authorSven Vermeulen <sven.vermeulen@siphos.be>2012-04-21 20:07:46 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2012-04-21 20:07:46 +0200
commit3962a6834f4e7ef04441de4f3134ff329d8602f9 (patch)
treecae07463edd5b609a97513e00d63e1bd410cc8bb
parentInitial commit (diff)
downloadhardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.gz
hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.bz2
hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.zip
Pushing 2.20120215 (current version)
-rw-r--r--COPYING340
-rw-r--r--Changelog925
-rw-r--r--INSTALL42
-rw-r--r--Makefile637
-rw-r--r--Makefile.orig637
-rw-r--r--README265
-rw-r--r--Rules.modular217
-rw-r--r--Rules.monolithic256
-rw-r--r--VERSION1
-rw-r--r--build.conf77
-rw-r--r--config/appconfig-mcs/dbus_contexts6
-rw-r--r--config/appconfig-mcs/default_contexts15
-rw-r--r--config/appconfig-mcs/default_type6
-rw-r--r--config/appconfig-mcs/failsafe_context1
-rw-r--r--config/appconfig-mcs/guest_u_default_contexts6
-rw-r--r--config/appconfig-mcs/initrc_context1
-rw-r--r--config/appconfig-mcs/media3
-rw-r--r--config/appconfig-mcs/removable_context1
-rw-r--r--config/appconfig-mcs/root_default_contexts11
-rw-r--r--config/appconfig-mcs/securetty_types1
-rw-r--r--config/appconfig-mcs/sepgsql_contexts40
-rw-r--r--config/appconfig-mcs/seusers3
-rw-r--r--config/appconfig-mcs/staff_u_default_contexts10
-rw-r--r--config/appconfig-mcs/unconfined_u_default_contexts9
-rw-r--r--config/appconfig-mcs/user_u_default_contexts8
-rw-r--r--config/appconfig-mcs/userhelper_context1
-rw-r--r--config/appconfig-mcs/virtual_domain_context1
-rw-r--r--config/appconfig-mcs/virtual_image_context2
-rw-r--r--config/appconfig-mcs/x_contexts105
-rw-r--r--config/appconfig-mcs/xguest_u_default_contexts7
-rw-r--r--config/appconfig-mls/dbus_contexts6
-rw-r--r--config/appconfig-mls/default_contexts15
-rw-r--r--config/appconfig-mls/default_type6
-rw-r--r--config/appconfig-mls/failsafe_context1
-rw-r--r--config/appconfig-mls/guest_u_default_contexts5
-rw-r--r--config/appconfig-mls/initrc_context1
-rw-r--r--config/appconfig-mls/media3
-rw-r--r--config/appconfig-mls/removable_context1
-rw-r--r--config/appconfig-mls/root_default_contexts11
-rw-r--r--config/appconfig-mls/securetty_types1
-rw-r--r--config/appconfig-mls/sepgsql_contexts40
-rw-r--r--config/appconfig-mls/seusers3
-rw-r--r--config/appconfig-mls/staff_u_default_contexts10
-rw-r--r--config/appconfig-mls/unconfined_u_default_contexts9
-rw-r--r--config/appconfig-mls/user_u_default_contexts8
-rw-r--r--config/appconfig-mls/userhelper_context1
-rw-r--r--config/appconfig-mls/virtual_domain_context1
-rw-r--r--config/appconfig-mls/virtual_image_context2
-rw-r--r--config/appconfig-mls/x_contexts105
-rw-r--r--config/appconfig-mls/xguest_u_default_contexts7
-rw-r--r--config/appconfig-standard/dbus_contexts6
-rw-r--r--config/appconfig-standard/default_contexts15
-rw-r--r--config/appconfig-standard/default_type6
-rw-r--r--config/appconfig-standard/failsafe_context1
-rw-r--r--config/appconfig-standard/guest_u_default_contexts7
-rw-r--r--config/appconfig-standard/initrc_context1
-rw-r--r--config/appconfig-standard/media3
-rw-r--r--config/appconfig-standard/removable_context1
-rw-r--r--config/appconfig-standard/root_default_contexts11
-rw-r--r--config/appconfig-standard/securetty_types1
-rw-r--r--config/appconfig-standard/sepgsql_contexts40
-rw-r--r--config/appconfig-standard/seusers3
-rw-r--r--config/appconfig-standard/staff_u_default_contexts10
-rw-r--r--config/appconfig-standard/unconfined_u_default_contexts9
-rw-r--r--config/appconfig-standard/user_u_default_contexts8
-rw-r--r--config/appconfig-standard/userhelper_context1
-rw-r--r--config/appconfig-standard/virtual_domain_context1
-rw-r--r--config/appconfig-standard/virtual_image_context2
-rw-r--r--config/appconfig-standard/x_contexts105
-rw-r--r--config/appconfig-standard/xguest_u_default_contexts7
-rw-r--r--config/file_contexts.subs_dist7
-rw-r--r--config/local.users21
-rw-r--r--doc/Makefile.example8
-rw-r--r--doc/example.fc6
-rw-r--r--doc/example.if54
-rw-r--r--doc/example.te28
-rw-r--r--doc/global_booleans.xml9
-rw-r--r--doc/global_tunables.xml108
-rw-r--r--doc/policy.dtd44
-rw-r--r--doc/policy.xml91784
-rw-r--r--doc/templates/bool_list.html23
-rw-r--r--doc/templates/boolean.html13
-rw-r--r--doc/templates/global_bool_list.html14
-rw-r--r--doc/templates/global_tun_list.html14
-rw-r--r--doc/templates/header.html15
-rw-r--r--doc/templates/int_list.html33
-rw-r--r--doc/templates/interface.html50
-rw-r--r--doc/templates/menu.html26
-rw-r--r--doc/templates/module.html52
-rw-r--r--doc/templates/module_list.html19
-rw-r--r--doc/templates/style.css216
-rw-r--r--doc/templates/temp_list.html33
-rw-r--r--doc/templates/template.html50
-rw-r--r--doc/templates/tun_list.html23
-rw-r--r--doc/templates/tunable.html13
-rw-r--r--man/man8/ftpd_selinux.865
-rw-r--r--man/man8/git_selinux.8109
-rw-r--r--man/man8/httpd_selinux.8120
-rw-r--r--man/man8/kerberos_selinux.828
-rw-r--r--man/man8/named_selinux.830
-rw-r--r--man/man8/nfs_selinux.831
-rw-r--r--man/man8/nis_selinux.81
-rw-r--r--man/man8/rsync_selinux.852
-rw-r--r--man/man8/samba_selinux.856
-rw-r--r--man/man8/ypbind_selinux.819
-rw-r--r--man/ru/man8/ftpd_selinux.857
-rw-r--r--man/ru/man8/httpd_selinux.8137
-rw-r--r--man/ru/man8/kerberos_selinux.830
-rw-r--r--man/ru/man8/named_selinux.831
-rw-r--r--man/ru/man8/nfs_selinux.833
-rw-r--r--man/ru/man8/rsync_selinux.850
-rw-r--r--man/ru/man8/samba_selinux.860
-rw-r--r--man/ru/man8/ypbind_selinux.819
-rw-r--r--policy/booleans.conf793
-rw-r--r--policy/constraints241
-rw-r--r--policy/flask/Makefile51
-rw-r--r--policy/flask/access_vectors864
-rw-r--r--policy/flask/flask.py536
-rw-r--r--policy/flask/initial_sids35
-rw-r--r--policy/flask/security_classes134
-rw-r--r--policy/global_booleans14
-rw-r--r--policy/global_tunables113
-rw-r--r--policy/mcs147
-rw-r--r--policy/mls882
-rw-r--r--policy/modules.conf2521
-rw-r--r--policy/modules/admin/bootloader.fc9
-rw-r--r--policy/modules/admin/bootloader.if124
-rw-r--r--policy/modules/admin/bootloader.te211
-rw-r--r--policy/modules/admin/consoletype.fc2
-rw-r--r--policy/modules/admin/consoletype.if71
-rw-r--r--policy/modules/admin/consoletype.te125
-rw-r--r--policy/modules/admin/dmesg.fc2
-rw-r--r--policy/modules/admin/dmesg.if40
-rw-r--r--policy/modules/admin/dmesg.te58
-rw-r--r--policy/modules/admin/metadata.xml3
-rw-r--r--policy/modules/admin/netutils.fc15
-rw-r--r--policy/modules/admin/netutils.if307
-rw-r--r--policy/modules/admin/netutils.te212
-rw-r--r--policy/modules/admin/su.fc5
-rw-r--r--policy/modules/admin/su.if337
-rw-r--r--policy/modules/admin/su.te11
-rw-r--r--policy/modules/admin/sudo.fc2
-rw-r--r--policy/modules/admin/sudo.if180
-rw-r--r--policy/modules/admin/sudo.te9
-rw-r--r--policy/modules/admin/usermanage.fc33
-rw-r--r--policy/modules/admin/usermanage.if297
-rw-r--r--policy/modules/admin/usermanage.te559
-rw-r--r--policy/modules/apps/metadata.xml1
-rw-r--r--policy/modules/apps/seunshare.fc1
-rw-r--r--policy/modules/apps/seunshare.if80
-rw-r--r--policy/modules/apps/seunshare.te44
-rw-r--r--policy/modules/contrib/abrt.fc20
-rw-r--r--policy/modules/contrib/abrt.if303
-rw-r--r--policy/modules/contrib/abrt.te227
-rw-r--r--policy/modules/contrib/accountsd.fc3
-rw-r--r--policy/modules/contrib/accountsd.if145
-rw-r--r--policy/modules/contrib/accountsd.te57
-rw-r--r--policy/modules/contrib/acct.fc9
-rw-r--r--policy/modules/contrib/acct.if80
-rw-r--r--policy/modules/contrib/acct.te89
-rw-r--r--policy/modules/contrib/ada.fc7
-rw-r--r--policy/modules/contrib/ada.if45
-rw-r--r--policy/modules/contrib/ada.te24
-rw-r--r--policy/modules/contrib/afs.fc32
-rw-r--r--policy/modules/contrib/afs.if109
-rw-r--r--policy/modules/contrib/afs.te355
-rw-r--r--policy/modules/contrib/aiccu.fc6
-rw-r--r--policy/modules/contrib/aiccu.if95
-rw-r--r--policy/modules/contrib/aiccu.te76
-rw-r--r--policy/modules/contrib/aide.fc6
-rw-r--r--policy/modules/contrib/aide.if71
-rw-r--r--policy/modules/contrib/aide.te42
-rw-r--r--policy/modules/contrib/aisexec.fc9
-rw-r--r--policy/modules/contrib/aisexec.if106
-rw-r--r--policy/modules/contrib/aisexec.te102
-rw-r--r--policy/modules/contrib/alsa.fc20
-rw-r--r--policy/modules/contrib/alsa.if208
-rw-r--r--policy/modules/contrib/alsa.te84
-rw-r--r--policy/modules/contrib/amanda.fc26
-rw-r--r--policy/modules/contrib/amanda.if161
-rw-r--r--policy/modules/contrib/amanda.te211
-rw-r--r--policy/modules/contrib/amavis.fc18
-rw-r--r--policy/modules/contrib/amavis.if261
-rw-r--r--policy/modules/contrib/amavis.te194
-rw-r--r--policy/modules/contrib/amtu.fc1
-rw-r--r--policy/modules/contrib/amtu.if46
-rw-r--r--policy/modules/contrib/amtu.te34
-rw-r--r--policy/modules/contrib/anaconda.fc1
-rw-r--r--policy/modules/contrib/anaconda.if1
-rw-r--r--policy/modules/contrib/anaconda.te59
-rw-r--r--policy/modules/contrib/apache.fc111
-rw-r--r--policy/modules/contrib/apache.if1324
-rw-r--r--policy/modules/contrib/apache.te915
-rw-r--r--policy/modules/contrib/apcupsd.fc15
-rw-r--r--policy/modules/contrib/apcupsd.if168
-rw-r--r--policy/modules/contrib/apcupsd.te127
-rw-r--r--policy/modules/contrib/apm.fc23
-rw-r--r--policy/modules/contrib/apm.if113
-rw-r--r--policy/modules/contrib/apm.te232
-rw-r--r--policy/modules/contrib/apt.fc21
-rw-r--r--policy/modules/contrib/apt.if225
-rw-r--r--policy/modules/contrib/apt.te162
-rw-r--r--policy/modules/contrib/arpwatch.fc12
-rw-r--r--policy/modules/contrib/arpwatch.if156
-rw-r--r--policy/modules/contrib/arpwatch.te98
-rw-r--r--policy/modules/contrib/asterisk.fc9
-rw-r--r--policy/modules/contrib/asterisk.if135
-rw-r--r--policy/modules/contrib/asterisk.te172
-rw-r--r--policy/modules/contrib/authbind.fc3
-rw-r--r--policy/modules/contrib/authbind.if20
-rw-r--r--policy/modules/contrib/authbind.te31
-rw-r--r--policy/modules/contrib/automount.fc16
-rw-r--r--policy/modules/contrib/automount.if168
-rw-r--r--policy/modules/contrib/automount.te182
-rw-r--r--policy/modules/contrib/avahi.fc9
-rw-r--r--policy/modules/contrib/avahi.if166
-rw-r--r--policy/modules/contrib/avahi.te112
-rw-r--r--policy/modules/contrib/awstats.fc5
-rw-r--r--policy/modules/contrib/awstats.if42
-rw-r--r--policy/modules/contrib/awstats.te85
-rw-r--r--policy/modules/contrib/backup.fc13
-rw-r--r--policy/modules/contrib/backup.if45
-rw-r--r--policy/modules/contrib/backup.te85
