capability setgid;
+allow policykit_auth_t self:process getattr;
+allow policykit_auth_t self:fifo_file rw_file_perms;
+allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(policykit_auth_t, policykit_auth_exec_t)
+corecmd_search_bin(policykit_auth_t)
+
+rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+
+kernel_read_system_state(policykit_auth_t)
+
+files_read_etc_files(policykit_auth_t)
+files_read_usr_files(policykit_auth_t)
+
+auth_use_nsswitch(policykit_auth_t)
+
+logging_send_syslog_msg(policykit_auth_t)
+
+miscfiles_read_localization(policykit_auth_t)
+
+userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_auth_t)
+ dbus_session_bus_client(policykit_auth_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_auth_t)
+ ')
+')
+
+optional_policy(`
+ kernel_search_proc(policykit_auth_t)
+ hal_read_state(policykit_auth_t)
+')
+
+########################################
+#
+# polkit_grant local policy
+#
+
+allow policykit_grant_t self:capability setuid;
+allow policykit_grant_t self:process getattr;
+allow policykit_grant_t self:fifo_file rw_file_perms;
+allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
+allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_grant_t)
+
+policykit_domtrans_resolve(policykit_grant_t)
+
+can_exec(policykit_grant_t, policykit_grant_exec_t)
+corecmd_search_bin(policykit_grant_t)
+
+rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
+
+files_read_etc_files(policykit_grant_t)
+files_read_usr_files(policykit_grant_t)
+
+auth_use_nsswitch(policykit_grant_t)
+auth_domtrans_chk_passwd(policykit_grant_t)
+
+logging_send_syslog_msg(policykit_grant_t)
+
+miscfiles_read_localization(policykit_grant_t)
+
+userdom_read_all_users_state(policykit_grant_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_grant_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_grant_t)
+ ')
+')
+
+########################################
+#
+# polkit_resolve local policy
+#
+
+allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
+allow policykit_resolve_t self:process getattr;
+allow policykit_resolve_t self:fifo_file rw_file_perms;
+allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
+allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_resolve_t)
+
+read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
+
+read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
+
+can_exec(policykit_resolve_t, policykit_resolve_exec_t)
+corecmd_search_bin(policykit_resolve_t)
+
+files_read_etc_files(policykit_resolve_t)
+files_read_usr_files(policykit_resolve_t)
+
+mcs_ptrace_all(policykit_resolve_t)
+
+auth_use_nsswitch(policykit_resolve_t)
+
+logging_send_syslog_msg(policykit_resolve_t)
+
+miscfiles_read_localization(policykit_resolve_t)
+
+userdom_read_all_users_state(policykit_resolve_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_resolve_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_resolve_t)
+ ')
+')
+
+optional_policy(`
+ kernel_search_proc(policykit_resolve_t)
+ hal_read_state(policykit_resolve_t)
+')
+
diff --git a/portage.fc b/portage.fc
new file mode 100644
index 0000000..60b9752
--- /dev/null
+++ b/portage.fc
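Review bot: `allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };` combined with `mcs_ptrace_all(policykit_resolve_t)` and `userdom_read_all_users_state(policykit_resolve_t)` lets the resolve helper inspect the `/proc` state of every process on the system across MCS ranges — the broadest read grant in this module — and no line says why; add `# sys_ptrace + mcs_ptrace_all: read /proc/<pid>/exe of callers in other MCS ranges -- TODO confirm` on the capability line. `policykit_auth_t` is declared with `init_daemon_domain` while its sibling helpers `policykit_grant_t` and `policykit_resolve_t` use `init_system_domain`; unless polkit-read-auth-helper is really started by init, `init_system_domain(policykit_auth_t, policykit_auth_exec_t)` is the consistent declaration. `kernel_search_proc(policykit_resolve_t)` sits inside the hal `optional_policy` block although the kernel layer is always present; it belongs outside the block, and the `policykit_auth_t` section has the same layout.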
@@ -0,0 +1,33 @@
+/etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
+
+/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
+/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+
+/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+
+/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
+/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+
+/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
+/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+/var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
+/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
+/var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+/var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
+/var/lib/portage(/.*)?
gen_context(system_u:object_r:portage_cache_t,s0)
+/var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
diff --git a/portage.if b/portage.if
new file mode 100644
index 0000000..9f7d652
--- /dev/null
+++ b/portage.if
@@ -0,0 +1,316 @@
+##
+## Portage Package Management System. The primary package management and
+## distribution system for Gentoo.
+##
+
+########################################
+##
+## Execute emerge in the portage domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`portage_domtrans',`
+ gen_require(`
+ type portage_t, portage_exec_t;
+ type portage_fetch_t, portage_fetch_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+
+ # transition to portage
+ domtrans_pattern($1, portage_exec_t, portage_t)
+ domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
+')
+
+########################################
+##
+## Execute emerge in the portage domain, and
+## allow the specified role the portage domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to allow the portage domain.
+##
+##
+##
+#
+interface(`portage_run',`
+ gen_require(`
+ type portage_t, portage_fetch_t, portage_sandbox_t;
+ ')
+
+ portage_domtrans($1)
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t };
+')
+
+########################################
+##
+## Template for portage sandbox.
+##
+##
+##
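Review bot: `/var/log/emerge-fetch.log` leaves the dot unescaped while the entry just above it, `/var/log/emerge\.log.*`, escapes it; file-context paths are regular expressions, so the unescaped form also matches names such as `emerge-fetchXlog`. The intended line is `/var/log/emerge-fetch\.log -- gen_context(system_u:object_r:portage_log_t,s0)`. It is harmless in practice because everything it matches still gets portage_log_t, but it is the one inconsistent pattern in this file.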

+## Template for portage sandbox. Portage
+## does all compiling in the sandbox.
+##

+##
+##
+##
+## Domain Allowed Access
+##
+##
+#
+interface(`portage_compile_domain',`
+
+ gen_require(`
+ class dbus send_msg;
+ type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
+ type portage_tmpfs_t;
+ ')
+
+ allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+ dontaudit $1 self:capability sys_chroot;
+ allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
+ allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+ allow $1 self:fd use;
+ allow $1 self:fifo_file rw_fifo_file_perms;
+ allow $1 self:shm create_shm_perms;
+ allow $1 self:sem create_sem_perms;
+ allow $1 self:msgq create_msgq_perms;
+ allow $1 self:msg { send receive };
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:unix_dgram_socket sendto;
+ allow $1 self:unix_stream_socket connectto;
+ # really shouldnt need this
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+ # misc networking stuff (esp needed for compiling perl):
+ allow $1 self:rawip_socket { create ioctl };
+ # needed for merging dbus:
+ allow $1 self:netlink_selinux_socket { bind create read };
+ allow $1 self:dbus send_msg;
+
+ allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr };
+ term_create_pty($1, portage_devpts_t)
+
+ # write compile logs
+ allow $1 portage_log_t:dir setattr;
+ allow $1 portage_log_t:file { write_file_perms setattr };
+
+ # Support live ebuilds (-9999)
+ manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+
+ # run scripts out of the build directory
+ can_exec(portage_sandbox_t, portage_tmp_t)
+
+ manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_files_pattern($1, portage_tmp_t,
portage_tmp_t)
+ manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
+ files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
+ # SELinux-enabled programs running in the sandbox
+ allow $1 portage_tmp_t:file relabel_file_perms;
+
+ manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+ kernel_read_system_state($1)
+ kernel_read_network_state($1)
+ kernel_read_software_raid_state($1)
+ kernel_getattr_core_if($1)
+ kernel_getattr_message_if($1)
+ kernel_read_kernel_sysctls($1)
+
+ corecmd_exec_all_executables($1)
+
+ # really shouldnt need this but some packages test
+ # network access, such as during configure
+ # also distcc--need to reinvestigate confining distcc client
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_raw_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_raw_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_all_ports($1)
+ corenet_udp_sendrecv_all_ports($1)
+ corenet_tcp_connect_all_reserved_ports($1)
+ corenet_tcp_connect_distccd_port($1)
+
+ dev_read_sysfs($1)
+ dev_read_rand($1)
+ dev_read_urand($1)
+
+ domain_use_interactive_fds($1)
+ domain_dontaudit_read_all_domains_state($1)
+ # SELinux-aware installs doing relabels in the sandbox
+ domain_obj_id_change_exemption($1)
+
+ files_exec_etc_files($1)
+ files_exec_usr_src_files($1)
+
+ fs_getattr_xattr_fs($1)
+ fs_list_noxattr_fs($1)
+ fs_read_noxattr_fs_files($1)
+
fs_read_noxattr_fs_symlinks($1)
+ fs_search_auto_mountpoints($1)
+
+ selinux_validate_context($1)
+ # needed for merging dbus:
+ selinux_compute_access_vector($1)
+
+ auth_read_all_dirs_except_auth_files($1)
+ auth_read_all_files_except_auth_files($1)
+ auth_read_all_symlinks_except_auth_files($1)
+
+ libs_exec_lib_files($1)
+ # some config scripts use ldd
+ libs_exec_ld_so($1)
+ # this violates the idea of sandbox, but
+ # regular sandbox allows it
+ libs_domtrans_ldconfig($1)
+
+ logging_send_syslog_msg($1)
+
+ userdom_use_user_terminals($1)
+
+ # SELinux-enabled programs running in the sandbox
+ seutil_libselinux_linked($1)
+
+ tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_manage_nfs_symlinks($1)
+ ')
+
+ ifdef(`TODO',`
+ # some gui ebuilds want to interact with X server, like xawtv
+ optional_policy(`
+ allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write };
+ allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write };
+ ')
+ ') dnl end TODO
+')
+
+########################################
+##
+## Execute gcc-config in the gcc_config domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`portage_domtrans_gcc_config',`
+ gen_require(`
+ type gcc_config_t, gcc_config_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+
+ domtrans_pattern($1, gcc_config_exec_t, gcc_config_t)
+')
+
+########################################
+##
+## Execute gcc-config in the gcc_config domain, and
+## allow the specified role the gcc_config domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to allow the gcc_config domain.
+##
+##
+##
+#
+interface(`portage_run_gcc_config',`
+ gen_require(`
+ type gcc_config_t;
+ ')
+
+ portage_domtrans_gcc_config($1)
+ role $2 types gcc_config_t;
+')
+
+########################################
+##
+## Do not audit attempts to use
+## portage file descriptors.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`portage_dontaudit_use_fds',`
+ gen_require(`
+ type portage_t;
+ ')
+
+ dontaudit $1 portage_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to search the
+## portage temporary directories.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`portage_dontaudit_search_tmp',`
+ gen_require(`
+ type portage_tmp_t;
+ ')
+
+ dontaudit $1 portage_tmp_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## the portage temporary files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`portage_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type portage_tmp_t;
+ ')
+
+ dontaudit $1 portage_tmp_t:file rw_file_perms;
+')
diff --git a/portage.te b/portage.te
new file mode 100644
index 0000000..276edb3
--- /dev/null
+++ b/portage.te
@@ -0,0 +1,326 @@
+policy_module(portage, 1.11.2)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
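Review bot: In `portage_compile_domain`, `can_exec(portage_sandbox_t, portage_tmp_t)` hard-codes the sandbox type where every other rule in the interface uses `$1`, and `portage_sandbox_t` is not listed in the interface's `gen_require`; the intended line is `can_exec($1, portage_tmp_t)`. As written, any other caller gets no exec on the build directory from this template (portage.te appears to compensate with its own `can_exec(portage_t, portage_tmp_t)`), and expansion depends on portage_sandbox_t already being declared by whichever module includes the interface. Separately, the two `allow $1 self:process` rules overlap: `setrlimit` and `execmem` are granted explicitly by the first and then listed in the complement set of the second, so naming them in `~{ ... }` has no effect; either drop them from the first rule or add a comment saying the exclusion is intentionally overridden. The duplicated summary text before the interface (`## Template for portage sandbox.` twice) also reads like an editing leftover.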

+## Allow the portage domains to use NFS mounts (regular nfs_t)
+##

+##
+gen_tunable(portage_use_nfs, false)
+
+type gcc_config_t;
+type gcc_config_exec_t;
+application_domain(gcc_config_t, gcc_config_exec_t)
+
+# constraining type
+type portage_t;
+type portage_exec_t;
+application_domain(portage_t, portage_exec_t)
+domain_obj_id_change_exemption(portage_t)
+rsync_entry_type(portage_t)
+corecmd_shell_entry_type(portage_t)
+
+# portage compile sandbox domain
+type portage_sandbox_t;
+application_domain(portage_sandbox_t, portage_exec_t)
+# the shell is the entrypoint if regular sandbox is disabled
+# portage_exec_t is the entrypoint if regular sandbox is enabled
+corecmd_shell_entry_type(portage_sandbox_t)
+
+# portage package fetching domain
+type portage_fetch_t;
+type portage_fetch_exec_t;
+application_domain(portage_fetch_t, portage_fetch_exec_t)
+corecmd_shell_entry_type(portage_fetch_t)
+rsync_entry_type(portage_fetch_t)
+
+type portage_devpts_t;
+term_pty(portage_devpts_t)
+
+type portage_ebuild_t;
+files_type(portage_ebuild_t)
+
+type portage_fetch_tmp_t;
+files_tmp_file(portage_fetch_tmp_t)
+
+type portage_db_t;
+files_type(portage_db_t)
+
+type portage_conf_t;
+files_type(portage_conf_t)
+
+type portage_cache_t;
+files_type(portage_cache_t)
+
+type portage_gpg_t;
+files_type(portage_gpg_t)
+
+type portage_log_t;
+logging_log_file(portage_log_t)
+
+type portage_srcrepo_t;
+files_type(portage_srcrepo_t)
+
+type portage_tmp_t;
+files_tmp_file(portage_tmp_t)
+
+type portage_tmpfs_t;
+files_tmpfs_file(portage_tmpfs_t)
+
+########################################
+#
+# gcc-config policy
+#
+
+allow gcc_config_t self:capability { chown fsetid };
+allow gcc_config_t self:fifo_file rw_file_perms;
+
+manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)
+
+read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
+
+allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
+read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
+
+allow gcc_config_t portage_exec_t:file mmap_file_perms;
+
+kernel_read_system_state(gcc_config_t)
+kernel_read_kernel_sysctls(gcc_config_t)
+
+corecmd_exec_shell(gcc_config_t)
+corecmd_exec_bin(gcc_config_t)
+corecmd_manage_bin_files(gcc_config_t)
+
+domain_use_interactive_fds(gcc_config_t)
+
+files_manage_etc_files(gcc_config_t)
+files_rw_etc_runtime_files(gcc_config_t)
+files_read_usr_files(gcc_config_t)
+files_search_var_lib(gcc_config_t)
+files_search_pids(gcc_config_t)
+# complains loudly about not being able to list
+# the directory it is being run from
+files_list_all(gcc_config_t)
+
+# seems to be ok without this
+init_dontaudit_read_script_status_files(gcc_config_t)
+
+libs_read_lib_files(gcc_config_t)
+libs_domtrans_ldconfig(gcc_config_t)
+libs_manage_shared_libs(gcc_config_t)
+# gcc-config creates a temp dir for the libs
+libs_manage_lib_dirs(gcc_config_t)
+
+logging_send_syslog_msg(gcc_config_t)
+
+miscfiles_read_localization(gcc_config_t)
+
+userdom_use_user_terminals(gcc_config_t)
+
+consoletype_exec(gcc_config_t)
+
+ifdef(`distro_gentoo',`
+ init_exec_rc(gcc_config_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(gcc_config_t)
+')
+
+########################################
+#
+# Portage Merging Rules
+#
+
+# - setfscreate for merging to live fs
+# - setexec to run portage fetch
+allow portage_t self:process { setfscreate setexec };
+# - kill for mysql merging, at least
+allow portage_t self:capability { sys_nice kill setfcap };
+
+# user post-sync scripts
+can_exec(portage_t, portage_conf_t)
+
+allow portage_t portage_log_t:file manage_file_perms;
+logging_log_filetrans(portage_t, portage_log_t, file)
+
+allow portage_t { portage_fetch_t portage_sandbox_t }:process signal;
+
+# transition for rsync and wget
+corecmd_shell_spec_domtrans(portage_t, portage_fetch_t)
+rsync_entry_domtrans(portage_t, portage_fetch_t)
+allow portage_fetch_t portage_t:fd use;
+allow portage_fetch_t portage_t:fifo_file rw_file_perms;
+allow portage_fetch_t portage_t:process sigchld;
+
+# transition to sandbox for compiling
+domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
+corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
+allow portage_sandbox_t portage_t:fd use;
+allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
+allow portage_sandbox_t portage_t:process sigchld;
+allow portage_sandbox_t self:process ptrace;
+
+# run scripts out of the build directory
+can_exec(portage_t, portage_tmp_t)
+
+# merging baselayout will need this:
+kernel_write_proc_files(portage_t)
+
+domain_dontaudit_read_all_domains_state(portage_t)
+
+# modify any files in the system
+files_manage_all_files(portage_t)
+
+selinux_get_fs_mount(portage_t)
+
+auth_manage_shadow(portage_t)
+
+# merging baselayout will need this:
+init_exec(portage_t)
+
+# run setfiles -r
+seutil_domtrans_setfiles(portage_t)
+# run semodule
+seutil_domtrans_semanage(portage_t)
+
+portage_domtrans_gcc_config(portage_t)
+# if sesandbox is disabled, compiling is performed in this domain
+portage_compile_domain(portage_t)
+
+optional_policy(`
+ bootloader_domtrans(portage_t)
+')
+
+optional_policy(`
+ cron_system_entry(portage_t, portage_exec_t)
+ cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
+')
+
+optional_policy(`
+ modutils_domtrans_depmod(portage_t)
+ modutils_domtrans_update_mods(portage_t)
+ #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
+')
+
+optional_policy(`
+ usermanage_domtrans_groupadd(portage_t)
+ usermanage_domtrans_useradd(portage_t)
+')
+
+ifdef(`TODO',`
+# seems to work ok without these
+dontaudit portage_t device_t:{ blk_file chr_file } getattr;
+dontaudit portage_t proc_t:dir setattr;
+dontaudit portage_t device_type:chr_file read_chr_file_perms;
+dontaudit portage_t device_type:blk_file read_blk_file_perms;
+')
+
+##########################################
+#
+# Portage fetch domain
+# - for rsync and distfile fetching
+#
+
+allow portage_fetch_t self:process signal;
+allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
+allow portage_fetch_t
self:fifo_file rw_fifo_file_perms;
+allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+
+allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+
+allow portage_fetch_t portage_gpg_t:dir rw_dir_perms;
+allow portage_fetch_t portage_gpg_t:file manage_file_perms;
+
+allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
+allow portage_fetch_t portage_tmp_t:file manage_file_perms;
+
+read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
+
+manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+
+manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
+manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
+files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
+
+kernel_read_system_state(portage_fetch_t)
+kernel_read_kernel_sysctls(portage_fetch_t)
+
+corecmd_exec_bin(portage_fetch_t)
+corecmd_exec_shell(portage_fetch_t)
+
+corenet_all_recvfrom_unlabeled(portage_fetch_t)
+corenet_all_recvfrom_netlabel(portage_fetch_t)
+corenet_tcp_sendrecv_generic_if(portage_fetch_t)
+corenet_tcp_sendrecv_generic_node(portage_fetch_t)
+corenet_tcp_sendrecv_all_ports(portage_fetch_t)
+corenet_tcp_connect_http_cache_port(portage_fetch_t)
+corenet_tcp_connect_git_port(portage_fetch_t)
+corenet_tcp_connect_rsync_port(portage_fetch_t)
+corenet_sendrecv_http_client_packets(portage_fetch_t)
+corenet_sendrecv_http_cache_client_packets(portage_fetch_t)
+corenet_sendrecv_git_client_packets(portage_fetch_t)
+corenet_sendrecv_rsync_client_packets(portage_fetch_t)
+# would rather not connect to unspecified ports, but
+# it occasionally comes up
+corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
+corenet_tcp_connect_generic_port(portage_fetch_t)
+
+dev_dontaudit_read_rand(portage_fetch_t)
+
+domain_use_interactive_fds(portage_fetch_t)
+
+files_read_etc_files(portage_fetch_t)
+files_read_etc_runtime_files(portage_fetch_t)
+files_read_usr_files(portage_fetch_t)
+files_search_var_lib(portage_fetch_t)
+files_dontaudit_search_pids(portage_fetch_t)
+
+logging_list_logs(portage_fetch_t)
+
+term_search_ptys(portage_fetch_t)
+
+miscfiles_read_localization(portage_fetch_t)
+
+sysnet_read_config(portage_fetch_t)
+sysnet_dns_name_resolve(portage_fetch_t)
+
+userdom_use_user_terminals(portage_fetch_t)
+userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+
+rsync_exec(portage_fetch_t)
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit portage_fetch_t portage_cache_t:file read;
+')
+
+tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs(portage_fetch_t)
+ fs_manage_nfs_dirs(portage_fetch_t)
+ fs_manage_nfs_files(portage_fetch_t)
+ fs_manage_nfs_symlinks(portage_fetch_t)
+')
+
+optional_policy(`
+ gpg_exec(portage_fetch_t)
+')
+
+##########################################
+#
+# Portage sandbox domain
+# - SELinux-enforced sandbox
+#
+
+portage_compile_domain(portage_sandbox_t)
+
+ifdef(`hide_broken_symptoms',`
+ # leaked descriptors
+ dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
+ dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
+')
diff --git a/portmap.fc b/portmap.fc
new file mode 100644
index 0000000..76f5834
--- /dev/null
+++ b/portmap.fc
@@ -0,0 +1,12 @@
+
+/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+
+ifdef(`distro_debian',`
+/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+', `
+/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+')
+
+/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
diff --git a/portmap.if b/portmap.if
new file mode 100644
index 0000000..374afcf
--- /dev/null
+++ b/portmap.if
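Review bot: `allow portage_sandbox_t self:process ptrace;` in the merging-rules section re-grants a permission that `portage_compile_domain`, which is applied to this same domain near the end of the hunk, deliberately leaves out of its `~{ ptrace ... }` set, and nothing says why the SELinux-enforced sandbox needs to trace itself. A comment such as `# portage_compile_domain excludes ptrace; the sandbox needs it for <reason — TODO confirm>` would stop the next reader from treating it as an oversight, or the line should go if it is not needed. The `ifdef(`TODO',` block of four `dontaudit` rules and the commented-out `#dontaudit update_modules_t ...` line are dead policy that is never compiled; a reviewer would drop them or turn them into a tracked issue rather than ship them in a new file.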
@@ -0,0 +1,89 @@
+## RPC port mapping service.
+
+########################################
+##
+## Execute portmap_helper in the helper domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`portmap_domtrans_helper',`
+ gen_require(`
+ type portmap_helper_t, portmap_helper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, portmap_helper_exec_t, portmap_helper_t)
+')
+
+########################################
+##
+## Execute portmap helper in the helper domain, and
+## allow the specified role the helper domain.
+## Communicate with portmap.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`portmap_run_helper',`
+ gen_require(`
+ type portmap_t, portmap_helper_t;
+ ')
+
+ portmap_domtrans_helper($1)
+ role $2 types portmap_helper_t;
+')
+
+########################################
+##
+## Send UDP network traffic to portmap. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`portmap_udp_send',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Send and receive UDP network traffic from portmap. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`portmap_udp_chat',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Connect to portmap over a TCP socket (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`portmap_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
diff --git a/portmap.te b/portmap.te
new file mode 100644
index 0000000..333a1fe
--- /dev/null
+++ b/portmap.te
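Review bot: `portmap_run_helper` requires `type portmap_t, portmap_helper_t;` but its body never references `portmap_t`, and the third summary line `## Communicate with portmap.` promises access that no rule in the interface grants. Either the require should shrink to `type portmap_helper_t;` and that sentence be dropped, or the missing rule should be added so the documentation matches what callers actually get. The three deprecated interfaces are fine as `refpolicywarn` stubs.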
@@ -0,0 +1,150 @@
+policy_module(portmap, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type portmap_t;
+type portmap_exec_t;
+init_daemon_domain(portmap_t, portmap_exec_t)
+
+type portmap_helper_t;
+type portmap_helper_exec_t;
+init_system_domain(portmap_helper_t, portmap_helper_exec_t)
+role system_r types portmap_helper_t;
+
+type portmap_tmp_t;
+files_tmp_file(portmap_tmp_t)
+
+type portmap_var_run_t;
+files_pid_file(portmap_var_run_t)
+
+########################################
+#
+# Portmap local policy
+#
+
+allow portmap_t self:capability { setuid setgid };
+dontaudit portmap_t self:capability sys_tty_config;
+allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_t self:unix_dgram_socket create_socket_perms;
+allow portmap_t self:unix_stream_socket create_stream_socket_perms;
+allow portmap_t self:tcp_socket create_stream_socket_perms;
+allow portmap_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
+manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
+files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
+
+manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t)
+files_pid_filetrans(portmap_t, portmap_var_run_t, file)
+
+kernel_read_system_state(portmap_t)
+kernel_read_kernel_sysctls(portmap_t)
+
+corenet_all_recvfrom_unlabeled(portmap_t)
+corenet_all_recvfrom_netlabel(portmap_t)
+corenet_tcp_sendrecv_generic_if(portmap_t)
+corenet_udp_sendrecv_generic_if(portmap_t)
+corenet_tcp_sendrecv_generic_node(portmap_t)
+corenet_udp_sendrecv_generic_node(portmap_t)
+corenet_tcp_sendrecv_all_ports(portmap_t)
+corenet_udp_sendrecv_all_ports(portmap_t)
+corenet_tcp_bind_generic_node(portmap_t)
+corenet_udp_bind_generic_node(portmap_t)
+corenet_tcp_bind_portmap_port(portmap_t)
+corenet_udp_bind_portmap_port(portmap_t)
+corenet_tcp_connect_all_ports(portmap_t)
+corenet_sendrecv_portmap_client_packets(portmap_t)
+corenet_sendrecv_portmap_server_packets(portmap_t)
+# portmap binds to arbitary ports
+corenet_tcp_bind_generic_port(portmap_t)
+corenet_udp_bind_generic_port(portmap_t)
+corenet_tcp_bind_reserved_port(portmap_t)
+corenet_udp_bind_reserved_port(portmap_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
+corenet_dontaudit_udp_bind_all_ports(portmap_t)
+
+dev_read_sysfs(portmap_t)
+
+fs_getattr_all_fs(portmap_t)
+fs_search_auto_mountpoints(portmap_t)
+
+domain_use_interactive_fds(portmap_t)
+
+files_read_etc_files(portmap_t)
+
+logging_send_syslog_msg(portmap_t)
+
+miscfiles_read_localization(portmap_t)
+
+sysnet_read_config(portmap_t)
+
+userdom_dontaudit_use_unpriv_user_fds(portmap_t)
+userdom_dontaudit_search_user_home_dirs(portmap_t)
+
+optional_policy(`
+ nis_use_ypbind(portmap_t)
+')
+
+optional_policy(`
+ nscd_socket_use(portmap_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(portmap_t)
+')
+
+optional_policy(`
+ udev_read_db(portmap_t)
+')
+
+########################################
+#
+# Portmap helper local policy
+#
+
+dontaudit portmap_helper_t self:capability net_admin;
+allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
+allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
+allow portmap_helper_t self:udp_socket create_socket_perms;
+
+allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
+files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(portmap_helper_t)
+corenet_all_recvfrom_netlabel(portmap_helper_t)
+corenet_tcp_sendrecv_generic_if(portmap_helper_t)
+corenet_udp_sendrecv_generic_if(portmap_helper_t)
+corenet_raw_sendrecv_generic_if(portmap_helper_t)
+corenet_tcp_sendrecv_generic_node(portmap_helper_t)
+corenet_udp_sendrecv_generic_node(portmap_helper_t)
+corenet_raw_sendrecv_generic_node(portmap_helper_t)
+corenet_tcp_sendrecv_all_ports(portmap_helper_t)
+corenet_udp_sendrecv_all_ports(portmap_helper_t)
+corenet_tcp_bind_generic_node(portmap_helper_t)
+corenet_udp_bind_generic_node(portmap_helper_t)
+corenet_tcp_bind_reserved_port(portmap_helper_t)
+corenet_udp_bind_reserved_port(portmap_helper_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
+corenet_tcp_connect_all_ports(portmap_helper_t)
+
+domain_dontaudit_use_interactive_fds(portmap_helper_t)
+
+files_read_etc_files(portmap_helper_t)
+files_rw_generic_pids(portmap_helper_t)
+
+init_rw_utmp(portmap_helper_t)
+
+logging_send_syslog_msg(portmap_helper_t)
+
+sysnet_read_config(portmap_helper_t)
+
+userdom_use_user_terminals(portmap_helper_t)
+userdom_dontaudit_use_all_users_fds(portmap_helper_t)
+
+optional_policy(`
+ nis_use_ypbind(portmap_helper_t)
+')
diff --git a/portreserve.fc b/portreserve.fc
new file mode 100644
index 0000000..4313a6f
--- /dev/null
+++ b/portreserve.fc
@@ -0,0 +1,7 @@
+/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
+
+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+
+/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
+
+/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
diff --git a/portreserve.if b/portreserve.if
new file mode 100644
index 0000000..7719d16
--- /dev/null
+++ b/portreserve.if
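Review bot: `corenet_tcp_connect_all_ports(portmap_t)` gives a listening daemon outbound TCP connect to every port without a comment, whereas the unusual bind rules just after it are explained (`# portmap binds to arbitary ports`, which also misspells "arbitrary"). If the connect is there for RPC callbacks to registered services, a one-line comment saying so would stop the next reader from narrowing it; if it is not, this is the broadest rule in the domain and worth re-checking. The helper domain at the end of the hunk carries the same `corenet_tcp_connect_all_ports` rule and the same question.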
@@ -0,0 +1,120 @@
+## Reserve well-known ports in the RPC port range.
+
+########################################
+##
+## Execute a domain transition to run portreserve.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`portreserve_domtrans',`
+ gen_require(`
+ type portreserve_t, portreserve_exec_t;
+ ')
+
+ domtrans_pattern($1, portreserve_exec_t, portreserve_t)
+')
+
+#######################################
+##
+## Allow the specified domain to read
+## portreserve etcuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`portreserve_read_config',`
+ gen_require(`
+ type portreserve_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 portreserve_etc_t:dir list_dir_perms;
+ read_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+')
+
+#######################################
+##
+## Allow the specified domain to manage
+## portreserve etcuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`portreserve_manage_config',`
+ gen_require(`
+ type portreserve_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t)
+ manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+')
+
+########################################
+##
+## Execute portreserve in the portreserve domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`portreserve_initrc_domtrans',`
+ gen_require(`
+ type portreserve_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, portreserve_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an portreserve environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`portreserve_admin',`
+ gen_require(`
+ type portreserve_t, portreserve_etc_t, portreserve_var_run_t;
+ type portreserve_initrc_exec_t;
+ ')
+
+ allow $1 portreserve_t:process { ptrace signal_perms };
+ ps_process_pattern($1, portreserve_t)
+
+ portreserve_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 portreserve_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, portreserve_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, portreserve_var_run_t)
+')
diff --git a/portreserve.te b/portreserve.te
new file mode 100644
index 0000000..152af92
--- /dev/null
+++ b/portreserve.te
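Review bot: Both `portreserve_read_config` and `portreserve_manage_config` document "portreserve etcuration files", a search-and-replace artefact where "configuration" was meant; the line should read `## portreserve configuration files.` in both places. `portreserve_initrc_domtrans` is summarised as `## Execute portreserve in the portreserve domain.` but its body calls `init_labeled_script_domtrans`, i.e. it runs the labelled init script in the init script domain, so something like `## Execute the portreserve init script in the init script domain.` would describe what callers get. In `portreserve_admin`, "an portreserve environment" should be "a portreserve environment".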
@@ -0,0 +1,54 @@
+policy_module(portreserve, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type portreserve_t;
+type portreserve_exec_t;
+init_daemon_domain(portreserve_t, portreserve_exec_t)
+
+type portreserve_initrc_exec_t;
+init_script_file(portreserve_initrc_exec_t)
+
+type portreserve_etc_t;
+files_type(portreserve_etc_t)
+
+type portreserve_var_run_t;
+files_pid_file(portreserve_var_run_t)
+
+########################################
+#
+# Portreserve local policy
+#
+
+allow portreserve_t self:capability { dac_read_search dac_override };
+allow portreserve_t self:fifo_file rw_fifo_file_perms;
+allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
+allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
+allow portreserve_t self:tcp_socket create_socket_perms;
+allow portreserve_t self:udp_socket create_socket_perms;
+
+# Read etc files
+list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
+read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
+
+# Manage /var/run/portreserve/*
+manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir })
+
+corecmd_getattr_bin_files(portreserve_t)
+
+corenet_all_recvfrom_unlabeled(portreserve_t)
+corenet_all_recvfrom_netlabel(portreserve_t)
+corenet_tcp_bind_generic_node(portreserve_t)
+corenet_udp_bind_generic_node(portreserve_t)
+corenet_tcp_bind_all_ports(portreserve_t)
+corenet_udp_bind_all_ports(portreserve_t)
+
+files_read_etc_files(portreserve_t)
+
+userdom_dontaudit_search_user_home_content(portreserve_t)
diff --git a/portslave.fc b/portslave.fc
new file mode 100644
index 0000000..2dd7786
--- /dev/null
+++ b/portslave.fc
@@ -0,0 +1,4 @@
+/etc/portslave(/.*)? gen_context(system_u:object_r:portslave_etc_t,s0)
+
+/usr/sbin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+/usr/sbin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
diff --git a/portslave.if b/portslave.if
new file mode 100644
index 0000000..b53ff77
--- /dev/null
+++ b/portslave.if
@@ -0,0 +1,19 @@
+## Portslave terminal server software
+
+########################################
+##
+## Execute portslave with a domain transition.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`portslave_domtrans',`
+ gen_require(`
+ type portslave_t, portslave_exec_t;
+ ')
+
+ domtrans_pattern($1, portslave_exec_t, portslave_t)
+')
diff --git a/portslave.te b/portslave.te
new file mode 100644
index 0000000..69c331e
--- /dev/null
+++ b/portslave.te
@@ -0,0 +1,125 @@
+policy_module(portslave, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type portslave_t;
+type portslave_exec_t;
+init_domain(portslave_t, portslave_exec_t)
+init_daemon_domain(portslave_t, portslave_exec_t)
+
+type portslave_etc_t;
+files_config_file(portslave_etc_t)
+
+type portslave_lock_t;
+files_lock_file(portslave_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+# setuid setgid net_admin fsetid for pppd
+# sys_admin for ctlportslave
+# net_bind_service for rlogin
+allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
+dontaudit portslave_t self:capability sys_admin;
+allow portslave_t self:process signal_perms;
+allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow portslave_t self:fd use;
+allow portslave_t self:fifo_file rw_fifo_file_perms;
+allow portslave_t self:unix_dgram_socket create_socket_perms;
+allow portslave_t self:unix_stream_socket create_stream_socket_perms;
+allow portslave_t self:unix_dgram_socket sendto;
+allow portslave_t self:unix_stream_socket connectto;
+allow portslave_t self:shm create_shm_perms;
+allow portslave_t self:sem create_sem_perms;
+allow portslave_t self:msgq create_msgq_perms;
+allow portslave_t self:msg { send receive };
+allow portslave_t self:tcp_socket create_stream_socket_perms;
+allow portslave_t self:udp_socket create_socket_perms;
+
+allow portslave_t portslave_etc_t:dir list_dir_perms;
+read_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t)
+read_lnk_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t)
+
+allow portslave_t portslave_lock_t:file manage_file_perms;
+files_lock_filetrans(portslave_t, portslave_lock_t, file)
+
+kernel_read_system_state(portslave_t)
+kernel_read_kernel_sysctls(portslave_t)
+
+corecmd_exec_bin(portslave_t)
+corecmd_exec_shell(portslave_t)
+
+corenet_all_recvfrom_unlabeled(portslave_t)
+corenet_all_recvfrom_netlabel(portslave_t)
+corenet_tcp_sendrecv_generic_if(portslave_t)
+corenet_udp_sendrecv_generic_if(portslave_t)
+corenet_tcp_sendrecv_generic_node(portslave_t)
+corenet_udp_sendrecv_generic_node(portslave_t)
+corenet_tcp_sendrecv_all_ports(portslave_t)
+corenet_udp_sendrecv_all_ports(portslave_t)
+corenet_rw_ppp_dev(portslave_t)
+
+dev_read_sysfs(portslave_t)
+# for ssh
+dev_read_urand(portslave_t)
+
+domain_use_interactive_fds(portslave_t)
+
+files_read_etc_files(portslave_t)
+files_read_etc_runtime_files(portslave_t)
+files_exec_etc_files(portslave_t)
+
+fs_search_auto_mountpoints(portslave_t)
+fs_getattr_xattr_fs(portslave_t)
+
+term_use_unallocated_ttys(portslave_t)
+term_setattr_unallocated_ttys(portslave_t)
+term_use_all_ttys(portslave_t)
+term_search_ptys(portslave_t)
+
+auth_rw_login_records(portslave_t)
+auth_domtrans_chk_passwd(portslave_t)
+
+init_rw_utmp(portslave_t)
+
+logging_send_syslog_msg(portslave_t)
+logging_search_logs(portslave_t)
+
+sysnet_read_config(portslave_t)
+
+userdom_use_unpriv_users_fds(portslave_t)
+# for ~/.ppprc - if it actually exists then you need some policy to read it
+userdom_search_user_home_dirs(portslave_t)
+
+mta_send_mail(portslave_t)
+
+# this should probably be a domtrans to pppd
+# instead of exec.
+ppp_read_rw_config(portslave_t)
+ppp_exec(portslave_t)
+ppp_read_secrets(portslave_t)
+ppp_manage_pid_files(portslave_t)
+ppp_pid_filetrans(portslave_t)
+
+ssh_exec(portslave_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(portslave_t, portslave_exec_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(portslave_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(portslave_t)
+')
+
+optional_policy(`
+ udev_read_db(portslave_t)
+')
diff --git a/postfix.fc b/postfix.fc
new file mode 100644
index 0000000..a3e85c9
--- /dev/null
+++ b/postfix.fc
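Review bot: `allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` is a complement rule, so every permission later added to the process class is granted implicitly, and it also makes the preceding `allow portslave_t self:process signal_perms;` redundant because none of signal_perms is in the excluded set. Prefer an explicit positive list of the process permissions portslave is observed to need and drop the duplicate signal_perms line. The `# this should probably be a domtrans to pppd` comment is right to be uneasy: with `ppp_exec(portslave_t)` pppd runs inside portslave_t and inherits its `net_admin`/`setuid`/`setgid` capabilities, so the comment could state that consequence, e.g. `# pppd currently runs with portslave_t's capabilities (no domain transition)`, so the risk is visible until the domtrans lands.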
@@ -0,0 +1,53 @@
+# postfix
+/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+', `
+/usr/lib(64)?/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib(64)?/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib(64)?/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib(64)?/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib(64)?/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib(64)?/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib(64)?/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib(64)?/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib(64)?/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib(64)?/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib(64)?/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib(64)?/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib(64)?/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+')
+/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
+/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
+/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
+/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+
+/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_data_t,s0)
+
+/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/postfix.if b/postfix.if
new file mode 100644
index 0000000..46bee12
--- /dev/null
+++ b/postfix.if
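Review bot: The non-Red Hat branch of the `ifdef(`distro_redhat'` block has no entry for showq, while the Red Hat branch labels `/usr/libexec/postfix/showq` as `postfix_showq_exec_t`; on other distributions showq falls through to the `/usr/lib(64)?/postfix/.*` catch-all and is labelled `postfix_exec_t`, so the master process's `domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)` later in this diff never fires there and showq keeps running in postfix_master_t. Add `/usr/lib(64)?/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)` alongside the other `/usr/lib(64)?/postfix/` entries. A one-line comment above the ifdef, `# keep both branches in sync: every per-daemon exec type needs an entry in each`, would help prevent the two lists drifting again.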
@@ -0,0 +1,623 @@
+## Postfix email server
+
+########################################
+##
+## Postfix stub interface. No access allowed.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_stub',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+')
+
+########################################
+##
+## Creates types and rules for a basic
+## postfix process domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`postfix_domain_template',`
+ type postfix_$1_t;
+ type postfix_$1_exec_t;
+ domain_type(postfix_$1_t)
+ domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
+ role system_r types postfix_$1_t;
+
+ dontaudit postfix_$1_t self:capability sys_tty_config;
+ allow postfix_$1_t self:process { signal_perms setpgid };
+ allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
+ allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
+ allow postfix_$1_t self:unix_stream_socket connectto;
+
+ allow postfix_master_t postfix_$1_t:process signal;
+ #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+ allow postfix_$1_t postfix_master_t:file read;
+
+ allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
+ read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+
+ can_exec(postfix_$1_t, postfix_$1_exec_t)
+
+ allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl };
+
+ allow postfix_$1_t postfix_master_t:process sigchld;
+
+ allow postfix_$1_t postfix_spool_t:dir list_dir_perms;
+
+ allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
+ files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)
+
+ kernel_read_system_state(postfix_$1_t)
+ kernel_read_network_state(postfix_$1_t)
+ kernel_read_all_sysctls(postfix_$1_t)
+
+ dev_read_sysfs(postfix_$1_t)
+ dev_read_rand(postfix_$1_t)
+ dev_read_urand(postfix_$1_t)
+
+ fs_search_auto_mountpoints(postfix_$1_t)
+ fs_getattr_xattr_fs(postfix_$1_t)
+ fs_rw_anon_inodefs_files(postfix_$1_t)
+
+ term_dontaudit_use_console(postfix_$1_t)
+
+ corecmd_exec_shell(postfix_$1_t)
+
+ files_read_etc_files(postfix_$1_t)
+ files_read_etc_runtime_files(postfix_$1_t)
+ files_read_usr_symlinks(postfix_$1_t)
+ files_search_spool(postfix_$1_t)
+ files_getattr_tmp_dirs(postfix_$1_t)
+ files_search_all_mountpoints(postfix_$1_t)
+
+ init_dontaudit_use_fds(postfix_$1_t)
+ init_sigchld(postfix_$1_t)
+
+ auth_use_nsswitch(postfix_$1_t)
+
+ logging_send_syslog_msg(postfix_$1_t)
+
+ miscfiles_read_localization(postfix_$1_t)
+ miscfiles_read_generic_certs(postfix_$1_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
+
+ optional_policy(`
+ udev_read_db(postfix_$1_t)
+ ')
+')
+
+########################################
+##
+## Creates a postfix server process domain.
+##
+##
+##
+## Prefix of the domain.
+##
+##
+#
+template(`postfix_server_domain_template',`
+ postfix_domain_template($1)
+
+ type postfix_$1_tmp_t;
+ files_tmp_file(postfix_$1_tmp_t)
+
+ allow postfix_$1_t self:capability { setuid setgid dac_override };
+ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+ allow postfix_$1_t self:tcp_socket create_socket_perms;
+ allow postfix_$1_t self:udp_socket create_socket_perms;
+
+ manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+ manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+ files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
+
+ domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+
+ corenet_all_recvfrom_unlabeled(postfix_$1_t)
+ corenet_all_recvfrom_netlabel(postfix_$1_t)
+ corenet_tcp_sendrecv_generic_if(postfix_$1_t)
+ corenet_udp_sendrecv_generic_if(postfix_$1_t)
+ corenet_tcp_sendrecv_generic_node(postfix_$1_t)
+ corenet_udp_sendrecv_generic_node(postfix_$1_t)
+ corenet_tcp_sendrecv_all_ports(postfix_$1_t)
+ corenet_udp_sendrecv_all_ports(postfix_$1_t)
+ corenet_tcp_bind_generic_node(postfix_$1_t)
+ corenet_udp_bind_generic_node(postfix_$1_t)
+ corenet_tcp_connect_all_ports(postfix_$1_t)
+ corenet_sendrecv_all_client_packets(postfix_$1_t)
+')
+
+########################################
+##
+## Creates a process domain for programs
+## that are ran by users.
+##
+##
+##
+## Prefix of the domain.
+##
+##
+#
+template(`postfix_user_domain_template',`
+ gen_require(`
+ attribute postfix_user_domains, postfix_user_domtrans;
+ ')
+
+ postfix_domain_template($1)
+
+ typeattribute postfix_$1_t postfix_user_domains;
+
+ allow postfix_$1_t self:capability dac_override;
+
+ domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
+
+ domain_use_interactive_fds(postfix_$1_t)
+')
+
+########################################
+##
+## Read postfix configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`postfix_read_config',`
+ gen_require(`
+ type postfix_etc_t;
+ ')
+
+ read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+##
+## Create files with the specified type in
+## the postfix configuration directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+#
+interface(`postfix_config_filetrans',`
+ gen_require(`
+ type postfix_etc_t;
+ ')
+
+ files_search_etc($1)
+ filetrans_pattern($1, postfix_etc_t, $2, $3)
+')
+
+########################################
+##
+## Do not audit attempts to read and
+## write postfix local delivery
+## TCP sockets.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`postfix_dontaudit_rw_local_tcp_sockets',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ dontaudit $1 postfix_local_t:tcp_socket { read write };
+')
+
+########################################
+##
+## Allow read/write postfix local pipes
+## TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_rw_local_pipes',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Allow domain to read postfix local process state
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_read_local_state',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ read_files_pattern($1, postfix_local_t, postfix_local_t)
+')
+
+########################################
+##
+## Allow domain to read postfix master process state
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_read_master_state',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ read_files_pattern($1, postfix_master_t, postfix_master_t)
+')
+
+########################################
+##
+## Do not audit attempts to use
+## postfix master process file
+## file descriptors.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`postfix_dontaudit_use_fds',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ dontaudit $1 postfix_master_t:fd use;
+')
+
+########################################
+##
+## Execute postfix_map in the postfix_map domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`postfix_domtrans_map',`
+ gen_require(`
+ type postfix_map_t, postfix_map_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
+')
+
+########################################
+##
+## Execute postfix_map in the postfix_map domain, and
+## allow the specified role the postfix_map domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`postfix_run_map',`
+ gen_require(`
+ type postfix_map_t;
+ ')
+
+ postfix_domtrans_map($1)
+ role $2 types postfix_map_t;
+')
+
+########################################
+##
+## Execute the master postfix program in the
+## postfix_master domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`postfix_domtrans_master',`
+ gen_require(`
+ type postfix_master_t, postfix_master_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
+')
+
+########################################
+##
+## Execute the master postfix program in the
+## caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_exec_master',`
+ gen_require(`
+ type postfix_master_exec_t;
+ ')
+
+ can_exec($1, postfix_master_exec_t)
+')
+
+#######################################
+##
+## Connect to postfix master process using a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`postfix_stream_connect_master',`
+ gen_require(`
+ type postfix_master_t, postfix_public_t;
+ ')
+
+ stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
+')
+
+########################################
+##
+## Execute the master postdrop in the
+## postfix_postdrop domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`postfix_domtrans_postdrop',`
+ gen_require(`
+ type postfix_postdrop_t, postfix_postdrop_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
+')
+
+########################################
+##
+## Execute the master postqueue in the
+## postfix_postqueue domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`postfix_domtrans_postqueue',`
+ gen_require(`
+ type postfix_postqueue_t, postfix_postqueue_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
+')
+
+#######################################
+##
+## Execute the master postqueue in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`posftix_exec_postqueue',`
+ gen_require(`
+ type postfix_postqueue_exec_t;
+ ')
+
+ can_exec($1, postfix_postqueue_exec_t)
+')
+
+########################################
+##
+## Create a named socket in a postfix private directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_create_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
+
+ allow $1 postfix_private_t:dir list_dir_perms;
+ create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
+')
+
+########################################
+##
+## manage named socket in a postfix private directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_manage_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
+
+ allow $1 postfix_private_t:dir list_dir_perms;
+ manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
+')
+
+########################################
+##
+## Execute the master postfix program in the
+## postfix_master domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`postfix_domtrans_smtp',`
+ gen_require(`
+ type postfix_smtp_t, postfix_smtp_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
+')
+
+########################################
+##
+## Search postfix mail spool directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_search_spool',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ allow $1 postfix_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+##
+## List postfix mail spool directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_list_spool',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ allow $1 postfix_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+##
+## Read postfix mail spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_read_spool_files',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+')
+
+########################################
+##
+## Create, read, write, and delete postfix mail spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_manage_spool_files',`
+ gen_require(`
+ type postfix_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
+')
+
+########################################
+##
+## Execute postfix user mail programs
+## in their respective domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_domtrans_user_mail_handler',`
+ gen_require(`
+ attribute postfix_user_domtrans;
+ ')
+
+ typeattribute $1 postfix_user_domtrans;
+')
diff --git a/postfix.te b/postfix.te
new file mode 100644
index 0000000..a1b39a8
--- /dev/null
+++ b/postfix.te
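Review bot: The interface name `posftix_exec_postqueue` is misspelled, so any module calling `postfix_exec_postqueue` hits an undefined macro at build time; rename it `interface(`postfix_exec_postqueue',`. Several summaries are copy-paste leftovers that document the wrong thing: `postfix_domtrans_smtp` repeats the `postfix_domtrans_master` text "Execute the master postfix program in the postfix_master domain" and should read `## Execute the postfix smtp client in the postfix_smtp domain.`, `postfix_rw_local_pipes` ends in a stray "TCP sockets." line that belongs to the preceding dontaudit interface, and `postfix_domtrans_postdrop`/`postfix_domtrans_postqueue` describe "the master postdrop/postqueue" although neither is the master program. `postfix_read_local_state` and `postfix_read_master_state` grant file reads on a process type via `read_files_pattern`; the `portreserve_admin` interface earlier in this diff uses `ps_process_pattern` for the same purpose, which also covers the directory search that /proc lookups need, so using it here would be both more complete and consistent.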
@@ -0,0 +1,632 @@
+policy_module(postfix, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute postfix_user_domains;
+# domains that transition to the
+# postfix user domains
+attribute postfix_user_domtrans;
+
+postfix_server_domain_template(bounce)
+
+type postfix_spool_bounce_t;
+files_type(postfix_spool_bounce_t)
+
+postfix_server_domain_template(cleanup)
+
+type postfix_etc_t;
+files_config_file(postfix_etc_t)
+
+type postfix_exec_t;
+application_executable_file(postfix_exec_t)
+
+postfix_server_domain_template(local)
+mta_mailserver_delivery(postfix_local_t)
+
+# Program for creating database files
+type postfix_map_t;
+type postfix_map_exec_t;
+application_domain(postfix_map_t, postfix_map_exec_t)
+role system_r types postfix_map_t;
+
+type postfix_map_tmp_t;
+files_tmp_file(postfix_map_tmp_t)
+
+postfix_domain_template(master)
+typealias postfix_master_t alias postfix_t;
+# alias is a hack to make the disable trans bool
+# generation macro work
+mta_mailserver(postfix_t, postfix_master_exec_t)
+
+postfix_server_domain_template(pickup)
+
+postfix_server_domain_template(pipe)
+
+postfix_user_domain_template(postdrop)
+mta_mailserver_user_agent(postfix_postdrop_t)
+
+postfix_user_domain_template(postqueue)
+
+type postfix_private_t;
+files_type(postfix_private_t)
+
+type postfix_prng_t;
+files_type(postfix_prng_t)
+
+postfix_server_domain_template(qmgr)
+
+postfix_user_domain_template(showq)
+
+postfix_server_domain_template(smtp)
+mta_mailserver_sender(postfix_smtp_t)
+
+postfix_server_domain_template(smtpd)
+
+type postfix_spool_t;
+files_type(postfix_spool_t)
+
+type postfix_spool_maildrop_t;
+files_type(postfix_spool_maildrop_t)
+
+type postfix_spool_flush_t;
+files_type(postfix_spool_flush_t)
+
+type postfix_public_t;
+files_type(postfix_public_t)
+
+type postfix_var_run_t;
+files_pid_file(postfix_var_run_t)
+
+# the data_directory config parameter
+type postfix_data_t;
+files_type(postfix_data_t)
+
+postfix_server_domain_template(virtual)
+mta_mailserver_delivery(postfix_virtual_t)
+
+########################################
+#
+# Postfix master process local policy
+#
+
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+allow postfix_master_t self:fifo_file rw_fifo_file_perms;
+allow postfix_master_t self:tcp_socket create_stream_socket_perms;
+allow postfix_master_t self:udp_socket create_socket_perms;
+allow postfix_master_t self:process setrlimit;
+
+allow postfix_master_t postfix_etc_t:file rw_file_perms;
+
+can_exec(postfix_master_t, postfix_exec_t)
+
+allow postfix_master_t postfix_data_t:dir manage_dir_perms;
+allow postfix_master_t postfix_data_t:file manage_file_perms;
+
+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+
+allow postfix_master_t postfix_postdrop_exec_t:file getattr;
+
+allow postfix_master_t postfix_postqueue_exec_t:file getattr;
+
+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+
+domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
+
+allow postfix_master_t postfix_prng_t:file rw_file_perms;
+
+manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+
+domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+
+# allow access to deferred queue and allow removing bogus incoming entries
+manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
+
+allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
+allow postfix_master_t postfix_spool_bounce_t:file getattr;
+
+manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+
+delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+kernel_read_all_sysctls(postfix_master_t)
+
+corenet_all_recvfrom_unlabeled(postfix_master_t)
+corenet_all_recvfrom_netlabel(postfix_master_t)
+corenet_tcp_sendrecv_generic_if(postfix_master_t)
+corenet_udp_sendrecv_generic_if(postfix_master_t)
+corenet_tcp_sendrecv_generic_node(postfix_master_t)
+corenet_udp_sendrecv_generic_node(postfix_master_t)
+corenet_tcp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_tcp_bind_generic_node(postfix_master_t)
+corenet_tcp_bind_amavisd_send_port(postfix_master_t)
+corenet_tcp_bind_smtp_port(postfix_master_t)
+corenet_tcp_connect_all_ports(postfix_master_t)
+corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+corenet_sendrecv_smtp_server_packets(postfix_master_t)
+corenet_sendrecv_all_client_packets(postfix_master_t)
+
+# for a find command
+selinux_dontaudit_search_fs(postfix_master_t)
+
+corecmd_exec_shell(postfix_master_t)
+corecmd_exec_bin(postfix_master_t)
+
+domain_use_interactive_fds(postfix_master_t)
+
+files_read_usr_files(postfix_master_t)
+
+term_dontaudit_search_ptys(postfix_master_t)
+
+miscfiles_read_man_pages(postfix_master_t)
+
+seutil_sigchld_newrole(postfix_master_t)
+# postfix does a "find" on startup for some reason - keep it quiet
+seutil_dontaudit_search_config(postfix_master_t)
+
+mta_rw_aliases(postfix_master_t)
+mta_read_sendmail_bin(postfix_master_t)
+mta_getattr_spool(postfix_master_t)
+
+ifdef(`distro_redhat',`
+ # for newer main.cf that uses /etc/aliases
+ mta_manage_aliases(postfix_master_t)
+ mta_etc_filetrans_aliases(postfix_master_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(postfix_master_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(postfix, postfix_t)
+')
+
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_master_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(postfix_master_t)
+')
+
+optional_policy(`
+ postgrey_search_spool(postfix_master_t)
+')
+
+optional_policy(`
+ sendmail_signal(postfix_master_t)
+')
+
+########################################
+#
+# Postfix bounce local policy
+#
+
+allow postfix_bounce_t self:capability dac_read_search;
+allow postfix_bounce_t self:tcp_socket create_socket_perms;
+
+allow postfix_bounce_t postfix_public_t:sock_file write;
+allow postfix_bounce_t postfix_public_t:dir search;
+
+manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
+
+manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+
+########################################
+#
+# Postfix cleanup local policy
+#
+
+allow postfix_cleanup_t self:process setrlimit;
+
+# connect to master process
+stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
+
+rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+
+manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_cleanup_t,
postfix_spool_t, postfix_spool_t)
+manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
+
+allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
+
+corecmd_exec_bin(postfix_cleanup_t)
+
+mta_read_aliases(postfix_cleanup_t)
+
+optional_policy(`
+ mailman_read_data_files(postfix_cleanup_t)
+')
+
+########################################
+#
+# Postfix local local policy
+#
+
+allow postfix_local_t self:fifo_file rw_fifo_file_perms;
+allow postfix_local_t self:process { setsched setrlimit };
+
+# connect to master process
+stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
+# for .forward - maybe we need a new type for it?
+rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
+
+allow postfix_local_t postfix_spool_t:file rw_file_perms;
+
+corecmd_exec_shell(postfix_local_t)
+corecmd_exec_bin(postfix_local_t)
+
+files_read_etc_files(postfix_local_t)
+
+logging_dontaudit_search_logs(postfix_local_t)
+
+mta_read_aliases(postfix_local_t)
+mta_delete_spool(postfix_local_t)
+# For reading spamassasin
+mta_read_config(postfix_local_t)
+
+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+# Might be a leak, but I need a postfix expert to explain
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+
+optional_policy(`
+ clamav_search_lib(postfix_local_t)
+ clamav_exec_clamscan(postfix_local_t)
+')
+
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_local_t)
+ mailman_append_log(postfix_local_t)
+ mailman_read_log(postfix_local_t)
+')
+
+optional_policy(`
+ procmail_domtrans(postfix_local_t)
+')
+
+########################################
+#
+# Postfix map local policy
+#
+allow postfix_map_t self:capability { dac_override setgid setuid };
+allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+allow postfix_map_t
self:unix_dgram_socket create_socket_perms;
+allow postfix_map_t self:tcp_socket create_stream_socket_perms;
+allow postfix_map_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+
+manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
+manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
+files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(postfix_map_t)
+kernel_dontaudit_list_proc(postfix_map_t)
+kernel_dontaudit_read_system_state(postfix_map_t)
+
+corenet_all_recvfrom_unlabeled(postfix_map_t)
+corenet_all_recvfrom_netlabel(postfix_map_t)
+corenet_tcp_sendrecv_generic_if(postfix_map_t)
+corenet_udp_sendrecv_generic_if(postfix_map_t)
+corenet_tcp_sendrecv_generic_node(postfix_map_t)
+corenet_udp_sendrecv_generic_node(postfix_map_t)
+corenet_tcp_sendrecv_all_ports(postfix_map_t)
+corenet_udp_sendrecv_all_ports(postfix_map_t)
+corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_sendrecv_all_client_packets(postfix_map_t)
+
+corecmd_list_bin(postfix_map_t)
+corecmd_read_bin_symlinks(postfix_map_t)
+corecmd_read_bin_files(postfix_map_t)
+corecmd_read_bin_pipes(postfix_map_t)
+corecmd_read_bin_sockets(postfix_map_t)
+
+files_list_home(postfix_map_t)
+files_read_usr_files(postfix_map_t)
+files_read_etc_files(postfix_map_t)
+files_read_etc_runtime_files(postfix_map_t)
+files_dontaudit_search_var(postfix_map_t)
+
+auth_use_nsswitch(postfix_map_t)
+
+logging_send_syslog_msg(postfix_map_t)
+
+miscfiles_read_localization(postfix_map_t)
+
+optional_policy(`
+ locallogin_dontaudit_use_fds(postfix_map_t)
+')
+
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_map_t)
+')
+
+########################################
+#
+# Postfix pickup local policy
+#
+
+allow postfix_pickup_t
self:tcp_socket create_socket_perms;
+
+stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
+
+rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+
+postfix_list_spool(postfix_pickup_t)
+
+allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
+read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+########################################
+#
+# Postfix pipe local policy
+#
+
+allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
+allow postfix_pipe_t self:process setrlimit;
+
+write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
+
+write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
+
+rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+
+domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
+optional_policy(`
+ dovecot_domtrans_deliver(postfix_pipe_t)
+')
+
+optional_policy(`
+ procmail_domtrans(postfix_pipe_t)
+')
+
+optional_policy(`
+ mailman_domtrans_queue(postfix_pipe_t)
+')
+
+optional_policy(`
+ mta_manage_spool(postfix_pipe_t)
+ mta_send_mail(postfix_pipe_t)
+')
+
+optional_policy(`
+ spamassassin_domtrans_client(postfix_pipe_t)
+')
+
+optional_policy(`
+ uucp_domtrans_uux(postfix_pipe_t)
+')
+
+########################################
+#
+# Postfix postdrop local policy
+#
+
+# usually it does not need a UDP socket
+allow postfix_postdrop_t self:capability sys_resource;
+allow postfix_postdrop_t self:tcp_socket create;
+allow postfix_postdrop_t self:udp_socket create_socket_perms;
+
+rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+
+postfix_list_spool(postfix_postdrop_t)
+manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t,
postfix_spool_maildrop_t)
+
+corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
+corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
+
+term_dontaudit_use_all_ptys(postfix_postdrop_t)
+term_dontaudit_use_all_ttys(postfix_postdrop_t)
+
+mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
+
+optional_policy(`
+ apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
+')
+
+optional_policy(`
+ cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
+')
+
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
+optional_policy(`
+ fstools_read_pipes(postfix_postdrop_t)
+')
+
+optional_policy(`
+ sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
+')
+
+optional_policy(`
+ uucp_manage_spool(postfix_postdrop_t)
+')
+
+#######################################
+#
+# Postfix postqueue local policy
+#
+
+allow postfix_postqueue_t self:tcp_socket create;
+allow postfix_postqueue_t self:udp_socket { create ioctl };
+
+# wants to write to /var/spool/postfix/public/showq
+stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
+# write to /var/spool/postfix/public/qmgr
+write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
+
+domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
+
+# to write the mailq output, it really should not need read access!
+term_use_all_ptys(postfix_postqueue_t)
+term_use_all_ttys(postfix_postqueue_t)
+
+init_sigchld_script(postfix_postqueue_t)
+init_use_script_fds(postfix_postqueue_t)
+
+optional_policy(`
+ cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
+')
+
+optional_policy(`
+ ppp_use_fds(postfix_postqueue_t)
+ ppp_sigchld(postfix_postqueue_t)
+')
+
+########################################
+#
+# Postfix qmgr local policy
+#
+
+stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
+
+# for /var/spool/postfix/active
+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+
+allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+
+corecmd_exec_bin(postfix_qmgr_t)
+
+########################################
+#
+# Postfix showq local policy
+#
+
+allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t self:tcp_socket create_socket_perms;
+
+allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
+
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
+
+postfix_list_spool(postfix_showq_t)
+
+allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
+allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
+
+# to write the mailq output, it really should not need read access!
+term_use_all_ptys(postfix_showq_t)
+term_use_all_ttys(postfix_showq_t)
+
+########################################
+#
+# Postfix smtp delivery local policy
+#
+
+# connect to master process
+allow postfix_smtp_t self:capability sys_chroot;
+stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+
+allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+
+files_search_all_mountpoints(postfix_smtp_t)
+
+optional_policy(`
+ cyrus_stream_connect(postfix_smtp_t)
+')
+
+optional_policy(`
+ milter_stream_connect_all(postfix_smtp_t)
+')
+
+########################################
+#
+# Postfix smtpd local policy
+#
+allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+
+# connect to master process
+stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+# Connect to policy server
+corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+
+# for prng_exch
+allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
+
+corecmd_exec_bin(postfix_smtpd_t)
+
+# for OpenSSL certificates
+files_read_usr_files(postfix_smtpd_t)
+mta_read_aliases(postfix_smtpd_t)
+
+optional_policy(`
+ dovecot_stream_connect_auth(postfix_smtpd_t)
+')
+
+optional_policy(`
+ mailman_read_data_files(postfix_smtpd_t)
+')
+
+optional_policy(`
+ postgrey_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
+ sasl_connect(postfix_smtpd_t)
+')
+
+########################################
+#
+# Postfix virtual local policy
+#
+
+allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
+allow postfix_virtual_t self:process { setsched setrlimit };
+
+allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+
+# connect to master process
+stream_connect_pattern(postfix_virtual_t, { postfix_private_t
postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+corecmd_exec_shell(postfix_virtual_t)
+corecmd_exec_bin(postfix_virtual_t)
+
+files_read_etc_files(postfix_virtual_t)
+files_read_usr_files(postfix_virtual_t)
+
+mta_read_aliases(postfix_virtual_t)
+mta_delete_spool(postfix_virtual_t)
+# For reading spamassasin
+mta_read_config(postfix_virtual_t)
+mta_manage_spool(postfix_virtual_t)
diff --git a/postfixpolicyd.fc b/postfixpolicyd.fc
new file mode 100644
index 0000000..4361cb6
--- /dev/null
+++ b/postfixpolicyd.fc
@@ -0,0 +1,6 @@
+/etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0)
+/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0)
+
+/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
+
+/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
diff --git a/postfixpolicyd.if b/postfixpolicyd.if
new file mode 100644
index 0000000..feae93b
--- /dev/null
+++ b/postfixpolicyd.if
@@ -0,0 +1,40 @@
+## Postfix policy server
+
+########################################
+##
+## All of the rules required to administrate
+## an postfixpolicyd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the postfixpolicyd domain.
+##
+##
+##
+#
+interface(`postfixpolicyd_admin',`
+ gen_require(`
+ type postfix_policyd_t, postfix_policyd_conf_t;
+ type postfix_policyd_var_run_t;
+ type postfix_policyd_initrc_exec_t;
+ ')
+
+ allow $1 postfix_policyd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_policyd_t)
+
+ init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 postfix_policyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, postfix_policyd_conf_t)
+
+ files_list_pids($1)
+ admin_pattern($1, postfix_policyd_var_run_t)
+')
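Review bot: In the postdrop section the comment `# usually it does not need a UDP socket` sits directly above `allow postfix_postdrop_t self:udp_socket create_socket_perms;`, which grants the full permission set; if the socket is genuinely rare the rule should shrink to what is observed (or become a `dontaudit`), otherwise the comment should say why create_socket_perms is granted anyway. The master capability rule has the same problem in the other direction: `# chown is to set the correct ownership of queue dirs` documents one of seven capabilities, leaving `dac_override`, `kill`, `setuid`/`setgid`, `net_bind_service` and `sys_tty_config` unexplained. Finally, `allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` is flagged by its own comment as a possible leak; a `dontaudit` is the conservative form until the need is confirmed, and the comment should record the outcome either way.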
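Review bot: Three of the four postfixpolicyd.fc entries write the context as `postfix_policyd_conf_t, s0)` with a space before the sensitivity while the initrc line writes `postfix_policyd_initrc_exec_t,s0)`; m4 should discard that leading argument whitespace so labels are unaffected, but the file ought to pick one form. Every other .fc in this commit uses `,s0)` without the space.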
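Review bot: The postfixpolicyd_admin summary reads `## an postfixpolicyd environment`; it should be `## a postfixpolicyd environment` (the same wording recurs in postgrey_admin). The `ptrace` grant in `allow $1 postfix_policyd_t:process { ptrace signal_perms };` follows the usual admin pattern, but a one-line comment noting that it is there for debugging the daemon would make the intent explicit.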
diff --git a/postfixpolicyd.te b/postfixpolicyd.te
new file mode 100644
index 0000000..7257526
--- /dev/null
+++ b/postfixpolicyd.te
@@ -0,0 +1,53 @@
+policy_module(postfixpolicyd, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type postfix_policyd_t;
+type postfix_policyd_exec_t;
+init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t)
+
+type postfix_policyd_conf_t;
+files_config_file(postfix_policyd_conf_t)
+
+type postfix_policyd_initrc_exec_t;
+init_script_file(postfix_policyd_initrc_exec_t)
+
+type postfix_policyd_var_run_t;
+files_pid_file(postfix_policyd_var_run_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
+allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
+allow postfix_policyd_t self:process setrlimit;
+allow postfix_policyd_t self:unix_dgram_socket { connect create write};
+
+allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
+allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
+allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
+
+manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
+files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(postfix_policyd_t)
+corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
+corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
+corenet_tcp_sendrecv_all_ports(postfix_policyd_t)
+corenet_tcp_bind_generic_node(postfix_policyd_t)
+corenet_tcp_bind_postfix_policyd_port(postfix_policyd_t)
+corenet_tcp_bind_mysqld_port(postfix_policyd_t)
+
+files_read_etc_files(postfix_policyd_t)
+files_read_usr_files(postfix_policyd_t)
+
+logging_send_syslog_msg(postfix_policyd_t)
+
+miscfiles_read_localization(postfix_policyd_t)
+
+sysnet_dns_name_resolve(postfix_policyd_t)
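Review bot: `corenet_tcp_bind_mysqld_port(postfix_policyd_t)` lets the policy daemon listen on the mysqld port, yet nothing in the hunk shows it acting as a database server; presumably it is a MySQL client, in which case the intended rule is `corenet_tcp_connect_mysqld_port(postfix_policyd_t)` — please confirm against the daemon's behaviour before keeping a bind on a port another service owns. `{ connect create write}` is also missing the space before the closing brace that every other rule in the commit uses. The module calls `corenet_all_recvfrom_unlabeled` without the matching `corenet_all_recvfrom_netlabel` that postfix.te and postgrey.te pair it with; if that omission is deliberate, a comment would help.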
diff --git a/postgrey.fc b/postgrey.fc
new file mode 100644
index 0000000..e731841
--- /dev/null
+++ b/postgrey.fc
@@ -0,0 +1,12 @@
+
+/etc/postgrey(/.*)? gen_context(system_u:object_r:postgrey_etc_t,s0)
+/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0)
+
+/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
+
+/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0)
+
+/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
+/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
+
+/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
diff --git a/postgrey.if b/postgrey.if
new file mode 100644
index 0000000..ad15fde
--- /dev/null
+++ b/postgrey.if
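Review bot: postgrey.fc begins with an empty line (the hunk's first added line is blank), which none of the other .fc files in this commit do; drop it. The `/var/spool/postfix/postgrey(/.*)?` entry nests postgrey_spool_t inside postfix's spool tree, so it presumably depends on being matched ahead of postfix's own spool entry when the contexts are sorted; a short comment such as `# lives under the postfix spool; must win over postfix_spool_t` would record that dependency for the next maintainer.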
@@ -0,0 +1,81 @@
+## Postfix grey-listing server
+
+########################################
+##
+## Write to postgrey socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postgrey_stream_connect',`
+ gen_require(`
+ type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
+ ')
+
+ stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
+ stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
+ files_search_pids($1)
+')
+
+########################################
+##
+## Search the spool directory
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postgrey_search_spool',`
+ gen_require(`
+ type postgrey_spool_t;
+ ')
+
+ allow $1 postgrey_spool_t:dir search_dir_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an postgrey environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the postgrey domain.
+##
+##
+##
+#
+interface(`postgrey_admin',`
+ gen_require(`
+ type postgrey_t, postgrey_etc_t;
+ type postgrey_var_lib_t, postgrey_var_run_t;
+ type postgrey_initrc_exec_t;
+ ')
+
+ allow $1 postgrey_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postgrey_t)
+
+ init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 postgrey_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, postgrey_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, postgrey_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, postgrey_var_run_t)
+')
diff --git a/postgrey.te b/postgrey.te
new file mode 100644
index 0000000..db843e2
--- /dev/null
+++ b/postgrey.te
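Review bot: `postgrey_stream_connect` connects through `postgrey_spool_t`, which postgrey.fc places at `/var/spool/postfix/postgrey`, but the interface only adds `files_search_pids($1)`; a caller that is not already a postfix domain would still lack search on `/var/spool` and on the postfix spool directory to reach that socket. If the spool socket is meant for callers beyond postfix_smtpd_t, add `files_search_spool($1)` next to the pids search (the postfix spool type itself is postfix's to grant, presumably via `postfix_search_spool`); otherwise a comment stating that the second pattern is only reachable from postfix domains would do. The summary `## Write to postgrey socket` also undersells a stream connect; `## Connect to postgrey over a unix stream socket` matches the wording used elsewhere in the commit.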
@@ -0,0 +1,107 @@
+policy_module(postgrey, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type postgrey_t;
+type postgrey_exec_t;
+init_daemon_domain(postgrey_t, postgrey_exec_t)
+
+type postgrey_etc_t;
+files_config_file(postgrey_etc_t)
+
+type postgrey_initrc_exec_t;
+init_script_file(postgrey_initrc_exec_t)
+
+type postgrey_spool_t;
+files_type(postgrey_spool_t)
+
+type postgrey_var_lib_t;
+files_type(postgrey_var_lib_t)
+
+type postgrey_var_run_t;
+files_pid_file(postgrey_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow postgrey_t self:capability { chown dac_override setgid setuid };
+dontaudit postgrey_t self:capability sys_tty_config;
+allow postgrey_t self:process signal_perms;
+allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:fifo_file create_fifo_file_perms;
+
+allow postgrey_t postgrey_etc_t:dir list_dir_perms;
+read_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
+read_lnk_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
+
+manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+
+manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
+
+manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
+manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
+manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
+files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(postgrey_t)
+kernel_read_kernel_sysctls(postgrey_t)
+
+# for perl
+corecmd_search_bin(postgrey_t)
+
+corenet_all_recvfrom_unlabeled(postgrey_t)
+corenet_all_recvfrom_netlabel(postgrey_t)
+corenet_tcp_sendrecv_generic_if(postgrey_t)
+corenet_tcp_sendrecv_generic_node(postgrey_t)
+corenet_tcp_sendrecv_all_ports(postgrey_t)
+corenet_tcp_bind_generic_node(postgrey_t)
+corenet_tcp_bind_postgrey_port(postgrey_t)
+corenet_sendrecv_postgrey_server_packets(postgrey_t)
+
+dev_read_urand(postgrey_t)
+dev_read_sysfs(postgrey_t)
+
+domain_use_interactive_fds(postgrey_t)
+
+files_read_etc_files(postgrey_t)
+files_read_etc_runtime_files(postgrey_t)
+files_read_usr_files(postgrey_t)
+files_getattr_tmp_dirs(postgrey_t)
+
+fs_getattr_all_fs(postgrey_t)
+fs_search_auto_mountpoints(postgrey_t)
+
+logging_send_syslog_msg(postgrey_t)
+
+miscfiles_read_localization(postgrey_t)
+
+sysnet_read_config(postgrey_t)
+
+userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
+userdom_dontaudit_search_user_home_dirs(postgrey_t)
+
+optional_policy(`
+ nis_use_ypbind(postgrey_t)
+')
+
+optional_policy(`
+ postfix_read_config(postgrey_t)
+ postfix_manage_spool_files(postgrey_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(postgrey_t)
+')
+
+optional_policy(`
+ udev_read_db(postgrey_t)
+')
diff --git a/ppp.fc b/ppp.fc
new file mode 100644
index 0000000..2d82c6d
--- /dev/null
+++ b/ppp.fc
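Review bot: `postfix_manage_spool_files(postgrey_t)` in the postfix optional_policy block gives the greylisting daemon create, write and delete on every file labelled postfix_spool_t — the whole postfix queue — while postgrey.fc already gives it its own postgrey_spool_t under `/var/spool/postfix/postgrey`, which this file manages in full a few lines earlier. Unless postgrey is known to modify postfix queue files, `postfix_search_spool(postgrey_t)` should be enough to reach its own socket directory; if the broader access is really needed, a comment naming which queue files it touches would justify it. A daemon that parses untrusted SMTP envelope data is the one to keep furthest from the queue it advises on, so the narrower rule is also the safer default if a bug in it is ever exploited.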
@@ -0,0 +1,38 @@
+#
+# /etc
+#
+/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
+/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
+/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
+/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
+/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
+
+#
+# /sbin
+#
+/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
+# Fix pptp sockets
+/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+
+/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/ppp.if b/ppp.if
new file mode 100644
index 0000000..b524673
--- /dev/null
+++ b/ppp.if
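Review bot: `/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)` labels only the regular files under `/var/log/ppp`; the directory itself does not match that regex, so it falls through to whatever labels `/var/log`, and unless ppp.te (not in this chunk) adds a filetrans into that directory pppd will be creating log files in a directory it is not labelled to own. `/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)` would cover the directory as well as its contents, mirroring the `/var/run/ppp(/.*)?` entry above it. Separately, `/etc/ppp(/.*)? --` makes pppd_etc_rw_t the default for every regular file under `/etc/ppp`, with secrets carved out only by the `.*secrets` entry; a comment explaining why the writable label is the default rather than the exception would help future reviewers.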
@@ -0,0 +1,395 @@
+## Point to Point Protocol daemon creates links in ppp networks
+
+########################################
+##
+## Use PPP file discriptors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ppp_use_fds',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to inherit
+## and use PPP file discriptors.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`ppp_dontaudit_use_fds',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ dontaudit $1 pppd_t:fd use;
+')
+
+########################################
+##
+## Send a SIGCHLD signal to PPP.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ppp_sigchld',`
+ gen_require(`
+ type pppd_t;
+
+ ')
+
+ allow $1 pppd_t:process sigchld;
+')
+
+########################################
+##
+## Send ppp a kill signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`ppp_kill',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process sigkill;
+')
+
+########################################
+##
+## Send a generic signal to PPP.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ppp_signal',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process signal;
+')
+
+########################################
+##
+## Send a generic signull to PPP.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ppp_signull',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process signull;
+')
+
+########################################
+##
+## Execute domain in the ppp domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ppp_domtrans',`
+ gen_require(`
+ type pppd_t, pppd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pppd_exec_t, pppd_t)
+')
+
+########################################
+##
+## Conditionally execute ppp daemon on behalf of a user or staff type.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to allow the ppp domain.
+##
+##
+##
+#
+interface(`ppp_run_cond',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ role $2 types pppd_t;
+
+ tunable_policy(`pppd_for_user',`
+ ppp_domtrans($1)
+ ')
+')
+
+########################################
+##
+## Unconditionally execute ppp daemon on behalf of a user or staff type.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to allow the ppp domain.
+##
+##
+##
+#
+interface(`ppp_run',`
+ gen_require(`
+ type pppd_t, pptp_t;
+ ')
+
+ ppp_domtrans($1)
+ role $2 types pppd_t;
+ role $2 types pptp_t;
+
+ optional_policy(`
+ ddclient_run(pppd_t, $2)
+ ')
+')
+
+########################################
+##
+## Execute domain in the ppp caller.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ppp_exec',`
+ gen_require(`
+ type pppd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, pppd_exec_t)
+')
+
+########################################
+##
+## Read ppp configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ppp_read_config',`
+ gen_require(`
+ type pppd_etc_t;
+ ')
+
+ read_files_pattern($1, pppd_etc_t, pppd_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+##
+## Read PPP-writable configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ppp_read_rw_config',`
+ gen_require(`
+ type pppd_etc_t, pppd_etc_rw_t;
+ ')
+
+ allow $1 pppd_etc_t:dir list_dir_perms;
+ allow $1 pppd_etc_rw_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+########################################
+##
+## Read PPP secrets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ppp_read_secrets',`
+ gen_require(`
+ type pppd_etc_t, pppd_secret_t;
+ ')
+
+ allow $1 pppd_etc_t:dir list_dir_perms;
+ allow $1 pppd_secret_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+########################################
+##
+## Read PPP pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ppp_read_pid_files',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ allow $1 pppd_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete PPP pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ppp_manage_pid_files',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ allow $1 pppd_var_run_t:file manage_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete PPP pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ppp_pid_filetrans',`
+ gen_require(`
+ type pppd_var_run_t;
+ ')
+
+ files_pid_filetrans($1, pppd_var_run_t, file)
+')
+
+########################################
+##
+## Execute ppp server in the ntpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ppp_initrc_domtrans',`
+ gen_require(`
+ type pppd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, pppd_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an ppp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`ppp_admin',`
+ gen_require(`
+ type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
+ type pppd_etc_t, pppd_secret_t;
+ type pppd_etc_rw_t, pppd_var_run_t;
+
+ type pptp_t, pptp_log_t, pptp_var_run_t;
+ type pppd_initrc_exec_t;
+ ')
+
+ allow $1 pppd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, pppd_t)
+
+ ppp_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 pppd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, pppd_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, pppd_log_t)
+
+ admin_pattern($1, pppd_lock_t)
+
+ files_list_etc($1)
+ admin_pattern($1, pppd_etc_t)
+
+ admin_pattern($1, pppd_etc_rw_t)
+
+ admin_pattern($1, pppd_secret_t)
+
+ files_list_pids($1)
+ admin_pattern($1, pppd_var_run_t)
+
+ allow $1 pptp_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, pptp_t)
+
+ admin_pattern($1, pptp_log_t)
+
+ admin_pattern($1, pptp_var_run_t)
+')
diff --git a/ppp.te b/ppp.te
new file mode 100644
index 0000000..a2d43a9
--- /dev/null
+++ b/ppp.te
@@ -0,0 +1,326 @@
+policy_module(ppp, 1.12.1)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
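Review bot: `ppp_read_pid_files` grants `read_file_perms` on pppd_var_run_t but gives the caller no search access to the pid directory, whereas `ppp_read_config` and `ppp_read_secrets` pair their file rules with `files_search_etc($1)`; add `files_search_pids($1)` next to the allow so a caller with no other route into /var/run can actually reach the file. Two summaries look like copy-paste leftovers: `ppp_initrc_domtrans` reads "Execute ppp server in the ntpd domain" and `ppp_pid_filetrans` repeats the manage_pid_files text; suggested `## Execute ppp init scripts in the initrc domain.` and `## Create PPP pid files in the pid directory.`. `ppp_admin` uses `$2` as a role (`role_transition $2 pppd_initrc_exec_t system_r;`) but its header documents only the domain parameter, unlike `ppp_run`, which documents both.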

+## Allow pppd to load kernel modules for certain modems
+##

+##
+gen_bool(pppd_can_insmod, false)
+
+##
+##

+## Allow pppd to be run for a regular user
+##

+##
+gen_tunable(pppd_for_user, false)
+
+# pppd_t is the domain for the pppd program.
+# pppd_exec_t is the type of the pppd executable.
+type pppd_t;
+type pppd_exec_t;
+init_daemon_domain(pppd_t, pppd_exec_t)
+
+type pppd_devpts_t;
+term_pty(pppd_devpts_t)
+
+# Define a separate type for /etc/ppp
+type pppd_etc_t;
+files_config_file(pppd_etc_t)
+
+# Define a separate type for writable files under /etc/ppp
+type pppd_etc_rw_t;
+files_type(pppd_etc_rw_t)
+
+type pppd_initrc_exec_t alias pppd_script_exec_t;
+init_script_file(pppd_initrc_exec_t)
+
+# pppd_secret_t is the type of the pap and chap password files
+type pppd_secret_t;
+files_type(pppd_secret_t)
+
+type pppd_log_t;
+logging_log_file(pppd_log_t)
+
+type pppd_lock_t;
+files_lock_file(pppd_lock_t)
+
+type pppd_tmp_t;
+files_tmp_file(pppd_tmp_t)
+
+type pppd_var_run_t;
+files_pid_file(pppd_var_run_t)
+
+type pptp_t;
+type pptp_exec_t;
+init_daemon_domain(pptp_t, pptp_exec_t)
+
+type pptp_log_t;
+logging_log_file(pptp_log_t)
+
+type pptp_var_run_t;
+files_pid_file(pptp_var_run_t)
+
+########################################
+#
+# PPPD Local policy
+#
+
+allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
+dontaudit pppd_t self:capability sys_tty_config;
+allow pppd_t self:process { getsched signal };
+allow pppd_t self:fifo_file rw_fifo_file_perms;
+allow pppd_t self:socket create_socket_perms;
+allow pppd_t self:unix_dgram_socket create_socket_perms;
+allow pppd_t self:unix_stream_socket create_socket_perms;
+allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
+allow pppd_t self:tcp_socket create_stream_socket_perms;
+allow pppd_t self:udp_socket { connect connected_socket_perms };
+allow pppd_t self:packet_socket create_socket_perms;
+
+domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+
+allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
+
+allow pppd_t pppd_etc_t:dir rw_dir_perms;
+allow pppd_t pppd_etc_t:file read_file_perms;
+allow pppd_t pppd_etc_t:lnk_file { getattr read };
+
+manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
+# Automatically label newly created files under /etc/ppp with this type
+filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
+
+allow pppd_t pppd_lock_t:file manage_file_perms;
+files_lock_filetrans(pppd_t, pppd_lock_t, file)
+
+allow pppd_t pppd_log_t:file manage_file_perms;
+logging_log_filetrans(pppd_t, pppd_log_t, file)
+
+manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
+manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
+files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
+
+manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
+files_pid_filetrans(pppd_t, pppd_var_run_t, file)
+
+allow pppd_t pptp_t:process signal;
+
+# for SSP
+# Access secret files
+allow pppd_t pppd_secret_t:file read_file_perms;
+
+ppp_initrc_domtrans(pppd_t)
+
+kernel_read_kernel_sysctls(pppd_t)
+kernel_read_system_state(pppd_t)
+kernel_rw_net_sysctls(pppd_t)
+kernel_read_network_state(pppd_t)
+kernel_request_load_module(pppd_t)
+
+dev_read_urand(pppd_t)
+dev_search_sysfs(pppd_t)
+dev_read_sysfs(pppd_t)
+dev_rw_modem(pppd_t)
+
+corenet_all_recvfrom_unlabeled(pppd_t)
+corenet_all_recvfrom_netlabel(pppd_t)
+corenet_tcp_sendrecv_generic_if(pppd_t)
+corenet_raw_sendrecv_generic_if(pppd_t)
+corenet_udp_sendrecv_generic_if(pppd_t)
+corenet_tcp_sendrecv_generic_node(pppd_t)
+corenet_raw_sendrecv_generic_node(pppd_t)
+corenet_udp_sendrecv_generic_node(pppd_t)
+corenet_tcp_sendrecv_all_ports(pppd_t)
+corenet_udp_sendrecv_all_ports(pppd_t)
+# Access /dev/ppp.
+corenet_rw_ppp_dev(pppd_t)
+
+fs_getattr_all_fs(pppd_t)
+fs_search_auto_mountpoints(pppd_t)
+
+term_use_unallocated_ttys(pppd_t)
+term_setattr_unallocated_ttys(pppd_t)
+term_ioctl_generic_ptys(pppd_t)
+# for pppoe
+term_create_pty(pppd_t, pppd_devpts_t)
+
+# allow running ip-up and ip-down scripts and running chat.
+corecmd_exec_bin(pppd_t)
+corecmd_exec_shell(pppd_t)
+
+domain_use_interactive_fds(pppd_t)
+
+files_exec_etc_files(pppd_t)
+files_manage_etc_runtime_files(pppd_t)
+files_dontaudit_write_etc_files(pppd_t)
+
+# for scripts
+files_read_etc_files(pppd_t)
+
+init_read_utmp(pppd_t)
+init_dontaudit_write_utmp(pppd_t)
+init_signal_script(pppd_t)
+
+auth_use_nsswitch(pppd_t)
+
+logging_send_syslog_msg(pppd_t)
+logging_send_audit_msgs(pppd_t)
+
+miscfiles_read_localization(pppd_t)
+
+sysnet_exec_ifconfig(pppd_t)
+sysnet_manage_config(pppd_t)
+sysnet_etc_filetrans_config(pppd_t)
+
+userdom_use_user_terminals(pppd_t)
+userdom_dontaudit_use_unpriv_user_fds(pppd_t)
+userdom_search_user_home_dirs(pppd_t)
+
+ppp_exec(pppd_t)
+
+optional_policy(`
+ ddclient_domtrans(pppd_t)
+')
+
+optional_policy(`
+ # The toolchain does not support nested conditionals
+ gen_require(`
+ bool secure_mode_insmod;
+ ')
+
+ if (pppd_can_insmod && ! secure_mode_insmod) {
+ modutils_domtrans_insmod_uncond(pppd_t)
+ }
+')
+
+optional_policy(`
+ mta_send_mail(pppd_t)
+')
+
+optional_policy(`
+ networkmanager_signal(pppd_t)
+')
+
+optional_policy(`
+ postfix_domtrans_master(pppd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pppd_t)
+')
+
+optional_policy(`
+ udev_read_db(pppd_t)
+')
+
+########################################
+#
+# PPTP Local policy
+#
+
+allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
+dontaudit pptp_t self:capability sys_tty_config;
+allow pptp_t self:process signal;
+allow pptp_t self:fifo_file rw_fifo_file_perms;
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pptp_t self:rawip_socket create_socket_perms;
+allow pptp_t self:tcp_socket create_socket_perms;
+allow pptp_t self:udp_socket create_socket_perms;
+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow pptp_t pppd_etc_t:dir list_dir_perms;
+allow pptp_t pppd_etc_t:file read_file_perms;
+allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+
+allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
+allow pptp_t pppd_etc_rw_t:file read_file_perms;
+allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
+can_exec(pptp_t, pppd_etc_rw_t)
+
+# Allow pptp to append to pppd log files
+allow pptp_t pppd_log_t:file append_file_perms;
+
+allow pptp_t pptp_log_t:file manage_file_perms;
+logging_log_filetrans(pptp_t, pptp_log_t, file)
+
+manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
+manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
+files_pid_filetrans(pptp_t, pptp_var_run_t, file)
+
+kernel_list_proc(pptp_t)
+kernel_read_kernel_sysctls(pptp_t)
+kernel_read_proc_symlinks(pptp_t)
+kernel_read_system_state(pptp_t)
+
+dev_read_sysfs(pptp_t)
+
+corecmd_exec_shell(pptp_t)
+corecmd_read_bin_symlinks(pptp_t)
+
+corenet_all_recvfrom_unlabeled(pptp_t)
+corenet_all_recvfrom_netlabel(pptp_t)
+corenet_tcp_sendrecv_generic_if(pptp_t)
+corenet_raw_sendrecv_generic_if(pptp_t)
+corenet_tcp_sendrecv_generic_node(pptp_t)
+corenet_raw_sendrecv_generic_node(pptp_t)
+corenet_tcp_sendrecv_all_ports(pptp_t)
+corenet_tcp_bind_generic_node(pptp_t)
+corenet_tcp_connect_generic_port(pptp_t)
+corenet_tcp_connect_all_reserved_ports(pptp_t)
+corenet_sendrecv_generic_client_packets(pptp_t)
+
+files_read_etc_files(pptp_t)
+
+fs_getattr_all_fs(pptp_t)
+fs_search_auto_mountpoints(pptp_t)
+
+term_ioctl_generic_ptys(pptp_t)
+term_search_ptys(pptp_t)
+term_use_ptmx(pptp_t)
+
+domain_use_interactive_fds(pptp_t)
+
+auth_use_nsswitch(pptp_t)
+
+logging_send_syslog_msg(pptp_t)
+
+miscfiles_read_localization(pptp_t)
+
+sysnet_exec_ifconfig(pptp_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pptp_t)
+userdom_dontaudit_search_user_home_dirs(pptp_t)
+userdom_signal_unpriv_users(pptp_t)
+
+optional_policy(`
+ consoletype_exec(pppd_t)
+')
+
+optional_policy(`
+ dbus_system_domain(pppd_t, pppd_exec_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(pppd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(pptp_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(pptp_t)
+')
+
+optional_policy(`
+ udev_read_db(pptp_t)
+')
+
+optional_policy(`
+ postfix_read_config(pppd_t)
+')
diff --git a/prelink.fc b/prelink.fc
new file mode 100644
index 0000000..ec0e76a
--- /dev/null
+++ b/prelink.fc
@@ -0,0 +1,11 @@
+/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
+
+/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
+
+/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
+
+/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
+
+/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff --git a/prelink.if b/prelink.if
new file mode 100644
index 0000000..93ec175
--- /dev/null
+++ b/prelink.if
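Review bot: `can_exec(pptp_t, pppd_etc_rw_t)` in the PPTP section makes files of a type that pppd_t creates and fully manages (`manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)` plus the filetrans from pppd_etc_t) executable for pptp_t, so the writable configuration type doubles as an executable type across two domains; a comment naming which files under /etc/ppp pptp runs would make that coupling explicit, and if it is only a few scripts they could get their own exec type the way the ip-up/ip-down scripts already do via pppd_initrc_exec_t. The `consoletype_exec(pppd_t)`, `dbus_system_domain(pppd_t, pppd_exec_t)` and `postfix_read_config(pppd_t)` blocks sit under the `PPTP Local policy` header even though they govern pppd_t; moving them up with the other pppd_t optional_policy blocks keeps each section to one domain. The `# for SSP` comment now sits above `# Access secret files` rather than above `dev_read_urand(pppd_t)`, which it presumably explains.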
@@ -0,0 +1,204 @@
+## Prelink ELF shared library mappings.
+
+########################################
+##
+## Execute the prelink program in the prelink domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`prelink_domtrans',`
+ gen_require(`
+ type prelink_t, prelink_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, prelink_exec_t, prelink_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit prelink_t $1:socket_class_set { read write };
+ dontaudit prelink_t $1:fifo_file setattr;
+ ')
+')
+
+########################################
+##
+## Execute the prelink program in the current domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelink_exec',`
+ gen_require(`
+ type prelink_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, prelink_exec_t)
+')
+
+########################################
+##
+## Execute the prelink program in the prelink domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to allow the prelink domain.
+##
+##
+##
+#
+interface(`prelink_run',`
+ gen_require(`
+ type prelink_t;
+ ')
+
+ prelink_domtrans($1)
+ role $2 types prelink_t;
+')
+
+########################################
+##
+## Make the specified file type prelinkable.
+##
+##
+##
+## File type to be prelinked.
+##
+##
+#
+# cjp: added for misc non-entrypoint objects
+interface(`prelink_object_file',`
+ gen_require(`
+ attribute prelink_object;
+ ')
+
+ typeattribute $1 prelink_object;
+')
+
+########################################
+##
+## Read the prelink cache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelink_read_cache',`
+ gen_require(`
+ type prelink_cache_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 prelink_cache_t:file read_file_perms;
+')
+
+########################################
+##
+## Delete the prelink cache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelink_delete_cache',`
+ gen_require(`
+ type prelink_cache_t;
+ ')
+
+ allow $1 prelink_cache_t:file unlink;
+ files_rw_etc_dirs($1)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## prelink log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelink_manage_log',`
+ gen_require(`
+ type prelink_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, prelink_log_t, prelink_log_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## prelink var_lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelink_manage_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
+
+########################################
+##
+## Relabel from files in the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelink_relabelfrom_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
+
+########################################
+##
+## Relabel from files in the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelink_relabel_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
diff --git a/prelink.te b/prelink.te
new file mode 100644
index 0000000..af55369
--- /dev/null
+++ b/prelink.te
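Review bot: The summaries of `prelink_relabelfrom_lib` and `prelink_relabel_lib` both read "Relabel from files in the /boot directory." although both act on prelink_var_lib_t under /var/lib (each starts with `files_search_var_lib($1)`) and the second grants relabelto as well; suggested `## Relabel from prelink var_lib files.` and `## Relabel to and from prelink var_lib files.`. `prelink_delete_cache` backs its single `unlink` with `files_rw_etc_dirs($1)`, which hands every caller read/write directory permissions on etc_t directories rather than on the one directory holding the cache; a comment such as `# unlink needs write/remove_name on the containing etc dir` would at least record why the broad rule is there, and a directory-scoped interface would be preferable if the policy offers one.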
@@ -0,0 +1,164 @@
+policy_module(prelink, 1.10.0)
+
+########################################
+#
+# Declarations
+
+attribute prelink_object;
+
+type prelink_t;
+type prelink_exec_t;
+init_system_domain(prelink_t, prelink_exec_t)
+domain_obj_id_change_exemption(prelink_t)
+
+type prelink_cache_t;
+files_type(prelink_cache_t)
+
+type prelink_cron_system_t;
+type prelink_cron_system_exec_t;
+domain_type(prelink_cron_system_t)
+domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
+
+type prelink_log_t;
+logging_log_file(prelink_log_t)
+
+type prelink_tmp_t;
+files_tmp_file(prelink_tmp_t)
+
+type prelink_tmpfs_t;
+files_tmpfs_file(prelink_tmpfs_t)
+
+type prelink_var_lib_t;
+files_type(prelink_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
+allow prelink_t self:process { execheap execmem execstack signal };
+allow prelink_t self:fifo_file rw_fifo_file_perms;
+
+allow prelink_t prelink_cache_t:file manage_file_perms;
+files_etc_filetrans(prelink_t, prelink_cache_t, file)
+
+allow prelink_t prelink_log_t:dir setattr;
+create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+logging_log_filetrans(prelink_t, prelink_log_t, file)
+
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
+files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
+
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
+fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
+
+manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
+
+# prelink misc objects that are not system
+# libraries or entrypoints
+allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
+
+kernel_read_system_state(prelink_t)
+kernel_read_kernel_sysctls(prelink_t)
+
+corecmd_manage_all_executables(prelink_t)
+corecmd_relabel_all_executables(prelink_t)
+corecmd_mmap_all_executables(prelink_t)
+corecmd_read_bin_symlinks(prelink_t)
+
+dev_read_urand(prelink_t)
+
+files_list_all(prelink_t)
+files_getattr_all_files(prelink_t)
+files_write_non_security_dirs(prelink_t)
+files_read_etc_files(prelink_t)
+files_read_etc_runtime_files(prelink_t)
+files_dontaudit_read_all_symlinks(prelink_t)
+files_manage_usr_files(prelink_t)
+files_manage_var_files(prelink_t)
+files_relabelfrom_usr_files(prelink_t)
+
+fs_getattr_xattr_fs(prelink_t)
+
+selinux_get_enforce_mode(prelink_t)
+
+libs_exec_ld_so(prelink_t)
+libs_legacy_use_shared_libs(prelink_t)
+libs_manage_ld_so(prelink_t)
+libs_relabel_ld_so(prelink_t)
+libs_manage_shared_libs(prelink_t)
+libs_relabel_shared_libs(prelink_t)
+libs_delete_lib_symlinks(prelink_t)
+
+miscfiles_read_localization(prelink_t)
+
+userdom_use_user_terminals(prelink_t)
+
+optional_policy(`
+ amanda_manage_lib(prelink_t)
+')
+
+optional_policy(`
+ cron_system_entry(prelink_t, prelink_exec_t)
+')
+
+optional_policy(`
+ rpm_manage_tmp_files(prelink_t)
+')
+
+optional_policy(`
+ unconfined_domain(prelink_t)
+')
+
+########################################
+#
+# Prelink Cron system Policy
+#
+
+optional_policy(`
+ allow prelink_cron_system_t self:capability setuid;
+ allow prelink_cron_system_t self:process { setsched setfscreate signal };
+ allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
+ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
+
+ read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
+ allow prelink_cron_system_t prelink_cache_t:file unlink;
+
+ domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
+ allow prelink_cron_system_t prelink_t:process noatsecure;
+
+ manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)
+
+ manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
+ files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
+ allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
+
+ kernel_read_system_state(prelink_cron_system_t)
+
+ corecmd_exec_bin(prelink_cron_system_t)
+ corecmd_exec_shell(prelink_cron_system_t)
+
+ files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
+ files_read_etc_files(prelink_cron_system_t)
+ files_search_var_lib(prelink_cron_system_t)
+
+ init_exec(prelink_cron_system_t)
+
+ libs_exec_ld_so(prelink_cron_system_t)
+
+ logging_search_logs(prelink_cron_system_t)
+
+ miscfiles_read_localization(prelink_cron_system_t)
+
+ cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
+
+ optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+ ')
+')
diff --git a/prelude.fc b/prelude.fc
new file mode 100644
index 0000000..3bd847a
--- /dev/null
+++ b/prelude.fc
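Review bot: `allow prelink_cron_system_t prelink_t:process noatsecure;` in the cron block and `unconfined_domain(prelink_t)` in the optional block above both change prelink's confinement materially and carry no comment: noatsecure keeps AT_SECURE clear across the cron-to-prelink transition, so the dynamic loader honors the caller's environment, and the optional unconfined_domain makes the fine-grained rules above it largely moot wherever the unconfined module is loaded. Each deserves a one-line why-comment, e.g. `# the cron job passes its environment through to prelink (confirm which variable needs this)` and `# prelink rewrites system binaries and libraries; treated as unconfined where that module exists`. The `# Declarations` header on the first lines lacks the closing `#` line that the other .te files in this commit use.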
@@ -0,0 +1,18 @@
+/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0)
+/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+
+/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+
+/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0)
+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
+/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
+/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
+
+/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
+/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0)
+/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
+/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
+/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
+/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
diff --git a/prelude.if b/prelude.if
new file mode 100644
index 0000000..2316653
--- /dev/null
+++ b/prelude.if
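Review bot: `/var/run/prelude-lml.pid` leaves the dot unescaped, so it matches any single character in that position, whereas prelink.fc in the same commit writes `/etc/prelink\.cache`; use `/var/run/prelude-lml\.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)`. Three entries (the correlator config directory, its init script and its binary) write `, s0)` with a space before the level while the rest of the file uses `,s0)`; m4 presumably drops the leading blank so this is cosmetic, but normalizing it keeps the file consistent and greppable.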
@@ -0,0 +1,144 @@
+## Prelude hybrid intrusion detection system
+
+########################################
+##
+## Execute a domain transition to run prelude.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`prelude_domtrans',`
+ gen_require(`
+ type prelude_t, prelude_exec_t;
+ ')
+
+ domtrans_pattern($1, prelude_exec_t, prelude_t)
+')
+
+########################################
+##
+## Execute a domain transition to run prelude_audisp.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`prelude_domtrans_audisp',`
+ gen_require(`
+ type prelude_audisp_t, prelude_audisp_exec_t;
+ ')
+
+ domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
+')
+
+########################################
+##
+## Signal the prelude_audisp domain.
+##
+##
+##
+## Domain allowed acccess.
+##
+##
+#
+interface(`prelude_signal_audisp',`
+ gen_require(`
+ type prelude_audisp_t;
+ ')
+
+ allow $1 prelude_audisp_t:process signal;
+')
+
+########################################
+##
+## Read the prelude spool files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelude_read_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+##
+## Manage to prelude-manager spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelude_manage_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
+ manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an prelude environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`prelude_admin',`
+ gen_require(`
+ type prelude_t, prelude_spool_t;
+ type prelude_var_run_t, prelude_var_lib_t;
+ type prelude_audisp_t, prelude_audisp_var_run_t;
+ type prelude_initrc_exec_t;
+
+ type prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_lml_var_run_t;
+ ')
+
+ allow $1 prelude_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prelude_t)
+
+ allow $1 prelude_audisp_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prelude_audisp_t)
+
+ allow $1 prelude_lml_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prelude_lml_t)
+
+ init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 prelude_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, prelude_spool_t)
+ admin_pattern($1, prelude_var_lib_t)
+ admin_pattern($1, prelude_var_run_t)
+ admin_pattern($1, prelude_audisp_var_run_t)
+ admin_pattern($1, prelude_lml_tmp_t)
+ admin_pattern($1, prelude_lml_var_run_t)
+')
diff --git a/prelude.te b/prelude.te
new file mode 100644
index 0000000..b1bc02c
--- /dev/null
+++ b/prelude.te
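Review bot: `prelude_admin` leaves out prelude_correlator_t, prelude_correlator_config_t and prelude_log_t, all declared in prelude.te in this commit, so a role granted this interface cannot signal or inspect the correlator, manage its configuration, or manage prelude-manager's log files; the rewrite below adds them in the same pattern the interface already uses for the other daemons. `prelude_domtrans` and `prelude_domtrans_audisp` also omit the `corecmd_search_bin($1)` call that `ppp_domtrans` and `prelink_domtrans` in this commit pair with their domtrans_pattern. Two doc nits: the `prelude_signal_audisp` parameter text says "acccess", and the `prelude_manage_spool` summary "Manage to prelude-manager spool files." should read `## Create, read, write, and delete prelude-manager spool files.`.
```selinux
interface(`prelude_admin',`
	gen_require(`
		type prelude_t, prelude_spool_t, prelude_log_t;
		type prelude_var_run_t, prelude_var_lib_t;
		type prelude_audisp_t, prelude_audisp_var_run_t;
		type prelude_correlator_t, prelude_correlator_config_t;
		type prelude_initrc_exec_t;
		# … unchanged: prelude_lml type requires …
	')

	# … unchanged: prelude_t, prelude_audisp_t and prelude_lml_t process rules …

	allow $1 prelude_correlator_t:process { ptrace signal_perms };
	ps_process_pattern($1, prelude_correlator_t)

	# … unchanged: init script transition and role rules …

	admin_pattern($1, prelude_correlator_config_t)
	admin_pattern($1, prelude_log_t)
	# … unchanged: existing admin_pattern lines …
')
```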
@@ -0,0 +1,308 @@ +policy_module(prelude, 1.3.0) + +######################################## +# +# Declarations +# + +type prelude_t; +type prelude_exec_t; +init_daemon_domain(prelude_t, prelude_exec_t) + +type prelude_initrc_exec_t; +init_script_file(prelude_initrc_exec_t) + +type prelude_spool_t; +files_type(prelude_spool_t) + +type prelude_log_t; +logging_log_file(prelude_log_t) + +type prelude_var_run_t; +files_pid_file(prelude_var_run_t) + +type prelude_var_lib_t; +files_type(prelude_var_lib_t) + +type prelude_audisp_t; +type prelude_audisp_exec_t; +init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t) +logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t) + +type prelude_audisp_var_run_t; +files_pid_file(prelude_audisp_var_run_t) + +type prelude_correlator_t; +type prelude_correlator_exec_t; +init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t) +role system_r types prelude_correlator_t; + +type prelude_correlator_config_t; +files_config_file(prelude_correlator_config_t) + +type prelude_lml_t; +type prelude_lml_exec_t; +init_daemon_domain(prelude_lml_t, prelude_lml_exec_t) + +type prelude_lml_tmp_t; +files_tmp_file(prelude_lml_tmp_t) + +type prelude_lml_var_run_t; +files_pid_file(prelude_lml_var_run_t) + +######################################## +# +# prelude local policy +# + +allow prelude_t self:capability { dac_override sys_tty_config }; +allow prelude_t self:fifo_file rw_file_perms; +allow prelude_t self:unix_stream_socket create_stream_socket_perms; +allow prelude_t self:netlink_route_socket r_netlink_socket_perms; +allow prelude_t self:tcp_socket create_stream_socket_perms; + +manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t) +logging_log_filetrans(prelude_t, prelude_log_t, file) + +manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t) +manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t) +files_search_spool(prelude_t) + +manage_dirs_pattern(prelude_t, prelude_var_lib_t, 
prelude_var_lib_t) +manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) +files_search_var_lib(prelude_t) + +manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file }) + +kernel_read_system_state(prelude_t) +kernel_read_sysctl(prelude_t) + +corecmd_search_bin(prelude_t) + +corenet_all_recvfrom_unlabeled(prelude_t) +corenet_all_recvfrom_netlabel(prelude_t) +corenet_tcp_sendrecv_generic_if(prelude_t) +corenet_tcp_sendrecv_generic_node(prelude_t) +corenet_tcp_bind_generic_node(prelude_t) +corenet_tcp_bind_prelude_port(prelude_t) +corenet_tcp_connect_prelude_port(prelude_t) +corenet_tcp_connect_postgresql_port(prelude_t) +corenet_tcp_connect_mysqld_port(prelude_t) + +dev_read_rand(prelude_t) +dev_read_urand(prelude_t) + +files_read_etc_files(prelude_t) +files_read_etc_runtime_files(prelude_t) +files_read_usr_files(prelude_t) +files_search_tmp(prelude_t) + +fs_rw_anon_inodefs_files(prelude_t) + +auth_use_nsswitch(prelude_t) + +logging_send_audit_msgs(prelude_t) +logging_send_syslog_msg(prelude_t) + +miscfiles_read_localization(prelude_t) + +optional_policy(` + mysql_search_db(prelude_t) + mysql_stream_connect(prelude_t) +') + +optional_policy(` + postgresql_stream_connect(prelude_t) +') + +######################################## +# +# prelude_audisp local policy +# + +allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap }; +allow prelude_audisp_t self:process { getcap setcap }; +allow prelude_audisp_t self:fifo_file rw_file_perms; +allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; +allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; +allow prelude_audisp_t self:netlink_route_socket r_netlink_socket_perms; +allow prelude_audisp_t self:tcp_socket create_socket_perms; + 
+manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t) +manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t) +files_search_spool(prelude_audisp_t) + +manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t) +files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file) + +kernel_read_sysctl(prelude_audisp_t) +kernel_read_system_state(prelude_audisp_t) + +corecmd_search_bin(prelude_audisp_t) + +corenet_all_recvfrom_unlabeled(prelude_audisp_t) +corenet_all_recvfrom_netlabel(prelude_audisp_t) +corenet_tcp_sendrecv_generic_if(prelude_audisp_t) +corenet_tcp_sendrecv_generic_node(prelude_audisp_t) +corenet_tcp_bind_generic_node(prelude_audisp_t) +corenet_tcp_connect_prelude_port(prelude_audisp_t) + +dev_read_rand(prelude_audisp_t) +dev_read_urand(prelude_audisp_t) + +# Init script handling +domain_use_interactive_fds(prelude_audisp_t) + +files_read_etc_files(prelude_audisp_t) +files_read_etc_runtime_files(prelude_audisp_t) +files_search_tmp(prelude_audisp_t) + +logging_send_syslog_msg(prelude_audisp_t) + +miscfiles_read_localization(prelude_audisp_t) + +sysnet_dns_name_resolve(prelude_audisp_t) + +######################################## +# +# prelude_correlator local policy +# + +allow prelude_correlator_t self:capability dac_override; +allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms; +allow prelude_correlator_t self:tcp_socket create_stream_socket_perms; +allow prelude_correlator_t self:unix_dgram_socket create_socket_perms; + +allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms; +read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t) + +kernel_read_sysctl(prelude_correlator_t) + +corecmd_search_bin(prelude_correlator_t) + +corenet_all_recvfrom_unlabeled(prelude_correlator_t) +corenet_all_recvfrom_netlabel(prelude_correlator_t) +corenet_tcp_sendrecv_generic_if(prelude_correlator_t) 
+corenet_tcp_sendrecv_generic_node(prelude_correlator_t) +corenet_tcp_connect_prelude_port(prelude_correlator_t) + +dev_read_rand(prelude_correlator_t) +dev_read_urand(prelude_correlator_t) + +files_read_etc_files(prelude_correlator_t) +files_read_usr_files(prelude_correlator_t) +files_search_spool(prelude_correlator_t) + +logging_send_syslog_msg(prelude_correlator_t) + +miscfiles_read_localization(prelude_correlator_t) + +sysnet_dns_name_resolve(prelude_correlator_t) + +prelude_manage_spool(prelude_correlator_t) + +######################################## +# +# prelude_lml local declarations +# + +allow prelude_lml_t self:capability dac_override; +allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect }; +allow prelude_lml_t self:unix_dgram_socket { write create connect }; +allow prelude_lml_t self:fifo_file rw_fifo_file_perms; +allow prelude_lml_t self:unix_stream_socket connectto; + +manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) +manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) +files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir }) +files_list_tmp(prelude_lml_t) + +manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) +manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) +files_search_spool(prelude_lml_t) + +manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) +manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) +files_search_var_lib(prelude_lml_t) + +manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t) +files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file) + +kernel_read_system_state(prelude_lml_t) +kernel_read_sysctl(prelude_lml_t) + +corecmd_exec_bin(prelude_lml_t) + +corenet_tcp_sendrecv_generic_if(prelude_lml_t) +corenet_tcp_sendrecv_generic_node(prelude_lml_t) +corenet_tcp_recvfrom_netlabel(prelude_lml_t) +corenet_tcp_recvfrom_unlabeled(prelude_lml_t) 
+corenet_sendrecv_unlabeled_packets(prelude_lml_t) +corenet_tcp_connect_prelude_port(prelude_lml_t) + +dev_read_rand(prelude_lml_t) +dev_read_urand(prelude_lml_t) + +files_list_etc(prelude_lml_t) +files_read_etc_files(prelude_lml_t) +files_read_etc_runtime_files(prelude_lml_t) + +fs_getattr_all_fs(prelude_lml_t) +fs_list_inotifyfs(prelude_lml_t) +fs_rw_anon_inodefs_files(prelude_lml_t) + +auth_use_nsswitch(prelude_lml_t) + +libs_exec_lib_files(prelude_lml_t) +libs_read_lib_files(prelude_lml_t) + +logging_send_syslog_msg(prelude_lml_t) +logging_read_generic_logs(prelude_lml_t) + +miscfiles_read_localization(prelude_lml_t) + +sysnet_dns_name_resolve(prelude_lml_t) + +userdom_read_all_users_state(prelude_lml_t) + +optional_policy(` + apache_search_sys_content(prelude_lml_t) + apache_read_log(prelude_lml_t) +') + +######################################## +# +# prewikka_cgi Declarations +# + +optional_policy(` + apache_content_template(prewikka) + + can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) + + files_read_etc_files(httpd_prewikka_script_t) + files_search_tmp(httpd_prewikka_script_t) + + kernel_read_sysctl(httpd_prewikka_script_t) + kernel_search_network_sysctl(httpd_prewikka_script_t) + + corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t) + + auth_use_nsswitch(httpd_prewikka_script_t) + + logging_send_syslog_msg(httpd_prewikka_script_t) + + apache_search_sys_content(httpd_prewikka_script_t) + + optional_policy(` + mysql_search_db(httpd_prewikka_script_t) + mysql_stream_connect(httpd_prewikka_script_t) + ') + + optional_policy(` + postgresql_stream_connect(httpd_prewikka_script_t) + ') +') diff --git a/privoxy.fc b/privoxy.fc new file mode 100644 index 0000000..be4998a --- /dev/null +++ b/privoxy.fc 
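Review bot: The correlator section calls the module's own `prelude_manage_spool(prelude_correlator_t)` right after `files_search_spool(prelude_correlator_t)`, which both duplicates the search call the interface already makes and departs from how the audisp and lml sections of this file grant the same access; spelling it out as `manage_dirs_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t)` and `manage_files_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t)` keeps the .te self-contained and consistent. The hand-enumerated `allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };` is harder to audit than the named permission sets the other three domains use; if the lml genuinely only needs a client socket, a short comment saying so next to the rule would make the narrower set look deliberate rather than accidental. The section heading `# prelude_lml local declarations` should read `# prelude_lml local policy` like the three sections above it.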
@@ -0,0 +1,6 @@ +/etc/privoxy/[^/]*\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) +/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0) + +/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0) + +/var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0) diff --git a/privoxy.if b/privoxy.if new file mode 100644 index 0000000..afd1751 --- /dev/null +++ b/privoxy.if @@ -0,0 +1,42 @@ +## Privacy enhancing web proxy. + +######################################## +## +## All of the rules required to administrate +## an privoxy environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`privoxy_admin',` + gen_require(` + type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t; + type privoxy_etc_rw_t, privoxy_var_run_t; + ') + + allow $1 privoxy_t:process { ptrace signal_perms }; + ps_process_pattern($1, privoxy_t) + + init_labeled_script_domtrans($1, privoxy_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 privoxy_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, privoxy_log_t) + + files_list_etc($1) + admin_pattern($1, privoxy_etc_rw_t) + + files_list_pids($1) + admin_pattern($1, privoxy_var_run_t) +') diff --git a/privoxy.te b/privoxy.te new file mode 100644 index 0000000..2dbf4d4 --- /dev/null +++ b/privoxy.te @@ -0,0 +1,103 @@ +policy_module(privoxy, 1.11.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow privoxy to connect to all ports, not just +## HTTP, FTP, and Gopher ports. +##

+##
+gen_tunable(privoxy_connect_any, false) + +type privoxy_t; # web_client_domain +type privoxy_exec_t; +init_daemon_domain(privoxy_t, privoxy_exec_t) + +type privoxy_initrc_exec_t; +init_script_file(privoxy_initrc_exec_t) + +type privoxy_etc_rw_t; +files_type(privoxy_etc_rw_t) + +type privoxy_log_t; +logging_log_file(privoxy_log_t) + +type privoxy_var_run_t; +files_pid_file(privoxy_var_run_t) + +######################################## +# +# Local Policy +# + +allow privoxy_t self:capability { setgid setuid }; +dontaudit privoxy_t self:capability sys_tty_config; +allow privoxy_t self:tcp_socket create_stream_socket_perms; + +allow privoxy_t privoxy_etc_rw_t:file rw_file_perms; + +manage_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t) +logging_log_filetrans(privoxy_t, privoxy_log_t, file) + +manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t) +files_pid_filetrans(privoxy_t, privoxy_var_run_t, file) + +kernel_read_system_state(privoxy_t) +kernel_read_kernel_sysctls(privoxy_t) + +corenet_all_recvfrom_unlabeled(privoxy_t) +corenet_all_recvfrom_netlabel(privoxy_t) +corenet_tcp_sendrecv_generic_if(privoxy_t) +corenet_tcp_sendrecv_generic_node(privoxy_t) +corenet_tcp_sendrecv_all_ports(privoxy_t) +corenet_tcp_bind_generic_node(privoxy_t) +corenet_tcp_bind_http_cache_port(privoxy_t) +corenet_tcp_connect_http_port(privoxy_t) +corenet_tcp_connect_http_cache_port(privoxy_t) +corenet_tcp_connect_squid_port(privoxy_t) +corenet_tcp_connect_ftp_port(privoxy_t) +corenet_tcp_connect_pgpkeyserver_port(privoxy_t) +corenet_tcp_connect_tor_port(privoxy_t) +corenet_sendrecv_http_cache_client_packets(privoxy_t) +corenet_sendrecv_squid_client_packets(privoxy_t) +corenet_sendrecv_http_cache_server_packets(privoxy_t) +corenet_sendrecv_http_client_packets(privoxy_t) +corenet_sendrecv_ftp_client_packets(privoxy_t) +corenet_sendrecv_tor_client_packets(privoxy_t) + +dev_read_sysfs(privoxy_t) + +fs_getattr_all_fs(privoxy_t) +fs_search_auto_mountpoints(privoxy_t) + 
+domain_use_interactive_fds(privoxy_t) + +files_read_etc_files(privoxy_t) + +auth_use_nsswitch(privoxy_t) + +logging_send_syslog_msg(privoxy_t) + +miscfiles_read_localization(privoxy_t) + +userdom_dontaudit_use_unpriv_user_fds(privoxy_t) +userdom_dontaudit_search_user_home_dirs(privoxy_t) +# cjp: this should really not be needed +userdom_use_user_terminals(privoxy_t) + +tunable_policy(`privoxy_connect_any',` + corenet_tcp_connect_all_ports(privoxy_t) + corenet_sendrecv_all_client_packets(privoxy_t) +') + +optional_policy(` + seutil_sigchld_newrole(privoxy_t) +') + +optional_policy(` + udev_read_db(privoxy_t) +') diff --git a/procmail.fc b/procmail.fc new file mode 100644 index 0000000..1343621 --- /dev/null +++ b/procmail.fc @@ -0,0 +1,5 @@ + +/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) + +/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) +/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) diff --git a/procmail.if b/procmail.if new file mode 100644 index 0000000..b64b02f --- /dev/null +++ b/procmail.if 
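Review bot: The description of the `privoxy_connect_any` tunable does not match the baseline the policy grants: it says "not just HTTP, FTP, and Gopher ports", but the unconditional rules connect to the http, http_cache, squid, ftp, pgpkeyserver and tor ports and there is no gopher rule at all, so an administrator deciding whether to flip the boolean is told the wrong starting point. Suggested wording: `## Allow privoxy to connect to all ports, not just the HTTP, HTTP cache, squid, FTP, PGP keyserver and Tor ports.` Separately, `userdom_use_user_terminals(privoxy_t)` ships with the note `# cjp: this should really not be needed`; a rule the author believes unnecessary grants a daemon read/write on user ttys, so it would be better turned into the dontaudit variant of that interface if one is available, or given a comment naming the observed denial that justifies it.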
@@ -0,0 +1,79 @@ +## Procmail mail delivery agent + +######################################## +## +## Execute procmail with a domain transition. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`procmail_domtrans',` + gen_require(` + type procmail_exec_t, procmail_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, procmail_exec_t, procmail_t) +') + +######################################## +## +## Execute procmail in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`procmail_exec',` + gen_require(` + type procmail_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, procmail_exec_t) +') + +######################################## +## +## Read procmail tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`procmail_read_tmp_files',` + gen_require(` + type procmail_tmp_t; + ') + + files_search_tmp($1) + allow $1 procmail_tmp_t:file read_file_perms; +') + +######################################## +## +## Read/write procmail tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`procmail_rw_tmp_files',` + gen_require(` + type procmail_tmp_t; + ') + + files_search_tmp($1) + rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) +') diff --git a/procmail.te b/procmail.te new file mode 100644 index 0000000..29b9295 --- /dev/null +++ b/procmail.te 
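Review bot: `procmail_read_tmp_files` grants a bare `allow $1 procmail_tmp_t:file read_file_perms;` while its sibling `procmail_rw_tmp_files` uses `rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)`; the two should be written the same way, i.e. `read_files_pattern($1, procmail_tmp_t, procmail_tmp_t)`, so that a caller also gets directory search should procmail ever create a `procmail_tmp_t` directory (procmail.te today only transitions files, so this is presumably latent rather than a current denial). It also keeps the interface in line with the `rw_files_pattern` form used elsewhere in this commit.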
@@ -0,0 +1,150 @@ +policy_module(procmail, 1.12.0) + +######################################## +# +# Declarations +# + +type procmail_t; +type procmail_exec_t; +application_domain(procmail_t, procmail_exec_t) +role system_r types procmail_t; + +type procmail_log_t; +logging_log_file(procmail_log_t) + +type procmail_tmp_t; +files_tmp_file(procmail_tmp_t) + +######################################## +# +# Local policy +# + +allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; +allow procmail_t self:process { setsched signal signull }; +allow procmail_t self:fifo_file rw_fifo_file_perms; +allow procmail_t self:unix_stream_socket create_socket_perms; +allow procmail_t self:unix_dgram_socket create_socket_perms; +allow procmail_t self:tcp_socket create_stream_socket_perms; +allow procmail_t self:udp_socket create_socket_perms; + +can_exec(procmail_t, procmail_exec_t) + +# Write log to /var/log/procmail.log or /var/log/procmail/.* +allow procmail_t procmail_log_t:dir setattr; +create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) +append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) +read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) +logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) + +allow procmail_t procmail_tmp_t:file manage_file_perms; +files_tmp_filetrans(procmail_t, procmail_tmp_t, file) + +kernel_read_system_state(procmail_t) +kernel_read_kernel_sysctls(procmail_t) + +corenet_all_recvfrom_unlabeled(procmail_t) +corenet_all_recvfrom_netlabel(procmail_t) +corenet_tcp_sendrecv_generic_if(procmail_t) +corenet_udp_sendrecv_generic_if(procmail_t) +corenet_tcp_sendrecv_generic_node(procmail_t) +corenet_udp_sendrecv_generic_node(procmail_t) +corenet_tcp_sendrecv_all_ports(procmail_t) +corenet_udp_sendrecv_all_ports(procmail_t) +corenet_udp_bind_generic_node(procmail_t) +corenet_tcp_connect_spamd_port(procmail_t) +corenet_sendrecv_spamd_client_packets(procmail_t) 
+corenet_sendrecv_comsat_client_packets(procmail_t) + +dev_read_urand(procmail_t) + +fs_getattr_xattr_fs(procmail_t) +fs_search_auto_mountpoints(procmail_t) +fs_rw_anon_inodefs_files(procmail_t) + +auth_use_nsswitch(procmail_t) + +corecmd_exec_bin(procmail_t) +corecmd_exec_shell(procmail_t) +corecmd_read_bin_symlinks(procmail_t) + +files_read_etc_files(procmail_t) +files_read_etc_runtime_files(procmail_t) +files_search_pids(procmail_t) +# for spamassasin +files_read_usr_files(procmail_t) + +logging_send_syslog_msg(procmail_t) + +miscfiles_read_localization(procmail_t) + +# only works until we define a different type for maildir +userdom_manage_user_home_content_dirs(procmail_t) +userdom_manage_user_home_content_files(procmail_t) +userdom_manage_user_home_content_symlinks(procmail_t) +userdom_manage_user_home_content_pipes(procmail_t) +userdom_manage_user_home_content_sockets(procmail_t) +userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) + +# Do not audit attempts to access /root. 
+userdom_dontaudit_search_user_home_dirs(procmail_t) + +mta_manage_spool(procmail_t) +mta_read_queue(procmail_t) + +ifdef(`hide_broken_symptoms',` + mta_dontaudit_rw_queue(procmail_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(procmail_t) + fs_manage_nfs_files(procmail_t) + fs_manage_nfs_symlinks(procmail_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(procmail_t) + fs_manage_cifs_files(procmail_t) + fs_manage_cifs_symlinks(procmail_t) +') + +optional_policy(` + clamav_domtrans_clamscan(procmail_t) + clamav_search_lib(procmail_t) +') + +optional_policy(` + munin_dontaudit_search_lib(procmail_t) +') + +optional_policy(` + # for a bug in the postfix local program + postfix_dontaudit_rw_local_tcp_sockets(procmail_t) + postfix_dontaudit_use_fds(procmail_t) + postfix_read_spool_files(procmail_t) + postfix_read_local_state(procmail_t) + postfix_read_master_state(procmail_t) +') + +optional_policy(` + pyzor_domtrans(procmail_t) + pyzor_signal(procmail_t) +') + +optional_policy(` + mta_read_config(procmail_t) + sendmail_domtrans(procmail_t) + sendmail_signal(procmail_t) + sendmail_dontaudit_rw_tcp_sockets(procmail_t) + sendmail_dontaudit_rw_unix_stream_sockets(procmail_t) +') + +optional_policy(` + corenet_udp_bind_generic_port(procmail_t) + corenet_dontaudit_udp_bind_all_ports(procmail_t) + + spamassassin_domtrans_local_client(procmail_t) + spamassassin_domtrans_client(procmail_t) + spamassassin_read_lib_files(procmail_t) +') diff --git a/psad.fc b/psad.fc new file mode 100644 index 0000000..6c66d44 --- /dev/null +++ b/psad.fc 
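Review bot: `corecmd_exec_bin(procmail_t)` and `corecmd_exec_shell(procmail_t)` carry no why-comment, although the narrower grants around them do (`# for spamassasin`, `# only works until we define a different type for maildir`), and together with the `{ sys_nice chown fsetid setuid setgid dac_override }` capability set and the `userdom_manage_user_home_content_*` rules they define how much a recipe-driven helper can do inside `procmail_t`. Presumably the exec rules exist because recipe files pipe messages through external programs that do not get their own domain; a comment such as `# recipes pipe messages through arbitrary programs; those run in procmail_t` above the corecmd block would record that for the next reader and make the lack of a domain transition visibly intentional. The comment `# for spamassasin` also misspells spamassassin.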
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0)
+/etc/psad(/.*)? gen_context(system_u:object_r:psad_etc_t,s0)
+
+/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0)
+
+/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0)
+/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0)
+/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0)
diff --git a/psad.if b/psad.if
new file mode 100644
index 0000000..bc329d1
--- /dev/null
+++ b/psad.if
@@ -0,0 +1,262 @@ +## Intrusion Detection and Log Analysis with iptables + +######################################## +## +## Execute a domain transition to run psad. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`psad_domtrans',` + gen_require(` + type psad_t, psad_exec_t; + ') + + domtrans_pattern($1, psad_exec_t, psad_t) +') + +######################################## +## +## Send a generic signal to psad +## +## +## +## Domain allowed access. +## +## +# +interface(`psad_signal',` + gen_require(` + type psad_t; + ') + + allow $1 psad_t:process signal; +') + +####################################### +## +## Send a null signal to psad. +## +## +## +## Domain allowed access. +## +## +# +interface(`psad_signull',` + gen_require(` + type psad_t; + ') + + allow $1 psad_t:process signull; +') + +######################################## +## +## Read psad etc configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`psad_read_config',` + gen_require(` + type psad_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, psad_etc_t, psad_etc_t) +') + +######################################## +## +## Manage psad etc configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`psad_manage_config',` + gen_require(` + type psad_etc_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, psad_etc_t, psad_etc_t) + manage_files_pattern($1, psad_etc_t, psad_etc_t) + +') + +######################################## +## +## Read psad PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`psad_read_pid_files',` + gen_require(` + type psad_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, psad_var_run_t, psad_var_run_t) +') + +######################################## +## +## Read psad PID files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`psad_rw_pid_files',` + gen_require(` + type psad_var_run_t; + ') + + files_search_pids($1) + rw_files_pattern($1, psad_var_run_t, psad_var_run_t) +') + +######################################## +## +## Allow the specified domain to read psad's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`psad_read_log',` + gen_require(` + type psad_var_log_t; + ') + + logging_search_logs($1) + list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) + read_files_pattern($1, psad_var_log_t, psad_var_log_t) +') + +######################################## +## +## Allow the specified domain to append to psad's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`psad_append_log',` + gen_require(` + type psad_var_log_t; + ') + + logging_search_logs($1) + list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) + append_files_pattern($1, psad_var_log_t, psad_var_log_t) +') + +######################################## +## +## Read and write psad fifo files. +## +## +## +## Domain allowed access. +## +## +# +interface(`psad_rw_fifo_file',` + gen_require(` + type psad_t; + ') + + files_search_var_lib($1) + search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) + rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t) +') + +####################################### +## +## Read and write psad tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`psad_rw_tmp_files',` + gen_require(` + type psad_tmp_t; + ') + + files_search_tmp($1) + rw_files_pattern($1, psad_tmp_t, psad_tmp_t) +') + +######################################## +## +## All of the rules required to administrate +## an psad environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the syslog domain. 
+## +## +## +# +interface(`psad_admin',` + gen_require(` + type psad_t, psad_var_run_t, psad_var_log_t; + type psad_initrc_exec_t, psad_var_lib_t; + type psad_tmp_t; + ') + + allow $1 psad_t:process { ptrace signal_perms }; + ps_process_pattern($1, psad_t) + + init_labeled_script_domtrans($1, psad_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 psad_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) + admin_pattern($1, psad_etc_t) + + files_search_pids($1) + admin_pattern($1, psad_var_run_t) + + logging_search_logs($1) + admin_pattern($1, psad_var_log_t) + + files_search_var_lib($1) + admin_pattern($1, psad_var_lib_t) + + files_search_tmp($1) + admin_pattern($1, psad_tmp_t) +') diff --git a/psad.te b/psad.te new file mode 100644 index 0000000..d4000e0 --- /dev/null +++ b/psad.te 
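Review bot: Two interfaces in this hunk have `gen_require` blocks that do not match their bodies: `psad_rw_fifo_file` requires only `type psad_t;`, which it never uses, but references `psad_var_lib_t` in its `search_dirs_pattern` and `rw_fifo_files_pattern` calls, and `psad_admin` calls `admin_pattern($1, psad_etc_t)` without requiring `psad_etc_t`; a module calling either interface should fail to build on the unrequired type. The fixes are `type psad_var_lib_t;` in `psad_rw_fifo_file` and `type psad_t, psad_etc_t, psad_var_run_t, psad_var_log_t;` as the first require line of `psad_admin`. The documentation also carries copy-paste residue: `psad_rw_pid_files` is summarised as "Read psad PID files." and should say `Read and write psad PID files.`, and the role parameter of `psad_admin` is described as "The role to be allowed to manage the syslog domain." where `Role allowed access.` is meant. `psad_manage_config` ends with a stray blank line before `')`.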
@@ -0,0 +1,106 @@ +policy_module(psad, 1.0.0) + +######################################## +# +# Declarations +# + +type psad_t; +type psad_exec_t; +init_daemon_domain(psad_t, psad_exec_t) + +# config files +type psad_etc_t; +files_type(psad_etc_t) + +type psad_initrc_exec_t; +init_script_file(psad_initrc_exec_t) + +# var/lib files +type psad_var_lib_t; +files_type(psad_var_lib_t) + +# log files +type psad_var_log_t; +logging_log_file(psad_var_log_t) + +# pid files +type psad_var_run_t; +files_pid_file(psad_var_run_t) + +# tmp files +type psad_tmp_t; +files_tmp_file(psad_tmp_t) + +######################################## +# +# psad local policy +# + +allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; +dontaudit psad_t self:capability sys_tty_config; +allow psad_t self:process signull; +allow psad_t self:fifo_file rw_fifo_file_perms; +allow psad_t self:rawip_socket create_socket_perms; + +# config files +read_files_pattern(psad_t, psad_etc_t, psad_etc_t) +list_dirs_pattern(psad_t, psad_etc_t, psad_etc_t) + +# log files +manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t) +manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) +logging_log_filetrans(psad_t, psad_var_log_t, { file dir }) + +# pid file +manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) +manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) +files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file }) + +# tmp files +manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t) +manage_files_pattern(psad_t, psad_tmp_t, psad_tmp_t) +files_tmp_filetrans(psad_t, psad_tmp_t, { file dir }) + +# /var/lib files +search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) +manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) + +kernel_read_system_state(psad_t) +kernel_read_network_state(psad_t) +kernel_read_net_sysctls(psad_t) + +corecmd_exec_shell(psad_t) +corecmd_exec_bin(psad_t) + +corenet_all_recvfrom_unlabeled(psad_t) 
+corenet_all_recvfrom_netlabel(psad_t) +corenet_tcp_sendrecv_generic_if(psad_t) +corenet_tcp_sendrecv_generic_node(psad_t) +corenet_tcp_bind_generic_node(psad_t) +corenet_tcp_sendrecv_all_ports(psad_t) +corenet_tcp_connect_whois_port(psad_t) +corenet_sendrecv_whois_client_packets(psad_t) + +dev_read_urand(psad_t) + +files_read_etc_runtime_files(psad_t) + +fs_getattr_all_fs(psad_t) + +auth_use_nsswitch(psad_t) + +iptables_domtrans(psad_t) + +logging_read_generic_logs(psad_t) +logging_read_syslog_config(psad_t) +logging_send_syslog_msg(psad_t) + +miscfiles_read_localization(psad_t) + +sysnet_exec_ifconfig(psad_t) + +optional_policy(` + mta_send_mail(psad_t) + mta_read_queue(psad_t) +') diff --git a/ptchown.fc b/ptchown.fc new file mode 100644 index 0000000..9fc398e --- /dev/null +++ b/ptchown.fc @@ -0,0 +1 @@ +/usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0) diff --git a/ptchown.if b/ptchown.if new file mode 100644 index 0000000..96cc023 --- /dev/null +++ b/ptchown.if @@ -0,0 +1,44 @@ +## helper function for grantpt(3), changes ownship and permissions of pseudotty + +######################################## +## +## Execute a domain transition to run ptchown. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`ptchown_domtrans',` + gen_require(` + type ptchown_t, ptchown_exec_t; + ') + + domtrans_pattern($1, ptchown_exec_t, ptchown_t) +') + +######################################## +## +## Execute ptchown in the ptchown domain, and +## allow the specified role the ptchown domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`ptchown_run',` + gen_require(` + type ptchown_t; + ') + + ptchown_domtrans($1) + role $2 types ptchown_t; +') diff --git a/ptchown.te b/ptchown.te new file mode 100644 index 0000000..d90245a --- /dev/null +++ b/ptchown.te 
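Review bot: `allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };` has no comment explaining why the daemon's own domain needs `net_admin` when firewall changes are delegated through `iptables_domtrans(psad_t)` and packet capture is already covered by `net_raw` together with the `rawip_socket` rule; if an audit log shows `net_admin` is used directly (for example by sysctl writes), a one-line comment naming that use would justify keeping a capability that otherwise widens the domain considerably. `corenet_tcp_bind_generic_node(psad_t)` is also granted without any `corenet_tcp_bind_*_port` call, so it either grants nothing useful or a port bind was left out; either way it deserves a comment or removal. The file's per-type comments (`# config files`, `# log files`) are a good pattern that the other modules in this commit do not follow.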
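Review bot: The module summary in ptchown.if misspells "ownership": `## helper function for grantpt(3), changes ownership and permissions of pseudotty`. This line is what ends up in the generated interface documentation, so it is worth correcting in the same commit.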
@@ -0,0 +1,31 @@
+policy_module(ptchown, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type ptchown_t;
+type ptchown_exec_t;
+application_domain(ptchown_t, ptchown_exec_t)
+role system_r types ptchown_t;
+
+########################################
+#
+# ptchown local policy
+#
+
+allow ptchown_t self:capability { chown fowner fsetid setuid };
+allow ptchown_t self:process { getcap setcap };
+
+files_read_etc_files(ptchown_t)
+
+fs_rw_anon_inodefs_files(ptchown_t)
+
+term_setattr_generic_ptys(ptchown_t)
+term_getattr_all_ptys(ptchown_t)
+term_setattr_all_ptys(ptchown_t)
+term_use_generic_ptys(ptchown_t)
+term_use_ptmx(ptchown_t)
+
+miscfiles_read_localization(ptchown_t)
diff --git a/publicfile.fc b/publicfile.fc
new file mode 100644
index 0000000..5b20b68
--- /dev/null
+++ b/publicfile.fc
@@ -0,0 +1,7 @@
+
+/usr/bin/ftpd -- gen_context(system_u:object_r:publicfile_exec_t,s0)
+/usr/bin/httpd -- gen_context(system_u:object_r:publicfile_exec_t,s0)
+
+# this is the place where online content located
+# set this to suit your needs
+#/var/www(/.*)? gen_context(system_u:object_r:publicfile_content_t,s0)
diff --git a/publicfile.if b/publicfile.if
new file mode 100644
index 0000000..5b07592
--- /dev/null
+++ b/publicfile.if
@@ -0,0 +1 @@
+## publicfile supplies files to the public through HTTP and FTP
diff --git a/publicfile.te b/publicfile.te
new file mode 100644
index 0000000..32edb73
--- /dev/null
+++ b/publicfile.te
@@ -0,0 +1,34 @@ +policy_module(publicfile, 1.1.0) + +######################################## +# +# Declarations +# + +type publicfile_t; +type publicfile_exec_t; +init_daemon_domain(publicfile_t, publicfile_exec_t) + +type publicfile_content_t; +files_type(publicfile_content_t) + +######################################## +# +# Local policy +# + +allow publicfile_t self:capability { dac_override setgid setuid sys_chroot }; +allow publicfile_t publicfile_content_t:dir list_dir_perms; +allow publicfile_t publicfile_content_t:file read_file_perms; + +files_search_var(publicfile_t) + +optional_policy(` + daemontools_ipc_domain(publicfile_t) +') + +optional_policy(` + ucspitcp_service_domain(publicfile_t, publicfile_exec_t) +') + +#allow publicfile_t initrc_t:tcp_socket { read write }; diff --git a/pulseaudio.fc b/pulseaudio.fc new file mode 100644 index 0000000..84f23dc --- /dev/null +++ b/pulseaudio.fc @@ -0,0 +1,7 @@ +HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) + +/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) + +/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) +/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --git a/pulseaudio.if b/pulseaudio.if new file mode 100644 index 0000000..f40c64d --- /dev/null +++ b/pulseaudio.if 
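Review bot: publicfile.te ends with a commented-out rule, `#allow publicfile_t initrc_t:tcp_socket { read write };`, with nothing saying whether the access is still needed; dead rules like this tend to be uncommented later without review. If the listening socket is always inherited through `ucspitcp_service_domain(publicfile_t, publicfile_exec_t)` the line can simply be dropped; if the daemon is also started from an init script and really does inherit an `initrc_t` socket, the access should be expressed through the appropriate `init_*` interface with a comment naming that case rather than a raw rule on `initrc_t`. The commented `/var/www` entry in publicfile.fc that this module relies on for `publicfile_content_t` labelling would also be worth cross-referencing here, since without a file context the type declared on the `type publicfile_content_t;` line is never applied.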
@@ -0,0 +1,260 @@ +## Pulseaudio network sound server. + +######################################## +## +## Role access for pulseaudio +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`pulseaudio_role',` + gen_require(` + type pulseaudio_t, pulseaudio_exec_t; + class dbus { acquire_svc send_msg }; + ') + + role $1 types pulseaudio_t; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t) + + ps_process_pattern($2, pulseaudio_t) + + allow pulseaudio_t $2:process { signal signull }; + allow $2 pulseaudio_t:process { signal signull sigkill }; + ps_process_pattern(pulseaudio_t, $2) + + allow pulseaudio_t $2:unix_stream_socket connectto; + allow $2 pulseaudio_t:unix_stream_socket connectto; + + allow $2 pulseaudio_t:dbus send_msg; + allow pulseaudio_t $2:dbus { acquire_svc send_msg }; +') + +######################################## +## +## Execute a domain transition to run pulseaudio. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`pulseaudio_domtrans',` + gen_require(` + type pulseaudio_t, pulseaudio_exec_t; + ') + + domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t) +') + +######################################## +## +## Execute pulseaudio in the pulseaudio domain, and +## allow the specified role the pulseaudio domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`pulseaudio_run',` + gen_require(` + type pulseaudio_t; + ') + + pulseaudio_domtrans($1) + role $2 types pulseaudio_t; +') + +######################################## +## +## Execute a pulseaudio in the current domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_exec',` + gen_require(` + type pulseaudio_exec_t; + ') + + can_exec($1, pulseaudio_exec_t) +') + +######################################## +## +## Do not audit to execute a pulseaudio. +## +## +## +## Domain to not audit. 
+## +## +# +interface(`pulseaudio_dontaudit_exec',` + gen_require(` + type pulseaudio_exec_t; + ') + + dontaudit $1 pulseaudio_exec_t:file exec_file_perms; +') + +######################################## +## +## Send signull signal to pulseaudio +## processes. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_signull',` + gen_require(` + type pulseaudio_t; + ') + + allow $1 pulseaudio_t:process signull; +') + +##################################### +## +## Connect to pulseaudio over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_stream_connect',` + gen_require(` + type pulseaudio_t, pulseaudio_var_run_t; + ') + + files_search_pids($1) + allow $1 pulseaudio_t:process signull; + allow pulseaudio_t $1:process signull; + stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) +') + +######################################## +## +## Send and receive messages from +## pulseaudio over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_dbus_chat',` + gen_require(` + type pulseaudio_t; + class dbus send_msg; + ') + + allow $1 pulseaudio_t:dbus send_msg; + allow pulseaudio_t $1:dbus send_msg; +') + +######################################## +## +## Set the attributes of the pulseaudio homedir. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_setattr_home_dir',` + gen_require(` + type pulseaudio_home_t; + ') + + allow $1 pulseaudio_home_t:dir setattr; +') + +######################################## +## +## Read pulseaudio homedir files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`pulseaudio_read_home_files',` + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) + read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) +') + +######################################## +## +## Read and write Pulse Audio files. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_rw_home_files',` + gen_require(` + type pulseaudio_home_t; + ') + + rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## +## Create, read, write, and delete pulseaudio +## home directory files. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_manage_home_files',` + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) +') diff --git a/pulseaudio.te b/pulseaudio.te new file mode 100644 index 0000000..a15489a --- /dev/null +++ b/pulseaudio.te 
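Review bot: `pulseaudio_stream_connect` grants `allow $1 pulseaudio_t:process signull;` and `allow pulseaudio_t $1:process signull;` on top of the socket connect that its summary describes, so every caller silently receives a bidirectional null-signal rule the interface name does not announce; either drop those two lines in favour of the existing `pulseaudio_signull`, or extend the summary to `## Connect to pulseaudio over a unix domain stream socket and exchange null signals with it.` The three home-file interfaces (`pulseaudio_read_home_files`, `pulseaudio_rw_home_files`, `pulseaudio_manage_home_files`) act on pulseaudio_home_t, which the `.fc` hunk also assigns to `HOME_DIR/\.pulse-cookie`, the file pulseaudio uses to authenticate clients; each summary should state that the caller gains access to that cookie, since read access alone is enough to impersonate the user to the sound server.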
@@ -0,0 +1,150 @@ +policy_module(pulseaudio, 1.4.0) + +######################################## +# +# Declarations +# + +type pulseaudio_t; +type pulseaudio_exec_t; +init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) +application_domain(pulseaudio_t, pulseaudio_exec_t) +ubac_constrained(pulseaudio_t) +role system_r types pulseaudio_t; + +type pulseaudio_home_t; +userdom_user_home_content(pulseaudio_home_t) + +type pulseaudio_tmpfs_t; +files_tmpfs_file(pulseaudio_tmpfs_t) +ubac_constrained(pulseaudio_tmpfs_t) + +type pulseaudio_var_lib_t; +files_type(pulseaudio_var_lib_t) +ubac_constrained(pulseaudio_var_lib_t) + +type pulseaudio_var_run_t; +files_pid_file(pulseaudio_var_run_t) +ubac_constrained(pulseaudio_var_run_t) + +######################################## +# +# pulseaudio local policy +# + +allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }; +allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; +allow pulseaudio_t self:fifo_file rw_file_perms; +allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; +allow pulseaudio_t self:tcp_socket create_stream_socket_perms; +allow pulseaudio_t self:udp_socket create_socket_perms; +allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; + +manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) +manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) +userdom_search_user_home_dirs(pulseaudio_t) + +manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) + +manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, 
pulseaudio_var_run_t) +manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) + +can_exec(pulseaudio_t, pulseaudio_exec_t) + +kernel_getattr_proc(pulseaudio_t) +kernel_read_system_state(pulseaudio_t) +kernel_read_kernel_sysctls(pulseaudio_t) + +corecmd_exec_bin(pulseaudio_t) + +corenet_all_recvfrom_unlabeled(pulseaudio_t) +corenet_all_recvfrom_netlabel(pulseaudio_t) +corenet_tcp_bind_pulseaudio_port(pulseaudio_t) +corenet_tcp_bind_soundd_port(pulseaudio_t) +corenet_tcp_sendrecv_generic_if(pulseaudio_t) +corenet_tcp_sendrecv_generic_node(pulseaudio_t) +corenet_udp_bind_sap_port(pulseaudio_t) +corenet_udp_sendrecv_generic_if(pulseaudio_t) +corenet_udp_sendrecv_generic_node(pulseaudio_t) + +dev_read_sound(pulseaudio_t) +dev_write_sound(pulseaudio_t) +dev_read_sysfs(pulseaudio_t) +dev_read_urand(pulseaudio_t) + +files_read_etc_files(pulseaudio_t) +files_read_usr_files(pulseaudio_t) + +fs_rw_anon_inodefs_files(pulseaudio_t) +fs_getattr_tmpfs(pulseaudio_t) +fs_list_inotifyfs(pulseaudio_t) + +term_use_all_ttys(pulseaudio_t) +term_use_all_ptys(pulseaudio_t) + +auth_use_nsswitch(pulseaudio_t) + +logging_send_syslog_msg(pulseaudio_t) + +miscfiles_read_localization(pulseaudio_t) + +# cjp: this seems excessive. 
need to confirm +userdom_manage_user_home_content_files(pulseaudio_t) +userdom_manage_user_tmp_files(pulseaudio_t) +userdom_manage_user_tmpfs_files(pulseaudio_t) + +optional_policy(` + bluetooth_stream_connect(pulseaudio_t) +') + +optional_policy(` + dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) + dbus_system_bus_client(pulseaudio_t) + dbus_session_bus_client(pulseaudio_t) + dbus_connect_session_bus(pulseaudio_t) + + optional_policy(` + consolekit_dbus_chat(pulseaudio_t) + ') + + optional_policy(` + hal_dbus_chat(pulseaudio_t) + ') + + optional_policy(` + policykit_dbus_chat(pulseaudio_t) + ') + + optional_policy(` + rpm_dbus_chat(pulseaudio_t) + ') +') + +optional_policy(` + rtkit_scheduled(pulseaudio_t) +') + +optional_policy(` + policykit_domtrans_auth(pulseaudio_t) + policykit_read_lib(pulseaudio_t) + policykit_read_reload(pulseaudio_t) +') + +optional_policy(` + udev_read_state(pulseaudio_t) + udev_read_db(pulseaudio_t) +') + +optional_policy(` + xserver_stream_connect(pulseaudio_t) + xserver_manage_xdm_tmp_files(pulseaudio_t) + xserver_read_xdm_lib_files(pulseaudio_t) + xserver_read_xdm_pid(pulseaudio_t) + xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) +') diff --git a/puppet.fc b/puppet.fc new file mode 100644 index 0000000..2f1e529 --- /dev/null +++ b/puppet.fc @@ -0,0 +1,11 @@ +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) + +/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) +/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) + +/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) +/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) + +/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) 
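Review bot: `userdom_manage_user_home_content_files(pulseaudio_t)` gives a daemon that binds network ports (`corenet_tcp_bind_pulseaudio_port`, `corenet_tcp_bind_soundd_port`) and accepts unlabeled traffic (`corenet_all_recvfrom_unlabeled`) write access to every user's home content, and the in-hunk `# cjp: this seems excessive. need to confirm` shows the question was never closed. The module already declares pulseaudio_home_t with `manage_dirs_pattern`/`manage_files_pattern` and `userdom_search_user_home_dirs`, so the wide rule looks redundant; if a specific non-pulse path is needed, name it in the comment and narrow to it, otherwise drop the three `userdom_manage_user_*` lines together. `term_use_all_ttys(pulseaudio_t)`/`term_use_all_ptys(pulseaudio_t)` deserve the same justification, since a sound server rarely needs every terminal.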
diff --git a/puppet.if b/puppet.if new file mode 100644 index 0000000..2855a44 --- /dev/null +++ b/puppet.if @@ -0,0 +1,31 @@ +## Puppet client daemon +## +##

+## Puppet is a configuration management system written in Ruby. +## The client daemon is responsible for periodically requesting the +## desired system state from the server and ensuring the state of +## the client system matches. +##

+##
+ +################################################ +## +## Read / Write to Puppet temp files. Puppet uses +## some system binaries (groupadd, etc) that run in +## a non-puppet domain and redirects output into temp +## files. +## +## +## +## Domain allowed access. +## +## +# +interface(`puppet_rw_tmp', ` + gen_require(` + type puppet_tmp_t; + ') + + allow $1 puppet_tmp_t:file rw_file_perms; + files_search_tmp($1) +') diff --git a/puppet.te b/puppet.te new file mode 100644 index 0000000..941f6e1 --- /dev/null +++ b/puppet.te @@ -0,0 +1,235 @@ +policy_module(puppet, 1.1.1) + +######################################## +# +# Declarations +# + +## +##
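Review bot: the header is written `interface(`puppet_rw_tmp', `` with a space before the body quote, unlike every other interface in this commit (`interface(`pyzor_signal',``); m4 tolerates it, but keep the conventional `interface(`puppet_rw_tmp',`` so the file matches refpolicy style. The summary says helpers running in other domains have output "redirected into temp files", yet the interface grants only `allow $1 puppet_tmp_t:file rw_file_perms;` and no create or file transition; if those helpers ever create the file, callers will need a create/filetrans rule too, or the summary should state that the files already exist when the helper runs.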

+## Allow Puppet client to manage all file +## types. +##

+##
+gen_tunable(puppet_manage_all_files, false) + +type puppet_t; +type puppet_exec_t; +init_daemon_domain(puppet_t, puppet_exec_t) + +type puppet_etc_t; +files_config_file(puppet_etc_t) + +type puppet_initrc_exec_t; +init_script_file(puppet_initrc_exec_t) + +type puppet_log_t; +logging_log_file(puppet_log_t) + +type puppet_tmp_t; +files_tmp_file(puppet_tmp_t) + +type puppet_var_lib_t; +files_type(puppet_var_lib_t) + +type puppet_var_run_t; +files_pid_file(puppet_var_run_t) + +type puppetmaster_t; +type puppetmaster_exec_t; +init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) + +type puppetmaster_initrc_exec_t; +init_script_file(puppetmaster_initrc_exec_t) + +type puppetmaster_tmp_t; +files_tmp_file(puppetmaster_tmp_t) + +######################################## +# +# Puppet personal policy +# + +allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config }; +allow puppet_t self:process { signal signull getsched setsched }; +allow puppet_t self:fifo_file rw_fifo_file_perms; +allow puppet_t self:netlink_route_socket create_netlink_socket_perms; +allow puppet_t self:tcp_socket create_stream_socket_perms; +allow puppet_t self:udp_socket create_socket_perms; + +read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t) + +manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +files_search_var_lib(puppet_t) + +setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) +manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) +files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) + +create_dirs_pattern(puppet_t, var_log_t, puppet_log_t) +create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) +append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) +logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) + +manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) +manage_files_pattern(puppet_t, puppet_tmp_t, 
puppet_tmp_t) +files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) + +kernel_dontaudit_search_sysctl(puppet_t) +kernel_dontaudit_search_kernel_sysctl(puppet_t) +kernel_read_system_state(puppet_t) +kernel_read_crypto_sysctls(puppet_t) + +corecmd_exec_bin(puppet_t) +corecmd_exec_shell(puppet_t) + +corenet_all_recvfrom_netlabel(puppet_t) +corenet_all_recvfrom_unlabeled(puppet_t) +corenet_tcp_sendrecv_generic_if(puppet_t) +corenet_tcp_sendrecv_generic_node(puppet_t) +corenet_tcp_bind_generic_node(puppet_t) +corenet_tcp_connect_puppet_port(puppet_t) +corenet_sendrecv_puppet_client_packets(puppet_t) + +dev_read_rand(puppet_t) +dev_read_sysfs(puppet_t) +dev_read_urand(puppet_t) + +domain_read_all_domains_state(puppet_t) +domain_interactive_fd(puppet_t) + +files_manage_config_files(puppet_t) +files_manage_config_dirs(puppet_t) +files_manage_etc_dirs(puppet_t) +files_manage_etc_files(puppet_t) +files_read_usr_symlinks(puppet_t) +files_relabel_config_dirs(puppet_t) +files_relabel_config_files(puppet_t) + +selinux_search_fs(puppet_t) +selinux_set_all_booleans(puppet_t) +selinux_set_generic_booleans(puppet_t) +selinux_validate_context(puppet_t) + +term_dontaudit_getattr_unallocated_ttys(puppet_t) +term_dontaudit_getattr_all_ttys(puppet_t) + +init_all_labeled_script_domtrans(puppet_t) +init_domtrans_script(puppet_t) +init_read_utmp(puppet_t) +init_signull_script(puppet_t) + +logging_send_syslog_msg(puppet_t) + +miscfiles_read_hwdata(puppet_t) +miscfiles_read_localization(puppet_t) + +mount_domtrans(puppet_t) + +seutil_domtrans_setfiles(puppet_t) +seutil_domtrans_semanage(puppet_t) + +sysnet_dns_name_resolve(puppet_t) +sysnet_run_ifconfig(puppet_t, system_r) + +tunable_policy(`puppet_manage_all_files',` + auth_manage_all_files_except_auth_files(puppet_t) +') + +optional_policy(` + consoletype_domtrans(puppet_t) +') + +optional_policy(` + hostname_exec(puppet_t) +') + +optional_policy(` + files_rw_var_files(puppet_t) + + rpm_domtrans(puppet_t) + rpm_manage_db(puppet_t) + 
rpm_manage_log(puppet_t) +') + +optional_policy(` + unconfined_domain(puppet_t) +') + +optional_policy(` + usermanage_domtrans_groupadd(puppet_t) + usermanage_domtrans_useradd(puppet_t) +') + +######################################## +# +# Pupper master personal policy +# + +allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; +allow puppetmaster_t self:process { signal_perms getsched setsched }; +allow puppetmaster_t self:fifo_file rw_fifo_file_perms; +allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; +allow puppetmaster_t self:socket create; +allow puppetmaster_t self:tcp_socket create_stream_socket_perms; +allow puppetmaster_t self:udp_socket create_socket_perms; + +list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) +read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) + +allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr }; +allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr }; +logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) + +manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) +manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) + +setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) +manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) +files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) + +manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) +manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) +files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) + +kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) +kernel_read_system_state(puppetmaster_t) +kernel_read_crypto_sysctls(puppetmaster_t) + +corecmd_exec_bin(puppetmaster_t) +corecmd_exec_shell(puppetmaster_t) + +corenet_all_recvfrom_netlabel(puppetmaster_t) 
+corenet_all_recvfrom_unlabeled(puppetmaster_t) +corenet_tcp_sendrecv_generic_if(puppetmaster_t) +corenet_tcp_sendrecv_generic_node(puppetmaster_t) +corenet_tcp_bind_generic_node(puppetmaster_t) +corenet_tcp_bind_puppet_port(puppetmaster_t) +corenet_sendrecv_puppet_server_packets(puppetmaster_t) + +dev_read_rand(puppetmaster_t) +dev_read_urand(puppetmaster_t) + +domain_read_all_domains_state(puppetmaster_t) + +files_read_etc_files(puppetmaster_t) +files_search_var_lib(puppetmaster_t) + +logging_send_syslog_msg(puppetmaster_t) + +miscfiles_read_localization(puppetmaster_t) + +sysnet_dns_name_resolve(puppetmaster_t) +sysnet_run_ifconfig(puppetmaster_t, system_r) + +optional_policy(` + hostname_exec(puppetmaster_t) +') + +optional_policy(` + files_read_usr_symlinks(puppetmaster_t) + + rpm_exec(puppetmaster_t) + rpm_read_db(puppetmaster_t) +') diff --git a/pxe.fc b/pxe.fc new file mode 100644 index 0000000..44b3a0c --- /dev/null +++ b/pxe.fc @@ -0,0 +1,6 @@ + +/usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0) + +/var/log/pxe\.log -- gen_context(system_u:object_r:pxe_log_t,s0) + +/var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0) diff --git a/pxe.if b/pxe.if new file mode 100644 index 0000000..d3d6a6b --- /dev/null +++ b/pxe.if @@ -0,0 +1 @@ +## Server for the PXE network boot protocol diff --git a/pxe.te b/pxe.te new file mode 100644 index 0000000..fec69eb --- /dev/null +++ b/pxe.te 
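Review bot: `optional_policy(` unconfined_domain(puppet_t) ')` makes puppet_t fully unconfined whenever the unconfined module is present, which overrides every rule above it including the `puppet_manage_all_files` tunable the declaration advertises as opt-in (default `false`); in that configuration the tunable is decorative. Either drop the block or document the trade-off beside it: `# puppet_t is unconfined when the unconfined module is loaded; puppet_manage_all_files only matters without it`. Two smaller points in the same hunk: the banner `# Pupper master personal policy` should read `# Puppet master personal policy`, and `sys_ptrace` in the puppet_t capability set is not explained by any rule in the file and should either be justified in a comment or removed.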
@@ -0,0 +1,63 @@
+policy_module(pxe, 1.4.0)
+
+# cjp: policy seems incomplete
+
+########################################
+#
+# Declarations
+#
+
+type pxe_t;
+type pxe_exec_t;
+init_daemon_domain(pxe_t, pxe_exec_t)
+
+type pxe_log_t;
+logging_log_file(pxe_log_t)
+
+type pxe_var_run_t;
+files_pid_file(pxe_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pxe_t self:capability { chown setgid setuid };
+dontaudit pxe_t self:capability sys_tty_config;
+allow pxe_t self:process signal_perms;
+
+allow pxe_t pxe_log_t:file manage_file_perms;
+logging_log_filetrans(pxe_t, pxe_log_t, file)
+
+manage_files_pattern(pxe_t, pxe_var_run_t, pxe_var_run_t)
+files_pid_filetrans(pxe_t, pxe_var_run_t, file)
+
+kernel_read_kernel_sysctls(pxe_t)
+kernel_list_proc(pxe_t)
+kernel_read_proc_symlinks(pxe_t)
+
+corenet_udp_bind_pxe_port(pxe_t)
+
+dev_read_sysfs(pxe_t)
+
+domain_use_interactive_fds(pxe_t)
+
+files_read_etc_files(pxe_t)
+
+fs_getattr_all_fs(pxe_t)
+fs_search_auto_mountpoints(pxe_t)
+
+logging_send_syslog_msg(pxe_t)
+
+miscfiles_read_localization(pxe_t)
+
+userdom_dontaudit_use_unpriv_user_fds(pxe_t)
+userdom_dontaudit_search_user_home_dirs(pxe_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(pxe_t)
+')
+
+optional_policy(`
+ udev_read_db(pxe_t)
+')
diff --git a/pyicqt.fc b/pyicqt.fc
new file mode 100644
index 0000000..491fe8f
--- /dev/null
+++ b/pyicqt.fc
@@ -0,0 +1,7 @@
+/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0)
+
+/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
+
+/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)
diff --git a/pyicqt.if b/pyicqt.if
new file mode 100644
index 0000000..9604b6a
--- /dev/null
+++ b/pyicqt.if
@@ -0,0 +1 @@
+## PyICQt is an ICQ transport for XMPP server.
diff --git a/pyicqt.te b/pyicqt.te
new file mode 100644
index 0000000..a841221
--- /dev/null
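Review bot: pxe_t receives `corenet_udp_bind_pxe_port(pxe_t)` but none of the `corenet_udp_sendrecv_generic_if`/`corenet_udp_sendrecv_generic_node` or `corenet_all_recvfrom_unlabeled`/`corenet_all_recvfrom_netlabel` rules that the other network daemons in this commit carry (pyicqt, puppet, pyzord), so it can presumably bind the port but not exchange datagrams on it; that is most likely what `# cjp: policy seems incomplete` refers to, and the comment should say so: `# cjp: policy seems incomplete - no udp sendrecv/recvfrom rules, the bound socket is unusable`. The other daemons here also pair the port bind with `corenet_udp_bind_generic_node`/`corenet_tcp_bind_generic_node`, which is missing as well.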
+++ b/pyicqt.te
@@ -0,0 +1,59 @@
+policy_module(pyicqt, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pyicqt_t;
+type pyicqt_exec_t;
+init_daemon_domain(pyicqt_t, pyicqt_exec_t)
+
+type pyicqt_conf_t;
+files_config_file(pyicqt_conf_t)
+
+type pyicqt_spool_t;
+files_type(pyicqt_spool_t)
+
+type pyicqt_var_run_t;
+files_pid_file(pyicqt_var_run_t)
+
+########################################
+#
+# PyICQt policy
+#
+
+allow pyicqt_t self:fifo_file rw_fifo_file_perms;
+allow pyicqt_t self:tcp_socket create_socket_perms;
+allow pyicqt_t self:udp_socket create_socket_perms;
+
+read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
+
+manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
+manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
+files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
+
+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
+files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
+
+kernel_read_system_state(pyicqt_t)
+
+corecmd_exec_bin(pyicqt_t)
+
+corenet_all_recvfrom_unlabeled(pyicqt_t)
+corenet_all_recvfrom_netlabel(pyicqt_t)
+corenet_tcp_sendrecv_generic_if(pyicqt_t)
+corenet_tcp_sendrecv_generic_node(pyicqt_t)
+corenet_tcp_connect_generic_port(pyicqt_t)
+corenet_sendrecv_generic_client_packets(pyicqt_t)
+
+dev_read_urand(pyicqt_t)
+
+files_read_etc_files(pyicqt_t)
+files_read_usr_files(pyicqt_t)
+
+libs_read_lib_files(pyicqt_t)
+
+miscfiles_read_localization(pyicqt_t)
+
+sysnet_read_config(pyicqt_t)
diff --git a/pyzor.fc b/pyzor.fc
new file mode 100644
index 0000000..d4a7750
--- /dev/null
+++ b/pyzor.fc
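Review bot: `corenet_tcp_connect_generic_port(pyicqt_t)` together with `corenet_sendrecv_generic_client_packets(pyicqt_t)` lets the transport connect to any unlabelled port, which is wider than an ICQ-to-XMPP gateway needs; its outbound endpoints are the XMPP server component port and the ICQ service, so prefer the port-specific `corenet_tcp_connect_*_port` interfaces (the jabber ports refpolicy already defines) and add a comment naming the endpoints so the breadth can be revisited. Name resolution is also unaddressed: the hunk has `sysnet_read_config` but neither `sysnet_dns_name_resolve` nor `auth_use_nsswitch`, which the pyzor and puppet policies in this commit use, so if pyicqt resolves the ICQ servers by hostname those lookups will presumably be denied.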
@@ -0,0 +1,9 @@
+/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+
+/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
+/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+
+/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+/var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0)
diff --git a/pyzor.if b/pyzor.if
new file mode 100644
index 0000000..494f7e2
--- /dev/null
+++ b/pyzor.if
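Review bot: the first context is written `gen_context(system_u:object_r:pyzor_etc_t, s0)` with a space before `s0`, unlike every other gen_context in this commit; m4 strips leading argument whitespace so it still expands correctly, but keep the canonical `gen_context(system_u:object_r:pyzor_etc_t,s0)` so file-context files stay uniform and greppable.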
@@ -0,0 +1,90 @@
+## Pyzor is a distributed, collaborative spam detection and filtering network.
+
+########################################
+##
+## Role access for pyzor
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`pyzor_role',`
+ gen_require(`
+ type pyzor_t, pyzor_exec_t;
+ type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
+ ')
+
+ role $1 types pyzor_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, pyzor_exec_t, pyzor_t)
+
+ # allow ps to show pyzor and allow the user to kill it
+ ps_process_pattern($2, pyzor_t)
+ allow $2 pyzor_t:process signal;
+')
+
+########################################
+##
+## Send generic signals to pyzor
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pyzor_signal',`
+ gen_require(`
+ type pyzor_t;
+ ')
+
+ allow $1 pyzor_t:process signal;
+')
+
+########################################
+##
+## Execute pyzor with a domain transition.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pyzor_domtrans',`
+ gen_require(`
+ type pyzor_exec_t, pyzor_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pyzor_exec_t, pyzor_t)
+')
+
+########################################
+##
+## Execute pyzor in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pyzor_exec',`
+ gen_require(`
+ type pyzor_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, pyzor_exec_t)
+')
diff --git a/pyzor.te b/pyzor.te
new file mode 100644
index 0000000..cd683f9
--- /dev/null
+++ b/pyzor.te
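Review bot: `pyzor_role` requires `type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;` but no rule in its body references any of those types, so the second gen_require line is dead and only adds a needless link dependency for every role that calls it; drop it. The comment `# allow ps to show pyzor and allow the user to kill it` over-states the rule under it, which grants only `allow $2 pyzor_t:process signal;` and not `sigkill`; either grant `{ signal sigkill }` or reword the comment to `# allow ps to show pyzor and the user to send it generic signals`.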
@@ -0,0 +1,148 @@ +policy_module(pyzor, 2.1.0) + +######################################## +# +# Declarations +# + +type pyzor_t; +type pyzor_exec_t; +typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; +typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t }; +application_domain(pyzor_t, pyzor_exec_t) +ubac_constrained(pyzor_t) +role system_r types pyzor_t; + +type pyzor_etc_t; +files_type(pyzor_etc_t) + +type pyzor_home_t; +typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t }; +typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t }; +userdom_user_home_content(pyzor_home_t) + +type pyzor_tmp_t; +typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t }; +typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t }; +files_tmp_file(pyzor_tmp_t) +ubac_constrained(pyzor_tmp_t) + +type pyzor_var_lib_t; +typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t }; +typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t }; +files_type(pyzor_var_lib_t) +ubac_constrained(pyzor_var_lib_t) + +type pyzord_t; +type pyzord_exec_t; +init_daemon_domain(pyzord_t, pyzord_exec_t) + +type pyzord_log_t; +logging_log_file(pyzord_log_t) + +######################################## +# +# Pyzor client local policy +# + +allow pyzor_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) +manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) +manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) +userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file }) + +allow pyzor_t pyzor_var_lib_t:dir list_dir_perms; +read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t) +files_search_var_lib(pyzor_t) + +manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) +manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) 
+files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir }) + +kernel_read_kernel_sysctls(pyzor_t) +kernel_read_system_state(pyzor_t) + +corecmd_list_bin(pyzor_t) +corecmd_getattr_bin_files(pyzor_t) + +corenet_tcp_sendrecv_generic_if(pyzor_t) +corenet_udp_sendrecv_generic_if(pyzor_t) +corenet_tcp_sendrecv_generic_node(pyzor_t) +corenet_udp_sendrecv_generic_node(pyzor_t) +corenet_tcp_sendrecv_all_ports(pyzor_t) +corenet_udp_sendrecv_all_ports(pyzor_t) +corenet_tcp_connect_http_port(pyzor_t) + +dev_read_urand(pyzor_t) + +files_read_etc_files(pyzor_t) + +auth_use_nsswitch(pyzor_t) + +miscfiles_read_localization(pyzor_t) + +userdom_dontaudit_search_user_home_dirs(pyzor_t) + +optional_policy(` + amavis_manage_lib_files(pyzor_t) + amavis_manage_spool_files(pyzor_t) +') + +optional_policy(` + spamassassin_signal_spamd(pyzor_t) + spamassassin_read_spamd_tmp_files(pyzor_t) +') + +######################################## +# +# Pyzor server local policy +# + +allow pyzord_t self:udp_socket create_socket_perms; + +manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t) +allow pyzord_t pyzor_var_lib_t:dir setattr; +files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir }) + +read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t) +allow pyzord_t pyzor_etc_t:dir list_dir_perms; + +can_exec(pyzord_t, pyzor_exec_t) + +manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) +allow pyzord_t pyzord_log_t:dir setattr; +logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } ) + +kernel_read_kernel_sysctls(pyzord_t) +kernel_read_system_state(pyzord_t) + +dev_read_urand(pyzord_t) + +corecmd_exec_bin(pyzord_t) + +corenet_all_recvfrom_unlabeled(pyzord_t) +corenet_all_recvfrom_netlabel(pyzord_t) +corenet_udp_sendrecv_generic_if(pyzord_t) +corenet_udp_sendrecv_generic_node(pyzord_t) +corenet_udp_sendrecv_all_ports(pyzord_t) +corenet_udp_bind_generic_node(pyzord_t) +corenet_udp_bind_pyzor_port(pyzord_t) +corenet_sendrecv_pyzor_server_packets(pyzord_t) + 
+files_read_etc_files(pyzord_t) + +auth_use_nsswitch(pyzord_t) + +locallogin_dontaudit_use_fds(pyzord_t) + +miscfiles_read_localization(pyzord_t) + +# Do not audit attempts to access /root. +userdom_dontaudit_search_user_home_dirs(pyzord_t) + +mta_manage_spool(pyzord_t) + +optional_policy(` + logging_send_syslog_msg(pyzord_t) +') diff --git a/qemu.fc b/qemu.fc new file mode 100644 index 0000000..64d877e --- /dev/null +++ b/qemu.fc @@ -0,0 +1,4 @@ +/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/qemu.if b/qemu.if new file mode 100644 index 0000000..268d691 --- /dev/null +++ b/qemu.if 
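Review bot: `mta_manage_spool(pyzord_t)` is the only cross-module call in this file made outside an `optional_policy` block, while `logging_send_syslog_msg(pyzord_t)` — which pulseaudio, puppet and pxe in this same commit call unconditionally — is the one that is wrapped; the two look swapped. Wrap the mta call the way the amavis and spamassassin calls are, and call the logging interface directly, so the module still links when mta is built as a separate module. Separately, `corenet_udp_sendrecv_all_ports(pyzord_t)` is wider than a server that only binds `corenet_udp_bind_pyzor_port` needs; the matching `corenet_udp_sendrecv_pyzor_port(pyzord_t)` would do, and the `_all_ports` pair on the pyzor_t client is worth narrowing the same way.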
@@ -0,0 +1,309 @@ +## QEMU machine emulator and virtualizer + +######################################## +## +## Creates types and rules for a basic +## qemu process domain. +## +## +## +## Prefix for the domain. +## +## +# +template(`qemu_domain_template',` + + ############################## + # + # Local Policy + # + + type $1_t; + domain_type($1_t) + + type $1_tmp_t; + files_tmp_file($1_tmp_t) + + ############################## + # + # Local Policy + # + + allow $1_t self:capability { dac_read_search dac_override }; + allow $1_t self:process { execstack execmem signal getsched }; + allow $1_t self:fifo_file rw_file_perms; + allow $1_t self:shm create_shm_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:tun_socket create; + + manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) + + kernel_read_system_state($1_t) + + corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) + corenet_tcp_sendrecv_generic_if($1_t) + corenet_tcp_sendrecv_generic_node($1_t) + corenet_tcp_sendrecv_all_ports($1_t) + corenet_tcp_bind_generic_node($1_t) + corenet_tcp_bind_vnc_port($1_t) + corenet_rw_tun_tap_dev($1_t) + +# dev_rw_kvm($1_t) + + domain_use_interactive_fds($1_t) + + files_read_etc_files($1_t) + files_read_usr_files($1_t) + files_read_var_files($1_t) + files_search_all($1_t) + + fs_list_inotifyfs($1_t) + fs_rw_anon_inodefs_files($1_t) + fs_rw_tmpfs_files($1_t) + + storage_raw_write_removable_device($1_t) + storage_raw_read_removable_device($1_t) + + term_use_ptmx($1_t) + term_getattr_pty_fs($1_t) + term_use_generic_ptys($1_t) + + miscfiles_read_localization($1_t) + + sysnet_read_config($1_t) + + userdom_use_user_terminals($1_t) + userdom_attach_admin_tun_iface($1_t) + + optional_policy(` + samba_domtrans_smbd($1_t) + ') + + optional_policy(` + virt_manage_images($1_t) + 
virt_read_config($1_t) + virt_read_lib_files($1_t) + virt_attach_tun_iface($1_t) + ') + + optional_policy(` + xserver_stream_connect($1_t) + xserver_read_xdm_tmp_files($1_t) + xserver_read_xdm_pid($1_t) +# xserver_xdm_rw_shm($1_t) + ') +') + +####################################### +## +## The per role template for the qemu module. +## +## +##

+## This template creates a derived domains which are used +## for qemu web browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`qemu_role',` + gen_require(` + type qemu_t, qemu_exec_t; + type qemu_config_t, qemu_config_exec_t; + ') + + role $1 types { qemu_t qemu_config_t }; + + domtrans_pattern($2, qemu_exec_t, qemu_t) + domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) + allow qemu_t $2:process signull; +') + +######################################## +## +## Execute a domain transition to run qemu. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`qemu_domtrans',` + gen_require(` + type qemu_t, qemu_exec_t; + ') + + domtrans_pattern($1, qemu_exec_t, qemu_t) +') + +######################################## +## +## Execute qemu in the qemu domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to allow the qemu domain. +## +## +## +# +interface(`qemu_run',` + gen_require(` + type qemu_t; + ') + + qemu_domtrans($1) + role $2 types qemu_t; + allow qemu_t $1:process signull; + allow $1 qemu_t:process signull; +') + +######################################## +## +## Allow the domain to read state files in /proc. +## +## +## +## Domain to allow access. +## +## +# +interface(`qemu_read_state',` + gen_require(` + type qemu_t; + ') + + read_files_pattern($1, qemu_t, qemu_t) +') + +######################################## +## +## Set the schedule on qemu. +## +## +## +## Domain allowed access. +## +## +# +interface(`qemu_setsched',` + gen_require(` + type qemu_t; + ') + + allow $1 qemu_t:process setsched; +') + +######################################## +## +## Send a signal to qemu. +## +## +## +## Domain allowed access. +## +## +# +interface(`qemu_signal',` + gen_require(` + type qemu_t; + ') + + allow $1 qemu_t:process signal; +') + +######################################## +## +## Send a sigill to qemu +## +## +## +## Domain allowed access. 
+##
+##
+#
+interface(`qemu_kill',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process sigkill;
+')
+
+########################################
+##
+## Execute a domain transition to run qemu unconfined.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`qemu_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_qemu_t, qemu_exec_t;
+ ')
+
+ domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
+')
+
+########################################
+##
+## Manage qemu temporary dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qemu_manage_tmp_dirs',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
+
+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
+
+########################################
+##
+## Manage qemu temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qemu_manage_tmp_files',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
+
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
diff --git a/qemu.te b/qemu.te
new file mode 100644
index 0000000..9cf9992
--- /dev/null
+++ b/qemu.te
@@ -0,0 +1,128 @@
+policy_module(qemu, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##

+## Allow qemu to connect fully to the network
+##

+##
+gen_tunable(qemu_full_network, false)
+
+##
+##

+## Allow qemu to use cifs/Samba file systems
+##

+##
+gen_tunable(qemu_use_cifs, true)
+
+##
+##

+## Allow qemu to use serial/parallel communication ports
+##

+##
+gen_tunable(qemu_use_comm, false)
+
+##
+##

+## Allow qemu to use nfs file systems
+##

+##
+gen_tunable(qemu_use_nfs, true)
+
+##
+##

+## Allow qemu to use usb devices
+##

+##
+gen_tunable(qemu_use_usb, true)
+
+type qemu_exec_t;
+virt_domain_template(qemu)
+application_domain(qemu_t, qemu_exec_t)
+role system_r types qemu_t;
+
+########################################
+#
+# qemu local policy
+#
+
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
+userdom_search_user_home_content(qemu_t)
+userdom_read_user_tmpfs_files(qemu_t)
+
+tunable_policy(`qemu_full_network',`
+ allow qemu_t self:udp_socket create_socket_perms;
+
+ corenet_udp_sendrecv_generic_if(qemu_t)
+ corenet_udp_sendrecv_generic_node(qemu_t)
+ corenet_udp_sendrecv_all_ports(qemu_t)
+ corenet_udp_bind_generic_node(qemu_t)
+ corenet_udp_bind_all_ports(qemu_t)
+ corenet_tcp_bind_all_ports(qemu_t)
+ corenet_tcp_connect_all_ports(qemu_t)
+')
+
+tunable_policy(`qemu_use_cifs',`
+ fs_manage_cifs_dirs(qemu_t)
+ fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_comm',`
+ term_use_unallocated_ttys(qemu_t)
+ dev_rw_printer(qemu_t)
+')
+
+tunable_policy(`qemu_use_nfs',`
+ fs_manage_nfs_dirs(qemu_t)
+ fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+ dev_rw_usbfs(qemu_t)
+ fs_manage_dos_dirs(qemu_t)
+ fs_manage_dos_files(qemu_t)
+')
+
+optional_policy(`
+ dbus_read_lib_files(qemu_t)
+')
+
+optional_policy(`
+ pulseaudio_manage_home_files(qemu_t)
+ pulseaudio_stream_connect(qemu_t)
+')
+
+optional_policy(`
+ virt_manage_images(qemu_t)
+ virt_append_log(qemu_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(qemu_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(qemu_t)
+ xserver_stream_connect(qemu_t)
+')
+
+########################################
+#
+# Unconfined qemu local policy
+#
+
+optional_policy(`
+ type unconfined_qemu_t;
+ typealias unconfined_qemu_t alias qemu_unconfined_t;
+ application_type(unconfined_qemu_t)
+ unconfined_domain(unconfined_qemu_t)
+
+ allow unconfined_qemu_t self:process { execstack execmem };
+ allow unconfined_qemu_t qemu_exec_t:file execmod;
+')
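Review bot: `qemu_use_nfs` and `qemu_use_cifs` default to `true`, yet their bodies grant `fs_manage_nfs_dirs/files` and `fs_manage_cifs_dirs/files`, which cover every NFS or CIFS mount on the host rather than only the directories holding guest images, while the comparably broad `qemu_full_network` and `qemu_use_comm` default to `false`. I would either default these two to `false` so an administrator opts in, or spell the scope out in the tunable text, e.g. `## Allow qemu to use nfs file systems (grants create, write and delete on any NFS mount)`. The unconfined block at the end also grants `execstack execmem` and `execmod` on `qemu_exec_t` without a comment; a one-line note naming the component that needs writable executable memory would help the next reader, since the reason is not visible in this hunk.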
diff --git a/qmail.fc b/qmail.fc
new file mode 100644
index 0000000..0055e54
--- /dev/null
+++ b/qmail.fc
@@ -0,0 +1,47 @@
+
+/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
+/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
+
+/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/var/qmail/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/var/qmail/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/var/qmail/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/var/qmail/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/var/qmail/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/var/qmail/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+
+ifdef(`distro_debian', `
+/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
+
+/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+
+/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+')
+
diff --git a/qmail.if b/qmail.if
new file mode 100644
index 0000000..a55bf44
--- /dev/null
+++ b/qmail.if
@@ -0,0 +1,151 @@
+## Qmail Mail Server
+
+########################################
+##
+## Template for qmail parent/sub-domain pairs
+##
+##
+##
+## The prefix of the child domain
+##
+##
+##
+##
+## The name of the parent domain.
+##
+##
+#
+template(`qmail_child_domain_template',`
+ type $1_t;
+ domain_type($1_t)
+ type $1_exec_t;
+ domain_entry_file($1_t, $1_exec_t)
+ domain_auto_trans($2, $1_exec_t, $1_t)
+ role system_r types $1_t;
+
+ allow $1_t self:process signal_perms;
+
+ allow $1_t $2:fd use;
+ allow $1_t $2:fifo_file rw_file_perms;
+ allow $1_t $2:process sigchld;
+
+ allow $1_t qmail_etc_t:dir list_dir_perms;
+ allow $1_t qmail_etc_t:file read_file_perms;
+ allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
+
+ allow $1_t qmail_start_t:fd use;
+
+ kernel_list_proc($2)
+ kernel_read_proc_symlinks($2)
+
+ corecmd_search_bin($1_t)
+
+ files_search_var($1_t)
+
+ fs_getattr_xattr_fs($1_t)
+
+ miscfiles_read_localization($1_t)
+')
+
+########################################
+##
+## Transition to qmail_inject_t
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`qmail_domtrans_inject',`
+ gen_require(`
+ type qmail_inject_t, qmail_inject_exec_t;
+ ')
+
+ domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ ',`
+ files_search_var($1)
+ corecmd_search_bin($1)
+ ')
+')
+
+########################################
+##
+## Transition to qmail_queue_t
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`qmail_domtrans_queue',`
+ gen_require(`
+ type qmail_queue_t, qmail_queue_exec_t;
+ ')
+
+ domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ ',`
+ files_search_var($1)
+ corecmd_search_bin($1)
+ ')
+')
+
+########################################
+##
+## Read qmail configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`qmail_read_config',`
+ gen_require(`
+ type qmail_etc_t;
+ ')
+
+ allow $1 qmail_etc_t:dir list_dir_perms;
+ allow $1 qmail_etc_t:file read_file_perms;
+ allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
+ files_search_var($1)
+
+ ifdef(`distro_debian',`
+ # handle /etc/qmail
+ files_search_etc($1)
+ ')
+')
+
+########################################
+##
+## Define the specified domain as a qmail-smtp service.
+## Needed by antivirus/antispam filters.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The type associated with the process program.
+##
+##
+#
+interface(`qmail_smtpd_service_domain',`
+ gen_require(`
+ type qmail_smtpd_t;
+ ')
+
+ domtrans_pattern(qmail_smtpd_t, $2, $1)
+')
diff --git a/qmail.te b/qmail.te
new file mode 100644
index 0000000..355b2a2
--- /dev/null
+++ b/qmail.te
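Review bot: Inside `qmail_child_domain_template`, `kernel_list_proc($2)` and `kernel_read_proc_symlinks($2)` grant access to the parent `$2`, not to the child `$1_t` the template is defining, so every instantiation with the same parent merely repeats the grant; either this was meant to be `$1_t` or the two lines belong in the parent's own section of qmail.te. The template also open-codes what `domtrans_pattern` already provides (`domain_auto_trans` plus the `fd use`, `fifo_file` and `process sigchld` back-rules), so `domtrans_pattern($2, $1_exec_t, $1_t)` would replace five lines and match the style of `qmail_domtrans_inject` and `qmail_domtrans_queue` below it; while there, `allow $1_t $2:fifo_file rw_file_perms;` should use the fifo set, `rw_fifo_file_perms`, as the rest of the series does. Finally the template references `qmail_etc_t` and `qmail_start_t` without a `gen_require`, which only works because it is invoked from qmail.te alone; a short comment stating that it is internal to the module would stop someone calling it from elsewhere.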
@@ -0,0 +1,321 @@
+policy_module(qmail, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute qmail_user_domains;
+
+type qmail_alias_home_t;
+files_type(qmail_alias_home_t)
+
+qmail_child_domain_template(qmail_clean, qmail_start_t)
+
+type qmail_etc_t;
+files_config_file(qmail_etc_t)
+
+type qmail_exec_t;
+files_type(qmail_exec_t)
+
+type qmail_inject_t, qmail_user_domains;
+type qmail_inject_exec_t;
+domain_type(qmail_inject_t)
+domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
+mta_mailserver_user_agent(qmail_inject_t)
+role system_r types qmail_inject_t;
+
+qmail_child_domain_template(qmail_local, qmail_lspawn_t)
+mta_mailserver_delivery(qmail_local_t)
+
+qmail_child_domain_template(qmail_lspawn, qmail_start_t)
+mta_mailserver_delivery(qmail_lspawn_t)
+
+qmail_child_domain_template(qmail_queue, qmail_inject_t)
+typeattribute qmail_queue_t qmail_user_domains;
+mta_mailserver_user_agent(qmail_queue_t)
+
+qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
+mta_mailserver_sender(qmail_remote_t)
+
+qmail_child_domain_template(qmail_rspawn, qmail_start_t)
+
+qmail_child_domain_template(qmail_send, qmail_start_t)
+
+qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+
+qmail_child_domain_template(qmail_splogger, qmail_start_t)
+
+type qmail_spool_t;
+files_type(qmail_spool_t)
+
+type qmail_start_t;
+type qmail_start_exec_t;
+init_daemon_domain(qmail_start_t, qmail_start_exec_t)
+
+type qmail_tcp_env_t;
+type qmail_tcp_env_exec_t;
+application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+
+########################################
+#
+# qmail-clean local policy
+# this component cleans up the queue directory
+#
+
+read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+
+########################################
+#
+# qmail-inject local policy
+# this component preprocesses mail from stdin and invokes qmail-queue
+#
+
+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
+allow qmail_inject_t self:process signal_perms;
+
+allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
+
+corecmd_search_bin(qmail_inject_t)
+
+files_search_var(qmail_inject_t)
+
+miscfiles_read_localization(qmail_inject_t)
+
+qmail_read_config(qmail_inject_t)
+
+########################################
+#
+# qmail-local local policy
+# this component delivers a mail message
+#
+
+allow qmail_local_t self:fifo_file write_file_perms;
+allow qmail_local_t self:process signal_perms;
+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
+manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
+
+can_exec(qmail_local_t, qmail_local_exec_t)
+
+allow qmail_local_t qmail_queue_exec_t:file read_file_perms;
+
+allow qmail_local_t qmail_spool_t:file read_file_perms;
+
+kernel_read_system_state(qmail_local_t)
+
+corecmd_exec_bin(qmail_local_t)
+corecmd_exec_shell(qmail_local_t)
+
+files_read_etc_files(qmail_local_t)
+files_read_etc_runtime_files(qmail_local_t)
+
+auth_use_nsswitch(qmail_local_t)
+
+logging_send_syslog_msg(qmail_local_t)
+
+mta_append_spool(qmail_local_t)
+
+qmail_domtrans_queue(qmail_local_t)
+
+optional_policy(`
+ spamassassin_domtrans_client(qmail_local_t)
+')
+
+########################################
+#
+# qmail-lspawn local policy
+# this component schedules local deliveries
+#
+
+allow qmail_lspawn_t self:capability { setuid setgid };
+allow qmail_lspawn_t self:process signal_perms;
+allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms;
+allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
+
+can_exec(qmail_lspawn_t, qmail_exec_t)
+
+allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
+
+read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
+
+corecmd_search_bin(qmail_lspawn_t)
+
+files_read_etc_files(qmail_lspawn_t)
+files_search_pids(qmail_lspawn_t)
+files_search_tmp(qmail_lspawn_t)
+
+########################################
+#
+# qmail-queue local policy
+# this component places a mail in a delivery queue, later to be processed by qmail-send
+#
+
+allow qmail_queue_t qmail_lspawn_t:fd use;
+allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
+
+allow qmail_queue_t qmail_smtpd_t:fd use;
+allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
+
+manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+
+corecmd_exec_bin(qmail_queue_t)
+
+logging_send_syslog_msg(qmail_queue_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_queue_t)
+')
+
+########################################
+#
+# qmail-remote local policy
+# this component sends mail via SMTP
+#
+
+allow qmail_remote_t self:tcp_socket create_socket_perms;
+allow qmail_remote_t self:udp_socket create_socket_perms;
+
+rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
+
+corenet_all_recvfrom_unlabeled(qmail_remote_t)
+corenet_all_recvfrom_netlabel(qmail_remote_t)
+corenet_tcp_sendrecv_generic_if(qmail_remote_t)
+corenet_udp_sendrecv_generic_if(qmail_remote_t)
+corenet_tcp_sendrecv_generic_node(qmail_remote_t)
+corenet_udp_sendrecv_generic_node(qmail_remote_t)
+corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_dns_port(qmail_remote_t)
+corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_sendrecv_smtp_client_packets(qmail_remote_t)
+
+dev_read_rand(qmail_remote_t)
+dev_read_urand(qmail_remote_t)
+
+sysnet_read_config(qmail_remote_t)
+
+########################################
+#
+# qmail-rspawn local policy
+# this component scedules remote deliveries
+#
+
+allow qmail_rspawn_t self:process signal_perms;
+allow qmail_rspawn_t self:fifo_file read_fifo_file_perms;
+
+allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
+
+rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
+
+corecmd_search_bin(qmail_rspawn_t)
+
+########################################
+#
+# qmail-send local policy
+# this component delivers mail messages from the queue
+#
+
+allow qmail_send_t self:process signal_perms;
+allow qmail_send_t self:fifo_file write_fifo_file_perms;
+
+manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
+manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
+read_fifo_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
+
+qmail_domtrans_queue(qmail_send_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_send_t)
+')
+
+########################################
+#
+# qmail-smtpd local policy
+# this component receives mails via SMTP
+#
+
+allow qmail_smtpd_t self:process signal_perms;
+allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
+allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+
+allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
+
+dev_read_rand(qmail_smtpd_t)
+dev_read_urand(qmail_smtpd_t)
+
+qmail_domtrans_queue(qmail_smtpd_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_smtpd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(qmail, qmail_smtpd_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
+')
+
+########################################
+#
+# splogger local policy
+# this component creates entries in syslog
+#
+
+allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
+
+files_read_etc_files(qmail_splogger_t)
+
+init_dontaudit_use_script_fds(qmail_splogger_t)
+
+miscfiles_read_localization(qmail_splogger_t)
+
+########################################
+#
+# qmail-start local policy
+# this component starts up the mail delivery component
+#
+
+allow qmail_start_t self:capability { setgid setuid };
+dontaudit qmail_start_t self:capability sys_tty_config;
+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
+allow qmail_start_t self:process signal_perms;
+
+can_exec(qmail_start_t, qmail_start_exec_t)
+
+corecmd_search_bin(qmail_start_t)
+
+files_search_var(qmail_start_t)
+
+qmail_read_config(qmail_start_t)
+
+optional_policy(`
+ daemontools_service_domain(qmail_start_t, qmail_start_exec_t)
+ daemontools_ipc_domain(qmail_start_t)
+')
+
+########################################
+#
+# tcp-env local policy
+# this component sets up TCP-related environment variables
+#
+
+allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
+
+corecmd_search_bin(qmail_tcp_env_t)
+
+sysnet_read_config(qmail_tcp_env_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+')
diff --git a/qpid.fc b/qpid.fc
new file mode 100644
index 0000000..4f94229
--- /dev/null
+++ b/qpid.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
+
+/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
+
+/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
+
+/var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0)
+/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0)
diff --git a/qpid.if b/qpid.if
new file mode 100644
index 0000000..5a9630c
--- /dev/null
+++ b/qpid.if
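Review bot: `qmail_smtpd_t`, the one domain in this file that parses untrusted network input, gets `self:tcp_socket create_socket_perms` but none of the corenet rules that `qmail_remote_t` receives (`corenet_all_recvfrom_unlabeled`, `corenet_tcp_sendrecv_generic_if/node`, `corenet_tcp_sendrecv_smtp_port`); an inherited socket from tcpserver or inetd covers the socket object, but interface- and node-level packet access still has to be granted to the domain doing the reads, so I would expect denials on the first SMTP session unless the `ucspitcp_service_domain`/`inetd_tcp_service_domain` interfaces (not visible here) supply them. The change below mirrors the remote side in the qmail-smtpd section. Separately, the three `qmail_queue_t ... qmail_smtpd_t` rules in the qmail-queue section duplicate what `qmail_domtrans_queue(qmail_smtpd_t)` already grants via `domtrans_pattern`, and `qmail_local_t`'s unconditional `corecmd_exec_bin`/`corecmd_exec_shell` runs whatever a recipient's `.qmail` file names inside this domain, which deserves a comment such as `# .qmail delivery instructions may run arbitrary programs in this domain`.
```m4
# … unchanged: qmail-smtpd self:process / fifo_file / tcp_socket rules …
allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;

corenet_all_recvfrom_unlabeled(qmail_smtpd_t)
corenet_tcp_sendrecv_generic_if(qmail_smtpd_t)
corenet_tcp_sendrecv_generic_node(qmail_smtpd_t)
corenet_tcp_sendrecv_smtp_port(qmail_smtpd_t)

dev_read_rand(qmail_smtpd_t)
# … unchanged: rest of the qmail-smtpd section …
```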
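Review bot: `/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0)` is the only pid-file entry in this series without the `--` file-type field; radius.fc below writes `/var/run/radiusd\.pid -- gen_context(...)`. Without it the pattern also matches a directory or socket named `qpidd.pid`, which is harmless but inconsistent with the sibling modules; suggest `/var/run/qpidd\.pid -- gen_context(system_u:object_r:qpidd_var_run_t,s0)`.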
@@ -0,0 +1,186 @@
+## Apache QPID AMQP messaging server.
+
+########################################
+##
+## Execute a domain transition to run qpidd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`qpidd_domtrans',`
+ gen_require(`
+ type qpidd_t, qpidd_exec_t;
+ ')
+
+ domtrans_pattern($1, qpidd_exec_t, qpidd_t)
+')
+
+#####################################
+##
+## Allow read and write access to qpidd semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qpidd_rw_semaphores',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:sem rw_sem_perms;
+')
+
+########################################
+##
+## Read and write to qpidd shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qpidd_rw_shm',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:shm rw_shm_perms;
+')
+
+########################################
+##
+## Execute qpidd server in the qpidd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qpidd_initrc_domtrans',`
+ gen_require(`
+ type qpidd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
+')
+
+########################################
+##
+## Read qpidd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qpidd_read_pid_files',`
+ gen_require(`
+ type qpidd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 qpidd_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Search qpidd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qpidd_search_lib',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ allow $1 qpidd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read qpidd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qpidd_read_lib_files',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## qpidd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qpidd_manage_lib_files',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an qpidd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`qpidd_admin',`
+ gen_require(`
+ type qpidd_t, qpidd_initrc_exec_t;
+ ')
+
+ allow $1 qpidd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, qpidd_t)
+
+ # Allow qpidd_t to restart the apache service
+ qpidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 qpidd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, qpidd_var_lib_t)
+
+ admin_pattern($1, qpidd_var_run_t)
+')
diff --git a/qpid.te b/qpid.te
new file mode 100644
index 0000000..cb7ecb5
--- /dev/null
+++ b/qpid.te
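Review bot: `qpidd_admin` lists only `qpidd_t, qpidd_initrc_exec_t` in its `gen_require`, but the two `admin_pattern` calls at its end use `qpidd_var_lib_t` and `qpidd_var_run_t`; when the interface is invoked from another module those types are not declared there and the caller should fail to compile, whereas `radius_admin` further down requires every type it touches. Change the require to `type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t, qpidd_var_run_t;`. The comment `# Allow qpidd_t to restart the apache service` is a copy-paste leftover: the rule grants the caller, not qpidd_t, and the service is qpidd, so `# Allow $1 to restart the qpidd service` is what it should say.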
@@ -0,0 +1,63 @@
+policy_module(qpid, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type qpidd_t;
+type qpidd_exec_t;
+init_daemon_domain(qpidd_t, qpidd_exec_t)
+
+type qpidd_initrc_exec_t;
+init_script_file(qpidd_initrc_exec_t)
+
+type qpidd_var_lib_t;
+files_type(qpidd_var_lib_t)
+
+type qpidd_var_run_t;
+files_pid_file(qpidd_var_run_t)
+
+########################################
+#
+# qpidd local policy
+#
+
+allow qpidd_t self:process { setsched signull };
+allow qpidd_t self:fifo_file rw_fifo_file_perms;
+allow qpidd_t self:sem create_sem_perms;
+allow qpidd_t self:shm create_shm_perms;
+allow qpidd_t self:tcp_socket create_stream_socket_perms;
+allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
+
+manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
+
+kernel_read_system_state(qpidd_t)
+
+corenet_all_recvfrom_unlabeled(qpidd_t)
+corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_sendrecv_generic_if(qpidd_t)
+corenet_tcp_sendrecv_generic_node(qpidd_t)
+corenet_tcp_sendrecv_all_ports(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
+corenet_tcp_bind_amqp_port(qpidd_t)
+
+dev_read_urand(qpidd_t)
+
+files_read_etc_files(qpidd_t)
+
+logging_send_syslog_msg(qpidd_t)
+
+miscfiles_read_localization(qpidd_t)
+
+sysnet_dns_name_resolve(qpidd_t)
+
+optional_policy(`
+ corosync_stream_connect(qpidd_t)
+')
diff --git a/quota.fc b/quota.fc
new file mode 100644
index 0000000..f387230
--- /dev/null
+++ b/quota.fc
@@ -0,0 +1,19 @@
+HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/boot/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+
+/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
+/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+',`
+/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+')
diff --git a/quota.if b/quota.if
new file mode 100644
index 0000000..bf75d99
--- /dev/null
+++ b/quota.if
@@ -0,0 +1,85 @@
+## File system quota management
+
+########################################
+##
+## Execute quota management tools in the quota domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`quota_domtrans',`
+ gen_require(`
+ type quota_t, quota_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, quota_exec_t, quota_t)
+')
+
+########################################
+##
+## Execute quota management tools in the quota domain, and
+## allow the specified role the quota domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`quota_run',`
+ gen_require(`
+ type quota_t;
+ ')
+
+ quota_domtrans($1)
+ role $2 types quota_t;
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes
+## of filesystem quota data files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`quota_dontaudit_getattr_db',`
+ gen_require(`
+ type quota_db_t;
+ ')
+
+ dontaudit $1 quota_db_t:file getattr_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete quota
+## flag files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`quota_manage_flags',`
+ gen_require(`
+ type quota_flag_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, quota_flag_t, quota_flag_t)
+')
diff --git a/quota.te b/quota.te
new file mode 100644
index 0000000..5dd42f5
--- /dev/null
+++ b/quota.te
@@ -0,0 +1,84 @@
+policy_module(quota, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type quota_t;
+type quota_exec_t;
+init_system_domain(quota_t, quota_exec_t)
+
+type quota_db_t;
+files_type(quota_db_t)
+
+type quota_flag_t;
+files_type(quota_flag_t)
+
+########################################
+#
+# Local policy
+#
+
+allow quota_t self:capability { sys_admin dac_override };
+dontaudit quota_t self:capability sys_tty_config;
+allow quota_t self:process signal_perms;
+
+# for /quota.*
+allow quota_t quota_db_t:file { manage_file_perms quotaon };
+files_root_filetrans(quota_t, quota_db_t, file)
+files_boot_filetrans(quota_t, quota_db_t, file)
+files_etc_filetrans(quota_t, quota_db_t, file)
+files_tmp_filetrans(quota_t, quota_db_t, file)
+files_home_filetrans(quota_t, quota_db_t, file)
+files_usr_filetrans(quota_t, quota_db_t, file)
+files_var_filetrans(quota_t, quota_db_t, file)
+files_spool_filetrans(quota_t, quota_db_t, file)
+
+kernel_list_proc(quota_t)
+kernel_read_proc_symlinks(quota_t)
+kernel_read_kernel_sysctls(quota_t)
+kernel_setsched(quota_t)
+
+dev_read_sysfs(quota_t)
+dev_getattr_all_blk_files(quota_t)
+dev_getattr_all_chr_files(quota_t)
+
+fs_get_xattr_fs_quotas(quota_t)
+fs_set_xattr_fs_quotas(quota_t)
+fs_getattr_xattr_fs(quota_t)
+fs_remount_xattr_fs(quota_t)
+fs_search_auto_mountpoints(quota_t)
+
+mls_file_read_all_levels(quota_t)
+
+storage_raw_read_fixed_disk(quota_t)
+
+term_dontaudit_use_console(quota_t)
+
+domain_use_interactive_fds(quota_t)
+
+files_list_all(quota_t)
+files_read_all_files(quota_t)
+files_read_all_symlinks(quota_t)
+files_getattr_all_pipes(quota_t)
+files_getattr_all_sockets(quota_t)
+files_getattr_all_file_type_fs(quota_t)
+# Read /etc/mtab.
+files_read_etc_runtime_files(quota_t)
+
+init_use_fds(quota_t)
+init_use_script_ptys(quota_t)
+
+logging_send_syslog_msg(quota_t)
+
+userdom_use_user_terminals(quota_t)
+userdom_dontaudit_use_unpriv_user_fds(quota_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(quota_t)
+')
+
+optional_policy(`
+ udev_read_db(quota_t)
+')
diff --git a/radius.fc b/radius.fc
new file mode 100644
index 0000000..09f7b50
--- /dev/null
+++ b/radius.fc
@@ -0,0 +1,23 @@
+
+/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0)
+
+/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
+/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
+
+/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
+
+/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radutmp -- gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
+
+/var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0)
+/var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0)
diff --git a/radius.if b/radius.if
new file mode 100644
index 0000000..75e5dc4
--- /dev/null
+++ b/radius.if
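Review bot: `files_tmp_filetrans` and `files_usr_filetrans` label a quota file created under /tmp or /usr as `quota_db_t`, but quota.fc in this series has no `/tmp/a?quota\.(user|group)` or `/usr/a?quota\.(user|group)` entry, so a relabel would strip that label again, while the other six filetrans targets (`/`, /boot, /etc, HOME_ROOT, /var, /var/spool) all have matching fc lines. Either add the two fc entries or drop the two filetrans rules so runtime labeling and restorecon agree. The `files_read_all_files`, `mls_file_read_all_levels` and `storage_raw_read_fixed_disk` grants also let quota_t read everything on the host; that is presumably what quotacheck's filesystem scan needs, but a one-line comment saying so (e.g. `# quotacheck walks every inode on the filesystem`) would keep the next reviewer from trying to trim it.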
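Review bot: `/var/lib/radiousd(/.*)?` misspells the directory (`radiousd` for `radiusd`), so `/var/lib/radiusd` never receives `radiusd_var_lib_t` and the `manage_files_pattern(radiusd_t, radiusd_var_lib_t, ...)` rule in radius.te has nothing to apply to; the daemon's state files will keep whatever generic /var/lib label they inherit. Fix the pattern to `/var/lib/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)`.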
@@ -0,0 +1,62 @@
+## RADIUS authentication and accounting server.
+
+########################################
+##
+## Use radius over a UDP connection. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`radius_use',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an radius environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`radius_admin',`
+ gen_require(`
+ type radiusd_t, radiusd_etc_t, radiusd_log_t;
+ type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
+ type radiusd_initrc_exec_t;
+ ')
+
+ allow $1 radiusd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, radiusd_t)
+
+ init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 radiusd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, radiusd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, radiusd_log_t)
+
+ admin_pattern($1, radiusd_etc_rw_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, radiusd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, radiusd_var_run_t)
+')
diff --git a/radius.te b/radius.te
new file mode 100644
index 0000000..b1ed1bf
--- /dev/null
+++ b/radius.te
@@ -0,0 +1,143 @@
+policy_module(radius, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type radiusd_t;
+type radiusd_exec_t;
+init_daemon_domain(radiusd_t, radiusd_exec_t)
+
+type radiusd_etc_t;
+files_config_file(radiusd_etc_t)
+
+type radiusd_etc_rw_t;
+files_type(radiusd_etc_rw_t)
+
+type radiusd_initrc_exec_t;
+init_script_file(radiusd_initrc_exec_t)
+
+type radiusd_log_t;
+logging_log_file(radiusd_log_t)
+
+type radiusd_var_lib_t;
+files_type(radiusd_var_lib_t)
+
+type radiusd_var_run_t;
+files_pid_file(radiusd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# fsetid is for gzip which needs it when run from scripts
+# gzip also needs chown access to preserve GID for radwtmp files
+allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+dontaudit radiusd_t self:capability sys_tty_config;
+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:fifo_file rw_fifo_file_perms;
+allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
+allow radiusd_t self:tcp_socket create_stream_socket_perms;
+allow radiusd_t self:udp_socket create_socket_perms;
+
+allow radiusd_t radiusd_etc_t:dir list_dir_perms;
+read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t)
+read_lnk_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t)
+files_search_etc(radiusd_t)
+
+manage_dirs_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+manage_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
+filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file })
+
+manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+manage_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir })
+
+manage_files_pattern(radiusd_t, radiusd_var_lib_t, 
radiusd_var_lib_t)
+
+manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
+
+kernel_read_kernel_sysctls(radiusd_t)
+kernel_read_system_state(radiusd_t)
+
+corenet_all_recvfrom_unlabeled(radiusd_t)
+corenet_all_recvfrom_netlabel(radiusd_t)
+corenet_tcp_sendrecv_generic_if(radiusd_t)
+corenet_udp_sendrecv_generic_if(radiusd_t)
+corenet_tcp_sendrecv_generic_node(radiusd_t)
+corenet_udp_sendrecv_generic_node(radiusd_t)
+corenet_tcp_sendrecv_all_ports(radiusd_t)
+corenet_udp_sendrecv_all_ports(radiusd_t)
+corenet_udp_bind_generic_node(radiusd_t)
+corenet_udp_bind_radacct_port(radiusd_t)
+corenet_udp_bind_radius_port(radiusd_t)
+corenet_tcp_connect_mysqld_port(radiusd_t)
+corenet_tcp_connect_snmp_port(radiusd_t)
+corenet_sendrecv_radius_server_packets(radiusd_t)
+corenet_sendrecv_radacct_server_packets(radiusd_t)
+corenet_sendrecv_mysqld_client_packets(radiusd_t)
+corenet_sendrecv_snmp_client_packets(radiusd_t)
+# for RADIUS proxy port
+corenet_udp_bind_generic_port(radiusd_t)
+corenet_dontaudit_udp_bind_all_ports(radiusd_t)
+corenet_sendrecv_generic_server_packets(radiusd_t)
+
+dev_read_sysfs(radiusd_t)
+
+fs_getattr_all_fs(radiusd_t)
+fs_search_auto_mountpoints(radiusd_t)
+
+corecmd_exec_bin(radiusd_t)
+corecmd_exec_shell(radiusd_t)
+
+domain_use_interactive_fds(radiusd_t)
+
+files_read_usr_files(radiusd_t)
+files_read_etc_files(radiusd_t)
+files_read_etc_runtime_files(radiusd_t)
+
+auth_use_nsswitch(radiusd_t)
+auth_read_shadow(radiusd_t)
+auth_domtrans_chk_passwd(radiusd_t)
+
+libs_exec_lib_files(radiusd_t)
+
+logging_send_syslog_msg(radiusd_t)
+
+miscfiles_read_localization(radiusd_t)
+miscfiles_read_generic_certs(radiusd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
+userdom_dontaudit_search_user_home_dirs(radiusd_t)
+
+optional_policy(`
+ cron_system_entry(radiusd_t, radiusd_exec_t)
+')
+
+optional_policy(`
+ logrotate_exec(radiusd_t)
+')
+
+optional_policy(`
+ mysql_read_config(radiusd_t)
+ mysql_stream_connect(radiusd_t)
+')
+
+optional_policy(`
+ samba_domtrans_winbind_helper(radiusd_t)
+ samba_read_var_files(radiusd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(radiusd_t)
+')
+
+optional_policy(`
+ udev_read_db(radiusd_t)
+')
diff --git a/radvd.fc b/radvd.fc
new file mode 100644
index 0000000..cc98d83
--- /dev/null
+++ b/radvd.fc
@@ -0,0 +1,7 @@
+/etc/radvd\.conf -- gen_context(system_u:object_r:radvd_etc_t,s0)
+/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0)
+
+/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
+
+/var/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0)
+/var/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0)
diff --git a/radvd.if b/radvd.if
new file mode 100644
index 0000000..be05bff
--- /dev/null
+++ b/radvd.if
@@ -0,0 +1,39 @@
+## IPv6 router advertisement daemon
+
+########################################
+##
+## All of the rules required to administrate
+## an radvd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`radvd_admin',`
+ gen_require(`
+ type radvd_t, radvd_etc_t;
+ type radvd_var_run_t, radvd_initrc_exec_t;
+ ')
+
+ allow $1 radvd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, radvd_t)
+
+ init_labeled_script_domtrans($1, radvd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 radvd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, radvd_etc_t)
+
+ files_list_pids($1)
+ admin_pattern($1, radvd_var_run_t)
+')
diff --git a/radvd.te b/radvd.te
new file mode 100644
index 0000000..f9a2162
--- /dev/null
+++ b/radvd.te
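Review bot: In radius.te, `sys_tty_config` is granted in `allow radiusd_t self:capability { ... sys_tty_config };` and then dontaudited on the very next line; the dontaudit is dead once the permission is allowed, so either drop it from the allow set (the shape every other daemon on this page uses, e.g. radvd_t, mdadm_t, rdisc_t) or drop the dontaudit, and say which in a comment. Separately, `auth_read_shadow(radiusd_t)` beside `auth_domtrans_chk_passwd(radiusd_t)` gives a network-listening daemon direct read of /etc/shadow in addition to the chkpwd helper path; if both are really required by the unix module, a one-line comment naming the reason would stop a later reader from pruning the wrong one. The `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` pair is also wide for a server whose listening ports are pinned a few lines below; presumably it covers proxying to arbitrary upstream servers, which is worth stating in the existing `# for RADIUS proxy port` comment.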
@@ -0,0 +1,82 @@
+policy_module(radvd, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+type radvd_t;
+type radvd_exec_t;
+init_daemon_domain(radvd_t, radvd_exec_t)
+
+type radvd_initrc_exec_t;
+init_script_file(radvd_initrc_exec_t)
+
+type radvd_var_run_t;
+files_pid_file(radvd_var_run_t)
+
+type radvd_etc_t;
+files_config_file(radvd_etc_t)
+
+########################################
+#
+# Local policy
+#
+allow radvd_t self:capability { kill setgid setuid net_raw net_admin };
+dontaudit radvd_t self:capability sys_tty_config;
+allow radvd_t self:process { fork signal_perms };
+allow radvd_t self:unix_dgram_socket create_socket_perms;
+allow radvd_t self:unix_stream_socket create_socket_perms;
+allow radvd_t self:rawip_socket create_socket_perms;
+allow radvd_t self:tcp_socket create_stream_socket_perms;
+allow radvd_t self:udp_socket create_socket_perms;
+allow radvd_t self:fifo_file rw_file_perms;
+
+allow radvd_t radvd_etc_t:file read_file_perms;
+
+manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
+manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
+files_pid_filetrans(radvd_t, radvd_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(radvd_t)
+kernel_rw_net_sysctls(radvd_t)
+kernel_read_network_state(radvd_t)
+kernel_read_system_state(radvd_t)
+kernel_request_load_module(radvd_t)
+
+corenet_all_recvfrom_unlabeled(radvd_t)
+corenet_all_recvfrom_netlabel(radvd_t)
+corenet_tcp_sendrecv_generic_if(radvd_t)
+corenet_udp_sendrecv_generic_if(radvd_t)
+corenet_raw_sendrecv_generic_if(radvd_t)
+corenet_tcp_sendrecv_generic_node(radvd_t)
+corenet_udp_sendrecv_generic_node(radvd_t)
+corenet_raw_sendrecv_generic_node(radvd_t)
+corenet_tcp_sendrecv_all_ports(radvd_t)
+corenet_udp_sendrecv_all_ports(radvd_t)
+
+dev_read_sysfs(radvd_t)
+
+fs_getattr_all_fs(radvd_t)
+fs_search_auto_mountpoints(radvd_t)
+
+domain_use_interactive_fds(radvd_t)
+
+files_read_etc_files(radvd_t)
+files_list_usr(radvd_t)
+
+auth_use_nsswitch(radvd_t)
+
+logging_send_syslog_msg(radvd_t)
+
+miscfiles_read_localization(radvd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(radvd_t)
+userdom_dontaudit_search_user_home_dirs(radvd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(radvd_t)
+')
+
+optional_policy(`
+ udev_read_db(radvd_t)
+')
diff --git a/raid.fc b/raid.fc
new file mode 100644
index 0000000..ed9c70d
--- /dev/null
+++ b/raid.fc
@@ -0,0 +1,6 @@
+/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
+
+/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+
+/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/raid.if b/raid.if
new file mode 100644
index 0000000..b1a85b5
--- /dev/null
+++ b/raid.if
@@ -0,0 +1,75 @@
+## RAID array management tools
+
+########################################
+##
+## Execute software raid tools in the mdadm domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`raid_domtrans_mdadm',`
+ gen_require(`
+ type mdadm_t, mdadm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mdadm_exec_t, mdadm_t)
+')
+
+######################################
+##
+## Execute a domain transition to mdadm_t for the
+## specified role, allowing it to use the mdadm_t
+## domain
+##
+##
+##
+## Role allowed to access mdadm_t domain
+##
+##
+##
+##
+## Domain allowed to transition to mdadm_t
+##
+##
+#
+interface(`raid_run_mdadm',`
+ gen_require(`
+ type mdadm_t;
+ ')
+
+ role $1 types mdadm_t;
+ raid_domtrans_mdadm($2)
+')
+
+########################################
+##
+## Create, read, write, and delete the mdadm pid files.
+##
+##
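Review bot: In radvd.te, `allow radvd_t self:fifo_file rw_file_perms;` applies the generic file permission set to the fifo_file class; the fifo-specific macro `rw_fifo_file_perms` is what radiusd_t, mdadm_t, remote_login_t and the razor template use on this page, so `allow radvd_t self:fifo_file rw_fifo_file_perms;` keeps the module consistent. It presumably compiles as written only because the two permission sets overlap, so this is a style point rather than a functional one. The `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` pair is also wide for a daemon that talks over the raw socket declared above; if those are needed for something specific, a comment saying what would help a later audit.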
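Review bot: The `/dev/.mdadm.map` pattern in raid.fc leaves both dots unescaped, whereas every other entry on this page escapes them as `\.`; as written each `.` matches any character, so the entry labels more names than the one file it is meant for. `/dev/\.mdadm\.map -- gen_context(system_u:object_r:mdadm_map_t,s0)` restricts it to the intended name.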

+## Create, read, write, and delete the mdadm pid files. +##

+##

+## Added for use in the init module. +##

+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`raid_manage_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+ # FIXME: maybe should have a type_transition. not
+ # clear what this is doing, from the original
+ # mdadm policy
+ allow $1 mdadm_var_run_t:file manage_file_perms;
+')
diff --git a/raid.te b/raid.te
new file mode 100644
index 0000000..3fd46f7
--- /dev/null
+++ b/raid.te
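Review bot: `raid_manage_mdadm_pid` grants `manage_file_perms` on `mdadm_var_run_t` files but nothing on the directory that holds them, so a caller that cannot already search /var/run is denied before it reaches the file; the other pid-directory interfaces on this page (`rgmanager_stream_connect`, `resmgr_stream_connect`) pair their rule with `files_search_pids($1)`. Adding `files_search_pids($1)` before the allow is the conventional fix. The inline FIXME about a missing type_transition should be resolved one way or the other: either add `files_pid_filetrans($1, mdadm_var_run_t, file)` so files the caller creates get the right label, or reword the comment to say the transition is intentionally left to the caller.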
@@ -0,0 +1,100 @@
+policy_module(raid, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type mdadm_t;
+type mdadm_exec_t;
+init_daemon_domain(mdadm_t, mdadm_exec_t)
+role system_r types mdadm_t;
+
+type mdadm_map_t;
+files_type(mdadm_map_t)
+
+type mdadm_var_run_t;
+files_pid_file(mdadm_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+dontaudit mdadm_t self:capability sys_tty_config;
+allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+allow mdadm_t self:fifo_file rw_fifo_file_perms;
+
+# create .mdadm files in /dev
+allow mdadm_t mdadm_map_t:file manage_file_perms;
+dev_filetrans(mdadm_t, mdadm_map_t, file)
+
+manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
+
+kernel_read_system_state(mdadm_t)
+kernel_read_kernel_sysctls(mdadm_t)
+kernel_rw_software_raid_state(mdadm_t)
+kernel_getattr_core_if(mdadm_t)
+
+# Helper program access
+corecmd_exec_bin(mdadm_t)
+corecmd_exec_shell(mdadm_t)
+
+dev_rw_sysfs(mdadm_t)
+# Ignore attempts to read every device file
+dev_dontaudit_getattr_all_blk_files(mdadm_t)
+dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_dontaudit_getattr_generic_files(mdadm_t)
+dev_dontaudit_getattr_generic_chr_files(mdadm_t)
+dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+dev_read_realtime_clock(mdadm_t)
+# unfortunately needed for DMI decoding:
+dev_read_raw_memory(mdadm_t)
+
+domain_use_interactive_fds(mdadm_t)
+
+files_read_etc_files(mdadm_t)
+files_read_etc_runtime_files(mdadm_t)
+
+fs_search_auto_mountpoints(mdadm_t)
+fs_dontaudit_list_tmpfs(mdadm_t)
+
+mls_file_read_all_levels(mdadm_t)
+mls_file_write_all_levels(mdadm_t)
+
+# RAID block device access
+storage_manage_fixed_disk(mdadm_t)
+storage_dev_filetrans_fixed_disk(mdadm_t)
+storage_read_scsi_generic(mdadm_t)
+
+term_dontaudit_list_ptys(mdadm_t)
+
+init_dontaudit_getattr_initctl(mdadm_t)
+
+logging_send_syslog_msg(mdadm_t)
+
+miscfiles_read_localization(mdadm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
+userdom_dontaudit_search_user_home_content(mdadm_t)
+userdom_dontaudit_use_user_terminals(mdadm_t)
+
+mta_send_mail(mdadm_t)
+
+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(mdadm_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(mdadm_t)
+')
+
+optional_policy(`
+ udev_read_db(mdadm_t)
+')
+
+optional_policy(`
+ unconfined_domain(mdadm_t)
+')
diff --git a/razor.fc b/razor.fc
new file mode 100644
index 0000000..1efba0c
--- /dev/null
+++ b/razor.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+
+/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
+
+/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
+
+/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
+/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0)
diff --git a/razor.if b/razor.if
new file mode 100644
index 0000000..f04a595
--- /dev/null
+++ b/razor.if
@@ -0,0 +1,159 @@
+## A distributed, collaborative, spam detection and filtering network.
+##
+##
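Review bot: The closing `optional_policy(` unconfined_domain(mdadm_t) `)` block in raid.te makes every rule above it moot whenever the unconfined module is present; if the intent is that mdadm is only confined on builds without that module, say so in a comment above the block, because a reader auditing the `dev_read_raw_memory`, `storage_manage_fixed_disk` and `mls_file_write_all_levels` grants will otherwise take them as the effective bound. Separately, `mta_send_mail(mdadm_t)` is called bare while gpm, seutil, udev and unconfined are each wrapped in `optional_policy`; unless mta is a required module in this tree, wrap it the same way so the module still links when mta is absent.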

+## A distributed, collaborative, spam detection and filtering network. +##

+##

+## This policy will work with either the ATrpms provided config +## file in /etc/razor, or with the default of dumping everything into +## $HOME/.razor. +##

+##
+ +####################################### +## +## Template to create types and rules common to +## all razor domains. +## +## +## +## The prefix of the domain (e.g., user +## is the prefix for user_t). +## +## +# +template(`razor_common_domain_template',` + gen_require(` + type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; + ') + type $1_t; + domain_type($1_t) + domain_entry_file($1_t, razor_exec_t) + + allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_t self:fd use; + allow $1_t self:fifo_file rw_fifo_file_perms; + allow $1_t self:unix_dgram_socket create_socket_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:unix_dgram_socket sendto; + allow $1_t self:unix_stream_socket connectto; + allow $1_t self:shm create_shm_perms; + allow $1_t self:sem create_sem_perms; + allow $1_t self:msgq create_msgq_perms; + allow $1_t self:msg { send receive }; + allow $1_t self:tcp_socket create_socket_perms; + + # Read system config file + allow $1_t razor_etc_t:dir list_dir_perms; + allow $1_t razor_etc_t:file read_file_perms; + allow $1_t razor_etc_t:lnk_file { getattr read }; + + manage_dirs_pattern($1_t, razor_log_t, razor_log_t) + manage_files_pattern($1_t, razor_log_t, razor_log_t) + manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t) + logging_log_filetrans($1_t, razor_log_t, file) + + manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t) + manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t) + manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t) + files_search_var_lib($1_t) + + # Razor is one executable and several symlinks + allow $1_t razor_exec_t:file read_file_perms; + allow $1_t razor_exec_t:lnk_file read_lnk_file_perms; + + kernel_read_system_state($1_t) + kernel_read_network_state($1_t) + kernel_read_software_raid_state($1_t) + kernel_getattr_core_if($1_t) + kernel_getattr_message_if($1_t) + 
kernel_read_kernel_sysctls($1_t)
+
+ corecmd_exec_bin($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_raw_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+ corenet_raw_sendrecv_generic_node($1_t)
+ corenet_tcp_sendrecv_razor_port($1_t)
+
+ # mktemp and other randoms
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
+
+ files_search_pids($1_t)
+ # Allow access to various files in the /etc/directory including mtab
+ # and nsswitch
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+
+ fs_search_auto_mountpoints($1_t)
+
+ libs_read_lib_files($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ sysnet_read_config($1_t)
+ sysnet_dns_name_resolve($1_t)
+
+ optional_policy(`
+ nis_use_ypbind($1_t)
+ ')
+')
+
+########################################
+##
+## Role access for razor
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`razor_role',`
+ gen_require(`
+ type razor_t, razor_exec_t, razor_home_t;
+ ')
+
+ role $1 types razor_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, razor_exec_t, razor_t)
+
+ # allow ps to show razor and allow the user to kill it
+ ps_process_pattern($2, razor_t)
+ allow $2 razor_t:process signal;
+
+ manage_dirs_pattern($2, razor_home_t, razor_home_t)
+ manage_files_pattern($2, razor_home_t, razor_home_t)
+ manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_dirs_pattern($2, razor_home_t, razor_home_t)
+ relabel_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
+')
+
+########################################
+##
+## Execute razor in the system razor domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`razor_domtrans',`
+ gen_require(`
+ type razor_t, razor_exec_t;
+ ')
+
+ domtrans_pattern($1, razor_exec_t, razor_t)
+')
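Review bot: `razor_domtrans` calls `domtrans_pattern($1, razor_exec_t, razor_t)` without `corecmd_search_bin($1)`, unlike `raid_domtrans_mdadm` and `rgmanager_domtrans` on this page, so a caller that does not already have search on the bin directories cannot reach /usr/bin/razor.* to execute it; add `corecmd_search_bin($1)` before the domtrans_pattern line. In the template, `allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` grants every process permission except the listed ones, which is broader than the explicit sets the daemons on this page use; if that is deliberate for a user-derived domain, a comment saying so would help. `kernel_read_software_raid_state($1_t)` also looks out of place for a spam-detection client and deserves either a justifying comment or removal.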
diff --git a/razor.te b/razor.te
new file mode 100644
index 0000000..852840b
--- /dev/null
+++ b/razor.te
@@ -0,0 +1,122 @@
+policy_module(razor, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type razor_exec_t;
+corecmd_executable_file(razor_exec_t)
+
+type razor_etc_t;
+files_config_file(razor_etc_t)
+
+type razor_home_t;
+typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+userdom_user_home_content(razor_home_t)
+
+type razor_log_t;
+logging_log_file(razor_log_t)
+
+type razor_tmp_t;
+typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+files_tmp_file(razor_tmp_t)
+ubac_constrained(razor_tmp_t)
+
+type razor_var_lib_t;
+files_type(razor_var_lib_t)
+
+# these are here due to ordering issues:
+razor_common_domain_template(razor)
+typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+ubac_constrained(razor_t)
+
+razor_common_domain_template(system_razor)
+role system_r types system_razor_t;
+
+########################################
+#
+# System razor local policy
+#
+
+# this version of razor is invoked typically
+# via the system spam filter
+
+allow system_razor_t self:tcp_socket create_socket_perms;
+
+manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+files_search_etc(system_razor_t)
+
+allow system_razor_t razor_log_t:file manage_file_perms;
+logging_log_filetrans(system_razor_t, razor_log_t, file)
+
+manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+
+corenet_all_recvfrom_unlabeled(system_razor_t)
+corenet_all_recvfrom_netlabel(system_razor_t)
+corenet_tcp_sendrecv_generic_if(system_razor_t)
+corenet_raw_sendrecv_generic_if(system_razor_t)
+corenet_tcp_sendrecv_generic_node(system_razor_t)
+corenet_raw_sendrecv_generic_node(system_razor_t)
+corenet_tcp_sendrecv_razor_port(system_razor_t)
+corenet_tcp_connect_razor_port(system_razor_t)
+corenet_sendrecv_razor_client_packets(system_razor_t)
+
+sysnet_read_config(system_razor_t)
+
+# cjp: this shouldn't be needed
+userdom_use_unpriv_users_fds(system_razor_t)
+
+optional_policy(`
+ logging_send_syslog_msg(system_razor_t)
+')
+
+optional_policy(`
+ nscd_socket_use(system_razor_t)
+')
+
+########################################
+#
+# User razor local policy
+#
+
+# Allow razor to be run by hand. Needed by any action other than
+# invocation from a spam filter.
+
+allow razor_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+
+manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+logging_send_syslog_msg(razor_t)
+
+userdom_search_user_home_dirs(razor_t)
+userdom_use_user_terminals(razor_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(razor_t)
+ fs_manage_nfs_files(razor_t)
+ fs_manage_nfs_symlinks(razor_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(razor_t)
+ fs_manage_cifs_files(razor_t)
+ fs_manage_cifs_symlinks(razor_t)
+')
+
+optional_policy(`
+ nscd_socket_use(razor_t)
+')
diff --git a/rdisc.fc b/rdisc.fc
new file mode 100644
index 0000000..dee4adc
--- /dev/null
+++ b/rdisc.fc
@@ -0,0 +1,2 @@
+
+/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/rdisc.if b/rdisc.if
new file mode 100644
index 0000000..fe24d25
--- /dev/null
+++ b/rdisc.if
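Review bot: `logging_send_syslog_msg(system_razor_t)` is wrapped in `optional_policy` while `logging_send_syslog_msg(razor_t)` further down the same file is called bare; both should be written the same way, and since every other module on this page calls logging unconditionally the bare form is the one to keep. The `manage_dirs_pattern`/`manage_files_pattern`/`manage_lnk_files_pattern` trio on `razor_etc_t` lets the system domain create and delete its own configuration under /etc/razor even though the type is declared with `files_config_file`; if razor genuinely rewrites its config at runtime, a comment next to those three lines saying so would stop a later review from reducing it to read-only. The `# cjp: this shouldn't be needed` note above `userdom_use_unpriv_users_fds(system_razor_t)` should be resolved, or the rule turned into the corresponding dontaudit, rather than shipped as an allow with a doubt attached.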
@@ -0,0 +1,20 @@
+## Network router discovery daemon
+
+######################################
+##
+## Execute rdisc in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rdisc_exec',`
+ gen_require(`
+ type rdisc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rdisc_exec_t)
+')
diff --git a/rdisc.te b/rdisc.te
new file mode 100644
index 0000000..0f07685
--- /dev/null
+++ b/rdisc.te
@@ -0,0 +1,58 @@
+policy_module(rdisc, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type rdisc_t;
+type rdisc_exec_t;
+init_daemon_domain(rdisc_t, rdisc_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rdisc_t self:capability net_raw;
+dontaudit rdisc_t self:capability sys_tty_config;
+allow rdisc_t self:process signal_perms;
+allow rdisc_t self:unix_stream_socket create_stream_socket_perms;
+allow rdisc_t self:udp_socket create_socket_perms;
+allow rdisc_t self:rawip_socket create_socket_perms;
+
+kernel_list_proc(rdisc_t)
+kernel_read_proc_symlinks(rdisc_t)
+kernel_read_kernel_sysctls(rdisc_t)
+
+corenet_all_recvfrom_unlabeled(rdisc_t)
+corenet_all_recvfrom_netlabel(rdisc_t)
+corenet_udp_sendrecv_generic_if(rdisc_t)
+corenet_raw_sendrecv_generic_if(rdisc_t)
+corenet_udp_sendrecv_generic_node(rdisc_t)
+corenet_raw_sendrecv_generic_node(rdisc_t)
+corenet_udp_sendrecv_all_ports(rdisc_t)
+
+dev_read_sysfs(rdisc_t)
+
+fs_search_auto_mountpoints(rdisc_t)
+
+domain_use_interactive_fds(rdisc_t)
+
+files_read_etc_files(rdisc_t)
+
+logging_send_syslog_msg(rdisc_t)
+
+miscfiles_read_localization(rdisc_t)
+
+sysnet_read_config(rdisc_t)
+
+userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(rdisc_t)
+')
+
+optional_policy(`
+ udev_read_db(rdisc_t)
+')
diff --git a/readahead.fc b/readahead.fc
new file mode 100644
index 0000000..7077413
--- /dev/null
+++ b/readahead.fc
@@ -0,0 +1,3 @@
+/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
diff --git a/readahead.if b/readahead.if
new file mode 100644
index 0000000..47c4723
--- /dev/null
+++ b/readahead.if
@@ -0,0 +1 @@
+## Readahead, read files into page cache for improved performance
diff --git a/readahead.te b/readahead.te
new file mode 100644
index 0000000..b4ac57e
--- /dev/null
+++ b/readahead.te
@@ -0,0 +1,101 @@
+policy_module(readahead, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type readahead_t;
+type readahead_exec_t;
+init_daemon_domain(readahead_t, readahead_exec_t)
+application_domain(readahead_t, readahead_exec_t)
+
+type readahead_var_lib_t;
+files_type(readahead_var_lib_t)
+typealias readahead_var_lib_t alias readahead_etc_rw_t;
+
+type readahead_var_run_t;
+files_pid_file(readahead_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow readahead_t self:capability { fowner dac_override dac_read_search };
+dontaudit readahead_t self:capability { net_admin sys_tty_config };
+allow readahead_t self:process { setsched signal_perms };
+
+manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+files_search_var_lib(readahead_t)
+
+manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
+files_pid_filetrans(readahead_t, readahead_var_run_t, file)
+
+kernel_read_all_sysctls(readahead_t)
+kernel_read_system_state(readahead_t)
+kernel_dontaudit_getattr_core_if(readahead_t)
+
+dev_read_sysfs(readahead_t)
+dev_getattr_generic_chr_files(readahead_t)
+dev_getattr_generic_blk_files(readahead_t)
+dev_getattr_all_chr_files(readahead_t)
+dev_getattr_all_blk_files(readahead_t)
+dev_dontaudit_read_all_blk_files(readahead_t)
+dev_dontaudit_getattr_memory_dev(readahead_t)
+dev_dontaudit_getattr_nvram_dev(readahead_t)
+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(readahead_t)
+
+domain_use_interactive_fds(readahead_t)
+domain_read_all_domains_state(readahead_t)
+
+files_list_non_security(readahead_t)
+files_read_non_security_files(readahead_t)
+files_create_boot_flag(readahead_t)
+files_getattr_all_pipes(readahead_t)
+files_dontaudit_getattr_all_sockets(readahead_t)
+files_dontaudit_getattr_non_security_blk_files(readahead_t)
+
+fs_getattr_all_fs(readahead_t)
+fs_search_auto_mountpoints(readahead_t)
+fs_getattr_all_pipes(readahead_t)
+fs_getattr_all_files(readahead_t)
+fs_read_cgroup_files(readahead_t)
+fs_read_tmpfs_files(readahead_t)
+fs_read_tmpfs_symlinks(readahead_t)
+fs_list_inotifyfs(readahead_t)
+fs_dontaudit_search_ramfs(readahead_t)
+fs_dontaudit_read_ramfs_pipes(readahead_t)
+fs_dontaudit_read_ramfs_files(readahead_t)
+fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
+
+mls_file_read_all_levels(readahead_t)
+
+storage_raw_read_fixed_disk(readahead_t)
+
+term_dontaudit_use_console(readahead_t)
+
+auth_dontaudit_read_shadow(readahead_t)
+
+init_use_fds(readahead_t)
+init_use_script_ptys(readahead_t)
+init_getattr_initctl(readahead_t)
+
+logging_send_syslog_msg(readahead_t)
+logging_set_audit_parameters(readahead_t)
+logging_dontaudit_search_audit_config(readahead_t)
+
+miscfiles_read_localization(readahead_t)
+
+userdom_dontaudit_use_unpriv_user_fds(readahead_t)
+userdom_dontaudit_search_user_home_dirs(readahead_t)
+
+optional_policy(`
+ cron_system_entry(readahead_t, readahead_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(readahead_t)
+')
diff --git a/remotelogin.fc b/remotelogin.fc
new file mode 100644
index 0000000..d8691bd
--- /dev/null
+++ b/remotelogin.fc
@@ -0,0 +1,2 @@
+
+# Remote login currently has no file contexts.
diff --git a/remotelogin.if b/remotelogin.if
new file mode 100644
index 0000000..31be971
--- /dev/null
+++ b/remotelogin.if
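Review bot: `readahead_var_run_t` is declared with `files_pid_file` and used by `files_pid_filetrans(readahead_t, readahead_var_run_t, file)`, but readahead.fc in this commit has no /var/run entry for it, so the pid file is labelled only through the transition and would fall back to the generic pid label after any relabel; add a file-context line for it (placeholder path: `/var/run/<readahead pid file> -- gen_context(system_u:object_r:readahead_var_run_t,s0)`) or drop the type if readahead does not actually write one. `storage_raw_read_fixed_disk`, `files_read_non_security_files` and `mls_file_read_all_levels` together give this boot-time helper read access to practically all non-security data, presumably what it needs to pre-fault files into the page cache; a comment above the storage line stating that the raw-disk read is intentional would help a later auditor. `logging_set_audit_parameters(readahead_t)` is also an unusual grant for a cache warmer and deserves a one-line reason.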
@@ -0,0 +1,37 @@
+## Policy for rshd, rlogind, and telnetd.
+
+########################################
+##
+## Domain transition to the remote login domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`remotelogin_domtrans',`
+ gen_require(`
+ type remote_login_t;
+ ')
+
+ auth_domtrans_login_program($1, remote_login_t)
+')
+
+########################################
+##
+## allow Domain to signal remote login domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`remotelogin_signal',`
+ gen_require(`
+ type remote_login_t;
+ ')
+
+ allow $1 remote_login_t:process signal;
+')
diff --git a/remotelogin.te b/remotelogin.te
new file mode 100644
index 0000000..0a76027
--- /dev/null
+++ b/remotelogin.te
@@ -0,0 +1,123 @@
+policy_module(remotelogin, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type remote_login_t;
+domain_interactive_fd(remote_login_t)
+auth_login_pgm_domain(remote_login_t)
+auth_login_entry_type(remote_login_t)
+
+type remote_login_tmp_t;
+files_tmp_file(remote_login_tmp_t)
+
+########################################
+#
+# Remote login remote policy
+#
+
+allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow remote_login_t self:process { setrlimit setexec };
+allow remote_login_t self:fd use;
+allow remote_login_t self:fifo_file rw_fifo_file_perms;
+allow remote_login_t self:sock_file read_sock_file_perms;
+allow remote_login_t self:unix_dgram_socket create_socket_perms;
+allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
+allow remote_login_t self:unix_dgram_socket sendto;
+allow remote_login_t self:unix_stream_socket connectto;
+allow remote_login_t self:shm create_shm_perms;
+allow remote_login_t self:sem create_sem_perms;
+allow remote_login_t self:msgq create_msgq_perms;
+allow remote_login_t self:msg { send receive };
+allow remote_login_t self:key write;
+
+manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+
+kernel_read_system_state(remote_login_t)
+kernel_read_kernel_sysctls(remote_login_t)
+
+dev_getattr_mouse_dev(remote_login_t)
+dev_setattr_mouse_dev(remote_login_t)
+dev_dontaudit_search_sysfs(remote_login_t)
+
+fs_getattr_xattr_fs(remote_login_t)
+fs_search_auto_mountpoints(remote_login_t)
+
+term_relabel_all_ptys(remote_login_t)
+
+auth_rw_login_records(remote_login_t)
+auth_rw_faillog(remote_login_t)
+auth_manage_pam_console_data(remote_login_t)
+auth_domtrans_pam_console(remote_login_t)
+
+corecmd_list_bin(remote_login_t)
+corecmd_read_bin_symlinks(remote_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(remote_login_t)
+corecmd_read_bin_pipes(remote_login_t)
+corecmd_read_bin_sockets(remote_login_t)
+
+domain_read_all_entry_files(remote_login_t)
+
+files_read_etc_files(remote_login_t)
+files_read_etc_runtime_files(remote_login_t)
+files_list_home(remote_login_t)
+files_read_usr_files(remote_login_t)
+files_list_world_readable(remote_login_t)
+files_read_world_readable_files(remote_login_t)
+files_read_world_readable_symlinks(remote_login_t)
+files_read_world_readable_pipes(remote_login_t)
+files_read_world_readable_sockets(remote_login_t)
+files_list_mnt(remote_login_t)
+# for when /var/mail is a sym-link
+files_read_var_symlinks(remote_login_t)
+
+sysnet_dns_name_resolve(remote_login_t)
+
+miscfiles_read_localization(remote_login_t)
+
+userdom_use_unpriv_users_fds(remote_login_t)
+userdom_search_user_home_content(remote_login_t)
+# Only permit unprivileged user domains to be entered via rlogin,
+# since very weak authentication is used.
+userdom_signal_unpriv_users(remote_login_t)
+userdom_spec_domtrans_unpriv_users(remote_login_t)
+
+# Search for mail spool file.
+mta_getattr_spool(remote_login_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(remote_login_t)
+ fs_read_nfs_symlinks(remote_login_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(remote_login_t)
+ fs_read_cifs_symlinks(remote_login_t)
+')
+
+optional_policy(`
+ alsa_domtrans(remote_login_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(remote_login_t)
+')
+
+optional_policy(`
+ nscd_socket_use(remote_login_t)
+')
+
+optional_policy(`
+ unconfined_domain(remote_login_t)
+ unconfined_shell_domtrans(remote_login_t)
+')
+
+optional_policy(`
+ usermanage_read_crack_db(remote_login_t)
+')
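Review bot: The comment `# Only permit unprivileged user domains to be entered via rlogin, since very weak authentication is used.` is contradicted a few lines later by the `optional_policy(` block calling `unconfined_domain(remote_login_t)` and `unconfined_shell_domtrans(remote_login_t)`, which lets the same weakly authenticated login reach the unconfined domain whenever the unconfined module is present; either that block should go, or the comment should be rewritten to say the restriction only holds on builds without unconfined. Also, `allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` excludes setrlimit and setexec and the next line adds them straight back with `allow remote_login_t self:process { setrlimit setexec };`; removing those two from the complement set states the effective permissions in one place. The section header `# Remote login remote policy` is presumably meant to read `# Remote login local policy`, matching the other modules on this page.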
diff --git a/resmgr.fc b/resmgr.fc
new file mode 100644
index 0000000..af810b9
--- /dev/null
+++ b/resmgr.fc
@@ -0,0 +1,7 @@
+
+/etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0)
+
+/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
+/var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+/var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/resmgr.if b/resmgr.if
new file mode 100644
index 0000000..d457736
--- /dev/null
+++ b/resmgr.if
@@ -0,0 +1,22 @@
+## Resource management daemon
+
+########################################
+##
+## Connect to resmgrd over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`resmgr_stream_connect',`
+ gen_require(`
+ type resmgrd_var_run_t, resmgrd_t;
+ ')
+
+ allow $1 resmgrd_t:unix_stream_socket connectto;
+ allow $1 resmgrd_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
+')
diff --git a/resmgr.te b/resmgr.te
new file mode 100644
index 0000000..bf5efbf
--- /dev/null
+++ b/resmgr.te
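Review bot: `resmgr_stream_connect` spells the socket rules out by hand (`allow $1 resmgrd_t:unix_stream_socket connectto;` and `allow $1 resmgrd_var_run_t:sock_file { getattr write };`) while `rgmanager_stream_connect` on this page uses `stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)`; writing it as `stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)` keeps the two interfaces consistent and picks up whatever the shared macro grants, including any directory-search it adds on the socket's parent. The `-s` entry for `/var/run/\.resmgr_socket` in resmgr.fc does line up with the sock_file rule, so the change is about uniformity rather than a missing permission.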
@@ -0,0 +1,66 @@
+policy_module(resmgr, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type resmgrd_t;
+type resmgrd_exec_t;
+init_daemon_domain(resmgrd_t, resmgrd_exec_t)
+
+type resmgrd_etc_t;
+files_config_file(resmgrd_etc_t)
+
+type resmgrd_var_run_t;
+files_pid_file(resmgrd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
+dontaudit resmgrd_t self:capability sys_tty_config;
+allow resmgrd_t self:process signal_perms;
+
+allow resmgrd_t resmgrd_etc_t:file read_file_perms;
+files_search_etc(resmgrd_t)
+
+allow resmgrd_t resmgrd_var_run_t:file manage_file_perms;
+allow resmgrd_t resmgrd_var_run_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(resmgrd_t, resmgrd_var_run_t, { file sock_file })
+
+kernel_list_proc(resmgrd_t)
+kernel_read_proc_symlinks(resmgrd_t)
+kernel_read_kernel_sysctls(resmgrd_t)
+
+dev_read_sysfs(resmgrd_t)
+dev_getattr_scanner_dev(resmgrd_t)
+
+domain_use_interactive_fds(resmgrd_t)
+
+files_read_etc_files(resmgrd_t)
+
+fs_search_auto_mountpoints(resmgrd_t)
+
+storage_dontaudit_read_fixed_disk(resmgrd_t)
+storage_read_scsi_generic(resmgrd_t)
+storage_raw_read_removable_device(resmgrd_t)
+# not sure if it needs write access, needs to be investigated further...
+storage_write_scsi_generic(resmgrd_t)
+storage_raw_write_removable_device(resmgrd_t)
+
+logging_send_syslog_msg(resmgrd_t)
+
+miscfiles_read_localization(resmgrd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(resmgrd_t)
+')
+
+optional_policy(`
+ udev_read_db(resmgrd_t)
+')
diff --git a/rgmanager.fc b/rgmanager.fc
new file mode 100644
index 0000000..3c97ef0
--- /dev/null
+++ b/rgmanager.fc
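Review bot: The two rules under the `# not sure if it needs write access` comment, `storage_write_scsi_generic(resmgrd_t)` and `storage_raw_write_removable_device(resmgrd_t)`, grant raw write to removable block devices and SCSI generic devices to a domain that already holds `sys_rawio` and `dac_override`; committing a privilege on a recorded doubt is the wrong direction for least privilege. Drop the two lines until a denial in permissive mode shows the access is needed, or leave them commented out beside the note so the follow-up stays visible. `sys_admin` is the broadest capability in the allow set and deserves a one-line comment naming the operation resmgrd needs it for.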
@@ -0,0 +1,7 @@
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
+/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/rgmanager.if b/rgmanager.if
new file mode 100644
index 0000000..7dc38d1
--- /dev/null
+++ b/rgmanager.if
@@ -0,0 +1,77 @@
+## rgmanager - Resource Group Manager
+
+#######################################
+##
+## Execute a domain transition to run rgmanager.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rgmanager_domtrans',`
+ gen_require(`
+ type rgmanager_t, rgmanager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
+')
+
+########################################
+##
+## Connect to rgmanager over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rgmanager_stream_connect',`
+ gen_require(`
+ type rgmanager_t, rgmanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
+')
+
+######################################
+##
+## Allow manage rgmanager tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rgmanager_manage_tmp_files',`
+ gen_require(`
+ type rgmanager_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+')
+
+######################################
+##
+## Allow manage rgmanager tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rgmanager_manage_tmpfs_files',`
+ gen_require(`
+ type rgmanager_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+')
diff --git a/rgmanager.te b/rgmanager.te
new file mode 100644
index 0000000..c537000
--- /dev/null
+++ b/rgmanager.te
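Review bot: The summaries of `rgmanager_manage_tmp_files` and `rgmanager_manage_tmpfs_files` read `Allow manage rgmanager tmp files.` / `Allow manage rgmanager tmpfs files.`, which is not a sentence and does not say what "manage" grants; the phrasing used elsewhere in the policy for this permission set is `Create, read, write, and delete rgmanager temporary files.` and `Create, read, write, and delete rgmanager tmpfs files.`. The `rgmanager_stream_connect` summary should also read `over a unix stream socket` rather than `an unix`.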
@@ -0,0 +1,202 @@
+policy_module(rgmanager, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##

+## Allow rgmanager domain to connect to the network using TCP.
+##

+##
+gen_tunable(rgmanager_can_network_connect, false)
+
+type rgmanager_t;
+type rgmanager_exec_t;
+domain_type(rgmanager_t)
+init_daemon_domain(rgmanager_t, rgmanager_exec_t)
+
+type rgmanager_tmp_t;
+files_tmp_file(rgmanager_tmp_t)
+
+type rgmanager_tmpfs_t;
+files_tmpfs_file(rgmanager_tmpfs_t)
+
+type rgmanager_var_log_t;
+logging_log_file(rgmanager_var_log_t)
+
+type rgmanager_var_run_t;
+files_pid_file(rgmanager_var_run_t)
+
+########################################
+#
+# rgmanager local policy
+#
+
+allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+dontaudit rgmanager_t self:capability { sys_ptrace };
+allow rgmanager_t self:process { setsched signal };
+dontaudit rgmanager_t self:process { ptrace };
+
+allow rgmanager_t self:fifo_file rw_fifo_file_perms;
+allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
+allow rgmanager_t self:unix_dgram_socket create_socket_perms;
+allow rgmanager_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
+
+manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
+
+manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
+logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
+
+manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_system_state(rgmanager_t)
+kernel_rw_rpc_sysctls(rgmanager_t)
+kernel_search_debugfs(rgmanager_t)
+kernel_search_network_state(rgmanager_t)
+
+corecmd_exec_bin(rgmanager_t)
+corecmd_exec_shell(rgmanager_t)
+consoletype_exec(rgmanager_t)
+
+# need to write to /dev/misc/dlm-control
+dev_rw_dlm_control(rgmanager_t)
+dev_setattr_dlm_control(rgmanager_t)
+dev_search_sysfs(rgmanager_t)
+
+domain_read_all_domains_state(rgmanager_t)
+domain_getattr_all_domains(rgmanager_t)
+domain_dontaudit_ptrace_all_domains(rgmanager_t)
+
+files_list_all(rgmanager_t)
+files_getattr_all_symlinks(rgmanager_t)
+files_manage_mnt_dirs(rgmanager_t)
+files_manage_isid_type_dirs(rgmanager_t)
+
+fs_getattr_xattr_fs(rgmanager_t)
+fs_getattr_all_fs(rgmanager_t)
+
+storage_getattr_fixed_disk_dev(rgmanager_t)
+
+term_getattr_pty_fs(rgmanager_t)
+#term_use_ptmx(rgmanager_t)
+
+# needed by resources scripts
+auth_read_all_files_except_auth_files(rgmanager_t)
+auth_dontaudit_getattr_shadow(rgmanager_t)
+auth_use_nsswitch(rgmanager_t)
+
+logging_send_syslog_msg(rgmanager_t)
+
+miscfiles_read_localization(rgmanager_t)
+
+mount_domtrans(rgmanager_t)
+
+tunable_policy(`rgmanager_can_network_connect',`
+ corenet_tcp_connect_all_ports(rgmanager_t)
+')
+
+# rgmanager can run resource scripts
+optional_policy(`
+ aisexec_stream_connect(rgmanager_t)
+ corosync_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ apache_domtrans(rgmanager_t)
+ apache_signal(rgmanager_t)
+')
+
+optional_policy(`
+ fstools_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ rhcs_stream_connect_groupd(rgmanager_t)
+')
+
+optional_policy(`
+ hostname_exec(rgmanager_t)
+')
+
+optional_policy(`
+ ccs_manage_config(rgmanager_t)
+ ccs_stream_connect(rgmanager_t)
+ rhcs_stream_connect_gfs_controld(rgmanager_t)
+')
+
+optional_policy(`
+ lvm_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ mysql_domtrans_mysql_safe(rgmanager_t)
+ mysql_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ netutils_domtrans(rgmanager_t)
+ netutils_domtrans_ping(rgmanager_t)
+')
+
+optional_policy(`
+ postgresql_domtrans(rgmanager_t)
+ 
postgresql_signal(rgmanager_t)
+')
+
+optional_policy(`
+ rdisc_exec(rgmanager_t)
+')
+
+optional_policy(`
+ ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
+')
+
+optional_policy(`
+ rpc_initrc_domtrans_nfsd(rgmanager_t)
+ rpc_initrc_domtrans_rpcd(rgmanager_t)
+
+ rpc_domtrans_nfsd(rgmanager_t)
+ rpc_domtrans_rpcd(rgmanager_t)
+ rpc_manage_nfs_state_data(rgmanager_t)
+')
+
+optional_policy(`
+ samba_initrc_domtrans(rgmanager_t)
+ samba_domtrans_smbd(rgmanager_t)
+ samba_domtrans_nmbd(rgmanager_t)
+ samba_manage_var_files(rgmanager_t)
+ samba_rw_config(rgmanager_t)
+ samba_signal_smbd(rgmanager_t)
+ samba_signal_nmbd(rgmanager_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(rgmanager_t)
+')
+
+optional_policy(`
+ udev_read_db(rgmanager_t)
+')
+
+optional_policy(`
+ virt_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ unconfined_domain(rgmanager_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(rgmanager_t)
+')
diff --git a/rhcs.fc b/rhcs.fc
new file mode 100644
index 0000000..c2ba53b
--- /dev/null
+++ b/rhcs.fc
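Review bot: `optional_policy(` unconfined_domain(rgmanager_t) ')` near the end of the hunk makes rgmanager_t fully unconfined whenever the unconfined module is loaded, which turns every targeted rule above it — the `rgmanager_can_network_connect` tunable, the `dontaudit ... ptrace` lines, the per-service `optional_policy` blocks — into documentation only on such a system. Given that the domain already holds `sys_admin`, `dac_override` and `auth_read_all_files_except_auth_files`, a comment stating why confinement is abandoned (presumably because resource agents are arbitrary scripts) is the minimum; better is to remove the call and keep collecting denials from the agents. Also, the comment `# rgmanager can run resource scripts` sits over the aisexec/corosync stream-connect block it does not describe and belongs with `corecmd_exec_shell(rgmanager_t)` / `mount_domtrans(rgmanager_t)`, and `#term_use_ptmx(rgmanager_t)` is commented-out code that should be either enabled or deleted.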
@@ -0,0 +1,22 @@
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+
+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+
+/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
diff --git a/rhcs.if b/rhcs.if
new file mode 100644
index 0000000..de37806
--- /dev/null
+++ b/rhcs.if
@@ -0,0 +1,355 @@
+## RHCS - Red Hat Cluster Suite
+
+#######################################
+##
+## Creates types and rules for a basic
+## rhcs init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`rhcs_domain_template',`
+ gen_require(`
+ attribute cluster_domain;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_t, cluster_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
+ type $1_var_log_t;
+ logging_log_file($1_var_log_t)
+
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
+
+ manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })
+
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
+
+')
+
+######################################
+##
+## Execute a domain transition to run dlm_controld.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rhcs_domtrans_dlm_controld',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
+')
+
+#####################################
+##
+## Connect to dlm_controld over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_stream_connect_dlm_controld',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+')
+
+#####################################
+##
+## Allow read and write access to dlm_controld semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_rw_dlm_controld_semaphores',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_tmpfs_t;
+ ')
+
+ allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
+')
+
+######################################
+##
+## Execute a domain transition to run fenced.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rhcs_domtrans_fenced',`
+ gen_require(`
+ type fenced_t, fenced_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fenced_exec_t, fenced_t)
+')
+
+######################################
+##
+## Allow read and write access to fenced semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_rw_fenced_semaphores',`
+ gen_require(`
+ type fenced_t, fenced_tmpfs_t;
+ ')
+
+ allow $1 fenced_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
+')
+
+######################################
+##
+## Connect to fenced over an unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_stream_connect_fenced',`
+ gen_require(`
+ type fenced_var_run_t, fenced_t;
+ ')
+
+ allow $1 fenced_t:unix_stream_socket connectto;
+ allow $1 fenced_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
+')
+
+#####################################
+##
+## Execute a domain transition to run gfs_controld.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rhcs_domtrans_gfs_controld',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
+')
+
+####################################
+##
+## Allow read and write access to gfs_controld semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_rw_gfs_controld_semaphores',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_tmpfs_t;
+ ')
+
+ allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+')
+
+########################################
+##
+## Read and write to gfs_controld_t shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_rw_gfs_controld_shm',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_tmpfs_t;
+ ')
+
+ allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+')
+
+#####################################
+##
+## Connect to gfs_controld_t over an unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_stream_connect_gfs_controld',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
+')
+
+######################################
+##
+## Execute a domain transition to run groupd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rhcs_domtrans_groupd',`
+ gen_require(`
+ type groupd_t, groupd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, groupd_exec_t, groupd_t)
+')
+
+#####################################
+##
+## Connect to groupd over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_stream_connect_groupd',`
+ gen_require(`
+ type groupd_t, groupd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
+')
+
+#####################################
+##
+## Allow read and write access to groupd semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_rw_groupd_semaphores',`
+ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+########################################
+##
+## Read and write to group shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhcs_rw_groupd_shm',`
+ gen_require(`
+ type groupd_t, groupd_tmpfs_t;
+ ')
+
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+######################################
+##
+## Execute a domain transition to run qdiskd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rhcs_domtrans_qdiskd',`
+ gen_require(`
+ type qdiskd_t, qdiskd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
+')
diff --git a/rhcs.te b/rhcs.te
new file mode 100644
index 0000000..93c896a
--- /dev/null
+++ b/rhcs.te
@@ -0,0 +1,240 @@
+policy_module(rhcs, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
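Review bot: In `rhcs_domain_template`, `files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })` omits `sock_file` although the template grants `manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)` one line above it, so a socket the daemon creates under /var/run at runtime will not be labeled `$1_var_run_t` unless a file context covers it — and rhcs.fc in this commit labels no sock files. The `rhcs_stream_connect_*` interfaces later in the file expect `$1_var_run_t` sock files, so connections to such a socket would then be denied. Suggested: `files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file sock_file })`. The log filetrans a few lines earlier already lists `sock_file`, so this looks like an oversight rather than intent.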

+## Allow fenced domain to connect to the network using TCP.
+##

+##
+gen_tunable(fenced_can_network_connect, false)
+
+attribute cluster_domain;
+
+rhcs_domain_template(dlm_controld)
+
+rhcs_domain_template(fenced)
+
+type fenced_lock_t;
+files_lock_file(fenced_lock_t)
+
+type fenced_tmp_t;
+files_tmp_file(fenced_tmp_t)
+
+rhcs_domain_template(gfs_controld)
+
+rhcs_domain_template(groupd)
+
+rhcs_domain_template(qdiskd)
+
+type qdiskd_var_lib_t;
+files_type(qdiskd_var_lib_t)
+
+#####################################
+#
+# dlm_controld local policy
+#
+
+allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
+
+allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+kernel_read_system_state(dlm_controld_t)
+
+dev_rw_dlm_control(dlm_controld_t)
+dev_rw_sysfs(dlm_controld_t)
+
+fs_manage_configfs_files(dlm_controld_t)
+fs_manage_configfs_dirs(dlm_controld_t)
+
+init_rw_script_tmp_files(dlm_controld_t)
+
+optional_policy(`
+ ccs_stream_connect(dlm_controld_t)
+')
+
+#######################################
+#
+# fenced local policy
+#
+
+allow fenced_t self:capability { sys_rawio sys_resource };
+allow fenced_t self:process getsched;
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
+
+can_exec(fenced_t, fenced_exec_t)
+
+manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
+files_lock_filetrans(fenced_t, fenced_lock_t, file)
+
+manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+
+stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+corecmd_exec_bin(fenced_t)
+
+corenet_tcp_connect_http_port(fenced_t)
+
+dev_read_sysfs(fenced_t)
+dev_read_urand(fenced_t)
+
+files_read_usr_symlinks(fenced_t)
+
+storage_raw_read_fixed_disk(fenced_t)
+storage_raw_write_fixed_disk(fenced_t)
+storage_raw_read_removable_device(fenced_t)
+
+term_getattr_pty_fs(fenced_t)
+term_use_ptmx(fenced_t)
+
+auth_use_nsswitch(fenced_t)
+
+tunable_policy(`fenced_can_network_connect',`
+ corenet_tcp_connect_all_ports(fenced_t)
+')
+
+optional_policy(`
+ ccs_read_config(fenced_t)
+ ccs_stream_connect(fenced_t)
+')
+
+optional_policy(`
+ lvm_domtrans(fenced_t)
+ lvm_read_config(fenced_t)
+')
+
+######################################
+#
+# gfs_controld local policy
+#
+
+allow gfs_controld_t self:capability { net_admin sys_resource };
+
+allow gfs_controld_t self:shm create_shm_perms;
+allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+kernel_read_system_state(gfs_controld_t)
+
+dev_rw_dlm_control(gfs_controld_t)
+dev_setattr_dlm_control(gfs_controld_t)
+dev_rw_sysfs(gfs_controld_t)
+
+storage_getattr_removable_dev(gfs_controld_t)
+
+init_rw_script_tmp_files(gfs_controld_t)
+
+optional_policy(`
+ ccs_stream_connect(gfs_controld_t)
+')
+
+optional_policy(`
+ lvm_exec(gfs_controld_t)
+ dev_rw_lvm_control(gfs_controld_t)
+')
+
+#######################################
+#
+# groupd local policy
+#
+
+allow groupd_t self:capability { sys_nice sys_resource };
+allow groupd_t self:process setsched;
+
+allow groupd_t self:shm create_shm_perms;
+
+dev_list_sysfs(groupd_t)
+
+files_read_etc_files(groupd_t)
+
+init_rw_script_tmp_files(groupd_t)
+
+######################################
+#
+# qdiskd local policy
+#
+
+allow qdiskd_t self:capability ipc_lock;
+
+allow qdiskd_t self:tcp_socket 
create_stream_socket_perms;
+allow qdiskd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
+
+kernel_read_system_state(qdiskd_t)
+kernel_read_software_raid_state(qdiskd_t)
+kernel_getattr_core_if(qdiskd_t)
+
+corecmd_getattr_bin_files(qdiskd_t)
+corecmd_exec_shell(qdiskd_t)
+
+dev_read_sysfs(qdiskd_t)
+dev_list_all_dev_nodes(qdiskd_t)
+dev_getattr_all_blk_files(qdiskd_t)
+dev_getattr_all_chr_files(qdiskd_t)
+dev_manage_generic_blk_files(qdiskd_t)
+dev_manage_generic_chr_files(qdiskd_t)
+
+domain_dontaudit_getattr_all_pipes(qdiskd_t)
+domain_dontaudit_getattr_all_sockets(qdiskd_t)
+
+files_dontaudit_getattr_all_sockets(qdiskd_t)
+files_dontaudit_getattr_all_pipes(qdiskd_t)
+files_read_etc_files(qdiskd_t)
+
+storage_raw_read_removable_device(qdiskd_t)
+storage_raw_write_removable_device(qdiskd_t)
+storage_raw_read_fixed_disk(qdiskd_t)
+storage_raw_write_fixed_disk(qdiskd_t)
+
+auth_use_nsswitch(qdiskd_t)
+
+optional_policy(`
+ ccs_stream_connect(qdiskd_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(qdiskd_t)
+')
+
+optional_policy(`
+ udev_read_db(qdiskd_t)
+')
+
+#####################################
+#
+# rhcs domains common policy
+#
+
+allow cluster_domain self:capability { sys_nice };
+allow cluster_domain self:process setsched;
+
+allow cluster_domain self:sem create_sem_perms;
+allow cluster_domain self:fifo_file rw_fifo_file_perms;
+allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
+allow cluster_domain self:unix_dgram_socket create_socket_perms;
+
+logging_send_syslog_msg(cluster_domain)
+
+miscfiles_read_localization(cluster_domain)
+
+optional_policy(`
+ corosync_stream_connect(cluster_domain)
+')
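Review bot: The qdiskd section grants `dev_manage_generic_blk_files(qdiskd_t)` and `dev_manage_generic_chr_files(qdiskd_t)`, which let the daemon create and unlink generic device nodes under /dev, while the `storage_raw_read_*`/`storage_raw_write_*` rules a few lines below already cover opening the quorum device; if the manage rules exist because qdiskd probes a device it cannot otherwise reach, that deserves a comment, and otherwise they should be dropped in favour of the list/getattr rules that precede them. Two smaller points: `groupd_t` is a `cluster_domain` via the template, so `allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:process setsched;` duplicates the common `cluster_domain` rules at the bottom of the file except for `sys_resource`; and `dev_rw_lvm_control(gfs_controld_t)` sits inside the lvm `optional_policy` block although it appears to come from the devices module and is not conditional on lvm being present.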
diff --git a/rhgb.fc b/rhgb.fc
new file mode 100644
index 0000000..9e5d31b
--- /dev/null
+++ b/rhgb.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/bin/rhgb -- gen_context(system_u:object_r:rhgb_exec_t,s0)
diff --git a/rhgb.if b/rhgb.if
new file mode 100644
index 0000000..96efae7
--- /dev/null
+++ b/rhgb.if
@@ -0,0 +1,198 @@
+## Red Hat Graphical Boot
+
+########################################
+##
+## RHGB stub interface. No access allowed.
+##
+##
+##
+## N/A
+##
+##
+#
+interface(`rhgb_stub',`
+ gen_require(`
+ type rhgb_t;
+ ')
+')
+
+########################################
+##
+## Use a rhgb file descriptor.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhgb_use_fds',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:fd use;
+')
+
+########################################
+##
+## Get the process group of rhgb.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhgb_getpgid',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:process getpgid;
+')
+
+########################################
+##
+## Send a signal to rhgb.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhgb_signal',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:process signal;
+')
+
+########################################
+##
+## Read and write to unix stream sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhgb_rw_stream_sockets',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## rhgb unix domain stream sockets.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`rhgb_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ dontaudit $1 rhgb_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## Connected to rhgb unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhgb_stream_connect',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Read and write to rhgb shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhgb_rw_shm',`
+ gen_require(`
+ type rhgb_t;
+ ')
+
+ allow $1 rhgb_t:shm rw_shm_perms;
+')
+
+########################################
+##
+## Read from and write to the rhgb devpts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhgb_use_ptys',`
+ gen_require(`
+ type rhgb_devpts_t;
+ ')
+
+ allow $1 rhgb_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+##
+## dontaudit Read from and write to the rhgb devpts.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`rhgb_dontaudit_use_ptys',`
+ gen_require(`
+ type rhgb_devpts_t;
+ ')
+
+ dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Read and write to rhgb temporary file system.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rhgb_rw_tmpfs_files',`
+ gen_require(`
+ type rhgb_tmpfs_t;
+ ')
+
+ allow $1 rhgb_tmpfs_t:file rw_file_perms;
+')
diff --git a/rhgb.te b/rhgb.te
new file mode 100644
index 0000000..0f262a7
--- /dev/null
+++ b/rhgb.te
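Review bot: Three interface summaries in this file need wording fixes: `Connected to rhgb unix stream socket.` should read `Connect to rhgb unix stream socket.`, `dontaudit Read from and write to the rhgb devpts.` should follow the form used by `rhgb_dontaudit_rw_stream_sockets` (`Do not audit attempts to read from and write to the rhgb devpts.`), and `Read and write to unix stream sockets.` on `rhgb_rw_stream_sockets` omits whose sockets (`Read and write to rhgb unix stream sockets.`). `rhgb_stream_connect` grants only `connectto` on the socket with no sock_file or pid-directory access, unlike the `stream_connect_pattern` users elsewhere in this commit; if rhgb listens on an abstract socket that is fine, but a one-line comment saying so would stop the next reader from "fixing" it.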
@@ -0,0 +1,142 @@
+policy_module(rhgb, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhgb_t;
+type rhgb_exec_t;
+init_daemon_domain(rhgb_t, rhgb_exec_t)
+
+type rhgb_tmpfs_t;
+files_tmpfs_file(rhgb_tmpfs_t)
+
+type rhgb_devpts_t;
+term_pty(rhgb_devpts_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
+dontaudit rhgb_t self:capability sys_tty_config;
+allow rhgb_t self:process { setpgid signal_perms };
+allow rhgb_t self:shm create_shm_perms;
+allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
+allow rhgb_t self:fifo_file rw_fifo_file_perms;
+allow rhgb_t self:tcp_socket create_socket_perms;
+allow rhgb_t self:udp_socket create_socket_perms;
+allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(rhgb_t, rhgb_devpts_t)
+
+manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_lnk_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_fifo_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_sock_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+fs_tmpfs_filetrans(rhgb_t, rhgb_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(rhgb_t)
+kernel_read_system_state(rhgb_t)
+
+corecmd_exec_bin(rhgb_t)
+corecmd_exec_shell(rhgb_t)
+
+corenet_all_recvfrom_unlabeled(rhgb_t)
+corenet_all_recvfrom_netlabel(rhgb_t)
+corenet_tcp_sendrecv_generic_if(rhgb_t)
+corenet_udp_sendrecv_generic_if(rhgb_t)
+corenet_tcp_sendrecv_generic_node(rhgb_t)
+corenet_udp_sendrecv_generic_node(rhgb_t)
+corenet_tcp_sendrecv_all_ports(rhgb_t)
+corenet_udp_sendrecv_all_ports(rhgb_t)
+corenet_tcp_connect_all_ports(rhgb_t)
+corenet_sendrecv_all_client_packets(rhgb_t)
+
+dev_read_sysfs(rhgb_t)
+dev_read_urand(rhgb_t)
+
+domain_use_interactive_fds(rhgb_t)
+
+files_read_etc_files(rhgb_t)
+files_read_var_files(rhgb_t)
+files_read_etc_runtime_files(rhgb_t)
+files_search_tmp(rhgb_t)
+files_read_usr_files(rhgb_t)
+files_mounton_mnt(rhgb_t)
+files_dontaudit_rw_root_dir(rhgb_t)
+files_dontaudit_read_default_files(rhgb_t)
+files_dontaudit_search_pids(rhgb_t)
+# for nscd
+files_dontaudit_search_var(rhgb_t)
+
+fs_search_auto_mountpoints(rhgb_t)
+fs_mount_ramfs(rhgb_t)
+fs_unmount_ramfs(rhgb_t)
+fs_getattr_tmpfs(rhgb_t)
+# for ramfs file systems
+fs_manage_ramfs_dirs(rhgb_t)
+fs_manage_ramfs_files(rhgb_t)
+fs_manage_ramfs_pipes(rhgb_t)
+fs_manage_ramfs_sockets(rhgb_t)
+
+selinux_dontaudit_read_fs(rhgb_t)
+
+term_use_unallocated_ttys(rhgb_t)
+term_use_ptmx(rhgb_t)
+term_getattr_pty_fs(rhgb_t)
+
+init_write_initctl(rhgb_t)
+
+# for localization
+libs_read_lib_files(rhgb_t)
+
+logging_send_syslog_msg(rhgb_t)
+
+miscfiles_read_localization(rhgb_t)
+miscfiles_read_fonts(rhgb_t)
+miscfiles_dontaudit_write_fonts(rhgb_t)
+
+seutil_search_default_contexts(rhgb_t)
+seutil_read_config(rhgb_t)
+
+sysnet_read_config(rhgb_t)
+sysnet_domtrans_ifconfig(rhgb_t)
+
+userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
+userdom_dontaudit_search_user_home_content(rhgb_t)
+
+xserver_read_tmp_files(rhgb_t)
+xserver_kill(rhgb_t)
+# for running setxkbmap
+xserver_read_xkb_libs(rhgb_t)
+xserver_domtrans(rhgb_t)
+xserver_signal(rhgb_t)
+xserver_read_xdm_tmp_files(rhgb_t)
+xserver_stream_connect(rhgb_t)
+
+optional_policy(`
+ consoletype_exec(rhgb_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(rhgb_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(rhgb_t)
+')
+
+optional_policy(`
+ udev_read_db(rhgb_t)
+')
+
+ifdef(`TODO',`
+ #this seems a bit much
+ allow domain rhgb_devpts_t:chr_file { read write };
+ allow initrc_t rhgb_gph_t:fd use;
+')
diff --git a/ricci.fc b/ricci.fc
new file mode 100644
index 0000000..5b08327
--- /dev/null
+++ b/ricci.fc
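Review bot: `sys_tty_config` is both granted in `allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };` and dontaudited on the very next line, `dontaudit rhgb_t self:capability sys_tty_config;`; an allowed permission is never audited, so the dontaudit is dead — keep the allow and delete the dontaudit if the capability is really needed, otherwise remove it from the allow set and keep the dontaudit. The trailing `ifdef(`TODO',...)` block references `rhgb_gph_t`, a type declared nowhere in this file, and its `allow domain rhgb_devpts_t:chr_file { read write };` would hand every domain the boot-splash pty; dead conditional code of this kind should not be carried into a new module. The unconditional `xserver_*` calls also make rhgb hard-depend on the xserver module while every other cross-module call in this commit is wrapped in `optional_policy`.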
@@ -0,0 +1,16 @@
+/usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
+/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
+/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
+/usr/libexec/ricci-modservice -- gen_context(system_u:object_r:ricci_modservice_exec_t,s0)
+/usr/libexec/ricci-modstorage -- gen_context(system_u:object_r:ricci_modstorage_exec_t,s0)
+
+/usr/sbin/modclusterd -- gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
+/usr/sbin/ricci -- gen_context(system_u:object_r:ricci_exec_t,s0)
+
+/var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0)
+
+/var/log/clumond\.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
+
+/var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+/var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+/var/run/ricci\.pid -- gen_context(system_u:object_r:ricci_var_run_t,s0)
diff --git a/ricci.if b/ricci.if
new file mode 100644
index 0000000..f7826f9
--- /dev/null
+++ b/ricci.if
@@ -0,0 +1,167 @@
+## Ricci cluster management agent
+
+########################################
+##
+## Execute a domain transition to run ricci.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ricci_domtrans',`
+ gen_require(`
+ type ricci_t, ricci_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_exec_t, ricci_t)
+')
+
+########################################
+##
+## Execute a domain transition to run ricci_modcluster.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ricci_domtrans_modcluster',`
+ gen_require(`
+ type ricci_modcluster_t, ricci_modcluster_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t)
+')
+
+########################################
+##
+## Do not audit attempts to use
+## ricci_modcluster file descriptors.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`ricci_dontaudit_use_modcluster_fds',`
+ gen_require(`
+ type ricci_modcluster_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to read write
+## ricci_modcluster unamed pipes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`ricci_dontaudit_rw_modcluster_pipes',`
+ gen_require(`
+ type ricci_modcluster_t;
+ ')
+
+ dontaudit $1 ricci_modcluster_t:fifo_file { read write };
+')
+
+########################################
+##
+## Connect to ricci_modclusterd over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ricci_stream_connect_modclusterd',`
+ gen_require(`
+ type ricci_modclusterd_t, ricci_modcluster_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ricci_modcluster_var_run_t:sock_file write;
+ allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Execute a domain transition to run ricci_modlog.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ricci_domtrans_modlog',`
+ gen_require(`
+ type ricci_modlog_t, ricci_modlog_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t)
+')
+
+########################################
+##
+## Execute a domain transition to run ricci_modrpm.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ricci_domtrans_modrpm',`
+ gen_require(`
+ type ricci_modrpm_t, ricci_modrpm_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t)
+')
+
+########################################
+##
+## Execute a domain transition to run ricci_modservice.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ricci_domtrans_modservice',`
+ gen_require(`
+ type ricci_modservice_t, ricci_modservice_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t)
+')
+
+########################################
+##
+## Execute a domain transition to run ricci_modstorage.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ricci_domtrans_modstorage',`
+ gen_require(`
+ type ricci_modstorage_t, ricci_modstorage_exec_t;
+ ')
+
+ domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
+')
diff --git a/ricci.te b/ricci.te
new file mode 100644
index 0000000..33e72e8
--- /dev/null
+++ b/ricci.te
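Review bot: `ricci_stream_connect_modclusterd` hand-writes the two socket rules (`allow $1 ricci_modcluster_var_run_t:sock_file write;` and `allow $1 ricci_modclusterd_t:unix_stream_socket connectto;`) where the reference policy provides a support macro for exactly this; `stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)` expresses the same grant on one line and, as far as I recall the macro, also adds the directory search on the pid type that the hand-written form omits. The summary of `ricci_dontaudit_rw_modcluster_pipes` has a typo, `unamed pipes` should read `unnamed pipes`, and `read write` reads better as `read or write`. None of the five domtrans interfaces in this file call `corecmd_search_bin($1)` before `domtrans_pattern`, unlike the other domtrans interfaces in this commit; the executables live under `/usr/libexec` and `/usr/sbin`, so callers that lack bin search on their own will fail to reach them, which is worth confirming.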
@@ -0,0 +1,488 @@ +policy_module(ricci, 1.7.0) + +######################################## +# +# Declarations +# + +type ricci_t; +type ricci_exec_t; +domain_type(ricci_t) +init_daemon_domain(ricci_t, ricci_exec_t) + +type ricci_tmp_t; +files_tmp_file(ricci_tmp_t) + +type ricci_var_lib_t; +files_type(ricci_var_lib_t) + +type ricci_var_log_t; +logging_log_file(ricci_var_log_t) + +type ricci_var_run_t; +files_pid_file(ricci_var_run_t) + +type ricci_modcluster_t; +type ricci_modcluster_exec_t; +domain_type(ricci_modcluster_t) +domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t) +role system_r types ricci_modcluster_t; + +type ricci_modcluster_var_lib_t; +files_type(ricci_modcluster_var_lib_t) + +type ricci_modcluster_var_log_t; +logging_log_file(ricci_modcluster_var_log_t) + +type ricci_modcluster_var_run_t; +files_pid_file(ricci_modcluster_var_run_t) + +type ricci_modclusterd_t; +type ricci_modclusterd_exec_t; +domain_type(ricci_modclusterd_t) +init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t) + +type ricci_modlog_t; +type ricci_modlog_exec_t; +domain_type(ricci_modlog_t) +domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t) +role system_r types ricci_modlog_t; + +type ricci_modrpm_t; +type ricci_modrpm_exec_t; +domain_type(ricci_modrpm_t) +domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t) +role system_r types ricci_modrpm_t; + +type ricci_modservice_t; +type ricci_modservice_exec_t; +domain_type(ricci_modservice_t) +domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t) +role system_r types ricci_modservice_t; + +type ricci_modstorage_t; +type ricci_modstorage_exec_t; +domain_type(ricci_modstorage_t) +domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t) +role system_r types ricci_modstorage_t; + +type ricci_modstorage_lock_t; +files_lock_file(ricci_modstorage_lock_t) + +######################################## +# +# ricci local policy +# + +allow ricci_t self:capability { setuid sys_nice sys_boot }; +allow ricci_t 
self:process setsched; +allow ricci_t self:fifo_file rw_fifo_file_perms; +allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow ricci_t self:tcp_socket create_stream_socket_perms; + +domain_auto_trans(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t) +domain_auto_trans(ricci_t, ricci_modlog_exec_t, ricci_modlog_t) +domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t) +domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t) +domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t) + +manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t) +manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t) +files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir }) + +manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) +manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) +manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) +files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file }) + +allow ricci_t ricci_var_log_t:dir setattr; +manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) +manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) +logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir }) + +manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) +manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) +files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctls(ricci_t) + +corecmd_exec_bin(ricci_t) + +corenet_all_recvfrom_unlabeled(ricci_t) +corenet_all_recvfrom_netlabel(ricci_t) +corenet_tcp_sendrecv_generic_if(ricci_t) +corenet_tcp_sendrecv_generic_node(ricci_t) +corenet_tcp_sendrecv_all_ports(ricci_t) +corenet_tcp_bind_generic_node(ricci_t) +corenet_udp_bind_generic_node(ricci_t) +corenet_tcp_bind_ricci_port(ricci_t) +corenet_udp_bind_ricci_port(ricci_t) +corenet_tcp_connect_http_port(ricci_t) + +dev_read_urand(ricci_t) + 
+domain_read_all_domains_state(ricci_t) + +files_read_etc_files(ricci_t) +files_read_etc_runtime_files(ricci_t) +files_create_boot_flag(ricci_t) + +auth_domtrans_chk_passwd(ricci_t) +auth_append_login_records(ricci_t) + +init_stream_connect_script(ricci_t) + +locallogin_dontaudit_use_fds(ricci_t) + +logging_send_syslog_msg(ricci_t) + +miscfiles_read_localization(ricci_t) + +sysnet_dns_name_resolve(ricci_t) + +optional_policy(` + ccs_read_config(ricci_t) +') + +optional_policy(` + dbus_system_bus_client(ricci_t) + + oddjob_dbus_chat(ricci_t) +') + +optional_policy(` + # Needed so oddjob can run halt/reboot on behalf of ricci + corecmd_bin_entry_type(ricci_t) + term_dontaudit_search_ptys(ricci_t) + init_exec(ricci_t) + init_telinit(ricci_t) + init_rw_utmp(ricci_t) + + oddjob_system_entry(ricci_t, ricci_exec_t) +') + +optional_policy(` + rpm_use_script_fds(ricci_t) +') + +optional_policy(` + sasl_connect(ricci_t) +') + +optional_policy(` + unconfined_use_fds(ricci_t) +') + +optional_policy(` + xen_domtrans_xm(ricci_t) +') + +######################################## +# +# ricci_modcluster local policy +# + +allow ricci_modcluster_t self:capability { net_bind_service sys_nice }; +allow ricci_modcluster_t self:process setsched; +allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms; + +kernel_read_kernel_sysctls(ricci_modcluster_t) +kernel_read_system_state(ricci_modcluster_t) + +corecmd_exec_shell(ricci_modcluster_t) +corecmd_exec_bin(ricci_modcluster_t) + +corenet_tcp_bind_cluster_port(ricci_modclusterd_t) +corenet_tcp_bind_reserved_port(ricci_modclusterd_t) + +domain_read_all_domains_state(ricci_modcluster_t) + +files_search_locks(ricci_modcluster_t) +files_read_etc_runtime_files(ricci_modcluster_t) +files_read_etc_files(ricci_modcluster_t) +files_search_usr(ricci_modcluster_t) + +init_exec(ricci_modcluster_t) +init_domtrans_script(ricci_modcluster_t) + +logging_send_syslog_msg(ricci_modcluster_t) + +miscfiles_read_localization(ricci_modcluster_t) + 
+modutils_domtrans_insmod(ricci_modcluster_t) + +mount_domtrans(ricci_modcluster_t) + +consoletype_exec(ricci_modcluster_t) + +ricci_stream_connect_modclusterd(ricci_modcluster_t) + +optional_policy(` + aisexec_stream_connect(ricci_modcluster_t) + corosync_stream_connect(ricci_modcluster_t) +') + +optional_policy(` + ccs_stream_connect(ricci_modcluster_t) + ccs_domtrans(ricci_modcluster_t) + ccs_manage_config(ricci_modcluster_t) +') + +optional_policy(` + lvm_domtrans(ricci_modcluster_t) +') + +optional_policy(` + nscd_socket_use(ricci_modcluster_t) +') + +optional_policy(` + oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t) +') + +optional_policy(` + # XXX This has got to go. + unconfined_domain(ricci_modcluster_t) +') + +######################################## +# +# ricci_modclusterd local policy +# + +allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config }; +allow ricci_modclusterd_t self:process { signal sigkill setsched }; +allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms; +allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms; +allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms; +# cjp: this needs to be fixed for a specific socket type: +allow ricci_modclusterd_t self:socket create_socket_perms; + +allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; +allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; + +allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; +manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) +manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) +logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir }) + +manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t) +manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, 
ricci_modcluster_var_run_t) +files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctls(ricci_modclusterd_t) +kernel_read_system_state(ricci_modclusterd_t) + +corecmd_exec_bin(ricci_modclusterd_t) + +corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t) +corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t) +corenet_tcp_bind_generic_node(ricci_modclusterd_t) +corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t) +corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) + +domain_read_all_domains_state(ricci_modclusterd_t) + +files_read_etc_files(ricci_modclusterd_t) +files_read_etc_runtime_files(ricci_modclusterd_t) + +fs_getattr_xattr_fs(ricci_modclusterd_t) + +auth_use_nsswitch(ricci_modclusterd_t) + +init_stream_connect_script(ricci_modclusterd_t) + +locallogin_dontaudit_use_fds(ricci_modclusterd_t) + +logging_send_syslog_msg(ricci_modclusterd_t) + +miscfiles_read_localization(ricci_modclusterd_t) + +sysnet_domtrans_ifconfig(ricci_modclusterd_t) + +optional_policy(` + aisexec_stream_connect(ricci_modclusterd_t) + corosync_stream_connect(ricci_modclusterd_t) +') + +optional_policy(` + ccs_domtrans(ricci_modclusterd_t) + ccs_stream_connect(ricci_modclusterd_t) + ccs_read_config(ricci_modclusterd_t) +') + +optional_policy(` + rgmanager_stream_connect(ricci_modclusterd_t) +') + +optional_policy(` + unconfined_use_fds(ricci_modclusterd_t) +') + +######################################## +# +# ricci_modlog local policy +# + +allow ricci_modlog_t self:capability sys_nice; +allow ricci_modlog_t self:process setsched; + +kernel_read_kernel_sysctls(ricci_modlog_t) +kernel_read_system_state(ricci_modlog_t) + +corecmd_exec_bin(ricci_modlog_t) + +domain_read_all_domains_state(ricci_modlog_t) + +files_read_etc_files(ricci_modlog_t) +files_search_usr(ricci_modlog_t) + +logging_read_generic_logs(ricci_modlog_t) + +miscfiles_read_localization(ricci_modlog_t) + +optional_policy(` + 
nscd_dontaudit_search_pid(ricci_modlog_t) +') + +optional_policy(` + oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t) +') + +######################################## +# +# ricci_modrpm local policy +# + +allow ricci_modrpm_t self:fifo_file read_fifo_file_perms; + +kernel_read_kernel_sysctls(ricci_modrpm_t) + +corecmd_exec_bin(ricci_modrpm_t) + +files_search_usr(ricci_modrpm_t) +files_read_etc_files(ricci_modrpm_t) + +miscfiles_read_localization(ricci_modrpm_t) + +optional_policy(` + oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t) +') + +optional_policy(` + rpm_domtrans(ricci_modrpm_t) +') + +######################################## +# +# ricci_modservice local policy +# + +allow ricci_modservice_t self:capability { dac_override sys_nice }; +allow ricci_modservice_t self:fifo_file rw_fifo_file_perms; +allow ricci_modservice_t self:process setsched; + +kernel_read_kernel_sysctls(ricci_modservice_t) +kernel_read_system_state(ricci_modservice_t) + +corecmd_exec_bin(ricci_modservice_t) +corecmd_exec_shell(ricci_modservice_t) + +files_read_etc_files(ricci_modservice_t) +files_read_etc_runtime_files(ricci_modservice_t) +files_search_usr(ricci_modservice_t) +# Needed for running chkconfig +files_manage_etc_symlinks(ricci_modservice_t) + +consoletype_exec(ricci_modservice_t) + +init_domtrans_script(ricci_modservice_t) + +miscfiles_read_localization(ricci_modservice_t) + +optional_policy(` + ccs_read_config(ricci_modservice_t) +') + +optional_policy(` + nscd_dontaudit_search_pid(ricci_modservice_t) +') + +optional_policy(` + oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t) +') + +######################################## +# +# ricci_modstorage local policy +# + +allow ricci_modstorage_t self:process { setsched signal }; +dontaudit ricci_modstorage_t self:process ptrace; +allow ricci_modstorage_t self:capability { mknod sys_nice }; +allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; +allow ricci_modstorage_t self:unix_dgram_socket 
create_socket_perms; + +kernel_read_kernel_sysctls(ricci_modstorage_t) +kernel_read_system_state(ricci_modstorage_t) + +create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t) +files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file) + +corecmd_exec_shell(ricci_modstorage_t) +corecmd_exec_bin(ricci_modstorage_t) + +dev_read_sysfs(ricci_modstorage_t) +dev_read_urand(ricci_modstorage_t) +dev_manage_generic_blk_files(ricci_modstorage_t) + +domain_read_all_domains_state(ricci_modstorage_t) + +#Needed for editing /etc/fstab +files_manage_etc_files(ricci_modstorage_t) +files_read_etc_runtime_files(ricci_modstorage_t) +files_read_usr_files(ricci_modstorage_t) +files_read_kernel_modules(ricci_modstorage_t) + +storage_raw_read_fixed_disk(ricci_modstorage_t) + +term_dontaudit_use_console(ricci_modstorage_t) + +fstools_domtrans(ricci_modstorage_t) + +logging_send_syslog_msg(ricci_modstorage_t) + +miscfiles_read_localization(ricci_modstorage_t) + +modutils_read_module_deps(ricci_modstorage_t) + +consoletype_exec(ricci_modstorage_t) + +mount_domtrans(ricci_modstorage_t) + +optional_policy(` + aisexec_stream_connect(ricci_modstorage_t) + corosync_stream_connect(ricci_modstorage_t) +') + +optional_policy(` + ccs_stream_connect(ricci_modstorage_t) + ccs_read_config(ricci_modstorage_t) +') + +optional_policy(` + lvm_domtrans(ricci_modstorage_t) + lvm_manage_config(ricci_modstorage_t) +') + +optional_policy(` + nscd_socket_use(ricci_modstorage_t) +') + +optional_policy(` + oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t) +') + +optional_policy(` + raid_domtrans_mdadm(ricci_modstorage_t) +') diff --git a/rlogin.fc b/rlogin.fc new file mode 100644 index 0000000..2785337 --- /dev/null +++ b/rlogin.fc 
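Review bot: `unconfined_domain(ricci_modcluster_t)` in the optional_policy block of the ricci_modcluster section removes the confinement of that domain, and since `ricci_t` is given `domain_auto_trans(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t)`, the network-facing ricci daemon reaches an unconfined domain through a single exec; the existing `# XXX This has got to go.` marks it but nothing gates it. Until the needed rules are enumerated, consider gating the grant behind a tunable, or at least expanding the comment to say which operations fail without it, so the exception stays visible in audit review. Separately, `corenet_tcp_bind_cluster_port(ricci_modclusterd_t)` and `corenet_tcp_bind_reserved_port(ricci_modclusterd_t)` sit in the `ricci_modcluster local policy` section although they apply to `ricci_modclusterd_t`; moving them to the modclusterd section keeps each domain's grants reviewable in one place. `consoletype_exec`, `mount_domtrans`, `modutils_domtrans_insmod` and `fstools_domtrans` are called outside `optional_policy` blocks while comparable cross-module calls in the same file are wrapped; confirm those modules are always present in the target build, or wrap them too.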
@@ -0,0 +1,7 @@
+HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+
+/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+/usr/lib(64)?/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
+/usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/rlogin.if b/rlogin.if
new file mode 100644
index 0000000..63e78c6
--- /dev/null
+++ b/rlogin.if
@@ -0,0 +1,47 @@
+## Remote login daemon
+
+########################################
+##
+## Execute rlogind in the rlogin domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rlogin_domtrans',`
+ gen_require(`
+ type rlogind_t, rlogind_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rlogind_exec_t, rlogind_t)
+')
+
+########################################
+##
+## read rlogin homedir content (.config)
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`rlogin_read_home_content',`
+ gen_require(`
+ type rlogind_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ list_dirs_pattern($1, rlogind_home_t, rlogind_home_t)
+ read_files_pattern($1, rlogind_home_t, rlogind_home_t)
+ read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t)
+')
diff --git a/rlogin.te b/rlogin.te
new file mode 100644
index 0000000..779fa44
--- /dev/null
+++ b/rlogin.te
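Review bot: The documentation of `rlogin_read_home_content` does not match its body: the header describes two parameters (a user-domain prefix and a domain type) but the template uses only `$1`, as the domain granted access, and the summary says `(.config)` while the only path this commit labels `rlogind_home_t` is `HOME_DIR/\.rlogin` in rlogin.fc. A single parameter description, `Domain allowed access.`, and a summary such as `Read rlogin home directory content (.rlogin).` would describe what the rules grant. Since no prefix is substituted anywhere in the body, this could be declared as an `interface` rather than a `template`.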
@@ -0,0 +1,116 @@
+policy_module(rlogin, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type rlogind_t;
+type rlogind_exec_t;
+inetd_service_domain(rlogind_t, rlogind_exec_t)
+role system_r types rlogind_t;
+
+type rlogind_devpts_t; #, userpty_type;
+term_login_pty(rlogind_devpts_t)
+
+type rlogind_home_t;
+userdom_user_home_content(rlogind_home_t)
+
+type rlogind_tmp_t;
+files_tmp_file(rlogind_tmp_t)
+
+type rlogind_var_run_t;
+files_pid_file(rlogind_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow rlogind_t self:process signal_perms;
+allow rlogind_t self:fifo_file rw_fifo_file_perms;
+allow rlogind_t self:tcp_socket connected_stream_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow rlogind_t self:capability { setuid setgid };
+
+allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(rlogind_t, rlogind_devpts_t)
+
+# for /usr/lib/telnetlogin
+can_exec(rlogind_t, rlogind_exec_t)
+
+manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
+
+manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
+files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
+
+kernel_read_kernel_sysctls(rlogind_t)
+kernel_read_system_state(rlogind_t)
+kernel_read_network_state(rlogind_t)
+
+corenet_all_recvfrom_unlabeled(rlogind_t)
+corenet_all_recvfrom_netlabel(rlogind_t)
+corenet_tcp_sendrecv_generic_if(rlogind_t)
+corenet_udp_sendrecv_generic_if(rlogind_t)
+corenet_tcp_sendrecv_generic_node(rlogind_t)
+corenet_udp_sendrecv_generic_node(rlogind_t)
+corenet_tcp_sendrecv_all_ports(rlogind_t)
+corenet_udp_sendrecv_all_ports(rlogind_t)
+
+dev_read_urand(rlogind_t)
+
+domain_interactive_fd(rlogind_t)
+
+fs_getattr_xattr_fs(rlogind_t)
+fs_search_auto_mountpoints(rlogind_t)
+
+auth_domtrans_chk_passwd(rlogind_t)
+auth_rw_login_records(rlogind_t)
+auth_use_nsswitch(rlogind_t)
+
+files_read_etc_files(rlogind_t)
+files_read_etc_runtime_files(rlogind_t)
+files_search_home(rlogind_t)
+files_search_default(rlogind_t)
+
+init_rw_utmp(rlogind_t)
+
+logging_send_syslog_msg(rlogind_t)
+
+miscfiles_read_localization(rlogind_t)
+
+seutil_read_config(rlogind_t)
+
+userdom_setattr_user_ptys(rlogind_t)
+# cjp: this is egregious
+userdom_read_user_home_content_files(rlogind_t)
+
+remotelogin_domtrans(rlogind_t)
+remotelogin_signal(rlogind_t)
+
+rlogin_read_home_content(rlogind_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(rlogind_t)
+ fs_read_nfs_files(rlogind_t)
+ fs_read_nfs_symlinks(rlogind_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(rlogind_t)
+ fs_read_cifs_files(rlogind_t)
+ fs_read_cifs_symlinks(rlogind_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(rlogind, rlogind_t)
+ kerberos_manage_host_rcache(rlogind_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
+')
diff --git a/roundup.fc b/roundup.fc
new file mode 100644
index 0000000..e4110e6
--- /dev/null
+++ b/roundup.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/roundup-server -- gen_context(system_u:object_r:roundup_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0)
diff --git a/roundup.if b/roundup.if
new file mode 100644
index 0000000..30c4b75
--- /dev/null
+++ b/roundup.if
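Review bot: `rlogind_t` receives `self:capability` in two separate rules, `{ fsetid chown fowner sys_tty_config dac_override }` at the top of the local policy and `{ setuid setgid }` after the netlink rule; merging them into one line, `allow rlogind_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };`, makes the full capability set of this network-facing daemon readable at a glance. The declaration `type rlogind_devpts_t; #, userpty_type;` carries a leftover attribute fragment in a comment that corresponds to nothing else in the file and should be dropped. The `# cjp: this is egregious` note above `userdom_read_user_home_content_files(rlogind_t)` is the right flag: `rlogin_read_home_content(rlogind_t)` already grants the `.rlogin` file, so the blanket read of all user home content is the grant to revisit first.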
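Review bot: The entry `/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0)` combines a recursive regex with the `--` regular-file qualifier, so only regular files under `/var/lib/roundup` receive `roundup_var_lib_t` while the directory itself and any subdirectories keep the default `/var/lib` label. If the whole tree is meant to be labeled, drop the qualifier: `/var/lib/roundup(/.*)? gen_context(system_u:object_r:roundup_var_lib_t,s0)`. roundup.te only grants `manage_files_pattern` on `roundup_var_lib_t`, which is consistent with a files-only intent, but anything roundup-server creates inside a subdirectory would then be denied; confirm which behaviour is intended and make the .fc and .te agree.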
@@ -0,0 +1,39 @@
+## Roundup Issue Tracking System policy
+
+########################################
+##
+## All of the rules required to administrate
+## an roundup environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the roundup domain.
+##
+##
+##
+#
+interface(`roundup_admin',`
+ gen_require(`
+ type roundup_t, roundup_var_lib_t, roundup_var_run_t;
+ type roundup_initrc_exec_t;
+ ')
+
+ allow $1 roundup_t:process { ptrace signal_perms };
+ ps_process_pattern($1, roundup_t)
+
+ init_labeled_script_domtrans($1, roundup_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 roundup_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, roundup_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, roundup_var_run_t)
+')
diff --git a/roundup.te b/roundup.te
new file mode 100644
index 0000000..57f839f
--- /dev/null
+++ b/roundup.te
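Review bot: The summary of `roundup_admin` reads `All of the rules required to administrate an roundup environment`; `All of the rules required to administer a roundup environment` is the grammatical form, and the second parameter description would be clearer as `Role allowed access.` since `$2` is used in `role_transition` and `allow $2 system_r;`. The body follows the usual admin shape (ptrace and signal on the domain, init-script domtrans, role transition, `admin_pattern` on the lib and pid types), so no functional change is needed; note that `ptrace` on `roundup_t` is a strong grant and is the part an auditor will ask about, so a one-line comment on why the admin role needs it would help.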
@@ -0,0 +1,96 @@
+policy_module(roundup, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type roundup_t;
+type roundup_exec_t;
+init_daemon_domain(roundup_t, roundup_exec_t)
+
+type roundup_initrc_exec_t;
+init_script_file(roundup_initrc_exec_t)
+
+type roundup_var_run_t;
+files_pid_file(roundup_var_run_t)
+
+type roundup_var_lib_t;
+files_type(roundup_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow roundup_t self:capability { setgid setuid };
+dontaudit roundup_t self:capability sys_tty_config;
+allow roundup_t self:process signal_perms;
+allow roundup_t self:unix_stream_socket create_stream_socket_perms;
+allow roundup_t self:tcp_socket create_stream_socket_perms;
+allow roundup_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(roundup_t, roundup_var_lib_t, roundup_var_lib_t)
+files_var_lib_filetrans(roundup_t, roundup_var_lib_t, file)
+
+manage_files_pattern(roundup_t, roundup_var_run_t, roundup_var_run_t)
+files_pid_filetrans(roundup_t, roundup_var_run_t, file)
+
+kernel_read_kernel_sysctls(roundup_t)
+kernel_list_proc(roundup_t)
+kernel_read_proc_symlinks(roundup_t)
+
+dev_read_sysfs(roundup_t)
+
+# execute python
+corecmd_exec_bin(roundup_t)
+
+corenet_all_recvfrom_unlabeled(roundup_t)
+corenet_all_recvfrom_netlabel(roundup_t)
+corenet_tcp_sendrecv_generic_if(roundup_t)
+corenet_udp_sendrecv_generic_if(roundup_t)
+corenet_raw_sendrecv_generic_if(roundup_t)
+corenet_tcp_sendrecv_generic_node(roundup_t)
+corenet_udp_sendrecv_generic_node(roundup_t)
+corenet_raw_sendrecv_generic_node(roundup_t)
+corenet_tcp_sendrecv_all_ports(roundup_t)
+corenet_udp_sendrecv_all_ports(roundup_t)
+corenet_tcp_bind_generic_node(roundup_t)
+corenet_tcp_bind_http_cache_port(roundup_t)
+corenet_tcp_connect_smtp_port(roundup_t)
+corenet_sendrecv_http_cache_server_packets(roundup_t)
+corenet_sendrecv_smtp_client_packets(roundup_t)
+
+# /usr/share/mysql/charsets/Index.xml
+dev_read_urand(roundup_t)
+
+domain_use_interactive_fds(roundup_t)
+
+# /usr/share/mysql/charsets/Index.xml
+files_read_usr_files(roundup_t)
+files_read_etc_files(roundup_t)
+
+fs_getattr_all_fs(roundup_t)
+fs_search_auto_mountpoints(roundup_t)
+
+logging_send_syslog_msg(roundup_t)
+
+miscfiles_read_localization(roundup_t)
+
+sysnet_read_config(roundup_t)
+
+userdom_dontaudit_use_unpriv_user_fds(roundup_t)
+userdom_dontaudit_search_user_home_dirs(roundup_t)
+
+optional_policy(`
+ mysql_stream_connect(roundup_t)
+ mysql_search_db(roundup_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(roundup_t)
+')
+
+optional_policy(`
+ udev_read_db(roundup_t)
+')
diff --git a/rpc.fc b/rpc.fc
new file mode 100644
index 0000000..5c70c0c
--- /dev/null
+++ b/rpc.fc
@@ -0,0 +1,31 @@
+#
+# /etc
+#
+/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
+#
+# /sbin
+#
+/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
+
+/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
diff --git a/rpc.if b/rpc.if
new file mode 100644
index 0000000..dddabcf
--- /dev/null
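Review bot: The comment `# /usr/share/mysql/charsets/Index.xml` appears twice, once above `dev_read_urand(roundup_t)` at the end of the network block and once above `files_read_usr_files(roundup_t)`; only the second matches the rule beneath it, so the first should be replaced by a comment that explains the urandom read (or removed). `fs_getattr_all_fs(roundup_t)` and the raw-socket grants `corenet_raw_sendrecv_generic_if` / `corenet_raw_sendrecv_generic_node` are broader than a Python issue tracker that serves HTTP and sends mail over SMTP obviously needs; a one-line comment per grant naming the operation that required it would let a later reviewer tighten them with confidence.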
+++ b/rpc.if @@ -0,0 +1,435 @@ +## Remote Procedure Call Daemon for managment of network based process communication + +######################################## +## +## RPC stub interface. No access allowed. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_stub',` + gen_require(` + type exports_t; + ') +') + +####################################### +## +## The template to define a rpc domain. +## +## +##

+## This template creates a domain to be used for +## a new rpc daemon. +##

+##
+## +## +## The type of daemon to be used. +## +## +# +template(`rpc_domain_template', ` + ######################################## + # + # Declarations + # + + type $1_t; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) + domain_use_interactive_fds($1_t) + + #################################### + # + # Local Policy + # + + dontaudit $1_t self:capability { net_admin sys_tty_config }; + allow $1_t self:capability net_bind_service; + allow $1_t self:process signal_perms; + allow $1_t self:unix_dgram_socket create_socket_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + + manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) + manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) + + kernel_list_proc($1_t) + kernel_read_proc_symlinks($1_t) + kernel_read_kernel_sysctls($1_t) + # bind to arbitary unused ports + kernel_rw_rpc_sysctls($1_t) + + dev_read_sysfs($1_t) + dev_read_urand($1_t) + dev_read_rand($1_t) + + corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) + corenet_tcp_sendrecv_generic_if($1_t) + corenet_udp_sendrecv_generic_if($1_t) + corenet_tcp_sendrecv_generic_node($1_t) + corenet_udp_sendrecv_generic_node($1_t) + corenet_tcp_sendrecv_all_ports($1_t) + corenet_udp_sendrecv_all_ports($1_t) + corenet_tcp_bind_generic_node($1_t) + corenet_udp_bind_generic_node($1_t) + corenet_tcp_bind_reserved_port($1_t) + corenet_tcp_connect_all_ports($1_t) + corenet_sendrecv_portmap_client_packets($1_t) + # do not log when it tries to bind to a port belonging to another domain + corenet_dontaudit_tcp_bind_all_ports($1_t) + corenet_dontaudit_udp_bind_all_ports($1_t) + # bind to arbitary unused ports + corenet_tcp_bind_generic_port($1_t) + corenet_udp_bind_generic_port($1_t) + corenet_tcp_bind_all_rpc_ports($1_t) + corenet_udp_bind_all_rpc_ports($1_t) + corenet_sendrecv_generic_server_packets($1_t) + + 
fs_rw_rpc_named_pipes($1_t) + fs_search_auto_mountpoints($1_t) + + files_read_etc_files($1_t) + files_read_etc_runtime_files($1_t) + files_search_var($1_t) + files_search_var_lib($1_t) + files_list_home($1_t) + + auth_use_nsswitch($1_t) + + logging_send_syslog_msg($1_t) + + miscfiles_read_localization($1_t) + + userdom_dontaudit_use_unpriv_user_fds($1_t) + + optional_policy(` + rpcbind_stream_connect($1_t) + ') + + optional_policy(` + seutil_sigchld_newrole($1_t) + ') + + optional_policy(` + udev_read_db($1_t) + ') +') + +######################################## +## +## Send UDP network traffic to rpc and recieve UDP traffic from rpc. (Deprecated) +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_udp_send',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## +## Do not audit attempts to get the attributes +## of the NFS export file. +## +## +## +## Domain to not audit. +## +## +# +interface(`rpc_dontaudit_getattr_exports',` + gen_require(` + type exports_t; + ') + + dontaudit $1 exports_t:file getattr; +') + +######################################## +## +## Allow read access to exports. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_read_exports',` + gen_require(` + type exports_t; + ') + + allow $1 exports_t:file read_file_perms; +') + +######################################## +## +## Allow write access to exports. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_write_exports',` + gen_require(` + type exports_t; + ') + + allow $1 exports_t:file write; +') + +######################################## +## +## Execute domain in nfsd domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`rpc_domtrans_nfsd',` + gen_require(` + type nfsd_t, nfsd_exec_t; + ') + + domtrans_pattern($1, nfsd_exec_t, nfsd_t) +') + +####################################### +## +## Execute domain in nfsd domain. +## +## +## +## Domain allowed to transition. 
+## +## +# +interface(`rpc_initrc_domtrans_nfsd',` + gen_require(` + type nfsd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, nfsd_initrc_exec_t) +') + +######################################## +## +## Execute domain in rpcd domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`rpc_domtrans_rpcd',` + gen_require(` + type rpcd_t, rpcd_exec_t; + ') + + domtrans_pattern($1, rpcd_exec_t, rpcd_t) + allow rpcd_t $1:process signal; +') + +####################################### +## +## Execute domain in rpcd domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`rpc_initrc_domtrans_rpcd',` + gen_require(` + type rpcd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, rpcd_initrc_exec_t) +') + +######################################## +## +## Read NFS exported content. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`rpc_read_nfs_content',` + gen_require(` + type nfsd_ro_t, nfsd_rw_t; + ') + + allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; + allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; + allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read }; +') + +######################################## +## +## Allow domain to create read and write NFS directories. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`rpc_manage_nfs_rw_content',` + gen_require(` + type nfsd_rw_t; + ') + + manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t) + manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t) + manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t) +') + +######################################## +## +## Allow domain to create read and write NFS directories. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`rpc_manage_nfs_ro_content',` + gen_require(` + type nfsd_ro_t; + ') + + manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t) + manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t) + manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t) +') + +######################################## +## +## Allow domain to read and write to an NFS TCP socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_tcp_rw_nfs_sockets',` + gen_require(` + type nfsd_t; + ') + + allow $1 nfsd_t:tcp_socket rw_socket_perms; +') + +######################################## +## +## Allow domain to read and write to an NFS UDP socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_udp_rw_nfs_sockets',` + gen_require(` + type nfsd_t; + ') + + allow $1 nfsd_t:udp_socket rw_socket_perms; +') + +######################################## +## +## Send UDP traffic to NFSd. (Deprecated) +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_udp_send_nfs',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## +## Search NFS state data in /var/lib/nfs. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_search_nfs_state_data',` + gen_require(` + type var_lib_nfs_t; + ') + + files_search_var_lib($1) + allow $1 var_lib_nfs_t:dir search; +') + +######################################## +## +## Read NFS state data in /var/lib/nfs. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_read_nfs_state_data',` + gen_require(` + type var_lib_nfs_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) +') + +######################################## +## +## Manage NFS state data in /var/lib/nfs. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_manage_nfs_state_data',` + gen_require(` + type var_lib_nfs_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) +') 
diff --git a/rpc.te b/rpc.te new file mode 100644 index 0000000..62fca97 --- /dev/null +++ b/rpc.te @@ -0,0 +1,237 @@ +policy_module(rpc, 1.13.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow gssd to read temp directory. For access to kerberos tgt. +##

+##
+gen_tunable(allow_gssd_read_tmp, true) + +## +##

+## Allow nfs servers to modify public files +## used for public file transfer services. Files/Directories must be +## labeled public_content_rw_t. +##

+##
+gen_tunable(allow_nfsd_anon_write, false) + +type exports_t; +files_config_file(exports_t) + +rpc_domain_template(gssd) + +type gssd_tmp_t; +files_tmp_file(gssd_tmp_t) + +type rpcd_var_run_t; +files_pid_file(rpcd_var_run_t) + +# rpcd_t is the domain of rpc daemons. +# rpc_exec_t is the type of rpc daemon programs. +rpc_domain_template(rpcd) + +type rpcd_initrc_exec_t; +init_script_file(rpcd_initrc_exec_t) + +rpc_domain_template(nfsd) + +type nfsd_initrc_exec_t; +init_script_file(nfsd_initrc_exec_t) + +type nfsd_rw_t; +files_type(nfsd_rw_t) + +type nfsd_ro_t; +files_type(nfsd_ro_t) + +type var_lib_nfs_t; +files_mountpoint(var_lib_nfs_t) + +######################################## +# +# RPC local policy +# + +allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid }; +allow rpcd_t self:process { getcap setcap }; +allow rpcd_t self:fifo_file rw_fifo_file_perms; + +allow rpcd_t rpcd_var_run_t:dir setattr; +manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) +files_pid_filetrans(rpcd_t, rpcd_var_run_t, file) + +# rpc.statd executes sm-notify +can_exec(rpcd_t, rpcd_exec_t) + +kernel_read_system_state(rpcd_t) +kernel_read_network_state(rpcd_t) +# for rpc.rquotad +kernel_read_sysctl(rpcd_t) +kernel_rw_fs_sysctls(rpcd_t) +kernel_dontaudit_getattr_core_if(rpcd_t) +kernel_signal(rpcd_t) + +corecmd_exec_bin(rpcd_t) + +files_manage_mounttab(rpcd_t) +files_getattr_all_dirs(rpcd_t) + +fs_list_rpc(rpcd_t) +fs_read_rpc_files(rpcd_t) +fs_read_rpc_symlinks(rpcd_t) +fs_rw_rpc_sockets(rpcd_t) +fs_get_all_fs_quotas(rpcd_t) +fs_getattr_all_fs(rpcd_t) + +storage_getattr_fixed_disk_dev(rpcd_t) + +selinux_dontaudit_read_fs(rpcd_t) + +miscfiles_read_generic_certs(rpcd_t) + +seutil_dontaudit_search_config(rpcd_t) + +optional_policy(` + automount_signal(rpcd_t) + automount_dontaudit_write_pipes(rpcd_t) +') + +optional_policy(` + nis_read_ypserv_config(rpcd_t) +') + +######################################## +# +# NFSD local policy +# + +allow nfsd_t self:capability { 
dac_override dac_read_search sys_admin sys_resource }; + +allow nfsd_t exports_t:file read_file_perms; +allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; + +# for /proc/fs/nfs/exports - should we have a new type? +kernel_read_system_state(nfsd_t) +kernel_read_network_state(nfsd_t) +kernel_dontaudit_getattr_core_if(nfsd_t) + +corenet_tcp_bind_all_rpc_ports(nfsd_t) +corenet_udp_bind_all_rpc_ports(nfsd_t) + +dev_dontaudit_getattr_all_blk_files(nfsd_t) +dev_dontaudit_getattr_all_chr_files(nfsd_t) +dev_rw_lvm_control(nfsd_t) + +# does not really need this, but it is easier to just allow it +files_search_pids(nfsd_t) +# for exportfs and rpc.mountd +files_getattr_tmp_dirs(nfsd_t) +# cjp: this should really have its own type +files_manage_mounttab(nfsd_t) +files_read_etc_runtime_files(nfsd_t) + +fs_mount_nfsd_fs(nfsd_t) +fs_search_nfsd_fs(nfsd_t) +fs_getattr_all_fs(nfsd_t) +fs_getattr_all_dirs(nfsd_t) +fs_rw_nfsd_fs(nfsd_t) + +storage_dontaudit_read_fixed_disk(nfsd_t) +storage_raw_read_removable_device(nfsd_t) + +# Read access to public_content_t and public_content_rw_t +miscfiles_read_public_files(nfsd_t) + +# Write access to public_content_t and public_content_rw_t +tunable_policy(`allow_nfsd_anon_write',` + miscfiles_manage_public_files(nfsd_t) +') + +tunable_policy(`nfs_export_all_rw',` + dev_getattr_all_blk_files(nfsd_t) + dev_getattr_all_chr_files(nfsd_t) + + fs_read_noxattr_fs_files(nfsd_t) + auth_manage_all_files_except_auth_files(nfsd_t) +') + +tunable_policy(`nfs_export_all_ro',` + dev_getattr_all_blk_files(nfsd_t) + dev_getattr_all_chr_files(nfsd_t) + + files_getattr_all_pipes(nfsd_t) + files_getattr_all_sockets(nfsd_t) + + fs_read_noxattr_fs_files(nfsd_t) + + auth_read_all_dirs_except_auth_files(nfsd_t) + auth_read_all_files_except_auth_files(nfsd_t) +') + +######################################## +# +# GSSD local policy +# + +allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; +allow gssd_t self:process { getsched setsched }; 
+allow gssd_t self:fifo_file rw_file_perms;
+
+manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+
+kernel_read_system_state(gssd_t)
+kernel_read_network_state(gssd_t)
+kernel_read_network_state_symlinks(gssd_t)
+kernel_request_load_module(gssd_t)
+kernel_search_network_sysctl(gssd_t)
+kernel_signal(gssd_t)
+
+corecmd_exec_bin(gssd_t)
+
+fs_list_rpc(gssd_t)
+fs_rw_rpc_sockets(gssd_t)
+fs_read_rpc_files(gssd_t)
+
+fs_list_inotifyfs(gssd_t)
+files_list_tmp(gssd_t)
+files_read_usr_symlinks(gssd_t)
+files_dontaudit_write_var_dirs(gssd_t)
+
+auth_use_nsswitch(gssd_t)
+auth_manage_cache(gssd_t)
+
+miscfiles_read_generic_certs(gssd_t)
+
+mount_signal(gssd_t)
+
+userdom_signal_all_users(gssd_t)
+
+tunable_policy(`allow_gssd_read_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_read_user_tmp_files(gssd_t)
+ userdom_read_user_tmp_symlinks(gssd_t)
+')
+
+optional_policy(`
+ automount_signal(gssd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(gssd, gssd_t)
+')
+
+optional_policy(`
+ pcscd_read_pub_files(gssd_t)
+')
+
+optional_policy(`
+ xserver_rw_xdm_tmp_files(gssd_t)
+')
diff --git a/rpcbind.fc b/rpcbind.fc
new file mode 100644
index 0000000..f5c47d6
--- /dev/null
+++ b/rpcbind.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+
+/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+
+/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+
+/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
diff --git a/rpcbind.if b/rpcbind.if
new file mode 100644
index 0000000..a96249c
--- /dev/null
+++ b/rpcbind.if
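Review bot: `allow gssd_t self:fifo_file rw_file_perms;` at the top of the GSSD section uses the generic file permission set, while the rpcd_t rule in the RPC section of the same hunk uses the fifo-specific one; for consistency it should read `allow gssd_t self:fifo_file rw_fifo_file_perms;`. The `nfs_export_all_rw` and `nfs_export_all_ro` tunables guarded in the NFSD section are not declared by a `gen_tunable` in this module (only `allow_gssd_read_tmp` and `allow_nfsd_anon_write` are), so they are presumably global tunables; a one-line comment naming where they are declared would save the next reader a search. Because the `nfs_export_all_rw` branch ends in `auth_manage_all_files_except_auth_files(nfsd_t)`, a why-comment stating that enabling it lets the NFS server domain write nearly every file on the host would document the risk that tunable trades on.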
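Review bot: In `/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)` the dot in `rpc.statd` is unescaped while the one before `pid` is escaped, so the regex also matches any single character in that position; it should be `/var/run/rpc\.statd\.pid`. Every other entry in this file escapes its dots consistently.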
@@ -0,0 +1,148 @@
+## Universal Addresses to RPC Program Number Mapper
+
+########################################
+##
+## Execute a domain transition to run rpcbind.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rpcbind_domtrans',`
+ gen_require(`
+ type rpcbind_t, rpcbind_exec_t;
+ ')
+
+ domtrans_pattern($1, rpcbind_exec_t, rpcbind_t)
+')
+
+########################################
+##
+## Connect to rpcbindd over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rpcbind_stream_connect',`
+ gen_require(`
+ type rpcbind_t, rpcbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 rpcbind_var_run_t:sock_file write;
+ allow $1 rpcbind_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Read rpcbind PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rpcbind_read_pid_files',`
+ gen_require(`
+ type rpcbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 rpcbind_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Search rpcbind lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rpcbind_search_lib',`
+ gen_require(`
+ type rpcbind_var_lib_t;
+ ')
+
+ allow $1 rpcbind_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read rpcbind lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rpcbind_read_lib_files',`
+ gen_require(`
+ type rpcbind_var_lib_t;
+ ')
+
+ read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## rpcbind lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rpcbind_manage_lib_files',`
+ gen_require(`
+ type rpcbind_var_lib_t;
+ ')
+
+ manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an rpcbind environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the rpcbind domain.
+##
+##
+##
+#
+interface(`rpcbind_admin',`
+ gen_require(`
+ type rpcbind_t, rpcbind_var_lib_t, rpcbind_var_run_t;
+ type rpcbind_initrc_exec_t;
+ ')
+
+ allow $1 rpcbind_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rpcbind_t)
+
+ init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 rpcbind_initrc_exec_t system_r;
+ allow $2 system_r;
+')
diff --git a/rpcbind.te b/rpcbind.te
new file mode 100644
index 0000000..a63e9ee
--- /dev/null
+++ b/rpcbind.te
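Review bot: `init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)` in `rpcbind_admin` misspells the type; the `gen_require` block declares `rpcbind_initrc_exec_t`, so the call should be `init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)` — as written, any policy that calls `rpcbind_admin` references an undeclared type and will fail to build. The same `gen_require` lists `rpcbind_var_lib_t` and `rpcbind_var_run_t` but the body never uses them; either drop them or add the manage rules an admin interface would normally carry for those types (presumably `manage_files_pattern` on each plus the matching `files_search_var_lib`/`files_search_pids`). `rpcbind_stream_connect` also spells out `sock_file write` and `unix_stream_socket connectto` by hand where the rest of the file uses `*_pattern` helpers; `stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)` expresses the same grant in the refpolicy idiom.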
@@ -0,0 +1,69 @@
+policy_module(rpcbind, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type rpcbind_t;
+type rpcbind_exec_t;
+init_daemon_domain(rpcbind_t, rpcbind_exec_t)
+
+type rpcbind_initrc_exec_t;
+init_script_file(rpcbind_initrc_exec_t)
+
+type rpcbind_var_run_t;
+files_pid_file(rpcbind_var_run_t)
+
+type rpcbind_var_lib_t;
+files_type(rpcbind_var_lib_t)
+
+########################################
+#
+# rpcbind local policy
+#
+
+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+allow rpcbind_t self:fifo_file rw_file_perms;
+allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
+allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow rpcbind_t self:udp_socket create_socket_perms;
+allow rpcbind_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
+manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
+files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
+
+manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file })
+
+kernel_read_system_state(rpcbind_t)
+kernel_read_network_state(rpcbind_t)
+kernel_request_load_module(rpcbind_t)
+
+corenet_all_recvfrom_unlabeled(rpcbind_t)
+corenet_all_recvfrom_netlabel(rpcbind_t)
+corenet_tcp_sendrecv_generic_if(rpcbind_t)
+corenet_udp_sendrecv_generic_if(rpcbind_t)
+corenet_tcp_sendrecv_generic_node(rpcbind_t)
+corenet_udp_sendrecv_generic_node(rpcbind_t)
+corenet_tcp_sendrecv_all_ports(rpcbind_t)
+corenet_udp_sendrecv_all_ports(rpcbind_t)
+corenet_tcp_bind_generic_node(rpcbind_t)
+corenet_udp_bind_generic_node(rpcbind_t)
+corenet_tcp_bind_portmap_port(rpcbind_t)
+corenet_udp_bind_portmap_port(rpcbind_t)
+corenet_udp_bind_all_rpc_ports(rpcbind_t)
+
+domain_use_interactive_fds(rpcbind_t)
+
+files_read_etc_files(rpcbind_t)
+files_read_etc_runtime_files(rpcbind_t)
+
+logging_send_syslog_msg(rpcbind_t)
+
+miscfiles_read_localization(rpcbind_t)
+
+sysnet_dns_name_resolve(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
new file mode 100644
index 0000000..b206bf6
--- /dev/null
+++ b/rpm.fc
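Review bot: `allow rpcbind_t self:fifo_file rw_file_perms;` applies the generic file permission set to a fifo_file; the fifo-specific set is the convention in this policy, so the line should be `allow rpcbind_t self:fifo_file rw_fifo_file_perms;`. Neither `kernel_request_load_module(rpcbind_t)` nor the `sys_tty_config` capability in the self:capability rule carries a comment saying what the daemon does that needs it, and both are unusual for a port mapper; a why-comment on each, such as `# TODO(review): record which module load / tty operation rpcbind performs`, would let a later reviewer distinguish a required rule from a leftover one.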
@@ -0,0 +1,52 @@
+
+/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
+/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ifdef(`distro_redhat', `
+/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+')
+
+/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+
+/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+
+/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
+/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+
+# SuSE
+ifdef(`distro_suse', `
+/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
+')
+
+ifdef(`enable_mls',`
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+')
diff --git a/rpm.if b/rpm.if
new file mode 100644
index 0000000..d33daa8
--- /dev/null
+++ b/rpm.if
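Review bot: `/usr/libexec/yumDBUSBackend.py` leaves its dot unescaped while `/usr/share/yumex/yum_childtask\.py` in the same file escapes it; the entry should be `/usr/libexec/yumDBUSBackend\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)`. Separately, `/usr/sbin/packagekitd` is labeled `rpm_exec_t`, which runs the PackageKit daemon in `rpm_t` with every rule rpm.te grants that domain, and the rpm.te hunk in this commit optionally makes `rpm_t` an unconfined domain; a one-line comment above that entry stating that the shared label is intentional would stop a later reader from treating it as an oversight.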
@@ -0,0 +1,578 @@ +## Policy for the RPM package manager. + +######################################## +## +## Execute rpm programs in the rpm domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`rpm_domtrans',` + gen_require(` + type rpm_t, rpm_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, rpm_exec_t, rpm_t) +') + +######################################## +## +## Execute debuginfo_install programs in the rpm domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`rpm_debuginfo_domtrans',` + gen_require(` + type rpm_t, debuginfo_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, debuginfo_exec_t, rpm_t) +') + +######################################## +## +## Execute rpm_script programs in the rpm_script domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`rpm_domtrans_script',` + gen_require(` + type rpm_script_t; + ') + + # transition to rpm script: + corecmd_shell_domtrans($1, rpm_script_t) + allow rpm_script_t $1:fd use; + allow rpm_script_t $1:fifo_file rw_file_perms; + allow rpm_script_t $1:process sigchld; +') + +######################################## +## +## Execute RPM programs in the RPM domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to allow the RPM domain. +## +## +## +# +interface(`rpm_run',` + gen_require(` + type rpm_t, rpm_script_t; + ') + + rpm_domtrans($1) + role $2 types { rpm_t rpm_script_t }; + seutil_run_loadpolicy(rpm_script_t, $2) + seutil_run_semanage(rpm_script_t, $2) + seutil_run_setfiles(rpm_script_t, $2) +') + +######################################## +## +## Execute the rpm client in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_exec',` + gen_require(` + type rpm_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, rpm_exec_t) +') + +######################################## +## +## Send a null signal to rpm. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`rpm_signull',` + gen_require(` + type rpm_t; + ') + + allow $1 rpm_t:process signull; +') + +######################################## +## +## Inherit and use file descriptors from RPM. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_use_fds',` + gen_require(` + type rpm_t; + ') + + allow $1 rpm_t:fd use; +') + +######################################## +## +## Read from an unnamed RPM pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_read_pipes',` + gen_require(` + type rpm_t; + ') + + allow $1 rpm_t:fifo_file read_fifo_file_perms; +') + +######################################## +## +## Read and write an unnamed RPM pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_rw_pipes',` + gen_require(` + type rpm_t; + ') + + allow $1 rpm_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Send and receive messages from +## rpm over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_dbus_chat',` + gen_require(` + type rpm_t; + class dbus send_msg; + ') + + allow $1 rpm_t:dbus send_msg; + allow rpm_t $1:dbus send_msg; +') + +######################################## +## +## Do not audit attempts to send and +## receive messages from rpm over dbus. +## +## +## +## Domain to not audit. +## +## +# +interface(`rpm_dontaudit_dbus_chat',` + gen_require(` + type rpm_t; + class dbus send_msg; + ') + + dontaudit $1 rpm_t:dbus send_msg; + dontaudit rpm_t $1:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## rpm_script over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_script_dbus_chat',` + gen_require(` + type rpm_script_t; + class dbus send_msg; + ') + + allow $1 rpm_script_t:dbus send_msg; + allow rpm_script_t $1:dbus send_msg; +') + +######################################## +## +## Search RPM log directory. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`rpm_search_log',` + gen_require(` + type rpm_log_t; + ') + + logging_search_logs($1) + allow $1 rpm_log_t:dir search_dir_perms; +') + +##################################### +## +## Allow the specified domain to append +## to rpm log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_append_log',` + gen_require(` + type rpm_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, rpm_log_t, rpm_log_t) +') + +######################################## +## +## Create, read, write, and delete the RPM log. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_manage_log',` + gen_require(` + type rpm_log_t; + ') + + logging_rw_generic_log_dirs($1) + allow $1 rpm_log_t:file manage_file_perms; +') + +######################################## +## +## Inherit and use file descriptors from RPM scripts. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_use_script_fds',` + gen_require(` + type rpm_script_t; + ') + + allow $1 rpm_script_t:fd use; +') + +######################################## +## +## Create, read, write, and delete RPM +## script temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_manage_script_tmp_files',` + gen_require(` + type rpm_script_tmp_t; + ') + + files_search_tmp($1) + manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) +') + +##################################### +## +## Allow the specified domain to append +## to rpm tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_append_tmp_files',` + gen_require(` + type rpm_tmp_t; + ') + + files_search_tmp($1) + append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) +') + +######################################## +## +## Create, read, write, and delete RPM +## temporary files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`rpm_manage_tmp_files',` + gen_require(` + type rpm_tmp_t; + ') + + files_search_tmp($1) + manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) +') + +######################################## +## +## Read RPM script temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_read_script_tmp_files',` + gen_require(` + type rpm_script_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) + read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) +') + +######################################## +## +## Read the RPM cache. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_read_cache',` + gen_require(` + type rpm_var_cache_t; + ') + + files_search_var($1) + allow $1 rpm_var_cache_t:dir list_dir_perms; + read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) + read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) +') + +######################################## +## +## Create, read, write, and delete the RPM package database. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_manage_cache',` + gen_require(` + type rpm_var_cache_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t) + manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) + manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) +') + +######################################## +## +## Read the RPM package database. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_read_db',` + gen_require(` + type rpm_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 rpm_var_lib_t:dir list_dir_perms; + read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) +') + +######################################## +## +## Delete the RPM package database. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`rpm_delete_db',` + gen_require(` + type rpm_var_lib_t; + ') + + files_search_var_lib($1) + delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) +') + +######################################## +## +## Create, read, write, and delete the RPM package database. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_manage_db',` + gen_require(` + type rpm_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) +') + +######################################## +## +## Do not audit attempts to create, read, +## write, and delete the RPM package database. +## +## +## +## Domain to not audit. +## +## +# +interface(`rpm_dontaudit_manage_db',` + gen_require(` + type rpm_var_lib_t; + ') + + dontaudit $1 rpm_var_lib_t:dir rw_dir_perms; + dontaudit $1 rpm_var_lib_t:file manage_file_perms; + dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; +') + +##################################### +## +## Read rpm pid files. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_read_pid_files',` + gen_require(` + type rpm_var_run_t; + ') + + read_files_pattern($1, rpm_var_run_t, rpm_var_run_t) + files_search_pids($1) +') + +##################################### +## +## Create, read, write, and delete rpm pid files. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_manage_pid_files',` + gen_require(` + type rpm_var_run_t; + ') + + manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t) + files_search_pids($1) +') + +###################################### +## +## Create files in /var/run with the rpm pid file type. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_pid_filetrans',` + gen_require(` + type rpm_var_run_t; + ') + + files_pid_filetrans($1, rpm_var_run_t, file) +') diff --git a/rpm.te b/rpm.te new file mode 100644 index 0000000..7d964bf --- /dev/null +++ b/rpm.te 
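Review bot: `rpm_manage_cache` calls `files_search_var_lib($1)` although `rpm_var_cache_t` is placed under /var/cache by the rpm.fc hunk and the sibling `rpm_read_cache` uses `files_search_var($1)`; the manage interface should call `files_search_var($1)` as well — it presumably works today only because the var_lib search helper also grants search on the parent /var directory. `rpm_domtrans_script` grants `allow rpm_script_t $1:fifo_file rw_file_perms;` where `rpm_rw_pipes` in the same file uses the fifo-specific `rw_fifo_file_perms`; the two should agree. `rpm_manage_log` grants `logging_rw_generic_log_dirs($1)`, read/write on the generic log directory rather than on an rpm-owned one; if that is because `rpm_log_t` is applied only to files under /var/log (as the rpm.fc hunk suggests), a comment such as `# rpm_log_t is a file-only type, so creating/deleting logs needs rw on the generic log dir` would record why the broader grant is needed.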
@@ -0,0 +1,395 @@ +policy_module(rpm, 1.13.0) + +######################################## +# +# Declarations +# + +type debuginfo_exec_t; +domain_entry_file(rpm_t, debuginfo_exec_t) + +type rpm_t; +type rpm_exec_t; +init_system_domain(rpm_t, rpm_exec_t) +domain_obj_id_change_exemption(rpm_t) +domain_role_change_exemption(rpm_t) +domain_system_change_exemption(rpm_t) +domain_interactive_fd(rpm_t) + +type rpm_file_t; +files_type(rpm_file_t) + +type rpm_tmp_t; +files_tmp_file(rpm_tmp_t) + +type rpm_tmpfs_t; +files_tmpfs_file(rpm_tmpfs_t) + +type rpm_log_t; +logging_log_file(rpm_log_t) + +type rpm_var_lib_t; +files_type(rpm_var_lib_t) +typealias rpm_var_lib_t alias var_lib_rpm_t; + +type rpm_var_cache_t; +files_type(rpm_var_cache_t) + +type rpm_var_run_t; +files_pid_file(rpm_var_run_t) + +type rpm_script_t; +type rpm_script_exec_t; +domain_obj_id_change_exemption(rpm_script_t) +domain_system_change_exemption(rpm_script_t) +corecmd_shell_entry_type(rpm_script_t) +corecmd_bin_entry_type(rpm_script_t) +domain_type(rpm_script_t) +domain_entry_file(rpm_t, rpm_script_exec_t) +domain_interactive_fd(rpm_script_t) +role system_r types rpm_script_t; + +type rpm_script_tmp_t; +files_tmp_file(rpm_script_tmp_t) + +type rpm_script_tmpfs_t; +files_tmpfs_file(rpm_script_tmpfs_t) + +######################################## +# +# rpm Local policy +# + +allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; +allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; +allow rpm_t self:process { getattr setexec setfscreate setrlimit }; +allow rpm_t self:fd use; +allow rpm_t self:fifo_file rw_fifo_file_perms; +allow rpm_t self:unix_dgram_socket create_socket_perms; +allow rpm_t self:unix_stream_socket rw_stream_socket_perms; +allow rpm_t self:unix_dgram_socket sendto; +allow rpm_t self:unix_stream_socket connectto; +allow rpm_t self:udp_socket { connect }; +allow rpm_t 
self:udp_socket create_socket_perms; +allow rpm_t self:tcp_socket create_stream_socket_perms; +allow rpm_t self:shm create_shm_perms; +allow rpm_t self:sem create_sem_perms; +allow rpm_t self:msgq create_msgq_perms; +allow rpm_t self:msg { send receive }; + +allow rpm_t rpm_log_t:file manage_file_perms; +logging_log_filetrans(rpm_t, rpm_log_t, file) + +manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) +manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) +files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) +can_exec(rpm_t, rpm_tmp_t) + +manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +can_exec(rpm_t, rpm_tmpfs_t) + +manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) +manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) +files_var_filetrans(rpm_t, rpm_var_cache_t, dir) + +# Access /var/lib/rpm files +manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) +files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) + +manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) +files_pid_filetrans(rpm_t, rpm_var_run_t, file) + +kernel_read_crypto_sysctls(rpm_t) +kernel_read_network_state(rpm_t) +kernel_read_system_state(rpm_t) +kernel_read_kernel_sysctls(rpm_t) + +corecmd_exec_all_executables(rpm_t) + +corenet_all_recvfrom_unlabeled(rpm_t) +corenet_all_recvfrom_netlabel(rpm_t) +corenet_tcp_sendrecv_generic_if(rpm_t) +corenet_raw_sendrecv_generic_if(rpm_t) +corenet_udp_sendrecv_generic_if(rpm_t) +corenet_tcp_sendrecv_generic_node(rpm_t) +corenet_raw_sendrecv_generic_node(rpm_t) +corenet_udp_sendrecv_generic_node(rpm_t) +corenet_tcp_sendrecv_all_ports(rpm_t) +corenet_udp_sendrecv_all_ports(rpm_t) +corenet_tcp_connect_all_ports(rpm_t) 
+corenet_sendrecv_all_client_packets(rpm_t)
+
+dev_list_sysfs(rpm_t)
+dev_list_usbfs(rpm_t)
+dev_read_urand(rpm_t)
+
+fs_getattr_all_dirs(rpm_t)
+fs_list_inotifyfs(rpm_t)
+fs_manage_nfs_dirs(rpm_t)
+fs_manage_nfs_files(rpm_t)
+fs_manage_nfs_symlinks(rpm_t)
+fs_getattr_all_fs(rpm_t)
+fs_search_auto_mountpoints(rpm_t)
+
+mls_file_read_all_levels(rpm_t)
+mls_file_write_all_levels(rpm_t)
+mls_file_upgrade(rpm_t)
+mls_file_downgrade(rpm_t)
+
+selinux_get_fs_mount(rpm_t)
+selinux_validate_context(rpm_t)
+selinux_compute_access_vector(rpm_t)
+selinux_compute_create_context(rpm_t)
+selinux_compute_relabel_context(rpm_t)
+selinux_compute_user_contexts(rpm_t)
+
+storage_raw_write_fixed_disk(rpm_t)
+# for installing kernel packages
+storage_raw_read_fixed_disk(rpm_t)
+
+term_list_ptys(rpm_t)
+
+auth_relabel_all_files_except_auth_files(rpm_t)
+auth_manage_all_files_except_auth_files(rpm_t)
+auth_dontaudit_read_shadow(rpm_t)
+auth_use_nsswitch(rpm_t)
+
+# transition to rpm script:
+rpm_domtrans_script(rpm_t)
+
+domain_read_all_domains_state(rpm_t)
+domain_getattr_all_domains(rpm_t)
+domain_dontaudit_ptrace_all_domains(rpm_t)
+domain_use_interactive_fds(rpm_t)
+domain_dontaudit_getattr_all_pipes(rpm_t)
+domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
+domain_dontaudit_getattr_all_udp_sockets(rpm_t)
+domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+domain_dontaudit_getattr_all_raw_sockets(rpm_t)
+domain_dontaudit_getattr_all_stream_sockets(rpm_t)
+domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
+
+files_exec_etc_files(rpm_t)
+
+init_domtrans_script(rpm_t)
+init_use_script_ptys(rpm_t)
+
+libs_exec_ld_so(rpm_t)
+libs_exec_lib_files(rpm_t)
+libs_domtrans_ldconfig(rpm_t)
+
+logging_send_syslog_msg(rpm_t)
+
+# allow compiling and loading new policy
+seutil_manage_src_policy(rpm_t)
+seutil_manage_bin_policy(rpm_t)
+
+userdom_use_user_terminals(rpm_t)
+userdom_use_unpriv_users_fds(rpm_t)
+
+optional_policy(`
+ cron_system_entry(rpm_t, rpm_exec_t)
+')
+
+optional_policy(`
+ dbus_system_domain(rpm_t, rpm_exec_t)
+ dbus_system_domain(rpm_t, debuginfo_exec_t)
+
+ optional_policy(`
+ hal_dbus_chat(rpm_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(rpm_t)
+ ')
+')
+
+optional_policy(`
+ prelink_domtrans(rpm_t)
+')
+
+optional_policy(`
+ unconfined_domain(rpm_t)
+ # yum-updatesd requires this
+ unconfined_dbus_chat(rpm_t)
+ unconfined_dbus_chat(rpm_script_t)
+')
+
+########################################
+#
+# rpm-script Local policy
+#
+
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
+allow rpm_script_t self:fd use;
+allow rpm_script_t self:fifo_file rw_fifo_file_perms;
+allow rpm_script_t self:unix_dgram_socket create_socket_perms;
+allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
+allow rpm_script_t self:unix_dgram_socket sendto;
+allow rpm_script_t self:unix_stream_socket connectto;
+allow rpm_script_t self:shm create_shm_perms;
+allow rpm_script_t self:sem create_sem_perms;
+allow rpm_script_t self:msgq create_msgq_perms;
+allow rpm_script_t self:msg { send receive };
+allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow rpm_script_t rpm_tmp_t:file read_file_perms;
+
+allow rpm_script_t rpm_script_tmp_t:dir mounton;
+manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
+can_exec(rpm_script_t, rpm_script_tmp_t)
+
+manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
+
+kernel_read_crypto_sysctls(rpm_script_t)
+kernel_read_kernel_sysctls(rpm_script_t)
+kernel_read_system_state(rpm_script_t)
+kernel_read_network_state(rpm_script_t)
+kernel_read_software_raid_state(rpm_script_t)
+
+dev_list_sysfs(rpm_script_t)
+
+# ideally we would not need this
+dev_manage_generic_blk_files(rpm_script_t)
+dev_manage_generic_chr_files(rpm_script_t)
+dev_manage_all_blk_files(rpm_script_t)
+dev_manage_all_chr_files(rpm_script_t)
+
+fs_manage_nfs_files(rpm_script_t)
+fs_getattr_nfs(rpm_script_t)
+fs_search_all(rpm_script_t)
+fs_getattr_all_fs(rpm_script_t)
+# why is this not using mount?
+fs_getattr_xattr_fs(rpm_script_t)
+fs_mount_xattr_fs(rpm_script_t)
+fs_unmount_xattr_fs(rpm_script_t)
+fs_search_auto_mountpoints(rpm_script_t)
+
+mcs_killall(rpm_script_t)
+mcs_ptrace_all(rpm_script_t)
+
+mls_file_read_all_levels(rpm_script_t)
+mls_file_write_all_levels(rpm_script_t)
+
+selinux_get_fs_mount(rpm_script_t)
+selinux_validate_context(rpm_script_t)
+selinux_compute_access_vector(rpm_script_t)
+selinux_compute_create_context(rpm_script_t)
+selinux_compute_relabel_context(rpm_script_t)
+selinux_compute_user_contexts(rpm_script_t)
+
+storage_raw_read_fixed_disk(rpm_script_t)
+storage_raw_write_fixed_disk(rpm_script_t)
+
+term_getattr_unallocated_ttys(rpm_script_t)
+term_list_ptys(rpm_script_t)
+term_use_all_terms(rpm_script_t)
+
+auth_dontaudit_getattr_shadow(rpm_script_t)
+auth_use_nsswitch(rpm_script_t)
+# ideally we would not need this
+auth_manage_all_files_except_auth_files(rpm_script_t)
+auth_relabel_shadow(rpm_script_t)
+
+corecmd_exec_all_executables(rpm_script_t)
+
+domain_read_all_domains_state(rpm_script_t)
+domain_getattr_all_domains(rpm_script_t)
+domain_dontaudit_ptrace_all_domains(rpm_script_t)
+domain_use_interactive_fds(rpm_script_t)
+domain_signal_all_domains(rpm_script_t)
+domain_signull_all_domains(rpm_script_t)
+
+files_exec_etc_files(rpm_script_t)
+files_read_etc_runtime_files(rpm_script_t)
+files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
+
+init_domtrans_script(rpm_script_t)
+init_telinit(rpm_script_t)
+
+libs_exec_ld_so(rpm_script_t)
+libs_exec_lib_files(rpm_script_t)
+libs_domtrans_ldconfig(rpm_script_t)
+
+logging_send_syslog_msg(rpm_script_t)
+
+miscfiles_read_localization(rpm_script_t)
+
+modutils_domtrans_depmod(rpm_script_t)
+modutils_domtrans_insmod(rpm_script_t)
+
+seutil_domtrans_loadpolicy(rpm_script_t)
+seutil_domtrans_setfiles(rpm_script_t)
+seutil_domtrans_semanage(rpm_script_t)
+
+userdom_use_all_users_fds(rpm_script_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ mta_send_mail(rpm_script_t)
+ ')
+')
+
+tunable_policy(`allow_execmem',`
+ allow rpm_script_t self:process execmem;
+')
+
+optional_policy(`
+ bootloader_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(rpm_script_t)
+')
+
+optional_policy(`
+ lvm_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+ ntp_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+ tzdata_domtrans(rpm_t)
+ tzdata_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+ udev_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+ unconfined_domain(rpm_script_t)
+ unconfined_domtrans(rpm_script_t)
+
+ optional_policy(`
+ java_domtrans_unconfined(rpm_script_t)
+ ')
+
+ optional_policy(`
+ mono_domtrans(rpm_script_t)
+ ')
+')
+
+optional_policy(`
+ usermanage_domtrans_groupadd(rpm_script_t)
+ usermanage_domtrans_useradd(rpm_script_t)
+')
diff --git a/rshd.fc b/rshd.fc
new file mode 100644
index 0000000..6a4db03
--- /dev/null
+++ b/rshd.fc
@@ -0,0 +1,5 @@
+
+/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+
+/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+/usr/sbin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
diff --git a/rshd.if b/rshd.if
new file mode 100644
index 0000000..2e87d76
--- /dev/null
+++ b/rshd.if
@@ -0,0 +1,21 @@
+## Remote shell service.
+
+########################################
+##
+## Domain transition to rshd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rshd_domtrans',`
+ gen_require(`
+ type rshd_exec_t, rshd_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rshd_exec_t, rshd_t)
+')
diff --git a/rshd.te b/rshd.te
new file mode 100644
index 0000000..0b405d1
--- /dev/null
+++ b/rshd.te
@@ -0,0 +1,96 @@
+policy_module(rshd, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+type rshd_t;
+type rshd_exec_t;
+inetd_tcp_service_domain(rshd_t, rshd_exec_t)
+domain_subj_id_change_exemption(rshd_t)
+domain_role_change_exemption(rshd_t)
+role system_r types rshd_t;
+
+########################################
+#
+# Local policy
+#
+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
+allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
+allow rshd_t self:fifo_file rw_fifo_file_perms;
+allow rshd_t self:tcp_socket create_stream_socket_perms;
+
+kernel_read_kernel_sysctls(rshd_t)
+
+corenet_all_recvfrom_unlabeled(rshd_t)
+corenet_all_recvfrom_netlabel(rshd_t)
+corenet_tcp_sendrecv_generic_if(rshd_t)
+corenet_udp_sendrecv_generic_if(rshd_t)
+corenet_tcp_sendrecv_generic_node(rshd_t)
+corenet_udp_sendrecv_generic_node(rshd_t)
+corenet_tcp_sendrecv_all_ports(rshd_t)
+corenet_udp_sendrecv_all_ports(rshd_t)
+corenet_tcp_bind_generic_node(rshd_t)
+corenet_tcp_bind_rsh_port(rshd_t)
+corenet_tcp_bind_all_rpc_ports(rshd_t)
+corenet_tcp_connect_all_ports(rshd_t)
+corenet_tcp_connect_all_rpc_ports(rshd_t)
+corenet_sendrecv_rsh_server_packets(rshd_t)
+
+dev_read_urand(rshd_t)
+
+selinux_get_fs_mount(rshd_t)
+selinux_validate_context(rshd_t)
+selinux_compute_access_vector(rshd_t)
+selinux_compute_create_context(rshd_t)
+selinux_compute_relabel_context(rshd_t)
+selinux_compute_user_contexts(rshd_t)
+
+corecmd_read_bin_symlinks(rshd_t)
+
+files_list_home(rshd_t)
+files_read_etc_files(rshd_t)
+files_search_tmp(rshd_t)
+
+auth_login_pgm_domain(rshd_t)
+auth_write_login_records(rshd_t)
+
+init_rw_utmp(rshd_t)
+
+logging_send_syslog_msg(rshd_t)
+logging_search_logs(rshd_t)
+
+miscfiles_read_localization(rshd_t)
+
+seutil_read_config(rshd_t)
+seutil_read_default_contexts(rshd_t)
+
+userdom_search_user_home_content(rshd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(rshd_t)
+ fs_read_nfs_symlinks(rshd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(rshd_t)
+ fs_read_cifs_symlinks(rshd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(rshd, rshd_t)
+ kerberos_manage_host_rcache(rshd_t)
+')
+
+optional_policy(`
+ rlogin_read_home_content(rshd_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(rshd_t, rshd_exec_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(rshd_t)
+ unconfined_signal(rshd_t)
+')
diff --git a/rssh.fc b/rssh.fc
new file mode 100644
index 0000000..4c091ca
--- /dev/null
+++ b/rssh.fc
@@ -0,0 +1 @@
+/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0)
diff --git a/rssh.if b/rssh.if
new file mode 100644
index 0000000..cb3d973
--- /dev/null
+++ b/rssh.if
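Review bot: The network scope given to rshd_t is wider than anything else in the hunk justifies: `corenet_tcp_connect_all_ports(rshd_t)` lets the daemon reach any TCP port anywhere, and the four `corenet_udp_*` lines grant UDP traffic although the local policy never allows rshd_t a `self:udp_socket`, so they are either dead or cover an inherited socket the hunk doesn't show. If the refpolicy you build against offers a reserved-port connect interface, prefer it for the stderr back-channel; if not, keep the all-ports line but document why with `# connects back to the client's stderr port; no narrower corenet interface available`. The UDP lines should go unless you can point at the UDP use that needs them.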
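Review bot: rssh.fc labels only /usr/bin/rssh, but rssh.te (later in this diff) declares `rssh_chroot_helper_exec_t` and relies on `rssh_domtrans_chroot_helper(rssh_t)` to move the chroot helper into its own domain; with no file context assigning that type, the helper keeps whatever label its directory gives it and the transition never fires. Add an entry for the helper at the path your package installs it, in the form `/path/to/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)`, unless a distribution-specific fc already covers it.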
@@ -0,0 +1,103 @@
+## Restricted (scp/sftp) only shell
+
+########################################
+##
+## Role access for rssh
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`rssh_role',`
+ gen_require(`
+ type rssh_t;
+ ')
+
+ role $1 types rssh_t;
+
+ # allow ps to show irc
+ ps_process_pattern($2, rssh_t)
+ allow $2 rssh_t:process signal;
+')
+
+########################################
+##
+## Transition to all user rssh domains.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rssh_spec_domtrans',`
+ gen_require(`
+ type rssh_t, rssh_exec_t;
+ ')
+
+ spec_domtrans_pattern($1, rssh_exec_t, rssh_t)
+')
+
+########################################
+##
+## Execute the rssh program
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rssh_exec',`
+ gen_require(`
+ type rssh_exec_t;
+ ')
+
+ can_exec($1, rssh_exec_t)
+')
+
+########################################
+##
+## Execute a domain transition to run rssh_chroot_helper.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rssh_domtrans_chroot_helper',`
+ gen_require(`
+ type rssh_chroot_helper_t, rssh_chroot_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t)
+')
+
+########################################
+##
+## Read all users rssh read-only content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rssh_read_ro_content',`
+ gen_require(`
+ type rssh_ro_t;
+ ')
+
+ allow $1 rssh_ro_t:dir list_dir_perms;
+ read_files_pattern($1, rssh_ro_t, rssh_ro_t)
+ read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t)
+')
diff --git a/rssh.te b/rssh.te
new file mode 100644
index 0000000..7e8bf64
--- /dev/null
+++ b/rssh.te
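Review bot: The comment inside `rssh_role`, `# allow ps to show irc`, is a leftover from whichever module this was cloned from and should read `# allow ps to show rssh`. Separately, `rssh_domtrans_chroot_helper` omits `corecmd_search_bin($1)` while the other domtrans interfaces in this diff (`rshd_domtrans`, `samba_domtrans_nmbd`, `samba_domtrans_net`) include it; whether it matters depends on the helper's install directory, which rssh.fc does not show, so either add the search permission or confirm callers already have it.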
@@ -0,0 +1,105 @@
+policy_module(rssh, 2.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type rssh_t;
+type rssh_exec_t;
+typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t };
+typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t };
+application_domain(rssh_t, rssh_exec_t)
+domain_user_exemption_target(rssh_t)
+domain_interactive_fd(rssh_t)
+ubac_constrained(rssh_t)
+role system_r types rssh_t;
+
+type rssh_chroot_helper_t;
+type rssh_chroot_helper_exec_t;
+init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t)
+
+type rssh_devpts_t;
+typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t };
+typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t };
+term_user_pty(rssh_t, rssh_devpts_t)
+ubac_constrained(rssh_devpts_t)
+
+type rssh_ro_t;
+typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t };
+typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t };
+userdom_user_home_content(rssh_ro_t)
+
+type rssh_rw_t;
+typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t };
+typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t };
+userdom_user_home_content(rssh_rw_t)
+
+##############################
+#
+# Local policy
+#
+
+allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rssh_t self:fd use;
+allow rssh_t self:fifo_file rw_fifo_file_perms;
+allow rssh_t self:unix_dgram_socket create_socket_perms;
+allow rssh_t self:unix_stream_socket create_stream_socket_perms;
+allow rssh_t self:unix_dgram_socket sendto;
+allow rssh_t self:unix_stream_socket connectto;
+allow rssh_t self:shm create_shm_perms;
+allow rssh_t self:sem create_sem_perms;
+allow rssh_t self:msgq create_msgq_perms;
+allow rssh_t self:msg { send receive };
+
+allow rssh_t rssh_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(rssh_t, rssh_devpts_t)
+
+allow rssh_t rssh_ro_t:dir list_dir_perms;
+read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t)
+
+manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+
+kernel_read_system_state(rssh_t)
+kernel_read_kernel_sysctls(rssh_t)
+
+files_read_etc_files(rssh_t)
+files_read_etc_runtime_files(rssh_t)
+files_list_home(rssh_t)
+files_read_usr_files(rssh_t)
+files_list_var(rssh_t)
+
+fs_search_auto_mountpoints(rssh_t)
+
+logging_send_syslog_msg(rssh_t)
+
+miscfiles_read_localization(rssh_t)
+
+rssh_domtrans_chroot_helper(rssh_t)
+
+ssh_rw_tcp_sockets(rssh_t)
+ssh_rw_stream_sockets(rssh_t)
+
+optional_policy(`
+ nis_use_ypbind(rssh_t)
+')
+
+########################################
+#
+# rssh_chroot_helper local policy
+#
+
+allow rssh_chroot_helper_t self:capability { sys_chroot setuid };
+allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;
+allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(rssh_chroot_helper_t)
+
+files_read_etc_files(rssh_chroot_helper_t)
+
+auth_use_nsswitch(rssh_chroot_helper_t)
+
+logging_send_syslog_msg(rssh_chroot_helper_t)
+
+miscfiles_read_localization(rssh_chroot_helper_t)
diff --git a/rsync.fc b/rsync.fc
new file mode 100644
index 0000000..479615b
--- /dev/null
+++ b/rsync.fc
@@ -0,0 +1,7 @@
+/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
+
+/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
+
+/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
diff --git a/rsync.if b/rsync.if
new file mode 100644
index 0000000..3386f29
--- /dev/null
+++ b/rsync.if
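Review bot: `rssh_domtrans_chroot_helper(rssh_t)` moves a process that runs under a user role (rssh_t is added to caller roles by `rssh_role` in rssh.if) into rssh_chroot_helper_t, but the only role authorised for that type in this hunk is system_r via `init_system_domain`; unless a role_transition or another `role … types rssh_chroot_helper_t` exists outside this diff, the exec will fail the role check for staff_r/user_r sessions. Add `role $1 types rssh_chroot_helper_t;` next to the existing `role $1 types rssh_t;` in `rssh_role`, or an equivalent role authorisation here, so the transition is actually reachable. The helper's capability set (`sys_chroot setuid`) is appropriately narrow and needs no change.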
@@ -0,0 +1,143 @@
+## Fast incremental file transfer for synchronization
+
+########################################
+##
+## Make rsync an entry point for
+## the specified domain.
+##
+##
+##
+## The domain for which init scripts are an entrypoint.
+##
+##
+# cjp: added for portage
+interface(`rsync_entry_type',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_entry_file($1, rsync_exec_t)
+')
+
+########################################
+##
+## Execute a rsync in a specified domain.
+##
+##
+##

+## Execute a rsync in a specified domain.
+##

+##

+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##

+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Domain to transition to.
+##
+##
+# cjp: added for portage
+interface(`rsync_entry_spec_domtrans',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_trans($1, rsync_exec_t, $2)
+')
+
+########################################
+##
+## Execute a rsync in a specified domain.
+##
+##
+##

+## Execute a rsync in a specified domain.
+##

+##

+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##

+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Domain to transition to.
+##
+##
+# cjp: added for portage
+interface(`rsync_entry_domtrans',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_auto_trans($1, rsync_exec_t, $2)
+')
+
+########################################
+##
+## Execute rsync in the caller domain domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`rsync_exec',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ can_exec($1, rsync_exec_t)
+')
+
+########################################
+##
+## Read rsync config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rsync_read_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ allow $1 rsync_etc_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+########################################
+##
+## Write to rsync config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rsync_write_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ allow $1 rsync_etc_t:file read_file_perms;
+ files_search_etc($1)
+')
diff --git a/rsync.te b/rsync.te
new file mode 100644
index 0000000..5c17e84
--- /dev/null
+++ b/rsync.te
@@ -0,0 +1,133 @@
+policy_module(rsync, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
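Review bot: `rsync_write_config` grants only `read_file_perms` on rsync_etc_t, so a domain given this interface still cannot write the config despite the "Write to rsync config files" summary; the allow should be `allow $1 rsync_etc_t:file rw_file_perms;` (or `rw_files_pattern($1, rsync_etc_t, rsync_etc_t)`). As written the interface is an exact duplicate of `rsync_read_config` and will silently under-grant whoever calls it. Minor: the descriptions of `rsync_entry_spec_domtrans` and `rsync_entry_domtrans` repeat their summary sentence verbatim, and `rsync_exec` says "caller domain domain".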

+## Allow rsync to export any files/directories read only.
+##

+##
+gen_tunable(rsync_export_all_ro, false)
+
+##
+##

+## Allow rsync to modify public files
+## used for public file transfer services. Files/Directories must be
+## labeled public_content_rw_t.
+##

+##
+gen_tunable(allow_rsync_anon_write, false)
+
+type rsync_t;
+type rsync_exec_t;
+init_daemon_domain(rsync_t, rsync_exec_t)
+application_executable_file(rsync_exec_t)
+role system_r types rsync_t;
+
+type rsync_etc_t;
+files_config_file(rsync_etc_t)
+
+type rsync_data_t;
+files_type(rsync_data_t)
+
+type rsync_log_t;
+logging_log_file(rsync_log_t)
+
+type rsync_tmp_t;
+files_tmp_file(rsync_tmp_t)
+
+type rsync_var_run_t;
+files_pid_file(rsync_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
+allow rsync_t self:process signal_perms;
+allow rsync_t self:fifo_file rw_fifo_file_perms;
+allow rsync_t self:tcp_socket create_stream_socket_perms;
+allow rsync_t self:udp_socket connected_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child_t rules?
+# search home and kerberos also.
+allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+#end for identd
+
+allow rsync_t rsync_etc_t:file read_file_perms;
+
+allow rsync_t rsync_data_t:dir list_dir_perms;
+read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+
+manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
+logging_log_filetrans(rsync_t, rsync_log_t, file)
+
+manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
+manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
+files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
+
+manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t)
+files_pid_filetrans(rsync_t, rsync_var_run_t, file)
+
+kernel_read_kernel_sysctls(rsync_t)
+kernel_read_system_state(rsync_t)
+kernel_read_network_state(rsync_t)
+
+corenet_all_recvfrom_unlabeled(rsync_t)
+corenet_all_recvfrom_netlabel(rsync_t)
+corenet_tcp_sendrecv_generic_if(rsync_t)
+corenet_udp_sendrecv_generic_if(rsync_t)
+corenet_tcp_sendrecv_generic_node(rsync_t)
+corenet_udp_sendrecv_generic_node(rsync_t)
+corenet_tcp_sendrecv_all_ports(rsync_t)
+corenet_udp_sendrecv_all_ports(rsync_t)
+corenet_tcp_bind_generic_node(rsync_t)
+corenet_tcp_bind_rsync_port(rsync_t)
+corenet_sendrecv_rsync_server_packets(rsync_t)
+
+dev_read_urand(rsync_t)
+
+fs_getattr_xattr_fs(rsync_t)
+
+files_read_etc_files(rsync_t)
+files_search_home(rsync_t)
+
+auth_use_nsswitch(rsync_t)
+
+logging_send_syslog_msg(rsync_t)
+
+miscfiles_read_localization(rsync_t)
+miscfiles_read_public_files(rsync_t)
+
+tunable_policy(`allow_rsync_anon_write',`
+ miscfiles_manage_public_files(rsync_t)
+')
+
+optional_policy(`
+ daemontools_service_domain(rsync_t, rsync_exec_t)
+')
+
+optional_policy(`
+ kerberos_use(rsync_t)
+')
+
+optional_policy(`
+ inetd_service_domain(rsync_t, rsync_exec_t)
+')
+
+tunable_policy(`rsync_export_all_ro',`
+ fs_read_noxattr_fs_files(rsync_t)
+ fs_read_nfs_files(rsync_t)
+ fs_read_cifs_files(rsync_t)
+ auth_read_all_dirs_except_auth_files(rsync_t)
+ auth_read_all_files_except_auth_files(rsync_t)
+ auth_read_all_symlinks_except_auth_files(rsync_t)
+ auth_tunable_read_shadow(rsync_t)
+')
+auth_can_read_shadow_passwords(rsync_t)
diff --git a/rtkit.fc b/rtkit.fc
new file mode 100644
index 0000000..52c441e
--- /dev/null
+++ b/rtkit.fc
@@ -0,0 +1 @@
+/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
diff --git a/rtkit.if b/rtkit.if
new file mode 100644
index 0000000..46dad1f
--- /dev/null
+++ b/rtkit.if
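Review bot: The trailing `auth_can_read_shadow_passwords(rsync_t)` is unconditional, while the shadow read inside `tunable_policy(rsync_export_all_ro)` goes through `auth_tunable_read_shadow(rsync_t)`; a reader will take the last line as granting /etc/shadow access regardless of the boolean, and nothing in the hunk says otherwise. If, as the name suggests, it only attaches the attribute that the tunable rule keys on (attribute assignments cannot live inside a tunable block), say so with `# attribute only: the actual shadow read is gated by rsync_export_all_ro above`; if it grants the read by itself, it belongs inside the tunable. Either way a daemon exposed to the network should not end up on a shadow-reading attribute without a comment explaining the gate.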
@@ -0,0 +1,60 @@
+## Realtime scheduling for user processes.
+
+########################################
+##
+## Execute a domain transition to run rtkit_daemon.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rtkit_daemon_domtrans',`
+ gen_require(`
+ type rtkit_daemon_t, rtkit_daemon_exec_t;
+ ')
+
+ domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## rtkit_daemon over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rtkit_daemon_dbus_chat',`
+ gen_require(`
+ type rtkit_daemon_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rtkit_daemon_t:dbus send_msg;
+ allow rtkit_daemon_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Allow rtkit to control scheduling for your process
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rtkit_scheduled',`
+ gen_require(`
+ type rtkit_daemon_t;
+ ')
+
+ ps_process_pattern(rtkit_daemon_t, $1)
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+')
diff --git a/rtkit.te b/rtkit.te
new file mode 100644
index 0000000..6f8e268
--- /dev/null
+++ b/rtkit.te
@@ -0,0 +1,35 @@
+policy_module(rtkit, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type rtkit_daemon_t;
+type rtkit_daemon_exec_t;
+dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
+
+########################################
+#
+# rtkit_daemon local policy
+#
+
+allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
+allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
+
+kernel_read_system_state(rtkit_daemon_t)
+
+domain_getsched_all_domains(rtkit_daemon_t)
+domain_read_all_domains_state(rtkit_daemon_t)
+
+fs_rw_anon_inodefs_files(rtkit_daemon_t)
+
+auth_use_nsswitch(rtkit_daemon_t)
+
+logging_send_syslog_msg(rtkit_daemon_t)
+
+miscfiles_read_localization(rtkit_daemon_t)
+
+optional_policy(`
+ policykit_dbus_chat(rtkit_daemon_t)
+')
diff --git a/rwho.fc b/rwho.fc
new file mode 100644
index 0000000..bc048ce
--- /dev/null
+++ b/rwho.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0)
+
+/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
+
+/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
+
+/var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0)
diff --git a/rwho.if b/rwho.if
new file mode 100644
index 0000000..71ea0ea
--- /dev/null
+++ b/rwho.if
@@ -0,0 +1,154 @@
+## Who is logged in on other machines?
+
+########################################
+##
+## Execute a domain transition to run rwho.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rwho_domtrans',`
+ gen_require(`
+ type rwho_t, rwho_exec_t;
+ ')
+
+ domtrans_pattern($1, rwho_exec_t, rwho_t)
+')
+
+########################################
+##
+## Search rwho log directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rwho_search_log',`
+ gen_require(`
+ type rwho_log_t;
+ ')
+
+ allow $1 rwho_log_t:dir search_dir_perms;
+ logging_search_logs($1)
+')
+
+########################################
+##
+## Read rwho log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rwho_read_log_files',`
+ gen_require(`
+ type rwho_log_t;
+ ')
+
+ allow $1 rwho_log_t:file read_file_perms;
+ allow $1 rwho_log_t:dir list_dir_perms;
+ logging_search_logs($1)
+')
+
+########################################
+##
+## Search rwho spool directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rwho_search_spool',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ allow $1 rwho_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+##
+## Read rwho spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rwho_read_spool_files',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ read_files_pattern($1, rwho_spool_t, rwho_spool_t)
+ files_search_spool($1)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## rwho spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rwho_manage_spool_files',`
+ gen_require(`
+ type rwho_spool_t;
+ ')
+
+ manage_files_pattern($1, rwho_spool_t, rwho_spool_t)
+ files_search_spool($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an rwho environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role allowed access.
+##
+##
+##
+#
+interface(`rwho_admin',`
+ gen_require(`
+ type rwho_t, rwho_log_t, rwho_spool_t;
+ type rwho_initrc_exec_t;
+ ')
+
+ allow $1 rwho_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rwho_t)
+
+ init_labeled_script_domtrans($1, rwho_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 rwho_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, rwho_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, rwho_spool_t)
+')
diff --git a/rwho.te b/rwho.te
new file mode 100644
index 0000000..a07b2f4
--- /dev/null
+++ b/rwho.te
@@ -0,0 +1,60 @@
+policy_module(rwho, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type rwho_t;
+type rwho_exec_t;
+init_daemon_domain(rwho_t, rwho_exec_t)
+
+type rwho_initrc_exec_t;
+init_script_file(rwho_initrc_exec_t)
+
+type rwho_log_t;
+files_type(rwho_log_t)
+
+type rwho_spool_t;
+files_type(rwho_spool_t)
+
+########################################
+#
+# rwho local policy
+#
+
+allow rwho_t self:capability sys_chroot;
+allow rwho_t self:unix_dgram_socket create;
+allow rwho_t self:fifo_file rw_file_perms;
+allow rwho_t self:unix_stream_socket create_stream_socket_perms;
+allow rwho_t self:udp_socket create_socket_perms;
+
+allow rwho_t rwho_log_t:dir manage_dir_perms;
+allow rwho_t rwho_log_t:file manage_file_perms;
+logging_log_filetrans(rwho_t, rwho_log_t, { file dir })
+
+allow rwho_t rwho_spool_t:dir manage_dir_perms;
+allow rwho_t rwho_spool_t:file manage_file_perms;
+files_spool_filetrans(rwho_t, rwho_spool_t, { file dir })
+
+kernel_read_system_state(rwho_t)
+
+corenet_all_recvfrom_unlabeled(rwho_t)
+corenet_all_recvfrom_netlabel(rwho_t)
+corenet_udp_sendrecv_generic_if(rwho_t)
+corenet_udp_sendrecv_generic_node(rwho_t)
+corenet_udp_sendrecv_all_ports(rwho_t)
+corenet_udp_bind_generic_node(rwho_t)
+corenet_udp_bind_rwho_port(rwho_t)
+corenet_sendrecv_rwho_server_packets(rwho_t)
+
+domain_use_interactive_fds(rwho_t)
+
+files_read_etc_files(rwho_t)
+
+init_read_utmp(rwho_t)
+init_dontaudit_write_utmp(rwho_t)
+
+miscfiles_read_localization(rwho_t)
+
+sysnet_dns_name_resolve(rwho_t)
diff --git a/samba.fc b/samba.fc
new file mode 100644
index 0000000..69a6074
--- /dev/null
+++ b/samba.fc
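Review bot: `rwho_log_t` and `rwho_spool_t` are declared with plain `files_type`, yet rwho.fc places them under /var/log and /var/spool and this policy creates them there via `logging_log_filetrans` and `files_spool_filetrans`; rsync.te in the same diff uses `logging_log_file(rsync_log_t)` for the equivalent type. Declare them as `logging_log_file(rwho_log_t)` and, if your refpolicy provides it, `files_spool_file(rwho_spool_t)` so the types carry the log/spool attributes that generic logging and spool interfaces key on, rather than being invisible to them. Also `allow rwho_t self:fifo_file rw_file_perms;` should be `rw_fifo_file_perms` to match every other module in this diff.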
@@ -0,0 +1,53 @@
+
+#
+# /etc
+#
+/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+
+/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
+/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
+/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
+/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
+
+#
+# /var
+#
+/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+
+/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+
+/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
diff --git a/samba.if b/samba.if
new file mode 100644
index 0000000..82cb169
--- /dev/null
+++ b/samba.if
@@ -0,0 +1,730 @@
+##
+## SMB and CIFS client/server programs for UNIX and
+## name Service Switch daemon for resolving names
+## from Windows NT servers.
+##
+
+########################################
+##
+## Execute nmbd net in the nmbd_t domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`samba_domtrans_nmbd',`
+ gen_require(`
+ type nmbd_t, nmbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nmbd_exec_t, nmbd_t)
+')
+
+#######################################
+##
+## Allow domain to signal samba
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_signal_nmbd',`
+ gen_require(`
+ type nmbd_t;
+ ')
+ allow $1 nmbd_t:process signal;
+')
+
+########################################
+##
+## Execute samba server in the samba domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`samba_initrc_domtrans',`
+ gen_require(`
+ type samba_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
+')
+
+########################################
+##
+## Execute samba net in the samba_net domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`samba_domtrans_net',`
+ gen_require(`
+ type samba_net_t, samba_net_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, samba_net_exec_t, samba_net_t)
+')
+
+########################################
+##
+## Execute samba net in the samba_net domain, and
+## allow the specified role the samba_net domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`samba_run_net',`
+ gen_require(`
+ type samba_net_t;
+ ')
+
+ samba_domtrans_net($1)
+ role $2 types samba_net_t;
+')
+
+########################################
+##
+## Execute smbmount in the smbmount domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`samba_domtrans_smbmount',`
+ gen_require(`
+ type smbmount_t, smbmount_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, smbmount_exec_t, smbmount_t)
+')
+
+########################################
+##
+## Execute smbmount interactively and do
+## a domain transition to the smbmount domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`samba_run_smbmount',`
+ gen_require(`
+ type smbmount_t;
+ ')
+
+ samba_domtrans_smbmount($1)
+ role $2 types smbmount_t;
+')
+
+########################################
+##
+## Allow the specified domain to read
+## samba configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`samba_read_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+##
+## Allow the specified domain to read
+## and write samba configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`samba_rw_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ rw_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+##
+## Allow the specified domain to read
+## and write samba configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`samba_manage_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
+ manage_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+##
+## Allow the specified domain to read samba's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`samba_read_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 samba_log_t:dir list_dir_perms;
+ read_files_pattern($1, samba_log_t, samba_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to append to samba's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`samba_append_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 samba_log_t:dir list_dir_perms;
+ allow $1 samba_log_t:file append_file_perms;
+')
+
+########################################
+##
+## Execute samba log in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_exec_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ can_exec($1, samba_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to read samba's secrets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_read_secrets',`
+ gen_require(`
+ type samba_secrets_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 samba_secrets_t:file read_file_perms;
+')
+
+########################################
+##
+## Allow the specified domain to read samba's shares
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_read_share_files',`
+ gen_require(`
+ type samba_share_t;
+ ')
+
+ allow $1 samba_share_t:filesystem getattr;
+ read_files_pattern($1, samba_share_t, samba_share_t)
+')
+
+########################################
+##
+## Allow the specified domain to search
+## samba /var directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_search_var',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Allow the specified domain to
+## read samba /var files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_read_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ read_files_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+##
+## Do not audit attempts to write samba
+## /var files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`samba_dontaudit_write_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ dontaudit $1 samba_var_t:file write;
+')
+
+########################################
+##
+## Allow the specified domain to
+## read and write samba /var files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_rw_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ rw_files_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+##
+## Allow the specified domain to
+## read and write samba /var files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_manage_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ manage_files_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+##
+## Execute a domain transition to run smbcontrol.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`samba_domtrans_smbcontrol',`
+ gen_require(`
+ type smbcontrol_t;
+ type smbcontrol_exec_t;
+ ')
+
+ domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
+')
+
+########################################
+##
+## Execute smbcontrol in the smbcontrol domain, and
+## allow the specified role the smbcontrol domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`samba_run_smbcontrol',`
+ gen_require(`
+ type smbcontrol_t;
+ ')
+
+ samba_domtrans_smbcontrol($1)
+ role $2 types smbcontrol_t;
+')
+
+########################################
+##
+## Execute smbd in the smbd_t domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`samba_domtrans_smbd',`
+ gen_require(`
+ type smbd_t, smbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, smbd_exec_t, smbd_t)
+')
+
+######################################
+##
+## Allow domain to signal samba
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_signal_smbd',`
+ gen_require(`
+ type smbd_t;
+ ')
+ allow $1 smbd_t:process signal;
+')
+
+########################################
+##
+## Do not audit attempts to use file descriptors from samba.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`samba_dontaudit_use_fds',`
+ gen_require(`
+ type smbd_t;
+ ')
+
+ dontaudit $1 smbd_t:fd use;
+')
+
+########################################
+##
+## Allow the specified domain to write to smbmount tcp sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_write_smbmount_tcp_sockets',`
+ gen_require(`
+ type smbmount_t;
+ ')
+
+ allow $1 smbmount_t:tcp_socket write;
+')
+
+########################################
+##
+## Allow the specified domain to read and write to smbmount tcp sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_rw_smbmount_tcp_sockets',`
+ gen_require(`
+ type smbmount_t;
+ ')
+
+ allow $1 smbmount_t:tcp_socket { read write };
+')
+
+########################################
+##
+## Execute winbind_helper in the winbind_helper domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`samba_domtrans_winbind_helper',`
+ gen_require(`
+ type winbind_helper_t, winbind_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+')
+
+########################################
+##
+## Execute winbind_helper in the winbind_helper domain, and
+## allow the specified role the winbind_helper domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`samba_run_winbind_helper',`
+ gen_require(`
+ type winbind_helper_t;
+ ')
+
+ samba_domtrans_winbind_helper($1)
+ role $2 types winbind_helper_t;
+')
+
+########################################
+##
+## Allow the specified domain to read the winbind pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_read_winbind_pid',`
+ gen_require(`
+ type winbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 winbind_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Connect to winbind.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_stream_connect_winbind',`
+ gen_require(`
+ type samba_var_t, winbind_t, winbind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
+
+ ifndef(`distro_redhat',`
+ gen_require(`
+ type winbind_tmp_t;
+ ')
+
+ # the default for the socket is (poorly named):
+ # /tmp/.winbindd/pipe
+ files_search_tmp($1)
+ stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
+ ')
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an samba environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the samba domain.
+##
+##
+##
+#
+interface(`samba_admin',`
+ gen_require(`
+ type nmbd_t, nmbd_var_run_t;
+ type smbd_t, smbd_tmp_t;
+ type smbd_var_run_t;
+ type smbd_spool_t;
+
+ type samba_log_t, samba_var_t;
+ type samba_etc_t, samba_share_t;
+ type samba_secrets_t;
+
+ type swat_var_run_t, swat_tmp_t;
+
+ type winbind_var_run_t, winbind_tmp_t;
+ type winbind_log_t;
+
+ type samba_initrc_exec_t;
+ ')
+
+ allow $1 smbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, smbd_t)
+
+ allow $1 nmbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nmbd_t)
+
+ samba_run_smbcontrol($1, $2, $3)
+ samba_run_winbind_helper($1, $2, $3)
+ samba_run_smbmount($1, $2, $3)
+ samba_run_net($1, $2, $3)
+
+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 samba_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, nmbd_var_run_t)
+
+ admin_pattern($1, samba_etc_t)
+ files_list_etc($1)
+
+ admin_pattern($1, samba_log_t)
+ logging_list_logs($1)
+
+ admin_pattern($1, samba_secrets_t)
+
+ admin_pattern($1, samba_share_t)
+
+ admin_pattern($1, samba_var_t)
+ files_list_var($1)
+
+ admin_pattern($1, smbd_spool_t)
+ files_list_spool($1)
+
+ admin_pattern($1, smbd_var_run_t)
+ files_list_pids($1)
+
+ admin_pattern($1, smbd_tmp_t)
+ files_list_tmp($1)
+
+ admin_pattern($1, swat_var_run_t)
+
+ admin_pattern($1, swat_tmp_t)
+
+ admin_pattern($1, winbind_log_t)
+
+ admin_pattern($1, winbind_tmp_t)
+
+ admin_pattern($1, winbind_var_run_t)
+')
diff --git a/samba.te b/samba.te
new file mode 100644
index 0000000..fff6675
--- /dev/null
+++ b/samba.te
@@ -0,0 +1,939 @@
+policy_module(samba, 1.14.0)
+
+#################################
+#
+# Declarations
+#
+
+##
+##
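Review bot: `samba_admin` requires `type smbd_spool_t`, but the declarations block of samba.te in this same commit declares no such type, and samba.fc labels /var/spool/samba as samba_var_t; unless smbd_spool_t is declared further down in samba.te, every module that calls samba_admin will fail to build on the unresolved type. Either declare it (`type smbd_spool_t;` with `files_type(smbd_spool_t)` and a samba.fc entry for the spool directory) or drop the require together with the `admin_pattern($1, smbd_spool_t)` and `files_list_spool($1)` lines. Separately, `samba_read_secrets` grants `files_search_etc($1)` and `read_file_perms` on samba_secrets_t but no search permission on the samba_etc_t directory that holds those files according to samba.fc, so a caller that has not also been given samba_read_config cannot reach the secrets; adding samba_etc_t to its gen_require and `allow $1 samba_etc_t:dir search_dir_perms;` would make the interface self-contained. The summaries of `samba_manage_config` and `samba_manage_var_files` are copies of the rw_ variants and should state that the domain may also create and delete the files.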

+## Allow samba to modify public files used for public file
+## transfer services. Files/Directories must be labeled
+## public_content_rw_t.
+##

+##
+gen_tunable(allow_smbd_anon_write, false)
+
+##
+##

+## Allow samba to create new home directories (e.g. via PAM)
+##

+##
+gen_tunable(samba_create_home_dirs, false)
+
+##
+##

+## Allow samba to act as the domain controller, add users,
+## groups and change passwords.
+##
+##

+##
+gen_tunable(samba_domain_controller, false)
+
+##
+##

+## Allow samba to share users home directories.
+##

+##
+gen_tunable(samba_enable_home_dirs, false)
+
+##
+##

+## Allow samba to share any file/directory read only.
+##

+##
+gen_tunable(samba_export_all_ro, false)
+
+##
+##

+## Allow samba to share any file/directory read/write.
+##

+##
+gen_tunable(samba_export_all_rw, false)
+
+##
+##

+## Allow samba to run unconfined scripts
+##

+##
+gen_tunable(samba_run_unconfined, false)
+
+##
+##

+## Allow samba to export NFS volumes.
+##

+##
+gen_tunable(samba_share_nfs, false)
+
+##
+##

+## Allow samba to export ntfs/fusefs volumes.
+##

+##
+gen_tunable(samba_share_fusefs, false)
+
+type nmbd_t;
+type nmbd_exec_t;
+init_daemon_domain(nmbd_t, nmbd_exec_t)
+
+type nmbd_var_run_t;
+files_pid_file(nmbd_var_run_t)
+
+type samba_etc_t;
+files_config_file(samba_etc_t)
+
+type samba_initrc_exec_t;
+init_script_file(samba_initrc_exec_t)
+
+type samba_log_t;
+logging_log_file(samba_log_t)
+
+type samba_net_t;
+type samba_net_exec_t;
+application_domain(samba_net_t, samba_net_exec_t)
+role system_r types samba_net_t;
+
+type samba_net_tmp_t;
+files_tmp_file(samba_net_tmp_t)
+
+type samba_secrets_t;
+files_type(samba_secrets_t)
+
+type samba_share_t; # customizable
+files_type(samba_share_t)
+
+type samba_var_t;
+files_type(samba_var_t)
+
+type smbcontrol_t;
+type smbcontrol_exec_t;
+application_domain(smbcontrol_t, smbcontrol_exec_t)
+role system_r types smbcontrol_t;
+
+type smbd_t;
+type smbd_exec_t;
+init_daemon_domain(smbd_t, smbd_exec_t)
+
+type smbd_tmp_t;
+files_tmp_file(smbd_tmp_t)
+
+type smbd_var_run_t;
+files_pid_file(smbd_var_run_t)
+
+type smbmount_t;
+domain_type(smbmount_t)
+
+type smbmount_exec_t;
+domain_entry_file(smbmount_t, smbmount_exec_t)
+
+type swat_t;
+type swat_exec_t;
+domain_type(swat_t)
+domain_entry_file(swat_t, swat_exec_t)
+role system_r types swat_t;
+
+type swat_tmp_t;
+files_tmp_file(swat_tmp_t)
+
+type swat_var_run_t;
+files_pid_file(swat_var_run_t)
+
+type winbind_t;
+type winbind_exec_t;
+init_daemon_domain(winbind_t, winbind_exec_t)
+
+type winbind_helper_t;
+domain_type(winbind_helper_t)
+role system_r types winbind_helper_t;
+
+type winbind_helper_exec_t;
+domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+
+type winbind_log_t;
+logging_log_file(winbind_log_t)
+
+type winbind_tmp_t;
+files_tmp_file(winbind_tmp_t)
+
+type winbind_var_run_t;
+files_pid_file(winbind_var_run_t)
+
+########################################
+#
+# Samba net local policy
+#
+allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
+allow samba_net_t self:process { getsched setsched };
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+allow samba_net_t self:udp_socket create_socket_perms;
+allow samba_net_t self:tcp_socket create_socket_perms;
+
+allow samba_net_t samba_etc_t:file read_file_perms;
+
+manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
+filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
+
+manage_dirs_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
+manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
+files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
+
+manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
+manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+
+kernel_read_proc_symlinks(samba_net_t)
+kernel_read_system_state(samba_net_t)
+
+corenet_all_recvfrom_unlabeled(samba_net_t)
+corenet_all_recvfrom_netlabel(samba_net_t)
+corenet_tcp_sendrecv_generic_if(samba_net_t)
+corenet_udp_sendrecv_generic_if(samba_net_t)
+corenet_raw_sendrecv_generic_if(samba_net_t)
+corenet_tcp_sendrecv_generic_node(samba_net_t)
+corenet_udp_sendrecv_generic_node(samba_net_t)
+corenet_raw_sendrecv_generic_node(samba_net_t)
+corenet_tcp_sendrecv_all_ports(samba_net_t)
+corenet_udp_sendrecv_all_ports(samba_net_t)
+corenet_tcp_bind_generic_node(samba_net_t)
+corenet_udp_bind_generic_node(samba_net_t)
+corenet_tcp_connect_smbd_port(samba_net_t)
+
+dev_read_urand(samba_net_t)
+
+domain_use_interactive_fds(samba_net_t)
+
+files_read_etc_files(samba_net_t)
+files_read_usr_symlinks(samba_net_t)
+
+auth_use_nsswitch(samba_net_t)
+auth_manage_cache(samba_net_t)
+
+logging_send_syslog_msg(samba_net_t)
+
+miscfiles_read_localization(samba_net_t)
+
+samba_read_var_files(samba_net_t)
+
+userdom_use_user_terminals(samba_net_t)
+userdom_list_user_home_dirs(samba_net_t)
+
+optional_policy(`
+ pcscd_read_pub_files(samba_net_t)
+')
+
+optional_policy(`
+ kerberos_use(samba_net_t)
+')
+
+########################################
+#
+# smbd Local policy
+#
+allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
+dontaudit smbd_t self:capability sys_tty_config;
+allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow smbd_t self:process setrlimit;
+allow smbd_t self:fd use;
+allow smbd_t self:fifo_file rw_fifo_file_perms;
+allow smbd_t self:msg { send receive };
+allow smbd_t self:msgq create_msgq_perms;
+allow smbd_t self:sem create_sem_perms;
+allow smbd_t self:shm create_shm_perms;
+allow smbd_t self:sock_file read_sock_file_perms;
+allow smbd_t self:tcp_socket create_stream_socket_perms;
+allow smbd_t self:udp_socket create_socket_perms;
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow smbd_t nmbd_t:process { signal signull };
+
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+
+allow smbd_t samba_etc_t:file { rw_file_perms setattr };
+
+manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
+manage_files_pattern(smbd_t, samba_log_t, samba_log_t)
+
+allow smbd_t samba_net_tmp_t:file getattr;
+
+manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t)
+filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+
+manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
+allow smbd_t samba_share_t:filesystem getattr;
+
+manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
+manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
+
+allow smbd_t smbcontrol_t:process { signal signull };
+
+manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
+manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
+files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+
+manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+files_pid_filetrans(smbd_t, smbd_var_run_t, file)
+
+allow smbd_t swat_t:process signal;
+
+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
+
+allow smbd_t winbind_t:process { signal signull };
+
+kernel_getattr_core_if(smbd_t)
+kernel_getattr_message_if(smbd_t)
+kernel_read_network_state(smbd_t)
+kernel_read_fs_sysctls(smbd_t)
+kernel_read_kernel_sysctls(smbd_t)
+kernel_read_software_raid_state(smbd_t)
+kernel_read_system_state(smbd_t)
+
+corecmd_exec_shell(smbd_t)
+corecmd_exec_bin(smbd_t)
+
+corenet_all_recvfrom_unlabeled(smbd_t)
+corenet_all_recvfrom_netlabel(smbd_t)
+corenet_tcp_sendrecv_generic_if(smbd_t)
+corenet_udp_sendrecv_generic_if(smbd_t)
+corenet_raw_sendrecv_generic_if(smbd_t)
+corenet_tcp_sendrecv_generic_node(smbd_t)
+corenet_udp_sendrecv_generic_node(smbd_t)
+corenet_raw_sendrecv_generic_node(smbd_t)
+corenet_tcp_sendrecv_all_ports(smbd_t)
+corenet_udp_sendrecv_all_ports(smbd_t)
+corenet_tcp_bind_generic_node(smbd_t)
+corenet_udp_bind_generic_node(smbd_t)
+corenet_tcp_bind_smbd_port(smbd_t)
+corenet_tcp_connect_ipp_port(smbd_t)
+corenet_tcp_connect_smbd_port(smbd_t)
+
+dev_read_sysfs(smbd_t)
+dev_read_urand(smbd_t)
+dev_getattr_mtrr_dev(smbd_t)
+dev_dontaudit_getattr_usbfs_dirs(smbd_t)
+# For redhat bug 566984
+dev_getattr_all_blk_files(smbd_t)
+dev_getattr_all_chr_files(smbd_t)
+
+fs_getattr_all_fs(smbd_t)
+fs_get_xattr_fs_quotas(smbd_t)
+fs_search_auto_mountpoints(smbd_t)
+fs_getattr_rpc_dirs(smbd_t)
+fs_list_inotifyfs(smbd_t)
+
+auth_use_nsswitch(smbd_t)
+auth_domtrans_chk_passwd(smbd_t)
+auth_domtrans_upd_passwd(smbd_t)
+auth_manage_cache(smbd_t)
+
+domain_use_interactive_fds(smbd_t)
+domain_dontaudit_list_all_domains_state(smbd_t)
+
+files_list_var_lib(smbd_t)
+files_read_etc_files(smbd_t)
+files_read_etc_runtime_files(smbd_t)
+files_read_usr_files(smbd_t)
+files_search_spool(smbd_t)
+# smbd seems to getattr all mountpoints
+files_dontaudit_getattr_all_dirs(smbd_t)
+# Allow samba to list mnt_t for potential mounted dirs
+files_list_mnt(smbd_t)
+
+init_rw_utmp(smbd_t)
+
+logging_search_logs(smbd_t)
+logging_send_syslog_msg(smbd_t)
+
+miscfiles_read_localization(smbd_t)
+miscfiles_read_public_files(smbd_t)
+
+userdom_use_unpriv_users_fds(smbd_t)
+userdom_search_user_home_content(smbd_t)
+userdom_signal_all_users(smbd_t)
+
+usermanage_read_crack_db(smbd_t)
+
+term_use_ptmx(smbd_t)
+
+ifdef(`hide_broken_symptoms', `
+ files_dontaudit_getattr_default_dirs(smbd_t)
+ files_dontaudit_getattr_boot_dirs(smbd_t)
+ fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
+')
+
+tunable_policy(`allow_smbd_anon_write',`
+ miscfiles_manage_public_files(smbd_t)
+')
+
+tunable_policy(`samba_domain_controller',`
+ gen_require(`
+ class passwd passwd;
+ ')
+
+ usermanage_domtrans_passwd(smbd_t)
+ usermanage_kill_passwd(smbd_t)
+ usermanage_domtrans_useradd(smbd_t)
+ usermanage_domtrans_groupadd(smbd_t)
+ allow smbd_t self:passwd passwd;
+')
+
+tunable_policy(`samba_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(smbd_t)
+ userdom_manage_user_home_content_files(smbd_t)
+ userdom_manage_user_home_content_symlinks(smbd_t)
+ userdom_manage_user_home_content_sockets(smbd_t)
+ userdom_manage_user_home_content_pipes(smbd_t)
+ userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+')
+
+# Support Samba sharing of NFS mount points
+tunable_policy(`samba_share_nfs',`
+ fs_manage_nfs_dirs(smbd_t)
+ fs_manage_nfs_files(smbd_t)
+ fs_manage_nfs_symlinks(smbd_t)
+ fs_manage_nfs_named_pipes(smbd_t)
+ fs_manage_nfs_named_sockets(smbd_t)
+')
+
+# Support Samba sharing of ntfs/fusefs mount points
+tunable_policy(`samba_share_fusefs',`
+ fs_manage_fusefs_dirs(smbd_t)
+ fs_manage_fusefs_files(smbd_t)
+',`
+ fs_search_fusefs(smbd_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(smbd_t)
+ cups_stream_connect(smbd_t)
+')
+
+optional_policy(`
+ kerberos_use(smbd_t)
+ kerberos_keytab_template(smbd, smbd_t)
+')
+
+optional_policy(`
+ lpd_exec_lpr(smbd_t)
+')
+
+optional_policy(`
+ qemu_manage_tmp_dirs(smbd_t)
+ qemu_manage_tmp_files(smbd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(smbd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(smbd_t)
+')
+
+optional_policy(`
+ udev_read_db(smbd_t)
+')
+
+tunable_policy(`samba_create_home_dirs',`
+ allow smbd_t self:capability chown;
+ userdom_create_user_home_dirs(smbd_t)
+ userdom_home_filetrans_user_home_dir(smbd_t)
+')
+
+tunable_policy(`samba_export_all_ro',`
+ fs_read_noxattr_fs_files(smbd_t)
+ auth_read_all_dirs_except_auth_files(smbd_t)
+ auth_read_all_files_except_auth_files(smbd_t)
+ fs_read_noxattr_fs_files(nmbd_t)
+ auth_read_all_dirs_except_auth_files(nmbd_t)
+ auth_read_all_files_except_auth_files(nmbd_t)
+')
+
+tunable_policy(`samba_export_all_rw',`
+ fs_read_noxattr_fs_files(smbd_t)
+ auth_manage_all_files_except_auth_files(smbd_t)
+ fs_read_noxattr_fs_files(nmbd_t)
+ auth_manage_all_files_except_auth_files(nmbd_t)
+ userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
+')
+
+########################################
+#
+# nmbd Local policy
+#
+
+dontaudit nmbd_t self:capability sys_tty_config;
+allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow nmbd_t self:fd use;
+allow nmbd_t self:fifo_file rw_fifo_file_perms;
+allow nmbd_t self:msg { send receive };
+allow nmbd_t self:msgq create_msgq_perms;
+allow nmbd_t self:sem create_sem_perms;
+allow nmbd_t self:shm create_shm_perms;
+allow nmbd_t self:sock_file read_sock_file_perms;
+allow nmbd_t self:tcp_socket create_stream_socket_perms;
+allow nmbd_t self:udp_socket create_socket_perms;
+allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
+files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
+
+read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+
+manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
+manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+
+manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+
+allow nmbd_t smbcontrol_t:process signal;
+
+allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+
+kernel_getattr_core_if(nmbd_t)
+kernel_getattr_message_if(nmbd_t)
+kernel_read_kernel_sysctls(nmbd_t)
+kernel_read_network_state(nmbd_t)
+kernel_read_software_raid_state(nmbd_t)
+kernel_read_system_state(nmbd_t)
+
+corenet_all_recvfrom_unlabeled(nmbd_t)
+corenet_all_recvfrom_netlabel(nmbd_t)
+corenet_tcp_sendrecv_generic_if(nmbd_t)
+corenet_udp_sendrecv_generic_if(nmbd_t)
+corenet_tcp_sendrecv_generic_node(nmbd_t)
+corenet_udp_sendrecv_generic_node(nmbd_t)
+corenet_tcp_sendrecv_all_ports(nmbd_t)
+corenet_udp_sendrecv_all_ports(nmbd_t)
+corenet_udp_bind_generic_node(nmbd_t)
+corenet_udp_bind_nmbd_port(nmbd_t)
+corenet_sendrecv_nmbd_server_packets(nmbd_t)
+corenet_sendrecv_nmbd_client_packets(nmbd_t)
+corenet_tcp_connect_smbd_port(nmbd_t)
+
+dev_read_sysfs(nmbd_t)
+dev_getattr_mtrr_dev(nmbd_t)
+
+fs_getattr_all_fs(nmbd_t)
+fs_search_auto_mountpoints(nmbd_t)
+
+domain_use_interactive_fds(nmbd_t)
+
+files_read_usr_files(nmbd_t)
+files_read_etc_files(nmbd_t)
+files_list_var_lib(nmbd_t)
+
+auth_use_nsswitch(nmbd_t)
+
+logging_search_logs(nmbd_t)
+logging_send_syslog_msg(nmbd_t)
+
+miscfiles_read_localization(nmbd_t)
+
+userdom_use_unpriv_users_fds(nmbd_t)
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(nmbd_t)
+')
+
+optional_policy(`
+ udev_read_db(nmbd_t)
+')
+
+########################################
+#
+# smbcontrol local policy
+#
+
+# internal communication is often done using fifo and unix sockets.
+allow smbcontrol_t self:fifo_file rw_file_perms;
+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+
+allow smbcontrol_t nmbd_t:process { signal signull };
+
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
+
+allow smbcontrol_t smbd_t:process signal;
+
+allow smbcontrol_t winbind_t:process { signal signull };
+
+samba_read_config(smbcontrol_t)
+samba_rw_var_files(smbcontrol_t)
+samba_search_var(smbcontrol_t)
+samba_read_winbind_pid(smbcontrol_t)
+
+domain_use_interactive_fds(smbcontrol_t)
+
+files_read_etc_files(smbcontrol_t)
+
+miscfiles_read_localization(smbcontrol_t)
+
+userdom_use_user_terminals(smbcontrol_t)
+
+########################################
+#
+# smbmount Local policy
+#
+
+allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
+allow smbmount_t self:process { fork signal_perms };
+allow smbmount_t self:tcp_socket create_stream_socket_perms;
+allow smbmount_t self:udp_socket connect;
+allow smbmount_t self:unix_dgram_socket create_socket_perms;
+allow smbmount_t self:unix_stream_socket create_socket_perms;
+
+allow smbmount_t samba_etc_t:dir list_dir_perms;
+allow smbmount_t samba_etc_t:file read_file_perms;
+
+can_exec(smbmount_t, smbmount_exec_t)
+
+allow smbmount_t samba_log_t:dir list_dir_perms;
+allow smbmount_t samba_log_t:file manage_file_perms;
+
+allow smbmount_t samba_secrets_t:file manage_file_perms;
+
+manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+files_list_var_lib(smbmount_t)
+
+kernel_read_system_state(smbmount_t)
+
+corenet_all_recvfrom_unlabeled(smbmount_t)
+corenet_all_recvfrom_netlabel(smbmount_t)
+corenet_tcp_sendrecv_generic_if(smbmount_t)
+corenet_raw_sendrecv_generic_if(smbmount_t)
+corenet_udp_sendrecv_generic_if(smbmount_t)
+corenet_tcp_sendrecv_generic_node(smbmount_t)
+corenet_raw_sendrecv_generic_node(smbmount_t)
+corenet_udp_sendrecv_generic_node(smbmount_t)
+corenet_tcp_sendrecv_all_ports(smbmount_t)
+corenet_udp_sendrecv_all_ports(smbmount_t)
+corenet_tcp_bind_generic_node(smbmount_t)
+corenet_udp_bind_generic_node(smbmount_t)
+corenet_tcp_connect_all_ports(smbmount_t)
+
+fs_getattr_cifs(smbmount_t)
+fs_mount_cifs(smbmount_t)
+fs_remount_cifs(smbmount_t)
+fs_unmount_cifs(smbmount_t)
+fs_list_cifs(smbmount_t)
+fs_read_cifs_files(smbmount_t)
+
+storage_raw_read_fixed_disk(smbmount_t)
+storage_raw_write_fixed_disk(smbmount_t)
+
+corecmd_list_bin(smbmount_t)
+
+files_list_mnt(smbmount_t)
+files_mounton_mnt(smbmount_t)
+files_manage_etc_runtime_files(smbmount_t)
+files_etc_filetrans_etc_runtime(smbmount_t, file)
+files_read_etc_files(smbmount_t)
+
+auth_use_nsswitch(smbmount_t)
+
+miscfiles_read_localization(smbmount_t)
+
+mount_use_fds(smbmount_t)
+
+locallogin_use_fds(smbmount_t)
+
+logging_search_logs(smbmount_t)
+
+userdom_use_user_terminals(smbmount_t)
+userdom_use_all_users_fds(smbmount_t)
+
+optional_policy(`
+ cups_read_rw_config(smbmount_t)
+')
+
+########################################
+#
+# SWAT Local policy
+#
+
+allow swat_t self:capability { dac_override setuid setgid sys_resource };
+allow swat_t self:process { setrlimit signal_perms };
+allow swat_t self:fifo_file rw_fifo_file_perms;
+allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow swat_t self:tcp_socket create_stream_socket_perms;
+allow swat_t self:udp_socket create_socket_perms;
+allow swat_t self:unix_stream_socket connectto;
+
+samba_domtrans_smbd(swat_t)
+allow swat_t smbd_t:process { signal signull };
+
+samba_domtrans_nmbd(swat_t)
+allow swat_t nmbd_t:process { signal signull };
+allow nmbd_t swat_t:process signal;
+
+allow swat_t smbd_var_run_t:file { lock unlink };
+
+allow swat_t smbd_port_t:tcp_socket name_bind;
+
+allow swat_t nmbd_port_t:udp_socket name_bind;
+
+rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
+
+manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
+manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+
+manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
+
+manage_files_pattern(swat_t, samba_var_t, samba_var_t)
+
+allow swat_t smbd_exec_t:file mmap_file_perms ;
+
+allow swat_t smbd_t:process signull;
+
+allow swat_t smbd_var_run_t:file read_file_perms;
+
+manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+
+manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
+files_pid_filetrans(swat_t, swat_var_run_t, file)
+
+allow swat_t winbind_exec_t:file mmap_file_perms;
+domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
+allow swat_t winbind_t:process { signal signull };
+
+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+allow swat_t winbind_var_run_t:sock_file { create unlink };
+
+kernel_read_kernel_sysctls(swat_t)
+kernel_read_system_state(swat_t)
+kernel_read_network_state(swat_t)
+
+corecmd_search_bin(swat_t)
+
+corenet_all_recvfrom_unlabeled(swat_t)
+corenet_all_recvfrom_netlabel(swat_t)
+corenet_tcp_sendrecv_generic_if(swat_t)
+corenet_udp_sendrecv_generic_if(swat_t)
+corenet_raw_sendrecv_generic_if(swat_t)
+corenet_tcp_sendrecv_generic_node(swat_t)
+corenet_udp_sendrecv_generic_node(swat_t)
+corenet_raw_sendrecv_generic_node(swat_t)
+corenet_tcp_sendrecv_all_ports(swat_t)
+corenet_udp_sendrecv_all_ports(swat_t)
+corenet_tcp_connect_smbd_port(swat_t)
+corenet_tcp_connect_ipp_port(swat_t)
+corenet_sendrecv_smbd_client_packets(swat_t)
+corenet_sendrecv_ipp_client_packets(swat_t)
+
+dev_read_urand(swat_t)
+
+files_list_var_lib(swat_t)
+files_read_etc_files(swat_t)
+files_search_home(swat_t)
+files_read_usr_files(swat_t)
+fs_getattr_xattr_fs(swat_t)
+
+auth_domtrans_chk_passwd(swat_t)
+auth_use_nsswitch(swat_t)
+
+init_read_utmp(swat_t)
+init_dontaudit_write_utmp(swat_t)
+
+logging_send_syslog_msg(swat_t)
+logging_send_audit_msgs(swat_t)
+logging_search_logs(swat_t)
+
+miscfiles_read_localization(swat_t)
+
+optional_policy(`
+ cups_read_rw_config(swat_t)
+ cups_stream_connect(swat_t)
+')
+
+optional_policy(`
+ inetd_service_domain(swat_t, swat_exec_t)
+')
+
+optional_policy(`
+ kerberos_use(swat_t)
+')
+
+########################################
+#
+# Winbind local policy
+#
+
+allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+dontaudit winbind_t self:capability sys_tty_config;
+allow winbind_t self:process { signal_perms getsched setsched };
+allow winbind_t self:fifo_file rw_fifo_file_perms;
+allow winbind_t self:unix_dgram_socket create_socket_perms;
+allow winbind_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_t self:tcp_socket create_stream_socket_perms;
+allow winbind_t self:udp_socket create_socket_perms;
+
+allow winbind_t nmbd_t:process { signal signull };
+
+allow winbind_t nmbd_var_run_t:file read_file_perms;
+
+allow winbind_t samba_etc_t:dir list_dir_perms;
+read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
+
+manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
+
+manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
+manage_files_pattern(winbind_t, samba_log_t, samba_log_t)
+manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
+
+manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
+manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
+manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
+files_list_var_lib(winbind_t)
+
+rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+
+allow winbind_t winbind_log_t:file manage_file_perms;
+logging_log_filetrans(winbind_t, winbind_log_t, file)
+ +manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) +manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) +manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) +files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir }) + +manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) +manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) +files_pid_filetrans(winbind_t, winbind_var_run_t, file) + +kernel_read_kernel_sysctls(winbind_t) +kernel_read_system_state(winbind_t) + +corecmd_exec_bin(winbind_t) + +corenet_all_recvfrom_unlabeled(winbind_t) +corenet_all_recvfrom_netlabel(winbind_t) +corenet_tcp_sendrecv_generic_if(winbind_t) +corenet_udp_sendrecv_generic_if(winbind_t) +corenet_raw_sendrecv_generic_if(winbind_t) +corenet_tcp_sendrecv_generic_node(winbind_t) +corenet_udp_sendrecv_generic_node(winbind_t) +corenet_raw_sendrecv_generic_node(winbind_t) +corenet_tcp_sendrecv_all_ports(winbind_t) +corenet_udp_sendrecv_all_ports(winbind_t) +corenet_tcp_bind_generic_node(winbind_t) +corenet_udp_bind_generic_node(winbind_t) +corenet_tcp_connect_smbd_port(winbind_t) +corenet_tcp_connect_epmap_port(winbind_t) +corenet_tcp_connect_all_unreserved_ports(winbind_t) + +dev_read_sysfs(winbind_t) +dev_read_urand(winbind_t) + +fs_getattr_all_fs(winbind_t) +fs_search_auto_mountpoints(winbind_t) + +auth_domtrans_chk_passwd(winbind_t) +auth_use_nsswitch(winbind_t) +auth_manage_cache(winbind_t) + +domain_use_interactive_fds(winbind_t) + +files_read_etc_files(winbind_t) +files_read_usr_symlinks(winbind_t) + +logging_send_syslog_msg(winbind_t) + +miscfiles_read_localization(winbind_t) + +userdom_dontaudit_use_unpriv_user_fds(winbind_t) +userdom_manage_user_home_content_dirs(winbind_t) +userdom_manage_user_home_content_files(winbind_t) +userdom_manage_user_home_content_symlinks(winbind_t) +userdom_manage_user_home_content_pipes(winbind_t) +userdom_manage_user_home_content_sockets(winbind_t) 
+userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) + +optional_policy(` + kerberos_use(winbind_t) +') + +optional_policy(` + seutil_sigchld_newrole(winbind_t) +') + +optional_policy(` + udev_read_db(winbind_t) +') + +######################################## +# +# Winbind helper local policy +# + +allow winbind_helper_t self:unix_dgram_socket create_socket_perms; +allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms; + +allow winbind_helper_t samba_etc_t:dir list_dir_perms; +read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) +read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) + +allow winbind_helper_t samba_var_t:dir search_dir_perms; +files_list_var_lib(winbind_helper_t) + +allow winbind_t smbcontrol_t:process signal; + +stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t) + +term_list_ptys(winbind_helper_t) + +domain_use_interactive_fds(winbind_helper_t) + +auth_use_nsswitch(winbind_helper_t) + +logging_send_syslog_msg(winbind_helper_t) + +miscfiles_read_localization(winbind_helper_t) + +userdom_use_user_terminals(winbind_helper_t) + +optional_policy(` + apache_append_log(winbind_helper_t) +') + +optional_policy(` + squid_read_log(winbind_helper_t) + squid_append_log(winbind_helper_t) + squid_rw_stream_sockets(winbind_helper_t) +') + +######################################## +# +# samba_unconfined_script_t local policy +# + +optional_policy(` + type samba_unconfined_script_t; + type samba_unconfined_script_exec_t; + domain_type(samba_unconfined_script_t) + domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) + corecmd_shell_entry_type(samba_unconfined_script_t) + role system_r types samba_unconfined_script_t; + + allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; + allow smbd_t samba_unconfined_script_exec_t:file ioctl; + + unconfined_domain(samba_unconfined_script_t) + + 
tunable_policy(`samba_run_unconfined',`
+ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+ ')
+')
diff --git a/sambagui.fc b/sambagui.fc
new file mode 100644
index 0000000..c13d607
--- /dev/null
+++ b/sambagui.fc
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
diff --git a/sambagui.if b/sambagui.if
new file mode 100644
index 0000000..b31ed10
--- /dev/null
+++ b/sambagui.if
@@ -0,0 +1,2 @@
+## system-config-samba dbus service policy
+
diff --git a/sambagui.te b/sambagui.te
new file mode 100644
index 0000000..1898dbd
--- /dev/null
+++ b/sambagui.te
@@ -0,0 +1,61 @@
+policy_module(sambagui, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type sambagui_t;
+type sambagui_exec_t;
+dbus_system_domain(sambagui_t, sambagui_exec_t)
+
+########################################
+#
+# system-config-samba local policy
+#
+
+allow sambagui_t self:capability dac_override;
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
+allow sambagui_t self:unix_dgram_socket create_socket_perms;
+
+# read meminfo
+kernel_read_system_state(sambagui_t)
+
+# execut apps of system-config-samba
+corecmd_exec_shell(sambagui_t)
+corecmd_exec_bin(sambagui_t)
+
+dev_dontaudit_read_urand(sambagui_t)
+
+files_read_etc_files(sambagui_t)
+files_search_var_lib(sambagui_t)
+files_read_usr_files(sambagui_t)
+
+auth_use_nsswitch(sambagui_t)
+
+logging_send_syslog_msg(sambagui_t)
+
+miscfiles_read_localization(sambagui_t)
+
+optional_policy(`
+ consoletype_exec(sambagui_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(sambagui_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(sambagui_t)
+')
+
+optional_policy(`
+ # handling with samba conf files
+ samba_append_log(sambagui_t)
+ samba_manage_config(sambagui_t)
+ samba_manage_var_files(sambagui_t)
+ samba_read_secrets(sambagui_t)
+ samba_initrc_domtrans(sambagui_t)
+ samba_domtrans_smbd(sambagui_t)
+ samba_domtrans_nmbd(sambagui_t)
+')
diff --git a/samhain.fc b/samhain.fc
new file mode 100644
index 0000000..94b2f73
--- /dev/null
+++ b/samhain.fc
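Review bot: `allow sambagui_t self:capability dac_override;` at the top of the local policy section is the one rule there without a justifying comment, while its neighbours carry one (`# read meminfo`); combined with `corecmd_exec_shell(sambagui_t)` and `samba_read_secrets(sambagui_t)` it gives a dbus-activated mechanism broad file access, so a comment naming the file it cannot reach otherwise would let a later reviewer check whether `dac_read_search` is enough. The comment `# execut apps of system-config-samba` should read `# execute apps of system-config-samba`. `samba_read_secrets(sambagui_t)` sits under `# handling with samba conf files`, but the secrets it reads (presumably samba_secrets_t) are not configuration; a one-line comment stating which operation of the mechanism needs them would make the grant reviewable on its own.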
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,s0)
+
+/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
+
+/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0)
+/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,s0)
+
+/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
+
+/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
+/var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
+
+/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
diff --git a/samhain.if b/samhain.if
new file mode 100644
index 0000000..c040ebf
--- /dev/null
+++ b/samhain.if
@@ -0,0 +1,292 @@ +## Samhain - check file integrity + +####################################### +## +## The template containing the most basic rules +## common to the samhain domains. +## +## +## +## The prefix of the samhain domains(e.g., samhain +## for the domain of command line access, samhaind +## for the domain started by init script). +## +## +## +# +template(`samhain_service_template',` + gen_require(` + type etc_t, samhain_etc_t, samhain_exec_t; + type samhain_log_t, samhain_var_run_t; + ') + + type $1_t; + domain_type($1_t) + domain_entry_file($1_t, samhain_exec_t) + + allow $1_t self:capability { dac_override dac_read_search fowner ipc_lock }; + dontaudit $1_t self:capability { sys_resource sys_ptrace }; + allow $1_t self:fd use; + allow $1_t self:process { setsched setrlimit signull }; + + allow $1_t samhain_etc_t:file read_file_perms; + files_search_etc($1_t) + + manage_files_pattern($1_t, samhain_log_t, samhain_log_t) + logging_log_filetrans($1_t, samhain_log_t, file) + + manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t) + files_pid_filetrans($1_t, samhain_var_run_t, file) + + # Samhain needs to get the attribute of /proc/kcore. + kernel_getattr_core_if($1_t) + + corecmd_list_bin($1_t) + corecmd_read_bin_symlinks($1_t) + + # To get entropy + dev_read_urand($1_t) + dev_dontaudit_read_rand($1_t) + + # Get the attributes of all kinds of files in the rootfs. 
+ dev_getattr_all_blk_files($1_t) + dev_getattr_all_chr_files($1_t) + dev_getattr_generic_blk_files($1_t) + dev_getattr_generic_chr_files($1_t) + + files_getattr_all_dirs($1_t) + files_getattr_all_files($1_t) + files_getattr_all_symlinks($1_t) + files_getattr_all_pipes($1_t) + files_getattr_all_sockets($1_t) + files_getattr_all_mountpoints($1_t) + files_read_all_files($1_t) + files_read_all_symlinks($1_t) + + # Get the attribute of other filesystems mountpoint, such as /selinux + # /proc, /sys and /tmp, but not the contents inside, which suggests + # that following rules should be set in samhain configuration file: + # [Attributes] + # file = /tmp + # file = /proc + # file = /sys + # file = /selinux + # [IgnoreALL] + # dir = -1/tmp + # dir = -1/proc + # dir = -1/sys + # dir = -1/selinux + fs_getattr_all_dirs($1_t) + + # Samhain pid, log and log.lock files are all in directories of s0, + # while samhain daemon is running with the clearance level. + mls_file_write_all_levels($1_t) + + # Read from utmp when monitoring login/logout events. + auth_read_login_records($1_t) + + # Read from wtmp when monitoring login/logout events. + init_read_utmp($1_t) + + logging_send_syslog_msg($1_t) +') + +######################################## +## +## Execute samhain in the samhain domain +## +## +## +## Domain allowed to transition. +## +## +# +interface(`samhain_domtrans',` + gen_require(` + type samhain_t, samhain_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, samhain_exec_t, samhain_t) +') + +######################################## +## +## Execute samhain in the samhain domain with the clearance security +## level and allow the specifiled role the samhain domain. +## +## +##

+## Execute samhain in the samhain domain with the clearance security +## level and allow the specifiled role the samhain domain. +##

+##

+## The range_transition rule used in this interface requires that +## the calling domain should have the clearance security level +## otherwise the MLS constraint for process transition would fail. +##

+##
+## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed to access. +## +## +## +# +interface(`samhain_run',` + gen_require(` + type samhain_t, samhain_exec_t; + ') + + samhain_domtrans($1) + role $2 types samhain_t; + + ifdef(`enable_mls', ` + range_transition $1 samhain_exec_t:process mls_systemhigh; + ') +') + +######################################## +## +## Manage samhain configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`samhain_manage_config_files',` + gen_require(` + type samhain_etc_t; + ') + + files_rw_etc_dirs($1) + allow $1 samhain_etc_t:file manage_file_perms; +') + +######################################## +## +## Manage samhain database files. +## +## +## +## Domain allowed access. +## +## +# +interface(`samhain_manage_db_files',` + gen_require(` + type samhain_db_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, samhain_db_t, samhain_db_t) +') + +####################################### +## +## Manage samhain init script files +## +## +## +## Domain allowed access. +## +## +# +interface(`samhain_manage_init_script_files',` + gen_require(` + type samhain_initrc_exec_t; + ') + + files_search_etc($1) + manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t) +') + +######################################## +## +## Manage samhain log and log.lock files. +## +## +## +## Domain allowed access. +## +## +# +interface(`samhain_manage_log_files',` + gen_require(` + type samhain_log_t; + ') + + logging_search_logs($1) + manage_files_pattern($1, samhain_log_t, samhain_log_t) +') + +######################################## +## +## Manage samhain pid files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`samhain_manage_pid_files',` + gen_require(` + type samhain_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t) +') + +####################################### +## +## All of the rules required to administrate +## the samhain environment. +## +## +##

+## This interface assumes that the calling domain has been able to +## remove an entry from /var/lib/ or /var/log/ and belongs to the +## mlsfilewrite attribute, since samhain files may be of clearance +## security level while their parent directories are of s0. +##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`samhain_admin',` + gen_require(` + type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t; + type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; + ') + + allow $1 samhain_t:process { ptrace signal_perms }; + ps_process_pattern($1, samhain_t) + + allow $1 samhaind_t:process { ptrace signal_perms }; + ps_process_pattern($1, samhaind_t) + + files_list_var_lib($1) + admin_pattern($1, samhain_db_t) + + files_list_etc($1) + admin_pattern($1, samhain_etc_t) + admin_pattern($1, samhain_initrc_exec_t) + + logging_list_logs($1) + admin_pattern($1, samhain_log_t) + + files_list_pids($1) + admin_pattern($1, samhain_var_run_t) +') diff --git a/samhain.te b/samhain.te new file mode 100644 index 0000000..acd1700 --- /dev/null +++ b/samhain.te 
@@ -0,0 +1,76 @@
+policy_module(samhain, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type samhain_etc_t;
+files_config_file(samhain_etc_t)
+
+type samhain_exec_t;
+corecmd_executable_file(samhain_exec_t)
+
+type samhain_log_t;
+logging_log_file(samhain_log_t)
+
+# Filesystem signature database
+type samhain_db_t;
+files_type(samhain_db_t)
+
+type samhain_initrc_exec_t;
+init_script_file(samhain_initrc_exec_t)
+
+type samhain_var_run_t;
+files_pid_file(samhain_var_run_t)
+
+# Domain for command line access
+samhain_service_template(samhain)
+application_domain(samhain_t, samhain_exec_t)
+
+# Domain for samhain service started by samhain init script
+samhain_service_template(samhaind)
+
+ifdef(`enable_mcs',`
+ # This is system instead of daemon to work around
+ # a type transition conflict
+ init_ranged_system_domain(samhaind_t, samhain_exec_t, mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ # This is system instead of daemon to work around
+ # a type transition conflict
+ init_ranged_system_domain(samhaind_t, samhain_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Samhain local policy
+#
+
+manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
+files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
+
+domain_use_interactive_fds(samhain_t)
+
+seutil_sigchld_newrole(samhain_t)
+
+userdom_use_user_terminals(samhain_t)
+
+########################################
+#
+# Samhaind local policy
+#
+
+# Need signal_perms to send SIGABRT/SIGKILL to termiate samhain_t
+# Need signull to get the status of samhain_t
+allow samhaind_t { samhain_t self }:process signal_perms;
+
+# Only needed when starting samhain daemon from its init script.
+can_exec(samhaind_t, samhain_exec_t)
+
+read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)
+
+# init script ptys are the stdin/out/err
+# when using run_init
+init_use_script_ptys(samhaind_t)
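Review bot: The comment `# Filesystem signature database` above `type samhain_db_t;` should record the write split the rest of the file establishes: `manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)` for the command-line domain against `read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)` for the daemon, which is what keeps a compromised service from rewriting its own integrity baseline, e.g. `# Filesystem signature database: written by samhain_t only, samhaind_t reads it`. The comment `# Need signal_perms to send SIGABRT/SIGKILL to termiate samhain_t` has a typo, `terminate`. The two-line comment repeated in both `ifdef(`enable_mcs',` and `ifdef(`enable_mls',` names a type transition conflict but not its cause; one sentence on which transition collides with the daemon variant would save the next maintainer from retrying it.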
diff --git a/sasl.fc b/sasl.fc
new file mode 100644
index 0000000..7e58679
--- /dev/null
+++ b/sasl.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
+/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
diff --git a/sasl.if b/sasl.if
new file mode 100644
index 0000000..f1aea88
--- /dev/null
+++ b/sasl.if
@@ -0,0 +1,58 @@
+## SASL authentication server
+
+########################################
+##
+## Connect to SASL.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sasl_connect',`
+ gen_require(`
+ type saslauthd_t, saslauthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t, saslauthd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an sasl environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`sasl_admin',`
+ gen_require(`
+ type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
+ type saslauthd_initrc_exec_t;
+ ')
+
+ allow $1 saslauthd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, saslauthd_t)
+
+ init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 saslauthd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, saslauthd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, saslauthd_var_run_t)
+')
diff --git a/sasl.te b/sasl.te
new file mode 100644
index 0000000..9d9f8ce
--- /dev/null
+++ b/sasl.te
@@ -0,0 +1,110 @@
+policy_module(sasl, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##

+## Allow sasl to read shadow +##

+##
+gen_tunable(allow_saslauthd_read_shadow, false)
+
+type saslauthd_t;
+type saslauthd_exec_t;
+init_daemon_domain(saslauthd_t, saslauthd_exec_t)
+
+type saslauthd_initrc_exec_t;
+init_script_file(saslauthd_initrc_exec_t)
+
+type saslauthd_tmp_t;
+files_tmp_file(saslauthd_tmp_t)
+
+type saslauthd_var_run_t;
+files_pid_file(saslauthd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow saslauthd_t self:capability { setgid setuid };
+dontaudit saslauthd_t self:capability sys_tty_config;
+allow saslauthd_t self:process signal_perms;
+allow saslauthd_t self:fifo_file rw_fifo_file_perms;
+allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+allow saslauthd_t self:tcp_socket create_socket_perms;
+
+allow saslauthd_t saslauthd_tmp_t:dir setattr;
+manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
+files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
+
+manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, file)
+
+kernel_read_kernel_sysctls(saslauthd_t)
+kernel_read_system_state(saslauthd_t)
+
+corenet_all_recvfrom_unlabeled(saslauthd_t)
+corenet_all_recvfrom_netlabel(saslauthd_t)
+corenet_tcp_sendrecv_generic_if(saslauthd_t)
+corenet_tcp_sendrecv_generic_node(saslauthd_t)
+corenet_tcp_sendrecv_all_ports(saslauthd_t)
+corenet_tcp_connect_pop_port(saslauthd_t)
+corenet_sendrecv_pop_client_packets(saslauthd_t)
+
+dev_read_urand(saslauthd_t)
+
+fs_getattr_all_fs(saslauthd_t)
+fs_search_auto_mountpoints(saslauthd_t)
+
+selinux_compute_access_vector(saslauthd_t)
+
+auth_use_pam(saslauthd_t)
+
+domain_use_interactive_fds(saslauthd_t)
+
+files_read_etc_files(saslauthd_t)
+files_dontaudit_read_etc_runtime_files(saslauthd_t)
+files_search_var_lib(saslauthd_t)
+files_dontaudit_getattr_home_dir(saslauthd_t)
+files_dontaudit_getattr_tmp_dirs(saslauthd_t)
+
+init_dontaudit_stream_connect_script(saslauthd_t)
+
+logging_send_syslog_msg(saslauthd_t)
+
+miscfiles_read_localization(saslauthd_t)
+miscfiles_read_generic_certs(saslauthd_t)
+
+seutil_dontaudit_read_config(saslauthd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
+userdom_dontaudit_search_user_home_dirs(saslauthd_t)
+
+# cjp: typeattribute doesnt work in conditionals
+auth_can_read_shadow_passwords(saslauthd_t)
+tunable_policy(`allow_saslauthd_read_shadow',`
+ auth_tunable_read_shadow(saslauthd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(saslauthd, saslauthd_t)
+')
+
+optional_policy(`
+ mysql_search_db(saslauthd_t)
+ mysql_stream_connect(saslauthd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(saslauthd_t)
+')
+
+optional_policy(`
+ udev_read_db(saslauthd_t)
+')
diff --git a/screen.fc b/screen.fc
new file mode 100644
index 0000000..c8254dd
--- /dev/null
+++ b/screen.fc
@@ -0,0 +1,15 @@
+#
+# /home
+#
+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
+
+#
+# /usr
+#
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+
+#
+# /var
+#
+/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/screen.if b/screen.if
new file mode 100644
index 0000000..a57e81e
--- /dev/null
+++ b/screen.if
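Review bot: The tunable description `Allow sasl to read shadow` understates what the rules near the end of the sasl.te hunk do: `auth_can_read_shadow_passwords(saslauthd_t)` is applied unconditionally (the `# cjp: typeattribute doesnt work in conditionals` comment explains why) and only `auth_tunable_read_shadow(saslauthd_t)` sits inside `tunable_policy(`allow_saslauthd_read_shadow',`, so the daemon always carries the shadow-reader attribute and the boolean gates only the actual read. The description should say so, e.g. `Allow saslauthd to read the shadow password file directly; the domain carries the shadow-reader attribute unconditionally and this boolean enables the read`, so an administrator reviewing the default of false knows what stays in place. `selinux_compute_access_vector(saslauthd_t)` is the one rule in the local policy with neither an obvious purpose nor a comment; naming the code path that queries access decisions would let a later reviewer decide whether it is still needed.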
@@ -0,0 +1,163 @@
+## GNU terminal multiplexer
+
+#######################################
+##
+## The role template for the screen module.
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`screen_role_template',`
+ gen_require(`
+ type screen_exec_t, screen_tmp_t;
+ type screen_home_t, screen_var_run_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_screen_t;
+ application_domain($1_screen_t, screen_exec_t)
+ domain_interactive_fd($1_screen_t)
+ ubac_constrained($1_screen_t)
+ role $2 types $1_screen_t;
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ allow $1_screen_t self:capability { setuid setgid fsetid };
+ allow $1_screen_t self:process signal_perms;
+ allow $1_screen_t self:fifo_file rw_fifo_file_perms;
+ allow $1_screen_t self:tcp_socket create_stream_socket_perms;
+ allow $1_screen_t self:udp_socket create_socket_perms;
+ # Internal screen networking
+ allow $1_screen_t self:fd use;
+ allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
+ allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+ manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+ manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+ files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir })
+
+ # Create fifo
+ manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+ manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+ manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+ files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
+
+ allow $1_screen_t screen_home_t:dir list_dir_perms;
+ manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
+ manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
+ read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+
+ allow $1_screen_t $3:process signal;
+
+ domtrans_pattern($3, screen_exec_t, $1_screen_t)
+ allow $3 $1_screen_t:process { signal sigchld };
+ dontaudit $3 $1_screen_t:unix_stream_socket { read write };
+ allow $1_screen_t $3:process signal;
+
+ manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
+ manage_dirs_pattern($3, screen_home_t, screen_home_t)
+ manage_files_pattern($3, screen_home_t, screen_home_t)
+ manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
+ relabel_dirs_pattern($3, screen_home_t, screen_home_t)
+ relabel_files_pattern($3, screen_home_t, screen_home_t)
+ relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
+
+ manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
+ manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
+ manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
+ manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
+
+ kernel_read_system_state($1_screen_t)
+ kernel_read_kernel_sysctls($1_screen_t)
+
+ corecmd_list_bin($1_screen_t)
+ corecmd_read_bin_files($1_screen_t)
+ corecmd_read_bin_symlinks($1_screen_t)
+ corecmd_read_bin_pipes($1_screen_t)
+ corecmd_read_bin_sockets($1_screen_t)
+ # Revert to the user domain when a shell is executed.
+ corecmd_shell_domtrans($1_screen_t, $3)
+ corecmd_bin_domtrans($1_screen_t, $3)
+
+ corenet_all_recvfrom_unlabeled($1_screen_t)
+ corenet_all_recvfrom_netlabel($1_screen_t)
+ corenet_tcp_sendrecv_generic_if($1_screen_t)
+ corenet_udp_sendrecv_generic_if($1_screen_t)
+ corenet_tcp_sendrecv_generic_node($1_screen_t)
+ corenet_udp_sendrecv_generic_node($1_screen_t)
+ corenet_tcp_sendrecv_all_ports($1_screen_t)
+ corenet_udp_sendrecv_all_ports($1_screen_t)
+ corenet_tcp_connect_all_ports($1_screen_t)
+
+ dev_dontaudit_getattr_all_chr_files($1_screen_t)
+ dev_dontaudit_getattr_all_blk_files($1_screen_t)
+ # for SSP
+ dev_read_urand($1_screen_t)
+
+ domain_use_interactive_fds($1_screen_t)
+
+ files_search_tmp($1_screen_t)
+ files_search_home($1_screen_t)
+ files_list_home($1_screen_t)
+ files_read_usr_files($1_screen_t)
+ files_read_etc_files($1_screen_t)
+
+ fs_search_auto_mountpoints($1_screen_t)
+ fs_getattr_xattr_fs($1_screen_t)
+
+ auth_domtrans_chk_passwd($1_screen_t)
+ auth_use_nsswitch($1_screen_t)
+ auth_dontaudit_read_shadow($1_screen_t)
+ auth_dontaudit_exec_utempter($1_screen_t)
+
+ # Write to utmp.
+ init_rw_utmp($1_screen_t)
+
+ logging_send_syslog_msg($1_screen_t)
+
+ miscfiles_read_localization($1_screen_t)
+
+ seutil_read_config($1_screen_t)
+
+ userdom_use_user_terminals($1_screen_t)
+ userdom_create_user_pty($1_screen_t)
+ userdom_user_home_domtrans($1_screen_t, $3)
+ userdom_setattr_user_ptys($1_screen_t)
+ userdom_setattr_user_ttys($1_screen_t)
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_cifs_domtrans($1_screen_t, $3)
+ fs_read_cifs_symlinks($1_screen_t)
+ fs_list_cifs($1_screen_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_nfs_domtrans($1_screen_t, $3)
+ fs_list_nfs($1_screen_t)
+ fs_read_nfs_symlinks($1_screen_t)
+ ')
+')
diff --git a/screen.te b/screen.te
new file mode 100644
index 0000000..84f648c
--- /dev/null
+++ b/screen.te
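Review bot: `allow $1_screen_t $3:process signal;` appears twice in `screen_role_template`, once on its own just before `domtrans_pattern($3, screen_exec_t, $1_screen_t)` and again right after `dontaudit $3 $1_screen_t:unix_stream_socket { read write };`; the second copy is redundant and one of them should go. The comment `# Create fifo` above the screen_var_run_t block covers four rules of which only the first is about fifos; `# /var/run/screen: directories, fifos and sockets` would describe what follows. The template body starts and ends inside this hunk.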
@@ -0,0 +1,26 @@
+policy_module(screen, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type screen_exec_t;
+application_executable_file(screen_exec_t)
+
+type screen_home_t;
+typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t };
+typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
+userdom_user_home_content(screen_home_t)
+
+type screen_tmp_t;
+typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
+typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
+files_tmp_file(screen_tmp_t)
+ubac_constrained(screen_tmp_t)
+
+type screen_var_run_t;
+typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
+typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
+files_pid_file(screen_var_run_t)
+ubac_constrained(screen_var_run_t)
diff --git a/sectoolm.fc b/sectoolm.fc
new file mode 100644
index 0000000..1ed6870
--- /dev/null
+++ b/sectoolm.fc
@@ -0,0 +1,4 @@
+/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
+
+/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
+/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)
diff --git a/sectoolm.if b/sectoolm.if
new file mode 100644
index 0000000..9007451
--- /dev/null
+++ b/sectoolm.if
@@ -0,0 +1,2 @@
+## Sectool security audit tool
+
diff --git a/sectoolm.te b/sectoolm.te
new file mode 100644
index 0000000..c8ef84b
--- /dev/null
+++ b/sectoolm.te
@@ -0,0 +1,106 @@
+policy_module(sectoolm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sectoolm_t;
+type sectoolm_exec_t;
+dbus_system_domain(sectoolm_t, sectoolm_exec_t)
+
+type sectool_var_lib_t;
+files_type(sectool_var_lib_t)
+
+type sectool_var_log_t;
+logging_log_file(sectool_var_log_t)
+
+type sectool_tmp_t;
+files_tmp_file(sectool_tmp_t)
+
+########################################
+#
+# sectool local policy
+#
+
+allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
+allow sectoolm_t self:process { getcap getsched signull setsched };
+dontaudit sectoolm_t self:process { execstack execmem };
+allow sectoolm_t self:fifo_file rw_fifo_file_perms;
+allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
+
+manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir })
+
+manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir })
+
+manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t)
+logging_log_filetrans(sectoolm_t, sectool_var_log_t, file)
+
+kernel_read_net_sysctls(sectoolm_t)
+kernel_read_network_state(sectoolm_t)
+kernel_read_kernel_sysctls(sectoolm_t)
+
+corecmd_exec_bin(sectoolm_t)
+corecmd_exec_shell(sectoolm_t)
+
+dev_read_sysfs(sectoolm_t)
+dev_read_urand(sectoolm_t)
+dev_getattr_all_blk_files(sectoolm_t)
+dev_getattr_all_chr_files(sectoolm_t)
+
+domain_getattr_all_domains(sectoolm_t)
+domain_read_all_domains_state(sectoolm_t)
+
+files_getattr_all_pipes(sectoolm_t)
+files_getattr_all_sockets(sectoolm_t)
+files_read_all_files(sectoolm_t)
+files_read_all_symlinks(sectoolm_t)
+
+fs_getattr_all_fs(sectoolm_t)
+fs_list_noxattr_fs(sectoolm_t)
+
+selinux_validate_context(sectoolm_t)
+
+# tcp_wrappers test
+application_exec_all(sectoolm_t)
+
+auth_use_nsswitch(sectoolm_t)
+
+# tests related to network
+hostname_exec(sectoolm_t)
+
+# tests related to network
+iptables_domtrans(sectoolm_t)
+
+libs_exec_ld_so(sectoolm_t)
+
+logging_send_syslog_msg(sectoolm_t)
+
+# tests related to network
+sysnet_domtrans_ifconfig(sectoolm_t)
+
+userdom_manage_user_tmp_sockets(sectoolm_t)
+
+optional_policy(`
+ mount_exec(sectoolm_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(sectoolm_t)
+')
+
+# suid test using
+# rpm -Vf option
+optional_policy(`
+ prelink_domtrans(sectoolm_t)
+')
+
+optional_policy(`
+ rpm_exec(sectoolm_t)
+ rpm_dontaudit_manage_db(sectoolm_t)
+')
+
diff --git a/sendmail.fc b/sendmail.fc
new file mode 100644
index 0000000..a86ec50
--- /dev/null
+++ b/sendmail.fc
@@ -0,0 +1,6 @@
+
+/var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0)
+/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
+
+/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/sendmail.if b/sendmail.if
new file mode 100644
index 0000000..7e94c7c
--- /dev/null
+++ b/sendmail.if
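Review bot: `allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };` at the top of the local policy carries no comment, while the later test-specific rules do (`# tests related to network`, `# suid test using`); `net_admin` and `sys_ptrace` are the two capabilities that widen a dbus-activated helper the most, and each should be tied to the audit test that needs it, e.g. `# net_admin: <network test>; sys_ptrace: reading other domains' state for <process test>` with the test names filled in by the author. `dontaudit sectoolm_t self:process { execstack execmem };` likewise deserves a one-line note on which interpreter or library triggers the denial, so a later reviewer can tell a silenced bug from a silenced probe. The `optional_policy` wrapping `policykit_dbus_chat(sectoolm_t)` is presumably the only gate on who may drive this mechanism over dbus; a comment naming the authorising action would make that trust boundary explicit.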
@@ -0,0 +1,297 @@ +## Policy for sendmail. + +######################################## +## +## Sendmail stub interface. No access allowed. +## +## +## +## Domain allowed access. +## +## +# +interface(`sendmail_stub',` + gen_require(` + type sendmail_t; + ') +') + +######################################## +## +## Allow attempts to read and write to +## sendmail unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`sendmail_rw_pipes',` + gen_require(` + type sendmail_t; + ') + + allow $1 sendmail_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Domain transition to sendmail. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`sendmail_domtrans',` + gen_require(` + type sendmail_t; + ') + + mta_sendmail_domtrans($1, sendmail_t) + + allow sendmail_t $1:fd use; + allow sendmail_t $1:fifo_file rw_file_perms; + allow sendmail_t $1:process sigchld; +') + +######################################## +## +## Execute the sendmail program in the sendmail domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to allow the sendmail domain. +## +## +## +# +interface(`sendmail_run',` + gen_require(` + type sendmail_t; + ') + + sendmail_domtrans($1) + role $2 types sendmail_t; +') + +######################################## +## +## Send generic signals to sendmail. +## +## +## +## Domain allowed access. +## +## +# +interface(`sendmail_signal',` + gen_require(` + type sendmail_t; + ') + + allow $1 sendmail_t:process signal; +') + +######################################## +## +## Read and write sendmail TCP sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`sendmail_rw_tcp_sockets',` + gen_require(` + type sendmail_t; + ') + + allow $1 sendmail_t:tcp_socket { read write }; +') + +######################################## +## +## Do not audit attempts to read and write +## sendmail TCP sockets. +## +## +## +## Domain to not audit. 
+## +## +# +interface(`sendmail_dontaudit_rw_tcp_sockets',` + gen_require(` + type sendmail_t; + ') + + dontaudit $1 sendmail_t:tcp_socket { read write }; +') + +######################################## +## +## Read and write sendmail unix_stream_sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`sendmail_rw_unix_stream_sockets',` + gen_require(` + type sendmail_t; + ') + + allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; +') + +######################################## +## +## Do not audit attempts to read and write +## sendmail unix_stream_sockets. +## +## +## +## Domain to not audit. +## +## +# +interface(`sendmail_dontaudit_rw_unix_stream_sockets',` + gen_require(` + type sendmail_t; + ') + + dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; +') + +######################################## +## +## Read sendmail logs. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`sendmail_read_log',` + gen_require(` + type sendmail_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, sendmail_log_t, sendmail_log_t) +') + +######################################## +## +## Create, read, write, and delete sendmail logs. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`sendmail_manage_log',` + gen_require(` + type sendmail_log_t; + ') + + logging_search_logs($1) + manage_files_pattern($1, sendmail_log_t, sendmail_log_t) +') + +######################################## +## +## Create sendmail logs with the correct type. +## +## +## +## Domain allowed access. +## +## +# +interface(`sendmail_create_log',` + gen_require(` + type sendmail_log_t; + ') + + logging_log_filetrans($1, sendmail_log_t, file) +') + +######################################## +## +## Manage sendmail tmp files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`sendmail_manage_tmp_files',` + gen_require(` + type sendmail_tmp_t; + ') + + files_search_tmp($1) + manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t) +') + +######################################## +## +## Execute sendmail in the unconfined sendmail domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`sendmail_domtrans_unconfined',` + gen_require(` + type unconfined_sendmail_t; + ') + + mta_sendmail_domtrans($1, unconfined_sendmail_t) +') + +######################################## +## +## Execute sendmail in the unconfined sendmail domain, and +## allow the specified role the unconfined sendmail domain, +## and use the caller's terminal. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`sendmail_run_unconfined',` + gen_require(` + type unconfined_sendmail_t; + ') + + sendmail_domtrans_unconfined($1) + role $2 types unconfined_sendmail_t; +') diff --git a/sendmail.te b/sendmail.te new file mode 100644 index 0000000..22dac1f --- /dev/null +++ b/sendmail.te 
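Review bot: In `sendmail_domtrans`, `allow sendmail_t $1:fifo_file rw_file_perms;` applies the generic file permission set to a fifo, whereas `sendmail_rw_pipes` in the same file uses `rw_fifo_file_perms`; the domtrans rule should read `allow sendmail_t $1:fifo_file rw_fifo_file_perms;` so both interfaces grant the same set. The three allow rules after `mta_sendmail_domtrans` (fd use, fifo rw, sigchld) are the usual back-channel for a transition but are not explained; a comment such as `# let the caller's fds, pipes and exit status flow back across the transition` would say why they are spelled out here instead of coming from a pattern.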
@@ -0,0 +1,187 @@ +policy_module(sendmail, 1.11.0) + +######################################## +# +# Declarations +# + +type sendmail_log_t; +logging_log_file(sendmail_log_t) + +type sendmail_tmp_t; +files_tmp_file(sendmail_tmp_t) + +type sendmail_var_run_t; +files_pid_file(sendmail_var_run_t) + +type sendmail_t; +mta_sendmail_mailserver(sendmail_t) +mta_mailserver_delivery(sendmail_t) +mta_mailserver_sender(sendmail_t) + +type unconfined_sendmail_t; +application_domain(unconfined_sendmail_t, sendmail_exec_t) +role system_r types unconfined_sendmail_t; + +######################################## +# +# Sendmail local policy +# + +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; +allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; +allow sendmail_t self:fifo_file rw_fifo_file_perms; +allow sendmail_t self:unix_stream_socket create_stream_socket_perms; +allow sendmail_t self:unix_dgram_socket create_socket_perms; +allow sendmail_t self:tcp_socket create_stream_socket_perms; +allow sendmail_t self:udp_socket create_socket_perms; + +allow sendmail_t sendmail_log_t:dir setattr; +manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) +logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) + +manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) +manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) +files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir }) + +allow sendmail_t sendmail_var_run_t:file manage_file_perms; +files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) + +kernel_read_network_state(sendmail_t) +kernel_read_kernel_sysctls(sendmail_t) +# for piping mail to a command +kernel_read_system_state(sendmail_t) + +corenet_all_recvfrom_unlabeled(sendmail_t) +corenet_all_recvfrom_netlabel(sendmail_t) +corenet_tcp_sendrecv_generic_if(sendmail_t) +corenet_tcp_sendrecv_generic_node(sendmail_t) 
+corenet_tcp_sendrecv_all_ports(sendmail_t) +corenet_tcp_bind_generic_node(sendmail_t) +corenet_tcp_bind_smtp_port(sendmail_t) +corenet_tcp_connect_all_ports(sendmail_t) +corenet_sendrecv_smtp_server_packets(sendmail_t) +corenet_sendrecv_smtp_client_packets(sendmail_t) + +dev_read_urand(sendmail_t) +dev_read_sysfs(sendmail_t) + +fs_getattr_all_fs(sendmail_t) +fs_search_auto_mountpoints(sendmail_t) +fs_rw_anon_inodefs_files(sendmail_t) + +term_dontaudit_use_console(sendmail_t) +term_dontaudit_use_generic_ptys(sendmail_t) + +# for piping mail to a command +corecmd_exec_shell(sendmail_t) +corecmd_exec_bin(sendmail_t) + +domain_use_interactive_fds(sendmail_t) + +files_read_etc_files(sendmail_t) +files_read_usr_files(sendmail_t) +files_search_spool(sendmail_t) +# for piping mail to a command +files_read_etc_runtime_files(sendmail_t) + +init_use_fds(sendmail_t) +init_use_script_ptys(sendmail_t) +# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console +init_read_utmp(sendmail_t) +init_dontaudit_write_utmp(sendmail_t) + +auth_use_nsswitch(sendmail_t) + +# Read /usr/lib/sasl2/.* +libs_read_lib_files(sendmail_t) + +logging_send_syslog_msg(sendmail_t) +logging_dontaudit_write_generic_logs(sendmail_t) + +miscfiles_read_generic_certs(sendmail_t) +miscfiles_read_localization(sendmail_t) + +userdom_dontaudit_use_unpriv_user_fds(sendmail_t) +userdom_dontaudit_search_user_home_dirs(sendmail_t) + +mta_read_config(sendmail_t) +mta_etc_filetrans_aliases(sendmail_t) +# Write to /etc/aliases and /etc/mail. +mta_manage_aliases(sendmail_t) +# Write to /var/spool/mail and /var/spool/mqueue. 
+mta_manage_queue(sendmail_t) +mta_manage_spool(sendmail_t) +mta_sendmail_exec(sendmail_t) + +optional_policy(` + cron_read_pipes(sendmail_t) +') + +optional_policy(` + clamav_search_lib(sendmail_t) + clamav_stream_connect(sendmail_t) +') + +optional_policy(` + cyrus_stream_connect(sendmail_t) +') + +optional_policy(` + exim_domtrans(sendmail_t) +') + +optional_policy(` + fail2ban_read_lib_files(sendmail_t) + fail2ban_rw_stream_sockets(sendmail_t) +') + +optional_policy(` + kerberos_keytab_template(sendmail, sendmail_t) +') + +optional_policy(` + milter_stream_connect_all(sendmail_t) +') + +optional_policy(` + munin_dontaudit_search_lib(sendmail_t) +') + +optional_policy(` + postfix_domtrans_master(sendmail_t) + postfix_read_config(sendmail_t) + postfix_search_spool(sendmail_t) +') + +optional_policy(` + procmail_domtrans(sendmail_t) + procmail_rw_tmp_files(sendmail_t) +') + +optional_policy(` + seutil_sigchld_newrole(sendmail_t) +') + +optional_policy(` + sasl_connect(sendmail_t) +') + +optional_policy(` + udev_read_db(sendmail_t) +') + +optional_policy(` + uucp_domtrans_uux(sendmail_t) +') + +######################################## +# +# Unconfined sendmail local policy +# Allow unconfined domain to run newalias and have transitions work +# + +optional_policy(` + mta_etc_filetrans_aliases(unconfined_sendmail_t) + unconfined_domain(unconfined_sendmail_t) +') diff --git a/setroubleshoot.fc b/setroubleshoot.fc new file mode 100644 index 0000000..397a522 --- /dev/null +++ b/setroubleshoot.fc 
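Review bot: `logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })` lists `dir`, but the only rules on `sendmail_log_t` are `manage_files_pattern` and `dir setattr`, neither of which grants `create` on `sendmail_log_t:dir`, so a directory transition would still be denied unless a rule outside this module allows it. Either add `manage_dirs_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)` beside the existing manage_files_pattern, or drop `dir` from the filetrans as `files_pid_filetrans` a few lines below already does. setroubleshoot.te in this commit has the same mismatch for `setroubleshoot_var_lib_t` (`files_var_lib_filetrans ... { file dir }`) and `setroubleshoot_var_log_t` (`logging_log_filetrans ... { file dir }`), each backed only by a manage_files_pattern.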
@@ -0,0 +1,9 @@
+/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
+
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
+
+/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
+
+/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
+
+/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
diff --git a/setroubleshoot.if b/setroubleshoot.if
new file mode 100644
index 0000000..bcdd16c
--- /dev/null
+++ b/setroubleshoot.if
@@ -0,0 +1,135 @@ +## SELinux troubleshooting service + +######################################## +## +## Connect to setroubleshootd over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`setroubleshoot_stream_connect',` + gen_require(` + type setroubleshootd_t, setroubleshoot_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t) + allow $1 setroubleshoot_var_run_t:sock_file read; +') + +######################################## +## +## Dontaudit attempts to connect to setroubleshootd +## over an unix stream socket. +## +## +## +## Domain to not audit. +## +## +# +interface(`setroubleshoot_dontaudit_stream_connect',` + gen_require(` + type setroubleshootd_t, setroubleshoot_var_run_t; + ') + + dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms; + dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; +') + +######################################## +## +## Send and receive messages from +## setroubleshoot over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`setroubleshoot_dbus_chat',` + gen_require(` + type setroubleshootd_t; + class dbus send_msg; + ') + + allow $1 setroubleshootd_t:dbus send_msg; + allow setroubleshootd_t $1:dbus send_msg; +') + +######################################## +## +## Do not audit send and receive messages from +## setroubleshoot over dbus. +## +## +## +## Domain to not audit. +## +## +# +interface(`setroubleshoot_dontaudit_dbus_chat',` + gen_require(` + type setroubleshootd_t; + class dbus send_msg; + ') + + dontaudit $1 setroubleshootd_t:dbus send_msg; + dontaudit setroubleshootd_t $1:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## setroubleshoot fixit over dbus. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`setroubleshoot_dbus_chat_fixit',` + gen_require(` + type setroubleshoot_fixit_t; + class dbus send_msg; + ') + + allow $1 setroubleshoot_fixit_t:dbus send_msg; + allow setroubleshoot_fixit_t $1:dbus send_msg; +') + +######################################## +## +## All of the rules required to administrate +## an setroubleshoot environment +## +## +## +## Domain allowed access. +## +## +## +# +interface(`setroubleshoot_admin',` + gen_require(` + type setroubleshootd_t, setroubleshoot_log_t; + type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; + ') + + allow $1 setroubleshootd_t:process { ptrace signal_perms }; + ps_process_pattern($1, setroubleshootd_t) + + logging_list_logs($1) + admin_pattern($1, setroubleshoot_log_t) + + files_list_var_lib($1) + admin_pattern($1, setroubleshoot_var_lib_t) + + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') diff --git a/setroubleshoot.te b/setroubleshoot.te new file mode 100644 index 0000000..086cd5f --- /dev/null +++ b/setroubleshoot.te 
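Review bot: `setroubleshoot_admin` requires `setroubleshoot_log_t`, but setroubleshoot.te declares `setroubleshoot_var_log_t` (and setroubleshoot.fc labels /var/log/setroubleshoot with it), so the interface cannot be expanded until the two lines become `type setroubleshootd_t, setroubleshoot_var_log_t;` and `admin_pattern($1, setroubleshoot_var_log_t)`. In `setroubleshoot_stream_connect`, the trailing `allow $1 setroubleshoot_var_run_t:sock_file read;` is extra to what `stream_connect_pattern` normally grants on the socket node; a comment naming the client that needs a plain read there would keep it from being removed as redundant later.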
@@ -0,0 +1,177 @@ +policy_module(setroubleshoot, 1.11.0) + +######################################## +# +# Declarations +# + +type setroubleshootd_t alias setroubleshoot_t; +type setroubleshootd_exec_t; +domain_type(setroubleshootd_t) +init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) + +type setroubleshoot_fixit_t; +type setroubleshoot_fixit_exec_t; +dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) + +type setroubleshoot_var_lib_t; +files_type(setroubleshoot_var_lib_t) + +# log files +type setroubleshoot_var_log_t; +logging_log_file(setroubleshoot_var_log_t) + +# pid files +type setroubleshoot_var_run_t; +files_pid_file(setroubleshoot_var_run_t) + +######################################## +# +# setroubleshootd local policy +# + +allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; +allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; +allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; +allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; + +# database files +allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; +manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t) +files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir }) + +# log files +allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr; +manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) +manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) +logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) + +# pid file +manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) 
+manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) +files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctls(setroubleshootd_t) +kernel_read_system_state(setroubleshootd_t) +kernel_read_net_sysctls(setroubleshootd_t) +kernel_read_network_state(setroubleshootd_t) + +corecmd_exec_bin(setroubleshootd_t) +corecmd_exec_shell(setroubleshootd_t) + +corenet_all_recvfrom_unlabeled(setroubleshootd_t) +corenet_all_recvfrom_netlabel(setroubleshootd_t) +corenet_tcp_sendrecv_generic_if(setroubleshootd_t) +corenet_tcp_sendrecv_generic_node(setroubleshootd_t) +corenet_tcp_sendrecv_all_ports(setroubleshootd_t) +corenet_tcp_bind_generic_node(setroubleshootd_t) +corenet_tcp_connect_smtp_port(setroubleshootd_t) +corenet_sendrecv_smtp_client_packets(setroubleshootd_t) + +dev_read_urand(setroubleshootd_t) +dev_read_sysfs(setroubleshootd_t) +dev_getattr_all_blk_files(setroubleshootd_t) +dev_getattr_all_chr_files(setroubleshootd_t) + +domain_dontaudit_search_all_domains_state(setroubleshootd_t) +domain_signull_all_domains(setroubleshootd_t) + +files_read_usr_files(setroubleshootd_t) +files_read_etc_files(setroubleshootd_t) +files_list_all(setroubleshootd_t) +files_getattr_all_files(setroubleshootd_t) +files_getattr_all_pipes(setroubleshootd_t) +files_getattr_all_sockets(setroubleshootd_t) +files_read_all_symlinks(setroubleshootd_t) + +fs_getattr_all_dirs(setroubleshootd_t) +fs_getattr_all_files(setroubleshootd_t) +fs_read_fusefs_symlinks(setroubleshootd_t) +fs_list_inotifyfs(setroubleshootd_t) +fs_dontaudit_read_nfs_files(setroubleshootd_t) +fs_dontaudit_read_cifs_files(setroubleshootd_t) + +selinux_get_enforce_mode(setroubleshootd_t) +selinux_validate_context(setroubleshootd_t) + +term_dontaudit_use_all_ptys(setroubleshootd_t) +term_dontaudit_use_all_ttys(setroubleshootd_t) + +auth_use_nsswitch(setroubleshootd_t) + +init_read_utmp(setroubleshootd_t) 
+init_dontaudit_write_utmp(setroubleshootd_t) + +miscfiles_read_localization(setroubleshootd_t) + +locallogin_dontaudit_use_fds(setroubleshootd_t) + +logging_send_audit_msgs(setroubleshootd_t) +logging_send_syslog_msg(setroubleshootd_t) +logging_stream_connect_dispatcher(setroubleshootd_t) + +modutils_read_module_config(setroubleshootd_t) + +seutil_read_config(setroubleshootd_t) +seutil_read_file_contexts(setroubleshootd_t) +seutil_read_bin_policy(setroubleshootd_t) + +userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) + +optional_policy(` + dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) +') + +optional_policy(` + rpm_signull(setroubleshootd_t) + rpm_read_db(setroubleshootd_t) + rpm_dontaudit_manage_db(setroubleshootd_t) + rpm_use_script_fds(setroubleshootd_t) +') + +######################################## +# +# setroubleshoot_fixit local policy +# + +allow setroubleshoot_fixit_t self:capability sys_nice; +allow setroubleshoot_fixit_t self:process { setsched getsched }; +allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; +allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms; + +allow setroubleshoot_fixit_t setroubleshootd_t:process signull; + +setroubleshoot_dbus_chat(setroubleshoot_fixit_t) +setroubleshoot_stream_connect(setroubleshoot_fixit_t) + +kernel_read_system_state(setroubleshoot_fixit_t) + +corecmd_exec_bin(setroubleshoot_fixit_t) +corecmd_exec_shell(setroubleshoot_fixit_t) + +seutil_domtrans_setfiles(setroubleshoot_fixit_t) + +files_read_usr_files(setroubleshoot_fixit_t) +files_read_etc_files(setroubleshoot_fixit_t) +files_list_tmp(setroubleshoot_fixit_t) + +auth_use_nsswitch(setroubleshoot_fixit_t) + +logging_send_audit_msgs(setroubleshoot_fixit_t) +logging_send_syslog_msg(setroubleshoot_fixit_t) + +miscfiles_read_localization(setroubleshoot_fixit_t) + +optional_policy(` + rpm_signull(setroubleshoot_fixit_t) + rpm_read_db(setroubleshoot_fixit_t) + 
rpm_dontaudit_manage_db(setroubleshoot_fixit_t) + rpm_use_script_fds(setroubleshoot_fixit_t) +') + +optional_policy(` + policykit_dbus_chat(setroubleshoot_fixit_t) + userdom_read_all_users_state(setroubleshoot_fixit_t) +') diff --git a/shorewall.fc b/shorewall.fc new file mode 100644 index 0000000..48d1363 --- /dev/null +++ b/shorewall.fc @@ -0,0 +1,16 @@ +/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0) +/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0) + +/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) +/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) + +/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) +/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) + +/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) +/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) +/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) + +/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0) + +/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) diff --git a/shorewall.if b/shorewall.if new file mode 100644 index 0000000..781ad7e --- /dev/null +++ b/shorewall.if 
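Review bot: `domain_type(setroubleshootd_t)` is immediately followed by `init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)`, which in refpolicy already marks its first argument as a domain, so the explicit call looks redundant and can be dropped unless this tree's init_daemon_domain differs. The later `dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)` inside `optional_policy` declares a second entry path on the same exec type; a comment such as `# also started by D-Bus activation, so both init and dbus may transition here` would record that both are intended rather than a leftover.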
@@ -0,0 +1,202 @@ +## Shoreline Firewall high-level tool for configuring netfilter + +######################################## +## +## Execute a domain transition to run shorewall. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`shorewall_domtrans',` + gen_require(` + type shorewall_t, shorewall_exec_t; + ') + + domtrans_pattern($1, shorewall_exec_t, shorewall_t) +') + +###################################### +## +## Execute a domain transition to run shorewall. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`shorewall_lib_domtrans',` + gen_require(` + type shorewall_t, shorewall_var_lib_t; + ') + + domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) +') + +####################################### +## +## Read shorewall etc configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`shorewall_read_config',` + gen_require(` + type shorewall_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) +') + +####################################### +## +## Read shorewall PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`shorewall_read_pid_files',` + gen_require(` + type shorewall_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) +') + +####################################### +## +## Read and write shorewall PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`shorewall_rw_pid_files',` + gen_require(` + type shorewall_var_run_t; + ') + + files_search_pids($1) + rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) +') + +###################################### +## +## Read shorewall /var/lib files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`shorewall_read_lib_files',` + gen_require(` + type shorewall_t; + ') + + files_search_var_lib($1) + search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) +') + +####################################### +## +## Read and write shorewall /var/lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`shorewall_rw_lib_files',` + gen_require(` + type shorewall_var_lib_t; + ') + + files_search_var_lib($1) + search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) +') + +####################################### +## +## Read shorewall tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`shorewall_read_tmp_files',` + gen_require(` + type shorewall_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t) +') + +####################################### +## +## All of the rules required to administrate +## an shorewall environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the syslog domain. +## +## +## +# +interface(`shorewall_admin',` + gen_require(` + type shorewall_t, shorewall_lock_t; + type shorewall_log_t; + type shorewall_initrc_exec_t, shorewall_var_lib_t; + type shorewall_tmp_t, shorewall_etc_t; + ') + + allow $1 shorewall_t:process { ptrace signal_perms }; + ps_process_pattern($1, shorewall_t) + + init_labeled_script_domtrans($1, shorewall_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 shorewall_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, shorewall_etc_t) + + files_list_locks($1) + admin_pattern($1, shorewall_lock_t) + + logging_list_logs($1) + admin_pattern($1, shorewall_log_t) + + files_list_var_lib($1) + admin_pattern($1, shorewall_var_lib_t) + + files_list_tmp($1) + admin_pattern($1, shorewall_tmp_t) +') 
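Review bot: `shorewall_read_lib_files` requires `type shorewall_t;` but its body only touches `shorewall_var_lib_t`, so the require is wrong and the interface will fail for a caller that has not pulled in that type some other way; it should read `type shorewall_var_lib_t;` as `shorewall_rw_lib_files` does. `shorewall_read_pid_files` and `shorewall_rw_pid_files` require `shorewall_var_run_t`, which shorewall.te in this commit never declares and shorewall.fc never labels, so both are unusable until the type is added or they are removed. The role description in `shorewall_admin` ("manage the syslog domain") is copied from another module and should say `The role to be allowed to manage the shorewall domain.`; likewise `shorewall_lib_domtrans` repeats the summary of `shorewall_domtrans` and should say it transitions via the /var/lib scripts.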
diff --git a/shorewall.te b/shorewall.te
new file mode 100644
index 0000000..4723c6b
--- /dev/null
+++ b/shorewall.te
@@ -0,0 +1,108 @@ +policy_module(shorewall, 1.3.0) + +######################################## +# +# Declarations +# + +type shorewall_t; +type shorewall_exec_t; +init_daemon_domain(shorewall_t, shorewall_exec_t) + +type shorewall_initrc_exec_t; +init_script_file(shorewall_initrc_exec_t) + +# etc files +type shorewall_etc_t; +files_config_file(shorewall_etc_t) + +# lock files +type shorewall_lock_t; +files_lock_file(shorewall_lock_t) + +# tmp files +type shorewall_tmp_t; +files_tmp_file(shorewall_tmp_t) + +# var/lib files +type shorewall_var_lib_t; +files_type(shorewall_var_lib_t) +domain_entry_file(shorewall_t, shorewall_var_lib_t) + +type shorewall_log_t; +logging_log_file(shorewall_log_t) + +######################################## +# +# shorewall local policy +# + +allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace }; +dontaudit shorewall_t self:capability sys_tty_config; +allow shorewall_t self:fifo_file rw_fifo_file_perms; + +read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) +list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) + +manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) +files_lock_filetrans(shorewall_t, shorewall_lock_t, file) + +manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) +manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) +logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) + +manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) +manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) +files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir }) + +exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) +manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) +manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) +files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) + +allow shorewall_t 
shorewall_initrc_exec_t:file read_file_perms; + +kernel_read_kernel_sysctls(shorewall_t) +kernel_read_network_state(shorewall_t) +kernel_read_system_state(shorewall_t) +kernel_rw_net_sysctls(shorewall_t) + +corecmd_exec_bin(shorewall_t) +corecmd_exec_shell(shorewall_t) + +dev_read_urand(shorewall_t) + +domain_read_all_domains_state(shorewall_t) + +files_getattr_kernel_modules(shorewall_t) +files_read_etc_files(shorewall_t) +files_read_usr_files(shorewall_t) +files_search_kernel_modules(shorewall_t) + +fs_getattr_all_fs(shorewall_t) + +init_rw_utmp(shorewall_t) + +logging_send_syslog_msg(shorewall_t) + +miscfiles_read_localization(shorewall_t) + +sysnet_domtrans_ifconfig(shorewall_t) + +userdom_dontaudit_list_user_home_dirs(shorewall_t) + +optional_policy(` + hostname_exec(shorewall_t) +') + +optional_policy(` + iptables_domtrans(shorewall_t) +') + +optional_policy(` + modutils_domtrans_insmod(shorewall_t) +') + +optional_policy(` + ulogd_search_log(shorewall_t) +') diff --git a/shutdown.fc b/shutdown.fc new file mode 100644 index 0000000..97671a3 --- /dev/null +++ b/shutdown.fc @@ -0,0 +1,7 @@ +/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0) + +/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + +/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + +/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) diff --git a/shutdown.if b/shutdown.if new file mode 100644 index 0000000..d0604cf --- /dev/null +++ b/shutdown.if 
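Review bot: `shorewall_var_lib_t` is both a domain entrypoint (`domain_entry_file(shorewall_t, shorewall_var_lib_t)`) and fully writable and executable by shorewall_t (`manage_files_pattern`, `exec_files_pattern`), and shorewall.if exports `shorewall_rw_lib_files` and `shorewall_lib_domtrans` on the same type, so any domain later granted write access to these files decides what runs as shorewall_t with net_admin/net_raw/sys_ptrace. That is presumably deliberate (the generated firewall scripts appear to live there), but nothing in the hunk says so; a comment above the var_lib block, e.g. `# /var/lib/shorewall holds generated scripts that shorewall_t both writes and executes; keep write access to shorewall_var_lib_t limited to trusted domains`, would make the trust assumption explicit for future callers of shorewall_rw_lib_files. The `allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;` line would also benefit from a short why-comment, since reading the init script from the daemon domain is unusual.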
@@ -0,0 +1,69 @@
+## System shutdown command
+
+########################################
+##
+## Execute a domain transition to run shutdown.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`shutdown_domtrans',`
+ gen_require(`
+ type shutdown_t, shutdown_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, shutdown_exec_t, shutdown_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit shutdown_t $1:socket_class_set { read write };
+ dontaudit shutdown_t $1:fifo_file { read write };
+ ')
+')
+
+########################################
+##
+## Execute shutdown in the shutdown domain, and
+## allow the specified role the shutdown domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`shutdown_run',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ shutdown_domtrans($1)
+ role $2 types shutdown_t;
+')
+
+########################################
+##
+## Get attributes of shutdown executable.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`shutdown_getattr_exec_files',`
+ gen_require(`
+ type shutdown_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 shutdown_exec_t:file getattr_file_perms;
+')
diff --git a/shutdown.te b/shutdown.te
new file mode 100644
index 0000000..8966ec9
--- /dev/null
+++ b/shutdown.te
@@ -0,0 +1,63 @@
+policy_module(shutdown, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type shutdown_t;
+type shutdown_exec_t;
+application_domain(shutdown_t, shutdown_exec_t)
+role system_r types shutdown_t;
+
+type shutdown_etc_t;
+files_config_file(shutdown_etc_t)
+
+type shutdown_var_run_t;
+files_pid_file(shutdown_var_run_t)
+
+########################################
+#
+# shutdown local policy
+#
+
+allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
+allow shutdown_t self:process { fork signal signull };
+
+allow shutdown_t self:fifo_file manage_fifo_file_perms;
+allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t)
+files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
+
+manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
+files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+
+domain_use_interactive_fds(shutdown_t)
+
+files_read_etc_files(shutdown_t)
+files_read_generic_pids(shutdown_t)
+
+term_use_all_terms(shutdown_t)
+
+auth_use_nsswitch(shutdown_t)
+auth_write_login_records(shutdown_t)
+
+init_dontaudit_write_utmp(shutdown_t)
+init_read_utmp(shutdown_t)
+init_stream_connect(shutdown_t)
+init_telinit(shutdown_t)
+
+logging_search_logs(shutdown_t)
+logging_send_audit_msgs(shutdown_t)
+
+miscfiles_read_localization(shutdown_t)
+
+optional_policy(`
+ dbus_system_bus_client(shutdown_t)
+ dbus_connect_system_bus(shutdown_t)
+')
+
+optional_policy(`
+ xserver_dontaudit_write_log(shutdown_t)
+')
diff --git a/slocate.fc b/slocate.fc
new file mode 100644
index 0000000..1951c4b
--- /dev/null
+++ b/slocate.fc
@@ -0,0 +1,2 @@
+/usr/bin/updatedb -- gen_context(system_u:object_r:locate_exec_t, s0)
+/var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0)
diff --git a/slocate.if b/slocate.if
new file mode 100644
index 0000000..b7505a0
--- /dev/null
+++ b/slocate.if
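Review bot: The slocate.fc entry for updatedb has a stray space in `gen_context(system_u:object_r:locate_exec_t, s0)`; every other file-context line in this commit writes `,s0`, so it should be `gen_context(system_u:object_r:locate_exec_t,s0)` for consistency. m4 strips leading whitespace from macro arguments, so the label itself is presumably unaffected, but the odd spelling invites a copy-paste mistake in later entries.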
@@ -0,0 +1,41 @@
+## Update database for mlocate
+
+########################################
+##
+## Create the locate log with append mode.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`slocate_create_append_log',`
+ gen_require(`
+ type locate_log_t;
+ ')
+
+ logging_search_logs($1)
+ create_files_pattern($1, locate_log_t, locate_log_t)
+ append_files_pattern($1, locate_log_t, locate_log_t)
+')
+
+########################################
+##
+## Read locate lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`locate_read_lib_files',`
+ gen_require(`
+ type locate_var_lib_t;
+ ')
+
+ read_files_pattern($1, locate_var_lib_t, locate_var_lib_t)
+ allow $1 locate_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
diff --git a/slocate.te b/slocate.te
new file mode 100644
index 0000000..a225c02
--- /dev/null
+++ b/slocate.te
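Review bot: The two interfaces in slocate.if use different prefixes: `slocate_create_append_log` follows the module name while `locate_read_lib_files` does not, and refpolicy convention is that interface names begin with the module name so callers can locate them; if it is renamed to `slocate_read_lib_files`, any existing callers of `locate_read_lib_files` must be updated in the same change. In `locate_read_lib_files` the `files_search_var_lib($1)` call comes after the rules that depend on reaching /var/lib, whereas the sibling interface puts its `logging_search_logs($1)` first; moving it up keeps the reading order consistent across the file.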
@@ -0,0 +1,70 @@
+policy_module(slocate, 1.11.0)
+
+#################################
+#
+# Declarations
+#
+
+type locate_t;
+type locate_exec_t;
+init_system_domain(locate_t, locate_exec_t)
+
+type locate_log_t;
+logging_log_file(locate_log_t)
+
+type locate_var_lib_t;
+files_type(locate_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
+allow locate_t self:process { execmem execheap execstack signal };
+allow locate_t self:fifo_file rw_fifo_file_perms;
+allow locate_t self:unix_stream_socket create_socket_perms;
+
+manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
+manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
+
+kernel_read_system_state(locate_t)
+kernel_dontaudit_search_network_state(locate_t)
+kernel_dontaudit_search_sysctl(locate_t)
+
+corecmd_exec_bin(locate_t)
+
+dev_getattr_all_blk_files(locate_t)
+dev_getattr_all_chr_files(locate_t)
+
+files_list_all(locate_t)
+files_dontaudit_read_all_symlinks(locate_t)
+files_getattr_all_files(locate_t)
+files_getattr_all_pipes(locate_t)
+files_getattr_all_sockets(locate_t)
+files_read_etc_runtime_files(locate_t)
+files_read_etc_files(locate_t)
+
+fs_getattr_all_fs(locate_t)
+fs_getattr_all_files(locate_t)
+fs_getattr_all_pipes(locate_t)
+fs_getattr_all_symlinks(locate_t)
+fs_getattr_all_blk_files(locate_t)
+fs_getattr_all_chr_files(locate_t)
+fs_list_all(locate_t)
+fs_list_inotifyfs(locate_t)
+fs_read_noxattr_fs_symlinks(locate_t)
+
+# getpwnam
+auth_use_nsswitch(locate_t)
+
+miscfiles_read_localization(locate_t)
+
+ifdef(`enable_mls',`
+ # On MLS machines will not be allowed to getattr Anything but SystemLow
+ files_dontaudit_getattr_all_dirs(locate_t)
+')
+
+optional_policy(`
+ cron_system_entry(locate_t, locate_exec_t)
+')
diff --git a/slrnpull.fc b/slrnpull.fc
new file mode 100644
index 0000000..1714ce0
--- /dev/null
+++ b/slrnpull.fc
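Review bot: `allow locate_t self:process { execmem execheap execstack signal };` grants all three executable-memory permissions without a comment, to a domain that is also allowed to list every directory and getattr every file on the system; these permissions switch off the W^X protection for the process and are normally justified only by a specific runtime or build. Record the reason inline, e.g. `# execmem/execheap/execstack: <which binary or build needs this> -- TODO confirm`, or drop whichever of the three does not produce a denial. Separately, `locate_log_t` is declared with `logging_log_file` but nothing in this hunk gives `locate_t` access to it and slocate.fc labels no path with it; the only consumer visible is the `slocate_create_append_log` interface, so either it is intentionally cron-only or an `.fc` entry is missing, and a one-line comment at the declaration would settle that.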
@@ -0,0 +1,10 @@
+#
+# /usr
+#
+
+/usr/bin/slrnpull -- gen_context(system_u:object_r:slrnpull_exec_t,s0)
+
+#
+# /var
+#
+/var/spool/slrnpull(/.*)? gen_context(system_u:object_r:slrnpull_spool_t,s0)
diff --git a/slrnpull.if b/slrnpull.if
new file mode 100644
index 0000000..d7e8289
--- /dev/null
+++ b/slrnpull.if
@@ -0,0 +1,42 @@
+## Service for downloading news feeds the slrn newsreader.
+
+########################################
+##
+## Allow the domain to search slrnpull spools.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`slrnpull_search_spool',`
+ gen_require(`
+ type slrnpull_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 slrnpull_spool_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Allow the domain to create, read,
+## write, and delete slrnpull spools.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`slrnpull_manage_spool',`
+ gen_require(`
+ type slrnpull_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
+ manage_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
+ manage_lnk_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
+')
diff --git a/slrnpull.te b/slrnpull.te
new file mode 100644
index 0000000..e5e72fd
--- /dev/null
+++ b/slrnpull.te
@@ -0,0 +1,70 @@
+policy_module(slrnpull, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type slrnpull_t;
+type slrnpull_exec_t;
+init_daemon_domain(slrnpull_t, slrnpull_exec_t)
+
+type slrnpull_var_run_t;
+files_pid_file(slrnpull_var_run_t)
+
+type slrnpull_spool_t;
+files_type(slrnpull_spool_t)
+
+type slrnpull_log_t;
+logging_log_file(slrnpull_log_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit slrnpull_t self:capability sys_tty_config;
+allow slrnpull_t self:process signal_perms;
+
+allow slrnpull_t slrnpull_log_t:file manage_file_perms;
+logging_log_filetrans(slrnpull_t, slrnpull_log_t, file)
+
+manage_dirs_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
+manage_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
+manage_lnk_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
+files_search_spool(slrnpull_t)
+
+manage_files_pattern(slrnpull_t, slrnpull_var_run_t, slrnpull_var_run_t)
+files_pid_filetrans(slrnpull_t, slrnpull_var_run_t, file)
+
+kernel_list_proc(slrnpull_t)
+kernel_read_kernel_sysctls(slrnpull_t)
+kernel_read_proc_symlinks(slrnpull_t)
+
+dev_read_sysfs(slrnpull_t)
+
+domain_use_interactive_fds(slrnpull_t)
+
+files_read_etc_files(slrnpull_t)
+
+fs_getattr_all_fs(slrnpull_t)
+fs_search_auto_mountpoints(slrnpull_t)
+
+logging_send_syslog_msg(slrnpull_t)
+
+miscfiles_read_localization(slrnpull_t)
+
+userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
+userdom_dontaudit_search_user_home_dirs(slrnpull_t)
+
+optional_policy(`
+ cron_system_entry(slrnpull_t, slrnpull_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(slrnpull_t)
+')
+
+optional_policy(`
+ udev_read_db(slrnpull_t)
+')
diff --git a/smartmon.fc b/smartmon.fc
new file mode 100644
index 0000000..268ae3d
--- /dev/null
+++ b/smartmon.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+
+#
+# /var
+#
+/var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
+
diff --git a/smartmon.if b/smartmon.if
new file mode 100644
index 0000000..adea9f9
--- /dev/null
+++ b/smartmon.if
@@ -0,0 +1,57 @@
+## Smart disk monitoring daemon policy
+
+#######################################
+##
+## Allow caller to read smartmon temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`smartmon_read_tmp_files',`
+ gen_require(`
+ type fsdaemon_tmp_t;
+ ')
+
+ allow $1 fsdaemon_tmp_t:file read_file_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an smartmon environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`smartmon_admin',`
+ gen_require(`
+ type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
+ type fsdaemon_initrc_exec_t;
+ ')
+
+ allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, fsdaemon_t)
+
+ init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fsdaemon_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, fsdaemon_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, fsdaemon_var_run_t)
+')
diff --git a/smartmon.te b/smartmon.te
new file mode 100644
index 0000000..6b3322b
--- /dev/null
+++ b/smartmon.te
@@ -0,0 +1,121 @@
+policy_module(smartmon, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##

+## Enable additional permissions needed to support
+## devices on 3ware controllers.
+##

+##
+gen_tunable(smartmon_3ware, false)
+
+type fsdaemon_t;
+type fsdaemon_exec_t;
+init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
+
+type fsdaemon_initrc_exec_t;
+init_script_file(fsdaemon_initrc_exec_t)
+
+type fsdaemon_var_run_t;
+files_pid_file(fsdaemon_var_run_t)
+
+type fsdaemon_tmp_t;
+files_tmp_file(fsdaemon_tmp_t)
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };
+dontaudit fsdaemon_t self:capability sys_tty_config;
+allow fsdaemon_t self:process { getcap setcap signal_perms };
+allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
+allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
+allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
+allow fsdaemon_t self:udp_socket create_socket_perms;
+allow fsdaemon_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
+manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
+files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir })
+
+manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t)
+files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file)
+
+kernel_read_kernel_sysctls(fsdaemon_t)
+kernel_read_software_raid_state(fsdaemon_t)
+kernel_read_system_state(fsdaemon_t)
+
+corecmd_exec_all_executables(fsdaemon_t)
+
+corenet_all_recvfrom_unlabeled(fsdaemon_t)
+corenet_all_recvfrom_netlabel(fsdaemon_t)
+corenet_udp_sendrecv_generic_if(fsdaemon_t)
+corenet_udp_sendrecv_generic_node(fsdaemon_t)
+corenet_udp_sendrecv_all_ports(fsdaemon_t)
+
+dev_read_sysfs(fsdaemon_t)
+dev_read_urand(fsdaemon_t)
+
+domain_use_interactive_fds(fsdaemon_t)
+
+files_exec_etc_files(fsdaemon_t)
+files_read_etc_runtime_files(fsdaemon_t)
+files_read_usr_files(fsdaemon_t)
+# for config
+files_read_etc_files(fsdaemon_t)
+
+fs_getattr_all_fs(fsdaemon_t)
+fs_search_auto_mountpoints(fsdaemon_t)
+
+mls_file_read_all_levels(fsdaemon_t)
+#mls_rangetrans_target(fsdaemon_t)
+
+storage_raw_read_fixed_disk(fsdaemon_t)
+storage_raw_write_fixed_disk(fsdaemon_t)
+storage_raw_read_removable_device(fsdaemon_t)
+
+term_dontaudit_search_ptys(fsdaemon_t)
+
+libs_exec_ld_so(fsdaemon_t)
+libs_exec_lib_files(fsdaemon_t)
+
+logging_send_syslog_msg(fsdaemon_t)
+
+miscfiles_read_localization(fsdaemon_t)
+
+seutil_sigchld_newrole(fsdaemon_t)
+
+sysnet_dns_name_resolve(fsdaemon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
+userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
+
+tunable_policy(`smartmon_3ware',`
+ allow fsdaemon_t self:process setfscreate;
+
+ storage_create_fixed_disk_dev(fsdaemon_t)
+ storage_delete_fixed_disk_dev(fsdaemon_t)
+ storage_dev_filetrans_fixed_disk(fsdaemon_t)
+
+ selinux_validate_context(fsdaemon_t)
+
+ seutil_read_file_contexts(fsdaemon_t)
+')
+
+optional_policy(`
+ mta_send_mail(fsdaemon_t)
+')
+
+optional_policy(`
+ udev_read_db(fsdaemon_t)
+')
diff --git a/smokeping.fc b/smokeping.fc
new file mode 100644
index 0000000..9ff2d99
--- /dev/null
+++ b/smokeping.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0)
+
+/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
+
+/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
+
+/var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0)
+
+/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0)
diff --git a/smokeping.if b/smokeping.if
new file mode 100644
index 0000000..8265278
--- /dev/null
+++ b/smokeping.if
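Review bot: `#mls_rangetrans_target(fsdaemon_t)` in the smartmon.te local-policy section is a commented-out rule with no explanation; either remove it or replace it with a note saying why it is held back, since dead rules in policy tend to get re-enabled without review. The combination `corecmd_exec_all_executables(fsdaemon_t)`, `libs_exec_ld_so(fsdaemon_t)` and `libs_exec_lib_files(fsdaemon_t)` is broad for a domain that also holds `sys_rawio sys_admin` and `storage_raw_write_fixed_disk`; presumably it covers smartd running administrator-configured notification scripts, and a why-comment such as `# smartd runs admin-supplied notification scripts -- TODO confirm exec scope` would let a later reviewer judge whether the exec rules can be narrowed. The smartmon.te hunk begins in the earlier part of this diff, above the tunable declaration.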
@@ -0,0 +1,167 @@
+## Smokeping network latency measurement.
+
+########################################
+##
+## Execute a domain transition to run smokeping.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`smokeping_domtrans',`
+ gen_require(`
+ type smokeping_t, smokeping_exec_t;
+ ')
+
+ domtrans_pattern($1, smokeping_exec_t, smokeping_t)
+')
+
+########################################
+##
+## Execute smokeping server in the smokeping domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`smokeping_initrc_domtrans',`
+ gen_require(`
+ type smokeping_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, smokeping_initrc_exec_t)
+')
+
+########################################
+##
+## Read smokeping PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`smokeping_read_pid_files',`
+ gen_require(`
+ type smokeping_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 smokeping_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Manage smokeping PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`smokeping_manage_pid_files',`
+ gen_require(`
+ type smokeping_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t)
+')
+
+########################################
+##
+## Get attributes of smokeping lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`smokeping_getattr_lib_files',`
+ gen_require(`
+ type smokeping_var_lib_t;
+ ')
+
+ getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read smokeping lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`smokeping_read_lib_files',`
+ gen_require(`
+ type smokeping_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
+')
+
+########################################
+##
+## Manage smokeping lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`smokeping_manage_lib_files',`
+ gen_require(`
+ type smokeping_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## a smokeping environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`smokeping_admin',`
+ gen_require(`
+ type smokeping_t, smokeping_initrc_exec_t;
+ ')
+
+ allow $1 smokeping_t:process { ptrace signal_perms };
+ ps_process_pattern($1, smokeping_t)
+
+ smokeping_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 smokeping_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ smokeping_manage_pid_files($1)
+
+ smokeping_manage_lib_files($1)
+')
diff --git a/smokeping.te b/smokeping.te
new file mode 100644
index 0000000..740994a
--- /dev/null
+++ b/smokeping.te
@@ -0,0 +1,77 @@
+policy_module(smokeping, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type smokeping_t;
+type smokeping_exec_t;
+init_daemon_domain(smokeping_t, smokeping_exec_t)
+
+type smokeping_initrc_exec_t;
+init_script_file(smokeping_initrc_exec_t)
+
+type smokeping_var_run_t;
+files_pid_file(smokeping_var_run_t)
+
+type smokeping_var_lib_t;
+files_type(smokeping_var_lib_t)
+
+########################################
+#
+# smokeping local policy
+#
+
+dontaudit smokeping_t self:capability { dac_read_search dac_override };
+allow smokeping_t self:fifo_file rw_fifo_file_perms;
+allow smokeping_t self:udp_socket create_socket_perms;
+allow smokeping_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
+manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
+files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir })
+
+manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } )
+
+corecmd_read_bin_symlinks(smokeping_t)
+
+dev_read_urand(smokeping_t)
+
+files_read_etc_files(smokeping_t)
+files_read_usr_files(smokeping_t)
+files_search_tmp(smokeping_t)
+
+auth_use_nsswitch(smokeping_t)
+auth_dontaudit_read_shadow(smokeping_t)
+
+logging_send_syslog_msg(smokeping_t)
+
+miscfiles_read_localization(smokeping_t)
+
+mta_send_mail(smokeping_t)
+
+netutils_domtrans_ping(smokeping_t)
+
+#######################################
+#
+# local policy for smokeping cgi scripts
+#
+
+optional_policy(`
+ apache_content_template(smokeping_cgi)
+
+ allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms;
+
+ manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+ manage_files_pattern(httpd_smokeping_cgi_script_t, 
 smokeping_var_lib_t, smokeping_var_lib_t)
+
+ getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
+
+ files_search_tmp(httpd_smokeping_cgi_script_t)
+ files_search_var_lib(httpd_smokeping_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
+')
diff --git a/smoltclient.fc b/smoltclient.fc
new file mode 100644
index 0000000..47cc440
--- /dev/null
+++ b/smoltclient.fc
@@ -0,0 +1,2 @@
+/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
+
diff --git a/smoltclient.if b/smoltclient.if
new file mode 100644
index 0000000..a54079b
--- /dev/null
+++ b/smoltclient.if
@@ -0,0 +1 @@
+## The Fedora hardware profiler client
diff --git a/smoltclient.te b/smoltclient.te
new file mode 100644
index 0000000..bc00875
--- /dev/null
+++ b/smoltclient.te
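Review bot: `mta_send_mail(smokeping_t)` and `netutils_domtrans_ping(smokeping_t)` in smokeping.te are called outside any `optional_policy` block, so the module hard-depends on the mta and netutils modules being built; the apache block just below is wrapped, and slrnpull.te and smartmon.te in this same commit wrap their `mta_send_mail` call. Wrapping the two calls keeps the module loadable on a system without those modules and matches the rest of the file. The cgi section's `manage_files_pattern` call is broken across two lines in this rendering; the text itself looks intact.

```m4
# … unchanged: declarations and local policy through miscfiles_read_localization …
optional_policy(`
	mta_send_mail(smokeping_t)
')

optional_policy(`
	netutils_domtrans_ping(smokeping_t)
')
# … unchanged: local policy for smokeping cgi scripts …
```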
@@ -0,0 +1,68 @@
+policy_module(smoltclient, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type smoltclient_t;
+type smoltclient_exec_t;
+application_domain(smoltclient_t, smoltclient_exec_t)
+cron_system_entry(smoltclient_t, smoltclient_exec_t)
+
+type smoltclient_tmp_t;
+files_tmp_file(smoltclient_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow smoltclient_t self:process { setsched getsched };
+
+allow smoltclient_t self:fifo_file rw_fifo_file_perms;
+allow smoltclient_t self:tcp_socket create_socket_perms;
+allow smoltclient_t self:udp_socket create_socket_perms;
+
+can_exec(smoltclient_t, smoltclient_tmp_t)
+manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
+manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
+files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file })
+
+kernel_read_system_state(smoltclient_t)
+kernel_read_network_state(smoltclient_t)
+kernel_read_kernel_sysctls(smoltclient_t)
+
+corecmd_exec_bin(smoltclient_t)
+corecmd_exec_shell(smoltclient_t)
+
+corenet_tcp_connect_http_port(smoltclient_t)
+
+dev_read_sysfs(smoltclient_t)
+
+fs_getattr_all_fs(smoltclient_t)
+fs_getattr_all_dirs(smoltclient_t)
+fs_list_auto_mountpoints(smoltclient_t)
+
+files_getattr_generic_locks(smoltclient_t)
+files_read_etc_files(smoltclient_t)
+files_read_usr_files(smoltclient_t)
+
+auth_use_nsswitch(smoltclient_t)
+
+logging_send_syslog_msg(smoltclient_t)
+
+miscfiles_read_localization(smoltclient_t)
+
+optional_policy(`
+ dbus_system_bus_client(smoltclient_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(smoltclient_t)
+')
+
+optional_policy(`
+ rpm_exec(smoltclient_t)
+ rpm_read_db(smoltclient_t)
+')
diff --git a/snmp.fc b/snmp.fc
new file mode 100644
index 0000000..623c8fa
--- /dev/null
+++ b/snmp.fc
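Review bot: `cron_system_entry(smoltclient_t, smoltclient_exec_t)` is called unconditionally in the declarations block, while slocate.te and slrnpull.te in this same commit wrap the identical call in `optional_policy`; as written the module hard-depends on the cron module being present. Move it into a block: `optional_policy(\`` / `	cron_system_entry(smoltclient_t, smoltclient_exec_t)` / `')`. Separately, `can_exec(smoltclient_t, smoltclient_tmp_t)` lets the domain execute files it writes itself under its tmp label, next to `corecmd_exec_shell`; a why-comment such as `# can_exec on tmp: <reason> -- TODO confirm still required` would record the justification or show the rule can go.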
@@ -0,0 +1,24 @@
+/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/snmp(trap)?d -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+
+/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+#
+# /var
+#
+/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0)
+
+/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/snmp.if b/snmp.if
new file mode 100644
index 0000000..275f9fb
--- /dev/null
+++ b/snmp.if
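Review bot: `/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0)` is missing the trailing `?`, so the pattern only matches entries below `/var/net-snmp` and never the directory itself, which therefore keeps the generic `/var` label while its contents get `snmpd_var_lib_t`; snmpd's `files_var_filetrans` in snmp.te suggests the directory is meant to be its own. Every other directory entry in this file uses `(/.*)?`, so the line should read `/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)`.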
@@ -0,0 +1,147 @@
+## Simple network management protocol services
+
+########################################
+##
+## Connect to snmpd using a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`snmp_stream_connect',`
+ gen_require(`
+ type snmpd_t, snmpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+')
+
+########################################
+##
+## Use snmp over a TCP connection. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`snmp_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Send and receive UDP traffic to SNMP (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`snmp_udp_chat',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Read snmpd libraries.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`snmp_read_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
+########################################
+##
+## dontaudit Read snmpd libraries.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`snmp_dontaudit_read_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+ dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
+ dontaudit $1 snmpd_var_lib_t:file read_file_perms;
+ dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
+')
+
+########################################
+##
+## dontaudit write snmpd libraries files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`snmp_dontaudit_write_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+ dontaudit $1 snmpd_var_lib_t:file write;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an snmp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the snmp domain.
+##
+##
+##
+#
+interface(`snmp_admin',`
+ gen_require(`
+ type snmpd_t, snmpd_log_t;
+ type snmpd_var_lib_t, snmpd_var_run_t;
+ type snmpd_initrc_exec_t;
+ ')
+
+ allow $1 snmpd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, snmpd_t)
+
+ init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 snmpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, snmpd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, snmpd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, snmpd_var_run_t)
+')
diff --git a/snmp.te b/snmp.te
new file mode 100644
index 0000000..eb3c1d0
--- /dev/null
+++ b/snmp.te
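Review bot: `snmp_dontaudit_read_snmp_var_lib_files` drops the blank line after its `gen_require` block and spells the symlink permissions out as `{ getattr read }`, while the `snmp_read_snmp_var_lib_files` interface directly above it uses the `read_lnk_files_pattern` macro for the same access; the two should mirror each other so a reader can confirm the dontaudit set covers exactly what the allow interface grants. Use `dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;` and add the blank line after `')`. That interface starts in the first part of this hunk, above this line.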
@@ -0,0 +1,172 @@
+policy_module(snmp, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+type snmpd_t;
+type snmpd_exec_t;
+init_daemon_domain(snmpd_t, snmpd_exec_t)
+
+type snmpd_initrc_exec_t;
+init_script_file(snmpd_initrc_exec_t)
+
+type snmpd_log_t;
+logging_log_file(snmpd_log_t)
+
+type snmpd_var_run_t;
+files_pid_file(snmpd_var_run_t)
+
+type snmpd_var_lib_t;
+files_type(snmpd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+dontaudit snmpd_t self:capability { sys_module sys_tty_config };
+allow snmpd_t self:process { signal_perms getsched setsched };
+allow snmpd_t self:fifo_file rw_fifo_file_perms;
+allow snmpd_t self:unix_dgram_socket create_socket_perms;
+allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
+allow snmpd_t self:tcp_socket create_stream_socket_perms;
+allow snmpd_t self:udp_socket connected_stream_socket_perms;
+
+allow snmpd_t snmpd_log_t:file manage_file_perms;
+logging_log_filetrans(snmpd_t, snmpd_log_t, file)
+
+manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
+files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
+files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file)
+
+manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
+files_pid_filetrans(snmpd_t, snmpd_var_run_t, file)
+
+kernel_read_device_sysctls(snmpd_t)
+kernel_read_kernel_sysctls(snmpd_t)
+kernel_read_fs_sysctls(snmpd_t)
+kernel_read_net_sysctls(snmpd_t)
+kernel_read_proc_symlinks(snmpd_t)
+kernel_read_system_state(snmpd_t)
+kernel_read_network_state(snmpd_t)
+
+corecmd_exec_bin(snmpd_t)
+corecmd_exec_shell(snmpd_t)
+
+corenet_all_recvfrom_unlabeled(snmpd_t)
+corenet_all_recvfrom_netlabel(snmpd_t)
+corenet_tcp_sendrecv_generic_if(snmpd_t)
+corenet_udp_sendrecv_generic_if(snmpd_t)
+corenet_tcp_sendrecv_generic_node(snmpd_t)
+corenet_udp_sendrecv_generic_node(snmpd_t)
+corenet_tcp_sendrecv_all_ports(snmpd_t)
+corenet_udp_sendrecv_all_ports(snmpd_t)
+corenet_tcp_bind_generic_node(snmpd_t)
+corenet_udp_bind_generic_node(snmpd_t)
+corenet_tcp_bind_snmp_port(snmpd_t)
+corenet_udp_bind_snmp_port(snmpd_t)
+corenet_sendrecv_snmp_server_packets(snmpd_t)
+corenet_tcp_connect_agentx_port(snmpd_t)
+corenet_tcp_bind_agentx_port(snmpd_t)
+corenet_udp_bind_agentx_port(snmpd_t)
+
+dev_list_sysfs(snmpd_t)
+dev_read_sysfs(snmpd_t)
+dev_read_urand(snmpd_t)
+dev_read_rand(snmpd_t)
+dev_getattr_usbfs_dirs(snmpd_t)
+
+domain_use_interactive_fds(snmpd_t)
+domain_signull_all_domains(snmpd_t)
+domain_read_all_domains_state(snmpd_t)
+domain_dontaudit_ptrace_all_domains(snmpd_t)
+domain_exec_all_entry_files(snmpd_t)
+
+files_read_etc_files(snmpd_t)
+files_read_usr_files(snmpd_t)
+files_read_etc_runtime_files(snmpd_t)
+files_search_home(snmpd_t)
+
+fs_getattr_all_dirs(snmpd_t)
+fs_getattr_all_fs(snmpd_t)
+fs_search_auto_mountpoints(snmpd_t)
+
+storage_dontaudit_read_fixed_disk(snmpd_t)
+storage_dontaudit_read_removable_device(snmpd_t)
+
+auth_use_nsswitch(snmpd_t)
+auth_read_all_dirs_except_auth_files(snmpd_t)
+
+init_read_utmp(snmpd_t)
+init_dontaudit_write_utmp(snmpd_t)
+
+logging_send_syslog_msg(snmpd_t)
+
+miscfiles_read_localization(snmpd_t)
+
+seutil_dontaudit_search_config(snmpd_t)
+
+sysnet_read_config(snmpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
+userdom_dontaudit_search_user_home_dirs(snmpd_t)
+
+ifdef(`distro_redhat', `
+ optional_policy(`
+ rpm_read_db(snmpd_t)
+ rpm_dontaudit_manage_db(snmpd_t)
+ ')
+')
+
+optional_policy(`
+ amanda_dontaudit_read_dumpdates(snmpd_t)
+')
+
+optional_policy(`
+ consoletype_exec(snmpd_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(snmpd_t)
+')
+
+optional_policy(`
+ 
 mta_read_config(snmpd_t)
+ mta_search_queue(snmpd_t)
+')
+
+optional_policy(`
+ rpc_search_nfs_state_data(snmpd_t)
+')
+
+optional_policy(`
+ sendmail_read_log(snmpd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(snmpd_t)
+')
+
+optional_policy(`
+ squid_read_config(snmpd_t)
+')
+
+optional_policy(`
+ udev_read_db(snmpd_t)
+')
+
+optional_policy(`
+ virt_stream_connect(snmpd_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(snmpd_t)
+ kernel_write_xen_state(snmpd_t)
+
+ xen_stream_connect(snmpd_t)
+ xen_stream_connect_xenstore(snmpd_t)
+')
diff --git a/snort.fc b/snort.fc
new file mode 100644
index 0000000..7bedd2f
--- /dev/null
+++ b/snort.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0)
+/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
+
+/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
+
+/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
+
+/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0)
diff --git a/snort.if b/snort.if
new file mode 100644
index 0000000..c117e8b
--- /dev/null
+++ b/snort.if
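Review bot: `sys_tty_config` appears both in `allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };` and in the `dontaudit snmpd_t self:capability { sys_module sys_tty_config };` line right after it, so the dontaudit entry is dead — an allowed permission never produces a denial to suppress. The other daemons in this commit use only the `dontaudit ... sys_tty_config` form, so removing it from the allow set is both the consistent and the tighter choice. `allow snmpd_t self:udp_socket connected_stream_socket_perms;` also looks like the wrong permission set for a datagram socket, since it presumably includes the stream-only `listen`/`accept`; `create_socket_perms` is what the tcp/udp lines elsewhere in this commit use. The hunk's capability lines are in its first part, above the corenet rules.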
@@ -0,0 +1,60 @@
+## Snort network intrusion detection system
+
+########################################
+##
+## Execute a domain transition to run snort.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`snort_domtrans',`
+ gen_require(`
+ type snort_t, snort_exec_t;
+ ')
+
+ domtrans_pattern($1, snort_exec_t, snort_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an snort environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the snort domain.
+##
+##
+##
+#
+interface(`snort_admin',`
+ gen_require(`
+ type snort_t, snort_var_run_t, snort_log_t;
+ type snort_etc_t, snort_initrc_exec_t;
+ ')
+
+ allow $1 snort_t:process { ptrace signal_perms };
+ ps_process_pattern($1, snort_t)
+
+ init_labeled_script_domtrans($1, snort_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 snort_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, snort_etc_t)
+ files_search_etc($1)
+
+ admin_pattern($1, snort_log_t)
+ logging_search_logs($1)
+
+ admin_pattern($1, snort_var_run_t)
+ files_search_pids($1)
+')
diff --git a/snort.te b/snort.te
new file mode 100644
index 0000000..179bc1b
--- /dev/null
+++ b/snort.te
@@ -0,0 +1,117 @@
+policy_module(snort, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type snort_t;
+type snort_exec_t;
+init_daemon_domain(snort_t, snort_exec_t)
+
+type snort_etc_t;
+files_config_file(snort_etc_t)
+
+type snort_initrc_exec_t;
+init_script_file(snort_initrc_exec_t)
+
+type snort_log_t;
+logging_log_file(snort_log_t)
+
+type snort_tmp_t;
+files_tmp_file(snort_tmp_t)
+
+type snort_var_run_t;
+files_pid_file(snort_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+dontaudit snort_t self:capability sys_tty_config;
+allow snort_t self:process signal_perms;
+allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow snort_t self:tcp_socket create_stream_socket_perms;
+allow snort_t self:udp_socket create_socket_perms;
+allow snort_t self:packet_socket create_socket_perms;
+allow snort_t self:socket create_socket_perms;
+# Snort IPS node. unverified.
+allow snort_t self:netlink_firewall_socket { bind create getattr };
+
+allow snort_t snort_etc_t:dir list_dir_perms;
+allow snort_t snort_etc_t:file read_file_perms;
+allow snort_t snort_etc_t:lnk_file { getattr read };
+
+manage_files_pattern(snort_t, snort_log_t, snort_log_t)
+create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
+logging_log_filetrans(snort_t, snort_log_t, { file dir })
+
+manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
+manage_files_pattern(snort_t, snort_tmp_t, snort_tmp_t)
+files_tmp_filetrans(snort_t, snort_tmp_t, { file dir })
+
+manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t)
+files_pid_filetrans(snort_t, snort_var_run_t, file)
+
+kernel_read_kernel_sysctls(snort_t)
+kernel_read_sysctl(snort_t)
+kernel_list_proc(snort_t)
+kernel_read_proc_symlinks(snort_t)
+kernel_request_load_module(snort_t)
+kernel_dontaudit_read_system_state(snort_t)
+kernel_read_network_state(snort_t)
+
+corenet_all_recvfrom_unlabeled(snort_t)
+corenet_all_recvfrom_netlabel(snort_t)
+corenet_tcp_sendrecv_generic_if(snort_t)
+corenet_udp_sendrecv_generic_if(snort_t)
+corenet_raw_sendrecv_generic_if(snort_t)
+corenet_tcp_sendrecv_generic_node(snort_t)
+corenet_udp_sendrecv_generic_node(snort_t)
+corenet_raw_sendrecv_generic_node(snort_t)
+corenet_tcp_sendrecv_all_ports(snort_t)
+corenet_udp_sendrecv_all_ports(snort_t)
+corenet_tcp_connect_prelude_port(snort_t)
+
+dev_read_sysfs(snort_t)
+dev_read_rand(snort_t)
+dev_read_urand(snort_t)
+dev_read_usbmon_dev(snort_t)
+# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon
+# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect?
+dev_rw_generic_usb_dev(snort_t)
+
+domain_use_interactive_fds(snort_t)
+
+files_read_etc_files(snort_t)
+files_dontaudit_read_etc_runtime_files(snort_t)
+
+fs_getattr_all_fs(snort_t)
+fs_search_auto_mountpoints(snort_t)
+
+init_read_utmp(snort_t)
+
+logging_send_syslog_msg(snort_t)
+
+miscfiles_read_localization(snort_t)
+
+sysnet_read_config(snort_t)
+# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
+sysnet_dns_name_resolve(snort_t)
+
+userdom_dontaudit_use_unpriv_user_fds(snort_t)
+userdom_dontaudit_search_user_home_dirs(snort_t)
+
+optional_policy(`
+ prelude_manage_spool(snort_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(snort_t)
+')
+
+optional_policy(`
+ udev_read_db(snort_t)
+')
diff --git a/sosreport.fc b/sosreport.fc
new file mode 100644
index 0000000..a40478e
--- /dev/null
+++ b/sosreport.fc
@@ -0,0 +1 @@
+/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
diff --git a/sosreport.if b/sosreport.if
new file mode 100644
index 0000000..94c01b5
--- /dev/null
+++ b/sosreport.if
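Review bot: The two-line comment above `dev_rw_generic_usb_dev(snort_t)` talks about `/dev/usbmon`, but that device is already covered by `dev_read_usbmon_dev(snort_t)` a few lines earlier; the rule the comment actually sits on grants read/write on the generic USB device nodes, which is a wider grant than the comment describes, and the comment's own "Maybe this is a side effect?" says nobody confirmed it is needed. Either correct the comment to name which generic USB nodes snort opens, or, if this is only libpcap probing that can fail harmlessly, replace the allow with a dontaudit and say so in the comment. `kernel_request_load_module(snort_t)` a little earlier in the hunk would also benefit from a one-line why-comment, since a domain that parses network traffic triggering module autoload is a notable grant. The `# Snort IPS node. unverified.` rule carries the same problem and should get a reference or be dropped once verified.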
@@ -0,0 +1,129 @@
+## sosreport - Generate debugging information for system
+
+########################################
+##
+## Execute a domain transition to run sosreport.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`sosreport_domtrans',`
+ gen_require(`
+ type sosreport_t, sosreport_exec_t;
+ ')
+
+ domtrans_pattern($1, sosreport_exec_t, sosreport_t)
+')
+
+########################################
+##
+## Execute sosreport in the sosreport domain, and
+## allow the specified role the sosreport domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`sosreport_run',`
+ gen_require(`
+ type sosreport_t;
+ ')
+
+ sosreport_domtrans($1)
+ role $2 types sosreport_t;
+')
+
+########################################
+##
+## Role access for sosreport
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`sosreport_role',`
+ gen_require(`
+ type sosreport_t;
+ ')
+
+ role $1 types sosreport_t;
+
+ sosreport_domtrans($2)
+
+ ps_process_pattern($2, sosreport_t)
+ allow $2 sosreport_t:process signal;
+')
+
+########################################
+##
+## Allow the specified domain to read
+## sosreport tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sosreport_read_tmp_files',`
+ gen_require(`
+ type sosreport_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
+
+########################################
+##
+## Append sosreport tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sosreport_append_tmp_files',`
+ gen_require(`
+ type sosreport_tmp_t;
+ ')
+
+ append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
+
+########################################
+##
+## Delete sosreport tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sosreport_delete_tmp_files',`
+ gen_require(`
+ type sosreport_tmp_t;
+ ')
+
+ files_delete_tmp_dir_entry($1)
+ delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
diff --git a/sosreport.te b/sosreport.te
new file mode 100644
index 0000000..ebaff2f
--- /dev/null
+++ b/sosreport.te
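Review bot: `sosreport_domtrans` calls `domtrans_pattern($1, sosreport_exec_t, sosreport_t)` without first granting search on the bin directories, whereas `squid_domtrans` later in this series precedes its domtrans with `corecmd_search_bin($1)`; since sosreport.fc labels the binary under /usr/sbin, a caller that does not already have that search permission fails before the transition is reached. Suggest adding `corecmd_search_bin($1)` as the line before `domtrans_pattern` so the interface stands on its own like its siblings. The same omission is in spamassassin.if, in `spamassassin_domtrans_client` and `spamassassin_domtrans_local_client`.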
@@ -0,0 +1,148 @@
+policy_module(sosreport, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type sosreport_t;
+type sosreport_exec_t;
+application_domain(sosreport_t, sosreport_exec_t)
+role system_r types sosreport_t;
+
+type sosreport_tmp_t;
+files_tmp_file(sosreport_tmp_t)
+
+type sosreport_tmpfs_t;
+files_tmpfs_file(sosreport_tmpfs_t)
+
+########################################
+#
+# sosreport local policy
+#
+
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
+allow sosreport_t self:process { setsched signull };
+allow sosreport_t self:fifo_file rw_fifo_file_perms;
+allow sosreport_t self:tcp_socket create_stream_socket_perms;
+allow sosreport_t self:udp_socket create_socket_perms;
+allow sosreport_t self:unix_dgram_socket create_socket_perms;
+allow sosreport_t self:netlink_route_socket r_netlink_socket_perms;
+allow sosreport_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
+
+manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
+fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
+
+kernel_read_network_state(sosreport_t)
+kernel_read_all_sysctls(sosreport_t)
+kernel_read_software_raid_state(sosreport_t)
+kernel_search_debugfs(sosreport_t)
+kernel_read_messages(sosreport_t)
+
+corecmd_exec_all_executables(sosreport_t)
+
+dev_getattr_all_chr_files(sosreport_t)
+dev_getattr_all_blk_files(sosreport_t)
+dev_getattr_mtrr_dev(sosreport_t)
+dev_read_rand(sosreport_t)
+dev_read_urand(sosreport_t)
+dev_read_raw_memory(sosreport_t)
+dev_read_sysfs(sosreport_t)
+
+domain_getattr_all_domains(sosreport_t)
+domain_read_all_domains_state(sosreport_t)
+domain_getattr_all_sockets(sosreport_t)
+domain_getattr_all_pipes(sosreport_t)
+domain_signull_all_domains(sosreport_t)
+
+files_getattr_all_sockets(sosreport_t)
+files_exec_etc_files(sosreport_t)
+files_list_all(sosreport_t)
+files_read_config_files(sosreport_t)
+files_read_etc_files(sosreport_t)
+files_read_generic_tmp_files(sosreport_t)
+files_read_usr_files(sosreport_t)
+files_read_var_lib_files(sosreport_t)
+files_read_var_symlinks(sosreport_t)
+files_read_kernel_modules(sosreport_t)
+files_read_all_symlinks(sosreport_t)
+# for blkid.tab
+files_manage_etc_runtime_files(sosreport_t)
+files_etc_filetrans_etc_runtime(sosreport_t, file)
+
+fs_getattr_all_fs(sosreport_t)
+fs_list_inotifyfs(sosreport_t)
+
+# some config files do not have configfile attribute
+# sosreport needs to read various files on system
+auth_read_all_files_except_auth_files(sosreport_t)
+auth_use_nsswitch(sosreport_t)
+
+init_domtrans_script(sosreport_t)
+
+libs_domtrans_ldconfig(sosreport_t)
+
+logging_read_all_logs(sosreport_t)
+logging_send_syslog_msg(sosreport_t)
+
+miscfiles_read_localization(sosreport_t)
+
+# needed by modinfo
+modutils_read_module_deps(sosreport_t)
+
+sysnet_read_config(sosreport_t)
+
+optional_policy(`
+ abrt_manage_pid_files(sosreport_t)
+')
+
+optional_policy(`
+ cups_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ dmesg_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ fstools_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(sosreport_t)
+
+ optional_policy(`
+ hal_dbus_chat(sosreport_t)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ mount_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ pulseaudio_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ rpm_exec(sosreport_t)
+ rpm_dontaudit_manage_db(sosreport_t)
+ rpm_read_db(sosreport_t)
+')
+
+optional_policy(`
+ xserver_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ unconfined_domain(sosreport_t)
+')
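Review bot: The closing `optional_policy(` unconfined_domain(sosreport_t) ')` makes sosreport_t an unconfined domain whenever the unconfined module is loaded, at which point the enumerated capability set at the top of the rules (`kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override`) together with `dev_read_raw_memory(sosreport_t)`, `auth_read_all_files_except_auth_files(sosreport_t)` and `corecmd_exec_all_executables(sosreport_t)` describe the floor of this domain's reach rather than its ceiling. That block has no comment explaining the intent, unlike the `# for blkid.tab` and `# needed by modinfo` notes above it; a why-comment such as `# sosreport gathers arbitrary system state; where the unconfined module is present it runs unconfined and the explicit rules above only bound it on systems without that module` would tell an auditor which rule set is actually in force. It is also worth confirming that only an administrative role reaches `sosreport_role`, since `sys_ptrace` plus `domain_read_all_domains_state(sosreport_t)` exposes every process's state to whoever can enter this domain.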
diff --git a/soundserver.fc b/soundserver.fc
new file mode 100644
index 0000000..d89b2cb
--- /dev/null
+++ b/soundserver.fc
@@ -0,0 +1,13 @@
+/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
+/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0)
+/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
+
+/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
+/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
+
+/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
+
+/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
+/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
+
+/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
diff --git a/soundserver.if b/soundserver.if
new file mode 100644
index 0000000..93fe7bf
--- /dev/null
+++ b/soundserver.if
@@ -0,0 +1,57 @@
+## sound server for network audio server programs, nasd, yiff, etc
+
+########################################
+##
+## Connect to the sound server over a TCP socket (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`soundserver_tcp_connect',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an soundd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the soundd domain.
+##
+##
+##
+#
+interface(`soundserver_admin',`
+ gen_require(`
+ type soundd_t, soundd_etc_t;
+ type soundd_tmp_t, soundd_var_run_t;
+ type soundd_initrc_exec_t;
+ ')
+
+ allow $1 soundd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, soundd_t)
+
+ init_labeled_script_domtrans($1, soundd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 soundd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, soundd_etc_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, soundd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, soundd_var_run_t)
+')
diff --git a/soundserver.te b/soundserver.te
new file mode 100644
index 0000000..3217605
--- /dev/null
+++ b/soundserver.te
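Review bot: `soundserver_admin` grants `admin_pattern` on soundd_etc_t, soundd_tmp_t and soundd_var_run_t but never on `soundd_state_t`, which soundserver.te declares and soundserver.fc assigns to `/var/state/yiff`, so the administrator role this interface is meant to equip cannot clean up or relabel that state directory. Bringing it in line with the other types means adding `type soundd_state_t;` to the `gen_require`, then `files_list_var($1)` and `admin_pattern($1, soundd_state_t)` after the var_run block. The summary also reads "an soundd environment"; `a soundd environment` is the intended wording.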
@@ -0,0 +1,114 @@
+policy_module(soundserver, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type soundd_t;
+type soundd_exec_t;
+init_daemon_domain(soundd_t, soundd_exec_t)
+
+type soundd_etc_t alias etc_soundd_t;
+files_config_file(soundd_etc_t)
+
+type soundd_initrc_exec_t;
+init_script_file(soundd_initrc_exec_t)
+
+type soundd_state_t;
+files_type(soundd_state_t)
+
+type soundd_tmp_t;
+files_tmp_file(soundd_tmp_t)
+
+# for yiff - probably need some rules for the client support too
+type soundd_tmpfs_t;
+files_tmpfs_file(soundd_tmpfs_t)
+
+type soundd_var_run_t;
+files_pid_file(soundd_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow soundd_t self:capability dac_override;
+dontaudit soundd_t self:capability sys_tty_config;
+allow soundd_t self:process { setpgid signal_perms };
+allow soundd_t self:tcp_socket create_stream_socket_perms;
+allow soundd_t self:udp_socket create_socket_perms;
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+# for yiff
+allow soundd_t self:shm create_shm_perms;
+
+read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
+read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
+
+manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
+manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
+
+manage_dirs_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t)
+manage_files_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t)
+files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir })
+
+manage_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+manage_lnk_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
+fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(soundd_t)
+kernel_list_proc(soundd_t)
+kernel_read_proc_symlinks(soundd_t)
+
+corenet_all_recvfrom_unlabeled(soundd_t)
+corenet_all_recvfrom_netlabel(soundd_t)
+corenet_tcp_sendrecv_generic_if(soundd_t)
+corenet_udp_sendrecv_generic_if(soundd_t)
+corenet_tcp_sendrecv_generic_node(soundd_t)
+corenet_udp_sendrecv_generic_node(soundd_t)
+corenet_tcp_sendrecv_all_ports(soundd_t)
+corenet_udp_sendrecv_all_ports(soundd_t)
+corenet_tcp_bind_generic_node(soundd_t)
+corenet_tcp_bind_soundd_port(soundd_t)
+corenet_sendrecv_soundd_server_packets(soundd_t)
+
+dev_read_sysfs(soundd_t)
+dev_read_sound(soundd_t)
+dev_write_sound(soundd_t)
+
+domain_use_interactive_fds(soundd_t)
+
+files_read_etc_files(soundd_t)
+files_read_etc_runtime_files(soundd_t)
+
+fs_getattr_all_fs(soundd_t)
+fs_search_auto_mountpoints(soundd_t)
+
+logging_send_syslog_msg(soundd_t)
+
+miscfiles_read_localization(soundd_t)
+
+sysnet_read_config(soundd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(soundd_t)
+userdom_dontaudit_search_user_home_dirs(soundd_t)
+
+optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(soundd_t)
+')
+
+optional_policy(`
+ udev_read_db(soundd_t)
+')
diff --git a/spamassassin.fc b/spamassassin.fc
new file mode 100644
index 0000000..6b3abf9
--- /dev/null
+++ b/spamassassin.fc
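Review bot: The second section banner, the `# Declarations` heading placed just before `allow soundd_t self:capability dac_override;`, repeats the title of the first section even though this block holds the domain's rules rather than type declarations. The sibling modules in this series label that section `# Local policy` (speedtouch.te) or `# sosreport local policy` (sosreport.te); change the heading to `# Local policy` so a reader scanning for the rules section finds it. The `# for yiff - probably need some rules for the client support too` comment on soundd_tmpfs_t records unfinished work; marking it `# TODO(yiff): client support rules still missing` would keep it discoverable.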
@@ -0,0 +1,15 @@
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+
+/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
+/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+
+/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+
+/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+
+/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+
+/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
diff --git a/spamassassin.if b/spamassassin.if
new file mode 100644
index 0000000..c954f31
--- /dev/null
+++ b/spamassassin.if
@@ -0,0 +1,227 @@ +## Filter used for removing unsolicited email. + +######################################## +## +## Role access for spamassassin +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`spamassassin_role',` + gen_require(` + type spamc_t, spamc_exec_t, spamc_tmp_t; + type spamassassin_t, spamassassin_exec_t; + type spamassassin_home_t, spamassassin_tmp_t; + ') + + role $1 types { spamc_t spamassassin_t }; + + domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) + ps_process_pattern($2, spamassassin_t) + + domtrans_pattern($2, spamc_exec_t, spamc_t) + ps_process_pattern($2, spamc_t) + + manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) + manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t) + manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) + relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) + relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t) + relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) +') + +######################################## +## +## Execute the standalone spamassassin +## program in the caller directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`spamassassin_exec',` + gen_require(` + type spamassassin_exec_t; + ') + + can_exec($1, spamassassin_exec_t) + +') + +######################################## +## +## Singnal the spam assassin daemon +## +## +## +## Domain allowed access. +## +## +# +interface(`spamassassin_signal_spamd',` + gen_require(` + type spamd_t; + ') + + allow $1 spamd_t:process signal; +') + +######################################## +## +## Execute the spamassassin daemon +## program in the caller directory. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`spamassassin_exec_spamd',` + gen_require(` + type spamd_exec_t; + ') + + can_exec($1, spamd_exec_t) +') + +######################################## +## +## Execute spamassassin client in the spamassassin client domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`spamassassin_domtrans_client',` + gen_require(` + type spamc_t, spamc_exec_t; + ') + + domtrans_pattern($1, spamc_exec_t, spamc_t) +') + +######################################## +## +## Execute the spamassassin client +## program in the caller directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`spamassassin_exec_client',` + gen_require(` + type spamc_exec_t; + ') + + can_exec($1, spamc_exec_t) +') + +######################################## +## +## Execute spamassassin standalone client in the user spamassassin domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`spamassassin_domtrans_local_client',` + gen_require(` + type spamassassin_t, spamassassin_exec_t; + ') + + domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) +') + +######################################## +## +## read spamd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`spamassassin_read_lib_files',` + gen_require(` + type spamd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) +') + +######################################## +## +## Create, read, write, and delete +## spamd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`spamassassin_manage_lib_files',` + gen_require(` + type spamd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) +') + +######################################## +## +## Read temporary spamd file. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`spamassassin_read_spamd_tmp_files',` + gen_require(` + type spamd_tmp_t; + ') + + allow $1 spamd_tmp_t:file read_file_perms; +') + +######################################## +## +## Do not audit attempts to get attributes of temporary +## spamd sockets/ +## +## +## +## Domain to not audit. +## +## +# +interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` + gen_require(` + type spamd_tmp_t; + ') + + dontaudit $1 spamd_tmp_t:sock_file getattr; +') diff --git a/spamassassin.te b/spamassassin.te new file mode 100644 index 0000000..ec1eb1e --- /dev/null +++ b/spamassassin.te @@ -0,0 +1,453 @@ +policy_module(spamassassin, 2.4.0) + +######################################## +# +# Declarations +# + +## +##
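Review bot: The interface summaries carry typos that propagate into the generated policy documentation: `Singnal the spam assassin daemon` on `spamassassin_signal_spamd` should read `Signal the spamassassin daemon`, and the summary of `spamassassin_dontaudit_getattr_spamd_tmp_sockets` ends in `temporary spamd sockets/` with a stray slash where a period belongs. `spamassassin_exec` also has an empty line between `can_exec($1, spamassassin_exec_t)` and its closing `')` that no other interface in the file has. Both `spamassassin_exec` and `spamassassin_exec_spamd` describe running the program "in the caller directory"; `in the caller domain` is what `can_exec` grants, matching the wording used for `squid_exec` and the abrt interfaces elsewhere in this series.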

+## Allow user spamassassin clients to use the network. +##

+##
+gen_tunable(spamassassin_can_network, false) + +## +##

+## Allow spamd to read/write user home directories. +##

+##
+gen_tunable(spamd_enable_home_dirs, true) + +type spamassassin_t; +type spamassassin_exec_t; +typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; +typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; +application_domain(spamassassin_t, spamassassin_exec_t) +ubac_constrained(spamassassin_t) + +type spamassassin_home_t; +typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; +typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; +userdom_user_home_content(spamassassin_home_t) + +type spamassassin_tmp_t; +typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; +typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; +files_tmp_file(spamassassin_tmp_t) +ubac_constrained(spamassassin_tmp_t) + +type spamc_t; +type spamc_exec_t; +typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; +typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; +application_domain(spamc_t, spamc_exec_t) +ubac_constrained(spamc_t) + +type spamc_tmp_t; +typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; +typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; +files_tmp_file(spamc_tmp_t) +ubac_constrained(spamc_tmp_t) + +type spamd_t; +type spamd_exec_t; +init_daemon_domain(spamd_t, spamd_exec_t) + +type spamd_spool_t; +files_type(spamd_spool_t) + +type spamd_tmp_t; +files_tmp_file(spamd_tmp_t) + +# var/lib files +type spamd_var_lib_t; +files_type(spamd_var_lib_t) + +type spamd_var_run_t; +files_pid_file(spamd_var_run_t) + +############################## +# +# Standalone program local policy +# + +allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow spamassassin_t self:fd use; 
+allow spamassassin_t self:fifo_file rw_fifo_file_perms; +allow spamassassin_t self:sock_file read_sock_file_perms; +allow spamassassin_t self:unix_dgram_socket create_socket_perms; +allow spamassassin_t self:unix_stream_socket create_stream_socket_perms; +allow spamassassin_t self:unix_dgram_socket sendto; +allow spamassassin_t self:unix_stream_socket connectto; +allow spamassassin_t self:shm create_shm_perms; +allow spamassassin_t self:sem create_sem_perms; +allow spamassassin_t self:msgq create_msgq_perms; +allow spamassassin_t self:msg { send receive }; + +manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) +manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) +files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir }) + +manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(spamassassin_t) + +dev_read_urand(spamassassin_t) + +fs_search_auto_mountpoints(spamassassin_t) + +# this should probably be removed 
+corecmd_list_bin(spamassassin_t) +corecmd_read_bin_symlinks(spamassassin_t) +corecmd_read_bin_files(spamassassin_t) +corecmd_read_bin_pipes(spamassassin_t) +corecmd_read_bin_sockets(spamassassin_t) + +domain_use_interactive_fds(spamassassin_t) + +files_read_etc_files(spamassassin_t) +files_read_etc_runtime_files(spamassassin_t) +files_list_home(spamassassin_t) +files_read_usr_files(spamassassin_t) +files_dontaudit_search_var(spamassassin_t) + +logging_send_syslog_msg(spamassassin_t) + +miscfiles_read_localization(spamassassin_t) + +# cjp: this could probably be removed +seutil_read_config(spamassassin_t) + +sysnet_dns_name_resolve(spamassassin_t) + +# set tunable if you have spamassassin do DNS lookups +tunable_policy(`spamassassin_can_network',` + allow spamassassin_t self:tcp_socket create_stream_socket_perms; + allow spamassassin_t self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled(spamassassin_t) + corenet_all_recvfrom_netlabel(spamassassin_t) + corenet_tcp_sendrecv_generic_if(spamassassin_t) + corenet_udp_sendrecv_generic_if(spamassassin_t) + corenet_tcp_sendrecv_generic_node(spamassassin_t) + corenet_udp_sendrecv_generic_node(spamassassin_t) + corenet_tcp_sendrecv_all_ports(spamassassin_t) + corenet_udp_sendrecv_all_ports(spamassassin_t) + corenet_tcp_connect_all_ports(spamassassin_t) + corenet_sendrecv_all_client_packets(spamassassin_t) + + sysnet_read_config(spamassassin_t) +') + +tunable_policy(`spamd_enable_home_dirs',` + userdom_manage_user_home_content_dirs(spamd_t) + userdom_manage_user_home_content_files(spamd_t) + userdom_manage_user_home_content_symlinks(spamd_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(spamassassin_t) + fs_manage_nfs_files(spamassassin_t) + fs_manage_nfs_symlinks(spamassassin_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(spamassassin_t) + fs_manage_cifs_files(spamassassin_t) + fs_manage_cifs_symlinks(spamassassin_t) +') + +optional_policy(` + # Write pid file 
and socket in ~/.evolution/cache/tmp + evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) +') + +optional_policy(` + tunable_policy(`spamassassin_can_network && allow_ypbind',` + nis_use_ypbind_uncond(spamassassin_t) + ') +') + +optional_policy(` + mta_read_config(spamassassin_t) + sendmail_stub(spamassassin_t) +') + +######################################## +# +# Client local policy +# + +allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow spamc_t self:fd use; +allow spamc_t self:fifo_file rw_fifo_file_perms; +allow spamc_t self:sock_file read_sock_file_perms; +allow spamc_t self:shm create_shm_perms; +allow spamc_t self:sem create_sem_perms; +allow spamc_t self:msgq create_msgq_perms; +allow spamc_t self:msg { send receive }; +allow spamc_t self:unix_dgram_socket create_socket_perms; +allow spamc_t self:unix_stream_socket create_stream_socket_perms; +allow spamc_t self:unix_dgram_socket sendto; +allow spamc_t self:unix_stream_socket connectto; +allow spamc_t self:tcp_socket create_stream_socket_perms; +allow spamc_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) +manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) +files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) + +# Allow connecting to a local spamd +allow spamc_t spamd_t:unix_stream_socket connectto; +allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; + +kernel_read_kernel_sysctls(spamc_t) + +corenet_all_recvfrom_unlabeled(spamc_t) +corenet_all_recvfrom_netlabel(spamc_t) +corenet_tcp_sendrecv_generic_if(spamc_t) +corenet_udp_sendrecv_generic_if(spamc_t) +corenet_tcp_sendrecv_generic_node(spamc_t) +corenet_udp_sendrecv_generic_node(spamc_t) +corenet_tcp_sendrecv_all_ports(spamc_t) +corenet_udp_sendrecv_all_ports(spamc_t) +corenet_tcp_connect_all_ports(spamc_t) +corenet_sendrecv_all_client_packets(spamc_t) + +fs_search_auto_mountpoints(spamc_t) + +# cjp: these should 
probably be removed: +corecmd_list_bin(spamc_t) +corecmd_read_bin_symlinks(spamc_t) +corecmd_read_bin_files(spamc_t) +corecmd_read_bin_pipes(spamc_t) +corecmd_read_bin_sockets(spamc_t) + +domain_use_interactive_fds(spamc_t) + +files_read_etc_files(spamc_t) +files_read_etc_runtime_files(spamc_t) +files_read_usr_files(spamc_t) +files_dontaudit_search_var(spamc_t) +# cjp: this may be removable: +files_list_home(spamc_t) + +logging_send_syslog_msg(spamc_t) + +miscfiles_read_localization(spamc_t) + +# cjp: this should probably be removed: +seutil_read_config(spamc_t) + +sysnet_read_config(spamc_t) + +optional_policy(` + # Allow connection to spamd socket above + evolution_stream_connect(spamc_t) +') + +optional_policy(` + # Needed for pyzor/razor called from spamd + milter_manage_spamass_state(spamc_t) +') + +optional_policy(` + nis_use_ypbind(spamc_t) +') + +optional_policy(` + nscd_socket_use(spamc_t) +') + +optional_policy(` + mta_read_config(spamc_t) + sendmail_stub(spamc_t) +') + +######################################## +# +# Server local policy +# + +# Spamassassin, when run as root and using per-user config files, +# setuids to the user running spamc. Comment this if you are not +# using this ability. 
+ +allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; +dontaudit spamd_t self:capability sys_tty_config; +allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow spamd_t self:fd use; +allow spamd_t self:fifo_file rw_fifo_file_perms; +allow spamd_t self:sock_file read_sock_file_perms; +allow spamd_t self:shm create_shm_perms; +allow spamd_t self:sem create_sem_perms; +allow spamd_t self:msgq create_msgq_perms; +allow spamd_t self:msg { send receive }; +allow spamd_t self:unix_dgram_socket create_socket_perms; +allow spamd_t self:unix_stream_socket create_stream_socket_perms; +allow spamd_t self:unix_dgram_socket sendto; +allow spamd_t self:unix_stream_socket connectto; +allow spamd_t self:tcp_socket create_stream_socket_perms; +allow spamd_t self:udp_socket create_socket_perms; +allow spamd_t self:netlink_route_socket r_netlink_socket_perms; + +manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) +manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) +files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) + +manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) + +# var/lib files for spamd +allow spamd_t spamd_var_lib_t:dir list_dir_perms; +read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) + +manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) + +kernel_read_all_sysctls(spamd_t) +kernel_read_system_state(spamd_t) + +corenet_all_recvfrom_unlabeled(spamd_t) +corenet_all_recvfrom_netlabel(spamd_t) +corenet_tcp_sendrecv_generic_if(spamd_t) +corenet_udp_sendrecv_generic_if(spamd_t) +corenet_tcp_sendrecv_generic_node(spamd_t) +corenet_udp_sendrecv_generic_node(spamd_t) +corenet_tcp_sendrecv_all_ports(spamd_t) 
+corenet_udp_sendrecv_all_ports(spamd_t) +corenet_tcp_bind_generic_node(spamd_t) +corenet_tcp_bind_spamd_port(spamd_t) +corenet_tcp_connect_razor_port(spamd_t) +corenet_tcp_connect_smtp_port(spamd_t) +corenet_sendrecv_razor_client_packets(spamd_t) +corenet_sendrecv_spamd_server_packets(spamd_t) +# spamassassin 3.1 needs this for its +# DnsResolver.pm module which binds to +# random ports >= 1024. +corenet_udp_bind_generic_node(spamd_t) +corenet_udp_bind_generic_port(spamd_t) +corenet_udp_bind_imaze_port(spamd_t) +corenet_dontaudit_udp_bind_all_ports(spamd_t) +corenet_sendrecv_imaze_server_packets(spamd_t) +corenet_sendrecv_generic_server_packets(spamd_t) + +dev_read_sysfs(spamd_t) +dev_read_urand(spamd_t) + +fs_getattr_all_fs(spamd_t) +fs_search_auto_mountpoints(spamd_t) + +auth_dontaudit_read_shadow(spamd_t) + +corecmd_exec_bin(spamd_t) + +domain_use_interactive_fds(spamd_t) + +files_read_usr_files(spamd_t) +files_read_etc_files(spamd_t) +files_read_etc_runtime_files(spamd_t) +# /var/lib/spamassin +files_read_var_lib_files(spamd_t) + +init_dontaudit_rw_utmp(spamd_t) + +logging_send_syslog_msg(spamd_t) + +miscfiles_read_localization(spamd_t) + +sysnet_read_config(spamd_t) +sysnet_use_ldap(spamd_t) +sysnet_dns_name_resolve(spamd_t) + +userdom_use_unpriv_users_fds(spamd_t) +userdom_search_user_home_dirs(spamd_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(spamd_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(spamd_t) +') + +optional_policy(` + amavis_manage_lib_files(spamd_t) +') + +optional_policy(` + cron_system_entry(spamd_t, spamd_exec_t) +') + +optional_policy(` + daemontools_service_domain(spamd_t, spamd_exec_t) +') + +optional_policy(` + dcc_domtrans_client(spamd_t) + dcc_stream_connect_dccifd(spamd_t) +') + +optional_policy(` + milter_manage_spamass_state(spamd_t) +') + +optional_policy(` + corenet_tcp_connect_mysqld_port(spamd_t) + corenet_sendrecv_mysqld_client_packets(spamd_t) + + mysql_search_db(spamd_t) + 
mysql_stream_connect(spamd_t) +') + +optional_policy(` + nis_use_ypbind(spamd_t) +') + +optional_policy(` + postfix_read_config(spamd_t) +') + +optional_policy(` + corenet_tcp_connect_postgresql_port(spamd_t) + corenet_sendrecv_postgresql_client_packets(spamd_t) + + postgresql_stream_connect(spamd_t) +') + +optional_policy(` + pyzor_domtrans(spamd_t) + pyzor_signal(spamd_t) +') + +optional_policy(` + razor_domtrans(spamd_t) +') + +optional_policy(` + seutil_sigchld_newrole(spamd_t) +') + +optional_policy(` + sendmail_stub(spamd_t) + mta_read_config(spamd_t) +') + +optional_policy(` + udev_read_db(spamd_t) +') diff --git a/speedtouch.fc b/speedtouch.fc new file mode 100644 index 0000000..9760d15 --- /dev/null +++ b/speedtouch.fc @@ -0,0 +1,2 @@ +/usr/sbin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0) + diff --git a/speedtouch.if b/speedtouch.if new file mode 100644 index 0000000..826e2db --- /dev/null +++ b/speedtouch.if @@ -0,0 +1 @@ +## Alcatel speedtouch USB ADSL modem diff --git a/speedtouch.te b/speedtouch.te new file mode 100644 index 0000000..ade10f5 --- /dev/null +++ b/speedtouch.te 
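Review bot: `allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };` is immediately followed by `dontaudit spamd_t self:capability sys_tty_config;`, so sys_tty_config is both granted and dontaudited; the dontaudit is dead, and the allow is out of step with soundserver.te and speedtouch.te, which only dontaudit that capability for their daemons. The comment above the rule tells the reader to comment it out when per-user setuid is not in use, but doing so would also remove dac_override, which the comment does not cover. Suggest splitting it into `allow spamd_t self:capability { setuid setgid };` directly under that comment and `allow spamd_t self:capability dac_override;` on its own line, keeping only the dontaudit for sys_tty_config. The comment `# /var/lib/spamassin` above `files_read_var_lib_files(spamd_t)` also misspells spamassassin.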
@@ -0,0 +1,61 @@
+policy_module(speedtouch, 1.4.0)
+
+#######################################
+#
+# Rules for the speedmgmt_t domain.
+#
+
+type speedmgmt_t;
+type speedmgmt_exec_t;
+init_daemon_domain(speedmgmt_t, speedmgmt_exec_t)
+
+type speedmgmt_tmp_t;
+files_tmp_file(speedmgmt_tmp_t)
+
+type speedmgmt_var_run_t;
+files_pid_file(speedmgmt_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit speedmgmt_t self:capability sys_tty_config;
+allow speedmgmt_t self:process signal_perms;
+
+manage_dirs_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t)
+manage_files_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t)
+files_tmp_filetrans(speedmgmt_t, speedmgmt_tmp_t, { file dir })
+
+manage_files_pattern(speedmgmt_t, speedmgmt_var_run_t, speedmgmt_var_run_t)
+files_pid_filetrans(speedmgmt_t, speedmgmt_var_run_t, file)
+
+kernel_read_kernel_sysctls(speedmgmt_t)
+kernel_list_proc(speedmgmt_t)
+kernel_read_proc_symlinks(speedmgmt_t)
+
+dev_read_sysfs(speedmgmt_t)
+dev_read_usbfs(speedmgmt_t)
+
+domain_use_interactive_fds(speedmgmt_t)
+
+files_read_etc_files(speedmgmt_t)
+files_read_usr_files(speedmgmt_t)
+
+fs_getattr_all_fs(speedmgmt_t)
+fs_search_auto_mountpoints(speedmgmt_t)
+
+logging_send_syslog_msg(speedmgmt_t)
+
+miscfiles_read_localization(speedmgmt_t)
+
+userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
+userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(speedmgmt_t)
+')
+
+optional_policy(`
+ udev_read_db(speedmgmt_t)
+')
diff --git a/squid.fc b/squid.fc
new file mode 100644
index 0000000..6cc4a90
--- /dev/null
+++ b/squid.fc
@@ -0,0 +1,14 @@
+/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+
+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
+/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+
+/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/squid.if b/squid.if
new file mode 100644
index 0000000..d2496bd
--- /dev/null
+++ b/squid.if
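Review bot: The two cachemgr.cgi entries label files with httpd_squid_script_exec_t, a type that squid.te in this series declares only inside `optional_policy(apache_content_template(squid))`; whether the module still installs when the apache module is absent depends on how the build treats file-context entries for undeclared types, so this should be confirmed on a build without apache, or the entries moved behind the same condition if the tooling supports it. Style: the lib/lib64 pair can be folded into one pattern as sysstat.fc in this series does, `/usr/lib(64)?/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)`.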
@@ -0,0 +1,233 @@ +## Squid caching http proxy server + +######################################## +## +## Execute squid in the squid domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`squid_domtrans',` + gen_require(` + type squid_t, squid_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, squid_exec_t, squid_t) +') + +######################################## +## +## Execute squid +## +## +## +## Domain allowed access. +## +## +# +interface(`squid_exec',` + gen_require(` + type squid_exec_t; + ') + + can_exec($1, squid_exec_t) +') + +######################################## +## +## Send generic signals to squid. +## +## +## +## Domain allowed access. +## +## +# +interface(`squid_signal',` + gen_require(` + type squid_t; + ') + + allow $1 squid_t:process signal; +') + +######################################## +## +## Allow read and write squid +## unix domain stream sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`squid_rw_stream_sockets',` + gen_require(` + type squid_t; + ') + + allow $1 squid_t:unix_stream_socket { getattr read write }; +') + +######################################## +## +## Do not audit attempts to search squid cache dirs +## +## +## +## Domain to not audit. +## +## +## +# +interface(`squid_dontaudit_search_cache',` + gen_require(` + type squid_cache_t; + ') + + dontaudit $1 squid_cache_t:dir search_dir_perms; +') + +######################################## +## +## Read squid configuration file. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`squid_read_config',` + gen_require(` + type squid_conf_t; + ') + + files_search_etc($1) + read_files_pattern($1, squid_conf_t, squid_conf_t) +') + +######################################## +## +## Append squid logs. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`squid_read_log',` + gen_require(` + type squid_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, squid_log_t, squid_log_t) +') + +######################################## +## +## Append squid logs. +## +## +## +## Domain allowed access. +## +## +# +interface(`squid_append_log',` + gen_require(` + type squid_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, squid_log_t, squid_log_t) +') + +######################################## +## +## Create, read, write, and delete +## squid logs. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`squid_manage_logs',` + gen_require(` + type squid_log_t; + ') + + logging_search_logs($1) + manage_files_pattern($1, squid_log_t, squid_log_t) +') + +######################################## +## +## Use squid services by connecting over TCP. (Deprecated) +## +## +## +## Domain allowed access. +## +## +# +interface(`squid_use',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## +## All of the rules required to administrate +## an squid environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the squid domain. +## +## +## +# +interface(`squid_admin',` + gen_require(` + type squid_t, squid_cache_t, squid_conf_t; + type squid_log_t, squid_var_run_t; + type squid_initrc_exec_t; + ') + + allow $1 squid_t:process { ptrace signal_perms }; + ps_process_pattern($1, squid_t) + + init_labeled_script_domtrans($1, squid_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 squid_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var($1) + admin_pattern($1, squid_cache_t) + + files_list_etc($1) + admin_pattern($1, squid_conf_t) + + logging_list_logs($1) + admin_pattern($1, squid_log_t) + + files_list_pids($1) + admin_pattern($1, squid_var_run_t) +') diff --git a/squid.te b/squid.te new file mode 100644 index 0000000..4b2230e --- /dev/null +++ b/squid.te 
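Review bot: The summary above `interface(\`squid_read_log'` says "Append squid logs." (a copy of the following interface's header) while the body grants `read_files_pattern($1, squid_log_t, squid_log_t)`; it should read `## Read squid logs.` so the generated documentation matches what the interface actually allows. Separately, `squid_exec` grants `can_exec($1, squid_exec_t)` without the `corecmd_search_bin($1)` that `squid_domtrans` adds, so a caller with no bin-search permission of its own cannot reach /usr/sbin/squid; adding `corecmd_search_bin($1)` keeps the two interfaces consistent.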
@@ -0,0 +1,208 @@ +policy_module(squid, 1.10.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow squid to connect to all ports, not just +## HTTP, FTP, and Gopher ports. +##

+##
+gen_tunable(squid_connect_any, false) + +## +##

+## Allow squid to run as a transparent proxy (TPROXY) +##

+##
+gen_tunable(squid_use_tproxy, false) + +type squid_t; +type squid_exec_t; +init_daemon_domain(squid_t, squid_exec_t) + +# type for /var/cache/squid +type squid_cache_t; +files_type(squid_cache_t) + +type squid_conf_t; +files_type(squid_conf_t) + +type squid_initrc_exec_t; +init_script_file(squid_initrc_exec_t) + +type squid_log_t; +logging_log_file(squid_log_t) + +type squid_tmpfs_t; +files_tmpfs_file(squid_tmpfs_t) + +type squid_var_run_t; +files_pid_file(squid_var_run_t) + +######################################## +# +# Local policy +# + +allow squid_t self:capability { setgid kill setuid dac_override sys_resource }; +dontaudit squid_t self:capability sys_tty_config; +allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; +allow squid_t self:fifo_file rw_fifo_file_perms; +allow squid_t self:sock_file read_sock_file_perms; +allow squid_t self:fd use; +allow squid_t self:shm create_shm_perms; +allow squid_t self:sem create_sem_perms; +allow squid_t self:msgq create_msgq_perms; +allow squid_t self:msg { send receive }; +allow squid_t self:unix_stream_socket create_stream_socket_perms; +allow squid_t self:unix_dgram_socket create_socket_perms; +allow squid_t self:unix_dgram_socket sendto; +allow squid_t self:unix_stream_socket connectto; +allow squid_t self:tcp_socket create_stream_socket_perms; +allow squid_t self:udp_socket create_socket_perms; + +# Grant permissions to create, access, and delete cache files. 
+manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
+manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+
+allow squid_t squid_conf_t:dir list_dir_perms;
+read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
+read_lnk_files_pattern(squid_t, squid_conf_t, squid_conf_t)
+
+can_exec(squid_t, squid_exec_t)
+
+manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
+manage_files_pattern(squid_t, squid_log_t, squid_log_t)
+manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
+logging_log_filetrans(squid_t, squid_log_t, { file dir })
+
+#squid requires the following when run in diskd mode, the recommended setting
+manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
+
+manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
+files_pid_filetrans(squid_t, squid_var_run_t, file)
+
+kernel_read_kernel_sysctls(squid_t)
+kernel_read_system_state(squid_t)
+
+files_dontaudit_getattr_boot_dirs(squid_t)
+
+corenet_all_recvfrom_unlabeled(squid_t)
+corenet_all_recvfrom_netlabel(squid_t)
+corenet_tcp_sendrecv_generic_if(squid_t)
+corenet_udp_sendrecv_generic_if(squid_t)
+corenet_tcp_sendrecv_generic_node(squid_t)
+corenet_udp_sendrecv_generic_node(squid_t)
+corenet_tcp_sendrecv_all_ports(squid_t)
+corenet_udp_sendrecv_all_ports(squid_t)
+corenet_tcp_bind_generic_node(squid_t)
+corenet_udp_bind_generic_node(squid_t)
+corenet_tcp_bind_http_port(squid_t)
+corenet_tcp_bind_http_cache_port(squid_t)
+corenet_udp_bind_http_cache_port(squid_t)
+corenet_tcp_bind_ftp_port(squid_t)
+corenet_tcp_bind_gopher_port(squid_t)
+corenet_udp_bind_gopher_port(squid_t)
+corenet_tcp_bind_squid_port(squid_t)
+corenet_udp_bind_squid_port(squid_t)
+corenet_udp_bind_wccp_port(squid_t)
+corenet_tcp_connect_ftp_port(squid_t)
+corenet_tcp_connect_gopher_port(squid_t)
+corenet_tcp_connect_http_port(squid_t)
+corenet_tcp_connect_http_cache_port(squid_t)
+corenet_tcp_connect_pgpkeyserver_port(squid_t)
+corenet_sendrecv_ftp_client_packets(squid_t)
+corenet_sendrecv_gopher_client_packets(squid_t)
+corenet_sendrecv_http_client_packets(squid_t)
+corenet_sendrecv_http_server_packets(squid_t)
+corenet_sendrecv_http_cache_server_packets(squid_t)
+corenet_sendrecv_http_cache_client_packets(squid_t)
+corenet_sendrecv_pgpkeyserver_client_packets(squid_t)
+corenet_sendrecv_squid_client_packets(squid_t)
+corenet_sendrecv_squid_server_packets(squid_t)
+corenet_sendrecv_wccp_server_packets(squid_t)
+
+dev_read_sysfs(squid_t)
+dev_read_urand(squid_t)
+
+fs_getattr_all_fs(squid_t)
+fs_search_auto_mountpoints(squid_t)
+fs_list_inotifyfs(squid_t)
+
+selinux_dontaudit_getattr_dir(squid_t)
+
+term_dontaudit_getattr_pty_dirs(squid_t)
+
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+corecmd_exec_bin(squid_t)
+corecmd_exec_shell(squid_t)
+
+domain_use_interactive_fds(squid_t)
+
+files_read_etc_files(squid_t)
+files_read_etc_runtime_files(squid_t)
+files_read_usr_files(squid_t)
+files_search_spool(squid_t)
+files_dontaudit_getattr_tmp_dirs(squid_t)
+files_getattr_home_dir(squid_t)
+
+auth_use_nsswitch(squid_t)
+auth_domtrans_chk_passwd(squid_t)
+
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+libs_exec_lib_files(squid_t)
+
+logging_send_syslog_msg(squid_t)
+
+miscfiles_read_generic_certs(squid_t)
+miscfiles_read_localization(squid_t)
+
+userdom_use_unpriv_users_fds(squid_t)
+userdom_dontaudit_search_user_home_dirs(squid_t)
+
+tunable_policy(`squid_connect_any',`
+ corenet_tcp_connect_all_ports(squid_t)
+ corenet_tcp_bind_all_ports(squid_t)
+ corenet_sendrecv_all_packets(squid_t)
+')
+
+tunable_policy(`squid_use_tproxy',`
+ allow squid_t self:capability net_admin;
+ corenet_tcp_bind_netport_port(squid_t)
+')
+
+optional_policy(`
+ apache_content_template(squid)
+
+ allow httpd_squid_script_t self:tcp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+ corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+ corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+
+ sysnet_dns_name_resolve(httpd_squid_script_t)
+
+ squid_read_config(httpd_squid_script_t)
+')
+
+optional_policy(`
+ cron_system_entry(squid_t, squid_exec_t)
+')
+
+optional_policy(`
+ samba_domtrans_winbind_helper(squid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(squid_t)
+')
+
+optional_policy(`
+ udev_read_db(squid_t)
+')
diff --git a/sssd.fc b/sssd.fc
new file mode 100644
index 0000000..4271815
--- /dev/null
+++ b/sssd.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+
+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+
+/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
+/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
+/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
+
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/sssd.if b/sssd.if
new file mode 100644
index 0000000..941380a
--- /dev/null
+++ b/sssd.if
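Review bot: `allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };` (earlier in this hunk, in the local-policy section) is a negated set, so squid_t silently receives every process permission that is not listed, including any permission added to the policy in the future; an explicit list of what squid needs (signal_perms, setrlimit, setsched and so on) keeps the domain at least privilege and makes later additions deliberate. Inside `tunable_policy(\`squid_connect_any',\`…')` the rules also grant `corenet_tcp_bind_all_ports(squid_t)`, which the tunable's description ("connect to all ports") does not mention; if only outbound connections are intended, dropping the bind rule narrows what an operator turns on, otherwise the description should say that binding is included too.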
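Review bot: `/var/run/sssd.pid` leaves the dot unescaped, so the pattern also matches names such as /var/run/sssdXpid; every other pid entry in this series escapes it, and the line should be `/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)`. sssd.te in this series also allows directory creation under /var/run via `files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })`, yet no `/var/run/sssd(/.*)?` entry exists here, so if the daemon does create such a directory its label would not survive a relabel; a matching entry would be needed in that case.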
@@ -0,0 +1,255 @@ +## System Security Services Daemon + +######################################## +## +## Execute a domain transition to run sssd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`sssd_domtrans',` + gen_require(` + type sssd_t, sssd_exec_t; + ') + + domtrans_pattern($1, sssd_exec_t, sssd_t) +') + +######################################## +## +## Execute sssd server in the sssd domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`sssd_initrc_domtrans',` + gen_require(` + type sssd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, sssd_initrc_exec_t) +') + +######################################## +## +## Read sssd public files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_read_public_files',` + gen_require(` + type sssd_public_t; + ') + + sssd_search_lib($1) + read_files_pattern($1, sssd_public_t, sssd_public_t) +') + +######################################## +## +## Read sssd PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_read_pid_files',` + gen_require(` + type sssd_var_run_t; + ') + + files_search_pids($1) + allow $1 sssd_var_run_t:file read_file_perms; +') + +######################################## +## +## Manage sssd var_run files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_manage_pids',` + gen_require(` + type sssd_var_run_t; + ') + + manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) + manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) +') + +######################################## +## +## Search sssd lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_search_lib',` + gen_require(` + type sssd_var_lib_t; + ') + + allow $1 sssd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Do not audit attempts to search sssd lib directories. +## +## +## +## Domain to not audit. 
+## +## +# +interface(`sssd_dontaudit_search_lib',` + gen_require(` + type sssd_var_lib_t; + ') + + dontaudit $1 sssd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read sssd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_read_lib_files',` + gen_require(` + type sssd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) +') + +######################################## +## +## Create, read, write, and delete +## sssd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_manage_lib_files',` + gen_require(` + type sssd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) +') + +######################################## +## +## Send and receive messages from +## sssd over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_dbus_chat',` + gen_require(` + type sssd_t; + class dbus send_msg; + ') + + allow $1 sssd_t:dbus send_msg; + allow sssd_t $1:dbus send_msg; +') + +######################################## +## +## Connect to sssd over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_stream_connect',` + gen_require(` + type sssd_t, sssd_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t) +') + +######################################## +## +## All of the rules required to administrate +## an sssd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the sssd domain. +## +## +## +## +## The type of the user terminal. 
+## +## +## +# +interface(`sssd_admin',` + gen_require(` + type sssd_t, sssd_public_t; + type sssd_initrc_exec_t; + ') + + allow $1 sssd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, sssd_t, sssd_t) + + # Allow sssd_t to restart the apache service + sssd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 sssd_initrc_exec_t system_r; + allow $2 system_r; + + sssd_manage_pids($1) + + sssd_manage_lib_files($1) + + admin_pattern($1, sssd_public_t) +') diff --git a/sssd.te b/sssd.te new file mode 100644 index 0000000..8ffa257 --- /dev/null +++ b/sssd.te 
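Review bot: `sssd_stream_connect` calls `files_search_pids($1)` but the socket it connects to is typed sssd_var_lib_t, which the sssd.fc hunk in this series places under /var/lib; the caller therefore gets no search permission on /var/lib and the connect fails before it reaches the socket, so `files_search_var_lib($1)` (or `sssd_search_lib($1)`) is what belongs there. In `sssd_admin` the comment `# Allow sssd_t to restart the apache service` is a leftover from another module and should describe this rule, e.g. `# Allow the admin domain to start and stop sssd via its init script`. The same interface uses `read_files_pattern($1, sssd_t, sssd_t)` where the other _admin interfaces in this series use `ps_process_pattern($1, sssd_t)`; the latter is the established idiom for reading a domain's /proc state.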
@@ -0,0 +1,90 @@
+policy_module(sssd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type sssd_t;
+type sssd_exec_t;
+init_daemon_domain(sssd_t, sssd_exec_t)
+
+type sssd_initrc_exec_t;
+init_script_file(sssd_initrc_exec_t)
+
+type sssd_public_t;
+files_pid_file(sssd_public_t)
+
+type sssd_var_lib_t;
+files_type(sssd_var_lib_t)
+
+type sssd_var_log_t;
+logging_log_file(sssd_var_log_t)
+
+type sssd_var_run_t;
+files_pid_file(sssd_var_run_t)
+
+########################################
+#
+# sssd local policy
+#
+allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
+allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
+manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+
+manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+logging_log_filetrans(sssd_t, sssd_var_log_t, file)
+
+manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+
+kernel_read_system_state(sssd_t)
+
+corecmd_exec_bin(sssd_t)
+
+dev_read_urand(sssd_t)
+
+domain_read_all_domains_state(sssd_t)
+domain_obj_id_change_exemption(sssd_t)
+
+files_list_tmp(sssd_t)
+files_read_etc_files(sssd_t)
+files_read_usr_files(sssd_t)
+
+fs_list_inotifyfs(sssd_t)
+
+selinux_validate_context(sssd_t)
+
+seutil_read_file_contexts(sssd_t)
+
+mls_file_read_to_clearance(sssd_t)
+
+auth_use_nsswitch(sssd_t)
+auth_domtrans_chk_passwd(sssd_t)
+auth_domtrans_upd_passwd(sssd_t)
+
+init_read_utmp(sssd_t)
+
+logging_send_syslog_msg(sssd_t)
+logging_send_audit_msgs(sssd_t)
+
+miscfiles_read_localization(sssd_t)
+
+optional_policy(`
+ dbus_system_bus_client(sssd_t)
+ dbus_connect_system_bus(sssd_t)
+')
+
+optional_policy(`
+ kerberos_manage_host_rcache(sssd_t)
+')
diff --git a/stunnel.fc b/stunnel.fc
new file mode 100644
index 0000000..50e29aa
--- /dev/null
+++ b/stunnel.fc
@@ -0,0 +1,7 @@
+/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0)
+
+/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
+
+/usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
+
+/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
diff --git a/stunnel.if b/stunnel.if
new file mode 100644
index 0000000..6073656
--- /dev/null
+++ b/stunnel.if
@@ -0,0 +1,25 @@
+## SSL Tunneling Proxy
+
+########################################
+##
+## Define the specified domain as a stunnel inetd service.
+##
+##
+##
+## The type associated with the stunnel inetd service process.
+##
+##
+##
+##
+## The type associated with the process program.
+##
+##
+#
+interface(`stunnel_service_domain',`
+ gen_require(`
+ type stunnel_t;
+ ')
+
+ domtrans_pattern(stunnel_t,$2,$1)
+ allow $1 stunnel_t:tcp_socket rw_socket_perms;
+')
diff --git a/stunnel.te b/stunnel.te
new file mode 100644
index 0000000..f646c66
--- /dev/null
+++ b/stunnel.te
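Review bot: `files_pid_file(sssd_public_t)` in the declarations gives sssd_public_t the pid-file attribute although the sssd.fc hunk in this series places it at /var/lib/sss/pubconf, so every interface that acts on all pid files (manage, relabel, delete of runtime data) reaches this directory even though it is not runtime state under /var/run; `files_type(sssd_public_t)` matches where the files actually live. `allow sssd_t self:fifo_file rw_file_perms;` should be `rw_fifo_file_perms` as in the neighbouring modules. `domain_read_all_domains_state(sssd_t)` grants read of every domain's /proc state, which is broad for a name-service daemon; if there is a specific reason for it, a comment on that line would help a later reviewer narrow it instead of carrying it forward.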
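Review bot: `stunnel_service_domain` sets up `domtrans_pattern(stunnel_t,$2,$1)` but never authorises the target domain for the role stunnel_t runs in, whereas `tcpd_wrapped_domain` in this series adds `role system_r types $1;` next to its domtrans; without it every caller has to add the role statement itself or the transition is refused at the role check. Adding `role system_r;` to the gen_require block and `role system_r types $1;` after the domtrans makes the two wrapper interfaces behave alike. Style: `domtrans_pattern(stunnel_t, $2, $1)` with spaces after the commas matches the rest of the series.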
@@ -0,0 +1,123 @@
+policy_module(stunnel, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type stunnel_t;
+domain_type(stunnel_t)
+role system_r types stunnel_t;
+
+type stunnel_exec_t;
+domain_entry_file(stunnel_t, stunnel_exec_t)
+
+ifdef(`distro_gentoo',`
+ init_daemon_domain(stunnel_t, stunnel_exec_t)
+',`
+ inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
+')
+
+type stunnel_etc_t;
+files_config_file(stunnel_etc_t)
+
+type stunnel_tmp_t;
+files_tmp_file(stunnel_tmp_t)
+
+type stunnel_var_run_t;
+files_pid_file(stunnel_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow stunnel_t self:capability { setgid setuid sys_chroot };
+allow stunnel_t self:process signal_perms;
+allow stunnel_t self:fifo_file rw_fifo_file_perms;
+allow stunnel_t self:tcp_socket create_stream_socket_perms;
+allow stunnel_t self:udp_socket create_socket_perms;
+
+allow stunnel_t stunnel_etc_t:dir list_dir_perms;
+allow stunnel_t stunnel_etc_t:file read_file_perms;
+allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
+
+manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
+
+manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
+manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
+files_pid_filetrans(stunnel_t, stunnel_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(stunnel_t)
+kernel_read_system_state(stunnel_t)
+kernel_read_network_state(stunnel_t)
+
+corecmd_exec_bin(stunnel_t)
+
+corenet_all_recvfrom_unlabeled(stunnel_t)
+corenet_all_recvfrom_netlabel(stunnel_t)
+corenet_tcp_sendrecv_generic_if(stunnel_t)
+corenet_udp_sendrecv_generic_if(stunnel_t)
+corenet_tcp_sendrecv_generic_node(stunnel_t)
+corenet_udp_sendrecv_generic_node(stunnel_t)
+corenet_tcp_sendrecv_all_ports(stunnel_t)
+corenet_udp_sendrecv_all_ports(stunnel_t)
+corenet_tcp_bind_generic_node(stunnel_t)
+corenet_tcp_connect_all_ports(stunnel_t)
+
+fs_getattr_all_fs(stunnel_t)
+
+auth_use_nsswitch(stunnel_t)
+
+logging_send_syslog_msg(stunnel_t)
+
+miscfiles_read_localization(stunnel_t)
+
+sysnet_read_config(stunnel_t)
+
+ifdef(`distro_gentoo', `
+ dontaudit stunnel_t self:capability sys_tty_config;
+ allow stunnel_t self:udp_socket create_socket_perms;
+
+ dev_read_sysfs(stunnel_t)
+
+ fs_search_auto_mountpoints(stunnel_t)
+
+ domain_use_interactive_fds(stunnel_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
+ userdom_dontaudit_search_user_home_dirs(stunnel_t)
+
+ optional_policy(`
+ daemontools_service_domain(stunnel_t, stunnel_exec_t)
+ ')
+
+ optional_policy(`
+ seutil_sigchld_newrole(stunnel_t)
+ ')
+
+ optional_policy(`
+ udev_read_db(stunnel_t)
+ ')
+',`
+ allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+ dev_read_urand(stunnel_t)
+
+ files_read_etc_files(stunnel_t)
+ files_read_etc_runtime_files(stunnel_t)
+ files_search_home(stunnel_t)
+
+ optional_policy(`
+ kerberos_use(stunnel_t)
+ ')
+')
+
+# hack since this port has no interfaces since it doesnt
+# have net_contexts
+gen_require(`
+ type stunnel_port_t;
+')
+allow stunnel_t stunnel_port_t:tcp_socket name_bind;
diff --git a/sxid.fc b/sxid.fc
new file mode 100644
index 0000000..bc3797b
--- /dev/null
+++ b/sxid.fc
@@ -0,0 +1,6 @@
+/usr/bin/sxid -- gen_context(system_u:object_r:sxid_exec_t,s0)
+/usr/sbin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0)
+
+/var/log/setuid.* -- gen_context(system_u:object_r:sxid_log_t,s0)
+/var/log/setuid\.today.* -- gen_context(system_u:object_r:sxid_log_t,s0)
+/var/log/sxid\.log.* -- gen_context(system_u:object_r:sxid_log_t,s0)
diff --git a/sxid.if b/sxid.if
new file mode 100644
index 0000000..dd8ac62
--- /dev/null
+++ b/sxid.if
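Review bot: `dev_read_urand(stunnel_t)` and `files_read_etc_files(stunnel_t)` sit only in the non-Gentoo branch of the second `ifdef(\`distro_gentoo', …)`, while the rules reading stunnel_etc_t under /etc are unconditional; on Gentoo the domain apparently gets neither search on /etc to reach /etc/stunnel nor urandom access for its TLS key and session material unless some other interface supplies them, so both lines look like they belong above the ifdef rather than in one branch. In the Gentoo branch `allow stunnel_t self:udp_socket create_socket_perms;` duplicates the unconditional rule earlier in the hunk and can go. `corenet_tcp_connect_all_ports(stunnel_t)` is unconditional although stunnel's backends are fixed in its configuration; a tunable on the pattern of `squid_connect_any` in this series would let deployments that only tunnel to a known port keep the narrower default.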
@@ -0,0 +1,22 @@
+## SUID/SGID program monitoring
+
+########################################
+##
+## Allow the specified domain to read
+## sxid log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`sxid_read_log',`
+ gen_require(`
+ type sxid_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 sxid_log_t:file read_file_perms;
+')
diff --git a/sxid.te b/sxid.te
new file mode 100644
index 0000000..045fb86
--- /dev/null
+++ b/sxid.te
@@ -0,0 +1,97 @@
+policy_module(sxid, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type sxid_t;
+type sxid_exec_t;
+application_domain(sxid_t, sxid_exec_t)
+
+type sxid_log_t;
+logging_log_file(sxid_log_t)
+
+type sxid_tmp_t;
+files_tmp_file(sxid_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sxid_t self:capability { dac_override dac_read_search fsetid };
+dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
+allow sxid_t self:process signal_perms;
+allow sxid_t self:fifo_file rw_fifo_file_perms;
+allow sxid_t self:tcp_socket create_stream_socket_perms;
+allow sxid_t self:udp_socket create_socket_perms;
+
+allow sxid_t sxid_log_t:file manage_file_perms;
+logging_log_filetrans(sxid_t, sxid_log_t, file)
+
+manage_dirs_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
+manage_files_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
+files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir })
+
+kernel_read_system_state(sxid_t)
+kernel_read_kernel_sysctls(sxid_t)
+
+corecmd_exec_bin(sxid_t)
+corecmd_exec_shell(sxid_t)
+
+corenet_all_recvfrom_unlabeled(sxid_t)
+corenet_all_recvfrom_netlabel(sxid_t)
+corenet_tcp_sendrecv_generic_if(sxid_t)
+corenet_udp_sendrecv_generic_if(sxid_t)
+corenet_tcp_sendrecv_generic_node(sxid_t)
+corenet_udp_sendrecv_generic_node(sxid_t)
+corenet_tcp_sendrecv_all_ports(sxid_t)
+corenet_udp_sendrecv_all_ports(sxid_t)
+
+dev_read_sysfs(sxid_t)
+dev_getattr_all_blk_files(sxid_t)
+dev_getattr_all_chr_files(sxid_t)
+
+domain_use_interactive_fds(sxid_t)
+
+files_list_all(sxid_t)
+files_getattr_all_symlinks(sxid_t)
+files_getattr_all_pipes(sxid_t)
+files_getattr_all_sockets(sxid_t)
+
+fs_getattr_xattr_fs(sxid_t)
+fs_search_auto_mountpoints(sxid_t)
+fs_list_all(sxid_t)
+
+term_dontaudit_use_console(sxid_t)
+
+auth_read_all_files_except_auth_files(sxid_t)
+auth_dontaudit_getattr_shadow(sxid_t)
+
+init_use_fds(sxid_t)
+init_use_script_ptys(sxid_t)
+
+logging_send_syslog_msg(sxid_t)
+
+miscfiles_read_localization(sxid_t)
+
+mount_exec(sxid_t)
+
+sysnet_read_config(sxid_t)
+
+userdom_dontaudit_use_unpriv_user_fds(sxid_t)
+
+cron_system_entry(sxid_t, sxid_exec_t)
+
+optional_policy(`
+ mta_send_mail(sxid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(sxid_t)
+')
+
+optional_policy(`
+ udev_read_db(sxid_t)
+')
diff --git a/sysstat.fc b/sysstat.fc
new file mode 100644
index 0000000..08d999c
--- /dev/null
+++ b/sysstat.fc
@@ -0,0 +1,8 @@
+
+/usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib(64)?/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+
+/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
+/var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
+/var/log/sysstat(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
diff --git a/sysstat.if b/sysstat.if
new file mode 100644
index 0000000..7a23b3b
--- /dev/null
+++ b/sysstat.if
@@ -0,0 +1,21 @@
+## Policy for sysstat. Reports on various system states
+
+########################################
+##
+## Manage sysstat logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`sysstat_manage_log',`
+ gen_require(`
+ type sysstat_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_files_pattern($1, sysstat_log_t, sysstat_log_t)
+')
diff --git a/sysstat.te b/sysstat.te
new file mode 100644
index 0000000..52f0d6c
--- /dev/null
+++ b/sysstat.te
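Review bot: `cron_system_entry(sxid_t, sxid_exec_t)` is called unconditionally, while squid.te and sysstat.te in the same series wrap the same call in `optional_policy(\`…')`; when the cron module is not loaded this module fails to link, so it should become `optional_policy(\` cron_system_entry(sxid_t, sxid_exec_t) ')` on three lines like its neighbours. `mount_exec(sxid_t)` is likewise unconditional even though mount is its own module. The hunk also grants `auth_read_all_files_except_auth_files(sxid_t)`: locating setuid/setgid files needs only the search and getattr access already given by `files_list_all` and `fs_list_all`, so if the extra read is there because sxid checksums the files it finds, a comment saying so would justify it; otherwise the read rule looks wider than the scan requires.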
@@ -0,0 +1,70 @@
+policy_module(sysstat, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type sysstat_t;
+type sysstat_exec_t;
+init_system_domain(sysstat_t, sysstat_exec_t)
+role system_r types sysstat_t;
+
+type sysstat_log_t;
+logging_log_file(sysstat_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
+dontaudit sysstat_t self:capability sys_admin;
+allow sysstat_t self:fifo_file rw_fifo_file_perms;
+
+can_exec(sysstat_t, sysstat_exec_t)
+
+manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
+logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
+
+# get info from /proc
+kernel_read_system_state(sysstat_t)
+kernel_read_network_state(sysstat_t)
+kernel_read_kernel_sysctls(sysstat_t)
+kernel_read_fs_sysctls(sysstat_t)
+kernel_read_rpc_sysctls(sysstat_t)
+
+corecmd_exec_bin(sysstat_t)
+
+dev_read_urand(sysstat_t)
+dev_read_sysfs(sysstat_t)
+
+files_search_var(sysstat_t)
+# for mtab
+files_read_etc_runtime_files(sysstat_t)
+#for fstab
+files_read_etc_files(sysstat_t)
+
+fs_getattr_xattr_fs(sysstat_t)
+fs_list_inotifyfs(sysstat_t)
+
+term_use_console(sysstat_t)
+term_use_all_terms(sysstat_t)
+
+init_use_fds(sysstat_t)
+
+locallogin_use_fds(sysstat_t)
+
+miscfiles_read_localization(sysstat_t)
+
+userdom_dontaudit_list_user_home_dirs(sysstat_t)
+
+optional_policy(`
+ cron_system_entry(sysstat_t, sysstat_exec_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(sysstat_t)
+')
diff --git a/tcpd.fc b/tcpd.fc
new file mode 100644
index 0000000..2e8d7a1
--- /dev/null
+++ b/tcpd.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0)
diff --git a/tcpd.if b/tcpd.if
new file mode 100644
index 0000000..2075ebb
--- /dev/null
+++ b/tcpd.if
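Review bot: `logging_send_syslog_msg(sysstat_t)` is wrapped in `optional_policy(\`…')` at the end of the hunk whereas every other module in this series calls it unconditionally (the logging module is part of the base policy), so the wrapper only hides the call from readers looking for the usual line. `term_use_console(sysstat_t)` together with `term_use_all_terms(sysstat_t)` lets a cron-driven statistics collector read and write every terminal on the system; `init_use_fds` and `locallogin_use_fds` already cover inherited descriptors, so if the intent is just to let sa1/sa2 print to the invoking tty a comment should say which case needs all terminals, otherwise the rule deserves narrowing. Style: `manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)` and the lnk_files line are missing the spaces after the commas used elsewhere in the file, and `role system_r types sysstat_t;` after `init_system_domain` duplicates what the speedtouch and squid hunks rely on that macro to provide.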
@@ -0,0 +1,45 @@
+## Policy for TCP daemon.
+
+########################################
+##
+## Execute tcpd in the tcpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`tcpd_domtrans',`
+ gen_require(`
+ type tcpd_t, tcpd_exec_t;
+ ')
+
+ domtrans_pattern($1, tcpd_exec_t, tcpd_t)
+')
+
+########################################
+##
+## Create a domain for services that
+## utilize tcp wrappers.
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+#
+interface(`tcpd_wrapped_domain',`
+ gen_require(`
+ type tcpd_t;
+ role system_r;
+ ')
+
+ domtrans_pattern(tcpd_t, $2, $1)
+ role system_r types $1;
+')
diff --git a/tcpd.te b/tcpd.te
new file mode 100644
index 0000000..7038b55
--- /dev/null
+++ b/tcpd.te
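Review bot: `tcpd_domtrans` performs `domtrans_pattern($1, tcpd_exec_t, tcpd_t)` without the `corecmd_search_bin($1)` that `squid_domtrans` in this series adds, so a caller with no bin-search permission of its own is denied on /usr/sbin before the transition is ever attempted and sees an unexplained directory denial. Adding `corecmd_search_bin($1)` ahead of the domtrans keeps the domtrans interfaces in this series consistent.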
@@ -0,0 +1,50 @@
+policy_module(tcpd, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+type tcpd_t;
+type tcpd_exec_t;
+inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
+role system_r types tcpd_t;
+
+type tcpd_tmp_t;
+files_tmp_file(tcpd_tmp_t)
+
+########################################
+#
+# Local policy
+#
+allow tcpd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
+
+corenet_all_recvfrom_unlabeled(tcpd_t)
+corenet_all_recvfrom_netlabel(tcpd_t)
+corenet_tcp_sendrecv_generic_if(tcpd_t)
+corenet_tcp_sendrecv_generic_node(tcpd_t)
+corenet_tcp_sendrecv_all_ports(tcpd_t)
+
+fs_getattr_xattr_fs(tcpd_t)
+
+# Run other daemons in the inetd child domain.
+corecmd_search_bin(tcpd_t)
+
+files_read_etc_files(tcpd_t)
+# no good reason for files_dontaudit_search_var, probably nscd
+files_dontaudit_search_var(tcpd_t)
+
+logging_send_syslog_msg(tcpd_t)
+
+miscfiles_read_localization(tcpd_t)
+
+sysnet_read_config(tcpd_t)
+
+inetd_domtrans_child(tcpd_t)
+
+optional_policy(`
+ nis_use_ypbind(tcpd_t)
+')
diff --git a/tcsd.fc b/tcsd.fc
new file mode 100644
index 0000000..1a6527c
--- /dev/null
+++ b/tcsd.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
+/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
diff --git a/tcsd.if b/tcsd.if
new file mode 100644
index 0000000..595f5a7
--- /dev/null
+++ b/tcsd.if
@@ -0,0 +1,150 @@
+## TSS Core Services (TCS) daemon (tcsd) policy
+
+########################################
+##
+## Execute a domain transition to run tcsd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tcsd_domtrans',`
+ gen_require(`
+ type tcsd_t, tcsd_exec_t;
+ ')
+
+ domtrans_pattern($1, tcsd_exec_t, tcsd_t)
+')
+
+########################################
+##
+## Execute tcsd server in the tcsd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`tcsd_initrc_domtrans',`
+ gen_require(`
+ type tcsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, tcsd_initrc_exec_t)
+')
+
+########################################
+##
+## Search tcsd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tcsd_search_lib',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ allow $1 tcsd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Manage tcsd lib dirs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tcsd_manage_lib_dirs',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
+')
+
+########################################
+##
+## Read tcsd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tcsd_read_lib_files',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## tcsd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tcsd_manage_lib_files',`
+ gen_require(`
+ type tcsd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an tcsd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`tcsd_admin',`
+ gen_require(`
+ type tcsd_t;
+ type tcsd_initrc_exec_t;
+ type tcsd_var_lib_t;
+ ')
+
+ allow $1 tcsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tcsd_t)
+
+ tcsd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 tcsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, tcsd_var_lib_t)
+')
diff --git a/tcsd.te b/tcsd.te
new file mode 100644
index 0000000..ee9f3c6
--- /dev/null
+++ b/tcsd.te
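Review bot: The summary on `tcsd_initrc_domtrans` says `Execute tcsd server in the tcsd domain.`, but its body calls `init_labeled_script_domtrans($1, tcsd_initrc_exec_t)`, which runs the tcsd init script in the init-script domain rather than the daemon in `tcsd_t` (that is what `tcsd_domtrans` above it does). Change the summary to `Execute tcsd init scripts in the init script domain.` so callers pick the right interface. The `tcsd_admin` summary in the same hunk reads `an tcsd environment`; it should be `a tcsd environment`. That interface's `gen_require` also lists its three types on separate `type` lines while every other interface in the file uses one comma-separated line; either form is valid, but one form per file is easier to scan.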
@@ -0,0 +1,50 @@
+policy_module(tcsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tcsd_t;
+type tcsd_exec_t;
+domain_type(tcsd_t)
+init_daemon_domain(tcsd_t, tcsd_exec_t)
+
+type tcsd_initrc_exec_t;
+init_script_file(tcsd_initrc_exec_t)
+
+type tcsd_var_lib_t;
+files_type(tcsd_var_lib_t)
+
+########################################
+#
+# tcsd local policy
+#
+
+allow tcsd_t self:capability { dac_override setuid };
+allow tcsd_t self:process { signal sigkill };
+allow tcsd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
+manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
+files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir })
+
+# Accept connections on the TCS port over loopback.
+corenet_all_recvfrom_unlabeled(tcsd_t)
+corenet_tcp_bind_generic_node(tcsd_t)
+corenet_tcp_bind_tcs_port(tcsd_t)
+
+dev_read_urand(tcsd_t)
+# Access /dev/tpm0.
+dev_rw_tpm(tcsd_t)
+
+files_read_etc_files(tcsd_t)
+files_read_usr_files(tcsd_t)
+
+auth_use_nsswitch(tcsd_t)
+
+logging_send_syslog_msg(tcsd_t)
+
+miscfiles_read_localization(tcsd_t)
+
+sysnet_dns_name_resolve(tcsd_t)
diff --git a/telepathy.fc b/telepathy.fc
new file mode 100644
index 0000000..b07ee19
--- /dev/null
+++ b/telepathy.fc
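Review bot: The comment `# Accept connections on the TCS port over loopback.` claims a loopback restriction that the rules beneath it do not impose: `corenet_tcp_bind_generic_node(tcsd_t)` allows binding the TCS port on the generic node, not only the loopback address. Either reword it to `# Accept connections on the TCS port.` or, if tcsd is meant to listen only locally, say that the policy does not enforce this and the daemon configuration has to. `allow tcsd_t self:capability { dac_override setuid };` also deserves a one-line why-comment: `dac_override` lets the daemon bypass file permission checks, and nothing in the hunk says which path needs it, so a later reviewer cannot tell whether it is still required.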
@@ -0,0 +1,18 @@
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
+HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
+HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
+HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
+
+/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
+/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
+/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0)
+/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
+/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0)
+/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
+/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/telepathy.if b/telepathy.if
new file mode 100644
index 0000000..3cfb128
--- /dev/null
+++ b/telepathy.if
@@ -0,0 +1,181 @@
+## Telepathy communications framework.
+
+#######################################
+##
+## Creates basic types for telepathy
+## domain
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+#
+template(`telepathy_domain_template',`
+
+ gen_require(`
+ attribute telepathy_domain;
+ attribute telepathy_executable;
+ ')
+
+ type telepathy_$1_t, telepathy_domain;
+ type telepathy_$1_exec_t, telepathy_executable;
+ application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ ubac_constrained(telepathy_$1_t)
+
+ type telepathy_$1_tmp_t;
+ files_tmp_file(telepathy_$1_tmp_t)
+ ubac_constrained(telepathy_$1_tmp_t)
+')
+
+#######################################
+##
+## Role access for telepathy domains
+### that executes via dbus-session
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`telepathy_role', `
+ gen_require(`
+ attribute telepathy_domain;
+ type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
+ type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
+ type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
+ type telepathy_sofiasip_exec_t, telepathy_idle_exec_t;
+ type telepathy_logger_t, telepathy_logger_exec_t;
+ type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
+ type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
+ type telepathy_msn_exec_t;
+ ')
+
+ role $1 types telepathy_domain;
+
+ allow $2 telepathy_domain:process signal_perms;
+ ps_process_pattern($2, telepathy_domain)
+
+ telepathy_gabble_stream_connect($2)
+ telepathy_msn_stream_connect($2)
+ telepathy_salut_stream_connect($2)
+
+ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
+ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
+ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
+ dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t)
+ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
+ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
+ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
+ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
+ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
+')
+
+########################################
+##
+## Stream connect to Telepathy Gabble
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`telepathy_gabble_stream_connect', `
+ gen_require(`
+ type telepathy_gabble_t, telepathy_gabble_tmp_t;
+ ')
+
+ stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
+ files_search_tmp($1)
+')
+
+########################################
+##
+## Send DBus messages to and from
+## Telepathy Gabble.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`telepathy_gabble_dbus_chat', `
+ gen_require(`
+ type telepathy_gabble_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 telepathy_gabble_t:dbus send_msg;
+ allow telepathy_gabble_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Read telepathy mission control state.
+##
+##
+##
+## Prefix to be used.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`telepathy_mission_control_read_state',`
+ gen_require(`
+ type telepathy_mission_control_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, telepathy_mission_control_t)
+')
+
+#######################################
+##
+## Stream connect to telepathy MSN managers
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`telepathy_msn_stream_connect', `
+ gen_require(`
+ type telepathy_msn_t, telepathy_msn_tmp_t;
+ ')
+
+ stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
+ files_search_tmp($1)
+')
+
+########################################
+##
+## Stream connect to Telepathy Salut
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`telepathy_salut_stream_connect', `
+ gen_require(`
+ type telepathy_salut_t, telepathy_salut_tmp_t;
+ ')
+
+ stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
+ files_search_tmp($1)
+')
diff --git a/telepathy.te b/telepathy.te
new file mode 100644
index 0000000..73311c2
--- /dev/null
+++ b/telepathy.te
@@ -0,0 +1,380 @@
+policy_module(telepathy, 1.1.0)
+
+########################################
+#
+# Declarations.
+#
+
+##
+##
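Review bot: `telepathy_role` uses a third argument, `$3`, in every `dbus_session_domain($3, ...)` call, but its documentation block describes only two parameters (the role and the user domain type), so callers have no way of knowing what to pass. Add a third `param` entry describing `$3`; from the calls it appears to be the user prefix that `dbus_session_domain` expects, but confirm that against its definition. In the same file, `telepathy_mission_control_read_state` documents two parameters (`Prefix to be used.` and `Domain allowed access.`) while the body only uses `$1`, so the prefix entry should be dropped. The `### that executes via dbus-session` line in the `telepathy_role` summary carries a stray third `#`, which breaks the `##` documentation prefix used everywhere else.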

+## Allow the Telepathy connection managers
+## to connect to any generic TCP port.
+##

+##
+gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
+
+##
+##

+## Allow the Telepathy connection managers
+## to connect to any network port.
+##

+##
+gen_tunable(telepathy_connect_all_ports, false)
+
+attribute telepathy_domain;
+attribute telepathy_executable;
+
+telepathy_domain_template(gabble)
+
+type telepathy_gabble_cache_home_t;
+userdom_user_home_content(telepathy_gabble_cache_home_t)
+
+telepathy_domain_template(idle)
+telepathy_domain_template(logger)
+
+type telepathy_logger_cache_home_t;
+userdom_user_home_content(telepathy_logger_cache_home_t)
+
+type telepathy_logger_data_home_t;
+userdom_user_home_content(telepathy_logger_data_home_t)
+
+telepathy_domain_template(mission_control)
+
+type telepathy_mission_control_home_t;
+userdom_user_home_content(telepathy_mission_control_home_t)
+
+type telepathy_mission_control_cache_home_t;
+userdom_user_home_content(telepathy_mission_control_cache_home_t)
+
+telepathy_domain_template(msn)
+telepathy_domain_template(salut)
+telepathy_domain_template(sofiasip)
+telepathy_domain_template(stream_engine)
+telepathy_domain_template(sunshine)
+
+type telepathy_sunshine_home_t;
+userdom_user_home_content(telepathy_sunshine_home_t)
+
+#######################################
+#
+# Telepathy Gabble local policy.
+#
+
+allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms;
+allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto };
+
+manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
+manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
+files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
+
+corenet_all_recvfrom_netlabel(telepathy_gabble_t)
+corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
+corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
+corenet_tcp_sendrecv_generic_node(telepathy_gabble_t)
+corenet_tcp_connect_http_port(telepathy_gabble_t)
+corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
+corenet_tcp_connect_vnc_port(telepathy_gabble_t)
+corenet_sendrecv_http_client_packets(telepathy_gabble_t)
+corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
+corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
+
+dev_read_rand(telepathy_gabble_t)
+
+files_read_config_files(telepathy_gabble_t)
+files_read_usr_files(telepathy_gabble_t)
+
+fs_getattr_all_fs(telepathy_gabble_t)
+
+miscfiles_read_all_certs(telepathy_gabble_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_gabble_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_gabble_t)
+ corenet_udp_sendrecv_all_ports(telepathy_gabble_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_gabble_t)
+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_gabble_t)
+ fs_manage_nfs_files(telepathy_gabble_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_gabble_t)
+ fs_manage_cifs_files(telepathy_gabble_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_gabble_t)
+')
+
+#######################################
+#
+# Telepathy Idle local policy.
+#
+
+corenet_all_recvfrom_netlabel(telepathy_idle_t)
+corenet_all_recvfrom_unlabeled(telepathy_idle_t)
+corenet_tcp_sendrecv_generic_if(telepathy_idle_t)
+corenet_tcp_sendrecv_generic_node(telepathy_idle_t)
+corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
+corenet_tcp_connect_ircd_port(telepathy_idle_t)
+corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
+
+dev_read_rand(telepathy_idle_t)
+
+files_read_etc_files(telepathy_idle_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_idle_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_idle_t)
+ corenet_udp_sendrecv_all_ports(telepathy_idle_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_idle_t)
+ corenet_sendrecv_generic_client_packets(telepathy_idle_t)
+')
+
+#######################################
+#
+# Telepathy Logger local policy.
+#
+
+allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
+
+manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
+
+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+
+files_read_etc_files(telepathy_logger_t)
+files_read_usr_files(telepathy_logger_t)
+files_search_pids(telepathy_logger_t)
+
+fs_getattr_all_fs(telepathy_logger_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_logger_t)
+ fs_manage_nfs_files(telepathy_logger_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_logger_t)
+ fs_manage_cifs_files(telepathy_logger_t)
+')
+
+#######################################
+#
+# Telepathy Mission-Control local policy.
+#
+
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
+
+dev_read_rand(telepathy_mission_control_t)
+
+fs_getattr_all_fs(telepathy_mission_control_t)
+
+files_read_etc_files(telepathy_mission_control_t)
+files_read_usr_files(telepathy_mission_control_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_mission_control_t)
+ fs_manage_nfs_files(telepathy_mission_control_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_mission_control_t)
+ fs_manage_cifs_files(telepathy_mission_control_t)
+')
+
+#######################################
+#
+# Telepathy Butterfly and Haze local policy.
+#
+
+allow telepathy_msn_t self:process setsched;
+allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+
+manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+
+corenet_all_recvfrom_netlabel(telepathy_msn_t)
+corenet_all_recvfrom_unlabeled(telepathy_msn_t)
+corenet_tcp_sendrecv_generic_if(telepathy_msn_t)
+corenet_tcp_sendrecv_generic_node(telepathy_msn_t)
+corenet_tcp_bind_generic_node(telepathy_msn_t)
+corenet_tcp_connect_http_port(telepathy_msn_t)
+corenet_tcp_connect_mmcc_port(telepathy_msn_t)
+corenet_tcp_connect_msnp_port(telepathy_msn_t)
+corenet_tcp_connect_sip_port(telepathy_msn_t)
+corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
+
+corecmd_exec_bin(telepathy_msn_t)
+corecmd_exec_shell(telepathy_msn_t)
+corecmd_read_bin_symlinks(telepathy_msn_t)
+
+files_read_etc_files(telepathy_msn_t)
+files_read_usr_files(telepathy_msn_t)
+
+libs_exec_ldconfig(telepathy_msn_t)
+
+logging_send_syslog_msg(telepathy_msn_t)
+
+miscfiles_read_all_certs(telepathy_msn_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_msn_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_msn_t)
+ corenet_udp_sendrecv_all_ports(telepathy_msn_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_msn_t)
+ corenet_sendrecv_generic_client_packets(telepathy_msn_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_msn_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(telepathy_msn_t)
+ ')
+')
+
+#######################################
+#
+# Telepathy Salut local policy.
+#
+
+allow telepathy_salut_t self:tcp_socket create_stream_socket_perms;
+
+manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
+files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
+
+corenet_all_recvfrom_netlabel(telepathy_salut_t)
+corenet_all_recvfrom_unlabeled(telepathy_salut_t)
+corenet_tcp_sendrecv_generic_if(telepathy_salut_t)
+corenet_tcp_sendrecv_generic_node(telepathy_salut_t)
+corenet_tcp_bind_generic_node(telepathy_salut_t)
+corenet_tcp_bind_presence_port(telepathy_salut_t)
+corenet_tcp_connect_presence_port(telepathy_salut_t)
+corenet_sendrecv_presence_server_packets(telepathy_salut_t)
+
+files_read_etc_files(telepathy_salut_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_salut_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_salut_t)
+ corenet_udp_sendrecv_all_ports(telepathy_salut_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_salut_t)
+ corenet_sendrecv_generic_client_packets(telepathy_salut_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_salut_t)
+
+ optional_policy(`
+ avahi_dbus_chat(telepathy_salut_t)
+ ')
+')
+
+#######################################
+#
+# Telepathy Sofiasip local policy.
+#
+
+allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
+allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms;
+
+corenet_all_recvfrom_netlabel(telepathy_sofiasip_t)
+corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
+corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
+corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t)
+corenet_tcp_bind_generic_node(telepathy_sofiasip_t)
+corenet_raw_bind_generic_node(telepathy_sofiasip_t)
+corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
+corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
+corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
+corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
+
+kernel_request_load_module(telepathy_sofiasip_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_tcp_connect_all_ports(telepathy_sofiasip_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
+ corenet_udp_sendrecv_all_ports(telepathy_sofiasip_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_tcp_connect_generic_port(telepathy_sofiasip_t)
+ corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
+')
+
+#######################################
+#
+# Telepathy Sunshine local policy.
+#
+
+manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })
+userdom_search_user_home_dirs(telepathy_sunshine_t)
+
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
+
+corecmd_exec_bin(telepathy_sunshine_t)
+
+files_read_etc_files(telepathy_sunshine_t)
+files_read_usr_files(telepathy_sunshine_t)
+
+optional_policy(`
+ xserver_read_xdm_pid(telepathy_sunshine_t)
+ xserver_stream_connect(telepathy_sunshine_t)
+')
+
+#######################################
+#
+# telepathy domains common policy
+#
+
+allow telepathy_domain self:process { getsched signal sigkill };
+allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+allow telepathy_domain self:tcp_socket create_socket_perms;
+allow telepathy_domain self:udp_socket create_socket_perms;
+
+dev_read_urand(telepathy_domain)
+
+kernel_read_system_state(telepathy_domain)
+
+fs_search_auto_mountpoints(telepathy_domain)
+
+auth_use_nsswitch(telepathy_domain)
+
+miscfiles_read_localization(telepathy_domain)
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
+')
+
+optional_policy(`
+ xserver_rw_xdm_pipes(telepathy_domain)
+')
diff --git a/telnet.fc b/telnet.fc
new file mode 100644
index 0000000..7405170
--- /dev/null
+++ b/telnet.fc
@@ -0,0 +1,4 @@
+
+/usr/sbin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
+
+/usr/kerberos/sbin/telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
diff --git a/telnet.if b/telnet.if
new file mode 100644
index 0000000..58e7ec0
--- /dev/null
+++ b/telnet.if
@@ -0,0 +1 @@
+## Telnet daemon
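Review bot: In the Sunshine section, `manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, ...)` together with `exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, ...)` lets the domain create a file under its own tmp type and then execute it, which removes the usual separation between content this domain writes and content it runs. If sunshine genuinely needs to run files it writes to /tmp, a why-comment above the `exec_files_pattern` line should say what those files are; otherwise the exec rule should go. The Sofiasip section likewise grants `self:rawip_socket { create_socket_perms listen }` and `kernel_request_load_module(telepathy_sofiasip_t)` with no comment on why a SIP connection manager needs raw IP sockets or module autoloading, and both are the kind of rule a later audit will question first.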
diff --git a/telnet.te b/telnet.te
new file mode 100644
index 0000000..f40e67b
--- /dev/null
+++ b/telnet.te
@@ -0,0 +1,100 @@
+policy_module(telnet, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type telnetd_t;
+type telnetd_exec_t;
+inetd_service_domain(telnetd_t, telnetd_exec_t)
+role system_r types telnetd_t;
+
+type telnetd_devpts_t; #, userpty_type;
+term_login_pty(telnetd_devpts_t)
+
+type telnetd_tmp_t;
+files_tmp_file(telnetd_tmp_t)
+
+type telnetd_var_run_t;
+files_pid_file(telnetd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow telnetd_t self:process signal_perms;
+allow telnetd_t self:fifo_file rw_fifo_file_perms;
+allow telnetd_t self:tcp_socket connected_stream_socket_perms;
+allow telnetd_t self:udp_socket create_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow telnetd_t self:capability { setuid setgid };
+
+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(telnetd_t, telnetd_devpts_t)
+
+manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
+
+manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
+files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
+
+kernel_read_kernel_sysctls(telnetd_t)
+kernel_read_system_state(telnetd_t)
+kernel_read_network_state(telnetd_t)
+
+corenet_all_recvfrom_unlabeled(telnetd_t)
+corenet_all_recvfrom_netlabel(telnetd_t)
+corenet_tcp_sendrecv_generic_if(telnetd_t)
+corenet_udp_sendrecv_generic_if(telnetd_t)
+corenet_tcp_sendrecv_generic_node(telnetd_t)
+corenet_udp_sendrecv_generic_node(telnetd_t)
+corenet_tcp_sendrecv_all_ports(telnetd_t)
+corenet_udp_sendrecv_all_ports(telnetd_t)
+
+dev_read_urand(telnetd_t)
+
+domain_interactive_fd(telnetd_t)
+
+fs_getattr_xattr_fs(telnetd_t)
+
+auth_rw_login_records(telnetd_t)
+auth_use_nsswitch(telnetd_t)
+
+corecmd_search_bin(telnetd_t)
+
+files_read_usr_files(telnetd_t)
+files_read_etc_files(telnetd_t)
+files_read_etc_runtime_files(telnetd_t)
+# for identd; cjp: this should probably only be inetd_child rules?
+files_search_home(telnetd_t)
+
+init_rw_utmp(telnetd_t)
+
+logging_send_syslog_msg(telnetd_t)
+
+miscfiles_read_localization(telnetd_t)
+
+seutil_read_config(telnetd_t)
+
+remotelogin_domtrans(telnetd_t)
+
+userdom_search_user_home_dirs(telnetd_t)
+userdom_setattr_user_ptys(telnetd_t)
+
+optional_policy(`
+ kerberos_keytab_template(telnetd, telnetd_t)
+ kerberos_manage_host_rcache(telnetd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(telnetd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(telnetd_t)
+')
diff --git a/tftp.fc b/tftp.fc
new file mode 100644
index 0000000..25eee43
--- /dev/null
+++ b/tftp.fc
@@ -0,0 +1,8 @@
+
+/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+
+/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
+
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
diff --git a/tftp.if b/tftp.if
new file mode 100644
index 0000000..38bb312
--- /dev/null
+++ b/tftp.if
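Review bot: `allow telnetd_t self:capability { setuid setgid };` repeats the `self:capability` rule given a few lines above it (`{ fsetid chown fowner sys_tty_config dac_override }`); two allow statements on the same source, target and class only split one permission set across the file, so merge them into one line, `allow telnetd_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };`. The declaration `type telnetd_devpts_t; #, userpty_type;` carries commented-out code that should either be restored or removed. The `# for identd; cjp: ...` note also appears twice, over the `netlink_tcpdiag_socket` rule and again over `files_search_home(telnetd_t)`; if both rules exist for the same reason, state it once and refer back to it from the second site.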
@@ -0,0 +1,67 @@
+## Trivial file transfer protocol daemon
+
+########################################
+##
+## Read tftp content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tftp_read_content',`
+ gen_require(`
+ type tftpdir_t;
+ ')
+
+ read_files_pattern($1, tftpdir_t, tftpdir_t)
+')
+
+########################################
+##
+## Manage tftp /var/lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tftp_manage_rw_content',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an tftp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`tftp_admin',`
+ gen_require(`
+ type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
+ ')
+
+ allow $1 tftpd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, tftpd_t)
+
+ admin_pattern($1, tftpdir_rw_t)
+
+ admin_pattern($1, tftpdir_t)
+
+ files_list_pids($1)
+ admin_pattern($1, tftpd_var_run_t)
+')
diff --git a/tftp.te b/tftp.te
new file mode 100644
index 0000000..d50c10d
--- /dev/null
+++ b/tftp.te
@@ -0,0 +1,106 @@
+policy_module(tftp, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##

+## Allow tftp to modify public files
+## used for public file transfer services.
+##

+##
+gen_tunable(tftp_anon_write, false)
+
+type tftpd_t;
+type tftpd_exec_t;
+init_daemon_domain(tftpd_t, tftpd_exec_t)
+
+type tftpd_var_run_t;
+files_pid_file(tftpd_var_run_t)
+
+type tftpdir_t;
+files_type(tftpdir_t)
+
+type tftpdir_rw_t;
+files_type(tftpdir_rw_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tftpd_t self:capability { setgid setuid sys_chroot };
+allow tftpd_t self:tcp_socket create_stream_socket_perms;
+allow tftpd_t self:udp_socket create_socket_perms;
+allow tftpd_t self:unix_dgram_socket create_socket_perms;
+allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit tftpd_t self:capability sys_tty_config;
+
+allow tftpd_t tftpdir_t:dir list_dir_perms;
+allow tftpd_t tftpdir_t:file read_file_perms;
+allow tftpd_t tftpdir_t:lnk_file { getattr read };
+
+manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+
+manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
+files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
+
+kernel_read_system_state(tftpd_t)
+kernel_read_kernel_sysctls(tftpd_t)
+
+corenet_all_recvfrom_unlabeled(tftpd_t)
+corenet_all_recvfrom_netlabel(tftpd_t)
+corenet_tcp_sendrecv_generic_if(tftpd_t)
+corenet_udp_sendrecv_generic_if(tftpd_t)
+corenet_tcp_sendrecv_generic_node(tftpd_t)
+corenet_udp_sendrecv_generic_node(tftpd_t)
+corenet_tcp_sendrecv_all_ports(tftpd_t)
+corenet_udp_sendrecv_all_ports(tftpd_t)
+corenet_tcp_bind_generic_node(tftpd_t)
+corenet_udp_bind_generic_node(tftpd_t)
+corenet_udp_bind_tftp_port(tftpd_t)
+corenet_sendrecv_tftp_server_packets(tftpd_t)
+
+dev_read_sysfs(tftpd_t)
+
+fs_getattr_all_fs(tftpd_t)
+fs_search_auto_mountpoints(tftpd_t)
+
+domain_use_interactive_fds(tftpd_t)
+
+files_read_etc_files(tftpd_t)
+files_read_etc_runtime_files(tftpd_t)
+files_read_var_files(tftpd_t)
+files_read_var_symlinks(tftpd_t)
+files_search_var(tftpd_t)
+
+auth_use_nsswitch(tftpd_t)
+
+logging_send_syslog_msg(tftpd_t)
+
+miscfiles_read_localization(tftpd_t)
+miscfiles_read_public_files(tftpd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
+userdom_dontaudit_use_user_terminals(tftpd_t)
+userdom_dontaudit_search_user_home_dirs(tftpd_t)
+
+tunable_policy(`tftp_anon_write',`
+ miscfiles_manage_public_files(tftpd_t)
+')
+
+optional_policy(`
+ inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(tftpd_t)
+')
+
+optional_policy(`
+ udev_read_db(tftpd_t)
+')
diff --git a/tgtd.fc b/tgtd.fc
new file mode 100644
index 0000000..8294f6f
--- /dev/null
+++ b/tgtd.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
diff --git a/tgtd.if b/tgtd.if
new file mode 100644
index 0000000..c2ed23a
--- /dev/null
+++ b/tgtd.if
@@ -0,0 +1,46 @@
+## Linux Target Framework Daemon.
+##
+##
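Review bot: The `tftp_anon_write` tunable only gates `miscfiles_manage_public_files(tftpd_t)`, while the `manage_dirs_pattern`/`manage_files_pattern`/`manage_lnk_files_pattern` rules on `tftpdir_rw_t` earlier in the local-policy section are unconditional, so switching the boolean off does not stop writes to `/var/lib/tftpboot`. That is a defensible design (the rw type is opt-in by labelling), but it is not visible from the boolean's description; add a comment above the `tftpdir_rw_t` manage rules, `# Writes to tftpdir_rw_t are always allowed; tftp_anon_write only covers the public-content type.`. Separately, `corenet_tcp_bind_generic_node(tftpd_t)` is granted without any TCP port bind rule; if no TCP listener is expected it looks like a leftover and could be dropped, otherwise a comment naming the TCP use would help.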

+##  Linux target framework (tgt) aims to simplify various
+## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
+## and maintenance. Our key goals are the clean integration into
+## the scsi-mid layer and implementing a great portion of tgt
+## in user space.
+##

+##
+
+#####################################
+##
+## Allow read and write access to tgtd semaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tgtd_rw_semaphores',`
+ gen_require(`
+ type tgtd_t;
+ ')
+
+ allow $1 tgtd_t:sem rw_sem_perms;
+')
+
+######################################
+##
+## Manage tgtd sempaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tgtd_manage_semaphores',`
+ gen_require(`
+ type tgtd_t;
+ ')
+
+ allow $1 tgtd_t:sem create_sem_perms;
+')
diff --git a/tgtd.te b/tgtd.te
new file mode 100644
index 0000000..80fe75c
--- /dev/null
+++ b/tgtd.te
@@ -0,0 +1,66 @@
+policy_module(tgtd, 1.2.0)
+
+########################################
+#
+# TGTD personal declarations.
+#
+
+type tgtd_t;
+type tgtd_exec_t;
+init_daemon_domain(tgtd_t, tgtd_exec_t)
+
+type tgtd_initrc_exec_t;
+init_script_file(tgtd_initrc_exec_t)
+
+type tgtd_tmp_t;
+files_tmp_file(tgtd_tmp_t)
+
+type tgtd_tmpfs_t;
+files_tmpfs_file(tgtd_tmpfs_t)
+
+type tgtd_var_lib_t;
+files_type(tgtd_var_lib_t)
+
+########################################
+#
+# TGTD personal policy.
+#
+
+allow tgtd_t self:capability sys_resource;
+allow tgtd_t self:process { setrlimit signal };
+allow tgtd_t self:fifo_file rw_fifo_file_perms;
+allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow tgtd_t self:shm create_shm_perms;
+allow tgtd_t self:sem create_sem_perms;
+allow tgtd_t self:tcp_socket create_stream_socket_perms;
+allow tgtd_t self:udp_socket create_socket_perms;
+allow tgtd_t self:unix_dgram_socket create_socket_perms;
+
+manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
+files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file })
+
+manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
+fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
+
+manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
+
+kernel_read_fs_sysctls(tgtd_t)
+
+corenet_all_recvfrom_netlabel(tgtd_t)
+corenet_all_recvfrom_unlabeled(tgtd_t)
+corenet_tcp_sendrecv_generic_if(tgtd_t)
+corenet_tcp_sendrecv_generic_node(tgtd_t)
+corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+corenet_tcp_bind_generic_node(tgtd_t)
+corenet_tcp_bind_iscsi_port(tgtd_t)
+corenet_sendrecv_iscsi_server_packets(tgtd_t)
+
+files_read_etc_files(tgtd_t)
+
+storage_manage_fixed_disk(tgtd_t)
+
+logging_send_syslog_msg(tgtd_t)
+
+miscfiles_read_localization(tgtd_t)
diff --git a/thunderbird.fc b/thunderbird.fc
new file mode 100644
index 0000000..fb43a7b
--- /dev/null
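Review bot: `storage_manage_fixed_disk(tgtd_t)` gives the daemon read/write on every fixed-disk device node, so a compromised tgtd is one step from the host's own root and data disks rather than only the LUNs it exports, and that scope has no comment next to it. It is probably unavoidable while there is a single fixed_disk_device_t type, but it should be visible to anyone auditing this module: something like `# tgtd exports raw block devices as iSCSI LUNs; this is rw on ALL fixed disks, not only exported ones`. Deployments that only export backing files under /var/lib/tgtd gain nothing from it, which is worth stating in the same comment so a future tunable has an obvious home. The surrounding `corenet_tcp_bind_iscsi_port` / `corenet_sendrecv_iscsi_server_packets` rules are appropriately narrow, which makes the disk grant the one rule in this hunk worth calling out.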
+++ b/thunderbird.fc @@ -0,0 +1,6 @@ +# +# /usr +# +/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) + +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0) diff --git a/thunderbird.if b/thunderbird.if new file mode 100644 index 0000000..a76e9f9 --- /dev/null +++ b/thunderbird.if @@ -0,0 +1,63 @@ +## Thunderbird email client + +######################################## +## +## Role access for thunderbird +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`thunderbird_role',` + gen_require(` + type thunderbird_t, thunderbird_exec_t; + type thunderbird_home_t, thunderbird_tmpfs_t; + ') + + role $1 types thunderbird_t; + + domain_auto_trans($2, thunderbird_exec_t, thunderbird_t) + allow $2 thunderbird_t:fd use; + allow $2 thunderbird_t:shm { associate getattr }; + allow $2 thunderbird_t:unix_stream_socket connectto; + allow thunderbird_t $2:fd use; + allow thunderbird_t $2:process sigchld; + allow thunderbird_t $2:unix_stream_socket connectto; + + # allow ps to show thunderbird and allow the user to kill it + ps_process_pattern($2, thunderbird_t) + allow $2 thunderbird_t:process signal; + + # Access ~/.thunderbird + manage_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) + manage_files_pattern($2, thunderbird_home_t, thunderbird_home_t) + manage_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) + relabel_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) + relabel_files_pattern($2, thunderbird_home_t, thunderbird_home_t) + relabel_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) +') + +######################################## +## +## Run thunderbird in the user thunderbird domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`thunderbird_domtrans',` + gen_require(` + type thunderbird_t, thunderbird_exec_t; + ') + + domtrans_pattern($1, thunderbird_exec_t, thunderbird_t) +') 
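Review bot: `thunderbird_role` performs the transition with the legacy `domain_auto_trans($2, thunderbird_exec_t, thunderbird_t)` while `thunderbird_domtrans` a few lines below uses `domtrans_pattern`, so the same module spells the same transition two ways. Replacing that line with `thunderbird_domtrans($2)` keeps the role interface in step with the pattern macros used throughout this patch set and leaves one place to update if the transition rule changes; if this tree's domtrans_pattern carries the usual fd-use and sigchld back-rules, the explicit `allow thunderbird_t $2:fd use;` and `allow thunderbird_t $2:process sigchld;` lines then become redundant and can go. The shm, unix_stream_socket and ~/.thunderbird management rules that follow are not covered by the pattern and should stay.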
diff --git a/thunderbird.te b/thunderbird.te new file mode 100644 index 0000000..f50789e --- /dev/null +++ b/thunderbird.te 
@@ -0,0 +1,210 @@ +policy_module(thunderbird, 2.2.0) + +######################################## +# +# Declarations +# + +type thunderbird_t; +type thunderbird_exec_t; +typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t }; +typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t }; +application_domain(thunderbird_t, thunderbird_exec_t) +ubac_constrained(thunderbird_t) + +type thunderbird_home_t; +typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t }; +typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t }; +userdom_user_home_content(thunderbird_home_t) + +type thunderbird_tmpfs_t; +typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t }; +typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t }; +files_tmpfs_file(thunderbird_tmpfs_t) +ubac_constrained(thunderbird_tmpfs_t) + +######################################## +# +# Local policy +# + +allow thunderbird_t self:capability sys_nice; +allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack }; +allow thunderbird_t self:fifo_file { ioctl read write getattr }; +allow thunderbird_t self:unix_dgram_socket { create connect }; +allow thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind }; +allow thunderbird_t self:tcp_socket create_socket_perms; +allow thunderbird_t self:shm { read write create destroy unix_read unix_write }; + +# Access ~/.thunderbird +manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) +manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) +manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) +userdom_search_user_home_dirs(thunderbird_t) + +manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, 
thunderbird_tmpfs_t) +manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) +manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) +manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) +fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +# Allow netstat +kernel_read_network_state(thunderbird_t) +kernel_read_net_sysctls(thunderbird_t) +kernel_read_system_state(thunderbird_t) + +# Startup shellscript +corecmd_exec_shell(thunderbird_t) + +corenet_all_recvfrom_unlabeled(thunderbird_t) +corenet_all_recvfrom_netlabel(thunderbird_t) +corenet_tcp_sendrecv_generic_if(thunderbird_t) +corenet_tcp_sendrecv_generic_node(thunderbird_t) +corenet_tcp_sendrecv_ipp_port(thunderbird_t) +corenet_tcp_sendrecv_ldap_port(thunderbird_t) +corenet_tcp_sendrecv_innd_port(thunderbird_t) +corenet_tcp_sendrecv_smtp_port(thunderbird_t) +corenet_tcp_sendrecv_pop_port(thunderbird_t) +corenet_tcp_sendrecv_http_port(thunderbird_t) +corenet_tcp_connect_ipp_port(thunderbird_t) +corenet_tcp_connect_ldap_port(thunderbird_t) +corenet_tcp_connect_innd_port(thunderbird_t) +corenet_tcp_connect_smtp_port(thunderbird_t) +corenet_tcp_connect_pop_port(thunderbird_t) +corenet_tcp_connect_http_port(thunderbird_t) +corenet_sendrecv_ipp_client_packets(thunderbird_t) +corenet_sendrecv_ldap_client_packets(thunderbird_t) +corenet_sendrecv_innd_client_packets(thunderbird_t) +corenet_sendrecv_smtp_client_packets(thunderbird_t) +corenet_sendrecv_pop_client_packets(thunderbird_t) +corenet_sendrecv_http_client_packets(thunderbird_t) + +dev_read_urand(thunderbird_t) +dev_dontaudit_search_sysfs(thunderbird_t) + +files_list_tmp(thunderbird_t) +files_read_usr_files(thunderbird_t) +files_read_etc_files(thunderbird_t) +files_read_etc_runtime_files(thunderbird_t) +files_read_var_files(thunderbird_t) +files_read_var_symlinks(thunderbird_t) +files_dontaudit_getattr_all_tmp_files(thunderbird_t) 
+files_dontaudit_getattr_boot_dirs(thunderbird_t) +files_dontaudit_getattr_lost_found_dirs(thunderbird_t) +files_dontaudit_search_mnt(thunderbird_t) + +fs_getattr_xattr_fs(thunderbird_t) +fs_list_inotifyfs(thunderbird_t) +# Access ~/.thunderbird +fs_search_auto_mountpoints(thunderbird_t) + +auth_use_nsswitch(thunderbird_t) + +miscfiles_read_fonts(thunderbird_t) +miscfiles_read_localization(thunderbird_t) + +userdom_manage_user_tmp_dirs(thunderbird_t) +userdom_read_user_tmp_files(thunderbird_t) +userdom_manage_user_tmp_sockets(thunderbird_t) +# .kde/....gtkrc +userdom_read_user_home_content_files(thunderbird_t) + +xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) +xserver_read_xdm_tmp_files(thunderbird_t) +xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) + +# Access ~/.thunderbird +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(thunderbird_t) + fs_manage_nfs_files(thunderbird_t) + fs_manage_nfs_symlinks(thunderbird_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(thunderbird_t) + fs_manage_cifs_files(thunderbird_t) + fs_manage_cifs_symlinks(thunderbird_t) +') + +tunable_policy(`mail_read_content && use_nfs_home_dirs',` + files_list_home(thunderbird_t) + + fs_list_auto_mountpoints(thunderbird_t) + fs_read_nfs_files(thunderbird_t) + fs_read_nfs_symlinks(thunderbird_t) +',` + files_dontaudit_list_home(thunderbird_t) + + fs_dontaudit_list_auto_mountpoints(thunderbird_t) + fs_dontaudit_list_nfs(thunderbird_t) + fs_dontaudit_read_nfs_files(thunderbird_t) +') + +tunable_policy(`mail_read_content && use_samba_home_dirs',` + files_list_home(thunderbird_t) + + fs_list_auto_mountpoints(thunderbird_t) + fs_read_cifs_files(thunderbird_t) + fs_read_cifs_symlinks(thunderbird_t) +',` + files_dontaudit_list_home(thunderbird_t) + + fs_dontaudit_list_auto_mountpoints(thunderbird_t) + fs_dontaudit_read_cifs_files(thunderbird_t) + fs_dontaudit_list_cifs(thunderbird_t) +') + +tunable_policy(`mail_read_content',` + 
userdom_list_user_tmp(thunderbird_t) + userdom_read_user_tmp_files(thunderbird_t) + userdom_read_user_tmp_symlinks(thunderbird_t) + userdom_search_user_home_dirs(thunderbird_t) + userdom_read_user_home_content_files(thunderbird_t) + + ifndef(`enable_mls',` + fs_search_removable(thunderbird_t) + fs_read_removable_files(thunderbird_t) + fs_read_removable_symlinks(thunderbird_t) + ') +',` + files_dontaudit_list_tmp(thunderbird_t) + files_dontaudit_list_home(thunderbird_t) + + fs_dontaudit_list_removable(thunderbird_t) + fs_dontaudit_read_removable_files(thunderbird_t) + + userdom_dontaudit_list_user_tmp(thunderbird_t) + userdom_dontaudit_read_user_tmp_files(thunderbird_t) + userdom_dontaudit_list_user_home_dirs(thunderbird_t) + userdom_dontaudit_read_user_home_content_files(thunderbird_t) +') + +optional_policy(` + dbus_system_bus_client(thunderbird_t) + dbus_session_bus_client(thunderbird_t) +') + +optional_policy(` + cups_read_rw_config(thunderbird_t) + cups_dbus_chat(thunderbird_t) +') + +optional_policy(` + gnome_stream_connect_gconf(thunderbird_t) + gnome_domtrans_gconfd(thunderbird_t) + gnome_manage_config(thunderbird_t) +') + +optional_policy(` + gpg_domtrans(thunderbird_t) +') + +optional_policy(` + lpd_domtrans_lpr(thunderbird_t) +') + +optional_policy(` + mozilla_read_user_home_files(thunderbird_t) + mozilla_domtrans(thunderbird_t) + mozilla_dbus_chat(thunderbird_t) +') diff --git a/timidity.fc b/timidity.fc new file mode 100644 index 0000000..ed5eef3 --- /dev/null +++ b/timidity.fc @@ -0,0 +1,2 @@ + +/usr/bin/timidity -- gen_context(system_u:object_r:timidity_exec_t,s0) diff --git a/timidity.if b/timidity.if new file mode 100644 index 0000000..989b240 --- /dev/null +++ b/timidity.if @@ -0,0 +1 @@ +## MIDI to WAV converter and player configured as a service diff --git a/timidity.te b/timidity.te new file mode 100644 index 0000000..67b5592 --- /dev/null +++ b/timidity.te 
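Review bot: `allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };` switches off all three memory-execution checks for a domain that parses untrusted mail, HTML and attachments straight off the network, which is exactly where W^X matters most. Whether all three are still needed is not something this hunk shows: execmem alone usually covers a JIT, while execstack and execheap normally indicate a broken plugin or an old toolchain, so each should either be justified by a comment or dropped once the audit log confirms nothing trips it. A minimal change is to keep `execmem` on that line and move `execstack execheap` under a comment such as `# execstack/execheap: needed only for legacy plugins; remove when no AVC denials appear`, so a later reviewer knows they are a concession rather than a requirement. The networking block (client-only connect rules to a fixed port set, no bind) is in good shape by comparison.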
@@ -0,0 +1,85 @@ +policy_module(timidity, 1.9.0) + +# Note: You only need this policy if you want to run timidity as a server + +######################################## +# +# Declarations +# + +type timidity_t; +type timidity_exec_t; +init_daemon_domain(timidity_t, timidity_exec_t) +application_domain(timidity_t, timidity_exec_t) + +type timidity_tmpfs_t; +files_tmpfs_file(timidity_tmpfs_t) + +######################################## +# +# Local policy +# + +allow timidity_t self:capability { dac_override dac_read_search }; +dontaudit timidity_t self:capability sys_tty_config; +allow timidity_t self:process { signal_perms getsched }; +allow timidity_t self:shm create_shm_perms; +allow timidity_t self:unix_stream_socket create_stream_socket_perms; +allow timidity_t self:tcp_socket create_stream_socket_perms; +allow timidity_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) +manage_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) +manage_lnk_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) +manage_fifo_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) +manage_sock_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) +fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(timidity_t) +# read /proc/cpuinfo +kernel_read_system_state(timidity_t) + +corenet_all_recvfrom_unlabeled(timidity_t) +corenet_all_recvfrom_netlabel(timidity_t) +corenet_tcp_sendrecv_generic_if(timidity_t) +corenet_udp_sendrecv_generic_if(timidity_t) +corenet_tcp_sendrecv_generic_node(timidity_t) +corenet_udp_sendrecv_generic_node(timidity_t) +corenet_tcp_sendrecv_all_ports(timidity_t) +corenet_udp_sendrecv_all_ports(timidity_t) + +dev_read_sysfs(timidity_t) +dev_read_sound(timidity_t) +dev_write_sound(timidity_t) + +fs_search_auto_mountpoints(timidity_t) + +domain_use_interactive_fds(timidity_t) + +files_search_tmp(timidity_t) 
+# read /usr/share/alsa/alsa.conf +files_read_usr_files(timidity_t) +# read /etc/esd.conf +files_read_etc_files(timidity_t) + +# read libartscbackend.la +libs_read_lib_files(timidity_t) + +logging_send_syslog_msg(timidity_t) + +sysnet_read_config(timidity_t) + +userdom_dontaudit_use_unpriv_user_fds(timidity_t) + +# stupid timidity won't start if it can't search its current directory. +# allow this so /etc/init.d/alsasound start works from /root +# cjp: this should be fixed if possible so this rule can be removed. +userdom_search_user_home_dirs(timidity_t) + +optional_policy(` + seutil_sigchld_newrole(timidity_t) +') + +optional_policy(` + udev_read_db(timidity_t) +') diff --git a/tmpreaper.fc b/tmpreaper.fc new file mode 100644 index 0000000..81077db --- /dev/null +++ b/tmpreaper.fc @@ -0,0 +1,2 @@ +/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) +/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) diff --git a/tmpreaper.if b/tmpreaper.if new file mode 100644 index 0000000..8dfbd80 --- /dev/null +++ b/tmpreaper.if @@ -0,0 +1,21 @@ +## Manage temporary directory sizes and file ages + +######################################## +## +## Execute tmpreaper in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`tmpreaper_exec',` + gen_require(` + type tmpreaper_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, tmpreaper_exec_t) +') diff --git a/tmpreaper.te b/tmpreaper.te new file mode 100644 index 0000000..6a5004b --- /dev/null +++ b/tmpreaper.te 
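Review bot: `allow timidity_t self:capability { dac_override dac_read_search };` at the top of the local policy lets the daemon ignore permission bits on anything its type rules already reach, which is a broad grant for a MIDI server and carries no comment saying what fails without it. If it exists only so that `/etc/init.d/alsasound start` works from /root (the `userdom_search_user_home_dirs` hack further down has exactly that rationale), the cleaner fix is to drop the two capabilities and add back only what the audit log demands; if it is genuinely required, say why on that line, e.g. `# dac_override: timidity is started from a root cwd it cannot otherwise traverse`. Note also that the domain gets `corenet_tcp_sendrecv_all_ports` / `corenet_udp_sendrecv_all_ports` but no bind rule, so if the server really listens on a network port the policy is incomplete in the other direction and worth checking with the daemon running.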
@@ -0,0 +1,74 @@
+policy_module(tmpreaper, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type tmpreaper_t;
+type tmpreaper_exec_t;
+application_domain(tmpreaper_t, tmpreaper_exec_t)
+role system_r types tmpreaper_t;
+
+########################################
+#
+# Local Policy
+#
+
+allow tmpreaper_t self:process { fork sigchld };
+allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+
+dev_read_urand(tmpreaper_t)
+
+fs_getattr_xattr_fs(tmpreaper_t)
+
+files_read_etc_files(tmpreaper_t)
+files_read_var_lib_files(tmpreaper_t)
+files_purge_tmp(tmpreaper_t)
+# why does it need setattr?
+files_setattr_all_tmp_dirs(tmpreaper_t)
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
+
+mls_file_read_all_levels(tmpreaper_t)
+mls_file_write_all_levels(tmpreaper_t)
+
+logging_send_syslog_msg(tmpreaper_t)
+
+miscfiles_read_localization(tmpreaper_t)
+miscfiles_delete_man_pages(tmpreaper_t)
+
+cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
+
+ifdef(`distro_redhat',`
+ userdom_list_user_home_content(tmpreaper_t)
+ userdom_delete_user_home_content_dirs(tmpreaper_t)
+ userdom_delete_user_home_content_files(tmpreaper_t)
+ userdom_delete_user_home_content_symlinks(tmpreaper_t)
+')
+
+optional_policy(`
+ amavis_manage_spool_files(tmpreaper_t)
+')
+
+optional_policy(`
+ apache_list_cache(tmpreaper_t)
+ apache_delete_cache_files(tmpreaper_t)
+ apache_setattr_cache_dirs(tmpreaper_t)
+')
+
+optional_policy(`
+ kismet_manage_log(tmpreaper_t)
+')
+
+optional_policy(`
+ lpd_manage_spool(tmpreaper_t)
+')
+
+optional_policy(`
+ rpm_manage_cache(tmpreaper_t)
+')
+
+optional_policy(`
+ unconfined_domain(tmpreaper_t)
+')
diff --git a/tor.fc b/tor.fc
new file mode 100644
index 0000000..e2e06b2
--- /dev/null
+++ b/tor.fc
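Review bot: the closing `optional_policy(` unconfined_domain(tmpreaper_t) `)` makes tmpreaper fully unconfined on every system where the unconfined module is loaded, which silently overrides the carefully scoped `files_purge_tmp`, `mls_file_*_all_levels` and per-application delete rules above it. A cron-driven deleter that already holds `dac_override dac_read_search fowner` is a poor candidate for an unconfined escape hatch; it should at least sit behind a tunable or carry a comment naming the denial it works around, e.g. `# FIXME: unconfined fallback hides missing rules; remove once the audit log is clean`. As written, a reviewer of the targeted policy cannot tell whether anything else in this file is ever enforced.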
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
+/etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0)
+
+/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+
+/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+
+/var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0)
+
+/var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0)
diff --git a/tor.if b/tor.if
new file mode 100644
index 0000000..904f13e
--- /dev/null
+++ b/tor.if
@@ -0,0 +1,64 @@
+## TOR, the onion router
+
+########################################
+##
+## Execute a domain transition to run TOR.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`tor_domtrans',`
+ gen_require(`
+ type tor_t, tor_exec_t;
+ ')
+
+ domtrans_pattern($1, tor_exec_t, tor_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an tor environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the tor domain.
+##
+##
+##
+#
+interface(`tor_admin',`
+ gen_require(`
+ type tor_t, tor_var_log_t, tor_etc_t;
+ type tor_var_lib_t, tor_var_run_t;
+ type tor_initrc_exec_t;
+ ')
+
+ allow $1 tor_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, tor_t)
+
+ init_labeled_script_domtrans($1, tor_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 tor_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, tor_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, tor_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, tor_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, tor_var_run_t)
+')
diff --git a/tor.te b/tor.te
new file mode 100644
index 0000000..c842cad
--- /dev/null
+++ b/tor.te
@@ -0,0 +1,120 @@ +policy_module(tor, 1.8.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow tor daemon to bind +## tcp sockets to all unreserved ports. +##

+##
+gen_tunable(tor_bind_all_unreserved_ports, false) + +type tor_t; +type tor_exec_t; +init_daemon_domain(tor_t, tor_exec_t) + +# etc/tor +type tor_etc_t; +files_config_file(tor_etc_t) + +type tor_initrc_exec_t; +init_script_file(tor_initrc_exec_t) + +# var/lib/tor +type tor_var_lib_t; +files_type(tor_var_lib_t) + +# log files +type tor_var_log_t; +logging_log_file(tor_var_log_t) + +# pid files +type tor_var_run_t; +files_pid_file(tor_var_run_t) + +######################################## +# +# tor local policy +# + +allow tor_t self:capability { setgid setuid sys_tty_config }; +allow tor_t self:fifo_file rw_fifo_file_perms; +allow tor_t self:unix_stream_socket create_stream_socket_perms; +allow tor_t self:netlink_route_socket r_netlink_socket_perms; +allow tor_t self:tcp_socket create_stream_socket_perms; + +# configuration files +allow tor_t tor_etc_t:dir list_dir_perms; +read_files_pattern(tor_t, tor_etc_t, tor_etc_t) +read_lnk_files_pattern(tor_t, tor_etc_t, tor_etc_t) + +# var/lib/tor files +manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) +manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) +manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) +files_usr_filetrans(tor_t, tor_var_lib_t, file) +files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file }) +files_var_lib_filetrans(tor_t, tor_var_lib_t, file) + +# log files +allow tor_t tor_var_log_t:dir setattr; +manage_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) +manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) +logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir }) + +# pid file +manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t) +manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) +manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) +files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file }) + +kernel_read_system_state(tor_t) + +# networking basics +corenet_all_recvfrom_unlabeled(tor_t) 
+corenet_all_recvfrom_netlabel(tor_t) +corenet_tcp_sendrecv_generic_if(tor_t) +corenet_udp_sendrecv_generic_if(tor_t) +corenet_tcp_sendrecv_generic_node(tor_t) +corenet_udp_sendrecv_generic_node(tor_t) +corenet_tcp_sendrecv_all_ports(tor_t) +corenet_udp_sendrecv_dns_port(tor_t) +corenet_tcp_sendrecv_all_reserved_ports(tor_t) +corenet_tcp_bind_generic_node(tor_t) +corenet_udp_bind_generic_node(tor_t) +corenet_tcp_bind_tor_port(tor_t) +corenet_udp_bind_dns_port(tor_t) +corenet_sendrecv_tor_server_packets(tor_t) +corenet_sendrecv_dns_server_packets(tor_t) +# TOR will need to connect to various ports +corenet_tcp_connect_all_ports(tor_t) +corenet_sendrecv_all_client_packets(tor_t) +# ... especially including port 80 and other privileged ports +corenet_tcp_connect_all_reserved_ports(tor_t) + +# tor uses crypto and needs random +dev_read_urand(tor_t) + +domain_use_interactive_fds(tor_t) + +files_read_etc_files(tor_t) +files_read_etc_runtime_files(tor_t) +files_read_usr_files(tor_t) + +auth_use_nsswitch(tor_t) + +logging_send_syslog_msg(tor_t) + +miscfiles_read_localization(tor_t) + +tunable_policy(`tor_bind_all_unreserved_ports', ` + corenet_tcp_bind_all_unreserved_ports(tor_t) +') + +optional_policy(` + seutil_sigchld_newrole(tor_t) +') diff --git a/transproxy.fc b/transproxy.fc new file mode 100644 index 0000000..ce33f17 --- /dev/null +++ b/transproxy.fc @@ -0,0 +1,3 @@ +/usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0) + +/var/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0) diff --git a/transproxy.if b/transproxy.if new file mode 100644 index 0000000..23323f9 --- /dev/null +++ b/transproxy.if @@ -0,0 +1 @@ +## HTTP transperant proxy diff --git a/transproxy.te b/transproxy.te new file mode 100644 index 0000000..95cf0c0 --- /dev/null +++ b/transproxy.te 
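Review bot: `files_usr_filetrans(tor_t, tor_var_lib_t, file)` gives the daemon add_name/write on usr_t directories so it can create tor_var_lib_t files anywhere under /usr, yet nothing in tor.fc labels any path under /usr as tor state. A network-facing daemon should not be able to drop files into /usr at all; unless a supported distribution really keeps its DataDirectory there (in which case add that path to tor.fc and a comment on the rule), the line should be removed, and `files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file })` deserves the same question since /var/lib/tor is already handled by `files_var_lib_filetrans`. The networking block is appropriately broad for tor (connect to all ports) and the UDP bind is limited to the dns port, so the two filetrans rules are the odd ones out in this hunk.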
@@ -0,0 +1,65 @@
+policy_module(transproxy, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type transproxy_t;
+type transproxy_exec_t;
+init_daemon_domain(transproxy_t, transproxy_exec_t)
+
+type transproxy_var_run_t;
+files_pid_file(transproxy_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow transproxy_t self:capability { setgid setuid };
+dontaudit transproxy_t self:capability sys_tty_config;
+allow transproxy_t self:process signal_perms;
+allow transproxy_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(transproxy_t, transproxy_var_run_t, transproxy_var_run_t)
+files_pid_filetrans(transproxy_t, transproxy_var_run_t, file)
+
+kernel_read_kernel_sysctls(transproxy_t)
+kernel_list_proc(transproxy_t)
+kernel_read_proc_symlinks(transproxy_t)
+
+corenet_all_recvfrom_unlabeled(transproxy_t)
+corenet_all_recvfrom_netlabel(transproxy_t)
+corenet_tcp_sendrecv_generic_if(transproxy_t)
+corenet_tcp_sendrecv_generic_node(transproxy_t)
+corenet_tcp_sendrecv_all_ports(transproxy_t)
+corenet_tcp_bind_generic_node(transproxy_t)
+corenet_tcp_bind_transproxy_port(transproxy_t)
+corenet_sendrecv_transproxy_server_packets(transproxy_t)
+
+dev_read_sysfs(transproxy_t)
+
+domain_use_interactive_fds(transproxy_t)
+
+files_read_etc_files(transproxy_t)
+
+fs_getattr_all_fs(transproxy_t)
+fs_search_auto_mountpoints(transproxy_t)
+
+logging_send_syslog_msg(transproxy_t)
+
+miscfiles_read_localization(transproxy_t)
+
+sysnet_read_config(transproxy_t)
+
+userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
+userdom_dontaudit_search_user_home_dirs(transproxy_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(transproxy_t)
+')
+
+optional_policy(`
+ udev_read_db(transproxy_t)
+')
diff --git a/tripwire.fc b/tripwire.fc
new file mode 100644
index 0000000..962662f
--- /dev/null
+++ b/tripwire.fc
@@ -0,0 +1,10 @@ + +/etc/tripwire(/.*)? gen_context(system_u:object_r:tripwire_etc_t,s0) + +/usr/sbin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0) +/usr/sbin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0) +/usr/sbin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0) +/usr/sbin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0) + +/var/lib/tripwire(/.*)? gen_context(system_u:object_r:tripwire_var_lib_t,s0) +/var/lib/tripwire/report(/.*)? gen_context(system_u:object_r:tripwire_report_t,s0) diff --git a/tripwire.if b/tripwire.if new file mode 100644 index 0000000..27abd88 --- /dev/null +++ b/tripwire.if @@ -0,0 +1,190 @@ +## Tripwire file integrity checker. +## +##

+## Tripwire file integrity checker. +##

+##

+## NOTE: Tripwire creates temp file in its current working directory. +## This policy does not allow write access to home directories, so +## users will need to either cd to a directory where they have write +## permission, or set the TEMPDIRECTORY variable in the tripwire config +## file. The latter is preferable, as then the file_type_auto_trans +## rules will kick in and label the files as private to tripwire. +##

+##
+ +######################################## +## +## Execute tripwire in the tripwire domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`tripwire_domtrans_tripwire',` + gen_require(` + type tripwire_t, tripwire_exec_t; + ') + + domtrans_pattern($1, tripwire_exec_t, tripwire_t) +') + +######################################## +## +## Execute tripwire in the tripwire domain, and +## allow the specified role the tripwire domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`tripwire_run_tripwire',` + gen_require(` + type tripwire_t; + ') + + tripwire_domtrans_tripwire($1) + role $2 types tripwire_t; +') + +######################################## +## +## Execute twadmin in the twadmin domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`tripwire_domtrans_twadmin',` + gen_require(` + type twadmin_t, twadmin_exec_t; + ') + + domtrans_pattern($1, twadmin_exec_t, twadmin_t) +') + +######################################## +## +## Execute twadmin in the twadmin domain, and +## allow the specified role the twadmin domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`tripwire_run_twadmin',` + gen_require(` + type twadmin_t; + ') + + tripwire_domtrans_twadmin($1) + role $2 types twadmin_t; +') + +######################################## +## +## Execute twprint in the twprint domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`tripwire_domtrans_twprint',` + gen_require(` + type twprint_t, twprint_exec_t; + ') + + domtrans_pattern($1, twprint_exec_t, twprint_t) +') + +######################################## +## +## Execute twprint in the twprint domain, and +## allow the specified role the twprint domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. 
+## +## +## +# +interface(`tripwire_run_twprint',` + gen_require(` + type twprint_t; + ') + + tripwire_domtrans_twprint($1) + role $2 types twprint_t; +') + +######################################## +## +## Execute siggen in the siggen domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`tripwire_domtrans_siggen',` + gen_require(` + type siggen_t, siggen_exec_t; + ') + + domtrans_pattern($1, siggen_exec_t, siggen_t) +') + +######################################## +## +## Execute siggen in the siggen domain, and +## allow the specified role the siggen domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`tripwire_run_siggen',` + gen_require(` + type siggen_t; + ') + + tripwire_domtrans_siggen($1) + role $2 types siggen_t; +') diff --git a/tripwire.te b/tripwire.te new file mode 100644 index 0000000..2ae8b62 --- /dev/null +++ b/tripwire.te 
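Review bot: the module description at the top of this file tells users to "cd to a directory where they have write permission" and says `file_type_auto_trans` rules will then label the temp files, but neither matches the accompanying .te: tripwire_t can only create files in tmp_t directories (via `files_tmp_filetrans`) and in its own report, var_lib and tmp types, so an arbitrary user-writable cwd will still be denied, and the macro it names does not exist in this tree. Suggest rewording that note to `NOTE: tripwire creates temp files in its cwd. This policy only lets it write under /tmp (tmp_t) and its own types, so run it from /tmp or set TEMPDIRECTORY in the config; files created there are labelled tripwire_tmp_t by files_tmp_filetrans.` The `tripwire_run_*` interfaces, each pairing a domtrans with a role grant, are the right shape and need no change.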
@@ -0,0 +1,146 @@ +policy_module(tripwire, 1.2.0) + +######################################## +# +# Declarations +# + +type siggen_t; +type siggen_exec_t; +application_domain(siggen_t, siggen_exec_t) + +type tripwire_t; +type tripwire_exec_t; +application_domain(tripwire_t, tripwire_exec_t) +role system_r types tripwire_t; + +type tripwire_etc_t; +files_config_file(tripwire_etc_t) + +type tripwire_report_t; +files_type(tripwire_report_t) + +type tripwire_tmp_t; +files_tmp_file(tripwire_tmp_t) + +type tripwire_var_lib_t; +files_type(tripwire_var_lib_t) + +type twadmin_t; +type twadmin_exec_t; +application_domain(twadmin_t, twadmin_exec_t) + +type twprint_t; +type twprint_exec_t; +application_domain(twprint_t, twprint_exec_t) + +######################################## +# +# Tripwire local policy +# + +allow tripwire_t self:capability { setgid setuid dac_override }; + +allow tripwire_t tripwire_etc_t:dir list_dir_perms; +read_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t) +read_lnk_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t) +files_search_etc(tripwire_t) + +# Tripwire report files +manage_dirs_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) +manage_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) +manage_lnk_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) + +manage_dirs_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) +manage_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) +manage_lnk_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) +manage_fifo_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) +manage_sock_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) +files_tmp_filetrans(tripwire_t, tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file }) + +manage_files_pattern(tripwire_t, tripwire_var_lib_t, tripwire_var_lib_t) +files_var_lib_filetrans(tripwire_t, tripwire_var_lib_t, file) + +kernel_read_system_state(tripwire_t) +kernel_read_network_state(tripwire_t) 
+kernel_read_software_raid_state(tripwire_t) +kernel_getattr_core_if(tripwire_t) +kernel_getattr_message_if(tripwire_t) +kernel_read_kernel_sysctls(tripwire_t) + +corecmd_exec_shell(tripwire_t) +corecmd_exec_bin(tripwire_t) + +domain_use_interactive_fds(tripwire_t) + +files_read_all_files(tripwire_t) +files_read_all_symlinks(tripwire_t) +files_getattr_all_pipes(tripwire_t) +files_getattr_all_sockets(tripwire_t) + +logging_send_syslog_msg(tripwire_t) + +userdom_use_user_terminals(tripwire_t) + +optional_policy(` + cron_system_entry(tripwire_t, tripwire_exec_t) +') + +######################################## +# +# Twadmin local policy +# + +manage_dirs_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t) +manage_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t) +manage_lnk_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t) + +domain_use_interactive_fds(twadmin_t) + +logging_send_syslog_msg(twadmin_t) + +miscfiles_read_localization(twadmin_t) + +userdom_use_user_terminals(twadmin_t) + +######################################## +# +# Twprint local policy +# + +allow twprint_t tripwire_etc_t:dir list_dir_perms; +read_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t) +read_lnk_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t) + +allow twprint_t tripwire_report_t:dir list_dir_perms; +read_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t) +read_lnk_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t) + +allow twprint_t tripwire_var_lib_t:dir list_dir_perms; +read_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t) +read_lnk_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t) +files_search_var_lib(twprint_t) + +domain_use_interactive_fds(twprint_t) + +logging_send_syslog_msg(twprint_t) + +miscfiles_read_localization(twprint_t) + +userdom_use_user_terminals(twprint_t) + +######################################## +# +# Siggen local policy +# + +domain_use_interactive_fds(siggen_t) + +# Need permission to 
read files +files_read_all_files(siggen_t) + +logging_send_syslog_msg(siggen_t) + +miscfiles_read_localization(siggen_t) + +userdom_use_user_terminals(siggen_t) diff --git a/tuned.fc b/tuned.fc new file mode 100644 index 0000000..639c962 --- /dev/null +++ b/tuned.fc @@ -0,0 +1,8 @@ +/etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0) + +/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) + +/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0) +/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) + +/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) diff --git a/tuned.if b/tuned.if new file mode 100644 index 0000000..54b8605 --- /dev/null +++ b/tuned.if 
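Review bot: `corecmd_exec_shell(tripwire_t)` and `corecmd_exec_bin(tripwire_t)` run whatever tripwire spawns inside tripwire_t, a domain that also holds `files_read_all_files`, `files_read_all_symlinks` and `dac_override`; if that pair is there for the report mailer (MAILPROGRAM), the mailer inherits read access to every file on the system instead of transitioning to a mail-client domain. Consider an `optional_policy(` mta_send_mail(tripwire_t) `)` so the mailer gets its own domain, and put a comment on the two corecmd lines naming what they are for, e.g. `# tripwire execs the configured MAILPROGRAM and shell helpers in-domain`. The domain split itself is good: twprint_t and siggen_t are read-only and only twadmin_t can manage tripwire_etc_t (the config and, in a standard install, the key files), so keeping tripwire_t from executing arbitrary binaries with read-everything rights is the remaining gap.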
@@ -0,0 +1,129 @@ +## Dynamic adaptive system tuning daemon + +######################################## +## +## Execute a domain transition to run tuned. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`tuned_domtrans',` + gen_require(` + type tuned_t, tuned_exec_t; + ') + + domtrans_pattern($1, tuned_exec_t, tuned_t) +') + +####################################### +## +## Execute tuned in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`tuned_exec',` + gen_require(` + type tuned_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, tuned_exec_t) +') + +###################################### +## +## Read tuned PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`tuned_read_pid_files',` + gen_require(` + type tuned_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, tuned_var_run_t, tuned_var_run_t) +') + +####################################### +## +## Manage tuned PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`tuned_manage_pid_files',` + gen_require(` + type tuned_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t) +') + +######################################## +## +## Execute tuned server in the tuned domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`tuned_initrc_domtrans',` + gen_require(` + type tuned_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, tuned_initrc_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an tuned environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. 
+## +## +## +# +interface(`tuned_admin',` + gen_require(` + type tuned_t, tuned_var_run_t; + type tuned_initrc_exec_t; + ') + + allow $1 tuned_t:process { ptrace signal_perms }; + ps_process_pattern($1, tuned_t) + + tuned_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 tuned_initrc_exec_t system_r; + allow $2 system_r; + + files_search_pids($1) + admin_pattern($1, tuned_var_run_t) +') diff --git a/tuned.te b/tuned.te new file mode 100644 index 0000000..db9d2a5 --- /dev/null +++ b/tuned.te @@ -0,0 +1,64 @@ +policy_module(tuned, 1.1.0) + +######################################## +# +# Declarations +# + +type tuned_t; +type tuned_exec_t; +init_daemon_domain(tuned_t, tuned_exec_t) + +type tuned_initrc_exec_t; +init_script_file(tuned_initrc_exec_t) + +type tuned_log_t; +logging_log_file(tuned_log_t) + +type tuned_var_run_t; +files_pid_file(tuned_var_run_t) + +######################################## +# +# tuned local policy +# + +dontaudit tuned_t self:capability { dac_override sys_tty_config }; + +manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) +manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) +logging_log_filetrans(tuned_t, tuned_log_t, file) + +manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) +files_pid_filetrans(tuned_t, tuned_var_run_t, file) + +corecmd_exec_shell(tuned_t) +corecmd_exec_bin(tuned_t) + +kernel_read_system_state(tuned_t) +kernel_read_network_state(tuned_t) + +dev_read_urand(tuned_t) +dev_read_sysfs(tuned_t) +# to allow cpu tuning +dev_rw_netcontrol(tuned_t) + +files_read_etc_files(tuned_t) +files_read_usr_files(tuned_t) +files_dontaudit_search_home(tuned_t) + +logging_send_syslog_msg(tuned_t) + +miscfiles_read_localization(tuned_t) + +userdom_dontaudit_search_user_home_dirs(tuned_t) + +# to allow disk tuning +optional_policy(` + fstools_domtrans(tuned_t) +') + +# to allow network interface tuning +optional_policy(` + sysnet_domtrans_ifconfig(tuned_t) +') 
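Review bot: `tuned_domtrans` calls `domtrans_pattern($1, tuned_exec_t, tuned_t)` without the `corecmd_search_bin($1)` that `tuned_exec` in the same file and the other domtrans interfaces in this series (`tzdata_domtrans`, `updfstab_domtrans`) include, so a caller that does not already have search on bin_t is denied traversing to /usr/sbin/tuned before the transition is ever attempted. Add `corecmd_search_bin($1)` directly above the `domtrans_pattern` line. Separately, `tuned_admin` grants `$1` `ptrace` on `tuned_t`; that is the refpolicy admin idiom, but since it lets the admin domain read the daemon's memory it deserves a one-line comment stating it is deliberate.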
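Review bot: `logging_log_filetrans(tuned_t, tuned_log_t, file)` only names the file class, while tuned.fc labels `/var/log/tuned(/.*)?` as a directory and this hunk has `manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)`; a `/var/log/tuned` directory the daemon creates itself would inherit the parent's var_log_t rather than tuned_log_t, so the dir rules on tuned_log_t only take effect after a restorecon and the log tree is not actually confined to the tuned type until then. Change it to `logging_log_filetrans(tuned_t, tuned_log_t, { file dir })`. The two optional blocks also hand `tuned_t` transitions via `fstools_domtrans` and `sysnet_domtrans_ifconfig`, which (if these are the standard fsadm and ifconfig domains) carry raw disk and network-configuration privileges; the `# to allow disk tuning` / `# to allow network interface tuning` comments name the intent, but it would help to add that this is where tuned's effective privilege is widest so nobody reads the `dontaudit`-only capability line as the whole story.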
diff --git a/tvtime.fc b/tvtime.fc
new file mode 100644
index 0000000..8698a61
--- /dev/null
+++ b/tvtime.fc
@@ -0,0 +1,5 @@
+#
+# /usr
+#
+/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0)
+
diff --git a/tvtime.if b/tvtime.if
new file mode 100644
index 0000000..8d89f21
--- /dev/null
+++ b/tvtime.if
@@ -0,0 +1,40 @@
+## tvtime - a high quality television application
+
+########################################
+##
+## Role access for tvtime
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`tvtime_role',`
+ gen_require(`
+ type tvtime_t, tvtime_exec_t;
+ type tvtime_home_t, tvtime_tmpfs_t;
+ ')
+
+ role $1 types tvtime_t;
+
+ # Type transition
+ domtrans_pattern($2, tvtime_exec_t, tvtime_t)
+
+ # X access, Home files
+ manage_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
+ manage_files_pattern($2, tvtime_home_t, tvtime_home_t)
+ manage_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
+ relabel_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
+ relabel_files_pattern($2, tvtime_home_t, tvtime_home_t)
+ relabel_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, tvtime_t)
+ allow $2 tvtime_t:process signal_perms;
+')
diff --git a/tvtime.te b/tvtime.te
new file mode 100644
index 0000000..11fe4f2
--- /dev/null
+++ b/tvtime.te
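Review bot: tvtime.fc labels only `/usr/bin/tvtime`, yet tvtime.te declares `tvtime_home_t` as `userdom_user_home_content` and only ever assigns it at runtime through `userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)`; with no `HOME_DIR/` entry the type is never restored by file contexts, so a `restorecon` of a home directory strips it back to the generic home type and `tvtime_t` is then left with the read-only `userdom_read_user_home_content_files` access, so writes to its own config would be denied. Compare uml.fc in this same series, which carries `HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0)`. If tvtime keeps its per-user state under ~/.tvtime (I believe it does, but confirm against the package), add `HOME_DIR/\.tvtime(/.*)? gen_context(system_u:object_r:tvtime_home_t,s0)`.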
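Review bot: `tvtime_role` lists `tvtime_tmpfs_t` in its `gen_require` block but never references it in the body, so the require is dead; remove it or add the rules it was meant to guard. The `# X access, Home files` comment above the `tvtime_home_t` rules is copied from tvtime.te and does not describe what follows, which is home-directory manage and relabel rights for the user domain; `# Let the user domain manage and relabel its tvtime home content` would be accurate.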
@@ -0,0 +1,93 @@ +policy_module(tvtime, 2.1.0) + +######################################## +# +# Declarations +# + +type tvtime_t; +type tvtime_exec_t; +typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t }; +typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t }; +application_domain(tvtime_t, tvtime_exec_t) +ubac_constrained(tvtime_t) + +type tvtime_home_t alias tvtime_rw_t; +typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t }; +typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t }; +userdom_user_home_content(tvtime_home_t) + +type tvtime_tmp_t; +typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t }; +typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t }; +files_tmp_file(tvtime_tmp_t) +ubac_constrained(tvtime_tmp_t) + +type tvtime_tmpfs_t; +typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t }; +typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t }; +files_tmpfs_file(tvtime_tmpfs_t) +ubac_constrained(tvtime_tmpfs_t) + +######################################## +# +# Local policy +# + +allow tvtime_t self:capability { setuid sys_nice sys_resource }; +allow tvtime_t self:process setsched; +allow tvtime_t self:unix_dgram_socket rw_socket_perms; +allow tvtime_t self:unix_stream_socket rw_stream_socket_perms; + +# X access, Home files +manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) +manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) +manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) +userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir) + +manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) +manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) +files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir }) + +manage_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) 
+manage_lnk_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) +manage_fifo_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) +manage_sock_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) +fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file }) + +kernel_read_all_sysctls(tvtime_t) +kernel_get_sysvipc_info(tvtime_t) + +dev_read_urand(tvtime_t) +dev_read_realtime_clock(tvtime_t) +dev_read_sound(tvtime_t) + +files_read_usr_files(tvtime_t) +files_search_pids(tvtime_t) +# Read /etc/tvtime +files_read_etc_files(tvtime_t) + +# X access, Home files +fs_search_auto_mountpoints(tvtime_t) + +miscfiles_read_localization(tvtime_t) +miscfiles_read_fonts(tvtime_t) + +userdom_use_user_terminals(tvtime_t) +userdom_read_user_home_content_files(tvtime_t) + +# X access, Home files +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(tvtime_t) + fs_manage_nfs_files(tvtime_t) + fs_manage_nfs_symlinks(tvtime_t) +') +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(tvtime_t) + fs_manage_cifs_files(tvtime_t) + fs_manage_cifs_symlinks(tvtime_t) +') + +optional_policy(` + xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) +') diff --git a/tzdata.fc b/tzdata.fc new file mode 100644 index 0000000..04b8548 --- /dev/null +++ b/tzdata.fc @@ -0,0 +1 @@ +/usr/sbin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0) diff --git a/tzdata.if b/tzdata.if new file mode 100644 index 0000000..01c6c86 --- /dev/null +++ b/tzdata.if 
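Review bot: `userdom_read_user_home_content_files(tvtime_t)` lets the domain read every user-home content type even though the module defines a dedicated `tvtime_home_t` and already creates it with `userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)`; if the generic read is only there for media or config files the user passes by path, say so in a comment, and otherwise narrow it so a compromised TV application cannot read the rest of the home directory. The `setuid` capability in `allow tvtime_t self:capability { setuid sys_nice sys_resource };` is also unusual for an ubac-constrained user application; if it exists because the binary is installed setuid root and drops back to the invoking user after acquiring realtime priority (historically the case for tvtime, but confirm against the package), document that with `# setuid root binary drops privileges after raising scheduling priority`, and if the package no longer ships setuid the capability should go. Style nit: `files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir })` is missing the space before the brace that every other filetrans call in this series has.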
@@ -0,0 +1,45 @@ +## Time zone updater + +######################################## +## +## Execute a domain transition to run tzdata. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`tzdata_domtrans',` + gen_require(` + type tzdata_t, tzdata_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, tzdata_exec_t, tzdata_t) +') + +######################################## +## +## Execute the tzdata program in the tzdata domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to allow the tzdata domain. +## +## +## +# +interface(`tzdata_run',` + gen_require(` + type tzdata_t; + ') + + tzdata_domtrans($1) + role $2 types tzdata_t; +') diff --git a/tzdata.te b/tzdata.te new file mode 100644 index 0000000..d0f2a64 --- /dev/null +++ b/tzdata.te @@ -0,0 +1,36 @@ +policy_module(tzdata, 1.4.0) + +######################################## +# +# Declarations +# + +type tzdata_t; +type tzdata_exec_t; +init_daemon_domain(tzdata_t, tzdata_exec_t) +application_domain(tzdata_t, tzdata_exec_t) + +######################################## +# +# tzdata local policy +# + +files_read_etc_files(tzdata_t) +files_search_spool(tzdata_t) + +fs_getattr_xattr_fs(tzdata_t) + +term_dontaudit_list_ptys(tzdata_t) + +locallogin_dontaudit_use_fds(tzdata_t) + +miscfiles_read_localization(tzdata_t) +miscfiles_manage_localization(tzdata_t) +miscfiles_etc_filetrans_localization(tzdata_t) + +userdom_use_user_terminals(tzdata_t) + +# tzdata looks for /var/spool/postfix/etc/localtime. +optional_policy(` + postfix_search_spool(tzdata_t) +') diff --git a/ucspitcp.fc b/ucspitcp.fc new file mode 100644 index 0000000..667d0b5 --- /dev/null +++ b/ucspitcp.fc @@ -0,0 +1,3 @@ + +/usr/bin/rblsmtpd -- gen_context(system_u:object_r:rblsmtpd_exec_t,s0) +/usr/bin/tcpserver -- gen_context(system_u:object_r:ucspitcp_exec_t,s0) diff --git a/ucspitcp.if b/ucspitcp.if new file mode 100644 index 0000000..c1feba4 --- /dev/null +++ b/ucspitcp.if 
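Review bot: `tzdata_t` is declared with both `init_daemon_domain` and `application_domain`, an unusual pairing: as I read the refpolicy helpers the first marks it an init-started system_r service and the second a program users run directly, and both repeat the `domain_type`/`domain_entry_file` rules. It works, but the reason tzdata-update needs both (presumably it runs from init scripts as well as interactively, given `userdom_use_user_terminals(tzdata_t)`) should be stated above the declarations, e.g. `# tzdata-update is run both from init and by users, so it is both a daemon and an application domain`. The header comment should also call out that `miscfiles_manage_localization` plus `miscfiles_etc_filetrans_localization` is the rule pair that lets this domain replace /etc/localtime and other localization files, since that write is the whole point of the module and the one thing a reviewer needs to see first.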
@@ -0,0 +1,38 @@
+## ucspitcp policy
+##
+##

+## Policy for DJB's ucspi-tcpd
+##

+##
+
+########################################
+##
+## Define a specified domain as a ucspitcp service.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type associated with the process program.
+##
+##
+#
+interface(`ucspitcp_service_domain', `
+ gen_require(`
+ type ucspitcp_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domain_auto_trans(ucspitcp_t, $2, $1)
+ allow $1 ucspitcp_t:fd use;
+ allow $1 ucspitcp_t:process sigchld;
+ allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
+')
diff --git a/ucspitcp.te b/ucspitcp.te
new file mode 100644
index 0000000..a0794bf
--- /dev/null
+++ b/ucspitcp.te
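Review bot: `ucspitcp_service_domain` uses the legacy `domain_auto_trans(ucspitcp_t, $2, $1)` and then hand-writes the `fd use` and `process sigchld` rules that, as I read the refpolicy support macros, `domtrans_pattern` already supplies, so it is inconsistent with every other domtrans interface in this series (`tuned_domtrans`, `tzdata_domtrans`, `updfstab_domtrans`). Replace those three lines with `domtrans_pattern(ucspitcp_t, $2, $1)` and keep only `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;`, which is the genuinely service-specific rule (the child inherits tcpserver's accepted connection). The `role system_r types $1;` inside the interface silently makes every caller a system_r domain; that is intended for tcpserver children, but a `# services spawned by tcpserver run in system_r` comment would make it explicit, and the stray space in `interface(`ucspitcp_service_domain', `` should go.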
@@ -0,0 +1,93 @@ +policy_module(ucspitcp, 1.3.0) + +######################################## +# +# Declarations +# + +type rblsmtpd_t; +type rblsmtpd_exec_t; +init_system_domain(rblsmtpd_t, rblsmtpd_exec_t) +role system_r types rblsmtpd_t; + +type ucspitcp_t; +type ucspitcp_exec_t; +init_system_domain(ucspitcp_t, ucspitcp_exec_t) +role system_r types ucspitcp_t; + +######################################## +# +# Local policy for rblsmtpd +# + +ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t) + +corecmd_search_bin(rblsmtpd_t) + +corenet_all_recvfrom_unlabeled(rblsmtpd_t) +corenet_all_recvfrom_netlabel(rblsmtpd_t) +corenet_tcp_sendrecv_generic_if(rblsmtpd_t) +corenet_udp_sendrecv_generic_if(rblsmtpd_t) +corenet_tcp_sendrecv_generic_node(rblsmtpd_t) +corenet_udp_sendrecv_generic_node(rblsmtpd_t) +corenet_tcp_sendrecv_all_ports(rblsmtpd_t) +corenet_udp_sendrecv_all_ports(rblsmtpd_t) +corenet_tcp_bind_generic_node(rblsmtpd_t) +corenet_udp_bind_generic_port(rblsmtpd_t) + +files_read_etc_files(rblsmtpd_t) +files_search_var(rblsmtpd_t) + +optional_policy(` + daemontools_ipc_domain(rblsmtpd_t) +') + +######################################## +# +# Local policy for tcpserver +# + +allow ucspitcp_t self:capability { setgid setuid }; +allow ucspitcp_t self:fifo_file rw_fifo_file_perms; +allow ucspitcp_t self:tcp_socket create_stream_socket_perms; +allow ucspitcp_t self:udp_socket create_socket_perms; + +corecmd_search_bin(ucspitcp_t) + +# base networking: +corenet_all_recvfrom_unlabeled(ucspitcp_t) +corenet_all_recvfrom_netlabel(ucspitcp_t) +corenet_tcp_sendrecv_generic_if(ucspitcp_t) +corenet_udp_sendrecv_generic_if(ucspitcp_t) +corenet_tcp_sendrecv_generic_node(ucspitcp_t) +corenet_udp_sendrecv_generic_node(ucspitcp_t) +corenet_tcp_sendrecv_all_ports(ucspitcp_t) +corenet_udp_sendrecv_all_ports(ucspitcp_t) +corenet_tcp_bind_generic_node(ucspitcp_t) +corenet_udp_bind_generic_node(ucspitcp_t) + +# server ports: +corenet_tcp_bind_ftp_port(ucspitcp_t) 
+corenet_tcp_bind_ftp_data_port(ucspitcp_t) +corenet_tcp_bind_http_port(ucspitcp_t) +corenet_tcp_bind_smtp_port(ucspitcp_t) +corenet_tcp_bind_dns_port(ucspitcp_t) +corenet_udp_bind_dns_port(ucspitcp_t) +corenet_udp_bind_generic_port(ucspitcp_t) + +# server packets: +corenet_sendrecv_ftp_server_packets(ucspitcp_t) +corenet_sendrecv_http_server_packets(ucspitcp_t) +corenet_sendrecv_smtp_server_packets(ucspitcp_t) +corenet_sendrecv_dns_server_packets(ucspitcp_t) +corenet_sendrecv_generic_server_packets(ucspitcp_t) + +files_search_var(ucspitcp_t) +files_read_etc_files(ucspitcp_t) + +sysnet_read_config(ucspitcp_t) + +optional_policy(` + daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) + daemontools_read_svc(ucspitcp_t) +') diff --git a/ulogd.fc b/ulogd.fc new file mode 100644 index 0000000..831b4a3 --- /dev/null +++ b/ulogd.fc @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) +/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0) + +/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) +/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) + +/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) diff --git a/ulogd.if b/ulogd.if new file mode 100644 index 0000000..d23be5c --- /dev/null +++ b/ulogd.if 
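Review bot: `rblsmtpd_t` is given `corenet_udp_sendrecv_generic_if/node`, `corenet_udp_sendrecv_all_ports` and `corenet_udp_bind_generic_port`, but no `allow rblsmtpd_t self:udp_socket create_socket_perms;` (compare the `ucspitcp_t` block, which has one), so unless the optional `daemontools_ipc_domain` supplies it, which I cannot see here, the domain cannot create the UDP socket those rules are for and its DNSBL lookups fail at socket creation. Add the self:udp_socket rule, or use `sysnet_dns_name_resolve(rblsmtpd_t)`, which as I read it bundles the socket and DNS-port rules and would let you drop `corenet_udp_sendrecv_all_ports` and `corenet_udp_bind_generic_port`, both wider than a resolver client needs. `corenet_tcp_bind_generic_node(rblsmtpd_t)` with no matching `corenet_tcp_bind_*_port` looks copied from the tcpserver block; rblsmtpd receives an already-accepted connection through `ucspitcp_service_domain` and should not need to bind at all.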
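Review bot: `/etc/ulogd.conf` has an unescaped `.` while every other entry in this file and the neighbouring .fc files escapes it (`/etc/rc\.d/init\.d/ulogd` on the line above, `/etc/uptimed\.conf` in uptime.fc); file-context paths are regular expressions, so as written it also matches any `/etc/ulogdXconf`. Harmless in practice but inconsistent: change it to `/etc/ulogd\.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)`.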
@@ -0,0 +1,142 @@ +## Iptables/netfilter userspace logging daemon. + +######################################## +## +## Execute a domain transition to run ulogd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`ulogd_domtrans',` + gen_require(` + type ulogd_t, ulogd_exec_t; + ') + + domtrans_pattern($1, ulogd_exec_t, ulogd_t) +') + +######################################## +## +## Allow the specified domain to read +## ulogd configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`ulogd_read_config',` + gen_require(` + type ulogd_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, ulogd_etc_t, ulogd_etc_t) +') + +######################################## +## +## Allow the specified domain to read ulogd's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`ulogd_read_log',` + gen_require(` + type ulogd_var_log_t; + ') + + logging_search_logs($1) + allow $1 ulogd_var_log_t:dir list_dir_perms; + read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) +') + +####################################### +## +## Allow the specified domain to search ulogd's log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`ulogd_search_log',` + gen_require(` + type ulogd_var_log_t; + ') + + logging_search_logs($1) + allow $1 ulogd_var_log_t:dir search_dir_perms; +') + +######################################## +## +## Allow the specified domain to append to ulogd's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`ulogd_append_log',` + gen_require(` + type ulogd_var_log_t; + ') + + logging_search_logs($1) + allow $1 ulogd_var_log_t:dir list_dir_perms; + allow $1 ulogd_var_log_t:file append_file_perms; +') + +######################################## +## +## All of the rules required to administrate +## an ulogd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the syslog domain. 
+## +## +## +# +interface(`ulogd_admin',` + gen_require(` + type ulogd_t, ulogd_etc_t, ulogd_modules_t; + type ulogd_var_log_t, ulogd_initrc_exec_t; + ') + + allow $1 ulogd_t:process { ptrace signal_perms }; + ps_process_pattern($1, ulogd_t) + + init_labeled_script_domtrans($1, ulogd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ulogd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, ulogd_etc_t) + + logging_list_logs($1) + admin_pattern($1, ulogd_var_log_t) + + files_list_usr($1) + admin_pattern($1, ulogd_modules_t) +') diff --git a/ulogd.te b/ulogd.te new file mode 100644 index 0000000..3b953f5 --- /dev/null +++ b/ulogd.te 
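Review bot: the role parameter description in `ulogd_admin` reads `The role to be allowed to manage the syslog domain.`, a copy-paste from the logging module; it should say `The role to be allowed to manage the ulogd domain.` (the other admin interface in this series, `tuned_admin`, simply uses `Role allowed access.`). `ulogd_domtrans` also lacks the `corecmd_search_bin($1)` that `tzdata_domtrans` and `updfstab_domtrans` include for the same purpose; add it above `domtrans_pattern` so callers can reach /usr/sbin/ulogd.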
@@ -0,0 +1,67 @@ +policy_module(ulogd, 1.2.0) + +######################################## +# +# Declarations +# + +type ulogd_t; +type ulogd_exec_t; +init_daemon_domain(ulogd_t, ulogd_exec_t) + +# config files +type ulogd_etc_t; +files_type(ulogd_etc_t) + +type ulogd_initrc_exec_t; +init_script_file(ulogd_initrc_exec_t) + +# /usr/lib files +type ulogd_modules_t; +files_type(ulogd_modules_t) + +# log files +type ulogd_var_log_t; +logging_log_file(ulogd_var_log_t) + +######################################## +# +# ulogd local policy +# + +allow ulogd_t self:capability net_admin; +allow ulogd_t self:netlink_nflog_socket create_socket_perms; + +# config files +read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) + +# modules for ulogd +list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) +mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) + +# log files +manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) +logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) + +files_read_etc_files(ulogd_t) +files_read_usr_files(ulogd_t) + +miscfiles_read_localization(ulogd_t) + +optional_policy(` + allow ulogd_t self:tcp_socket create_stream_socket_perms; + + mysql_stream_connect(ulogd_t) + mysql_tcp_connect(ulogd_t) + + sysnet_dns_name_resolve(ulogd_t) +') + +optional_policy(` + allow ulogd_t self:tcp_socket create_stream_socket_perms; + + postgresql_stream_connect(ulogd_t) + postgresql_tcp_connect(ulogd_t) + + sysnet_dns_name_resolve(ulogd_t) +') diff --git a/uml.fc b/uml.fc new file mode 100644 index 0000000..b8b9520 --- /dev/null +++ b/uml.fc @@ -0,0 +1,14 @@ +# +# HOME_DIR/ +# +HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0) + +# +# /usr +# +/usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0) + +# +# /var +# +/var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0) diff --git a/uml.if b/uml.if new file mode 100644 index 0000000..d2ab7cb --- /dev/null +++ b/uml.if 
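Review bot: `ulogd_etc_t` is declared with `files_type`, not `files_config_file` as `uptimed_etc_t` is in uptime.te in this same series; as I understand the files module, `files_config_file` is what attaches the configfile attribute, so with `files_type` the ulogd configuration is invisible to the generic config-reading interfaces and to tooling that enumerates config types. Change the declaration to `files_config_file(ulogd_etc_t)`. The two `optional_policy` blocks each repeat `allow ulogd_t self:tcp_socket create_stream_socket_perms;` and `sysnet_dns_name_resolve(ulogd_t)`; that duplication is necessary since either module may be absent, but a `# database output plugins (MySQL/PostgreSQL)` comment above them would explain why a netfilter logging daemon opens TCP sockets at all.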
@@ -0,0 +1,99 @@ +## Policy for UML + +######################################## +## +## Role access for uml +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`uml_role',` + gen_require(` + type uml_t, uml_exec_t; + type uml_ro_t, uml_rw_t, uml_tmp_t; + type uml_devpts_t, uml_tmpfs_t; + ') + + role $1 types uml_t; + + # Transition from the user domain to this domain. + domtrans_pattern($2, uml_exec_t, uml_t) + + # for mconsole + allow $2 uml_t:unix_dgram_socket sendto; + allow uml_t $2:unix_dgram_socket sendto; + + # allow ps, ptrace, signal + ps_process_pattern($2, uml_t) + allow $2 uml_t:process { ptrace signal_perms }; + + allow $2 uml_ro_t:dir list_dir_perms; + read_files_pattern($2, uml_ro_t, uml_ro_t) + read_lnk_files_pattern($2, uml_ro_t, uml_ro_t) + + manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + + manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) + manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) + relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) + relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) + + manage_dirs_pattern($2, 
uml_tmp_t, uml_tmp_t) + manage_files_pattern($2, uml_tmp_t, uml_tmp_t) + manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t) + manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t) +') + +######################################## +## +## Set attributes on uml utility socket files. +## +## +## +## Domain allowed access. +## +## +# +interface(`uml_setattr_util_sockets',` + gen_require(` + type uml_switch_var_run_t; + ') + + allow $1 uml_switch_var_run_t:sock_file setattr; +') + +######################################## +## +## Manage uml utility files. +## +## +## +## Domain allowed access. +## +## +# +interface(`uml_manage_util_files',` + gen_require(` + type uml_switch_var_run_t; + ') + + manage_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t) + manage_lnk_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t) +') diff --git a/uml.te b/uml.te new file mode 100644 index 0000000..2df1343 --- /dev/null +++ b/uml.te 
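Review bot: the second group of `manage_dirs_pattern`/`manage_files_pattern`/`relabel_dirs_pattern`/`relabel_files_pattern` over `{ uml_ro_t uml_rw_t uml_exec_t }` fully subsumes the dir and file rules of the group just above it over `{ uml_ro_t uml_rw_t }`, and the `allow $2 uml_ro_t:dir list_dir_perms` / `read_files_pattern` / `read_lnk_files_pattern` lines are likewise implied by the manage rules, so roughly half of the home-content rules in `uml_role` are redundant; collapse them to one set over `{ uml_ro_t uml_rw_t uml_exec_t }` plus the lnk/fifo/sock patterns over `{ uml_ro_t uml_rw_t }`. `uml_devpts_t` and `uml_tmpfs_t` are required but never used in the body. Note too that `relabel_files_pattern` on `uml_exec_t` lets the user domain label any file it owns as the `uml_t` entrypoint; that appears to be the UML design (the user supplies the kernel binary), but it deserves `# users relabel their own UML kernels to uml_exec_t` so nobody reads it as an accident.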
@@ -0,0 +1,191 @@ +policy_module(uml, 2.1.0) + +######################################## +# +# Declarations +# + +type uml_t; +type uml_exec_t; +typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t }; +typealias uml_t alias { auditadm_uml_t secadm_uml_t }; +application_domain(uml_t, uml_exec_t) +ubac_constrained(uml_t) + +type uml_ro_t; +typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t }; +typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t }; +userdom_user_home_content(uml_ro_t) + +type uml_rw_t; +typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t }; +typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t }; +userdom_user_home_content(uml_rw_t) + +type uml_tmp_t; +typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t }; +typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t }; +files_tmp_file(uml_tmp_t) +ubac_constrained(uml_tmp_t) + +type uml_tmpfs_t; +typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t }; +typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t }; +files_tmpfs_file(uml_tmpfs_t) +ubac_constrained(uml_tmpfs_t) + +type uml_devpts_t; +typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t }; +typealias uml_devpts_t alias { auditadm_uml_devpts_t secadm_uml_devpts_t }; +term_pty(uml_devpts_t) +ubac_constrained(uml_devpts_t) + +type uml_switch_t; +type uml_switch_exec_t; +init_daemon_domain(uml_switch_t, uml_switch_exec_t) + +type uml_switch_var_run_t; +files_pid_file(uml_switch_var_run_t) + +######################################## +# +# Local policy +# + +allow uml_t self:fifo_file rw_fifo_file_perms; +allow uml_t self:process { signal_perms ptrace }; +allow uml_t self:unix_stream_socket create_stream_socket_perms; +allow uml_t self:unix_dgram_socket create_socket_perms; +# Use the network. 
+allow uml_t self:tcp_socket create_stream_socket_perms; +allow uml_t self:udp_socket create_socket_perms; +allow uml_t self:tun_socket create; +# for mconsole +allow uml_t self:unix_dgram_socket sendto; + +# allow the UML thing to happen +allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr }; +term_create_pty(uml_t, uml_devpts_t) + +manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t) +manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t) +files_tmp_filetrans(uml_t, uml_tmp_t, { file dir }) +can_exec(uml_t, uml_tmp_t) + +manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) +manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) +manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) +manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) +fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file }) +can_exec(uml_t, uml_tmpfs_t) + +# access config files +allow uml_t { uml_ro_t uml_ro_t }:dir list_dir_perms; +read_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t }) +read_lnk_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t }) + +manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t) +manage_files_pattern(uml_t, uml_rw_t, uml_rw_t) +manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t) +manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t) +manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t) +userdom_user_home_dir_filetrans(uml_t, uml_rw_t, { file lnk_file sock_file fifo_file }) + +can_exec(uml_t, { uml_exec_t uml_exec_t }) + +kernel_read_system_state(uml_t) +# for SKAS - need something better +kernel_write_proc_files(uml_t) + +# for xterm +corecmd_exec_bin(uml_t) + +corenet_all_recvfrom_unlabeled(uml_t) +corenet_all_recvfrom_netlabel(uml_t) +corenet_tcp_sendrecv_generic_if(uml_t) +corenet_udp_sendrecv_generic_if(uml_t) +corenet_tcp_sendrecv_generic_node(uml_t) +corenet_udp_sendrecv_generic_node(uml_t) +corenet_tcp_sendrecv_all_ports(uml_t) +corenet_udp_sendrecv_all_ports(uml_t) +corenet_tcp_connect_all_ports(uml_t) 
+corenet_sendrecv_all_client_packets(uml_t) +corenet_rw_tun_tap_dev(uml_t) + +domain_use_interactive_fds(uml_t) + +# for xterm +files_read_etc_files(uml_t) +files_dontaudit_read_etc_runtime_files(uml_t) +# putting uml data under /var is usual... +files_search_var(uml_t) + +fs_getattr_xattr_fs(uml_t) + +init_read_utmp(uml_t) +init_dontaudit_write_utmp(uml_t) + +# for xterm +libs_exec_lib_files(uml_t) + +# Inherit and use descriptors from newrole. +seutil_use_newrole_fds(uml_t) + +# Use the network. +sysnet_read_config(uml_t) + +userdom_use_user_terminals(uml_t) +userdom_attach_admin_tun_iface(uml_t) + +optional_policy(` + nis_use_ypbind(uml_t) +') + +optional_policy(` + virt_attach_tun_iface(uml_t) +') + +######################################## +# +# Local policy +# + +dontaudit uml_switch_t self:capability sys_tty_config; +allow uml_switch_t self:process signal_perms; +allow uml_switch_t self:unix_dgram_socket create_socket_perms; +allow uml_switch_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t) +manage_sock_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t) +files_pid_filetrans(uml_switch_t, uml_switch_var_run_t, file) + +kernel_read_kernel_sysctls(uml_switch_t) +kernel_list_proc(uml_switch_t) +kernel_read_proc_symlinks(uml_switch_t) + +dev_read_sysfs(uml_switch_t) + +domain_use_interactive_fds(uml_switch_t) + +fs_getattr_all_fs(uml_switch_t) +fs_search_auto_mountpoints(uml_switch_t) + +term_dontaudit_use_console(uml_switch_t) + +init_use_fds(uml_switch_t) +init_use_script_ptys(uml_switch_t) + +logging_send_syslog_msg(uml_switch_t) + +miscfiles_read_localization(uml_switch_t) + +userdom_dontaudit_use_unpriv_user_fds(uml_switch_t) +userdom_dontaudit_search_user_home_dirs(uml_switch_t) + +optional_policy(` + seutil_sigchld_newrole(uml_switch_t) +') + +optional_policy(` + udev_read_db(uml_switch_t) +') 
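Review bot: `kernel_write_proc_files(uml_t)` gives an ubac-constrained user domain write access to generic proc_t files, and its `# for SKAS - need something better` comment already concedes it is a placeholder; since `uml_t` also gets `self:tun_socket create`, `corenet_rw_tun_tap_dev` and `userdom_attach_admin_tun_iface`, this is the widest rule in the domain and should either be narrowed to the specific /proc interface SKAS needs (with a dedicated type) or carry a TODO naming who owns that follow-up. The duplicated type sets `{ uml_ro_t uml_ro_t }` (three times under `# access config files`) and `{ uml_exec_t uml_exec_t }` in `can_exec` look like leftovers from the per-role templating the `typealias` lines replace; write them as plain `uml_ro_t` and `uml_exec_t`. The second `# Local policy` header should read `# uml_switch local policy` so the two sections can be told apart.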
diff --git a/updfstab.fc b/updfstab.fc
new file mode 100644
index 0000000..e534c88
--- /dev/null
+++ b/updfstab.fc
@@ -0,0 +1,3 @@
+
+/usr/sbin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0)
+/usr/sbin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0)
diff --git a/updfstab.if b/updfstab.if
new file mode 100644
index 0000000..4d4b60e
--- /dev/null
+++ b/updfstab.if
@@ -0,0 +1,21 @@
+## Red Hat utility to change /etc/fstab.
+
+########################################
+##
+## Execute updfstab in the updfstab domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`updfstab_domtrans',`
+ gen_require(`
+ type updfstab_t, updfstab_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, updfstab_exec_t, updfstab_t)
+')
diff --git a/updfstab.te b/updfstab.te
new file mode 100644
index 0000000..ef12ed5
--- /dev/null
+++ b/updfstab.te
@@ -0,0 +1,116 @@ +policy_module(updfstab, 1.5.0) + +######################################## +# +# Declarations +# + +type updfstab_t; +type updfstab_exec_t; +init_system_domain(updfstab_t, updfstab_exec_t) + +######################################## +# +# Local policy +# + +allow updfstab_t self:capability dac_override; +dontaudit updfstab_t self:capability { sys_admin sys_tty_config }; +allow updfstab_t self:process signal_perms; +allow updfstab_t self:fifo_file rw_fifo_file_perms; + +kernel_use_fds(updfstab_t) +kernel_read_kernel_sysctls(updfstab_t) +kernel_dontaudit_write_kernel_sysctl(updfstab_t) +# for /proc/partitions +kernel_read_system_state(updfstab_t) +# cjp: why is this required +kernel_change_ring_buffer_level(updfstab_t) + +dev_read_sysfs(updfstab_t) +dev_manage_generic_symlinks(updfstab_t) + +fs_getattr_xattr_fs(updfstab_t) +fs_getattr_tmpfs(updfstab_t) +fs_getattr_tmpfs_dirs(updfstab_t) +fs_search_auto_mountpoints(updfstab_t) + +selinux_get_fs_mount(updfstab_t) +selinux_validate_context(updfstab_t) +selinux_compute_access_vector(updfstab_t) +selinux_compute_create_context(updfstab_t) +selinux_compute_relabel_context(updfstab_t) +selinux_compute_user_contexts(updfstab_t) + +storage_raw_read_fixed_disk(updfstab_t) +storage_raw_write_fixed_disk(updfstab_t) +storage_raw_read_removable_device(updfstab_t) +storage_raw_write_removable_device(updfstab_t) +storage_read_scsi_generic(updfstab_t) +storage_write_scsi_generic(updfstab_t) + +term_dontaudit_use_console(updfstab_t) + +corecmd_exec_bin(updfstab_t) + +domain_use_interactive_fds(updfstab_t) + +files_manage_mnt_files(updfstab_t) +files_manage_mnt_dirs(updfstab_t) +files_manage_mnt_symlinks(updfstab_t) +files_manage_etc_files(updfstab_t) +files_dontaudit_search_home(updfstab_t) +# for /etc/mtab +files_read_etc_runtime_files(updfstab_t) + +init_use_fds(updfstab_t) +init_use_script_ptys(updfstab_t) + +logging_send_syslog_msg(updfstab_t) +logging_search_logs(updfstab_t) + 
+miscfiles_read_localization(updfstab_t) + +seutil_read_config(updfstab_t) +seutil_read_default_contexts(updfstab_t) +seutil_read_file_contexts(updfstab_t) + +userdom_dontaudit_search_user_home_content(updfstab_t) +userdom_dontaudit_use_unpriv_user_fds(updfstab_t) + +optional_policy(` + auth_domtrans_pam_console(updfstab_t) +') + +optional_policy(` + init_dbus_chat_script(updfstab_t) + + dbus_system_bus_client(updfstab_t) +') + +optional_policy(` + fstools_getattr_swap_files(updfstab_t) +') + +optional_policy(` + hal_stream_connect(updfstab_t) + hal_dbus_chat(updfstab_t) +') + +optional_policy(` + modutils_read_module_config(updfstab_t) + modutils_exec_insmod(updfstab_t) + modutils_read_module_deps(updfstab_t) +') + +optional_policy(` + nscd_socket_use(updfstab_t) +') + +optional_policy(` + seutil_sigchld_newrole(updfstab_t) +') + +optional_policy(` + udev_read_db(updfstab_t) +') diff --git a/uptime.fc b/uptime.fc new file mode 100644 index 0000000..e30d6fc --- /dev/null +++ b/uptime.fc @@ -0,0 +1,6 @@ + +/etc/uptimed\.conf -- gen_context(system_u:object_r:uptimed_etc_t,s0) + +/usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0) + +/var/spool/uptimed(/.*)? gen_context(system_u:object_r:uptimed_spool_t,s0) diff --git a/uptime.if b/uptime.if new file mode 100644 index 0000000..447abf7 --- /dev/null +++ b/uptime.if @@ -0,0 +1 @@ +## Uptime daemon diff --git a/uptime.te b/uptime.te new file mode 100644 index 0000000..c2cf97e --- /dev/null +++ b/uptime.te 
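Review bot: `storage_raw_write_fixed_disk`, `storage_raw_write_removable_device` and `storage_write_scsi_generic` give `updfstab_t` raw write access to, as the interface names indicate, every fixed and removable block device and SCSI generic node, far more than a tool whose job (per updfstab.if) is to edit /etc/fstab should need; probing for media is a read operation, so unless a recorded denial shows an actual write, drop the three write rules and keep the read ones. `files_manage_etc_files(updfstab_t)` is unavoidable while /etc/fstab is plain etc_t, but it means this domain can rewrite any etc_t file; a `# /etc/fstab has no dedicated type, so this grants write to all etc_t` comment next to it would make that trade-off explicit. The `# cjp: why is this required` note on `kernel_change_ring_buffer_level` is an open question that should either be answered or turned into a TODO before merge.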
@@ -0,0 +1,73 @@
+policy_module(uptime, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type uptimed_t;
+type uptimed_exec_t;
+init_daemon_domain(uptimed_t, uptimed_exec_t)
+
+type uptimed_etc_t alias etc_uptimed_t;
+files_config_file(uptimed_etc_t)
+
+type uptimed_spool_t;
+files_type(uptimed_spool_t)
+
+type uptimed_var_run_t;
+files_pid_file(uptimed_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit uptimed_t self:capability sys_tty_config;
+allow uptimed_t self:process signal_perms;
+allow uptimed_t self:fifo_file write_file_perms;
+
+allow uptimed_t uptimed_etc_t:file read_file_perms;
+files_search_etc(uptimed_t)
+
+allow uptimed_t uptimed_spool_t:file manage_file_perms;
+
+manage_files_pattern(uptimed_t, uptimed_var_run_t, uptimed_var_run_t)
+files_pid_filetrans(uptimed_t, uptimed_var_run_t, file)
+
+manage_dirs_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t)
+manage_files_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t)
+files_spool_filetrans(uptimed_t, uptimed_spool_t, { dir file })
+
+kernel_read_system_state(uptimed_t)
+kernel_read_kernel_sysctls(uptimed_t)
+
+corecmd_exec_shell(uptimed_t)
+
+dev_read_sysfs(uptimed_t)
+
+domain_use_interactive_fds(uptimed_t)
+
+files_read_etc_runtime_files(uptimed_t)
+
+fs_getattr_all_fs(uptimed_t)
+fs_search_auto_mountpoints(uptimed_t)
+
+logging_send_syslog_msg(uptimed_t)
+
+miscfiles_read_localization(uptimed_t)
+
+userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
+userdom_dontaudit_search_user_home_dirs(uptimed_t)
+
+optional_policy(`
+ mta_send_mail(uptimed_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(uptimed_t)
+')
+
+optional_policy(`
+ udev_read_db(uptimed_t)
+')
diff --git a/usbmodules.fc b/usbmodules.fc
new file mode 100644
index 0000000..a008efb
--- /dev/null
+++ b/usbmodules.fc
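Review bot: `allow uptimed_t uptimed_spool_t:file manage_file_perms;` is fully subsumed by `manage_files_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t)` a few lines below and can be dropped. Separately, `corecmd_exec_shell(uptimed_t)` lets the daemon run a shell with no stated reason; if this is for commands configured in uptimed.conf (inferred from the `/etc/uptimed\.conf` label in uptime.fc, not from this hunk), record that above the line, e.g. `# uptimed runs the commands configured in uptimed.conf`, so the grant can be reviewed against the program rather than guessed at.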
@@ -0,0 +1,9 @@
+#
+# /sbin
+#
+/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/usbmodules.if b/usbmodules.if
new file mode 100644
index 0000000..b7eade3
--- /dev/null
+++ b/usbmodules.if
@@ -0,0 +1,46 @@
+## List kernel modules of USB devices
+
+########################################
+##
+## Execute usbmodules in the usbmodules domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`usbmodules_domtrans',`
+ gen_require(`
+ type usbmodules_t, usbmodules_exec_t;
+ ')
+
+ domtrans_pattern($1, usbmodules_exec_t, usbmodules_t)
+')
+
+########################################
+##
+## Execute usbmodules in the usbmodules domain, and
+## allow the specified role the usbmodules domain,
+## and use the caller's terminal.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`usbmodules_run',`
+ gen_require(`
+ type usbmodules_t;
+ ')
+
+ usbmodules_domtrans($1)
+ role $2 types usbmodules_t;
+')
diff --git a/usbmodules.te b/usbmodules.te
new file mode 100644
index 0000000..74354da
--- /dev/null
+++ b/usbmodules.te
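Review bot: The summary of `usbmodules_run` promises that the interface also lets the domain "use the caller's terminal", but its body only calls `usbmodules_domtrans($1)` and `role $2 types usbmodules_t;`; terminal access actually comes from `userdom_use_user_terminals(usbmodules_t)` in usbmodules.te, not from anything this interface grants. Make the summary match what is granted here, e.g. `## Execute usbmodules in the usbmodules domain, and` / `## allow the specified role the usbmodules domain.`, so callers do not assume the terminal rule depends on calling this interface.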
@@ -0,0 +1,47 @@
+policy_module(usbmodules, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type usbmodules_t;
+type usbmodules_exec_t;
+init_system_domain(usbmodules_t, usbmodules_exec_t)
+role system_r types usbmodules_t;
+
+########################################
+#
+# Local policy
+#
+
+kernel_list_proc(usbmodules_t)
+
+files_list_kernel_modules(usbmodules_t)
+
+dev_list_usbfs(usbmodules_t)
+# allow usb device access
+dev_rw_usbfs(usbmodules_t)
+
+files_list_etc(usbmodules_t)
+# needs etc_t read access for the hotplug config, maybe should have a new type
+files_read_etc_files(usbmodules_t)
+
+term_read_console(usbmodules_t)
+term_write_console(usbmodules_t)
+
+init_use_fds(usbmodules_t)
+
+miscfiles_read_hwdata(usbmodules_t)
+
+modutils_read_module_deps(usbmodules_t)
+
+userdom_use_user_terminals(usbmodules_t)
+
+optional_policy(`
+ hotplug_read_config(usbmodules_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(usbmodules_t)
+')
diff --git a/usbmuxd.fc b/usbmuxd.fc
new file mode 100644
index 0000000..40b8b8d
--- /dev/null
+++ b/usbmuxd.fc
@@ -0,0 +1,3 @@
+/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
diff --git a/usbmuxd.if b/usbmuxd.if
new file mode 100644
index 0000000..53792d3
--- /dev/null
+++ b/usbmuxd.if
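Review bot: In `/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)` the `.` is an unescaped regex metacharacter, so the pattern labels any path that merely begins with /var/run/usbmuxd, not just the daemon's own pid file and socket; compare `/var/run/varnish\.pid` in varnishd.fc in this same commit, which escapes it. If usbmuxd creates both a bare /var/run/usbmuxd socket and usbmuxd.pid (not visible here), the broad form is intentional and a one-line comment saying so would stop the next reader from "fixing" it; if only dotted names are expected, `/var/run/usbmuxd\..* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)` is the tighter match.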
@@ -0,0 +1,39 @@
+## USB multiplexing daemon for communicating with Apple iPod Touch and iPhone
+
+########################################
+##
+## Execute a domain transition to run usbmuxd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`usbmuxd_domtrans',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_exec_t;
+ ')
+
+ domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t)
+')
+
+#####################################
+##
+## Connect to usbmuxd over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`usbmuxd_stream_connect',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
+')
diff --git a/usbmuxd.te b/usbmuxd.te
new file mode 100644
index 0000000..4440aa6
--- /dev/null
+++ b/usbmuxd.te
@@ -0,0 +1,42 @@
+policy_module(usbmuxd, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type usbmuxd_t;
+type usbmuxd_exec_t;
+application_domain(usbmuxd_t, usbmuxd_exec_t)
+role system_r types usbmuxd_t;
+
+type usbmuxd_var_run_t;
+files_pid_file(usbmuxd_var_run_t)
+
+########################################
+#
+# usbmuxd local policy
+#
+
+allow usbmuxd_t self:capability { kill setgid setuid };
+allow usbmuxd_t self:process { fork signal signull };
+allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+
+kernel_read_kernel_sysctls(usbmuxd_t)
+kernel_read_system_state(usbmuxd_t)
+
+dev_read_sysfs(usbmuxd_t)
+dev_rw_generic_usb_dev(usbmuxd_t)
+
+files_read_etc_files(usbmuxd_t)
+
+miscfiles_read_localization(usbmuxd_t)
+
+auth_use_nsswitch(usbmuxd_t)
+
+logging_send_syslog_msg(usbmuxd_t)
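Review bot: `allow usbmuxd_t self:capability { kill setgid setuid };` hands the daemon CAP_KILL with no comment, which lets it signal processes owned by other UIDs; the only visible use that would need it is signalling a previous instance found via the pid file it manages under `usbmuxd_var_run_t` (inferred, please confirm). Add a why-comment so the grant is reviewable, e.g. `# kill: signal a stale usbmuxd instance recorded in the pid file`. Also note the domain is declared with `application_domain` plus `role system_r types usbmuxd_t;` and, unlike uptimed_t or imapd_t in this commit, has no init transition in this hunk; if it is only ever launched by udev that is fine, but a comment at the declaration would record the choice.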
diff --git a/userhelper.fc b/userhelper.fc
new file mode 100644
index 0000000..e70b0e8
--- /dev/null
+++ b/userhelper.fc
@@ -0,0 +1,9 @@
+#
+# /etc
+#
+/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
diff --git a/userhelper.if b/userhelper.if
new file mode 100644
index 0000000..ced285a
--- /dev/null
+++ b/userhelper.if
@@ -0,0 +1,258 @@
+## SELinux utility to run a shell with a new role
+
+#######################################
+##
+## The role template for the userhelper module.
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+##
+## The user role.
+##
+##
+##
+##
+## The user domain associated with the role.
+##
+##
+#
+template(`userhelper_role_template',`
+ gen_require(`
+ attribute userhelper_type;
+ type userhelper_exec_t, userhelper_conf_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_userhelper_t, userhelper_type;
+ application_domain($1_userhelper_t, userhelper_exec_t)
+ domain_role_change_exemption($1_userhelper_t)
+ domain_obj_id_change_exemption($1_userhelper_t)
+ domain_interactive_fd($1_userhelper_t)
+ domain_subj_id_change_exemption($1_userhelper_t)
+ ubac_constrained($1_userhelper_t)
+ role $2 types $1_userhelper_t;
+
+ ########################################
+ #
+ # Local policy
+ #
+ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
+ allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_userhelper_t self:process setexec;
+ allow $1_userhelper_t self:fd use;
+ allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
+ allow $1_userhelper_t self:shm create_shm_perms;
+ allow $1_userhelper_t self:sem create_sem_perms;
+ allow $1_userhelper_t self:msgq create_msgq_perms;
+ allow $1_userhelper_t self:msg { send receive };
+ allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
+ allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_userhelper_t self:unix_dgram_socket sendto;
+ allow $1_userhelper_t self:unix_stream_socket connectto;
+ allow $1_userhelper_t self:sock_file read_sock_file_perms;
+
+ #Transition to the derived domain.
+ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
+
+ allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+ rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
+
+ can_exec($1_userhelper_t, userhelper_exec_t)
+
+ dontaudit $3 $1_userhelper_t:process signal;
+
+ kernel_read_all_sysctls($1_userhelper_t)
+ kernel_getattr_debugfs($1_userhelper_t)
+ kernel_read_system_state($1_userhelper_t)
+
+ # Execute shells
+ corecmd_exec_shell($1_userhelper_t)
+ # By default, revert to the calling domain when a program is executed
+ corecmd_bin_domtrans($1_userhelper_t, $3)
+
+ # Inherit descriptors from the current session.
+ domain_use_interactive_fds($1_userhelper_t)
+ # for when the user types "exec userhelper" at the command line
+ domain_sigchld_interactive_fds($1_userhelper_t)
+
+ dev_read_urand($1_userhelper_t)
+ # Read /dev directories and any symbolic links.
+ dev_list_all_dev_nodes($1_userhelper_t)
+
+ files_list_var_lib($1_userhelper_t)
+ # Read the /etc/security/default_type file
+ files_read_etc_files($1_userhelper_t)
+ # Read /var.
+ files_read_var_files($1_userhelper_t)
+ files_read_var_symlinks($1_userhelper_t)
+ # for some PAM modules and for cwd
+ files_search_home($1_userhelper_t)
+
+ fs_search_auto_mountpoints($1_userhelper_t)
+ fs_read_nfs_files($1_userhelper_t)
+ fs_read_nfs_symlinks($1_userhelper_t)
+
+ # Allow $1_userhelper to obtain contexts to relabel TTYs
+ selinux_get_fs_mount($1_userhelper_t)
+ selinux_validate_context($1_userhelper_t)
+ selinux_compute_access_vector($1_userhelper_t)
+ selinux_compute_create_context($1_userhelper_t)
+ selinux_compute_relabel_context($1_userhelper_t)
+ selinux_compute_user_contexts($1_userhelper_t)
+
+ # Read the devpts root directory.
+ term_list_ptys($1_userhelper_t)
+ # Relabel terminals.
+ term_relabel_all_ttys($1_userhelper_t)
+ term_relabel_all_ptys($1_userhelper_t)
+ # Access terminals.
+ term_use_all_ttys($1_userhelper_t)
+ term_use_all_ptys($1_userhelper_t)
+
+ auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_manage_pam_pid($1_userhelper_t)
+ auth_manage_var_auth($1_userhelper_t)
+ auth_search_pam_console_data($1_userhelper_t)
+
+ # Inherit descriptors from the current session.
+ init_use_fds($1_userhelper_t)
+ # Write to utmp.
+ init_manage_utmp($1_userhelper_t)
+ init_pid_filetrans_utmp($1_userhelper_t)
+
+ miscfiles_read_localization($1_userhelper_t)
+
+ seutil_read_config($1_userhelper_t)
+ seutil_read_default_contexts($1_userhelper_t)
+
+ # Allow $1_userhelper_t to transition to user domains.
+ userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
+ userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
+
+ ifdef(`distro_redhat',`
+ optional_policy(`
+ # Allow transitioning to rpm_t, for up2date
+ rpm_domtrans($1_userhelper_t)
+ ')
+ ')
+
+ optional_policy(`
+ logging_send_syslog_msg($1_userhelper_t)
+ ')
+
+ optional_policy(`
+ nis_use_ypbind($1_userhelper_t)
+ ')
+
+ optional_policy(`
+ nscd_socket_use($1_userhelper_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`! secure_mode',`
+ #if we are not in secure mode then we can transition to sysadm_t
+ sysadm_bin_spec_domtrans($1_userhelper_t)
+ sysadm_entry_spec_domtrans($1_userhelper_t)
+ ')
+ ')
+')
+
+########################################
+##
+## Search the userhelper configuration directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userhelper_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ allow $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to search
+## the userhelper configuration directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`userhelper_dontaudit_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ dontaudit $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Allow domain to use userhelper file descriptor.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userhelper_use_fd',`
+ gen_require(`
+ attribute userhelper_type;
+ ')
+
+ allow $1 userhelper_type:fd use;
+')
+
+########################################
+##
+## Allow domain to send sigchld to userhelper.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userhelper_sigchld',`
+ gen_require(`
+ attribute userhelper_type;
+ ')
+
+ allow $1 userhelper_type:process sigchld;
+')
+
+########################################
+##
+## Execute the userhelper program in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userhelper_exec',`
+ gen_require(`
+ type userhelper_exec_t;
+ ')
+
+ can_exec($1, userhelper_exec_t)
+')
diff --git a/userhelper.te b/userhelper.te
new file mode 100644
index 0000000..13b2cea
--- /dev/null
+++ b/userhelper.te
@@ -0,0 +1,14 @@
+policy_module(userhelper, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute userhelper_type;
+
+type userhelper_conf_t;
+files_type(userhelper_conf_t)
+
+type userhelper_exec_t;
+application_executable_file(userhelper_exec_t)
diff --git a/usernetctl.fc b/usernetctl.fc
new file mode 100644
index 0000000..aa07e1e
--- /dev/null
+++ b/usernetctl.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
diff --git a/usernetctl.if b/usernetctl.if
new file mode 100644
index 0000000..ba9b9d6
--- /dev/null
+++ b/usernetctl.if
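Review bot: In `userhelper_role_template` the rule `allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` lists setexec among the excluded permissions, but the very next line `allow $1_userhelper_t self:process setexec;` grants it back, so the exclusion list misstates what the derived domain can do and a reader auditing the `~{ }` set will be misled. Fold the two into one rule with a why-comment, e.g. `# setexec: userhelper sets the exec context of the shell it spawns` above `allow $1_userhelper_t self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap };`. The `tunable_policy(`! secure_mode', ...)` block is the most privileged path in the template (it opens a transition to sysadm_t for any role that instantiates this template); it is worth a sentence in the template's summary so that callers know the boolean is what closes it.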
@@ -0,0 +1,64 @@
+## User network interface configuration helper
+
+########################################
+##
+## Execute usernetctl in the usernetctl domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`usernetctl_domtrans',`
+ gen_require(`
+ type usernetctl_t, usernetctl_exec_t;
+ ')
+
+ domtrans_pattern($1, usernetctl_exec_t, usernetctl_t)
+')
+
+########################################
+##
+## Execute usernetctl in the usernetctl domain, and
+## allow the specified role the usernetctl domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`usernetctl_run',`
+ gen_require(`
+ type usernetctl_t;
+ ')
+
+ usernetctl_domtrans($1)
+ role $2 types usernetctl_t;
+
+ sysnet_run_ifconfig(usernetctl_t, $2)
+ sysnet_run_dhcpc(usernetctl_t, $2)
+
+ optional_policy(`
+ consoletype_run(usernetctl_t, $2)
+ ')
+
+ optional_policy(`
+ iptables_run(usernetctl_t, $2)
+ ')
+
+ optional_policy(`
+ modutils_run_insmod(usernetctl_t, $2)
+ ')
+
+ optional_policy(`
+ ppp_run(usernetctl_t, $2)
+ ')
+')
diff --git a/usernetctl.te b/usernetctl.te
new file mode 100644
index 0000000..9586818
--- /dev/null
+++ b/usernetctl.te
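Review bot: `usernetctl_run` grants far more than its summary `allow the specified role the usernetctl domain` says: after `role $2 types usernetctl_t;` it also calls `sysnet_run_ifconfig`, `sysnet_run_dhcpc`, `consoletype_run`, `iptables_run`, `modutils_run_insmod` and `ppp_run` with the same `$2`, so any role given this interface is presumably authorized for the ifconfig, dhcpc, iptables, insmod and ppp domains as well (assuming those `_run` interfaces follow the `role $2 types` pattern this one does). A policy author adding this to an unprivileged user role is unlikely to expect kernel-module loading and firewall administration to come with it. Say so in the summary, e.g. `## This also authorizes the role for the ifconfig, dhcpc, iptables,` / `## insmod, ppp and consoletype domains that usernetctl runs.`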
@@ -0,0 +1,69 @@
+policy_module(usernetctl, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type usernetctl_t;
+type usernetctl_exec_t;
+application_domain(usernetctl_t, usernetctl_exec_t)
+domain_interactive_fd(usernetctl_t)
+
+########################################
+#
+# Local policy
+#
+
+allow usernetctl_t self:capability { setuid setgid dac_override };
+allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow usernetctl_t self:fd use;
+allow usernetctl_t self:fifo_file rw_fifo_file_perms;
+allow usernetctl_t self:shm create_shm_perms;
+allow usernetctl_t self:sem create_sem_perms;
+allow usernetctl_t self:msgq create_msgq_perms;
+allow usernetctl_t self:msg { send receive };
+allow usernetctl_t self:unix_dgram_socket create_socket_perms;
+allow usernetctl_t self:unix_stream_socket create_stream_socket_perms;
+allow usernetctl_t self:unix_dgram_socket sendto;
+allow usernetctl_t self:unix_stream_socket connectto;
+
+can_exec(usernetctl_t, usernetctl_exec_t)
+
+kernel_read_system_state(usernetctl_t)
+kernel_read_kernel_sysctls(usernetctl_t)
+
+corecmd_list_bin(usernetctl_t)
+corecmd_exec_bin(usernetctl_t)
+corecmd_exec_shell(usernetctl_t)
+
+domain_dontaudit_read_all_domains_state(usernetctl_t)
+
+files_read_etc_files(usernetctl_t)
+files_exec_etc_files(usernetctl_t)
+files_read_etc_runtime_files(usernetctl_t)
+files_list_pids(usernetctl_t)
+files_list_home(usernetctl_t)
+files_read_usr_files(usernetctl_t)
+
+fs_search_auto_mountpoints(usernetctl_t)
+
+auth_use_nsswitch(usernetctl_t)
+
+logging_send_syslog_msg(usernetctl_t)
+
+miscfiles_read_localization(usernetctl_t)
+
+seutil_read_config(usernetctl_t)
+
+sysnet_read_config(usernetctl_t)
+
+userdom_use_user_terminals(usernetctl_t)
+
+optional_policy(`
+ hostname_exec(usernetctl_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(usernetctl_t)
+')
diff --git a/uucp.fc b/uucp.fc
new file mode 100644
index 0000000..e1c0d8d
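Review bot: usernetctl_t combines `files_exec_etc_files(usernetctl_t)`, `corecmd_exec_shell(usernetctl_t)` and `allow usernetctl_t self:capability { setuid setgid dac_override };` with no comment on which files under /etc it needs to execute; the likely candidates are the ifup/ifdown network scripts, but that is inferred from the program's name, not from this hunk. A why-comment above `files_exec_etc_files(usernetctl_t)` naming the scripts would make the execute-from-/etc grant reviewable, e.g. `# runs the ifup/ifdown scripts under /etc/sysconfig/network-scripts` (confirm the path). The declaration block also has no `role` statement of its own; that is supplied by `usernetctl_run` in usernetctl.if, which is worth a one-line note here for readers who only open the .te file.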
--- /dev/null
+++ b/uucp.fc
@@ -0,0 +1,11 @@
+
+/usr/bin/uux -- gen_context(system_u:object_r:uux_exec_t,s0)
+
+/usr/sbin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0)
+
+/var/spool/uucp(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
+/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
+
+/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0)
+
+/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0)
diff --git a/uucp.if b/uucp.if
new file mode 100644
index 0000000..ebc5414
--- /dev/null
+++ b/uucp.if
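Review bot: uucp.te in this commit declares `uucpd_ro_t` and `uucpd_rw_t` and `uucp_admin` manages them, but this file never assigns either type to a path, so on a default install nothing carries those labels and uucico's read-only/read-write split is inert unless an administrator labels directories by hand. Either add the paths those types are meant for (the uucp configuration and working directories, which are not visible here, are the obvious candidates) or put a comment in this file stating that `uucpd_ro_t`/`uucpd_rw_t` must be assigned manually so the gap is deliberate rather than overlooked.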
@@ -0,0 +1,120 @@
+## Unix to Unix Copy
+
+########################################
+##
+## Execute the uucico program in the
+## uucpd_t domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`uucp_domtrans',`
+ gen_require(`
+ type uucpd_t, uucpd_exec_t;
+ ')
+
+ domtrans_pattern($1, uucpd_exec_t, uucpd_t)
+')
+
+########################################
+##
+## Allow the specified domain to append
+## to uucp log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`uucp_append_log',`
+ gen_require(`
+ type uucpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 uucpd_log_t:dir list_dir_perms;
+ append_files_pattern($1, uucpd_log_t, uucpd_log_t)
+')
+
+########################################
+##
+## Create, read, write, and delete uucp spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`uucp_manage_spool',`
+ gen_require(`
+ type uucpd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, uucpd_spool_t, uucpd_spool_t)
+ manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
+ manage_lnk_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
+')
+
+########################################
+##
+## Execute the master uux program in the
+## uux_t domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`uucp_domtrans_uux',`
+ gen_require(`
+ type uux_t, uux_exec_t;
+ ')
+
+ domtrans_pattern($1, uux_exec_t, uux_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an uucp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`uucp_admin',`
+ gen_require(`
+ type uucpd_t, uucpd_tmp_t, uucpd_log_t;
+ type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t;
+ type uucpd_var_run_t;
+ ')
+
+ allow $1 uucpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, uucpd_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, uucpd_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, uucpd_spool_t)
+
+ admin_pattern($1, uucpd_ro_t)
+
+ admin_pattern($1, uucpd_rw_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, uucpd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, uucpd_var_run_t)
+')
diff --git a/uucp.te b/uucp.te
new file mode 100644
index 0000000..d4349e9
--- /dev/null
+++ b/uucp.te
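Review bot: `uucp_admin` requires and manages uucpd_tmp_t, uucpd_log_t, uucpd_spool_t, uucpd_ro_t, uucpd_rw_t and uucpd_var_run_t but omits `uucpd_lock_t`, which uucp.te declares and uucp.fc applies to /var/lock/uucp; an administrator domain using this interface could not clear a stale lock file left by uucico. Add `uucpd_lock_t` to the `gen_require` list and, mirroring the other pairs in the body, `files_search_locks($1)` followed by `admin_pattern($1, uucpd_lock_t)`.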
@@ -0,0 +1,149 @@
+policy_module(uucp, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+type uucpd_t;
+type uucpd_exec_t;
+inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
+
+type uucpd_lock_t;
+files_lock_file(uucpd_lock_t)
+
+type uucpd_tmp_t;
+files_tmp_file(uucpd_tmp_t)
+
+type uucpd_var_run_t;
+files_pid_file(uucpd_var_run_t)
+
+type uucpd_rw_t;
+files_type(uucpd_rw_t)
+
+type uucpd_ro_t;
+files_type(uucpd_ro_t)
+
+type uucpd_spool_t;
+files_type(uucpd_spool_t)
+
+type uucpd_log_t;
+logging_log_file(uucpd_log_t)
+
+type uux_t;
+type uux_exec_t;
+application_domain(uux_t, uux_exec_t)
+role system_r types uux_t;
+
+########################################
+#
+# UUCPd Local policy
+#
+allow uucpd_t self:capability { setuid setgid };
+allow uucpd_t self:process signal_perms;
+allow uucpd_t self:fifo_file rw_fifo_file_perms;
+allow uucpd_t self:tcp_socket connected_stream_socket_perms;
+allow uucpd_t self:udp_socket create_socket_perms;
+allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+allow uucpd_t uucpd_log_t:dir setattr;
+manage_files_pattern(uucpd_t, uucpd_log_t, uucpd_log_t)
+logging_log_filetrans(uucpd_t, uucpd_log_t, { file dir })
+
+allow uucpd_t uucpd_ro_t:dir list_dir_perms;
+read_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t)
+read_lnk_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t)
+
+manage_dirs_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
+manage_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
+manage_lnk_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
+
+uucp_manage_spool(uucpd_t)
+
+manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+files_search_locks(uucpd_t)
+
+manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
+manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
+files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
+
+manage_files_pattern(uucpd_t, uucpd_var_run_t, uucpd_var_run_t)
+files_pid_filetrans(uucpd_t, uucpd_var_run_t, file)
+
+kernel_read_kernel_sysctls(uucpd_t)
+kernel_read_system_state(uucpd_t)
+kernel_read_network_state(uucpd_t)
+
+corenet_all_recvfrom_unlabeled(uucpd_t)
+corenet_all_recvfrom_netlabel(uucpd_t)
+corenet_tcp_sendrecv_generic_if(uucpd_t)
+corenet_udp_sendrecv_generic_if(uucpd_t)
+corenet_tcp_sendrecv_generic_node(uucpd_t)
+corenet_udp_sendrecv_generic_node(uucpd_t)
+corenet_tcp_sendrecv_all_ports(uucpd_t)
+corenet_udp_sendrecv_all_ports(uucpd_t)
+corenet_tcp_connect_ssh_port(uucpd_t)
+
+dev_read_urand(uucpd_t)
+
+fs_getattr_xattr_fs(uucpd_t)
+
+corecmd_exec_bin(uucpd_t)
+corecmd_exec_shell(uucpd_t)
+
+files_read_etc_files(uucpd_t)
+files_search_home(uucpd_t)
+files_search_spool(uucpd_t)
+
+term_setattr_controlling_term(uucpd_t)
+
+auth_use_nsswitch(uucpd_t)
+
+logging_send_syslog_msg(uucpd_t)
+
+miscfiles_read_localization(uucpd_t)
+
+mta_send_mail(uucpd_t)
+
+optional_policy(`
+ cron_system_entry(uucpd_t, uucpd_exec_t)
+')
+
+optional_policy(`
+ kerberos_use(uucpd_t)
+')
+
+optional_policy(`
+ ssh_exec(uucpd_t)
+')
+
+########################################
+#
+# UUX Local policy
+#
+
+allow uux_t self:capability { setuid setgid };
+allow uux_t self:fifo_file write_fifo_file_perms;
+
+uucp_append_log(uux_t)
+uucp_manage_spool(uux_t)
+
+corecmd_exec_bin(uux_t)
+
+files_read_etc_files(uux_t)
+
+fs_rw_anon_inodefs_files(uux_t)
+
+logging_send_syslog_msg(uux_t)
+
+miscfiles_read_localization(uux_t)
+
+optional_policy(`
+ mta_send_mail(uux_t)
+ mta_read_queue(uux_t)
+ sendmail_dontaudit_rw_unix_stream_sockets(uux_t)
+')
+
+optional_policy(`
+ nscd_socket_use(uux_t)
+')
diff --git a/uwimap.fc b/uwimap.fc
new file mode 100644
index 0000000..43bdef0
--- /dev/null
+++ b/uwimap.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0)
diff --git a/uwimap.if b/uwimap.if
new file mode 100644
index 0000000..8337684
--- /dev/null
+++ b/uwimap.if
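Review bot: The ssh support is `ssh_exec(uucpd_t)` with no domain transition, so when uucico spawns ssh the client runs inside uucpd_t, inherits the daemon's spool, lock, log and `uucpd_rw_t` access, and any identity file it uses must be readable by uucpd_t; that is presumably why `corenet_tcp_connect_ssh_port(uucpd_t)` sits next to `corenet_tcp_sendrecv_all_ports(uucpd_t)`. If running the ssh client in the daemon's domain is intended, say so on the `optional_policy` block, e.g. `# ssh runs in uucpd_t (no transition); key files must be readable by this domain`. Separately, `allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;` is unexplained and is not something a UUCP transport obviously needs; add a why-comment or confirm it against an audit log before merging.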
@@ -0,0 +1,20 @@
+## University of Washington IMAP toolkit POP3 and IMAP mail server
+
+########################################
+##
+## Execute the UW IMAP/POP3 servers with a domain transition.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`uwimap_domtrans',`
+ gen_require(`
+ type imapd_t, imapd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, imapd_exec_t, imapd_t)
+')
diff --git a/uwimap.te b/uwimap.te
new file mode 100644
index 0000000..41fa663
--- /dev/null
+++ b/uwimap.te
@@ -0,0 +1,95 @@
+policy_module(uwimap, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type imapd_t;
+type imapd_exec_t;
+init_daemon_domain(imapd_t, imapd_exec_t)
+inetd_tcp_service_domain(imapd_t, imapd_exec_t)
+
+type imapd_tmp_t;
+files_tmp_file(imapd_tmp_t)
+
+type imapd_var_run_t;
+files_pid_file(imapd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+dontaudit imapd_t self:capability sys_tty_config;
+allow imapd_t self:process signal_perms;
+allow imapd_t self:fifo_file rw_fifo_file_perms;
+allow imapd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
+manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
+files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
+
+manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t)
+files_pid_filetrans(imapd_t, imapd_var_run_t, file)
+
+kernel_read_kernel_sysctls(imapd_t)
+kernel_list_proc(imapd_t)
+kernel_read_proc_symlinks(imapd_t)
+
+corenet_all_recvfrom_unlabeled(imapd_t)
+corenet_all_recvfrom_netlabel(imapd_t)
+corenet_tcp_sendrecv_generic_if(imapd_t)
+corenet_tcp_sendrecv_generic_node(imapd_t)
+corenet_tcp_sendrecv_all_ports(imapd_t)
+corenet_tcp_bind_generic_node(imapd_t)
+corenet_tcp_bind_pop_port(imapd_t)
+corenet_tcp_connect_all_ports(imapd_t)
+corenet_sendrecv_pop_server_packets(imapd_t)
+corenet_sendrecv_all_client_packets(imapd_t)
+
+dev_read_sysfs(imapd_t)
+#urandom, for ssl
+dev_read_rand(imapd_t)
+dev_read_urand(imapd_t)
+
+domain_use_interactive_fds(imapd_t)
+
+#read /etc/ for hostname nsswitch.conf
+files_read_etc_files(imapd_t)
+
+fs_getattr_all_fs(imapd_t)
+fs_search_auto_mountpoints(imapd_t)
+
+auth_domtrans_chk_passwd(imapd_t)
+
+logging_send_syslog_msg(imapd_t)
+
+miscfiles_read_localization(imapd_t)
+
+sysnet_read_config(imapd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(imapd_t)
+# cjp: this is excessive, should be limited to the
+# mail directories
+userdom_manage_user_home_content_dirs(imapd_t)
+userdom_manage_user_home_content_files(imapd_t)
+userdom_manage_user_home_content_symlinks(imapd_t)
+userdom_manage_user_home_content_pipes(imapd_t)
+userdom_manage_user_home_content_sockets(imapd_t)
+userdom_user_home_dir_filetrans_user_home_content(imapd_t, { dir file lnk_file fifo_file sock_file })
+
+mta_rw_spool(imapd_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(imapd_t)
+')
+
+optional_policy(`
+ tcpd_wrapped_domain(imapd_t, imapd_exec_t)
+')
+
+optional_policy(`
+ udev_read_db(imapd_t)
+')
diff --git a/varnishd.fc b/varnishd.fc
new file mode 100644
index 0000000..194d123
--- /dev/null
+++ b/varnishd.fc
@@ -0,0 +1,18 @@
+/etc/rc\.d/init\.d/varnish -- gen_context(system_u:object_r:varnishd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/varnishlog -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/varnishncsa -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
+
+/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0)
+
+/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
+/usr/bin/varnisncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
+
+/usr/sbin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0)
+
+/var/lib/varnish(/.*)? gen_context(system_u:object_r:varnishd_var_lib_t,s0)
+
+/var/log/varnish(/.*)? gen_context(system_u:object_r:varnishlog_log_t,s0)
+
+/var/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0)
+/var/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+/var/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
diff --git a/varnishd.if b/varnishd.if
new file mode 100644
index 0000000..93975d6
--- /dev/null
+++ b/varnishd.if
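Review bot: imapd_t is given `corenet_tcp_connect_all_ports(imapd_t)` and `corenet_sendrecv_all_client_packets(imapd_t)`, so a compromised IMAP/POP worker can open outbound TCP connections to any port on any host, and nothing in the hunk needs that (authentication goes through `auth_domtrans_chk_passwd`, mail delivery through `mta_rw_spool`). Unless a concrete outbound consumer is known, narrow this to the specific port interfaces or leave a comment naming it. The `#urandom, for ssl` comment sits above `dev_read_rand(imapd_t)` as well as `dev_read_urand(imapd_t)`; if only urandom is needed, drop `dev_read_rand`. The `# cjp: this is excessive` note over the `userdom_manage_user_home_content_*` lines should become a tracked follow-up rather than a shrug — that grant lets the mail server rewrite every file in every user's home directory, not just mailboxes.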
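Review bot: `/usr/bin/varnisncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)` misspells the binary; the init-script entry `/etc/rc\.d/init\.d/varnishncsa` and the pid file `/var/run/varnishncsa\.pid` in the same hunk spell it `varnishncsa`. As written the real /usr/bin/varnishncsa keeps the default bin_t label, no transition into varnishlog_t happens, and the logger runs in whatever domain its init script executes from. Change the line to `/usr/bin/varnishncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)`.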
@@ -0,0 +1,216 @@ +## Varnishd http accelerator daemon + +####################################### +## +## Execute varnishd in the varnishd domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`varnishd_domtrans',` + gen_require(` + type varnishd_t, varnishd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, varnishd_exec_t, varnishd_t) +') + +####################################### +## +## Execute varnishd +## +## +## +## Domain allowed access. +## +## +# +interface(`varnishd_exec',` + gen_require(` + type varnishd_exec_t; + ') + + can_exec($1, varnishd_exec_t) +') + +###################################### +## +## Read varnishd configuration file. +## +## +## +## Domain allowed access. +## +## +# +interface(`varnishd_read_config',` + gen_require(` + type varnishd_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, varnishd_etc_t, varnishd_etc_t) +') + +##################################### +## +## Read varnish lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`varnishd_read_lib_files',` + gen_require(` + type varnishd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) +') + +####################################### +## +## Read varnish logs. +## +## +## +## Domain allowed access. +## +## +# +interface(`varnishd_read_log',` + gen_require(` + type varnishlog_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, varnishlog_log_t, varnishlog_log_t) +') + +###################################### +## +## Append varnish logs. +## +## +## +## Domain allowed access. +## +## +# +interface(`varnishd_append_log',` + gen_require(` + type varnishlog_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, varnishlog_log_t, varnishlog_log_t) +') + +##################################### +## +## Manage varnish logs. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`varnishd_manage_log',` + gen_require(` + type varnishlog_log_t; + ') + + logging_search_logs($1) + manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t) +') + +###################################### +## +## All of the rules required to administrate +## an varnishlog environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the varnishlog domain. +## +## +## +# +interface(`varnishd_admin_varnishlog',` + gen_require(` + type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; + type varnishlog_var_run_t; + ') + + allow $1 varnishlog_t:process { ptrace signal_perms }; + ps_process_pattern($1, varnishlog_t) + + init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 varnishlog_initrc_exec_t system_r; + allow $2 system_r; + + files_list_pids($1) + admin_pattern($1, varnishlog_var_run_t) + + logging_list_logs($1) + admin_pattern($1, varnishlog_log_t) +') + +####################################### +## +## All of the rules required to administrate +## an varnishd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the varnishd domain. +## +## +## +# +interface(`varnishd_admin',` + gen_require(` + type varnishd_t, varnishd_var_lib_t, varnishd_etc_t; + type varnishd_var_run_t, varnishd_tmp_t; + type varnishd_initrc_exec_t; + ') + + allow $1 varnishd_t:process { ptrace signal_perms }; + ps_process_pattern($1, varnishd_t) + + init_labeled_script_domtrans($1, varnishd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 varnishd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + admin_pattern($1, varnishd_var_lib_t) + + files_list_etc($1) + admin_pattern($1, varnishd_etc_t) + + files_list_pids($1) + admin_pattern($1, varnishd_var_run_t) + + files_list_tmp($1) + admin_pattern($1, varnishd_tmp_t) +') 
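Review bot: `varnishd_exec` omits the `corecmd_search_bin($1)` that `varnishd_domtrans` directly above it includes, so a caller that is granted only this interface may still be unable to traverse the bin directory to reach varnishd_exec_t; add `corecmd_search_bin($1)` before `can_exec($1, varnishd_exec_t)` for consistency with the domtrans interface. Separately, both `varnishd_admin` and `varnishd_admin_varnishlog` grant `ptrace` on the daemon and `allow $2 system_r;` — that is the usual refpolicy admin idiom, but a one-line comment that ptrace gives the admin full memory access to the running daemon would help whoever maps these interfaces onto roles.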
diff --git a/varnishd.te b/varnishd.te new file mode 100644 index 0000000..f9310f3 --- /dev/null +++ b/varnishd.te @@ -0,0 +1,118 @@ +policy_module(varnishd, 1.2.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow varnishd to connect to all ports, +## not just HTTP. +##

+##
+gen_tunable(varnishd_connect_any, false) + +type varnishd_t; +type varnishd_exec_t; +init_daemon_domain(varnishd_t, varnishd_exec_t) + +type varnishd_initrc_exec_t; +init_script_file(varnishd_initrc_exec_t) + +type varnishd_etc_t; +files_type(varnishd_etc_t) + +type varnishd_tmp_t; +files_tmp_file(varnishd_tmp_t) + +type varnishd_var_lib_t; +files_type(varnishd_var_lib_t) + +type varnishd_var_run_t; +files_pid_file(varnishd_var_run_t) + +type varnishlog_t; +type varnishlog_exec_t; +init_daemon_domain(varnishlog_t, varnishlog_exec_t) + +type varnishlog_initrc_exec_t; +init_script_file(varnishlog_initrc_exec_t) + +type varnishlog_var_run_t; +files_pid_file(varnishlog_var_run_t) + +type varnishlog_log_t; +files_type(varnishlog_log_t) + +######################################## +# +# varnishd local policy +# + +allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; +dontaudit varnishd_t self:capability sys_tty_config; +allow varnishd_t self:process signal; +allow varnishd_t self:fifo_file rw_fifo_file_perms; +allow varnishd_t self:tcp_socket create_stream_socket_perms; +allow varnishd_t self:udp_socket create_socket_perms; + +read_files_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t) +list_dirs_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t) + +manage_dirs_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t) +manage_files_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t) +files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir }) + +exec_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) +manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) +manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) +files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file }) + +manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t) +files_pid_filetrans(varnishd_t, varnishd_var_run_t, file) + +kernel_read_system_state(varnishd_t) + +corecmd_exec_bin(varnishd_t) 
+corecmd_exec_shell(varnishd_t)
+
+corenet_tcp_sendrecv_generic_if(varnishd_t)
+corenet_tcp_bind_generic_node(varnishd_t)
+corenet_tcp_bind_http_port(varnishd_t)
+corenet_tcp_bind_http_cache_port(varnishd_t)
+corenet_tcp_bind_varnishd_port(varnishd_t)
+corenet_tcp_connect_http_cache_port(varnishd_t)
+corenet_tcp_connect_http_port(varnishd_t)
+
+dev_read_urand(varnishd_t)
+
+fs_getattr_all_fs(varnishd_t)
+
+auth_use_nsswitch(varnishd_t)
+
+logging_send_syslog_msg(varnishd_t)
+
+miscfiles_read_localization(varnishd_t)
+
+sysnet_read_config(varnishd_t)
+
+tunable_policy(`varnishd_connect_any',`
+ corenet_tcp_connect_all_ports(varnishd_t)
+ corenet_tcp_bind_all_ports(varnishd_t)
+')
+
+#######################################
+#
+# varnishlog local policy
+#
+
+manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
+files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file)
+
+manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })
+
+files_search_var_lib(varnishlog_t)
+read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)
diff --git a/vbetool.fc b/vbetool.fc
new file mode 100644
index 0000000..d00970f
--- /dev/null
+++ b/vbetool.fc
@@ -0,0 +1 @@
+/usr/sbin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0)
diff --git a/vbetool.if b/vbetool.if
new file mode 100644
index 0000000..f46ab17
--- /dev/null
+++ b/vbetool.if
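Review bot: The `varnishd_connect_any` tunable is described as "Allow varnishd to connect to all ports, not just HTTP", but the `tunable_policy` block also grants `corenet_tcp_bind_all_ports(varnishd_t)`, a listening-side privilege the description never mentions — an administrator who flips it to reach a backend on an unusual port also lets varnishd bind any port. Either drop the bind line or change the description to `## Allow varnishd to connect to and bind to all TCP ports, not just HTTP.` (the tunable's XML markup looks stripped in this rendering, so adjust to the real tags). The unexplained `corecmd_exec_bin`/`corecmd_exec_shell` pair would also benefit from a comment such as `# VCL is compiled with the system C compiler` — presumably the reason, but confirm.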
@@ -0,0 +1,45 @@ +## run real-mode video BIOS code to alter hardware state + +######################################## +## +## Execute vbetool application in the vbetool domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`vbetool_domtrans',` + gen_require(` + type vbetool_t, vbetool_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, vbetool_exec_t, vbetool_t) +') + +######################################## +## +## Execute vbetool in the vbetool domain, and +## allow the specified role the vbetool domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`vbetool_run',` + gen_require(` + type vbetool_t; + ') + + vbetool_domtrans($1) + role $2 types vbetool_t; +') diff --git a/vbetool.te b/vbetool.te new file mode 100644 index 0000000..001c93c --- /dev/null +++ b/vbetool.te @@ -0,0 +1,51 @@ +policy_module(vbetool, 1.6.0) + +######################################## +# +# Declarations +# + +## +##

+## Ignore vbetool mmap_zero errors. +##

+##
+gen_tunable(vbetool_mmap_zero_ignore, false)
+
+type vbetool_t;
+type vbetool_exec_t;
+init_system_domain(vbetool_t, vbetool_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
+allow vbetool_t self:process execmem;
+
+dev_wx_raw_memory(vbetool_t)
+dev_read_raw_memory(vbetool_t)
+dev_rwx_zero(vbetool_t)
+dev_rw_sysfs(vbetool_t)
+dev_rw_xserver_misc(vbetool_t)
+dev_rw_mtrr(vbetool_t)
+
+domain_mmap_low(vbetool_t)
+
+mls_file_read_all_levels(vbetool_t)
+mls_file_write_all_levels(vbetool_t)
+
+term_use_unallocated_ttys(vbetool_t)
+
+miscfiles_read_localization(vbetool_t)
+
+tunable_policy(`vbetool_mmap_zero_ignore',`
+ dontaudit vbetool_t self:memprotect mmap_zero;
+')
+
+optional_policy(`
+ hal_rw_pid_files(vbetool_t)
+ hal_write_log(vbetool_t)
+ hal_dontaudit_append_lib_files(vbetool_t)
+')
diff --git a/vhostmd.fc b/vhostmd.fc
new file mode 100644
index 0000000..c1fb329
--- /dev/null
+++ b/vhostmd.fc
@@ -0,0 +1,5 @@
+/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
+
+/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
+
+/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
diff --git a/vhostmd.if b/vhostmd.if
new file mode 100644
index 0000000..1f872b5
--- /dev/null
+++ b/vhostmd.if
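Review bot: `domain_mmap_low(vbetool_t)` and the `vbetool_mmap_zero_ignore` tunable both concern `self:memprotect mmap_zero`, but nothing states how they relate: if domain_mmap_low already allows that access (as it appears to in refpolicy, possibly behind a global tunable), the `dontaudit` here only matters when that allow is off, and the description "Ignore vbetool mmap_zero errors" does not say so. Add a comment above the tunable_policy block, e.g. `# only has an effect when low-memory mapping is disabled system-wide; vbetool needs the real-mode page regardless`, or drop the tunable if the allow is unconditional. The domain also gets `dev_wx_raw_memory`, `sys_admin` and MLS read/write at all levels — inherent to executing video BIOS code, but one sentence saying this domain is effectively unconfined with respect to physical memory would help anyone deciding which roles may reach `vbetool_run`.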
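Review bot: `/etc/rc.d/init.d/vhostmd` and `/var/run/vhostmd.pid` leave their dots unescaped, unlike every other .fc file in this commit (`/etc/rc\.d/init\.d/...`, `\.pid`); file_contexts paths are regular expressions, so `.` matches any character and the entries are looser than intended. Change them to `/etc/rc\.d/init\.d/vhostmd` and `/var/run/vhostmd\.pid`.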
@@ -0,0 +1,224 @@ +## Virtual host metrics daemon + +######################################## +## +## Execute a domain transition to run vhostmd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`vhostmd_domtrans',` + gen_require(` + type vhostmd_t, vhostmd_exec_t; + ') + + domtrans_pattern($1, vhostmd_exec_t, vhostmd_t) +') + +######################################## +## +## Execute vhostmd server in the vhostmd domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`vhostmd_initrc_domtrans',` + gen_require(` + type vhostmd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, vhostmd_initrc_exec_t) +') + +######################################## +## +## Allow domain to read, vhostmd tmpfs files +## +## +## +## Domain allowed access. +## +## +# +interface(`vhostmd_read_tmpfs_files',` + gen_require(` + type vhostmd_tmpfs_t; + ') + + allow $1 vhostmd_tmpfs_t:file read_file_perms; + files_search_tmp($1) +') + +######################################## +## +## Do not audit attempts to read, +## vhostmd tmpfs files +## +## +## +## Domain to not audit. +## +## +# +interface(`vhostmd_dontaudit_read_tmpfs_files',` + gen_require(` + type vhostmd_tmpfs_t; + ') + + dontaudit $1 vhostmd_tmpfs_t:file read_file_perms; +') + +####################################### +## +## Allow domain to read and write vhostmd tmpfs files +## +## +## +## Domain allowed access. +## +## +# +interface(`vhostmd_rw_tmpfs_files',` + gen_require(` + type vhostmd_tmpfs_t; + ') + + rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) + files_search_tmp($1) +') + +######################################## +## +## Create, read, write, and delete vhostmd tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`vhostmd_manage_tmpfs_files',` + gen_require(` + type vhostmd_tmpfs_t; + ') + + manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) + files_search_tmp($1) +') + +######################################## +## +## Read vhostmd PID files. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`vhostmd_read_pid_files',` + gen_require(` + type vhostmd_var_run_t; + ') + + files_search_pids($1) + allow $1 vhostmd_var_run_t:file read_file_perms; +') + +######################################## +## +## Manage vhostmd var_run files. +## +## +## +## Domain allowed access. +## +## +# +interface(`vhostmd_manage_pid_files',` + gen_require(` + type vhostmd_var_run_t; + ') + + manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) +') + +######################################## +## +## Connect to vhostmd over an unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`vhostmd_stream_connect',` + gen_require(` + type vhostmd_t, vhostmd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t) +') + +####################################### +## +## Dontaudit read and write to vhostmd +## over an unix domain stream socket. +## +## +## +## Domain to not audit. +## +## +# +interface(`vhostmd_dontaudit_rw_stream_connect',` + gen_require(` + type vhostmd_t; + ') + + dontaudit $1 vhostmd_t:unix_stream_socket { read write }; +') + +######################################## +## +## All of the rules required to administrate +## an vhostmd environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`vhostmd_admin',` + gen_require(` + type vhostmd_t, vhostmd_initrc_exec_t; + ') + + allow $1 vhostmd_t:process { ptrace signal_perms getattr }; + ps_process_pattern($1, vhostmd_t) + + vhostmd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 vhostmd_initrc_exec_t system_r; + allow $2 system_r; + + vhostmd_manage_tmpfs_files($1) + + vhostmd_manage_pid_files($1) + +') diff --git a/vhostmd.te b/vhostmd.te new file mode 100644 index 0000000..32a3c13 --- /dev/null +++ b/vhostmd.te 
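Review bot: `vhostmd_read_tmpfs_files`, `vhostmd_rw_tmpfs_files` and `vhostmd_manage_tmpfs_files` pair access to vhostmd_tmpfs_t with `files_search_tmp($1)`, but the .te creates those files through `fs_tmpfs_filetrans`, i.e. on a tmpfs mount rather than under /tmp, so the matching search interface would be `fs_search_tmpfs($1)` (confirm against the mount vhostmd actually writes to). Separately, `vhostmd_manage_pid_files` lacks the `files_search_pids($1)` that `vhostmd_read_pid_files` has, so a caller that cannot already search the pid directory gets no effective access; add `files_search_pids($1)` before the `manage_files_pattern` line.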
@@ -0,0 +1,76 @@ +policy_module(vhostmd, 1.0.0) + +######################################## +# +# Declarations +# + +type vhostmd_t; +type vhostmd_exec_t; +init_daemon_domain(vhostmd_t, vhostmd_exec_t) + +type vhostmd_initrc_exec_t; +init_script_file(vhostmd_initrc_exec_t) + +type vhostmd_tmpfs_t; +files_tmpfs_file(vhostmd_tmpfs_t) + +type vhostmd_var_run_t; +files_pid_file(vhostmd_var_run_t) + +######################################## +# +# vhostmd local policy +# + +allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; +allow vhostmd_t self:process { setsched getsched }; +allow vhostmd_t self:fifo_file rw_file_perms; + +manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) +manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) +fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir }) + +manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) +manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) +files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir }) + +kernel_read_system_state(vhostmd_t) +kernel_read_network_state(vhostmd_t) +kernel_write_xen_state(vhostmd_t) + +corecmd_exec_bin(vhostmd_t) +corecmd_exec_shell(vhostmd_t) + +corenet_tcp_connect_soundd_port(vhostmd_t) + +files_read_etc_files(vhostmd_t) +files_read_usr_files(vhostmd_t) + +dev_read_sysfs(vhostmd_t) + +auth_use_nsswitch(vhostmd_t) + +logging_send_syslog_msg(vhostmd_t) + +miscfiles_read_localization(vhostmd_t) + +optional_policy(` + hostname_exec(vhostmd_t) +') + +optional_policy(` + rpm_exec(vhostmd_t) + rpm_read_db(vhostmd_t) +') + +optional_policy(` + virt_stream_connect(vhostmd_t) +') + +optional_policy(` + xen_domtrans_xm(vhostmd_t) + xen_stream_connect(vhostmd_t) + xen_stream_connect_xenstore(vhostmd_t) + xen_stream_connect_xm(vhostmd_t) +') diff --git a/virt.fc b/virt.fc new file mode 100644 index 0000000..2124b6a --- /dev/null +++ b/virt.fc 
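Review bot: `corenet_tcp_connect_soundd_port(vhostmd_t)` is the only network rule for a metrics daemon and nothing explains why it needs to reach a sound-daemon port; presumably the soundd port label happens to cover the TCP port vhostmd's own metrics interface uses, but that should be written down, e.g. `# soundd_port_t covers the TCP port vhostmd serves metrics on` (confirm). Also `allow vhostmd_t self:fifo_file rw_file_perms;` uses the generic file permission set where the other modules in this commit use `rw_fifo_file_perms`; change it to `allow vhostmd_t self:fifo_file rw_fifo_file_perms;` for consistency.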
@@ -0,0 +1,29 @@
+HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+
+/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+
+/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+
+/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+
+/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --git a/virt.if b/virt.if
new file mode 100644
index 0000000..7c5d8d8
--- /dev/null
+++ b/virt.if
@@ -0,0 +1,518 @@ +## Libvirt virtualization API + +######################################## +## +## Creates types and rules for a basic +## qemu process domain. +## +## +## +## Prefix for the domain. +## +## +# +template(`virt_domain_template',` + gen_require(` + type virtd_t; + attribute virt_image_type; + attribute virt_domain; + ') + + type $1_t, virt_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) + role system_r types $1_t; + + type $1_devpts_t; + term_pty($1_devpts_t) + + type $1_tmp_t; + files_tmp_file($1_tmp_t) + + type $1_tmpfs_t; + files_tmpfs_file($1_tmpfs_t) + + type $1_image_t, virt_image_type; + files_type($1_image_t) + dev_node($1_image_t) + + type $1_var_run_t; + files_pid_file($1_var_run_t) + + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; + term_create_pty($1_t, $1_devpts_t) + + manage_dirs_pattern($1_t, $1_image_t, $1_image_t) + manage_files_pattern($1_t, $1_image_t, $1_image_t) + read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) + rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) + + manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) + + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) + + stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain) + manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t) + manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) + manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) + + manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + 
files_pid_filetrans($1_t, $1_var_run_t, { dir file }) + stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t) + + optional_policy(` + xserver_rw_shm($1_t) + ') +') + +######################################## +## +## Make the specified type usable as a virt image +## +## +## +## Type to be used as a virtual image +## +## +# +interface(`virt_image',` + gen_require(` + attribute virt_image_type; + ') + + typeattribute $1 virt_image_type; + files_type($1) + + # virt images can be assigned to blk devices + dev_node($1) +') + +######################################## +## +## Execute a domain transition to run virt. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`virt_domtrans',` + gen_require(` + type virtd_t, virtd_exec_t; + ') + + domtrans_pattern($1, virtd_exec_t, virtd_t) +') + +####################################### +## +## Connect to virt over an unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_stream_connect',` + gen_require(` + type virtd_t, virt_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) +') + +######################################## +## +## Allow domain to attach to virt TUN devices +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_attach_tun_iface',` + gen_require(` + type virtd_t; + ') + + allow $1 virtd_t:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## +## Read virt config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_read_config',` + gen_require(` + type virt_etc_t; + type virt_etc_rw_t; + ') + + files_search_etc($1) + read_files_pattern($1, virt_etc_t, virt_etc_t) + read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## +## manage virt config files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`virt_manage_config',` + gen_require(` + type virt_etc_t; + type virt_etc_rw_t; + ') + + files_search_etc($1) + manage_files_pattern($1, virt_etc_t, virt_etc_t) + manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## +## Allow domain to manage virt image files +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_read_content',` + gen_require(` + type virt_content_t; + ') + + virt_search_lib($1) + allow $1 virt_content_t:dir list_dir_perms; + list_dirs_pattern($1, virt_content_t, virt_content_t) + read_files_pattern($1, virt_content_t, virt_content_t) + read_lnk_files_pattern($1, virt_content_t, virt_content_t) + read_blk_files_pattern($1, virt_content_t, virt_content_t) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## +## Read virt PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_read_pid_files',` + gen_require(` + type virt_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, virt_var_run_t, virt_var_run_t) +') + +######################################## +## +## Manage virt pid files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_manage_pid_files',` + gen_require(` + type virt_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, virt_var_run_t, virt_var_run_t) +') + +######################################## +## +## Search virt lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_search_lib',` + gen_require(` + type virt_var_lib_t; + ') + + allow $1 virt_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read virt lib files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`virt_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## +## Create, read, write, and delete +## virt lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_manage_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## +## Allow the specified domain to read virt's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`virt_read_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## +## Allow the specified domain to append +## virt log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_append_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## +## Allow domain to manage virt log files +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_manage_log',` + gen_require(` + type virt_log_t; + ') + + manage_dirs_pattern($1, virt_log_t, virt_log_t) + manage_files_pattern($1, virt_log_t, virt_log_t) + manage_lnk_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## +## Allow domain to read virt image files +## +## +## +## Domain allowed access. 
+## +## +# +interface(`virt_read_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + list_dirs_pattern($1, virt_image_type, virt_image_type) + read_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## +## Create, read, write, and delete +## svirt cache files. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_manage_svirt_cache',` + gen_require(` + type svirt_cache_t; + ') + + files_search_var($1) + manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t) + manage_files_pattern($1, svirt_cache_t, svirt_cache_t) + manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t) +') + +######################################## +## +## Allow domain to manage virt image files +## +## +## +## Domain allowed access. 
+## +## +# +interface(`virt_manage_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + manage_dirs_pattern($1, virt_image_type, virt_image_type) + manage_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + rw_blk_files_pattern($1, virt_image_type, virt_image_type) + + tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_manage_cifs_files($1) + fs_manage_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## +## All of the rules required to administrate +## an virt environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`virt_admin',` + gen_require(` + type virtd_t, virtd_initrc_exec_t; + ') + + allow $1 virtd_t:process { ptrace signal_perms }; + ps_process_pattern($1, virtd_t) + + init_labeled_script_domtrans($1, virtd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 virtd_initrc_exec_t system_r; + allow $2 system_r; + + virt_manage_pid_files($1) + + virt_manage_lib_files($1) + + virt_manage_log($1) +') diff --git a/virt.te b/virt.te new file mode 100644 index 0000000..3eca020 --- /dev/null +++ b/virt.te @@ -0,0 +1,464 @@ +policy_module(virt, 1.4.0) + +######################################## +# +# Declarations +# + +## +##
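Review bot: In `virt_manage_images` the `virt_use_samba` branch calls `fs_manage_cifs_files($1)` twice and never calls `fs_manage_cifs_dirs($1)`, so unlike the `virt_use_nfs` branch directly above it (manage dirs + manage files) a caller cannot create or remove image directories on CIFS; replace the duplicate line with `fs_manage_cifs_dirs($1)`. The header comment on `virt_read_content` also says "Allow domain to manage virt image files" although the interface grants only list/read access to virt_content_t; it should read `## Read virt content files (ISOs, boot images).` so that callers do not assume write access.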

+## Allow virt to use serial/parallell communication ports +##

+##
+gen_tunable(virt_use_comm, false) + +## +##

+## Allow virt to read fuse files +##

+##
+gen_tunable(virt_use_fusefs, false) + +## +##

+## Allow virt to manage nfs files +##

+##
+gen_tunable(virt_use_nfs, false) + +## +##

+## Allow virt to manage cifs files +##

+##
+gen_tunable(virt_use_samba, false) + +## +##

+## Allow virt to manage device configuration, (pci) +##

+##
+gen_tunable(virt_use_sysfs, false) + +## +##

+## Allow virt to use usb devices +##

+##
+gen_tunable(virt_use_usb, true) + +virt_domain_template(svirt) +role system_r types svirt_t; + +type svirt_cache_t; +files_type(svirt_cache_t) + +attribute virt_domain; +attribute virt_image_type; + +type virt_etc_t; +files_config_file(virt_etc_t) + +type virt_etc_rw_t; +files_type(virt_etc_rw_t) + +# virt Image files +type virt_image_t; # customizable +virt_image(virt_image_t) + +# virt Image files +type virt_content_t; # customizable +virt_image(virt_content_t) +userdom_user_home_content(virt_content_t) + +type virt_log_t; +logging_log_file(virt_log_t) + +type virt_var_run_t; +files_pid_file(virt_var_run_t) + +type virt_var_lib_t; +files_type(virt_var_lib_t) + +type virtd_t; +type virtd_exec_t; +init_daemon_domain(virtd_t, virtd_exec_t) +domain_obj_id_change_exemption(virtd_t) +domain_subj_id_change_exemption(virtd_t) + +type virtd_initrc_exec_t; +init_script_file(virtd_initrc_exec_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) +') + +######################################## +# +# svirt local policy +# + +allow svirt_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) + +read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) + +allow svirt_t svirt_image_t:dir search_dir_perms; +manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) +manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) +fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) + +list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_t, virt_content_t, virt_content_t) +dontaudit svirt_t virt_content_t:file write_file_perms; +dontaudit svirt_t virt_content_t:dir write; + +corenet_udp_sendrecv_generic_if(svirt_t) 
+corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t) +corenet_udp_bind_generic_node(svirt_t) +corenet_udp_bind_all_ports(svirt_t) +corenet_tcp_bind_all_ports(svirt_t) +corenet_tcp_connect_all_ports(svirt_t) + +dev_list_sysfs(svirt_t) + +userdom_search_user_home_content(svirt_t) +userdom_read_user_home_content_symlinks(svirt_t) +userdom_read_all_users_state(svirt_t) + +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(svirt_t) + dev_rw_printer(svirt_t) +') + +tunable_policy(`virt_use_fusefs',` + fs_read_fusefs_files(svirt_t) + fs_read_fusefs_symlinks(svirt_t) +') + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_t) + fs_manage_nfs_files(svirt_t) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(svirt_t) + fs_manage_cifs_files(svirt_t) +') + +tunable_policy(`virt_use_sysfs',` + dev_rw_sysfs(svirt_t) +') + +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(svirt_t) + fs_manage_dos_dirs(svirt_t) + fs_manage_dos_files(svirt_t) +') + +optional_policy(` + xen_rw_image_files(svirt_t) +') + +######################################## +# +# virtd local policy +# + +allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched }; + +allow virtd_t self:fifo_file rw_fifo_file_perms; +allow virtd_t self:unix_stream_socket create_stream_socket_perms; +allow virtd_t self:tcp_socket create_stream_socket_perms; +allow virtd_t self:tun_socket create_socket_perms; +allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; + +manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t) +manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t) + +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) +manage_files_pattern(virtd_t, virt_content_t, virt_content_t) + +allow virtd_t virt_domain:process { getattr 
getsched setsched transition signal signull sigkill };
+
+read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+
+manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+
+manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+allow virtd_t virt_image_type:file { relabelfrom relabelto };
+allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+
+manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
+manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
+logging_log_filetrans(virtd_t, virt_log_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+
+kernel_read_system_state(virtd_t)
+kernel_read_network_state(virtd_t)
+kernel_rw_net_sysctls(virtd_t)
+kernel_request_load_module(virtd_t)
+kernel_search_debugfs(virtd_t)
+
+corecmd_exec_bin(virtd_t)
+corecmd_exec_shell(virtd_t)
+
+corenet_all_recvfrom_unlabeled(virtd_t)
+corenet_all_recvfrom_netlabel(virtd_t)
+corenet_tcp_sendrecv_generic_if(virtd_t)
+corenet_tcp_sendrecv_generic_node(virtd_t)
+corenet_tcp_sendrecv_all_ports(virtd_t)
+corenet_tcp_bind_generic_node(virtd_t)
+corenet_tcp_bind_virt_port(virtd_t)
+corenet_tcp_bind_vnc_port(virtd_t)
+corenet_tcp_connect_vnc_port(virtd_t)
+corenet_tcp_connect_soundd_port(virtd_t)
+corenet_rw_tun_tap_dev(virtd_t)
+
+dev_rw_sysfs(virtd_t)
+dev_read_rand(virtd_t)
+dev_rw_kvm(virtd_t)
+dev_getattr_all_chr_files(virtd_t)
+dev_rw_mtrr(virtd_t)
+
+# Init script handling
+domain_use_interactive_fds(virtd_t)
+domain_read_all_domains_state(virtd_t)
+
+files_read_usr_files(virtd_t)
+files_read_etc_files(virtd_t)
+files_read_etc_runtime_files(virtd_t)
+files_search_all(virtd_t)
+files_read_kernel_modules(virtd_t)
+files_read_usr_src_files(virtd_t)
+files_manage_etc_files(virtd_t)
+
+fs_list_auto_mountpoints(virtd_t)
+fs_getattr_xattr_fs(virtd_t)
+fs_rw_anon_inodefs_files(virtd_t)
+fs_list_inotifyfs(virtd_t)
+fs_manage_cgroup_dirs(virtd_t)
+fs_rw_cgroup_files(virtd_t)
+
+mcs_process_set_categories(virtd_t)
+
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
+storage_raw_write_removable_device(virtd_t)
+storage_raw_read_removable_device(virtd_t)
+
+term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
+term_use_ptmx(virtd_t)
+
+auth_use_nsswitch(virtd_t)
+
+miscfiles_read_localization(virtd_t)
+miscfiles_read_generic_certs(virtd_t)
+miscfiles_read_hwdata(virtd_t)
+
+modutils_read_module_deps(virtd_t)
+modutils_read_module_config(virtd_t)
+modutils_manage_module_config(virtd_t)
+
+logging_send_syslog_msg(virtd_t)
+
+seutil_read_default_contexts(virtd_t)
+
+sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
+
+userdom_getattr_all_users(virtd_t)
+userdom_list_user_home_content(virtd_t)
+userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virtd_t)
+ fs_manage_nfs_files(virtd_t)
+ fs_read_nfs_symlinks(virtd_t)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_nfs_files(virtd_t)
+ fs_manage_cifs_files(virtd_t)
+ fs_read_cifs_symlinks(virtd_t)
+')
+
+optional_policy(`
+ brctl_domtrans(virtd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(virtd_t)
+
+ optional_policy(`
+ avahi_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+
consolekit_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(virtd_t)
+ ')
+')
+
+optional_policy(`
+ dnsmasq_domtrans(virtd_t)
+ dnsmasq_signal(virtd_t)
+ dnsmasq_kill(virtd_t)
+ dnsmasq_read_pid_files(virtd_t)
+ dnsmasq_signull(virtd_t)
+')
+
+optional_policy(`
+ iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
+
+ # Manages /etc/sysconfig/system-config-firewall
+ iptables_manage_config(virtd_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(virtd, virtd_t)
+')
+
+optional_policy(`
+ lvm_domtrans(virtd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(virtd_t)
+ policykit_domtrans_auth(virtd_t)
+ policykit_domtrans_resolve(virtd_t)
+ policykit_read_lib(virtd_t)
+')
+
+optional_policy(`
+ qemu_domtrans(virtd_t)
+ qemu_read_state(virtd_t)
+ qemu_signal(virtd_t)
+ qemu_kill(virtd_t)
+ qemu_setsched(virtd_t)
+')
+
+optional_policy(`
+ sasl_connect(virtd_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(virtd_t)
+ kernel_write_xen_state(virtd_t)
+
+ xen_stream_connect(virtd_t)
+ xen_stream_connect_xenstore(virtd_t)
+ xen_read_image_files(virtd_t)
+')
+
+optional_policy(`
+ udev_domtrans(virtd_t)
+ udev_read_db(virtd_t)
+')
+
+optional_policy(`
+ unconfined_domain(virtd_t)
+')
+
+########################################
+#
+# virtual domains common policy
+#
+
+allow virt_domain self:capability { dac_read_search dac_override kill };
+allow virt_domain self:process { execmem execstack signal getsched signull };
+allow virt_domain self:fifo_file rw_file_perms;
+allow virt_domain self:shm create_shm_perms;
+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+kernel_read_system_state(virt_domain)
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
+corenet_all_recvfrom_unlabeled(virt_domain)
+corenet_all_recvfrom_netlabel(virt_domain)
+corenet_tcp_sendrecv_generic_if(virt_domain)
+corenet_tcp_sendrecv_generic_node(virt_domain)
+corenet_tcp_sendrecv_all_ports(virt_domain)
+corenet_tcp_bind_generic_node(virt_domain)
+corenet_tcp_bind_vnc_port(virt_domain)
+corenet_rw_tun_tap_dev(virt_domain)
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+
+dev_read_rand(virt_domain)
+dev_read_sound(virt_domain)
+dev_read_urand(virt_domain)
+dev_write_sound(virt_domain)
+dev_rw_ksm(virt_domain)
+dev_rw_kvm(virt_domain)
+dev_rw_qemu(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
+
+files_read_etc_files(virt_domain)
+files_read_usr_files(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
+
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
+fs_rw_tmpfs_files(virt_domain)
+
+term_use_all_terms(virt_domain)
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
+term_use_ptmx(virt_domain)
+
+auth_use_nsswitch(virt_domain)
+
+logging_send_syslog_msg(virt_domain)
+
+miscfiles_read_localization(virt_domain)
+
+optional_policy(`
+ ptchown_domtrans(virt_domain)
+')
+
+optional_policy(`
+ virt_read_config(virt_domain)
+ virt_read_lib_files(virt_domain)
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
+')
diff --git a/vlock.fc b/vlock.fc
new file mode 100644
index 0000000..621d5fd
--- /dev/null
+++ b/vlock.fc
@@ -0,0 +1 @@
+/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
diff --git a/vlock.if b/vlock.if
new file mode 100644
index 0000000..c5eeea0
--- /dev/null
+++ b/vlock.if
@@ -0,0 +1,46 @@
+## Lock one or more sessions on the Linux console.
+
+#######################################
+##
+## Execute vlock in the vlock domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`vlock_domtrans',`
+ gen_require(`
+ type vlock_t, vlock_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vlock_exec_t, vlock_t)
+')
+
+########################################
+##
+## Execute vlock in the vlock domain, and
+## allow the specified role the vlock domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed to access.
+##
+##
+##
+#
+interface(`vlock_run',`
+ gen_require(`
+ type vlock_t;
+ ')
+
+ vlock_domtrans($1)
+ role $2 types vlock_t;
+')
diff --git a/vlock.te b/vlock.te
new file mode 100644
index 0000000..2511093
--- /dev/null
+++ b/vlock.te
@@ -0,0 +1,53 @@
+policy_module(vlock, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type vlock_t;
+type vlock_exec_t;
+application_domain(vlock_t, vlock_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# --enable-pam is recommended when configuring vlock, making it
+# unnecessary to be a setuid program.
+dontaudit vlock_t self:capability { setuid setgid };
+allow vlock_t self:fd use;
+allow vlock_t self:fifo_file rw_fifo_file_perms;
+allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow vlock_t self:unix_dgram_socket { create connect };
+
+kernel_read_system_state(vlock_t)
+
+corecmd_list_bin(vlock_t)
+corecmd_read_bin_symlinks(vlock_t)
+
+# Must call this interface otherwise PAM session will fail
+# with message of "terminal=? res=failed"
+domain_use_interactive_fds(vlock_t)
+
+files_dontaudit_search_home(vlock_t)
+files_read_etc_files(vlock_t)
+
+# pam_tally2 module could be used by vlock for authentication,
+# /var/log/tallylog's SL is usually s0, while the caller's SL could
+# be higher than s0.
+mls_file_write_all_levels(vlock_t)
+
+selinux_dontaudit_getattr_fs(vlock_t)
+
+auth_domtrans_chk_passwd(vlock_t)
+
+init_dontaudit_rw_utmp(vlock_t)
+
+logging_send_syslog_msg(vlock_t)
+
+miscfiles_read_localization(vlock_t)
+
+userdom_dontaudit_search_user_home_dirs(vlock_t)
+userdom_use_user_terminals(vlock_t)
diff --git a/vmware.fc b/vmware.fc
new file mode 100644
index 0000000..f647c7e
--- /dev/null
+++ b/vmware.fc
@@ -0,0 +1,71 @@
+#
+# HOME_DIR/
+#
+HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_conf_t,s0)
+HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
+
+#
+# /etc
+#
+/etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+
+#
+# /usr
+#
+/usr/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+')
+
+/usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+
+/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+')
+
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+
+/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
+/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0)
+/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --git a/vmware.if b/vmware.if
new file mode 100644
index 0000000..853f575
--- /dev/null
+++ b/vmware.if
@@ -0,0 +1,104 @@
+## VMWare Workstation virtual machines
+
+########################################
+##
+## Role access for vmware
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`vmware_role',`
+ gen_require(`
+ type vmware_t, vmware_exec_t;
+ ')
+
+ role $1 types vmware_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, vmware_exec_t, vmware_t)
+
+ # allow ps to show vmware and allow the user to kill it
+ ps_process_pattern($2, vmware_t)
+ allow $2 vmware_t:process signal;
+')
+
+########################################
+##
+## Execute vmware host executables
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vmware_exec_host',`
+ gen_require(`
+ type vmware_host_exec_t;
+ ')
+
+ can_exec($1, vmware_host_exec_t)
+')
+
+########################################
+##
+## Read VMWare system configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vmware_read_system_config',`
+ gen_require(`
+ type vmware_sys_conf_t;
+ ')
+
+ allow $1 vmware_sys_conf_t:file { getattr read };
+')
+
+########################################
+##
+## Append to VMWare system configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vmware_append_system_config',`
+ gen_require(`
+ type vmware_sys_conf_t;
+ ')
+
+ allow $1 vmware_sys_conf_t:file append;
+')
+
+########################################
+##
+## Append to VMWare log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vmware_append_log',`
+ gen_require(`
+ type vmware_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, vmware_log_t, vmware_log_t)
+')
diff --git a/vmware.te b/vmware.te
new file mode 100644
index 0000000..722e59f
--- /dev/null
+++ b/vmware.te
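Review bot: `vmware_read_system_config` grants `{ getattr read }` on `vmware_sys_conf_t:file` with a raw allow, which leaves out `open` (and any search on the /etc/vmware* or /usr/lib/vmware directories that vmware.fc labels), so a caller that opens the file by path rather than inheriting a descriptor is still denied; the bare `append` in `vmware_append_system_config` has the same gap. The rest of this file already uses the pattern macros (`vmware_append_log` calls `append_files_pattern`), so these two should follow suit: `read_files_pattern($1, vmware_sys_conf_t, vmware_sys_conf_t)` and `append_files_pattern($1, vmware_sys_conf_t, vmware_sys_conf_t)`. In `vmware_role`, the comment `# allow ps to show vmware and allow the user to kill it` overstates the rule beneath it, which grants only `signal` and not `sigkill`; reword it to `# allow ps to show vmware and allow the user to signal it`, or add `sigkill` if killing is really intended.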
@@ -0,0 +1,286 @@
+policy_module(vmware, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+# VMWare user program
+type vmware_t;
+type vmware_exec_t;
+typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
+typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
+application_domain(vmware_t, vmware_exec_t)
+ubac_constrained(vmware_t)
+
+type vmware_conf_t;
+typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
+typealias vmware_conf_t alias { auditadm_vmware_conf_t secadm_vmware_conf_t };
+userdom_user_home_content(vmware_conf_t)
+
+type vmware_file_t;
+typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vmware_file_t };
+typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t };
+userdom_user_home_content(vmware_file_t)
+
+# VMWare host programs
+type vmware_host_t;
+type vmware_host_exec_t;
+init_daemon_domain(vmware_host_t, vmware_host_exec_t)
+
+type vmware_host_pid_t alias vmware_var_run_t;
+files_pid_file(vmware_host_pid_t)
+
+type vmware_host_tmp_t;
+files_tmp_file(vmware_host_tmp_t)
+ubac_constrained(vmware_host_tmp_t)
+
+type vmware_log_t;
+typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
+typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
+logging_log_file(vmware_log_t)
+ubac_constrained(vmware_log_t)
+
+type vmware_pid_t;
+typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t };
+typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t };
+files_pid_file(vmware_pid_t)
+ubac_constrained(vmware_pid_t)
+
+# Systemwide configuration files
+type vmware_sys_conf_t;
+files_type(vmware_sys_conf_t)
+
+type vmware_tmp_t;
+typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
+typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
+files_tmp_file(vmware_tmp_t)
+ubac_constrained(vmware_tmp_t)
+
+type vmware_tmpfs_t;
+typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
+typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t };
+files_tmpfs_file(vmware_tmpfs_t)
+ubac_constrained(vmware_tmpfs_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# VMWare host local policy
+#
+
+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
+dontaudit vmware_host_t self:capability sys_tty_config;
+allow vmware_host_t self:process { execstack execmem signal_perms };
+allow vmware_host_t self:fifo_file rw_fifo_file_perms;
+allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
+allow vmware_host_t self:rawip_socket create_socket_perms;
+allow vmware_host_t self:tcp_socket create_socket_perms;
+
+can_exec(vmware_host_t, vmware_host_exec_t)
+
+# cjp: the ro and rw files should be split up
+manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
+
+manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
+manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
+files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
+
+manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+
+kernel_read_kernel_sysctls(vmware_host_t)
+kernel_read_system_state(vmware_host_t)
+kernel_read_network_state(vmware_host_t)
+
+corenet_all_recvfrom_unlabeled(vmware_host_t)
+corenet_all_recvfrom_netlabel(vmware_host_t)
+corenet_tcp_sendrecv_generic_if(vmware_host_t)
+corenet_udp_sendrecv_generic_if(vmware_host_t)
+corenet_raw_sendrecv_generic_if(vmware_host_t)
+corenet_tcp_sendrecv_generic_node(vmware_host_t)
+corenet_udp_sendrecv_generic_node(vmware_host_t)
+corenet_raw_sendrecv_generic_node(vmware_host_t)
+corenet_tcp_sendrecv_all_ports(vmware_host_t)
+corenet_udp_sendrecv_all_ports(vmware_host_t)
+corenet_raw_bind_generic_node(vmware_host_t)
+corenet_tcp_bind_generic_node(vmware_host_t)
+corenet_udp_bind_generic_node(vmware_host_t)
+corenet_tcp_connect_all_ports(vmware_host_t)
+corenet_sendrecv_all_client_packets(vmware_host_t)
+corenet_sendrecv_all_server_packets(vmware_host_t)
+
+corecmd_exec_bin(vmware_host_t)
+corecmd_exec_shell(vmware_host_t)
+
+dev_getattr_all_blk_files(vmware_host_t)
+dev_read_sysfs(vmware_host_t)
+dev_read_urand(vmware_host_t)
+dev_rw_vmware(vmware_host_t)
+
+domain_use_interactive_fds(vmware_host_t)
+domain_dontaudit_read_all_domains_state(vmware_host_t)
+
+files_list_tmp(vmware_host_t)
+files_read_etc_files(vmware_host_t)
+files_read_etc_runtime_files(vmware_host_t)
+files_read_usr_files(vmware_host_t)
+
+fs_getattr_all_fs(vmware_host_t)
+fs_search_auto_mountpoints(vmware_host_t)
+
+storage_getattr_fixed_disk_dev(vmware_host_t)
+
+term_dontaudit_use_console(vmware_host_t)
+
+init_use_fds(vmware_host_t)
+init_use_script_ptys(vmware_host_t)
+
+libs_exec_ld_so(vmware_host_t)
+
+logging_send_syslog_msg(vmware_host_t)
+
+miscfiles_read_localization(vmware_host_t)
+
+sysnet_dns_name_resolve(vmware_host_t)
+sysnet_domtrans_ifconfig(vmware_host_t)
+
+userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
+userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+
+netutils_domtrans_ping(vmware_host_t)
+
+optional_policy(`
+ hostname_exec(vmware_host_t)
+')
+
+optional_policy(`
+
modutils_domtrans_insmod(vmware_host_t)
+')
+
+optional_policy(`
+ samba_read_config(vmware_host_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(vmware_host_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(vmware_host_t)
+')
+
+optional_policy(`
+ udev_read_db(vmware_host_t)
+')
+
+optional_policy(`
+ xserver_read_tmp_files(vmware_host_t)
+ xserver_read_xdm_pid(vmware_host_t)
+')
+
+##############################
+#
+# VMWare guest local policy
+#
+
+allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+dontaudit vmware_t self:capability sys_tty_config;
+allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow vmware_t self:process { execmem execstack };
+allow vmware_t self:fd use;
+allow vmware_t self:fifo_file rw_fifo_file_perms;
+allow vmware_t self:unix_dgram_socket { create_socket_perms sendto };
+allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow vmware_t self:shm create_shm_perms;
+allow vmware_t self:sem create_sem_perms;
+allow vmware_t self:msgq create_msgq_perms;
+allow vmware_t self:msg { send receive };
+
+can_exec(vmware_t, vmware_exec_t)
+
+# User configuration files
+allow vmware_t vmware_conf_t:file manage_file_perms;
+
+# VMWare disks
+manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+
+allow vmware_t vmware_tmp_t:file execute;
+manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir })
+
+manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_sock_files_pattern(vmware_t,
vmware_tmpfs_t, vmware_tmpfs_t)
+fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+# Read clobal configuration files
+allow vmware_t vmware_sys_conf_t:dir list_dir_perms;
+read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file })
+
+kernel_read_system_state(vmware_t)
+kernel_read_network_state(vmware_t)
+kernel_read_kernel_sysctls(vmware_t)
+
+# startup scripts
+corecmd_exec_bin(vmware_t)
+corecmd_exec_shell(vmware_t)
+
+dev_read_raw_memory(vmware_t)
+dev_write_raw_memory(vmware_t)
+dev_read_mouse(vmware_t)
+dev_write_sound(vmware_t)
+dev_read_realtime_clock(vmware_t)
+dev_rwx_vmware(vmware_t)
+dev_rw_usbfs(vmware_t)
+dev_search_sysfs(vmware_t)
+
+domain_use_interactive_fds(vmware_t)
+
+files_read_etc_files(vmware_t)
+files_read_etc_runtime_files(vmware_t)
+files_read_usr_files(vmware_t)
+files_list_home(vmware_t)
+
+fs_getattr_all_fs(vmware_t)
+fs_search_auto_mountpoints(vmware_t)
+
+storage_raw_read_removable_device(vmware_t)
+storage_raw_write_removable_device(vmware_t)
+
+# startup scripts run ldd
+libs_exec_ld_so(vmware_t)
+# Access X11 config files
+libs_read_lib_files(vmware_t)
+
+miscfiles_read_localization(vmware_t)
+
+userdom_use_user_terminals(vmware_t)
+userdom_list_user_home_dirs(vmware_t)
+# cjp: why?
+userdom_read_user_home_content_files(vmware_t)
+
+sysnet_dns_name_resolve(vmware_t)
+sysnet_read_config(vmware_t)
+
+xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
diff --git a/vnstatd.fc b/vnstatd.fc
new file mode 100644
index 0000000..11533cc
--- /dev/null
+++ b/vnstatd.fc
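Review bot: In the guest local policy, `allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` is immediately followed by `allow vmware_t self:process { execmem execstack };`, so the two rules cancel out on execmem/execstack and the net grant is "everything except the remaining six", which a reader has to work out by hand; collapse them into a single rule, preferably a positive permission list, since a negated set silently picks up any permission later added to the process class. The raw-memory grants `dev_read_raw_memory(vmware_t)` / `dev_write_raw_memory(vmware_t)` together with `sys_rawio` in the self:capability rule are unusual for a user-launched application domain and carry no explanation, unlike the `# cjp: why?` marker already left on `userdom_read_user_home_content_files`; a one-line comment naming what the user-side VMware binaries need /dev/mem for would let a later reviewer judge whether these can be dropped. The comment `# Read clobal configuration files` should read `# Read global configuration files`.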
@@ -0,0 +1,7 @@
+/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+
+/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
+
+/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
+
+/var/run/vnstat\.pid gen_context(system_u:object_r:vnstatd_var_run_t,s0)
diff --git a/vnstatd.if b/vnstatd.if
new file mode 100644
index 0000000..727fe95
--- /dev/null
+++ b/vnstatd.if
@@ -0,0 +1,143 @@
+## Console network traffic monitor.
+
+########################################
+##
+## Execute a domain transition to run vnstat.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`vnstatd_domtrans_vnstat',`
+ gen_require(`
+ type vnstat_t, vnstat_exec_t;
+ ')
+
+ domtrans_pattern($1, vnstat_exec_t, vnstat_t)
+')
+
+########################################
+##
+## Execute a domain transition to run vnstatd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`vnstatd_domtrans',`
+ gen_require(`
+ type vnstatd_t, vnstatd_exec_t;
+ ')
+
+ domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
+')
+
+########################################
+##
+## Search vnstatd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_search_lib',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ allow $1 vnstatd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Manage vnstatd lib dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_manage_lib_dirs',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+##
+## Read vnstatd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_read_lib_files',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## vnstatd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_manage_lib_files',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an vnstatd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`vnstatd_admin',`
+ gen_require(`
+ type vnstatd_t, vnstatd_var_lib_t;
+ ')
+
+ allow $1 vnstatd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, vnstatd_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, vnstatd_var_lib_t)
+')
diff --git a/vnstatd.te b/vnstatd.te
new file mode 100644
index 0000000..8121937
--- /dev/null
+++ b/vnstatd.te
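Review bot: `vnstatd_admin` requires and administers only `vnstatd_var_lib_t`, although vnstatd.te in this same commit also declares `vnstatd_var_run_t` for the pid file, so an administrator role given this interface cannot clean up the daemon's runtime state; add `vnstatd_var_run_t` to the `gen_require` and append `files_list_pids($1)` and `admin_pattern($1, vnstatd_var_run_t)`. Separately, `vnstatd_domtrans_vnstat` and `vnstatd_domtrans` (at the top of this hunk) call `domtrans_pattern` without the `corecmd_search_bin($1)` that `vlock_domtrans` in this commit emits first, so a caller lacking search on the bin directories gets the transition rule but cannot reach the executable. `vnstatd_search_lib` also places its `allow` before `files_search_var_lib($1)`, the reverse of the other lib interfaces here; harmless, but worth aligning. The summary `## an vnstatd environment` should read `## a vnstatd environment`.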
@@ -0,0 +1,80 @@
+policy_module(vnstatd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vnstat_t;
+type vnstat_exec_t;
+application_domain(vnstat_t, vnstat_exec_t)
+
+type vnstatd_t;
+type vnstatd_exec_t;
+init_daemon_domain(vnstatd_t, vnstatd_exec_t)
+
+type vnstatd_var_lib_t;
+files_type(vnstatd_var_lib_t)
+
+type vnstatd_var_run_t;
+files_pid_file(vnstatd_var_run_t)
+
+########################################
+#
+# vnstatd local policy
+#
+
+allow vnstatd_t self:process signal;
+allow vnstatd_t self:fifo_file rw_fifo_file_perms;
+allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
+
+manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
+manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
+files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })
+
+kernel_read_network_state(vnstatd_t)
+kernel_read_system_state(vnstatd_t)
+
+domain_use_interactive_fds(vnstatd_t)
+
+files_read_etc_files(vnstatd_t)
+
+fs_getattr_xattr_fs(vnstatd_t)
+
+logging_send_syslog_msg(vnstatd_t)
+
+miscfiles_read_localization(vnstatd_t)
+
+optional_policy(`
+ cron_system_entry(vnstat_t, vnstat_exec_t)
+')
+
+########################################
+#
+# vnstat local policy
+#
+
+allow vnstat_t self:process signal;
+allow vnstat_t self:fifo_file rw_fifo_file_perms;
+allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
+
+kernel_read_network_state(vnstat_t)
+kernel_read_system_state(vnstat_t)
+
+domain_use_interactive_fds(vnstat_t)
+
+files_read_etc_files(vnstat_t)
+
+fs_getattr_xattr_fs(vnstat_t)
+
+logging_send_syslog_msg(vnstat_t)
+
+miscfiles_read_localization(vnstat_t)
diff --git a/vpn.fc b/vpn.fc
new file mode 100644
index 0000000..076dcc3
--- /dev/null
+++ b/vpn.fc
@@ -0,0 +1,13 @@
+#
+# sbin
+#
+/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
diff --git a/vpn.if b/vpn.if
new file mode 100644
index 0000000..64f8cdc
--- /dev/null
+++ b/vpn.if
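Review bot: The `optional_policy(` block calling `cron_system_entry(vnstat_t, vnstat_exec_t)` sits under the `# vnstatd local policy` heading although it concerns `vnstat_t`, so it should move below the `# vnstat local policy` heading with the rest of that domain's rules. That cron entry also means `vnstat_t` runs unattended with `manage_dirs_pattern`/`manage_files_pattern` and a `files_var_lib_filetrans` on `vnstatd_var_lib_t`, i.e. the same full write access to the traffic database that the daemon has; if the command-line tool only needs to read the database, narrowing it to `read_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)` would keep the two domains' privileges distinct, and otherwise a comment such as `# vnstat updates the database itself when run from cron` would explain why the client writes it.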
@@ -0,0 +1,139 @@ +## Virtual Private Networking client + +######################################## +## +## Execute VPN clients in the vpnc domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`vpn_domtrans',` + gen_require(` + type vpnc_t, vpnc_exec_t; + ') + + domtrans_pattern($1, vpnc_exec_t, vpnc_t) +') + +######################################## +## +## Execute VPN clients in the vpnc domain, and +## allow the specified role the vpnc domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`vpn_run',` + gen_require(` + type vpnc_t; + ') + + vpn_domtrans($1) + role $2 types vpnc_t; + sysnet_run_ifconfig(vpnc_t, $2) +') + +######################################## +## +## Send VPN clients the kill signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`vpn_kill',` + gen_require(` + type vpnc_t; + ') + + allow $1 vpnc_t:process sigkill; +') + +######################################## +## +## Send generic signals to VPN clients. +## +## +## +## Domain allowed access. +## +## +# +interface(`vpn_signal',` + gen_require(` + type vpnc_t; + ') + + allow $1 vpnc_t:process signal; +') + +######################################## +## +## Send signull to VPN clients. +## +## +## +## Domain allowed access. +## +## +# +interface(`vpn_signull',` + gen_require(` + type vpnc_t; + ') + + allow $1 vpnc_t:process signull; +') + +######################################## +## +## Send and receive messages from +## Vpnc over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`vpn_dbus_chat',` + gen_require(` + type vpnc_t; + class dbus send_msg; + ') + + allow $1 vpnc_t:dbus send_msg; + allow vpnc_t $1:dbus send_msg; +') + +######################################## +## +## Relabelfrom from vpnc socket. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`vpn_relabelfrom_tun_socket',` + gen_require(` + type vpnc_t; + ') + + allow $1 vpnc_t:tun_socket relabelfrom; +') diff --git a/vpn.te b/vpn.te new file mode 100644 index 0000000..ebf4b26 --- /dev/null +++ b/vpn.te 
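Review bot: vpn_domtrans omits `corecmd_search_bin($1)` even though vpn.fc puts the entry points under /usr/bin and /usr/sbin; wine_domtrans later in this series includes it, and without it a caller that lacks search on bin directories cannot reach vpnc_exec_t to transition at all. Add the line before the domtrans_pattern: `corecmd_search_bin($1)`. Separately, vpn_run grants `sysnet_run_ifconfig(vpnc_t, $2)` as a side effect, which adds the ifconfig domain to role $2 as well; that is broader than the interface name suggests and deserves a one-line comment stating that vpnc's helper scripts run ifconfig/ip.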
@@ -0,0 +1,121 @@
+policy_module(vpn, 1.14.0)
+
+########################################
+#
+# Declarations
+#
+
+type vpnc_t;
+type vpnc_exec_t;
+application_domain(vpnc_t, vpnc_exec_t)
+role system_r types vpnc_t;
+
+type vpnc_tmp_t;
+files_tmp_file(vpnc_tmp_t)
+
+type vpnc_var_run_t;
+files_pid_file(vpnc_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
+allow vpnc_t self:process { getsched signal };
+allow vpnc_t self:fifo_file rw_fifo_file_perms;
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow vpnc_t self:tcp_socket create_stream_socket_perms;
+allow vpnc_t self:udp_socket create_socket_perms;
+allow vpnc_t self:rawip_socket create_socket_perms;
+allow vpnc_t self:unix_dgram_socket create_socket_perms;
+allow vpnc_t self:unix_stream_socket create_socket_perms;
+allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
+# cjp: this needs to be fixed
+allow vpnc_t self:socket create_socket_perms;
+
+manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
+manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
+files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
+
+manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
+manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t)
+files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})
+
+kernel_read_system_state(vpnc_t)
+kernel_read_network_state(vpnc_t)
+kernel_read_all_sysctls(vpnc_t)
+kernel_request_load_module(vpnc_t)
+kernel_rw_net_sysctls(vpnc_t)
+
+corenet_all_recvfrom_unlabeled(vpnc_t)
+corenet_all_recvfrom_netlabel(vpnc_t)
+corenet_tcp_sendrecv_generic_if(vpnc_t)
+corenet_udp_sendrecv_generic_if(vpnc_t)
+corenet_raw_sendrecv_generic_if(vpnc_t)
+corenet_tcp_sendrecv_generic_node(vpnc_t)
+corenet_udp_sendrecv_generic_node(vpnc_t)
+corenet_raw_sendrecv_generic_node(vpnc_t)
+corenet_tcp_sendrecv_all_ports(vpnc_t)
+corenet_udp_sendrecv_all_ports(vpnc_t)
+corenet_udp_bind_generic_node(vpnc_t)
+corenet_udp_bind_generic_port(vpnc_t)
+corenet_udp_bind_isakmp_port(vpnc_t)
+corenet_udp_bind_ipsecnat_port(vpnc_t)
+corenet_tcp_connect_all_ports(vpnc_t)
+corenet_sendrecv_all_client_packets(vpnc_t)
+corenet_sendrecv_isakmp_server_packets(vpnc_t)
+corenet_sendrecv_generic_server_packets(vpnc_t)
+corenet_rw_tun_tap_dev(vpnc_t)
+
+dev_read_rand(vpnc_t)
+dev_read_urand(vpnc_t)
+dev_read_sysfs(vpnc_t)
+
+domain_use_interactive_fds(vpnc_t)
+
+fs_getattr_xattr_fs(vpnc_t)
+fs_getattr_tmpfs(vpnc_t)
+
+term_use_all_ptys(vpnc_t)
+term_use_all_ttys(vpnc_t)
+
+corecmd_exec_all_executables(vpnc_t)
+
+files_exec_etc_files(vpnc_t)
+files_read_etc_runtime_files(vpnc_t)
+files_read_etc_files(vpnc_t)
+files_dontaudit_search_home(vpnc_t)
+
+auth_use_nsswitch(vpnc_t)
+
+libs_exec_ld_so(vpnc_t)
+libs_exec_lib_files(vpnc_t)
+
+locallogin_use_fds(vpnc_t)
+
+logging_send_syslog_msg(vpnc_t)
+logging_dontaudit_search_logs(vpnc_t)
+
+miscfiles_read_localization(vpnc_t)
+
+seutil_dontaudit_search_config(vpnc_t)
+seutil_use_newrole_fds(vpnc_t)
+
+sysnet_etc_filetrans_config(vpnc_t)
+sysnet_manage_config(vpnc_t)
+
+userdom_use_all_users_fds(vpnc_t)
+userdom_dontaudit_search_user_home_content(vpnc_t)
+
+optional_policy(`
+ dbus_system_bus_client(vpnc_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(vpnc_t)
+ ')
+')
+
+optional_policy(`
+ networkmanager_attach_tun_iface(vpnc_t)
+')
diff --git a/w3c.fc b/w3c.fc
new file mode 100644
index 0000000..a9cc9a8
--- /dev/null
+++ b/w3c.fc
@@ -0,0 +1,4 @@
+/usr/lib/cgi-bin/check gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
+
+/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
diff --git a/w3c.if b/w3c.if
new file mode 100644
index 0000000..8f678a9
--- /dev/null
+++ b/w3c.if
@@ -0,0 +1 @@
+## W3C Markup Validator
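Review bot: `corecmd_exec_all_executables(vpnc_t)` combined with libs_exec_ld_so/libs_exec_lib_files, term_use_all_ptys/ttys, sysnet_manage_config, corenet_tcp_connect_all_ports and the dac_override/net_admin/net_raw capabilities leaves vpnc_t close to unconfined: every helper it spawns (the vpnc-script, ip/ifconfig, resolvconf) inherits all of that in-domain, so a bug in any of them has the whole set. Since vpn.if already uses sysnet_run_ifconfig, the interface-configuration helper could be transitioned instead of executed in place, and the remaining exec_all could shrink to the script itself; at minimum the rule needs a comment naming which helper requires it. The `# cjp: this needs to be fixed` above `allow vpnc_t self:socket create_socket_perms;` should be made actionable, e.g. `# TODO: generic socket class, i.e. a family this policy does not classify; take the family from the AVC denial and replace with the specific class`. The generic socket class also appears on no other domain in this series, which supports treating it as a gap rather than a requirement.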
diff --git a/w3c.te b/w3c.te
new file mode 100644
index 0000000..1174ad8
--- /dev/null
+++ b/w3c.te
@@ -0,0 +1,24 @@
+policy_module(w3c, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(w3c_validator)
+
+########################################
+#
+# Local policy
+#
+
+corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+
+miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
+
+sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
diff --git a/watchdog.fc b/watchdog.fc
new file mode 100644
index 0000000..7551c51
--- /dev/null
+++ b/watchdog.fc
@@ -0,0 +1,5 @@
+/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
+
+/var/log/watchdog(/.*)? gen_context(system_u:object_r:watchdog_log_t,s0)
+
+/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
diff --git a/watchdog.if b/watchdog.if
new file mode 100644
index 0000000..f8acf10
--- /dev/null
+++ b/watchdog.if
@@ -0,0 +1 @@
+## Software watchdog
diff --git a/watchdog.te b/watchdog.te
new file mode 100644
index 0000000..b10bb05
--- /dev/null
+++ b/watchdog.te
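Review bot: The outbound rules in w3c.te (ftp, http and http_cache connect plus sysnet_dns_name_resolve) are undocumented, and for a CGI script they are the security-relevant part of the module: they exist, presumably, because the validator fetches whatever URL the web user submits. A comment above the corenet block should say so and spell out the consequence, e.g. `# The validator fetches user-supplied URLs, so outbound http/ftp is inherent; port rules are not node-scoped, so the CGI can also reach HTTP services on localhost and internal networks.` That lets an administrator decide whether to pair it with network-level egress filtering rather than discovering the SSRF surface later.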
@@ -0,0 +1,105 @@
+policy_module(watchdog, 1.7.0)
+
+#################################
+#
+# Rules for the watchdog_t domain.
+#
+
+type watchdog_t;
+type watchdog_exec_t;
+init_daemon_domain(watchdog_t, watchdog_exec_t)
+
+type watchdog_log_t;
+logging_log_file(watchdog_log_t)
+
+type watchdog_var_run_t;
+files_pid_file(watchdog_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
+dontaudit watchdog_t self:capability sys_tty_config;
+allow watchdog_t self:process { setsched signal_perms };
+allow watchdog_t self:fifo_file rw_fifo_file_perms;
+allow watchdog_t self:unix_stream_socket create_socket_perms;
+allow watchdog_t self:tcp_socket create_stream_socket_perms;
+allow watchdog_t self:udp_socket create_socket_perms;
+
+allow watchdog_t watchdog_log_t:file manage_file_perms;
+logging_log_filetrans(watchdog_t, watchdog_log_t, file)
+
+manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
+files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
+
+kernel_read_system_state(watchdog_t)
+kernel_read_kernel_sysctls(watchdog_t)
+kernel_unmount_proc(watchdog_t)
+
+# for orderly shutdown
+corecmd_exec_shell(watchdog_t)
+
+# cjp: why networking?
+corenet_all_recvfrom_unlabeled(watchdog_t)
+corenet_all_recvfrom_netlabel(watchdog_t)
+corenet_tcp_sendrecv_generic_if(watchdog_t)
+corenet_udp_sendrecv_generic_if(watchdog_t)
+corenet_tcp_sendrecv_generic_node(watchdog_t)
+corenet_udp_sendrecv_generic_node(watchdog_t)
+corenet_tcp_sendrecv_all_ports(watchdog_t)
+corenet_udp_sendrecv_all_ports(watchdog_t)
+corenet_tcp_connect_all_ports(watchdog_t)
+corenet_sendrecv_all_client_packets(watchdog_t)
+
+dev_read_sysfs(watchdog_t)
+dev_write_watchdog(watchdog_t)
+# do not care about saving the random seed
+dev_dontaudit_read_rand(watchdog_t)
+dev_dontaudit_read_urand(watchdog_t)
+
+domain_use_interactive_fds(watchdog_t)
+domain_getsession_all_domains(watchdog_t)
+domain_sigchld_all_domains(watchdog_t)
+domain_sigstop_all_domains(watchdog_t)
+domain_signull_all_domains(watchdog_t)
+domain_signal_all_domains(watchdog_t)
+domain_kill_all_domains(watchdog_t)
+
+files_read_etc_files(watchdog_t)
+# for updating mtab on umount
+files_manage_etc_runtime_files(watchdog_t)
+files_etc_filetrans_etc_runtime(watchdog_t, file)
+
+fs_unmount_xattr_fs(watchdog_t)
+fs_getattr_all_fs(watchdog_t)
+fs_search_auto_mountpoints(watchdog_t)
+
+# record the fact that we are going down
+auth_append_login_records(watchdog_t)
+
+logging_send_syslog_msg(watchdog_t)
+
+miscfiles_read_localization(watchdog_t)
+
+sysnet_read_config(watchdog_t)
+
+userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
+userdom_dontaudit_search_user_home_dirs(watchdog_t)
+
+optional_policy(`
+ mta_send_mail(watchdog_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(watchdog_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(watchdog_t)
+')
+
+optional_policy(`
+ udev_read_db(watchdog_t)
+')
diff --git a/webadm.fc b/webadm.fc
new file mode 100644
index 0000000..d46378a
--- /dev/null
+++ b/webadm.fc
@@ -0,0 +1 @@
+# No webadm file contexts.
diff --git a/webadm.if b/webadm.if
new file mode 100644
index 0000000..cc34f8b
--- /dev/null
+++ b/webadm.if
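Review bot: The `# cjp: why networking?` question is committed unanswered while the block beneath it grants TCP/UDP send/receive on all ports and `corenet_tcp_connect_all_ports(watchdog_t)` to a domain that also holds sys_admin, sys_boot and domain_kill_all_domains. If the intent is the watchdog's ping test, that would need a rawip_socket for ICMP, which this hunk does not grant, so the tcp/udp rules neither explain the comment nor support that feature; either replace the comment with the actual reason or drop the corenet block until a denial shows what is needed. Unrelated but confusing: the `# Declarations` heading sits above the allow rules while the type declarations are filed under `# Rules for the watchdog_t domain.`; swapping the two headings restores the file's convention.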
@@ -0,0 +1,50 @@ +## Web administrator role + +######################################## +## +## Change to the web administrator role. +## +## +## +## Role allowed access. +## +## +## +# +interface(`webadm_role_change',` + gen_require(` + role webadm_r; + ') + + allow $1 webadm_r; +') + +######################################## +## +## Change from the web administrator role. +## +## +##

+## Change from the web administrator role to +## the specified role. +##

+##

+## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+##
+## +## +## Role allowed access. +## +## +## +# +interface(`webadm_role_change_to',` + gen_require(` + role webadm_r; + ') + + allow webadm_r $1; +') diff --git a/webadm.te b/webadm.te new file mode 100644 index 0000000..0ecc786 --- /dev/null +++ b/webadm.te @@ -0,0 +1,55 @@ +policy_module(webadm, 1.1.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow webadm to manage files in users home directories +##

+##
+gen_tunable(webadm_manage_user_files, false) + +## +##

+## Allow webadm to read files in users home directories +##

+##
+gen_tunable(webadm_read_user_files, false) + +role webadm_r; + +userdom_base_user_template(webadm) + +######################################## +# +# webadmin local policy +# + +allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; + +files_dontaudit_search_all_dirs(webadm_t) +files_manage_generic_locks(webadm_t) +files_list_var(webadm_t) + +selinux_get_enforce_mode(webadm_t) +seutil_domtrans_setfiles(webadm_t) + +logging_send_syslog_msg(webadm_t) + +userdom_dontaudit_search_user_home_dirs(webadm_t) + +apache_admin(webadm_t, webadm_r) + +tunable_policy(`webadm_manage_user_files',` + userdom_manage_user_home_content_files(webadm_t) + userdom_read_user_tmp_files(webadm_t) + userdom_write_user_tmp_files(webadm_t) +') + +tunable_policy(`webadm_read_user_files',` + userdom_read_user_home_content_files(webadm_t) + userdom_read_user_tmp_files(webadm_t) +') diff --git a/webalizer.fc b/webalizer.fc new file mode 100644 index 0000000..e4f7d30 --- /dev/null +++ b/webalizer.fc @@ -0,0 +1,10 @@ + +# +# /usr +# +/usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0) + +# +# /var +# +/var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0) diff --git a/webalizer.if b/webalizer.if new file mode 100644 index 0000000..3c78e7c --- /dev/null +++ b/webalizer.if 
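Review bot: `seutil_domtrans_setfiles(webadm_t)` lets the web administrator role run setfiles/restorecon in the setfiles domain, which can relabel any file on the system, not just httpd content, and the same block hands webadm_t the kill, sys_ptrace and dac_override capabilities; none of this is explained. If apache_admin already covers relabeling of httpd content the setfiles transition is redundant, and if it is needed a comment should state what webadm relabels so the scope can be judged. The tunable description for webadm_manage_user_files says "manage files in users home directories", but the tunable_policy also grants userdom_read_user_tmp_files and userdom_write_user_tmp_files; the description should mention user tmp files too so an administrator enabling it knows the full grant.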
@@ -0,0 +1,45 @@ +## Web server log analysis + +######################################## +## +## Execute webalizer in the webalizer domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`webalizer_domtrans',` + gen_require(` + type webalizer_t, webalizer_exec_t; + ') + + domtrans_pattern($1, webalizer_exec_t, webalizer_t) +') + +######################################## +## +## Execute webalizer in the webalizer domain, and +## allow the specified role the webalizer domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`webalizer_run',` + gen_require(` + type webalizer_t; + ') + + webalizer_domtrans($1) + role $2 types webalizer_t; +') diff --git a/webalizer.te b/webalizer.te new file mode 100644 index 0000000..75629b6 --- /dev/null +++ b/webalizer.te 
@@ -0,0 +1,109 @@
+policy_module(webalizer, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+type webalizer_t;
+type webalizer_exec_t;
+application_domain(webalizer_t, webalizer_exec_t)
+role system_r types webalizer_t;
+
+type webalizer_etc_t;
+files_config_file(webalizer_etc_t)
+
+type webalizer_usage_t;
+files_type(webalizer_usage_t)
+
+type webalizer_tmp_t;
+files_tmp_file(webalizer_tmp_t)
+
+type webalizer_var_lib_t;
+files_type(webalizer_var_lib_t)
+
+type webalizer_write_t;
+files_type(webalizer_write_t)
+
+########################################
+#
+# Local policy
+#
+
+allow webalizer_t self:capability dac_override;
+allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow webalizer_t self:fd use;
+allow webalizer_t self:fifo_file rw_fifo_file_perms;
+allow webalizer_t self:sock_file read_sock_file_perms;
+allow webalizer_t self:shm create_shm_perms;
+allow webalizer_t self:sem create_sem_perms;
+allow webalizer_t self:msgq create_msgq_perms;
+allow webalizer_t self:msg { send receive };
+allow webalizer_t self:unix_dgram_socket create_socket_perms;
+allow webalizer_t self:unix_stream_socket create_stream_socket_perms;
+allow webalizer_t self:unix_dgram_socket sendto;
+allow webalizer_t self:unix_stream_socket connectto;
+allow webalizer_t self:tcp_socket connected_stream_socket_perms;
+allow webalizer_t self:udp_socket { connect connected_socket_perms };
+allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow webalizer_t webalizer_etc_t:file read_file_perms;
+
+manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
+manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
+files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
+
+manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t)
+files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
+
+kernel_read_kernel_sysctls(webalizer_t)
+kernel_read_system_state(webalizer_t)
+
+corenet_all_recvfrom_unlabeled(webalizer_t)
+corenet_all_recvfrom_netlabel(webalizer_t)
+corenet_tcp_sendrecv_generic_if(webalizer_t)
+corenet_tcp_sendrecv_generic_node(webalizer_t)
+corenet_tcp_sendrecv_all_ports(webalizer_t)
+
+fs_search_auto_mountpoints(webalizer_t)
+fs_getattr_xattr_fs(webalizer_t)
+fs_rw_anon_inodefs_files(webalizer_t)
+
+files_read_etc_files(webalizer_t)
+files_read_etc_runtime_files(webalizer_t)
+
+logging_list_logs(webalizer_t)
+logging_send_syslog_msg(webalizer_t)
+
+miscfiles_read_localization(webalizer_t)
+miscfiles_read_public_files(webalizer_t)
+
+sysnet_dns_name_resolve(webalizer_t)
+sysnet_read_config(webalizer_t)
+
+userdom_use_user_terminals(webalizer_t)
+userdom_use_unpriv_users_fds(webalizer_t)
+userdom_dontaudit_search_user_home_content(webalizer_t)
+
+apache_read_log(webalizer_t)
+apache_manage_sys_content(webalizer_t)
+
+optional_policy(`
+ cron_system_entry(webalizer_t, webalizer_exec_t)
+')
+
+optional_policy(`
+ ftp_read_log(webalizer_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(webalizer_t)
+')
+
+optional_policy(`
+ nscd_socket_use(webalizer_t)
+')
+
+optional_policy(`
+ squid_read_log(webalizer_t)
+')
diff --git a/wine.fc b/wine.fc
new file mode 100644
index 0000000..9d24449
--- /dev/null
+++ b/wine.fc
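Review bot: `allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` is a complement set, so it grants every process permission not listed, including dyntransition, setsockcreate and any permission added to the class in a later policy, to a program whose input is attacker-influenced web and ftp log lines. The rest of this series enumerates process permissions positively (e.g. `{ signal getsched }` in wireshark.te); do the same here, starting from what the denials actually show. Relatedly, `apache_manage_sys_content(webalizer_t)` lets that same log parser write arbitrary files into the content Apache serves; webalizer_usage_t and webalizer_write_t are declared in this hunk but no rule uses them, and if report output were confined to webalizer_write_t the manage on all sys content could be dropped. Hedged, since I cannot see from this diff whether another module relies on those two types.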
@@ -0,0 +1,21 @@ +HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) + +/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) + +/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) + +/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) + +/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) diff --git a/wine.if b/wine.if new file mode 100644 index 0000000..f9a73d0 --- /dev/null +++ b/wine.if @@ -0,0 +1,178 @@ +## Wine Is Not an Emulator. Run Windows programs in Linux. + +####################################### +## +## The per role template for the wine module. +## +## +##

+## This template creates a derived domains which are used +## for wine applications. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`wine_role',` + gen_require(` + type wine_exec_t; + ') + + role $1 types wine_t; + + domain_auto_trans($2, wine_exec_t, wine_t) + allow wine_t $2:fd use; + allow wine_t $2:process { sigchld signull }; + allow wine_t $2:unix_stream_socket connectto; + + # Allow the user domain to signal/ps. + ps_process_pattern($2, wine_t) + allow $2 wine_t:process signal_perms; + + allow $2 wine_t:fd use; + allow $2 wine_t:shm { associate getattr }; + allow $2 wine_t:shm { unix_read unix_write }; + allow $2 wine_t:unix_stream_socket connectto; + + # X access, Home files + manage_dirs_pattern($2, wine_home_t, wine_home_t) + manage_files_pattern($2, wine_home_t, wine_home_t) + manage_lnk_files_pattern($2, wine_home_t, wine_home_t) + relabel_dirs_pattern($2, wine_home_t, wine_home_t) + relabel_files_pattern($2, wine_home_t, wine_home_t) + relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) +') + +####################################### +## +## The role template for the wine module. +## +## +##

+## This template creates a derived domains which are used +## for wine applications. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`wine_role_template',` + gen_require(` + type wine_exec_t; + ') + + type $1_wine_t; + domain_type($1_wine_t) + domain_entry_file($1_wine_t, wine_exec_t) + ubac_constrained($1_wine_t) + role $2 types $1_wine_t; + + allow $1_wine_t self:process { execmem execstack }; + allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }; + domtrans_pattern($3, wine_exec_t, $1_wine_t) + corecmd_bin_domtrans($1_wine_t, $1_t) + + userdom_unpriv_usertype($1, $1_wine_t) + userdom_manage_user_tmpfs_files($1_wine_t) + + domain_mmap_low($1_wine_t) + + tunable_policy(`wine_mmap_zero_ignore',` + dontaudit $1_wine_t self:memprotect mmap_zero; + ') + + optional_policy(` + xserver_role($1_r, $1_wine_t) + ') +') + +######################################## +## +## Execute the wine program in the wine domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`wine_domtrans',` + gen_require(` + type wine_t, wine_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, wine_exec_t, wine_t) +') + +######################################## +## +## Execute wine in the wine domain, and +## allow the specified role the wine domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`wine_run',` + gen_require(` + type wine_t; + ') + + wine_domtrans($1) + role $2 types wine_t; +') + +######################################## +## +## Read and write wine Shared +## memory segments. +## +## +## +## Domain allowed access. +## +## +# +interface(`wine_rw_shm',` + gen_require(` + type wine_t; + ') + + allow $1 wine_t:shm rw_shm_perms; +') diff --git a/wine.te b/wine.te new file mode 100644 index 0000000..4a539d9 --- /dev/null +++ b/wine.te 
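Review bot: The `wine_role` template references `wine_t` and `wine_home_t` while its gen_require lists only `type wine_exec_t;`, so the template will fail to build in any module that cannot already see those types; the require should read `type wine_t, wine_exec_t, wine_home_t;`. I also do not see a `wine_home_t` declaration in the wine.te hunk of this diff (it declares wine_t, wine_exec_t and wine_tmp_t), so the home-content rules in wine_role either reference a type declared elsewhere or a type that does not exist; please confirm. In `wine_role_template`, `corecmd_bin_domtrans($1_wine_t, $1_t)` constructs the user domain from the prefix while the template already receives it as `$3`; use `corecmd_bin_domtrans($1_wine_t, $3)` so a caller whose prefix and domain type differ does not transition to the wrong or a nonexistent domain.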
@@ -0,0 +1,64 @@ +policy_module(wine, 1.9.0) + +######################################## +# +# Declarations +# + +## +##

+## Ignore wine mmap_zero errors. +##

+##
+gen_tunable(wine_mmap_zero_ignore, false)
+
+type wine_t;
+type wine_exec_t;
+application_domain(wine_t, wine_exec_t)
+ubac_constrained(wine_t)
+role system_r types wine_t;
+
+type wine_tmp_t;
+files_tmp_file(wine_tmp_t)
+ubac_constrained(wine_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow wine_t self:process { execstack execmem execheap };
+allow wine_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(wine_t, wine_exec_t)
+
+manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
+
+domain_mmap_low(wine_t)
+
+files_execmod_all_files(wine_t)
+
+userdom_use_user_terminals(wine_t)
+
+tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit wine_t self:memprotect mmap_zero;
+')
+
+optional_policy(`
+ hal_dbus_chat(wine_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(wine_t)
+')
+
+optional_policy(`
+ unconfined_domain(wine_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(wine_t)
+ xserver_rw_shm(wine_t)
+')
diff --git a/wireshark.fc b/wireshark.fc
new file mode 100644
index 0000000..96844ae
--- /dev/null
+++ b/wireshark.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:wireshark_home_t,s0)
+
+/usr/bin/wireshark -- gen_context(system_u:object_r:wireshark_exec_t,s0)
diff --git a/wireshark.if b/wireshark.if
new file mode 100644
index 0000000..ea6ffe6
--- /dev/null
+++ b/wireshark.if
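Review bot: The `optional_policy` that calls `unconfined_domain(wine_t)` is silent about its effect: on any build that ships the unconfined module, wine_t becomes an unconfined domain and every other rule in this file (execmem/execstack/execheap, domain_mmap_low, files_execmod_all_files) is moot. A comment above that block should state it so readers do not mistake the rest of the file for a confinement boundary, e.g. `# wine_t is only a confined domain when the unconfined module is absent; with it loaded wine_t is fully unconfined`. The mmap_zero dontaudit under wine_mmap_zero_ignore also deserves a note that it hides the denial rather than permitting the mapping, since the tunable name suggests the latter.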
@@ -0,0 +1,55 @@ +## Wireshark packet capture tool. + +############################################################ +## +## Role access for wireshark +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`wireshark_role',` + gen_require(` + type wireshark_t, wireshark_exec_t; + type wireshark_home_t, wireshark_tmp_t; + type wireshark_tmpfs_t; + ') + + role $1 types wireshark_t; + + domain_auto_trans($2, wireshark_exec_t, wireshark_t) + allow wireshark_t $2:fd use; + allow wireshark_t $2:process sigchld; + + manage_dirs_pattern($2, wireshark_home_t, wireshark_home_t) + manage_files_pattern($2, wireshark_home_t, wireshark_home_t) + manage_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t) + relabel_dirs_pattern($2, wireshark_home_t, wireshark_home_t) + relabel_files_pattern($2, wireshark_home_t, wireshark_home_t) + relabel_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t) +') + +######################################## +## +## Run wireshark in wireshark domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`wireshark_domtrans',` + gen_require(` + type wireshark_t, wireshark_exec_t; + ') + + domtrans_pattern($1, wireshark_exec_t, wireshark_t) +') diff --git a/wireshark.te b/wireshark.te new file mode 100644 index 0000000..8bfe97d --- /dev/null +++ b/wireshark.te 
@@ -0,0 +1,122 @@
+policy_module(wireshark, 2.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type wireshark_t;
+type wireshark_exec_t;
+typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
+typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
+application_domain(wireshark_t, wireshark_exec_t)
+ubac_constrained(wireshark_t)
+
+type wireshark_home_t;
+typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
+typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };
+userdom_user_home_content(wireshark_home_t)
+
+type wireshark_tmp_t;
+typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t };
+typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t };
+files_tmp_file(wireshark_tmp_t)
+ubac_constrained(wireshark_tmp_t)
+
+type wireshark_tmpfs_t;
+typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
+typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t };
+files_tmpfs_file(wireshark_tmpfs_t)
+ubac_constrained(wireshark_tmpfs_t)
+
+##############################
+#
+# Local Policy
+#
+
+allow wireshark_t self:capability { net_admin net_raw setgid };
+allow wireshark_t self:process { signal getsched };
+allow wireshark_t self:fifo_file { getattr read write };
+allow wireshark_t self:shm destroy;
+allow wireshark_t self:shm create_shm_perms;
+allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
+allow wireshark_t self:tcp_socket create_socket_perms;
+allow wireshark_t self:udp_socket create_socket_perms;
+
+# Re-execute itself (why?)
+can_exec(wireshark_t, wireshark_exec_t)
+corecmd_search_bin(wireshark_t)
+
+# /home/.wireshark
+manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir)
+
+# Store temporary files
+manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file })
+
+manage_dirs_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(wireshark_t)
+kernel_read_system_state(wireshark_t)
+kernel_read_sysctl(wireshark_t)
+
+corecmd_search_bin(wireshark_t)
+
+corenet_tcp_connect_generic_port(wireshark_t)
+corenet_tcp_sendrecv_generic_if(wireshark_t)
+
+dev_read_urand(wireshark_t)
+
+files_read_etc_files(wireshark_t)
+files_read_usr_files(wireshark_t)
+
+fs_list_inotifyfs(wireshark_t)
+fs_search_auto_mountpoints(wireshark_t)
+
+libs_read_lib_files(wireshark_t)
+
+miscfiles_read_fonts(wireshark_t)
+miscfiles_read_localization(wireshark_t)
+
+seutil_use_newrole_fds(wireshark_t)
+
+sysnet_read_config(wireshark_t)
+
+userdom_manage_user_home_content_files(wireshark_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(wireshark_t)
+ fs_manage_nfs_files(wireshark_t)
+ fs_manage_nfs_symlinks(wireshark_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(wireshark_t)
+ fs_manage_cifs_files(wireshark_t)
+ fs_manage_cifs_symlinks(wireshark_t)
+')
+
+optional_policy(`
+ nscd_socket_use(wireshark_t)
+')
+
+# Manual transition from userhelper
+optional_policy(`
+ userhelper_use_fd(wireshark_t)
+ userhelper_sigchld(wireshark_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(wireshark, wireshark_t, wireshark_tmpfs_t)
+ xserver_create_xdm_tmp_sockets(wireshark_t)
+')
diff --git a/wm.fc b/wm.fc
new file mode 100644
index 0000000..c1d10a1
--- /dev/null
+++ b/wm.fc
@@ -0,0 +1,4 @@
+/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/wm.if b/wm.if
new file mode 100644
index 0000000..b3efef7
--- /dev/null
+++ b/wm.if
@@ -0,0 +1,111 @@
+## X Window Managers
+
+#######################################
+##
+## The role template for the wm module.
+##
+##
+##
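Review bot: The capture privileges (`net_admin net_raw` capabilities and the packet_socket rules) live in the same domain that runs the dissectors on untrusted packets and holds `userdom_manage_user_home_content_files(wireshark_t)`, so a dissector bug yields raw network access plus full write to the user's home. If the packaged build captures through dumpcap, as current Wireshark does, a separate capture domain with its own label for /usr/bin/dumpcap (absent from wireshark.fc in this series) would keep net_raw out of the parsing process; this is hedged, since I cannot tell from the diff which capture path the target build uses. Smaller points: `corecmd_search_bin(wireshark_t)` appears twice in this hunk, once after can_exec and again after the kernel rules, and the `# Re-execute itself (why?)` comment should either be answered or replaced with a TODO naming what was observed exec'ing wireshark_exec_t.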

+## This template creates a derived domains which are used +## for window manager applications. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`wm_role_template',` + gen_require(` + type wm_exec_t; + class dbus send_msg; + ') + + type $1_wm_t; + domain_type($1_wm_t) + domain_entry_file($1_wm_t, wm_exec_t) + role $2 types $1_wm_t; + + allow $1_wm_t self:fifo_file rw_fifo_file_perms; + allow $1_wm_t self:process getsched; + allow $1_wm_t self:shm create_shm_perms; + + allow $1_wm_t $3:unix_stream_socket connectto; + allow $3 $1_wm_t:unix_stream_socket connectto; + allow $3 $1_wm_t:process { signal sigchld signull }; + allow $1_wm_t $3:process { signull sigkill }; + + allow $1_wm_t $3:dbus send_msg; + allow $3 $1_wm_t:dbus send_msg; + + domtrans_pattern($3, wm_exec_t, $1_wm_t) + + kernel_read_system_state($1_wm_t) + + corecmd_bin_domtrans($1_wm_t, $3) + corecmd_shell_domtrans($1_wm_t, $3) + + dev_read_urand($1_wm_t) + + files_read_etc_files($1_wm_t) + files_read_usr_files($1_wm_t) + + fs_getattr_tmpfs($1_wm_t) + + mls_file_read_all_levels($1_wm_t) + mls_file_write_all_levels($1_wm_t) + mls_xwin_read_all_levels($1_wm_t) + mls_xwin_write_all_levels($1_wm_t) + mls_fd_use_all_levels($1_wm_t) + + auth_use_nsswitch($1_wm_t) + + application_signull($1_wm_t) + + miscfiles_read_fonts($1_wm_t) + miscfiles_read_localization($1_wm_t) + + optional_policy(` + dbus_system_bus_client($1_wm_t) + dbus_session_bus_client($1_wm_t) + ') + + optional_policy(` + pulseaudio_stream_connect($1_wm_t) + ') + + optional_policy(` + xserver_role($2, $1_wm_t) + xserver_manage_core_devices($1_wm_t) + ') +') + +######################################## +## +## Execute the wm program in the wm domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`wm_exec',` + gen_require(` + type wm_exec_t; + ') + + can_exec($1, wm_exec_t) +') diff --git a/wm.te b/wm.te new file mode 100644 index 0000000..19d447e --- /dev/null 
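Review bot: `wm_role_template` grants mls_file_read_all_levels, mls_file_write_all_levels, mls_xwin_read_all_levels, mls_xwin_write_all_levels and mls_fd_use_all_levels to every per-user window-manager domain, and the same domain can transition back into the user domain through corecmd_bin_domtrans/corecmd_shell_domtrans; on an MLS build that makes $1_wm_t a read/write path across every sensitivity level with no comment explaining why. The xwin rules are plausibly needed to manage windows owned by clients at other levels, but file read and write at all levels is a different grant and should be justified separately or dropped; please add a comment stating the case for each, e.g. `# MLS: the window manager decorates and moves windows of clients running at any level`. This is hedged because I cannot see from the diff which window-manager behaviour produced the file-level denials.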
+++ b/wm.te @@ -0,0 +1,9 @@ +policy_module(wm, 1.2.0) + +######################################## +# +# Declarations +# + +type wm_exec_t; +corecmd_executable_file(wm_exec_t) diff --git a/xen.fc b/xen.fc new file mode 100644 index 0000000..a865da7 --- /dev/null +++ b/xen.fc 
@@ -0,0 +1,43 @@
+/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
+
+/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
+
+/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
+/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
+/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
+
+/usr/lib(64)?/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+',`
+/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+')
+
+/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
+/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+
+/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
+/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+
+/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
+/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
+
+/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
diff --git a/xen.if b/xen.if
new file mode 100644
index 0000000..77d41b6
--- /dev/null
+++ b/xen.if
@@ -0,0 +1,238 @@
+## Xen hypervisor
+
+########################################
+##
+## Execute a domain transition to run xend.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`xen_domtrans',`
+ gen_require(`
+ type xend_t, xend_exec_t;
+ ')
+
+ domtrans_pattern($1, xend_exec_t, xend_t)
+')
+
+########################################
+##
+## Inherit and use xen file descriptors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xen_use_fds',`
+ gen_require(`
+ type xend_t;
+ ')
+
+ allow $1 xend_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to inherit
+## xen file descriptors.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`xen_dontaudit_use_fds',`
+ gen_require(`
+ type xend_t;
+ ')
+
+ dontaudit $1 xend_t:fd use;
+')
+
+########################################
+##
+## Read xend image files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xen_read_image_files',`
+ gen_require(`
+ type xen_image_t, xend_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+
+ list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+ read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
+')
+
+########################################
+##
+## Allow the specified domain to read/write
+## xend image files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xen_rw_image_files',`
+ gen_require(`
+ type xen_image_t, xend_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 xend_var_lib_t:dir search_dir_perms;
+ rw_files_pattern($1, xen_image_t, xen_image_t)
+')
+
+########################################
+##
+## Allow the specified domain to append
+## xend log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xen_append_log',`
+ gen_require(`
+ type xend_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, xend_var_log_t, xend_var_log_t)
+ dontaudit $1 xend_var_log_t:file write;
+')
+
+########################################
+##
+## Create, read, write, and delete the
+## xend log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xen_manage_log',`
+ gen_require(`
+ type xend_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, xend_var_log_t, xend_var_log_t)
+ manage_files_pattern($1, xend_var_log_t, xend_var_log_t)
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## Xen unix domain stream sockets. These
+## are leaked file descriptors.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`xen_dontaudit_rw_unix_stream_sockets',`
+ gen_require(`
+ type xend_t;
+ ')
+
+ dontaudit $1 xend_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## Connect to xenstored over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xen_stream_connect_xenstore',`
+ gen_require(`
+ type xenstored_t, xenstored_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xenstored_t)
+')
+
+########################################
+##
+## Connect to xend over an unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xen_stream_connect',`
+ gen_require(`
+ type xend_t, xend_var_run_t, xend_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t)
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t)
+')
+
+########################################
+##
+## Execute a domain transition to run xm.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`xen_domtrans_xm',`
+ gen_require(`
+ type xm_t, xm_exec_t;
+ ')
+
+ domtrans_pattern($1, xm_exec_t, xm_t)
+')
+
+########################################
+##
+## Connect to xm over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xen_stream_connect_xm',`
+ gen_require(`
+ type xm_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t)
+')
diff --git a/xen.te b/xen.te
new file mode 100644
index 0000000..c4d18e8
--- /dev/null
+++ b/xen.te
@@ -0,0 +1,566 @@
+policy_module(xen, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
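Review bot: `xen_stream_connect_xm` uses `xenstored_var_run_t` in its `stream_connect_pattern` but its `gen_require` lists only `type xm_t;`, so any module that calls this interface without separately requiring xenstored_var_run_t fails to build, and routing a connection to xm_t through xenstored's runtime directory looks like a copy of `xen_stream_connect_xenstore` above rather than a deliberate choice. At minimum change the require block to `type xm_t, xenstored_var_run_t;`; if xm has its own socket location, use that type instead so the interface does not widen access to xenstored's pid directory. The interface comment should also say which socket path the caller is expected to reach.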

+## Allow xend to run blktapctrl/tapdisk.
+## Not required if using dedicated logical volumes for disk images.
+##

+##
+gen_tunable(xend_run_blktap, true)
+
+##
+##

+## Allow xend to run qemu-dm.
+## Not required if using paravirt and no vfb.
+##

+##
+gen_tunable(xend_run_qemu, true)
+
+##
+##

+## Allow xen to manage nfs files
+##

+##
+gen_tunable(xen_use_nfs, false)
+
+type blktap_t;
+type blktap_exec_t;
+domain_type(blktap_t)
+domain_entry_file(blktap_t, blktap_exec_t)
+role system_r types blktap_t;
+
+type blktap_var_run_t;
+files_pid_file(blktap_var_run_t)
+
+type evtchnd_t;
+type evtchnd_exec_t;
+init_daemon_domain(evtchnd_t, evtchnd_exec_t)
+
+# log files
+type evtchnd_var_log_t;
+logging_log_file(evtchnd_var_log_t)
+
+# pid files
+type evtchnd_var_run_t;
+files_pid_file(evtchnd_var_run_t)
+
+type qemu_dm_t;
+type qemu_dm_exec_t;
+domain_type(qemu_dm_t)
+domain_entry_file(qemu_dm_t, qemu_dm_exec_t)
+role system_r types qemu_dm_t;
+
+# console ptys
+type xen_devpts_t;
+term_pty(xen_devpts_t)
+files_type(xen_devpts_t)
+
+# Xen Image files
+type xen_image_t; # customizable
+files_type(xen_image_t)
+# xen_image_t can be assigned to blk devices
+dev_node(xen_image_t)
+
+type xenctl_t;
+files_type(xenctl_t)
+
+type xend_t;
+type xend_exec_t;
+domain_type(xend_t)
+init_daemon_domain(xend_t, xend_exec_t)
+
+# tmp files
+type xend_tmp_t;
+files_tmp_file(xend_tmp_t)
+
+# var/lib files
+type xend_var_lib_t;
+files_type(xend_var_lib_t)
+# for mounting an NFS store
+files_mountpoint(xend_var_lib_t)
+
+# log files
+type xend_var_log_t;
+logging_log_file(xend_var_log_t)
+
+# pid files
+type xend_var_run_t;
+files_pid_file(xend_var_run_t)
+files_mountpoint(xend_var_run_t)
+
+type xenstored_t;
+type xenstored_exec_t;
+init_daemon_domain(xenstored_t, xenstored_exec_t)
+
+type xenstored_tmp_t;
+files_tmp_file(xenstored_tmp_t)
+
+# var/lib files
+type xenstored_var_lib_t;
+files_type(xenstored_var_lib_t)
+files_mountpoint(xenstored_var_lib_t)
+
+# log files
+type xenstored_var_log_t;
+logging_log_file(xenstored_var_log_t)
+
+# pid files
+type xenstored_var_run_t;
+files_pid_file(xenstored_var_run_t)
+
+type xenconsoled_t;
+type xenconsoled_exec_t;
+init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
+
+# pid files
+type xenconsoled_var_run_t;
+files_pid_file(xenconsoled_var_run_t)
+
+type xm_t;
+type xm_exec_t;
+domain_type(xm_t)
+init_system_domain(xm_t, xm_exec_t)
+
+########################################
+#
+# blktap local policy
+#
+# Do we need to allow execution of blktap?
+tunable_policy(`xend_run_blktap',`
+ # If yes, transition to its own domain.
+ domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
+
+ allow blktap_t self:fifo_file { read write };
+
+ dev_read_sysfs(blktap_t)
+ dev_rw_xen(blktap_t)
+
+ files_read_etc_files(blktap_t)
+
+ logging_send_syslog_msg(blktap_t)
+
+ miscfiles_read_localization(blktap_t)
+
+ xen_stream_connect_xenstore(blktap_t)
+',`
+ # If no, then silently refuse to run it.
+ dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
+')
+
+#######################################
+#
+# evtchnd local policy
+#
+
+manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
+manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
+logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir })
+
+manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
+manage_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
+manage_sock_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
+files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+
+########################################
+#
+# qemu-dm local policy
+#
+# Do we need to allow execution of qemu-dm?
+tunable_policy(`xend_run_qemu',`
+ allow qemu_dm_t self:capability sys_resource;
+ allow qemu_dm_t self:process setrlimit;
+ allow qemu_dm_t self:fifo_file { read write };
+ allow qemu_dm_t self:tcp_socket create_stream_socket_perms;
+
+ # If yes, transition to its own domain.
+ domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)
+
+ append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t)
+
+ rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t)
+
+ corenet_tcp_bind_generic_node(qemu_dm_t)
+ corenet_tcp_bind_vnc_port(qemu_dm_t)
+
+ dev_rw_xen(qemu_dm_t)
+
+ files_read_etc_files(qemu_dm_t)
+ files_read_usr_files(qemu_dm_t)
+
+ fs_manage_xenfs_dirs(qemu_dm_t)
+ fs_manage_xenfs_files(qemu_dm_t)
+
+ miscfiles_read_localization(qemu_dm_t)
+
+ xen_stream_connect_xenstore(qemu_dm_t)
+',`
+ # If no, then silently refuse to run it.
+ dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };
+')
+
+########################################
+#
+# xend local policy
+#
+
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
+dontaudit xend_t self:capability { sys_ptrace };
+allow xend_t self:process { signal sigkill };
+dontaudit xend_t self:process ptrace;
+# internal communication is often done using fifo and unix sockets.
+allow xend_t self:fifo_file rw_fifo_file_perms;
+allow xend_t self:unix_stream_socket create_stream_socket_perms;
+allow xend_t self:unix_dgram_socket create_socket_perms;
+allow xend_t self:netlink_route_socket r_netlink_socket_perms;
+allow xend_t self:tcp_socket create_stream_socket_perms;
+allow xend_t self:packet_socket create_socket_perms;
+
+allow xend_t xen_image_t:dir list_dir_perms;
+manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
+manage_files_pattern(xend_t, xen_image_t, xen_image_t)
+read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t)
+rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t)
+
+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
+dev_filetrans(xend_t, xenctl_t, fifo_file)
+
+manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
+manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t)
+files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
+
+# pid file
+manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir })
+
+# log files
+manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir })
+
+# var/lib files for xend
+manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
+
+# transition to store
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
+
+# manage xenstored pid file
+manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
+
+# mount tmpfs on /var/lib/xenstored
+allow xend_t xenstored_var_lib_t:dir read;
+
+# transition to console
+domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
+
+kernel_read_kernel_sysctls(xend_t)
+kernel_read_system_state(xend_t)
+kernel_write_xen_state(xend_t)
+kernel_read_xen_state(xend_t)
+kernel_rw_net_sysctls(xend_t)
+kernel_read_network_state(xend_t)
+
+corecmd_exec_bin(xend_t)
+corecmd_exec_shell(xend_t)
+
+corenet_all_recvfrom_unlabeled(xend_t)
+corenet_all_recvfrom_netlabel(xend_t)
+corenet_tcp_sendrecv_generic_if(xend_t)
+corenet_tcp_sendrecv_generic_node(xend_t)
+corenet_tcp_sendrecv_all_ports(xend_t)
+corenet_tcp_bind_generic_node(xend_t)
+corenet_tcp_bind_xen_port(xend_t)
+corenet_tcp_bind_soundd_port(xend_t)
+corenet_tcp_bind_generic_port(xend_t)
+corenet_tcp_bind_vnc_port(xend_t)
+corenet_tcp_connect_xserver_port(xend_t)
+corenet_tcp_connect_xen_port(xend_t)
+corenet_sendrecv_xserver_client_packets(xend_t)
+corenet_sendrecv_xen_server_packets(xend_t)
+corenet_sendrecv_xen_client_packets(xend_t)
+corenet_sendrecv_soundd_server_packets(xend_t)
+corenet_rw_tun_tap_dev(xend_t)
+
+dev_read_urand(xend_t)
+dev_filetrans_xen(xend_t)
+dev_rw_sysfs(xend_t)
+dev_rw_xen(xend_t)
+
+domain_dontaudit_read_all_domains_state(xend_t)
+domain_dontaudit_ptrace_all_domains(xend_t)
+
+files_read_etc_files(xend_t)
+files_read_kernel_symbol_table(xend_t)
+files_read_kernel_img(xend_t)
+files_manage_etc_runtime_files(xend_t)
+files_etc_filetrans_etc_runtime(xend_t, file)
+files_read_usr_files(xend_t)
+files_read_default_symlinks(xend_t)
+
+term_getattr_all_ptys(xend_t)
+term_use_generic_ptys(xend_t)
+term_use_ptmx(xend_t)
+term_getattr_pty_fs(xend_t)
+
+init_stream_connect_script(xend_t)
+
+locallogin_dontaudit_use_fds(xend_t)
+
+logging_send_syslog_msg(xend_t)
+
+lvm_domtrans(xend_t)
+
+miscfiles_read_localization(xend_t)
+miscfiles_read_hwdata(xend_t)
+
+mount_domtrans(xend_t)
+
+sysnet_domtrans_dhcpc(xend_t)
+sysnet_signal_dhcpc(xend_t)
+sysnet_domtrans_ifconfig(xend_t)
+sysnet_dns_name_resolve(xend_t)
+sysnet_delete_dhcpc_pid(xend_t)
+sysnet_read_dhcpc_pid(xend_t)
+sysnet_rw_dhcp_config(xend_t)
+
+userdom_dontaudit_search_user_home_dirs(xend_t)
+
+xen_stream_connect_xenstore(xend_t)
+
+netutils_domtrans(xend_t)
+
+optional_policy(`
+ brctl_domtrans(xend_t)
+')
+
+optional_policy(`
+ consoletype_exec(xend_t)
+')
+
+########################################
+#
+# Xen console local policy
+#
+
+allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:process setrlimit;
+allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
+
+allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+
+# pid file
+manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
+manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
+files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(xenconsoled_t)
+kernel_write_xen_state(xenconsoled_t)
+kernel_read_xen_state(xenconsoled_t)
+
+dev_rw_xen(xenconsoled_t)
+dev_filetrans_xen(xenconsoled_t)
+dev_rw_sysfs(xenconsoled_t)
+
+domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+
+files_read_etc_files(xenconsoled_t)
+files_read_usr_files(xenconsoled_t)
+
+fs_list_tmpfs(xenconsoled_t)
+fs_manage_xenfs_dirs(xenconsoled_t)
+fs_manage_xenfs_files(xenconsoled_t)
+
+term_create_pty(xenconsoled_t, xen_devpts_t)
+term_use_generic_ptys(xenconsoled_t)
+term_use_console(xenconsoled_t)
+
+init_use_fds(xenconsoled_t)
+init_use_script_ptys(xenconsoled_t)
+
+miscfiles_read_localization(xenconsoled_t)
+
+xen_manage_log(xenconsoled_t)
+xen_stream_connect_xenstore(xenconsoled_t)
+
+optional_policy(`
+ ptchown_domtrans(xenconsoled_t)
+')
+
+########################################
+#
+# Xen store local policy
+#
+
+allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
+allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
+allow xenstored_t self:unix_dgram_socket create_socket_perms;
+
+manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
+
+# pid file
+manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
+manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
+files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file })
+
+# log files
+manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir })
+
+# var/lib files for xenstored
+manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file })
+
+stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)
+
+kernel_write_xen_state(xenstored_t)
+kernel_read_xen_state(xenstored_t)
+
+dev_filetrans_xen(xenstored_t)
+dev_rw_xen(xenstored_t)
+dev_read_sysfs(xenstored_t)
+
+files_read_etc_files(xenstored_t)
+
+files_read_usr_files(xenstored_t)
+
+fs_manage_xenfs_files(xenstored_t)
+
+term_use_generic_ptys(xenstored_t)
+
+init_use_fds(xenstored_t)
+init_use_script_ptys(xenstored_t)
+
+logging_send_syslog_msg(xenstored_t)
+
+miscfiles_read_localization(xenstored_t)
+
+xen_append_log(xenstored_t)
+
+########################################
+#
+# xm local policy
+#
+
+allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
+allow xm_t self:process { getsched signal };
+
+# internal communication is often done using fifo and unix sockets.
+allow xm_t self:fifo_file rw_fifo_file_perms;
+allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow xm_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+files_search_var_lib(xm_t)
+
+allow xm_t xen_image_t:dir rw_dir_perms;
+allow xm_t xen_image_t:file read_file_perms;
+allow xm_t xen_image_t:blk_file read_blk_file_perms;
+
+kernel_read_system_state(xm_t)
+kernel_read_kernel_sysctls(xm_t)
+kernel_read_sysctl(xm_t)
+kernel_read_xen_state(xm_t)
+kernel_write_xen_state(xm_t)
+
+corecmd_exec_bin(xm_t)
+corecmd_exec_shell(xm_t)
+
+corenet_tcp_sendrecv_generic_if(xm_t)
+corenet_tcp_sendrecv_generic_node(xm_t)
+corenet_tcp_connect_soundd_port(xm_t)
+
+dev_read_urand(xm_t)
+dev_read_sysfs(xm_t)
+
+files_read_etc_runtime_files(xm_t)
+files_read_usr_files(xm_t)
+files_list_mnt(xm_t)
+# Some common macros (you might be able to remove some)
+files_read_etc_files(xm_t)
+
+fs_getattr_all_fs(xm_t)
+fs_manage_xenfs_dirs(xm_t)
+fs_manage_xenfs_files(xm_t)
+
+term_use_all_terms(xm_t)
+
+init_stream_connect_script(xm_t)
+init_rw_script_stream_sockets(xm_t)
+init_use_fds(xm_t)
+
+miscfiles_read_localization(xm_t)
+
+sysnet_dns_name_resolve(xm_t)
+
+xen_append_log(xm_t)
+xen_stream_connect(xm_t)
+xen_stream_connect_xenstore(xm_t)
+
+optional_policy(`
+ dbus_system_bus_client(xm_t)
+
+ optional_policy(`
+ hal_dbus_chat(xm_t)
+ ')
+')
+
+optional_policy(`
+ virt_domtrans(xm_t)
+ virt_manage_images(xm_t)
+ virt_manage_config(xm_t)
+ virt_stream_connect(xm_t)
+')
+
+########################################
+#
+# SSH component local policy
+#
+optional_policy(`
+ ssh_basic_client_template(xm, xm_t, system_r)
+
+ kernel_read_xen_state(xm_ssh_t)
+ kernel_write_xen_state(xm_ssh_t)
+
+ files_search_tmp(xm_ssh_t)
+
+ fs_manage_xenfs_dirs(xm_ssh_t)
+ fs_manage_xenfs_files(xm_ssh_t)
+
+ #Should have a boolean wrapping these
+ fs_list_auto_mountpoints(xend_t)
+ files_search_mnt(xend_t)
+ fs_getattr_all_fs(xend_t)
+ fs_read_dos_files(xend_t)
+ fs_manage_xenfs_dirs(xend_t)
+ fs_manage_xenfs_files(xend_t)
+
+ tunable_policy(`xen_use_nfs',`
+ fs_manage_nfs_files(xend_t)
+ fs_read_nfs_symlinks(xend_t)
+ ')
+
+ optional_policy(`
+ unconfined_domain(xend_t)
+ ')
+')
diff --git a/xfs.fc b/xfs.fc
new file mode 100644
index 0000000..8e70038
--- /dev/null
+++ b/xfs.fc
@@ -0,0 +1,8 @@
+
+/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0)
+
+/usr/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
+/usr/bin/xfstt -- gen_context(system_u:object_r:xfs_exec_t,s0)
+
+/usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
+/usr/X11R6/bin/xfs-xtt -- gen_context(system_u:object_r:xfs_exec_t,s0)
diff --git a/xfs.if b/xfs.if
new file mode 100644
index 0000000..aa6e5a8
--- /dev/null
+++ b/xfs.if
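Review bot: The xend_t filesystem rules under `#Should have a boolean wrapping these`, the `xen_use_nfs` tunable block and the `unconfined_domain(xend_t)` call all sit inside the `optional_policy` that wraps `ssh_basic_client_template(xm, ...)` (the only closing `')` is the last line of the hunk), so xend's xenfs/NFS access is silently dropped when the ssh module is absent and, conversely, xend becomes fully unconfined whenever ssh and unconfined are both loaded. These rules have nothing to do with the xm ssh client and should be moved into the xend local policy section; the xen_use_nfs tunable already exists for the NFS part, and the comment asks for a boolean around the rest. `unconfined_domain(xend_t)` also deserves its own justification comment or a tunable, since it makes every other xend_t rule in this file moot on systems that ship the unconfined module. The relocated section is shown below.
```m4
# xend local policy, after mount_domtrans(xend_t)
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
fs_getattr_all_fs(xend_t)
fs_read_dos_files(xend_t)
fs_manage_xenfs_dirs(xend_t)
fs_manage_xenfs_files(xend_t)

tunable_policy(`xen_use_nfs',`
	fs_manage_nfs_files(xend_t)
	fs_read_nfs_symlinks(xend_t)
')

# TODO(review): gate behind a tunable; this bypasses every xend_t rule above
optional_policy(`
	unconfined_domain(xend_t)
')

# ... unchanged: xenconsoled, xenstored and xm local policy ...

optional_policy(`
	ssh_basic_client_template(xm, xm_t, system_r)

	kernel_read_xen_state(xm_ssh_t)
	kernel_write_xen_state(xm_ssh_t)

	files_search_tmp(xm_ssh_t)

	fs_manage_xenfs_dirs(xm_ssh_t)
	fs_manage_xenfs_files(xm_ssh_t)
')
```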
@@ -0,0 +1,59 @@
+## X Windows Font Server
+
+########################################
+##
+## Read a X font server named socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xfs_read_sockets',`
+ gen_require(`
+ type xfs_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_sock_files_pattern($1, xfs_tmp_t, xfs_tmp_t)
+')
+
+########################################
+##
+## Connect to a X font server over
+## a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xfs_stream_connect',`
+ gen_require(`
+ type xfs_tmp_t, xfs_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, xfs_tmp_t, xfs_tmp_t, xfs_t)
+')
+
+########################################
+##
+## Allow the specified domain to execute xfs
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xfs_exec',`
+ gen_require(`
+ type xfs_exec_t;
+ ')
+
+ can_exec($1, xfs_exec_t)
+')
diff --git a/xfs.te b/xfs.te
new file mode 100644
index 0000000..11c1b12
--- /dev/null
+++ b/xfs.te
@@ -0,0 +1,87 @@
+policy_module(xfs, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+type xfs_t;
+type xfs_exec_t;
+init_daemon_domain(xfs_t, xfs_exec_t)
+
+type xfs_tmp_t;
+files_tmp_file(xfs_tmp_t)
+
+type xfs_var_run_t;
+files_pid_file(xfs_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow xfs_t self:capability { dac_override setgid setuid };
+dontaudit xfs_t self:capability sys_tty_config;
+allow xfs_t self:process { signal_perms setpgid };
+allow xfs_t self:unix_stream_socket create_stream_socket_perms;
+allow xfs_t self:unix_dgram_socket create_socket_perms;
+allow xfs_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
+manage_sock_files_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
+files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir })
+
+manage_files_pattern(xfs_t, xfs_var_run_t, xfs_var_run_t)
+files_pid_filetrans(xfs_t, xfs_var_run_t, file)
+
+kernel_read_kernel_sysctls(xfs_t)
+kernel_read_system_state(xfs_t)
+
+corenet_all_recvfrom_unlabeled(xfs_t)
+corenet_all_recvfrom_netlabel(xfs_t)
+corenet_tcp_sendrecv_generic_if(xfs_t)
+corenet_tcp_sendrecv_generic_node(xfs_t)
+corenet_tcp_sendrecv_all_ports(xfs_t)
+corenet_tcp_bind_generic_node(xfs_t)
+corenet_tcp_bind_xfs_port(xfs_t)
+corenet_sendrecv_xfs_server_packets(xfs_t)
+
+corecmd_list_bin(xfs_t)
+
+dev_read_sysfs(xfs_t)
+dev_read_urand(xfs_t)
+dev_read_rand(xfs_t)
+
+fs_getattr_all_fs(xfs_t)
+fs_search_auto_mountpoints(xfs_t)
+
+domain_use_interactive_fds(xfs_t)
+
+files_read_etc_files(xfs_t)
+files_read_etc_runtime_files(xfs_t)
+files_read_usr_files(xfs_t)
+
+auth_use_nsswitch(xfs_t)
+
+logging_send_syslog_msg(xfs_t)
+
+miscfiles_read_localization(xfs_t)
+miscfiles_read_fonts(xfs_t)
+
+userdom_dontaudit_use_unpriv_user_fds(xfs_t)
+userdom_dontaudit_search_user_home_dirs(xfs_t)
+
+xfs_exec(xfs_t)
+
+ifdef(`distro_debian',`
+ # for /tmp/.font-unix/fs7100
+ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(xfs_t)
+')
+
+optional_policy(`
+ udev_read_db(xfs_t)
+')
diff --git a/xguest.fc b/xguest.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/xguest.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/xguest.if b/xguest.if
new file mode 100644
index 0000000..d2234e3
--- /dev/null
+++ b/xguest.if
@@ -0,0 +1,50 @@
+## Least privledge xwindows user role
+
+########################################
+##
+## Change to the xguest role.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`xguest_role_change',`
+ gen_require(`
+ role xguest_r;
+ ')
+
+ allow $1 xguest_r;
+')
+
+########################################
+##
+## Change from the xguest role.
+##
+##
+##

+## Change from the xguest role to
+## the specified role.
+##

+##

+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##

+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`xguest_role_change_to',`
+ gen_require(`
+ role xguest_r;
+ ')
+
+ allow xguest_r $1;
+')
diff --git a/xguest.te b/xguest.te
new file mode 100644
index 0000000..e88b95f
--- /dev/null
+++ b/xguest.te
@@ -0,0 +1,98 @@
+policy_module(xguest, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##

+## Allow xguest users to mount removable media
+##

+##
+gen_tunable(xguest_mount_media, true)
+
+##
+##

+## Allow xguest to configure Network Manager
+##

+##
+gen_tunable(xguest_connect_network, true)
+
+##
+##

+## Allow xguest to use blue tooth devices
+##

+##
+gen_tunable(xguest_use_bluetooth, true)
+
+role xguest_r;
+
+userdom_restricted_xwindows_user_template(xguest)
+
+########################################
+#
+# Local policy
+#
+
+ifndef(`enable_mls',`
+ fs_exec_noxattr(xguest_t)
+
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ # Write floppies
+ storage_raw_read_removable_device(xguest_t)
+ storage_raw_write_removable_device(xguest_t)
+ ',`
+ storage_raw_read_removable_device(xguest_t)
+ ')
+')
+
+# Allow mounting of file systems
+optional_policy(`
+ tunable_policy(`xguest_mount_media',`
+ kernel_read_fs_sysctls(xguest_t)
+
+ files_dontaudit_getattr_boot_dirs(xguest_t)
+ files_search_mnt(xguest_t)
+
+ fs_manage_noxattr_fs_files(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_getattr_noxattr_fs(xguest_t)
+ fs_read_noxattr_fs_symlinks(xguest_t)
+
+ auth_list_pam_console_data(xguest_t)
+
+ init_read_utmp(xguest_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`xguest_use_bluetooth',`
+ bluetooth_dbus_chat(xguest_t)
+ ')
+')
+
+optional_policy(`
+ hal_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+ java_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ mozilla_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ tunable_policy(`xguest_connect_network',`
+ networkmanager_dbus_chat(xguest_t)
+ corenet_tcp_connect_pulseaudio_port(xguest_t)
+ corenet_tcp_connect_ipp_port(xguest_t)
+ ')
+')
+
+#gen_user(xguest_u,, xguest_r, s0, s0)
diff --git a/xprint.fc b/xprint.fc
new file mode 100644
index 0000000..6a857ff
--- /dev/null
+++ b/xprint.fc
@@ -0,0 +1 @@
+/usr/bin/Xprt -- gen_context(system_u:object_r:xprint_exec_t,s0)
diff --git a/xprint.if b/xprint.if
new file mode 100644
index 0000000..e69a82a
--- /dev/null
+++ b/xprint.if
@@ -0,0 +1 @@
+## X print server
diff --git a/xprint.te b/xprint.te
new file mode 100644
index 0000000..68d13e5
--- /dev/null
+++ b/xprint.te
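Review bot: `fs_exec_noxattr(xguest_t)` in the `ifndef(enable_mls)` branch is unconditional, so on a non-MLS build the guest session can execute binaries from filesystems without xattr support (typically vfat removable media) even when `xguest_mount_media` is turned off; for a role whose module header calls it least-privilege, that permission should sit under a boolean, e.g. move the call into the `xguest_mount_media` tunable_policy block or give it its own tunable with a description. Separately, `fs_manage_noxattr_fs_dirs(xguest_t)` appears twice inside the `xguest_mount_media` block; drop the duplicate line.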
@@ -0,0 +1,82 @@
+policy_module(xprint, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+type xprint_t;
+type xprint_exec_t;
+init_daemon_domain(xprint_t, xprint_exec_t)
+
+type xprint_var_run_t;
+files_pid_file(xprint_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit xprint_t self:capability sys_tty_config;
+allow xprint_t self:process signal_perms;
+allow xprint_t self:fifo_file rw_file_perms;
+allow xprint_t self:tcp_socket create_stream_socket_perms;
+allow xprint_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(xprint_t, xprint_var_run_t, xprint_var_run_t)
+files_pid_filetrans(xprint_t, xprint_var_run_t, file)
+
+kernel_read_system_state(xprint_t)
+kernel_read_kernel_sysctls(xprint_t)
+
+corecmd_exec_bin(xprint_t)
+corecmd_exec_shell(xprint_t)
+
+corenet_all_recvfrom_unlabeled(xprint_t)
+corenet_all_recvfrom_netlabel(xprint_t)
+corenet_tcp_sendrecv_generic_if(xprint_t)
+corenet_udp_sendrecv_generic_if(xprint_t)
+corenet_tcp_sendrecv_generic_node(xprint_t)
+corenet_udp_sendrecv_generic_node(xprint_t)
+corenet_tcp_sendrecv_all_ports(xprint_t)
+corenet_udp_sendrecv_all_ports(xprint_t)
+
+dev_read_sysfs(xprint_t)
+dev_read_urand(xprint_t)
+
+domain_use_interactive_fds(xprint_t)
+
+files_read_etc_files(xprint_t)
+files_read_etc_runtime_files(xprint_t)
+files_read_usr_files(xprint_t)
+files_search_var_lib(xprint_t)
+files_search_tmp(xprint_t)
+
+fs_getattr_all_fs(xprint_t)
+fs_search_auto_mountpoints(xprint_t)
+
+logging_send_syslog_msg(xprint_t)
+
+miscfiles_read_fonts(xprint_t)
+miscfiles_read_localization(xprint_t)
+
+sysnet_read_config(xprint_t)
+
+userdom_dontaudit_use_unpriv_user_fds(xprint_t)
+userdom_dontaudit_search_user_home_dirs(xprint_t)
+
+optional_policy(`
+ cups_read_config(xprint_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(xprint_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(xprint_t)
+')
+
+optional_policy(`
+ udev_read_db(xprint_t)
+')
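Review bot: `allow xprint_t self:fifo_file rw_file_perms;` applies the generic file permission set to a fifo, whereas every other module in this commit (xend_t, xm_t, xenconsoled_t, xscreensaver_t) writes the same rule as `rw_fifo_file_perms`; change it to `allow xprint_t self:fifo_file rw_fifo_file_perms;` for consistency with the fifo-specific macro. Also worth confirming: the domain gets sendrecv on all TCP and UDP ports but no `corenet_tcp_bind_*` rule, so if Xprt is expected to listen on a port it presumably needs a bind rule for a dedicated port type rather than relying on the sendrecv_all_ports lines.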
diff --git a/xscreensaver.fc b/xscreensaver.fc
new file mode 100644
index 0000000..29396da
--- /dev/null
+++ b/xscreensaver.fc
@@ -0,0 +1 @@
+/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
diff --git a/xscreensaver.if b/xscreensaver.if
new file mode 100644
index 0000000..1067bd1
--- /dev/null
+++ b/xscreensaver.if
@@ -0,0 +1,30 @@
+## X Screensaver
+
+########################################
+##
+## Role access for xscreensaver
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`xscreensaver_role',`
+ gen_require(`
+ type xscreensaver_t, xscreensaver_exec_t;
+ ')
+
+ role $1 types xscreensaver_t;
+
+ domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)
+
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, xscreensaver_t)
+ allow $2 xscreensaver_t:process signal_perms;
+')
diff --git a/xscreensaver.te b/xscreensaver.te
new file mode 100644
index 0000000..1bdeb16
--- /dev/null
+++ b/xscreensaver.te
@@ -0,0 +1,44 @@
+policy_module(xscreensaver, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type xscreensaver_t;
+type xscreensaver_exec_t;
+application_domain(xscreensaver_t, xscreensaver_exec_t)
+ubac_constrained(xscreensaver_t)
+
+type xscreensaver_tmpfs_t;
+files_tmpfs_file(xscreensaver_tmpfs_t)
+ubac_constrained(xscreensaver_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
+allow xscreensaver_t self:process signal;
+
+kernel_read_system_state(xscreensaver_t)
+
+files_read_usr_files(xscreensaver_t)
+
+auth_use_nsswitch(xscreensaver_t)
+auth_domtrans_chk_passwd(xscreensaver_t)
+
+#/var/run/utmp
+init_read_utmp(xscreensaver_t)
+
+logging_send_audit_msgs(xscreensaver_t)
+logging_send_syslog_msg(xscreensaver_t)
+
+miscfiles_read_localization(xscreensaver_t)
+
+userdom_use_user_ptys(xscreensaver_t)
+#access to .icons and ~/.xscreensaver
+userdom_read_user_home_content_files(xscreensaver_t)
+
+xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
diff --git a/yam.fc b/yam.fc
new file mode 100644
index 0000000..4ec6ede
--- /dev/null
+++ b/yam.fc
@@ -0,0 +1,6 @@
+/etc/yam\.conf -- gen_context(system_u:object_r:yam_etc_t,s0)
+
+/usr/bin/yam -- gen_context(system_u:object_r:yam_exec_t,s0)
+
+/var/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0)
+/var/www/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0)
diff --git a/yam.if b/yam.if
new file mode 100644
index 0000000..07015a2
--- /dev/null
+++ b/yam.if
@@ -0,0 +1,66 @@
+## Yum/Apt Mirroring
+
+########################################
+##
+## Execute yam in the yam domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`yam_domtrans',`
+ gen_require(`
+ type yam_t, yam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, yam_exec_t, yam_t)
+')
+
+########################################
+##
+## Execute yam in the yam domain, and
+## allow the specified role the yam domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`yam_run',`
+ gen_require(`
+ type yam_t;
+ ')
+
+ yam_domtrans($1)
+ role $2 types yam_t;
+')
+
+########################################
+##
+## Read yam content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`yam_read_content',`
+ gen_require(`
+ type yam_content_t;
+ ')
+
+ allow $1 yam_content_t:dir list_dir_perms;
+ read_files_pattern($1, yam_content_t, yam_content_t)
+ read_lnk_files_pattern($1, yam_content_t, yam_content_t)
+')
diff --git a/yam.te b/yam.te
new file mode 100644
index 0000000..223ad43
--- /dev/null
+++ b/yam.te
@@ -0,0 +1,124 @@
+policy_module(yam, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type yam_t alias yam_crond_t;
+type yam_exec_t;
+application_domain(yam_t, yam_exec_t)
+
+type yam_content_t;
+files_mountpoint(yam_content_t)
+
+type yam_etc_t;
+files_config_file(yam_etc_t)
+
+type yam_tmp_t;
+files_tmp_file(yam_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow yam_t self:capability { chown fowner fsetid dac_override };
+allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow yam_t self:process execmem;
+allow yam_t self:fd use;
+allow yam_t self:fifo_file rw_fifo_file_perms;
+allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow yam_t self:unix_dgram_socket { create_socket_perms sendto };
+allow yam_t self:shm create_shm_perms;
+allow yam_t self:sem create_sem_perms;
+allow yam_t self:msgq create_msgq_perms;
+allow yam_t self:msg { send receive };
+allow yam_t self:tcp_socket create_socket_perms;
+
+# Update the content being managed by yam.
+manage_dirs_pattern(yam_t, yam_content_t, yam_content_t)
+manage_files_pattern(yam_t, yam_content_t, yam_content_t)
+manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t)
+
+allow yam_t yam_etc_t:file read_file_perms;
+files_search_etc(yam_t)
+
+manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t)
+manage_dirs_pattern(yam_t, yam_tmp_t, yam_tmp_t)
+files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(yam_t)
+kernel_read_proc_symlinks(yam_t)
+# Python works fine without reading /proc/meminfo
+kernel_dontaudit_read_system_state(yam_t)
+
+corecmd_exec_shell(yam_t)
+corecmd_exec_bin(yam_t)
+
+# Rsync and lftp need to network. They also set files attributes to
+# match whats on the remote server.
+corenet_all_recvfrom_unlabeled(yam_t)
+corenet_all_recvfrom_netlabel(yam_t)
+corenet_tcp_sendrecv_generic_if(yam_t)
+corenet_tcp_sendrecv_generic_node(yam_t)
+corenet_tcp_sendrecv_all_ports(yam_t)
+corenet_tcp_connect_http_port(yam_t)
+corenet_tcp_connect_rsync_port(yam_t)
+corenet_sendrecv_http_client_packets(yam_t)
+corenet_sendrecv_rsync_client_packets(yam_t)
+
+# mktemp
+dev_read_urand(yam_t)
+
+files_read_etc_files(yam_t)
+files_read_etc_runtime_files(yam_t)
+# /usr/share/createrepo/genpkgmetadata.py:
+files_exec_usr_files(yam_t)
+# Programs invoked to build package lists need various permissions.
+# genpkglist creates tmp files in /var/cache/apt/genpkglist
+files_rw_var_files(yam_t)
+
+fs_search_auto_mountpoints(yam_t)
+# Content can also be on ISO image files.
+fs_read_iso9660_files(yam_t)
+
+logging_send_syslog_msg(yam_t)
+
+miscfiles_read_localization(yam_t)
+
+seutil_read_config(yam_t)
+
+sysnet_dns_name_resolve(yam_t)
+sysnet_read_config(yam_t)
+
+userdom_use_user_terminals(yam_t)
+userdom_use_unpriv_users_fds(yam_t)
+# Reading dotfiles...
+# cjp: ?
+userdom_search_user_home_dirs(yam_t)
+
+# The whole point of this program is to make updates available on a
+# local web server. Need to go through /var to get to /var/yam
+# Go through /var/www to get to /var/www/yam
+apache_search_sys_content(yam_t)
+
+optional_policy(`
+ cron_system_entry(yam_t, yam_exec_t)
+')
+
+optional_policy(`
+ mount_domtrans(yam_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(yam_t)
+')
+
+optional_policy(`
+ nscd_socket_use(yam_t)
+')
+
+optional_policy(`
+ rsync_exec(yam_t)
+')
diff --git a/zabbix.fc b/zabbix.fc
new file mode 100644
index 0000000..aa5a521
--- /dev/null
+++ b/zabbix.fc
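Review bot: In the self:process rules of yam.te, `allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` excludes execmem and the next line `allow yam_t self:process execmem;` grants it straight back, so the exclusion is dead and misleads a reader auditing what the domain may do; either drop `execmem` from the complement set or drop the second rule, and since a complement grants every permission later added to the process class, an explicit positive list would be the safer form. Separately, `apache_search_sys_content(yam_t)` is the only cross-module call in this file not wrapped in `optional_policy`, so the module fails to link on a system without the apache module; wrap it as `optional_policy(`` / `apache_search_sys_content(yam_t)` / `')`. The hunk spans this and the preceding physical line.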
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
+
+/usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+
+/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+
+/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0)
diff --git a/zabbix.if b/zabbix.if
new file mode 100644
index 0000000..c9981d1
--- /dev/null
+++ b/zabbix.if
@@ -0,0 +1,158 @@
+## Distributed infrastructure monitoring
+
+########################################
+##
+## Execute a domain transition to run zabbix.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`zabbix_domtrans',`
+ gen_require(`
+ type zabbix_t, zabbix_exec_t;
+ ')
+
+ domtrans_pattern($1, zabbix_exec_t, zabbix_t)
+')
+
+########################################
+##
+## Allow connectivity to the zabbix server
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zabbix_tcp_connect',`
+ gen_require(`
+ type zabbix_t;
+ ')
+
+ corenet_sendrecv_zabbix_agent_client_packets($1)
+ corenet_tcp_connect_zabbix_port($1)
+ corenet_tcp_recvfrom_labeled($1, zabbix_t)
+ corenet_tcp_sendrecv_zabbix_port($1)
+')
+
+########################################
+##
+## Allow the specified domain to read zabbix's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`zabbix_read_log',`
+ gen_require(`
+ type zabbix_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, zabbix_log_t, zabbix_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to append
+## zabbix log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zabbix_append_log',`
+ gen_require(`
+ type zabbix_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, zabbix_log_t, zabbix_log_t)
+')
+
+########################################
+##
+## Read zabbix PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zabbix_read_pid_files',`
+ gen_require(`
+ type zabbix_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 zabbix_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Allow connectivity to a zabbix agent
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zabbix_agent_tcp_connect',`
+ gen_require(`
+ type zabbix_agent_t;
+ ')
+
+ corenet_sendrecv_zabbix_agent_client_packets($1)
+ corenet_tcp_connect_zabbix_agent_port($1)
+ corenet_tcp_recvfrom_labeled($1, zabbix_t)
+ corenet_tcp_sendrecv_zabbix_agent_port($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an zabbix environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the zabbix domain.
+##
+##
+##
+#
+interface(`zabbix_admin',`
+ gen_require(`
+ type zabbix_t, zabbix_log_t, zabbix_var_run_t;
+ type zabbix_initrc_exec_t;
+ ')
+
+ allow $1 zabbix_t:process { ptrace signal_perms };
+ ps_process_pattern($1, zabbix_t)
+
+ init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 zabbix_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, zabbix_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, zabbix_var_run_t)
+')
diff --git a/zabbix.te b/zabbix.te
new file mode 100644
index 0000000..5e0bd88
--- /dev/null
+++ b/zabbix.te
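Review bot: `zabbix_agent_tcp_connect` requires only `zabbix_agent_t` yet calls `corenet_tcp_recvfrom_labeled($1, zabbix_t)`, so the labeled-peer receive is granted against the server domain rather than the agent the caller is connecting to; the line should be `corenet_tcp_recvfrom_labeled($1, zabbix_agent_t)`. With labeled networking in use the agent's replies would be denied while traffic from the server would be unexpectedly accepted, and the missing require would also fail to link if the interface were called from another module. The earlier `zabbix_tcp_connect` has the mirror-image oddity: it connects to the server port but uses the agent client packet interface, which is worth checking against the packet types corenetwork defines for the two ports. The hunk spans this and the preceding physical line.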
@@ -0,0 +1,137 @@
+policy_module(zabbix, 1.4.1)
+
+########################################
+#
+# Declarations
+#
+
+type zabbix_t;
+type zabbix_exec_t;
+init_daemon_domain(zabbix_t, zabbix_exec_t)
+
+type zabbix_initrc_exec_t;
+init_script_file(zabbix_initrc_exec_t)
+
+type zabbix_agent_t;
+type zabbix_agent_exec_t;
+init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
+
+type zabbix_agent_initrc_exec_t;
+init_script_file(zabbix_agent_initrc_exec_t)
+
+# log files
+type zabbix_log_t;
+logging_log_file(zabbix_log_t)
+
+# shared memory
+type zabbix_tmpfs_t;
+files_tmpfs_file(zabbix_tmpfs_t)
+
+# pid files
+type zabbix_var_run_t;
+files_pid_file(zabbix_var_run_t)
+
+########################################
+#
+# zabbix local policy
+#
+
+allow zabbix_t self:capability { setuid setgid };
+allow zabbix_t self:fifo_file rw_file_perms;
+allow zabbix_t self:process { setsched getsched signal };
+allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
+allow zabbix_t self:sem create_sem_perms;
+allow zabbix_t self:shm create_shm_perms;
+allow zabbix_t self:tcp_socket create_stream_socket_perms;
+
+# log files
+allow zabbix_t zabbix_log_t:dir setattr;
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+logging_log_filetrans(zabbix_t, zabbix_log_t, file)
+
+# shared memory
+rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
+
+# pid file
+manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+
+corenet_tcp_bind_generic_node(zabbix_t)
+corenet_tcp_bind_zabbix_port(zabbix_t)
+
+files_read_etc_files(zabbix_t)
+
+miscfiles_read_localization(zabbix_t)
+
+sysnet_dns_name_resolve(zabbix_t)
+
+zabbix_agent_tcp_connect(zabbix_t)
+
+optional_policy(`
+ mysql_stream_connect(zabbix_t)
+ mysql_tcp_connect(zabbix_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(zabbix_t)
+')
+
+########################################
+#
+# zabbix agent local policy
+#
+
+allow zabbix_agent_t self:capability { setuid setgid };
+allow zabbix_agent_t self:process { setsched getsched signal };
+allow zabbix_agent_t self:fifo_file rw_file_perms;
+allow zabbix_agent_t self:sem create_sem_perms;
+allow zabbix_agent_t self:shm create_shm_perms;
+allow zabbix_agent_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+
+# Logging access
+filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
+manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+
+# Shared Memory support
+rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+
+# PID file management
+manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+
+kernel_read_all_sysctls(zabbix_agent_t)
+kernel_read_system_state(zabbix_agent_t)
+
+corecmd_read_all_executables(zabbix_agent_t)
+
+corenet_tcp_bind_generic_node(zabbix_agent_t)
+corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
+corenet_tcp_connect_ssh_port(zabbix_agent_t)
+corenet_tcp_connect_zabbix_port(zabbix_agent_t)
+
+dev_getattr_all_blk_files(zabbix_agent_t)
+dev_getattr_all_chr_files(zabbix_agent_t)
+
+domain_search_all_domains_state(zabbix_agent_t)
+
+files_getattr_all_dirs(zabbix_agent_t)
+files_getattr_all_files(zabbix_agent_t)
+files_read_all_symlinks(zabbix_agent_t)
+files_read_etc_files(zabbix_agent_t)
+
+fs_getattr_all_fs(zabbix_agent_t)
+
+init_read_utmp(zabbix_agent_t)
+
+logging_search_logs(zabbix_agent_t)
+
+miscfiles_read_localization(zabbix_agent_t)
+
+sysnet_dns_name_resolve(zabbix_agent_t)
+
+# Network access to zabbix server
+zabbix_tcp_connect(zabbix_agent_t)
diff --git a/zarafa.fc b/zarafa.fc
new file mode 100644
index 0000000..3defaa1
--- /dev/null
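Review bot: The agent's log rule `filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)` is a type transition from zabbix_log_t to itself and therefore does nothing, while the server block a few lines up uses `logging_log_filetrans(zabbix_t, zabbix_log_t, file)`; the agent block should use the same form, `logging_log_filetrans(zabbix_agent_t, zabbix_log_t, file)`, so a log file the agent creates directly under /var/log is labeled zabbix_log_t. The agent also receives `corecmd_read_all_executables`, `files_getattr_all_files`, `files_read_all_symlinks`, `domain_search_all_domains_state` and `corenet_tcp_connect_ssh_port` with no comment; these are broad for a monitoring agent, so a one-line comment per group naming the checks that need them would let a reviewer judge whether each is still required. The hunk spans this and the preceding physical line.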
+++ b/zarafa.fc
@@ -0,0 +1,26 @@
+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
+
+/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
+/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
+/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
+/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
+/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
+/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
+/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
+
+/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+
+/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
+/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
+/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
+/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
+/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
+/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+
+/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
+/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
+/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
+/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
diff --git a/zarafa.if b/zarafa.if
new file mode 100644
index 0000000..21ae664
--- /dev/null
+++ b/zarafa.if 
@@ -0,0 +1,120 @@
+## Zarafa collaboration platform.
+
+######################################
+##
+## Creates types and rules for a basic
+## zararfa init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`zarafa_domain_template',`
+ gen_require(`
+ attribute zarafa_domain;
+ ')
+
+ ##############################
+ #
+ # $1_t declarations
+ #
+
+ type zarafa_$1_t, zarafa_domain;
+ type zarafa_$1_exec_t;
+ init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)
+
+ type zarafa_$1_log_t;
+ logging_log_file(zarafa_$1_log_t)
+
+ type zarafa_$1_var_run_t;
+ files_pid_file(zarafa_$1_var_run_t)
+
+ ##############################
+ #
+ # $1_t local policy
+ #
+
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+ manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+ files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
+
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
+')
+
+######################################
+##
+## Allow the specified domain to search
+## zarafa configuration dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zarafa_search_config',`
+ gen_require(`
+ type zarafa_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 zarafa_etc_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Execute a domain transition to run zarafa_deliver.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`zarafa_domtrans_deliver',`
+ gen_require(`
+ type zarafa_deliver_t, zarafa_deliver_exec_t;
+ ')
+
+ domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t)
+')
+
+########################################
+##
+## Execute a domain transition to run zarafa_server.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`zarafa_domtrans_server',`
+ gen_require(`
+ type zarafa_server_t, zarafa_server_exec_t;
+ ')
+
+ domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
+')
+
+#######################################
+##
+## Connect to zarafa-server unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zarafa_stream_connect_server',`
+ gen_require(`
+ type zarafa_server_t, zarafa_server_var_run_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+')
diff --git a/zarafa.te b/zarafa.te
new file mode 100644
index 0000000..9fb4747
--- /dev/null
+++ b/zarafa.te
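Review bot: `zarafa_stream_connect_server` calls `files_search_var_lib($1)` but the socket it connects to lives under /var/run (zarafa.fc labels `/var/run/zarafa -s` as zarafa_server_var_run_t), so a caller from outside the module is granted the wrong directory search and will be denied traversing /var/run; replace the line with `files_search_pids($1)`. The template summary at the top of the file also misspells the product as "zararfa". The hunk spans this and the preceding physical line.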
@@ -0,0 +1,161 @@
+policy_module(zarafa, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute zarafa_domain;
+
+zarafa_domain_template(deliver)
+
+type zarafa_deliver_tmp_t;
+files_tmp_file(zarafa_deliver_tmp_t)
+
+type zarafa_etc_t;
+files_config_file(zarafa_etc_t)
+
+zarafa_domain_template(gateway)
+zarafa_domain_template(ical)
+zarafa_domain_template(indexer)
+zarafa_domain_template(monitor)
+zarafa_domain_template(server)
+
+type zarafa_server_tmp_t;
+files_tmp_file(zarafa_server_tmp_t)
+
+type zarafa_share_t;
+files_type(zarafa_share_t)
+
+zarafa_domain_template(spooler)
+
+type zarafa_var_lib_t;
+files_tmp_file(zarafa_var_lib_t)
+
+########################################
+#
+# zarafa-deliver local policy
+#
+
+manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
+manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
+files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+
+########################################
+#
+# zarafa_gateway local policy
+#
+
+allow zarafa_gateway_t self:capability { chown kill };
+allow zarafa_gateway_t self:process setrlimit;
+
+corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
+corenet_all_recvfrom_netlabel(zarafa_gateway_t)
+corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
+corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
+corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+corenet_tcp_bind_generic_node(zarafa_gateway_t)
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
+
+#######################################
+#
+# zarafa-ical local policy
+#
+
+allow zarafa_ical_t self:capability chown;
+
+corenet_all_recvfrom_unlabeled(zarafa_ical_t)
+corenet_all_recvfrom_netlabel(zarafa_ical_t)
+corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
+corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
+corenet_tcp_sendrecv_all_ports(zarafa_ical_t)
+corenet_tcp_bind_generic_node(zarafa_ical_t)
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+
+######################################
+#
+# zarafa-monitor local policy
+#
+
+allow zarafa_monitor_t self:capability chown;
+
+########################################
+#
+# zarafa_server local policy
+#
+
+allow zarafa_server_t self:capability { chown kill net_bind_service };
+allow zarafa_server_t self:process setrlimit;
+
+manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+
+manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir })
+
+stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
+
+corenet_all_recvfrom_unlabeled(zarafa_server_t)
+corenet_all_recvfrom_netlabel(zarafa_server_t)
+corenet_tcp_sendrecv_generic_if(zarafa_server_t)
+corenet_tcp_sendrecv_generic_node(zarafa_server_t)
+corenet_tcp_sendrecv_all_ports(zarafa_server_t)
+corenet_tcp_bind_generic_node(zarafa_server_t)
+corenet_tcp_bind_zarafa_port(zarafa_server_t)
+
+files_read_usr_files(zarafa_server_t)
+
+logging_send_syslog_msg(zarafa_server_t)
+logging_send_audit_msgs(zarafa_server_t)
+
+sysnet_dns_name_resolve(zarafa_server_t)
+
+optional_policy(`
+ kerberos_use(zarafa_server_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(zarafa_server_t)
+')
+
+########################################
+#
+# zarafa_spooler local policy
+#
+
+allow zarafa_spooler_t self:capability { chown kill };
+
+can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
+
+corenet_all_recvfrom_unlabeled(zarafa_spooler_t)
+corenet_all_recvfrom_netlabel(zarafa_spooler_t)
+corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
+corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
+corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
+corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+
+########################################
+#
+# zarafa domains local policy
+#
+
+# bad permission on /etc/zarafa
+allow zarafa_domain self:capability { dac_override setgid setuid };
+allow zarafa_domain self:process signal;
+allow zarafa_domain self:fifo_file rw_fifo_file_perms;
+allow zarafa_domain self:tcp_socket create_stream_socket_perms;
+allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
+
+stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+
+read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
+
+kernel_read_system_state(zarafa_domain)
+
+files_read_etc_files(zarafa_domain)
+
+auth_use_nsswitch(zarafa_domain)
+
+miscfiles_read_localization(zarafa_domain)
diff --git a/zebra.fc b/zebra.fc
new file mode 100644
index 0000000..e1b30b2
--- /dev/null
+++ b/zebra.fc
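Review bot: `zarafa_var_lib_t` is declared with `files_tmp_file(zarafa_var_lib_t)` although zarafa.fc uses it for /var/lib/zarafa-.* and the server manages it through `files_var_lib_filetrans`; that makes persistent state a tmpfile type, so it picks up the tmp-cleanup interfaces and none of the /var/lib semantics every other `*_var_lib_t` has. The declaration should be `files_type(zarafa_var_lib_t)`. `zarafa_share_t` is declared but nothing in zarafa.fc or this file uses it, and the `dac_override` granted to the whole `zarafa_domain` attribute to work around "bad permission on /etc/zarafa" lets every zarafa daemon bypass DAC on any file, not only there — fixing the packaged permissions and dropping the capability would be the tighter fix. The hunk spans this and the two preceding physical lines.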
@@ -0,0 +1,22 @@
+/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+
+/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+
+/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
+/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
+
+/var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+/var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
diff --git a/zebra.if b/zebra.if
new file mode 100644
index 0000000..6b87605
--- /dev/null
+++ b/zebra.if
@@ -0,0 +1,88 @@
+## Zebra border gateway protocol network routing service
+
+########################################
+##
+## Read the configuration files for zebra.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`zebra_read_config',`
+ gen_require(`
+ type zebra_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 zebra_conf_t:dir list_dir_perms;
+ read_files_pattern($1, zebra_conf_t, zebra_conf_t)
+ read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
+')
+
+########################################
+##
+## Connect to zebra over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zebra_stream_connect',`
+ gen_require(`
+ type zebra_t, zebra_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 zebra_var_run_t:sock_file write;
+ allow $1 zebra_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an zebra environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the zebra domain.
+##
+##
+##
+#
+interface(`zebra_admin',`
+ gen_require(`
+ type zebra_t, zebra_tmp_t, zebra_log_t;
+ type zebra_conf_t, zebra_var_run_t;
+ type zebra_initrc_exec_t;
+ ')
+
+ allow $1 zebra_t:process { ptrace signal_perms };
+ ps_process_pattern($1, zebra_t)
+
+ init_labeled_script_domtrans($1, zebra_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 zebra_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, zebra_conf_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, zebra_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, zebra_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, zebra_var_run_t)
+')
diff --git a/zebra.te b/zebra.te
new file mode 100644
index 0000000..ade6c2c
--- /dev/null
+++ b/zebra.te
@@ -0,0 +1,140 @@
+policy_module(zebra, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
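Review bot: `zebra_stream_connect` hand-rolls the connect with `allow $1 zebra_var_run_t:sock_file write;` and `allow $1 zebra_t:unix_stream_socket connectto;`, whereas the other stream-connect interfaces in this commit (abrt_stream_connect, zarafa_stream_connect_server) use the `stream_connect_pattern` macro; here that would be `stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)`. The macro also grants search on the zebra_var_run_t directory, which the raw rules omit although zebra.fc labels /var/run/quagga as a zebra_var_run_t directory, and it uses the full socket-file write permission set rather than bare `write`. Using the same pattern keeps the socket permissions consistent when the macro's definition is updated.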

+## Allow zebra daemon to write it configuration files
+##

+##
+#
+gen_tunable(allow_zebra_write_config, false)
+
+type zebra_t;
+type zebra_exec_t;
+init_daemon_domain(zebra_t, zebra_exec_t)
+
+type zebra_conf_t;
+files_type(zebra_conf_t)
+
+type zebra_initrc_exec_t;
+init_script_file(zebra_initrc_exec_t)
+
+type zebra_log_t;
+logging_log_file(zebra_log_t)
+
+type zebra_tmp_t;
+files_tmp_file(zebra_tmp_t)
+
+type zebra_var_run_t;
+files_pid_file(zebra_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow zebra_t self:capability { setgid setuid net_admin net_raw };
+dontaudit zebra_t self:capability sys_tty_config;
+allow zebra_t self:process { signal_perms getcap setcap };
+allow zebra_t self:file rw_file_perms;
+allow zebra_t self:unix_dgram_socket create_socket_perms;
+allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
+allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
+allow zebra_t self:udp_socket create_socket_perms;
+allow zebra_t self:rawip_socket create_socket_perms;
+
+allow zebra_t zebra_conf_t:dir list_dir_perms;
+read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+
+allow zebra_t zebra_log_t:dir setattr;
+manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
+
+# /tmp/.bgpd is such a bad idea!
+allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
+files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
+
+manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+files_pid_filetrans(zebra_t, zebra_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(zebra_t)
+kernel_read_network_state(zebra_t)
+kernel_read_kernel_sysctls(zebra_t)
+kernel_rw_net_sysctls(zebra_t)
+
+corenet_all_recvfrom_unlabeled(zebra_t)
+corenet_all_recvfrom_netlabel(zebra_t)
+corenet_tcp_sendrecv_generic_if(zebra_t)
+corenet_udp_sendrecv_generic_if(zebra_t)
+corenet_raw_sendrecv_generic_if(zebra_t)
+corenet_tcp_sendrecv_generic_node(zebra_t)
+corenet_udp_sendrecv_generic_node(zebra_t)
+corenet_raw_sendrecv_generic_node(zebra_t)
+corenet_tcp_sendrecv_all_ports(zebra_t)
+corenet_udp_sendrecv_all_ports(zebra_t)
+corenet_tcp_bind_generic_node(zebra_t)
+corenet_udp_bind_generic_node(zebra_t)
+corenet_tcp_bind_bgp_port(zebra_t)
+corenet_tcp_bind_zebra_port(zebra_t)
+corenet_udp_bind_router_port(zebra_t)
+corenet_tcp_connect_bgp_port(zebra_t)
+corenet_sendrecv_zebra_server_packets(zebra_t)
+corenet_sendrecv_router_server_packets(zebra_t)
+
+dev_associate_usbfs(zebra_var_run_t)
+dev_list_all_dev_nodes(zebra_t)
+dev_read_sysfs(zebra_t)
+dev_rw_zero(zebra_t)
+
+fs_getattr_all_fs(zebra_t)
+fs_search_auto_mountpoints(zebra_t)
+
+term_list_ptys(zebra_t)
+
+domain_use_interactive_fds(zebra_t)
+
+files_search_etc(zebra_t)
+files_read_etc_files(zebra_t)
+files_read_etc_runtime_files(zebra_t)
+
+logging_send_syslog_msg(zebra_t)
+
+miscfiles_read_localization(zebra_t)
+
+sysnet_read_config(zebra_t)
+
+userdom_dontaudit_use_unpriv_user_fds(zebra_t)
+userdom_dontaudit_search_user_home_dirs(zebra_t)
+
+tunable_policy(`allow_zebra_write_config',`
+ manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(zebra_t)
+')
+
+optional_policy(`
+ rpm_read_pipes(zebra_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(zebra_t)
+')
+
+optional_policy(`
+ udev_read_db(zebra_t)
+')
+
+optional_policy(`
+ unconfined_sigchld(zebra_t)
+')
diff --git a/zosremote.fc b/zosremote.fc
new file mode 100644
index 0000000..d719d0b
--- /dev/null
+++ b/zosremote.fc
@@ -0,0 +1 @@
+/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
diff --git a/zosremote.if b/zosremote.if
new file mode 100644
index 0000000..702e768
--- /dev/null
+++ b/zosremote.if
@@ -0,0 +1,45 @@
+## policy for z/OS Remote-services Audit dispatcher plugin
+
+########################################
+##
+## Execute a domain transition to run audispd-zos-remote.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`zosremote_domtrans',`
+ gen_require(`
+ type zos_remote_t, zos_remote_exec_t;
+ ')
+
+ domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
+')
+
+########################################
+##
+## Allow specified type and role to transition and
+## run in the zos_remote_t domain. Allow specified type
+## to use zos_remote_t terminal.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`zosremote_run',`
+ gen_require(`
+ type zos_remote_t;
+ ')
+
+ zosremote_domtrans($1)
+ role $2 types zos_remote_t;
+')
diff --git a/zosremote.te b/zosremote.te
new file mode 100644
index 0000000..f9a06d2
--- /dev/null
+++ b/zosremote.te
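Review bot: In zebra.te, `dev_associate_usbfs(zebra_var_run_t)` sits in the dev block but targets the pid-file type rather than zebra_t, allowing zebra_var_run_t objects to be associated with usbfs; nothing else in the module explains why a routing daemon's pid or socket files would be created on usbfs, and it is the only rule in the file whose subject is a file type. If it is intentional it needs a comment such as `# zebra_var_run_t may be created on usbfs: reason?`, otherwise it should be dropped. The tunable description earlier in the hunk also reads "write it configuration files" where "its" is meant, and the hunk starts several physical lines earlier.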
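Review bot: The summary of `zosremote_run` in zosremote.if promises that the caller may "use zos_remote_t terminal", but the body only calls `zosremote_domtrans($1)` and `role $2 types zos_remote_t;`; nothing grants terminal access in either direction, so the documentation over-states what the interface does. Either trim the description to what is granted, e.g. `## Execute audispd-zos-remote in the zos_remote_t domain and allow the specified role that domain.`, or add the terminal rule the text implies.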
@@ -0,0 +1,28 @@
+policy_module(zosremote, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type zos_remote_t;
+type zos_remote_exec_t;
+init_system_domain(zos_remote_t, zos_remote_exec_t)
+logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
+
+########################################
+#
+# zos_remote local policy
+#
+
+allow zos_remote_t self:process signal;
+allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(zos_remote_t)
+
+auth_use_nsswitch(zos_remote_t)
+
+miscfiles_read_localization(zos_remote_t)
+
+logging_send_syslog_msg(zos_remote_t)
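Review bot: zos_remote_t has no tcp_socket self permission and no corenet rules, yet the module is described in zosremote.if as the plugin that forwards audit events to a remote z/OS service; if the binary opens that connection itself every network call will be denied and audit forwarding will fail silently apart from AVC records on the sending host. I cannot confirm from the hunk which process performs the connection, so this should be checked against the dispatcher's behaviour; if it does connect, add `allow zos_remote_t self:tcp_socket create_stream_socket_perms;` together with the corenet send/receive and connect rules for the port it uses, and if another process handles the transport, a one-line comment saying so would stop the next reviewer asking.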