-rw-r--r--policy/modules/contrib/bacula.fc20
-rw-r--r--policy/modules/contrib/bacula.if45
-rw-r--r--policy/modules/contrib/bacula.te122
-rw-r--r--policy/modules/contrib/bind.fc63
-rw-r--r--policy/modules/contrib/bind.if399
-rw-r--r--policy/modules/contrib/bind.te260
-rw-r--r--policy/modules/contrib/bitlbee.fc6
-rw-r--r--policy/modules/contrib/bitlbee.if59
-rw-r--r--policy/modules/contrib/bitlbee.te94
-rw-r--r--policy/modules/contrib/bluetooth.fc30
-rw-r--r--policy/modules/contrib/bluetooth.if228
-rw-r--r--policy/modules/contrib/bluetooth.te241
-rw-r--r--policy/modules/contrib/brctl.fc1
-rw-r--r--policy/modules/contrib/brctl.if20
-rw-r--r--policy/modules/contrib/brctl.te44
-rw-r--r--policy/modules/contrib/bugzilla.fc4
-rw-r--r--policy/modules/contrib/bugzilla.if77
-rw-r--r--policy/modules/contrib/bugzilla.te50
-rw-r--r--policy/modules/contrib/calamaris.fc10
-rw-r--r--policy/modules/contrib/calamaris.if21
-rw-r--r--policy/modules/contrib/calamaris.te83
-rw-r--r--policy/modules/contrib/canna.fc23
-rw-r--r--policy/modules/contrib/canna.if61
-rw-r--r--policy/modules/contrib/canna.te93
-rw-r--r--policy/modules/contrib/ccs.fc6
-rw-r--r--policy/modules/contrib/ccs.if75
-rw-r--r--policy/modules/contrib/ccs.te122
-rw-r--r--policy/modules/contrib/cdrecord.fc6
-rw-r--r--policy/modules/contrib/cdrecord.if33
-rw-r--r--policy/modules/contrib/cdrecord.te119
-rw-r--r--policy/modules/contrib/certmaster.fc8
-rw-r--r--policy/modules/contrib/certmaster.if145
-rw-r--r--policy/modules/contrib/certmaster.te71
-rw-r--r--policy/modules/contrib/certmonger.fc6
-rw-r--r--policy/modules/contrib/certmonger.if174
-rw-r--r--policy/modules/contrib/certmonger.te72
-rw-r--r--policy/modules/contrib/certwatch.fc1
-rw-r--r--policy/modules/contrib/certwatch.if78
-rw-r--r--policy/modules/contrib/certwatch.te53
-rw-r--r--policy/modules/contrib/cgroup.fc15
-rw-r--r--policy/modules/contrib/cgroup.if199
-rw-r--r--policy/modules/contrib/cgroup.te109
-rw-r--r--policy/modules/contrib/chronyd.fc9
-rw-r--r--policy/modules/contrib/chronyd.if105
-rw-r--r--policy/modules/contrib/chronyd.te68
-rw-r--r--policy/modules/contrib/cipe.fc4
-rw-r--r--policy/modules/contrib/cipe.if1
-rw-r--r--policy/modules/contrib/cipe.te72
-rw-r--r--policy/modules/contrib/clamav.fc20
-rw-r--r--policy/modules/contrib/clamav.if192
-rw-r--r--policy/modules/contrib/clamav.te275
-rw-r--r--policy/modules/contrib/clockspeed.fc14
-rw-r--r--policy/modules/contrib/clockspeed.if44
-rw-r--r--policy/modules/contrib/clockspeed.te72
-rw-r--r--policy/modules/contrib/clogd.fc3
-rw-r--r--policy/modules/contrib/clogd.if79
-rw-r--r--policy/modules/contrib/clogd.te54
-rw-r--r--policy/modules/contrib/cmirrord.fc5
-rw-r--r--policy/modules/contrib/cmirrord.if113
-rw-r--r--policy/modules/contrib/cmirrord.te58
-rw-r--r--policy/modules/contrib/cobbler.fc7
-rw-r--r--policy/modules/contrib/cobbler.if185
-rw-r--r--policy/modules/contrib/cobbler.te128
-rw-r--r--policy/modules/contrib/colord.fc4
-rw-r--r--policy/modules/contrib/colord.if59
-rw-r--r--policy/modules/contrib/colord.te100
-rw-r--r--policy/modules/contrib/comsat.fc2
-rw-r--r--policy/modules/contrib/comsat.if1
-rw-r--r--policy/modules/contrib/comsat.te74
-rw-r--r--policy/modules/contrib/consolekit.fc7
-rw-r--r--policy/modules/contrib/consolekit.if98
-rw-r--r--policy/modules/contrib/consolekit.te131
-rw-r--r--policy/modules/contrib/corosync.fc12
-rw-r--r--policy/modules/contrib/corosync.if106
-rw-r--r--policy/modules/contrib/corosync.te103
-rw-r--r--policy/modules/contrib/courier.fc33
-rw-r--r--policy/modules/contrib/courier.if255
-rw-r--r--policy/modules/contrib/courier.te161
-rw-r--r--policy/modules/contrib/cpucontrol.fc10
-rw-r--r--policy/modules/contrib/cpucontrol.if17
-rw-r--r--policy/modules/contrib/cpucontrol.te122
-rw-r--r--policy/modules/contrib/cpufreqselector.fc1
-rw-r--r--policy/modules/contrib/cpufreqselector.if22
-rw-r--r--policy/modules/contrib/cpufreqselector.te55
-rw-r--r--policy/modules/contrib/cron.fc56
-rw-r--r--policy/modules/contrib/cron.if632
-rw-r--r--policy/modules/contrib/cron.te631
-rw-r--r--policy/modules/contrib/cups.fc73
-rw-r--r--policy/modules/contrib/cups.if358
-rw-r--r--policy/modules/contrib/cups.te781
-rw-r--r--policy/modules/contrib/cvs.fc10
-rw-r--r--policy/modules/contrib/cvs.if82
-rw-r--r--policy/modules/contrib/cvs.te115
-rw-r--r--policy/modules/contrib/cyphesis.fc5
-rw-r--r--policy/modules/contrib/cyphesis.if19
-rw-r--r--policy/modules/contrib/cyphesis.te85
-rw-r--r--policy/modules/contrib/cyrus.fc7
-rw-r--r--policy/modules/contrib/cyrus.if81
-rw-r--r--policy/modules/contrib/cyrus.te145
-rw-r--r--policy/modules/contrib/daemontools.fc53
-rw-r--r--policy/modules/contrib/daemontools.if212
-rw-r--r--policy/modules/contrib/daemontools.te118
-rw-r--r--policy/modules/contrib/dante.fc6
-rw-r--r--policy/modules/contrib/dante.if1
-rw-r--r--policy/modules/contrib/dante.te78
-rw-r--r--policy/modules/contrib/dbadm.fc1
-rw-r--r--policy/modules/contrib/dbadm.if50
-rw-r--r--policy/modules/contrib/dbadm.te60
-rw-r--r--policy/modules/contrib/dbskk.fc2
-rw-r--r--policy/modules/contrib/dbskk.if1
-rw-r--r--policy/modules/contrib/dbskk.te69
-rw-r--r--policy/modules/contrib/dbus.fc26
-rw-r--r--policy/modules/contrib/dbus.if507
-rw-r--r--policy/modules/contrib/dbus.te161
-rw-r--r--policy/modules/contrib/dcc.fc30
-rw-r--r--policy/modules/contrib/dcc.if173
-rw-r--r--policy/modules/contrib/dcc.te404
-rw-r--r--policy/modules/contrib/ddclient.fc12
-rw-r--r--policy/modules/contrib/ddclient.if93
-rw-r--r--policy/modules/contrib/ddclient.te108
-rw-r--r--policy/modules/contrib/ddcprobe.fc4
-rw-r--r--policy/modules/contrib/ddcprobe.if45
-rw-r--r--policy/modules/contrib/ddcprobe.te51
-rw-r--r--policy/modules/contrib/denyhosts.fc7
-rw-r--r--policy/modules/contrib/denyhosts.if85
-rw-r--r--policy/modules/contrib/denyhosts.te72
-rw-r--r--policy/modules/contrib/devicekit.fc20
-rw-r--r--policy/modules/contrib/devicekit.if185
-rw-r--r--policy/modules/contrib/devicekit.te284
-rw-r--r--policy/modules/contrib/dhcp.fc8
-rw-r--r--policy/modules/contrib/dhcp.if99
-rw-r--r--policy/modules/contrib/dhcp.te135
-rw-r--r--policy/modules/contrib/dictd.fc9
-rw-r--r--policy/modules/contrib/dictd.if57
-rw-r--r--policy/modules/contrib/dictd.te98
-rw-r--r--policy/modules/contrib/distcc.fc2
-rw-r--r--policy/modules/contrib/distcc.if1
-rw-r--r--policy/modules/contrib/distcc.te93
-rw-r--r--policy/modules/contrib/djbdns.fc9
-rw-r--r--policy/modules/contrib/djbdns.if90
-rw-r--r--policy/modules/contrib/djbdns.te49
-rw-r--r--policy/modules/contrib/dkim.fc14
-rw-r--r--policy/modules/contrib/dkim.if1
-rw-r--r--policy/modules/contrib/dkim.te33
-rw-r--r--policy/modules/contrib/dmidecode.fc4
-rw-r--r--policy/modules/contrib/dmidecode.if50
-rw-r--r--policy/modules/contrib/dmidecode.te30
-rw-r--r--policy/modules/contrib/dnsmasq.fc12
-rw-r--r--policy/modules/contrib/dnsmasq.if211
-rw-r--r--policy/modules/contrib/dnsmasq.te117
-rw-r--r--policy/modules/contrib/dovecot.fc46
-rw-r--r--policy/modules/contrib/dovecot.if130
-rw-r--r--policy/modules/contrib/dovecot.te306
-rw-r--r--policy/modules/contrib/dpkg.fc12
-rw-r--r--policy/modules/contrib/dpkg.if224
-rw-r--r--policy/modules/contrib/dpkg.te341
-rw-r--r--policy/modules/contrib/dracut.fc4
-rw-r--r--policy/modules/contrib/dracut.if69
-rw-r--r--policy/modules/contrib/dracut.te74
-rw-r--r--policy/modules/contrib/entropyd.fc8
-rw-r--r--policy/modules/contrib/entropyd.if1
-rw-r--r--policy/modules/contrib/entropyd.te80
-rw-r--r--policy/modules/contrib/evolution.fc21
-rw-r--r--policy/modules/contrib/evolution.if153
-rw-r--r--policy/modules/contrib/evolution.te604
-rw-r--r--policy/modules/contrib/exim.fc8
-rw-r--r--policy/modules/contrib/exim.if196
-rw-r--r--policy/modules/contrib/exim.te203
-rw-r--r--policy/modules/contrib/fail2ban.fc8
-rw-r--r--policy/modules/contrib/fail2ban.if175
-rw-r--r--policy/modules/contrib/fail2ban.te102
-rw-r--r--policy/modules/contrib/fetchmail.fc19
-rw-r--r--policy/modules/contrib/fetchmail.if30
-rw-r--r--policy/modules/contrib/fetchmail.te104
-rw-r--r--policy/modules/contrib/finger.fc19
-rw-r--r--policy/modules/contrib/finger.if33
-rw-r--r--policy/modules/contrib/finger.te121
-rw-r--r--policy/modules/contrib/firstboot.fc3
-rw-r--r--policy/modules/contrib/firstboot.if157
-rw-r--r--policy/modules/contrib/firstboot.te135
-rw-r--r--policy/modules/contrib/fprintd.fc2
-rw-r--r--policy/modules/contrib/fprintd.if41
-rw-r--r--policy/modules/contrib/fprintd.te57
-rw-r--r--policy/modules/contrib/ftp.fc31
-rw-r--r--policy/modules/contrib/ftp.if206
-rw-r--r--policy/modules/contrib/ftp.te412
-rw-r--r--policy/modules/contrib/games.fc66
-rw-r--r--policy/modules/contrib/games.if51
-rw-r--r--policy/modules/contrib/games.te178
-rw-r--r--policy/modules/contrib/gatekeeper.fc8
-rw-r--r--policy/modules/contrib/gatekeeper.if1
-rw-r--r--policy/modules/contrib/gatekeeper.te99
-rw-r--r--policy/modules/contrib/gift.fc6
-rw-r--r--policy/modules/contrib/gift.if42
-rw-r--r--policy/modules/contrib/gift.te144
-rw-r--r--policy/modules/contrib/git.fc11
-rw-r--r--policy/modules/contrib/git.if50
-rw-r--r--policy/modules/contrib/git.te226
-rw-r--r--policy/modules/contrib/gitosis.fc9
-rw-r--r--policy/modules/contrib/gitosis.if86
-rw-r--r--policy/modules/contrib/gitosis.te41
-rw-r--r--policy/modules/contrib/glance.fc12
-rw-r--r--policy/modules/contrib/glance.if261
-rw-r--r--policy/modules/contrib/glance.te104
-rw-r--r--policy/modules/contrib/gnome.fc9
-rw-r--r--policy/modules/contrib/gnome.if190
-rw-r--r--policy/modules/contrib/gnome.te75
-rw-r--r--policy/modules/contrib/gnomeclock.fc2
-rw-r--r--policy/modules/contrib/gnomeclock.if65
-rw-r--r--policy/modules/contrib/gnomeclock.te46
-rw-r--r--policy/modules/contrib/gorg.fc3
-rw-r--r--policy/modules/contrib/gorg.if34
-rw-r--r--policy/modules/contrib/gorg.te63
-rw-r--r--policy/modules/contrib/gpg.fc11
-rw-r--r--policy/modules/contrib/gpg.if181
-rw-r--r--policy/modules/contrib/gpg.te358
-rw-r--r--policy/modules/contrib/gpm.fc7
-rw-r--r--policy/modules/contrib/gpm.if81
-rw-r--r--policy/modules/contrib/gpm.te79
-rw-r--r--policy/modules/contrib/gpsd.fc6
-rw-r--r--policy/modules/contrib/gpsd.if66
-rw-r--r--policy/modules/contrib/gpsd.te64
-rw-r--r--policy/modules/contrib/guest.fc1
-rw-r--r--policy/modules/contrib/guest.if50
-rw-r--r--policy/modules/contrib/guest.te17
-rw-r--r--policy/modules/contrib/hadoop.fc59
-rw-r--r--policy/modules/contrib/hadoop.if534
-rw-r--r--policy/modules/contrib/hadoop.te435
-rw-r--r--policy/modules/contrib/hal.fc33
-rw-r--r--policy/modules/contrib/hal.if433
-rw-r--r--policy/modules/contrib/hal.te531
-rw-r--r--policy/modules/contrib/hddtemp.fc5
-rw-r--r--policy/modules/contrib/hddtemp.if77
-rw-r--r--policy/modules/contrib/hddtemp.te49
-rw-r--r--policy/modules/contrib/howl.fc5
-rw-r--r--policy/modules/contrib/howl.if19
-rw-r--r--policy/modules/contrib/howl.te80
-rw-r--r--policy/modules/contrib/i18n_input.fc19
-rw-r--r--policy/modules/contrib/i18n_input.if15
-rw-r--r--policy/modules/contrib/i18n_input.te102
-rw-r--r--policy/modules/contrib/icecast.fc7
-rw-r--r--policy/modules/contrib/icecast.if188
-rw-r--r--policy/modules/contrib/icecast.te61
-rw-r--r--policy/modules/contrib/ifplugd.fc7
-rw-r--r--policy/modules/contrib/ifplugd.if133
-rw-r--r--policy/modules/contrib/ifplugd.te76
-rw-r--r--policy/modules/contrib/imaze.fc4
-rw-r--r--policy/modules/contrib/imaze.if1
-rw-r--r--policy/modules/contrib/imaze.te99
-rw-r--r--policy/modules/contrib/inetd.fc12
-rw-r--r--policy/modules/contrib/inetd.if205
-rw-r--r--policy/modules/contrib/inetd.te243
-rw-r--r--policy/modules/contrib/inn.fc67
-rw-r--r--policy/modules/contrib/inn.if224
-rw-r--r--policy/modules/contrib/inn.te129
-rw-r--r--policy/modules/contrib/irc.fc11
-rw-r--r--policy/modules/contrib/irc.if31
-rw-r--r--policy/modules/contrib/irc.te102
-rw-r--r--policy/modules/contrib/ircd.fc7
-rw-r--r--policy/modules/contrib/ircd.if1
-rw-r--r--policy/modules/contrib/ircd.te93
-rw-r--r--policy/modules/contrib/irqbalance.fc2
-rw-r--r--policy/modules/contrib/irqbalance.if1
-rw-r--r--policy/modules/contrib/irqbalance.te56
-rw-r--r--policy/modules/contrib/iscsi.fc7
-rw-r--r--policy/modules/contrib/iscsi.if76
-rw-r--r--policy/modules/contrib/iscsi.te97
-rw-r--r--policy/modules/contrib/jabber.fc10
-rw-r--r--policy/modules/contrib/jabber.if56
-rw-r--r--policy/modules/contrib/jabber.te94
-rw-r--r--policy/modules/contrib/java.fc38
-rw-r--r--policy/modules/contrib/java.if200
-rw-r--r--policy/modules/contrib/java.te153
-rw-r--r--policy/modules/contrib/kdump.fc5
-rw-r--r--policy/modules/contrib/kdump.if111
-rw-r--r--policy/modules/contrib/kdump.te38
-rw-r--r--policy/modules/contrib/kdumpgui.fc1
-rw-r--r--policy/modules/contrib/kdumpgui.if2
-rw-r--r--policy/modules/contrib/kdumpgui.te65
-rw-r--r--policy/modules/contrib/kerberos.fc33
-rw-r--r--policy/modules/contrib/kerberos.if380
-rw-r--r--policy/modules/contrib/kerberos.te325
-rw-r--r--policy/modules/contrib/kerneloops.fc3
-rw-r--r--policy/modules/contrib/kerneloops.if115
-rw-r--r--policy/modules/contrib/kerneloops.te54
-rw-r--r--policy/modules/contrib/kismet.fc6
-rw-r--r--policy/modules/contrib/kismet.if247
-rw-r--r--policy/modules/contrib/kismet.te101
-rw-r--r--policy/modules/contrib/ksmtuned.fc5
-rw-r--r--policy/modules/contrib/ksmtuned.if74
-rw-r--r--policy/modules/contrib/ksmtuned.te39
-rw-r--r--policy/modules/contrib/ktalk.fc7
-rw-r--r--policy/modules/contrib/ktalk.if1
-rw-r--r--policy/modules/contrib/ktalk.te79
-rw-r--r--policy/modules/contrib/kudzu.fc5
-rw-r--r--policy/modules/contrib/kudzu.if64
-rw-r--r--policy/modules/contrib/kudzu.te145
-rw-r--r--policy/modules/contrib/ldap.fc21
-rw-r--r--policy/modules/contrib/ldap.if123
-rw-r--r--policy/modules/contrib/ldap.te134
-rw-r--r--policy/modules/contrib/likewise.fc54
-rw-r--r--policy/modules/contrib/likewise.if105
-rw-r--r--policy/modules/contrib/likewise.te238
-rw-r--r--policy/modules/contrib/links.fc2
-rw-r--r--policy/modules/contrib/links.if46
-rw-r--r--policy/modules/contrib/links.te67
-rw-r--r--policy/modules/contrib/lircd.fc10
-rw-r--r--policy/modules/contrib/lircd.if96
-rw-r--r--policy/modules/contrib/lircd.te64
-rw-r--r--policy/modules/contrib/livecd.fc1
-rw-r--r--policy/modules/contrib/livecd.if100
-rw-r--r--policy/modules/contrib/livecd.te43
-rw-r--r--policy/modules/contrib/loadkeys.fc3
-rw-r--r--policy/modules/contrib/loadkeys.if67
-rw-r--r--policy/modules/contrib/loadkeys.te50
-rw-r--r--policy/modules/contrib/lockdev.fc2
-rw-r--r--policy/modules/contrib/lockdev.if33
-rw-r--r--policy/modules/contrib/lockdev.te37
-rw-r--r--policy/modules/contrib/logrotate.fc9
-rw-r--r--policy/modules/contrib/logrotate.if120
-rw-r--r--policy/modules/contrib/logrotate.te230
-rw-r--r--policy/modules/contrib/logwatch.fc7
-rw-r--r--policy/modules/contrib/logwatch.if38
-rw-r--r--policy/modules/contrib/logwatch.te147
-rw-r--r--policy/modules/contrib/lpd.fc37
-rw-r--r--policy/modules/contrib/lpd.if214
-rw-r--r--policy/modules/contrib/lpd.te328
-rw-r--r--policy/modules/contrib/mailman.fc34
-rw-r--r--policy/modules/contrib/mailman.if352
-rw-r--r--policy/modules/contrib/mailman.te128
-rw-r--r--policy/modules/contrib/mcelog.fc1
-rw-r--r--policy/modules/contrib/mcelog.if20
-rw-r--r--policy/modules/contrib/mcelog.te32
-rw-r--r--policy/modules/contrib/mediawiki.fc8
-rw-r--r--policy/modules/contrib/mediawiki.if1
-rw-r--r--policy/modules/contrib/mediawiki.te17
-rw-r--r--policy/modules/contrib/memcached.fc5
-rw-r--r--policy/modules/contrib/memcached.if73
-rw-r--r--policy/modules/contrib/memcached.te58
-rw-r--r--policy/modules/contrib/metadata.xml1
-rw-r--r--policy/modules/contrib/milter.fc15
-rw-r--r--policy/modules/contrib/milter.if106
-rw-r--r--policy/modules/contrib/milter.te96
-rw-r--r--policy/modules/contrib/modemmanager.fc1
-rw-r--r--policy/modules/contrib/modemmanager.if40
-rw-r--r--policy/modules/contrib/modemmanager.te41
-rw-r--r--policy/modules/contrib/mojomojo.fc5
-rw-r--r--policy/modules/contrib/mojomojo.if40
-rw-r--r--policy/modules/contrib/mojomojo.te36
-rw-r--r--policy/modules/contrib/mono.fc1
-rw-r--r--policy/modules/contrib/mono.if138
-rw-r--r--policy/modules/contrib/mono.te52
-rw-r--r--policy/modules/contrib/monop.fc4
-rw-r--r--policy/modules/contrib/monop.if1
-rw-r--r--policy/modules/contrib/monop.te85
-rw-r--r--policy/modules/contrib/mozilla.fc47
-rw-r--r--policy/modules/contrib/mozilla.if302
-rw-r--r--policy/modules/contrib/mozilla.te480
-rw-r--r--policy/modules/contrib/mpd.fc8
-rw-r--r--policy/modules/contrib/mpd.if267
-rw-r--r--policy/modules/contrib/mpd.te126
-rw-r--r--policy/modules/contrib/mplayer.fc14
-rw-r--r--policy/modules/contrib/mplayer.if104
-rw-r--r--policy/modules/contrib/mplayer.te311
-rw-r--r--policy/modules/contrib/mrtg.fc18
-rw-r--r--policy/modules/contrib/mrtg.if20
-rw-r--r--policy/modules/contrib/mrtg.te160
-rw-r--r--policy/modules/contrib/mta.fc30
-rw-r--r--policy/modules/contrib/mta.if903
-rw-r--r--policy/modules/contrib/mta.te294
-rw-r--r--policy/modules/contrib/munin.fc69
-rw-r--r--policy/modules/contrib/munin.if203
-rw-r--r--policy/modules/contrib/munin.te315
-rw-r--r--policy/modules/contrib/mutt.fc10
-rw-r--r--policy/modules/contrib/mutt.if104
-rw-r--r--policy/modules/contrib/mutt.te101
-rw-r--r--policy/modules/contrib/mysql.fc32
-rw-r--r--policy/modules/contrib/mysql.if355
-rw-r--r--policy/modules/contrib/mysql.te239
-rw-r--r--policy/modules/contrib/nagios.fc88
-rw-r--r--policy/modules/contrib/nagios.if229
-rw-r--r--policy/modules/contrib/nagios.te393
-rw-r--r--policy/modules/contrib/ncftool.fc1
-rw-r--r--policy/modules/contrib/ncftool.if44
-rw-r--r--policy/modules/contrib/ncftool.te81
-rw-r--r--policy/modules/contrib/nessus.fc10
-rw-r--r--policy/modules/contrib/nessus.if15
-rw-r--r--policy/modules/contrib/nessus.te105
-rw-r--r--policy/modules/contrib/networkmanager.fc28
-rw-r--r--policy/modules/contrib/networkmanager.if258
-rw-r--r--policy/modules/contrib/networkmanager.te319
-rw-r--r--policy/modules/contrib/nginx.fc63
-rw-r--r--policy/modules/contrib/nginx.if101
-rw-r--r--policy/modules/contrib/nginx.te193
-rw-r--r--policy/modules/contrib/nis.fc21
-rw-r--r--policy/modules/contrib/nis.if396
-rw-r--r--policy/modules/contrib/nis.te347
-rw-r--r--policy/modules/contrib/nscd.fc13
-rw-r--r--policy/modules/contrib/nscd.if291
-rw-r--r--policy/modules/contrib/nscd.te129
-rw-r--r--policy/modules/contrib/nsd.fc14
-rw-r--r--policy/modules/contrib/nsd.if29
-rw-r--r--policy/modules/contrib/nsd.te180
-rw-r--r--policy/modules/contrib/nslcd.fc4
-rw-r--r--policy/modules/contrib/nslcd.if114
-rw-r--r--policy/modules/contrib/nslcd.te45
-rw-r--r--policy/modules/contrib/ntop.fc6
-rw-r--r--policy/modules/contrib/ntop.if1
-rw-r--r--policy/modules/contrib/ntop.te114
-rw-r--r--policy/modules/contrib/ntp.fc22
-rw-r--r--policy/modules/contrib/ntp.if165
-rw-r--r--policy/modules/contrib/ntp.te156
-rw-r--r--policy/modules/contrib/nut.fc12
-rw-r--r--policy/modules/contrib/nut.if1
-rw-r--r--policy/modules/contrib/nut.te171
-rw-r--r--policy/modules/contrib/nx.fc12
-rw-r--r--policy/modules/contrib/nx.if85
-rw-r--r--policy/modules/contrib/nx.te98
-rw-r--r--policy/modules/contrib/oav.fc9
-rw-r--r--policy/modules/contrib/oav.if46
-rw-r--r--policy/modules/contrib/oav.te146
-rw-r--r--policy/modules/contrib/oddjob.fc7
-rw-r--r--policy/modules/contrib/oddjob.if111
-rw-r--r--policy/modules/contrib/oddjob.te106
-rw-r--r--policy/modules/contrib/oident.fc8
-rw-r--r--policy/modules/contrib/oident.if68
-rw-r--r--policy/modules/contrib/oident.te75
-rw-r--r--policy/modules/contrib/openca.fc9
-rw-r--r--policy/modules/contrib/openca.if76
-rw-r--r--policy/modules/contrib/openca.te82
-rw-r--r--policy/modules/contrib/openct.fc10
-rw-r--r--policy/modules/contrib/openct.if95
-rw-r--r--policy/modules/contrib/openct.te61
-rw-r--r--policy/modules/contrib/openvpn.fc18
-rw-r--r--policy/modules/contrib/openvpn.if163
-rw-r--r--policy/modules/contrib/openvpn.te140
-rw-r--r--policy/modules/contrib/pads.fc10
-rw-r--r--policy/modules/contrib/pads.if44
-rw-r--r--policy/modules/contrib/pads.te63
-rw-r--r--policy/modules/contrib/pan.fc6
-rw-r--r--policy/modules/contrib/pan.if38
-rw-r--r--policy/modules/contrib/pan.te116
-rw-r--r--policy/modules/contrib/passenger.fc11
-rw-r--r--policy/modules/contrib/passenger.if39
-rw-r--r--policy/modules/contrib/passenger.te77
-rw-r--r--policy/modules/contrib/pcmcia.fc10
-rw-r--r--policy/modules/contrib/pcmcia.if156
-rw-r--r--policy/modules/contrib/pcmcia.te137
-rw-r--r--policy/modules/contrib/pcscd.fc6
-rw-r--r--policy/modules/contrib/pcscd.if95
-rw-r--r--policy/modules/contrib/pcscd.te79
-rw-r--r--policy/modules/contrib/pegasus.fc12
-rw-r--r--policy/modules/contrib/pegasus.if1
-rw-r--r--policy/modules/contrib/pegasus.te138
-rw-r--r--policy/modules/contrib/perdition.fc3
-rw-r--r--policy/modules/contrib/perdition.if15
-rw-r--r--policy/modules/contrib/perdition.te75
-rw-r--r--policy/modules/contrib/pingd.fc6
-rw-r--r--policy/modules/contrib/pingd.if97
-rw-r--r--policy/modules/contrib/pingd.te47
-rw-r--r--policy/modules/contrib/plymouthd.fc7
-rw-r--r--policy/modules/contrib/plymouthd.if260
-rw-r--r--policy/modules/contrib/plymouthd.te99
-rw-r--r--policy/modules/contrib/podsleuth.fc3
-rw-r--r--policy/modules/contrib/podsleuth.if45
-rw-r--r--policy/modules/contrib/podsleuth.te87
-rw-r--r--policy/modules/contrib/policykit.fc16
-rw-r--r--policy/modules/contrib/policykit.if209
-rw-r--r--policy/modules/contrib/policykit.te210
-rw-r--r--policy/modules/contrib/portage.fc35
-rw-r--r--policy/modules/contrib/portage.if394
-rw-r--r--policy/modules/contrib/portage.te367
-rw-r--r--policy/modules/contrib/portmap.fc16
-rw-r--r--policy/modules/contrib/portmap.if89
-rw-r--r--policy/modules/contrib/portmap.te150
-rw-r--r--policy/modules/contrib/portreserve.fc7
-rw-r--r--policy/modules/contrib/portreserve.if120
-rw-r--r--policy/modules/contrib/portreserve.te54
-rw-r--r--policy/modules/contrib/portslave.fc4
-rw-r--r--policy/modules/contrib/portslave.if19
-rw-r--r--policy/modules/contrib/portslave.te125
-rw-r--r--policy/modules/contrib/postfix.fc53
-rw-r--r--policy/modules/contrib/postfix.if683
-rw-r--r--policy/modules/contrib/postfix.te635
-rw-r--r--policy/modules/contrib/postfixpolicyd.fc6
-rw-r--r--policy/modules/contrib/postfixpolicyd.if40
-rw-r--r--policy/modules/contrib/postfixpolicyd.te53
-rw-r--r--policy/modules/contrib/postgrey.fc12
-rw-r--r--policy/modules/contrib/postgrey.if81
-rw-r--r--policy/modules/contrib/postgrey.te107
-rw-r--r--policy/modules/contrib/ppp.fc38
-rw-r--r--policy/modules/contrib/ppp.if390
-rw-r--r--policy/modules/contrib/ppp.te325
-rw-r--r--policy/modules/contrib/prelink.fc11
-rw-r--r--policy/modules/contrib/prelink.if204
-rw-r--r--policy/modules/contrib/prelink.te164
-rw-r--r--policy/modules/contrib/prelude.fc18
-rw-r--r--policy/modules/contrib/prelude.if144
-rw-r--r--policy/modules/contrib/prelude.te308
-rw-r--r--policy/modules/contrib/privoxy.fc6
-rw-r--r--policy/modules/contrib/privoxy.if42
-rw-r--r--policy/modules/contrib/privoxy.te103
-rw-r--r--policy/modules/contrib/procmail.fc5
-rw-r--r--policy/modules/contrib/procmail.if79
-rw-r--r--policy/modules/contrib/procmail.te150
-rw-r--r--policy/modules/contrib/psad.fc8
-rw-r--r--policy/modules/contrib/psad.if262
-rw-r--r--policy/modules/contrib/psad.te106
-rw-r--r--policy/modules/contrib/ptchown.fc1
-rw-r--r--policy/modules/contrib/ptchown.if44
-rw-r--r--policy/modules/contrib/ptchown.te31
-rw-r--r--policy/modules/contrib/publicfile.fc7
-rw-r--r--policy/modules/contrib/publicfile.if1
-rw-r--r--policy/modules/contrib/publicfile.te34
-rw-r--r--policy/modules/contrib/pulseaudio.fc7
-rw-r--r--policy/modules/contrib/pulseaudio.if260
-rw-r--r--policy/modules/contrib/pulseaudio.te148
-rw-r--r--policy/modules/contrib/puppet.fc13
-rw-r--r--policy/modules/contrib/puppet.if31
-rw-r--r--policy/modules/contrib/puppet.te282
-rw-r--r--policy/modules/contrib/pxe.fc6
-rw-r--r--policy/modules/contrib/pxe.if1
-rw-r--r--policy/modules/contrib/pxe.te63
-rw-r--r--policy/modules/contrib/pyicqt.fc7
-rw-r--r--policy/modules/contrib/pyicqt.if1
-rw-r--r--policy/modules/contrib/pyicqt.te59
-rw-r--r--policy/modules/contrib/pyzor.fc9
-rw-r--r--policy/modules/contrib/pyzor.if90
-rw-r--r--policy/modules/contrib/pyzor.te146
-rw-r--r--policy/modules/contrib/qemu.fc4
-rw-r--r--policy/modules/contrib/qemu.if309
-rw-r--r--policy/modules/contrib/qemu.te135
-rw-r--r--policy/modules/contrib/qmail.fc47
-rw-r--r--policy/modules/contrib/qmail.if151
-rw-r--r--policy/modules/contrib/qmail.te321
-rw-r--r--policy/modules/contrib/qpid.fc8
-rw-r--r--policy/modules/contrib/qpid.if186
-rw-r--r--policy/modules/contrib/qpid.te63
-rw-r--r--policy/modules/contrib/quota.fc19
-rw-r--r--policy/modules/contrib/quota.if85
-rw-r--r--policy/modules/contrib/quota.te84
-rw-r--r--policy/modules/contrib/radius.fc23
-rw-r--r--policy/modules/contrib/radius.if62
-rw-r--r--policy/modules/contrib/radius.te143
-rw-r--r--policy/modules/contrib/radvd.fc7
-rw-r--r--policy/modules/contrib/radvd.if39
-rw-r--r--policy/modules/contrib/radvd.te82
-rw-r--r--policy/modules/contrib/raid.fc6
-rw-r--r--policy/modules/contrib/raid.if75
-rw-r--r--policy/modules/contrib/raid.te102
-rw-r--r--policy/modules/contrib/razor.fc8
-rw-r--r--policy/modules/contrib/razor.if159
-rw-r--r--policy/modules/contrib/razor.te121
-rw-r--r--policy/modules/contrib/rdisc.fc2
-rw-r--r--policy/modules/contrib/rdisc.if20
-rw-r--r--policy/modules/contrib/rdisc.te58
-rw-r--r--policy/modules/contrib/readahead.fc3
-rw-r--r--policy/modules/contrib/readahead.if1
-rw-r--r--policy/modules/contrib/readahead.te101
-rw-r--r--policy/modules/contrib/remotelogin.fc2
-rw-r--r--policy/modules/contrib/remotelogin.if37
-rw-r--r--policy/modules/contrib/remotelogin.te123
-rw-r--r--policy/modules/contrib/resmgr.fc7
-rw-r--r--policy/modules/contrib/resmgr.if22
-rw-r--r--policy/modules/contrib/resmgr.te66
-rw-r--r--policy/modules/contrib/rgmanager.fc7
-rw-r--r--policy/modules/contrib/rgmanager.if77
-rw-r--r--policy/modules/contrib/rgmanager.te202
-rw-r--r--policy/modules/contrib/rhcs.fc22
-rw-r--r--policy/modules/contrib/rhcs.if355
-rw-r--r--policy/modules/contrib/rhcs.te240
-rw-r--r--policy/modules/contrib/rhgb.fc4
-rw-r--r--policy/modules/contrib/rhgb.if198
-rw-r--r--policy/modules/contrib/rhgb.te142
-rw-r--r--policy/modules/contrib/rhsmcertd.fc11
-rw-r--r--policy/modules/contrib/rhsmcertd.if296
-rw-r--r--policy/modules/contrib/rhsmcertd.te59
-rw-r--r--policy/modules/contrib/ricci.fc16
-rw-r--r--policy/modules/contrib/ricci.if167
-rw-r--r--policy/modules/contrib/ricci.te488
-rw-r--r--policy/modules/contrib/rlogin.fc7
-rw-r--r--policy/modules/contrib/rlogin.if47
-rw-r--r--policy/modules/contrib/rlogin.te116
-rw-r--r--policy/modules/contrib/roundup.fc11
-rw-r--r--policy/modules/contrib/roundup.if39
-rw-r--r--policy/modules/contrib/roundup.te96
-rw-r--r--policy/modules/contrib/rpc.fc31
-rw-r--r--policy/modules/contrib/rpc.if436
-rw-r--r--policy/modules/contrib/rpc.te237
-rw-r--r--policy/modules/contrib/rpcbind.fc9
-rw-r--r--policy/modules/contrib/rpcbind.if148
-rw-r--r--policy/modules/contrib/rpcbind.te69
-rw-r--r--policy/modules/contrib/rpm.fc52
-rw-r--r--policy/modules/contrib/rpm.if575
-rw-r--r--policy/modules/contrib/rpm.te399
-rw-r--r--policy/modules/contrib/rshd.fc5
-rw-r--r--policy/modules/contrib/rshd.if21
-rw-r--r--policy/modules/contrib/rshd.te96
-rw-r--r--policy/modules/contrib/rssh.fc1
-rw-r--r--policy/modules/contrib/rssh.if103
-rw-r--r--policy/modules/contrib/rssh.te104
-rw-r--r--policy/modules/contrib/rsync.fc7
-rw-r--r--policy/modules/contrib/rsync.if143
-rw-r--r--policy/modules/contrib/rsync.te133
-rw-r--r--policy/modules/contrib/rtkit.fc1
-rw-r--r--policy/modules/contrib/rtkit.if60
-rw-r--r--policy/modules/contrib/rtkit.te35
-rw-r--r--policy/modules/contrib/rwho.fc7
-rw-r--r--policy/modules/contrib/rwho.if154
-rw-r--r--policy/modules/contrib/rwho.te60
-rw-r--r--policy/modules/contrib/samba.fc53
-rw-r--r--policy/modules/contrib/samba.if730
-rw-r--r--policy/modules/contrib/samba.te939
-rw-r--r--policy/modules/contrib/sambagui.fc1
-rw-r--r--policy/modules/contrib/sambagui.if2
-rw-r--r--policy/modules/contrib/sambagui.te61
-rw-r--r--policy/modules/contrib/samhain.fc13
-rw-r--r--policy/modules/contrib/samhain.if292
-rw-r--r--policy/modules/contrib/samhain.te76
-rw-r--r--policy/modules/contrib/sanlock.fc7
-rw-r--r--policy/modules/contrib/sanlock.if107
-rw-r--r--policy/modules/contrib/sanlock.te93
-rw-r--r--policy/modules/contrib/sasl.fc12
-rw-r--r--policy/modules/contrib/sasl.if58
-rw-r--r--policy/modules/contrib/sasl.te110
-rw-r--r--policy/modules/contrib/sblim.fc5
-rw-r--r--policy/modules/contrib/sblim.if73
-rw-r--r--policy/modules/contrib/sblim.te104
-rw-r--r--policy/modules/contrib/screen.fc15
-rw-r--r--policy/modules/contrib/screen.if162
-rw-r--r--policy/modules/contrib/screen.te25
-rw-r--r--policy/modules/contrib/sectoolm.fc4
-rw-r--r--policy/modules/contrib/sectoolm.if2
-rw-r--r--policy/modules/contrib/sectoolm.te106
-rw-r--r--policy/modules/contrib/sendmail.fc6
-rw-r--r--policy/modules/contrib/sendmail.if297
-rw-r--r--policy/modules/contrib/sendmail.te187
-rw-r--r--policy/modules/contrib/setroubleshoot.fc9
-rw-r--r--policy/modules/contrib/setroubleshoot.if135
-rw-r--r--policy/modules/contrib/setroubleshoot.te177
-rw-r--r--policy/modules/contrib/shorewall.fc16
-rw-r--r--policy/modules/contrib/shorewall.if202
-rw-r--r--policy/modules/contrib/shorewall.te108
-rw-r--r--policy/modules/contrib/shutdown.fc7
-rw-r--r--policy/modules/contrib/shutdown.if69
-rw-r--r--policy/modules/contrib/shutdown.te63
-rw-r--r--policy/modules/contrib/skype.fc11
-rw-r--r--policy/modules/contrib/skype.if39
-rw-r--r--policy/modules/contrib/skype.te111
-rw-r--r--policy/modules/contrib/slocate.fc2
-rw-r--r--policy/modules/contrib/slocate.if41
-rw-r--r--policy/modules/contrib/slocate.te70
-rw-r--r--policy/modules/contrib/slrnpull.fc10
-rw-r--r--policy/modules/contrib/slrnpull.if42
-rw-r--r--policy/modules/contrib/slrnpull.te70
-rw-r--r--policy/modules/contrib/smartmon.fc12
-rw-r--r--policy/modules/contrib/smartmon.if57
-rw-r--r--policy/modules/contrib/smartmon.te121
-rw-r--r--policy/modules/contrib/smokeping.fc9
-rw-r--r--policy/modules/contrib/smokeping.if167
-rw-r--r--policy/modules/contrib/smokeping.te77
-rw-r--r--policy/modules/contrib/smoltclient.fc2
-rw-r--r--policy/modules/contrib/smoltclient.if1
-rw-r--r--policy/modules/contrib/smoltclient.te68
-rw-r--r--policy/modules/contrib/snmp.fc24
-rw-r--r--policy/modules/contrib/snmp.if147
-rw-r--r--policy/modules/contrib/snmp.te172
-rw-r--r--policy/modules/contrib/snort.fc9
-rw-r--r--policy/modules/contrib/snort.if60
-rw-r--r--policy/modules/contrib/snort.te117
-rw-r--r--policy/modules/contrib/sosreport.fc1
-rw-r--r--policy/modules/contrib/sosreport.if129
-rw-r--r--policy/modules/contrib/sosreport.te148
-rw-r--r--policy/modules/contrib/soundserver.fc13
-rw-r--r--policy/modules/contrib/soundserver.if57
-rw-r--r--policy/modules/contrib/soundserver.te114
-rw-r--r--policy/modules/contrib/spamassassin.fc15
-rw-r--r--policy/modules/contrib/spamassassin.if227
-rw-r--r--policy/modules/contrib/spamassassin.te449
-rw-r--r--policy/modules/contrib/speedtouch.fc2
-rw-r--r--policy/modules/contrib/speedtouch.if1
-rw-r--r--policy/modules/contrib/speedtouch.te61
-rw-r--r--policy/modules/contrib/squid.fc14
-rw-r--r--policy/modules/contrib/squid.if233
-rw-r--r--policy/modules/contrib/squid.te208
-rw-r--r--policy/modules/contrib/sssd.fc11
-rw-r--r--policy/modules/contrib/sssd.if255
-rw-r--r--policy/modules/contrib/sssd.te90
-rw-r--r--policy/modules/contrib/stunnel.fc7
-rw-r--r--policy/modules/contrib/stunnel.if25
-rw-r--r--policy/modules/contrib/stunnel.te123
-rw-r--r--policy/modules/contrib/sxid.fc6
-rw-r--r--policy/modules/contrib/sxid.if22
-rw-r--r--policy/modules/contrib/sxid.te97
-rw-r--r--policy/modules/contrib/sysstat.fc8
-rw-r--r--policy/modules/contrib/sysstat.if21
-rw-r--r--policy/modules/contrib/sysstat.te70
-rw-r--r--policy/modules/contrib/tcpd.fc2
-rw-r--r--policy/modules/contrib/tcpd.if45
-rw-r--r--policy/modules/contrib/tcpd.te50
-rw-r--r--policy/modules/contrib/tcsd.fc3
-rw-r--r--policy/modules/contrib/tcsd.if150
-rw-r--r--policy/modules/contrib/tcsd.te50
-rw-r--r--policy/modules/contrib/telepathy.fc18
-rw-r--r--policy/modules/contrib/telepathy.if178
-rw-r--r--policy/modules/contrib/telepathy.te380
-rw-r--r--policy/modules/contrib/telnet.fc4
-rw-r--r--policy/modules/contrib/telnet.if1
-rw-r--r--policy/modules/contrib/telnet.te102
-rw-r--r--policy/modules/contrib/tftp.fc8
-rw-r--r--policy/modules/contrib/tftp.if67
-rw-r--r--policy/modules/contrib/tftp.te106
-rw-r--r--policy/modules/contrib/tgtd.fc3
-rw-r--r--policy/modules/contrib/tgtd.if46
-rw-r--r--policy/modules/contrib/tgtd.te66
-rw-r--r--policy/modules/contrib/thunderbird.fc6
-rw-r--r--policy/modules/contrib/thunderbird.if63
-rw-r--r--policy/modules/contrib/thunderbird.te208
-rw-r--r--policy/modules/contrib/timidity.fc2
-rw-r--r--policy/modules/contrib/timidity.if1
-rw-r--r--policy/modules/contrib/timidity.te85
-rw-r--r--policy/modules/contrib/tmpreaper.fc7
-rw-r--r--policy/modules/contrib/tmpreaper.if21
-rw-r--r--policy/modules/contrib/tmpreaper.te74
-rw-r--r--policy/modules/contrib/tor.fc12
-rw-r--r--policy/modules/contrib/tor.if64
-rw-r--r--policy/modules/contrib/tor.te120
-rw-r--r--policy/modules/contrib/transproxy.fc3
-rw-r--r--policy/modules/contrib/transproxy.if1
-rw-r--r--policy/modules/contrib/transproxy.te65
-rw-r--r--policy/modules/contrib/tripwire.fc10
-rw-r--r--policy/modules/contrib/tripwire.if190
-rw-r--r--policy/modules/contrib/tripwire.te146
-rw-r--r--policy/modules/contrib/tuned.fc8
-rw-r--r--policy/modules/contrib/tuned.if129
-rw-r--r--policy/modules/contrib/tuned.te64
-rw-r--r--policy/modules/contrib/tvtime.fc5
-rw-r--r--policy/modules/contrib/tvtime.if40
-rw-r--r--policy/modules/contrib/tvtime.te90
-rw-r--r--policy/modules/contrib/tzdata.fc1
-rw-r--r--policy/modules/contrib/tzdata.if45
-rw-r--r--policy/modules/contrib/tzdata.te36
-rw-r--r--policy/modules/contrib/ucspitcp.fc3
-rw-r--r--policy/modules/contrib/ucspitcp.if38
-rw-r--r--policy/modules/contrib/ucspitcp.te93
-rw-r--r--policy/modules/contrib/ulogd.fc7
-rw-r--r--policy/modules/contrib/ulogd.if142
-rw-r--r--policy/modules/contrib/ulogd.te67
-rw-r--r--policy/modules/contrib/uml.fc14
-rw-r--r--policy/modules/contrib/uml.if99
-rw-r--r--policy/modules/contrib/uml.te188
-rw-r--r--policy/modules/contrib/updfstab.fc3
-rw-r--r--policy/modules/contrib/updfstab.if21
-rw-r--r--policy/modules/contrib/updfstab.te116
-rw-r--r--policy/modules/contrib/uptime.fc6
-rw-r--r--policy/modules/contrib/uptime.if1
-rw-r--r--policy/modules/contrib/uptime.te73
-rw-r--r--policy/modules/contrib/usbmodules.fc9
-rw-r--r--policy/modules/contrib/usbmodules.if46
-rw-r--r--policy/modules/contrib/usbmodules.te47
-rw-r--r--policy/modules/contrib/usbmuxd.fc3
-rw-r--r--policy/modules/contrib/usbmuxd.if39
-rw-r--r--policy/modules/contrib/usbmuxd.te42
-rw-r--r--policy/modules/contrib/userhelper.fc9
-rw-r--r--policy/modules/contrib/userhelper.if257
-rw-r--r--policy/modules/contrib/userhelper.te14
-rw-r--r--policy/modules/contrib/usernetctl.fc2
-rw-r--r--policy/modules/contrib/usernetctl.if45
-rw-r--r--policy/modules/contrib/usernetctl.te90
-rw-r--r--policy/modules/contrib/uucp.fc11
-rw-r--r--policy/modules/contrib/uucp.if120
-rw-r--r--policy/modules/contrib/uucp.te149
-rw-r--r--policy/modules/contrib/uuidd.fc7
-rw-r--r--policy/modules/contrib/uuidd.if190
-rw-r--r--policy/modules/contrib/uuidd.te44
-rw-r--r--policy/modules/contrib/uwimap.fc2
-rw-r--r--policy/modules/contrib/uwimap.if20
-rw-r--r--policy/modules/contrib/uwimap.te98
-rw-r--r--policy/modules/contrib/varnishd.fc18
-rw-r--r--policy/modules/contrib/varnishd.if216
-rw-r--r--policy/modules/contrib/varnishd.te118
-rw-r--r--policy/modules/contrib/vbetool.fc1
-rw-r--r--policy/modules/contrib/vbetool.if45
-rw-r--r--policy/modules/contrib/vbetool.te51
-rw-r--r--policy/modules/contrib/vdagent.fc7
-rw-r--r--policy/modules/contrib/vdagent.if124
-rw-r--r--policy/modules/contrib/vdagent.te51
-rw-r--r--policy/modules/contrib/vde.fc5
-rw-r--r--policy/modules/contrib/vde.if65
-rw-r--r--policy/modules/contrib/vde.te49
-rw-r--r--policy/modules/contrib/vhostmd.fc5
-rw-r--r--policy/modules/contrib/vhostmd.if224
-rw-r--r--policy/modules/contrib/vhostmd.te76
-rw-r--r--policy/modules/contrib/virt.fc29
-rw-r--r--policy/modules/contrib/virt.if518
-rw-r--r--policy/modules/contrib/virt.te473
-rw-r--r--policy/modules/contrib/vlock.fc1
-rw-r--r--policy/modules/contrib/vlock.if46
-rw-r--r--policy/modules/contrib/vlock.te53
-rw-r--r--policy/modules/contrib/vmware.fc71
-rw-r--r--policy/modules/contrib/vmware.if104
-rw-r--r--policy/modules/contrib/vmware.te282
-rw-r--r--policy/modules/contrib/vnstatd.fc7
-rw-r--r--policy/modules/contrib/vnstatd.if143
-rw-r--r--policy/modules/contrib/vnstatd.te80
-rw-r--r--policy/modules/contrib/vpn.fc13
-rw-r--r--policy/modules/contrib/vpn.if138
-rw-r--r--policy/modules/contrib/vpn.te125
-rw-r--r--policy/modules/contrib/w3c.fc4
-rw-r--r--policy/modules/contrib/w3c.if1
-rw-r--r--policy/modules/contrib/w3c.te24
-rw-r--r--policy/modules/contrib/watchdog.fc5
-rw-r--r--policy/modules/contrib/watchdog.if1
-rw-r--r--policy/modules/contrib/watchdog.te105
-rw-r--r--policy/modules/contrib/webadm.fc1
-rw-r--r--policy/modules/contrib/webadm.if50
-rw-r--r--policy/modules/contrib/webadm.te55
-rw-r--r--policy/modules/contrib/webalizer.fc11
-rw-r--r--policy/modules/contrib/webalizer.if45
-rw-r--r--policy/modules/contrib/webalizer.te109
-rw-r--r--policy/modules/contrib/wine.fc21
-rw-r--r--policy/modules/contrib/wine.if178
-rw-r--r--policy/modules/contrib/wine.te62
-rw-r--r--policy/modules/contrib/wireshark.fc3
-rw-r--r--policy/modules/contrib/wireshark.if55
-rw-r--r--policy/modules/contrib/wireshark.te122
-rw-r--r--policy/modules/contrib/wm.fc4
-rw-r--r--policy/modules/contrib/wm.if111
-rw-r--r--policy/modules/contrib/wm.te9
-rw-r--r--policy/modules/contrib/xdg.fc8
-rw-r--r--policy/modules/contrib/xdg.if581
-rw-r--r--policy/modules/contrib/xdg.te26
-rw-r--r--policy/modules/contrib/xen.fc43
-rw-r--r--policy/modules/contrib/xen.if238
-rw-r--r--policy/modules/contrib/xen.te566
-rw-r--r--policy/modules/contrib/xfs.fc8
-rw-r--r--policy/modules/contrib/xfs.if59
-rw-r--r--policy/modules/contrib/xfs.te87
-rw-r--r--policy/modules/contrib/xguest.fc1
-rw-r--r--policy/modules/contrib/xguest.if50
-rw-r--r--policy/modules/contrib/xguest.te98
-rw-r--r--policy/modules/contrib/xprint.fc1
-rw-r--r--policy/modules/contrib/xprint.if1
-rw-r--r--policy/modules/contrib/xprint.te82
-rw-r--r--policy/modules/contrib/xscreensaver.fc1
-rw-r--r--policy/modules/contrib/xscreensaver.if30
-rw-r--r--policy/modules/contrib/xscreensaver.te42
-rw-r--r--policy/modules/contrib/yam.fc6
-rw-r--r--policy/modules/contrib/yam.if66
-rw-r--r--policy/modules/contrib/yam.te124
-rw-r--r--policy/modules/contrib/zabbix.fc9
-rw-r--r--policy/modules/contrib/zabbix.if158
-rw-r--r--policy/modules/contrib/zabbix.te137
-rw-r--r--policy/modules/contrib/zarafa.fc26
-rw-r--r--policy/modules/contrib/zarafa.if120
-rw-r--r--policy/modules/contrib/zarafa.te161
-rw-r--r--policy/modules/contrib/zebra.fc22
-rw-r--r--policy/modules/contrib/zebra.if88
-rw-r--r--policy/modules/contrib/zebra.te140
-rw-r--r--policy/modules/contrib/zosremote.fc1
-rw-r--r--policy/modules/contrib/zosremote.if45
-rw-r--r--policy/modules/contrib/zosremote.te28
-rw-r--r--policy/modules/kernel/corecommands.fc425
-rw-r--r--policy/modules/kernel/corecommands.if1093
-rw-r--r--policy/modules/kernel/corecommands.te27
-rw-r--r--policy/modules/kernel/corenetwork.fc10
-rw-r--r--policy/modules/kernel/corenetwork.if78582
-rw-r--r--policy/modules/kernel/corenetwork.if.in3136
-rw-r--r--policy/modules/kernel/corenetwork.if.m4853
-rw-r--r--policy/modules/kernel/corenetwork.te1537
-rw-r--r--policy/modules/kernel/corenetwork.te.in305
-rw-r--r--policy/modules/kernel/corenetwork.te.m4113
-rw-r--r--policy/modules/kernel/devices.fc206
-rw-r--r--policy/modules/kernel/devices.if4822
-rw-r--r--policy/modules/kernel/devices.te314
-rw-r--r--policy/modules/kernel/domain.fc1
-rw-r--r--policy/modules/kernel/domain.if1533
-rw-r--r--policy/modules/kernel/domain.te170
-rw-r--r--policy/modules/kernel/files.fc265
-rw-r--r--policy/modules/kernel/files.if6223
-rw-r--r--policy/modules/kernel/files.te228
-rw-r--r--policy/modules/kernel/filesystem.fc16
-rw-r--r--policy/modules/kernel/filesystem.if4868
-rw-r--r--policy/modules/kernel/filesystem.te302
-rw-r--r--policy/modules/kernel/kernel.fc1
-rw-r--r--policy/modules/kernel/kernel.if2960
-rw-r--r--policy/modules/kernel/kernel.te413
-rw-r--r--policy/modules/kernel/mcs.fc1
-rw-r--r--policy/modules/kernel/mcs.if104
-rw-r--r--policy/modules/kernel/mcs.te12
-rw-r--r--policy/modules/kernel/metadata.xml1
-rw-r--r--policy/modules/kernel/mls.fc1
-rw-r--r--policy/modules/kernel/mls.if984
-rw-r--r--policy/modules/kernel/mls.te69
-rw-r--r--policy/modules/kernel/selinux.fc1
-rw-r--r--policy/modules/kernel/selinux.if712
-rw-r--r--policy/modules/kernel/selinux.te70
-rw-r--r--policy/modules/kernel/storage.fc83
-rw-r--r--policy/modules/kernel/storage.if810
-rw-r--r--policy/modules/kernel/storage.te59
-rw-r--r--policy/modules/kernel/terminal.fc43
-rw-r--r--policy/modules/kernel/terminal.if1495
-rw-r--r--policy/modules/kernel/terminal.te58
-rw-r--r--policy/modules/kernel/ubac.fc1
-rw-r--r--policy/modules/kernel/ubac.if197
-rw-r--r--policy/modules/kernel/ubac.te19
-rw-r--r--policy/modules/roles/auditadm.fc1
-rw-r--r--policy/modules/roles/auditadm.if50
-rw-r--r--policy/modules/roles/auditadm.te65
-rw-r--r--policy/modules/roles/logadm.fc1
-rw-r--r--policy/modules/roles/logadm.if50
-rw-r--r--policy/modules/roles/logadm.te19
-rw-r--r--policy/modules/roles/metadata.xml1
-rw-r--r--policy/modules/roles/secadm.fc1
-rw-r--r--policy/modules/roles/secadm.if51
-rw-r--r--policy/modules/roles/secadm.te76
-rw-r--r--policy/modules/roles/staff.fc1
-rw-r--r--policy/modules/roles/staff.if50
-rw-r--r--policy/modules/roles/staff.te198
-rw-r--r--policy/modules/roles/sysadm.fc1
-rw-r--r--policy/modules/roles/sysadm.if238
-rw-r--r--policy/modules/roles/sysadm.te509
-rw-r--r--policy/modules/roles/unprivuser.fc1
-rw-r--r--policy/modules/roles/unprivuser.if50
-rw-r--r--policy/modules/roles/unprivuser.te183
-rw-r--r--policy/modules/services/metadata.xml4
-rw-r--r--policy/modules/services/postgresql.fc55
-rw-r--r--policy/modules/services/postgresql.if566
-rw-r--r--policy/modules/services/postgresql.te540
-rw-r--r--policy/modules/services/ssh.fc16
-rw-r--r--policy/modules/services/ssh.if756
-rw-r--r--policy/modules/services/ssh.te341
-rw-r--r--policy/modules/services/xserver.fc114
-rw-r--r--policy/modules/services/xserver.if1252
-rw-r--r--policy/modules/services/xserver.te1006
-rw-r--r--policy/modules/system/application.fc1
-rw-r--r--policy/modules/system/application.if207
-rw-r--r--policy/modules/system/application.te20
-rw-r--r--policy/modules/system/authlogin.fc51
-rw-r--r--policy/modules/system/authlogin.if1822
-rw-r--r--policy/modules/system/authlogin.te398
-rw-r--r--policy/modules/system/clock.fc5
-rw-r--r--policy/modules/system/clock.if100
-rw-r--r--policy/modules/system/clock.te81
-rw-r--r--policy/modules/system/fstools.fc47
-rw-r--r--policy/modules/system/fstools.if156
-rw-r--r--policy/modules/system/fstools.te197
-rw-r--r--policy/modules/system/getty.fc12
-rw-r--r--policy/modules/system/getty.if98
-rw-r--r--policy/modules/system/getty.te141
-rw-r--r--policy/modules/system/hostname.fc2
-rw-r--r--policy/modules/system/hostname.if65
-rw-r--r--policy/modules/system/hostname.te69
-rw-r--r--policy/modules/system/hotplug.fc11
-rw-r--r--policy/modules/system/hotplug.if175
-rw-r--r--policy/modules/system/hotplug.te203
-rw-r--r--policy/modules/system/init.fc79
-rw-r--r--policy/modules/system/init.if1793
-rw-r--r--policy/modules/system/init.te901
-rw-r--r--policy/modules/system/ipsec.fc46
-rw-r--r--policy/modules/system/ipsec.if371
-rw-r--r--policy/modules/system/ipsec.te445
-rw-r--r--policy/modules/system/iptables.fc20
-rw-r--r--policy/modules/system/iptables.if165
-rw-r--r--policy/modules/system/iptables.te145
-rw-r--r--policy/modules/system/libraries.fc328
-rw-r--r--policy/modules/system/libraries.if536
-rw-r--r--policy/modules/system/libraries.te150
-rw-r--r--policy/modules/system/locallogin.fc3
-rw-r--r--policy/modules/system/locallogin.if131
-rw-r--r--policy/modules/system/locallogin.te266
-rw-r--r--policy/modules/system/logging.fc77
-rw-r--r--policy/modules/system/logging.if1064
-rw-r--r--policy/modules/system/logging.te515
-rw-r--r--policy/modules/system/lvm.fc106
-rw-r--r--policy/modules/system/lvm.if125
-rw-r--r--policy/modules/system/lvm.te353
-rw-r--r--policy/modules/system/metadata.xml3
-rw-r--r--policy/modules/system/miscfiles.fc93
-rw-r--r--policy/modules/system/miscfiles.if771
-rw-r--r--policy/modules/system/miscfiles.te63
-rw-r--r--policy/modules/system/modutils.fc24
-rw-r--r--policy/modules/system/modutils.if355
-rw-r--r--policy/modules/system/modutils.te326
-rw-r--r--policy/modules/system/mount.fc4
-rw-r--r--policy/modules/system/mount.if175
-rw-r--r--policy/modules/system/mount.te219
-rw-r--r--policy/modules/system/netlabel.fc1
-rw-r--r--policy/modules/system/netlabel.if46
-rw-r--r--policy/modules/system/netlabel.te28
-rw-r--r--policy/modules/system/selinuxutil.fc53
-rw-r--r--policy/modules/system/selinuxutil.if1139
-rw-r--r--policy/modules/system/selinuxutil.te635
-rw-r--r--policy/modules/system/setrans.fc5
-rw-r--r--policy/modules/system/setrans.if42
-rw-r--r--policy/modules/system/setrans.te87
-rw-r--r--policy/modules/system/sysnetwork.fc74
-rw-r--r--policy/modules/system/sysnetwork.if741
-rw-r--r--policy/modules/system/sysnetwork.te365
-rw-r--r--policy/modules/system/udev.fc36
-rw-r--r--policy/modules/system/udev.if291
-rw-r--r--policy/modules/system/udev.te295
-rw-r--r--policy/modules/system/unconfined.fc21
-rw-r--r--policy/modules/system/unconfined.if589
-rw-r--r--policy/modules/system/unconfined.te240
-rw-r--r--policy/modules/system/userdomain.fc4
-rw-r--r--policy/modules/system/userdomain.if3278
-rw-r--r--policy/modules/system/userdomain.te96
-rw-r--r--policy/policy_capabilities33
-rw-r--r--policy/support/file_patterns.spt556
-rw-r--r--policy/support/ipc_patterns.spt14
-rw-r--r--policy/support/loadable_module.spt146
-rw-r--r--policy/support/misc_macros.spt78
-rw-r--r--policy/support/misc_patterns.spt58
-rw-r--r--policy/support/mls_mcs_macros.spt57
-rw-r--r--policy/support/obj_perm_sets.spt273
-rw-r--r--policy/users45
-rw-r--r--support/Makefile.devel223
-rw-r--r--support/comment_move_decl.sed14
-rw-r--r--support/divert.m41
-rw-r--r--support/fc_sort.c558
-rw-r--r--support/genclassperms.py308
-rw-r--r--support/genhomedircon481
-rw-r--r--support/gennetfilter.py163
-rw-r--r--support/get_type_attr_decl.sed13
-rw-r--r--support/iferror.m41
-rw-r--r--support/pyplate.py364
-rw-r--r--support/sedoctool.py847
-rw-r--r--support/segenxml.py391
-rw-r--r--support/selinux-policy-refpolicy.spec438
-rw-r--r--support/selinux-refpolicy-sources.spec.skel49
-rw-r--r--support/set_bools_tuns.awk11
-rw-r--r--support/undivert.m41
1256 files changed, 339388 insertions, 1 deletions
diff --git a/COPYING b/COPYING
new file mode 100644
index 00000000..5b6e7c66
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,340 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/Changelog b/Changelog
new file mode 100644
index 00000000..59a89e02
--- /dev/null
+++ b/Changelog
@@ -0,0 +1,925 @@
+* Wed Feb 15 2012 Chris PeBenito <selinux@tresys.com> - 2.20120215
+- Sshd usage of mkhomedir_helper via oddjob, from Sven Vermeulen.
+- Add slim and lxdm file contexts to xserver, from Sven Vermeulen.
+- Add userdom interfaces for user application domains, user tmp files,
+ and user tmpfs files.
+- Asterisk administration fixes from Sven Vermeulen.
+- Fix makefiles to install files with the correct DAC permissions if the
+ umask is not 022.
+- Remove deprecated support macros.
+- Remove rolemap and per-role template support.
+- Change corenetwork port declaration to apply the reserved port type
+ attribute only, when the type has ports above and below 1024.
+- Change secure_mode_policyload to disable only toggling of this Boolean
+ rather than disabling all Boolean toggling permissions.
+- Use role attributes to assist with domain transitions in interactive
+ programs.
+- Milter ports patch from Paul Howarth.
+- Separate portage fetch rules out of portage_run() and portage_domtrans()
+ from Sven Vermeulen.
+- Enhance corenetwork network_port() macro to support ports that do not have
+ a well defined port number, such as stunnel.
+- Opendkim support in dkim module from Paul Howarth.
+- Wireshark updates from Sven Vermeulen.
+- Change secure_mode_insmod to control sys_module capability rather than
+ controlling domain transitions to insmod.
+- Openrc and portage updates from Sven Vermeulen.
+- Allow user and role changes on dynamic transitions with the same
+ constraints as regular transitions.
+- New git service features from Dominick Grift.
+- Corenetwork policy size optimization from Dan Walsh.
+- Silence spurious udp_socket listen denials.
+- Fix unexpanded MLS/MCS fields in monolithic seusers file.
+- Type transition fix in Postgresql database objects from KaiGai Kohei.
+- Support for file context path substitutions (file_contexts.subs).
+- Added contrib modules:
+ glance (Dan Walsh)
+ rhsmcertd (Dan Walsh)
+ sanlock (Dan Walsh)
+ sblim (Dan Walsh)
+ uuidd (Dan Walsh)
+ vdagent (Dan Walsh)
+
+* Tue Jul 26 2011 Chris PeBenito <selinux@tresys.com> - 2.20110726
+- Fix role declarations to handle role attribute compilers.
+- Rename audioentropy module to entropyd due to haveged support.
+- Add haveged support from Sven Vermeulen.
+- Authentication file patch from Matthew Ife.
+- Add agent support to zabbix from Sven Vermeulen.
+- Cyrus file context update for Gentoo from Corentin Labbe.
+- Portage updates from Sven Vermeulen.
+- Fix init_system_domain() description, pointed out by Elia Pinto.
+- Postgresql selabel_lookup update from KaiGai Kohei.
+- Dovecot managesieve support from Mika Pfluger.
+- Semicolon after interface/template calls cleanup from Elia Pinto.
+- Gentoo courier updates from Sven Vermeulen.
+- Amavis patch for connecting to nslcd from Miroslav Grepl.
+- Shorewall patch from Miroslav Grepl.
+- Cpufreqselector dbus patch from Guido Trentalancia.
+- Cron pam_namespace and pam_loginuid support from Harry Ciao.
+- Xserver update for startx from Sven Vermeulen.
+- Fix MLS constraint for contains permission from Harry Ciao.
+- Apache user webpages fix from Dominick Grift.
+- Change default build.conf to modular policy from Stephen Smalley.
+- Xen refinement patch from Stephen Smalley.
+- Sudo timestamp file location update from Sven Vermeulen.
+- XServer keyboard event patch from Sven Vermeulen.
+- RAID uevent patch from Sven Vermeulen.
+- Gentoo ALSA init script usage patch from Sven Vermeulen.
+- LVM semaphore usage patch from Sven Vermeulen.
+- Module load request patch for insmod from Sven Vermeulen.
+- Cron default contexts fix from Harry Ciao.
+- Man page fixes from Justin Mattock.
+- Add syslog capability.
+- Support for logging in to /dev/console, from Harry Ciao.
+- Database object class updates and associated SEPostgreSQL changes from
+ KaiGai Kohei.
+- IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi.
+- Mount updates from Harry Ciao.
+- Semanage update for MLS systems from Harry Ciao.
+- Vlock terminal use update from Harry Ciao.
+- Hadoop CDH3 updates from Paul Nuzzi.
+- Add sepgsql_contexts appconfig files from KaiGai Kohei.
+- Added modules:
+ aiccu
+ bugzilla (Dan Walsh)
+ colord (Dan Walsh)
+ cmirrord (Miroslav Grepl)
+ mediawiki (Miroslav Grepl)
+ mpd (Miroslav Grepl)
+ ncftool
+ passenger (Miroslav Grepl)
+ qpid (Dan Walsh)
+ samhain (Harry Ciao)
+ telepathy (Dominick Grift)
+ tcsd (Stephen Smalley)
+ vnstatd (Dan Walsh)
+ zarafa (Miroslav Grepl)
+
+* Mon Dec 13 2010 Chris PeBenito <selinux@tresys.com> - 2.20101213
+- Git man page from Dominick Grift.
+- Alsa and oident home content cleanup from Dominick Grift.
+- Add support for custom build options.
+- Unconditional staff and user oidentd home config access from Dominick Grift.
+- Conditional mmap_zero support from Dominick Grift.
+- Added devtmpfs support.
+- Dbadm updates from KaiGai Kohei.
+- Virtio disk file context update from Mika Pfluger.
+- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
+- Add JIT usage for freshclam.
+- Remove ethereal module since the application was renamed to wireshark.
+- Remove duplicate/redundant rules, from Russell Coker.
+- Increased default number of categories to 1024, from Russell Coker.
+- Added modules:
+ accountsd (Dan Walsh)
+ cgroup (Dominick Grift)
+ hadoop (Paul Nuzzi)
+ kdumpgui (Dan Walsh)
+ livecd (Dan Walsh)
+ mojomojo (Iain Arnell)
+ sambagui (Dan Walsh)
+ shutdown (Dan Walsh)
+ sosreport (Dan Walsh)
+ vlock (Harry Ciao)
+
+* Mon May 24 2010 Chris PeBenito <selinux@tresys.com> - 2.20100524
+- Merged a significant portion of Fedora policy.
+- Move rules from mta mailserver delivery from interface to .te to use
+ attributes.
+- Remove concept of users from terminal module interfaces since the
+ attributes are not specific to users.
+- Add non-drawing X client support, for consolekit usage.
+- Misc Gentoo fixes from Chris Richards.
+- AFS and abrt fixes from Dominick Grift.
+- Improved the XML docs of 55 most-used interfaces.
+- Apcupsd and amavis fixes from Dominick Grift.
+- Fix network_port() in corenetwork to correctly handle port ranges.
+- SE-Postgresql updates from KaiGai Kohei.
+- X object manager revisions from Eamon Walsh.
+- Added modules:
+ aisexec (Dan Walsh)
+ chronyd (Miroslav Grepl)
+ cobbler (Dominick Grift)
+ corosync (Dan Walsh)
+ dbadm (KaiGai Kohei)
+ denyhosts (Dan Walsh)
+ nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
+ likewise (Scott Salley)
+ plymouthd (Dan Walsh)
+ pyicqt (Stefan Schulze Frielinghaus)
+ rhcs (Dan Walsh)
+ rgmanager (Dan Walsh)
+ sectoolm (Miroslav Grepl)
+ usbmuxd (Dan Walsh)
+ vhostmd (Dan Walsh)
+
+* Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117
+- Add separate x_pointer and x_keyboard classes inheriting from x_device.
+ From Eamon Walsh.
+- Deprecated the userdom_xwindows_client_template().
+- Misc Gentoo fixes from Corentin Labbe.
+- Debian policykit fixes from Martin Orr.
+- Fix unconfined_r use of unconfined_java_t.
+- Add missing x_device rules for XI2 functions, from Eamon Walsh.
+- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
+- Add btrfs and ext4 to labeling targets.
+- Fix infrastructure to expand macros in initrc_context when installing.
+- Handle unix_chkpwd usage by useradd and groupadd.
+- Add missing compatibility aliases for xdm_xserver*_t types.
+- Added modules:
+ abrt (Dan Walsh)
+ dkim (Stefan Schulze Frielinghaus)
+ gitosis (Miroslav Grepl)
+ gnomeclock (Dan Walsh)
+ hddtemp (Dan Walsh)
+ kdump (Dan Walsh)
+ modemmanager(Dan Walsh)
+ nslcd (Dan Walsh)
+ puppet (Craig Grube)
+ rtkit (Dan Walsh)
+ seunshare (Dan Walsh)
+ shorewall (Dan Walsh)
+ tgtd (Matthew Ife)
+ tuned (Miroslav Grepl)
+ xscreensaver (Corentin Labbe)
+
+* Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730
+- Gentoo fixes for init scripts and system startup.
+- Remove read_default_t tunable.
+- Greylist milter from Paul Howarth.
+- Crack db access for su to handle password expiration, from Brandon Whalen.
+- Misc fixes for unix_update from Brandon Whalen.
+- Add x_device permissions for XI2 functions, from Eamon Walsh.
+- MLS constraints for the x_selection class, from Eamon Walsh.
+- Postgresql updates from KaiGai Kohei.
+- Milter state directory patch from Paul Howarth.
+- Add MLS constrains for ingress/egress and secmark from Paul Moore.
+- Drop write permission from fs_read_rpc_sockets().
+- Remove unused udev_runtime_t type.
+- Patch for RadSec port from Glen Turner.
+- Enable network_peer_controls policy capability from Paul Moore.
+- Btrfs xattr support from Paul Moore.
+- Add db_procedure install permission from KaiGai Kohei.
+- Add support for network interfaces with access controlled by a Boolean
+ from the CLIP project.
+- Several fixes from the CLIP project.
+- Add support for labeled Booleans.
+- Remove node definitions and change node usage to generic nodes.
+- Add kernel_service access vectors, from Stephen Smalley.
+- Added modules:
+ certmaster (Dan Walsh)
+ cpufreqselector (Dan Walsh)
+ devicekit (Dan Walsh)
+ fprintd (Dan Walsh)
+ git (Dan Walsh)
+ gpsd (Miroslav Grepl)
+ guest (Dan Walsh)
+ ifplugd (Dan Walsh)
+ lircd (Miroslav Grepl)
+ logadm (Dan Walsh)
+ pads (Dan Walsh)
+ pingd (Dan Walsh)
+ policykit (Dan Walsh)
+ pulseaudio (Dan Walsh)
+ psad (Dan Walsh)
+ portreserve (Dan Walsh)
+ sssd (Dan Walsh)
+ ulogd (Dan Walsh)
+ varnishd (Dan Walsh)
+ webadm (Dan Walsh)
+ wm (Dan Walsh)
+ xguest (Dan Walsh)
+ zosremote (Dan Walsh)
+
+* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210
+- Fix consistency of audioentropy and iscsi module naming.
+- Debian file context fix for xen from Russell Coker.
+- Xserver MLS fix from Eamon Walsh.
+- Add omapi port for dhcpcd.
+- Deprecate per-role templates and rolemap support.
+- Implement user-based access control for use as role separations.
+- Move shared library calls from individual modules to the domain module.
+- Enable open permission checks policy capability.
+- Remove hierarchy from portage module as it is not a good example of
+ hieararchy.
+- Remove enableaudit target from modular build as semodule -DB supplants it.
+- Added modules:
+ milter (Paul Howarth)
+
+* Tue Oct 14 2008 Chris PeBenito <selinux@tresys.com> - 20081014
+- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
+- Logrotate and Bind updates from Vaclav Ovsik.
+- Init script file and domain support.
+- Glibc 2.7 fix from Vaclav Ovsik.
+- Samba/winbind update from Mike Edenfield.
+- Policy size optimization with a non-security file attribute from James
+ Carter.
+- Database labeled networking update from KaiGai Kohei.
+- Several misc changes from the Fedora policy, cherry picked by David
+ Hardeman.
+- Large whitespace fix from Dominick Grift.
+- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
+- Issuing commands to upstart is over a datagram socket, not the initctl
+ named pipe. Updated init_telinit() to match.
+- Added modules:
+ cyphesis (Dan Walsh)
+ memcached (Dan Walsh)
+ oident (Dominick Grift)
+ w3c (Dan Walsh)
+
+* Wed Jul 02 2008 Chris PeBenito <selinux@tresys.com> - 20080702
+- Fix httpd_enable_homedirs to actually provide the access it is supposed to
+ provide.
+- Add unused interface/template parameter metadata in XML.
+- Patch to handle postfix data_directory from Vaclav Ovsik.
+- SE-Postgresql policy from KaiGai Kohei.
+- Patch for X.org dbus support from Martin Orr.
+- Patch for labeled networking controls in 2.6.25 from Paul Moore.
+- Module loading now requires setsched on kernel threads.
+- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
+- X application data class from Eamon Walsh and Ted Toth.
+- Move user roles into individual modules.
+- Make hald_log_t a log file.
+- Cryptsetup runs shell scripts. Patch from Martin Orr.
+- Add file for enabling policy capabilities.
+- Patch to fix leaky interface/template call depth calculator from Vaclav
+ Ovsik.
+- Added modules:
+ kerneloops (Dan Walsh)
+ kismet (Dan Walsh)
+ podsleuth (Dan Walsh)
+ prelude (Dan Walsh)
+ qemu (Dan Walsh)
+ virt (Dan Walsh)
+
+* Wed Apr 02 2008 Chris PeBenito <selinux@tresys.com> - 20080402
+- Add core Security Enhanced X Windows support.
+- Fix winbind socket connection interface for default location of the
+ sock_file.
+- Add wireshark module based on ethereal module.
+- Revise upstart support in init module to use a tunable, as upstart is now
+ used in Fedora too.
+- Add iferror.m4 rather generate it out of the Makefiles.
+- Definitions for open permisson on file and similar objects from Eric
+ Paris.
+- Apt updates for ptys and logs, from Martin Orr.
+- RPC update from Vaclav Ovsik.
+- Exim updates on Debian from Devin Carrawy.
+- Pam and samba updates from Stefan Schulze Frielinghaus.
+- Backup update on Debian from Vaclav Ovsik.
+- Cracklib update on Debian from Vaclav Ovsik.
+- Label /proc/kallsyms with system_map_t.
+- 64-bit capabilities from Stephen Smalley.
+- Labeled networking peer object class updates.
+
+* Fri Dec 14 2007 Chris PeBenito <selinux@tresys.com> - 20071214
+- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
+- Improve several tunables descriptions from Dan Walsh.
+- Patch to clean up ns switch usage in the policy from Dan Walsh.
+- More complete labeled networking infrastructure from KaiGai Kohei.
+- Add interface for libselinux constructor, for libselinux-linked
+ SELinux-enabled programs.
+- Patch to restructure user role templates to create restricted user roles
+ from Dan Walsh.
+- Russian man page translations from Andrey Markelov.
+- Remove unused types from dbus.
+- Add infrastructure for managing all user web content.
+- Deprecate some old file and dir permission set macros in favor of the
+ newer, more consistently-named macros.
+- Patch to clean up unescaped periods in several file context entries from
+ Jan-Frode Myklebust.
+- Merge shlib_t into lib_t.
+- Merge strict and targeted policies. The policy will now behave like the
+ strict policy if the unconfined module is not present. If it is, it will
+ behave like the targeted policy. Added an unconfined role to have a mix
+ of confined and unconfined users.
+- Added modules:
+ exim (Dan Walsh)
+ postfixpolicyd (Jan-Frode Myklebust)
+
+* Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928
+- Add support for setting the unknown permissions handling.
+- Fix XML building for external reference builds and headers builds.
+- Patch to add missing requirements in userdomain interfaces from Shintaro
+ Fujiwara.
+- Add tcpd_wrapped_domain() for services that use tcp wrappers.
+- Update MLS constraints from LSPP evaluated policy.
+- Allow initrc_t file descriptors to be inherited regardless of MLS level.
+ Accordingly drop MLS permissions from daemons that inherit from any level.
+- Files and radvd updates from Stefan Schulze Frielinghaus.
+- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
+ mls_write_all_levels() and mls_read_all_levels(), for consistency.
+- Add make kernel and init ranged interfaces pass the range transition MLS
+ constraints. Also remove calls to mls_rangetrans_target() in modules that use
+ the kernel and init interfaces, since its redundant.
+- Add interfaces for all MLS attributes except X object classes.
+- Require all sensitivities and categories for MLS and MCS policies, not just
+ the low and high sensitivity and category.
+- Database userspace object manager classes from KaiGai Kohei.
+- Add third-party interface for Apache CGI.
+- Add getserv and shmemserv nscd permissions.
+- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
+- Added modules:
+ application
+ awstats (Stefan Schulze Frielinghaus)
+ bitlbee (Devin Carraway)
+ brctl (Dan Walsh)
+
+* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629
+- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
+ libraries module.
+- Unified labeled networking policy from Paul Moore.
+- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
+- Xen updates from Dan Walsh.
+- Filesystem updates from Dan Walsh.
+- Large samba update from Dan Walsh.
+- Drop snmpd_etc_t.
+- Confine sendmail and logrotate on targeted.
+- Tunable connection to postgresql for users from KaiGai Kohei.
+- Memprotect support patch from Stephen Smalley.
+- Add logging_send_audit_msgs() interface and deprecate
+ send_audit_msgs_pattern().
+- Openct updates patch from Dan Walsh.
+- Merge restorecon into setfiles.
+- Patch to begin separating out hald helper programs from Dan Walsh.
+- Fixes for squid, dovecot, and snmp from Dan Walsh.
+- Miscellaneous consolekit fixes from Dan Walsh.
+- Patch to have avahi use the nsswitch interface rather than individual
+ permissions from Dan Walsh.
+- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
+- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
+ to handle usage from userhelper from Dan Walsh.
+- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
+- Patch to allow slocate to getattr other filesystems and directories on those
+ filesystems from Dan Walsh.
+- Fixes for RHEL4 from the CLIP project.
+- Replace the old lrrd fc entries with munin ones.
+- Move program admin template usage out of userdom_admin_user_template() to
+ sysadm policy in userdomain.te to fix usage of the template for third
+ parties.
+- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
+ template instead of an interface.
+- Added modules:
+ amtu (Dan Walsh)
+ apcupsd (Dan Walsh)
+ rpcbind (Dan Walsh)
+ rwho (Nalin Dahyabhai)
+
+* Tue Apr 17 2007 Chris PeBenito <selinux@tresys.com> - 20070417
+- Patch for sasl's use of kerberos from Dan Walsh.
+- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
+- Man page updates from Dan Walsh.
+- Two patches from Paul Moore to for ipsec to remove redundant rules and
+ have setkey read the config file.
+- Move booleans and tunables to modules when it is only used in a single
+ module.
+- Add support for tunables and booleans local to a module.
+- Merge sbin_t and ls_exec_t into bin_t.
+- Remove disable_trans booleans.
+- Output different header sets for kernel and userland from flask headers.
+- Marked the pax class as deprecated, changed it to userland so
+ it will be removed from the kernel.
+- Stop including netfilter contexts by default.
+- Add dontaudits for init fds and console to init_daemon_domain().
+- Patch to allow gpg to create user keys dir.
+- Patch to support kvmfs from Dan Walsh.
+- Patch for misc fixes in sudo from Dan Walsh.
+- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
+- Patch for handling restart of nscd when ran from useradd, groupadd, and
+ admin passwd, from Dan Walsh.
+- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
+- Patch for setroubleshoot for validating file contexts from Dan Walsh.
+- Patch for gssd fixes from Dan Walsh.
+- Patch for lvm fixes from Dan Walsh.
+- Patch for ricci fixes from Dan Walsh.
+- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
+- Patch for kerberized telnet fixes from Dan Walsh.
+- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
+- Patch for an additional wine executable from Dan Walsh.
+- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
+ corecommands, devices, and java from Dan Walsh.
+- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
+- Patch for misc fixes to bluetooth from Dan Walsh.
+- Patch for misc fixes to kerberos from Dan Walsh.
+- Patch to start deprecating usercanread attribute from Ryan Bradetich.
+- Add dccp_socket object class which was added in kernel 2.6.20.
+- Patch for prelink relabefrom it's temp files from Dan Walsh.
+- Patch for capability fix for auditd and networking fix for syslogd from
+ Dan Walsh.
+- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
+- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
+- Patch to allow apmd to telinit from Dan Walsh.
+- Patch for additional labeling of samba files from Stefan Schulze
+ Frielinghaus.
+- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
+- Fix ptys and ttys to be device nodes.
+- Fix explicit use of httpd_t in openca_domtrans().
+- Clean up file context regexes in apache and java, from Eamon Walsh.
+- Patches from Dan Walsh:
+ Thu, 25 Jan 2007
+- Added modules:
+ consolekit (Dan Walsh)
+ fail2ban (Dan Walsh)
+ zabbix (Dan Walsh)
+
+* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
+- Add policy patterns support macros. This changes the behavior of
+ the create_dir_perms and create_file_perms permission sets.
+- Association polmatch MLS constraint making unlabeled_t an exception
+ is no longer needed, patch from Venkat Yekkirala.
+- Context contains checking for PAM and cron from James Antill.
+- Add a reload target to Modules.devel and change the load
+ target to only insert modules that were changed.
+- Allow semanage to read from /root on strict non-MLS for
+ local policy modules.
+- Gentoo init script fixes for udev.
+- Allow udev to read kernel modules.inputmap.
+- Dnsmasq fixes from testing.
+- Allow kernel NFS server to getattr filesystems so df can work
+ on clients.
+- Patch from Matt Anderson for a MLS constraint exemption on a
+ file that can be written to from a subject whose range is
+ within the object's range.
+- Enhanced setransd support from Darrel Goeddel.
+- Patches from Dan Walsh:
+ Tue, 24 Oct 2006
+ Wed, 29 Nov 2006
+- Added modules:
+ aide (Matt Anderson)
+ ccs (Dan Walsh)
+ iscsi (Dan Walsh)
+ ricci (Dan Walsh)
+
+* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
+- Patch from Russell Coker Thu, 5 Oct 2006
+- Move range transitions to modules.
+- Make number of MLS sensitivities, and number of MLS and MCS
+ categories configurable as build options.
+- Add role infrastructure.
+- Debian updates from Erich Schubert.
+- Add nscd_socket_use() to auth_use_nsswitch().
+- Remove old selopt rules.
+- Full support for netfilter_contexts.
+- MRTG patch for daemon operation from Stefan.
+- Add authlogin interface to abstract common access for login programs.
+- Remove setbool auditallow, except for RHEL4.
+- Change eventpollfs to task SID labeling.
+- Add key support from Michael LeMay.
+- Add ftpdctl domain to ftp, from Paul Howarth.
+- Fix build system to not move type declarations out of optionals.
+- Add gcc-config domain to portage.
+- Add packet object class and support in corenetwork.
+- Add a copy of genhomedircon for monolithic policy building, so that a
+ policycoreutils package update is not required for RHEL4 systems.
+- Add appletalk sockets for use in cups.
+- Add Make target to validate module linking.
+- Make duplicate template and interface declarations a fatal error.
+- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
+- Move xconsole_device_t from devices to xserver since it is
+ not actually a device, it is a named pipe.
+- Handle nonexistant .fc and .if files in devel Makefile by
+ automatically creating empty files.
+- Remove unused devfs_control_t.
+- Add rhel4 distro, which also implies redhat distro.
+- Remove unneeded range_transition for su_exec_t and move the
+ type declaration back to the su module.
+- Constrain transitions in MCS so unconfined_t cannot have
+ arbitrary category sets.
+- Change reiserfs from xattr filesystem to genfscon as it's xattrs
+ are currently nonfunctional.
+- Change files and filesystem modules to use their own interfaces.
+- Add user fonts to xserver.
+- Additional interfaces in corecommands, miscfiles, and userdomain
+ from Joy Latten.
+- Miscellaneous fixes from Thomas Bleher.
+- Deprecate module name as first parameter of optional_policy()
+ now that optionals are allowed everywhere.
+- Enable optional blocks in base module and monolithic policy.
+ This requires checkpolicy 1.30.1.
+- Fix vpn module declaration.
+- Numerous fixes from Dan Walsh.
+- Change build order to preserve m4 line number information so policy
+ compile errors are useful again.
+- Additional MLS interfaces from Chad Hanson.
+- Move some rules out of domain_type() and domain_base_type()
+ to the TE file, to use the domain attribute to take advantage
+ of space savings from attribute use.
+- Add global stack smashing protector rule for urandom access from
+ Petre Rodan.
+- Fix temporary rules at the bottom of portmap.
+- Updated comments in mls file from Chad Hanson.
+- Patches from Dan Walsh:
+ Fri, 17 Mar 2006
+ Wed, 29 Mar 2006
+ Tue, 11 Apr 2006
+ Fri, 14 Apr 2006
+ Tue, 18 Apr 2006
+ Thu, 20 Apr 2006
+ Tue, 02 May 2006
+ Mon, 15 May 2006
+ Thu, 18 May 2006
+ Tue, 06 Jun 2006
+ Mon, 12 Jun 2006
+ Tue, 20 Jun 2006
+ Wed, 26 Jul 2006
+ Wed, 23 Aug 2006
+ Thu, 31 Aug 2006
+ Fri, 01 Sep 2006
+ Tue, 05 Sep 2006
+ Wed, 20 Sep 2006
+ Fri, 22 Sep 2006
+ Mon, 25 Sep 2006
+- Added modules:
+ afs
+ amavis (Erich Schubert)
+ apt (Erich Schubert)
+ asterisk
+ audioentropy
+ authbind
+ backup
+ calamaris
+ cipe
+ clamav (Erich Schubert)
+ clockspeed (Petre Rodan)
+ courier
+ dante
+ dcc
+ ddclient
+ dpkg (Erich Schubert)
+ dnsmasq
+ ethereal
+ evolution
+ games
+ gatekeeper
+ gift
+ gnome (James Carter)
+ imaze
+ ircd
+ jabber
+ monop
+ mozilla
+ mplayer
+ munin
+ nagios
+ nessus
+ netlabel (Paul Moore)
+ nsd
+ ntop
+ nx
+ oav
+ oddjob (Dan Walsh)
+ openca
+ openvpn (Petre Rodan)
+ perdition
+ portslave
+ postgrey
+ pxe
+ pyzor (Dan Walsh)
+ qmail (Petre Rodan)
+ razor
+ resmgr
+ rhgb
+ rssh
+ snort
+ soundserver
+ speedtouch
+ sxid
+ thunderbird
+ tor (Erich Schubert)
+ transproxy
+ tripwire
+ uptime
+ uwimap
+ vmware
+ watchdog
+ xen (Dan Walsh)
+ xprint
+ yam
+
+* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
+- Make all interface parameters required.
+- Move boot_t, system_map_t, and modules_object_t to files module,
+ and move bootloader to admin layer.
+- Add semanage policy for semodule from Dan Walsh.
+- Remove allow_execmem from targeted policy domain_base_type().
+- Add users_extra and seusers support.
+- Postfix fixes from Serge Hallyn.
+- Run python and shell directly to interpret scripts so policy
+ sources need not be executable.
+- Add desc tag XML to booleans and tunables, and add summary
+ to param XML tag, to make future translations possible.
+- Remove unused lvm_vg_t.
+- Many interface renames to improve naming consistency.
+- Merge xdm into xserver.
+- Remove kernel module reversed interfaces.
+- Add filename attribute to module XML tag and lineno attribute to
+ interface XML tag.
+- Changed QUIET build option to a yes or no option.
+- Add a Makefile used for compiling loadable modules in a
+ user's development environment, building against policy headers.
+- Add Make target for installing policy headers.
+- Separate per-userdomain template expansion from the userdomain
+ module and add infrastructure to expand templates in the modules
+ that own the template.
+- Enable secadm only for MLS policies.
+- Remove role change rules in su and sudo since this functionality has been
+ removed from these programs.
+- Add ctags Make target from Thomas Bleher.
+- Collapse commands with grep piped to sed into one sed command.
+- Fix type_change bug in term_user_pty().
+- Move ice_tmp_t from miscfiles to xserver.
+- Login fixes from Serge Hallyn.
+- Move xserver_log_t from xdm to xserver.
+- Add lpr per-userdomain policy to lpd.
+- Miscellaneous fixes from Dan Walsh.
+- Change initrc_var_run_t interface noun from script_pid to utmp,
+ for greater clarity.
+- Added modules:
+ certwatch
+ mono (Dan Walsh)
+ mrtg
+ portage
+ tvtime
+ userhelper
+ usernetctl
+ wine (Dan Walsh)
+ xserver
+
+* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
+- Adds support for generating corenetwork interfaces based on attributes
+ in addition to types.
+- Permits the listing of multiple nodes in a network_node() that will be
+ given the same type.
+- Add two new permission sets for stream sockets.
+- Rename file type transition interfaces verb from create to
+ filetrans to differentiate it from create interfaces without
+ type transitions.
+- Fix expansion of interfaces from disabled modules.
+- Rsync can be long running from init,
+ added rules to allow this.
+- Add polyinstantiation build option.
+- Add setcontext to the association object class.
+- Add apache relay and db connect tunables.
+- Rename texrel_shlib_t to textrel_shlib_t.
+- Add swat to samba module.
+- Numerous miscellaneous fixes from Dan Walsh.
+- Added modules:
+ alsa
+ automount
+ cdrecord
+ daemontools (Petre Rodan)
+ ddcprobe
+ djbdns (Petre Rodan)
+ fetchmail
+ irc
+ java
+ lockdev
+ logwatch (Dan Walsh)
+ openct
+ prelink (Dan Walsh)
+ publicfile (Petre Rodan)
+ readahead
+ roundup
+ screen
+ slocate (Dan Walsh)
+ slrnpull
+ smartmon
+ sysstat
+ ucspitcp (Petre Rodan)
+ usbmodules
+ vbetool (Dan Walsh)
+
+* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
+- Add unlabeled IPSEC association rule to domains with
+ networking permissions.
+- Merge systemuser back in to users, as these files
+ do not need to be split.
+- Add check for duplicate interface/template definitions.
+- Move domain, files, and corecommands modules to kernel
+ layer to resolve some layering inconsistencies.
+- Move policy build options out of Makefile into build.conf.
+- Add yppasswd to nis module.
+- Change optional_policy() to refer to the module name
+ rather than modulename.te.
+- Fix labeling targets to use installed file_contexts rather
+ than partial file_contexts in the policy source directory.
+- Fix build process to use make's internal vpath functions
+ to detect modules rather than using subshells and find.
+- Add install target for modular policy.
+- Add load target for modular policy.
+- Add appconfig dependency to the load target.
+- Miscellaneous fixes from Dan Walsh.
+- Fix corenetwork gen_context()'s to expand during the policy
+ build phase instead of during the generation phase.
+- Added policies:
+ amanda
+ avahi
+ canna
+ cyrus
+ dbskk
+ dovecot
+ distcc
+ i18n_input
+ irqbalance
+ lpd
+ networkmanager
+ pegasus
+ postfix
+ procmail
+ radius
+ rdisc
+ rpc
+ spamassassin
+ timidity
+ xdm
+ xfs
+
+* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
+- Many fixes to make loadable modules build.
+- Add targets for sechecker.
+- Updated to sedoctool to read bool files and tunable
+ files separately.
+- Changed the xml tag of <boolean> to <bool> to be consistent
+ with gen_bool().
+- Modified the implementation of segenxml to use regular
+ expressions.
+- Rename context_template() to gen_context() to clarify
+ that its not a Reference Policy template, but a support
+ macro.
+- Add disable_*_trans bool support for targeted policy.
+- Add MLS module to handle MLS constraint exceptions,
+ such as reading up and writing down.
+- Fix errors uncovered by sediff.
+- Added policies:
+ anaconda
+ apache
+ apm
+ arpwatch
+ bluetooth
+ dmidecode
+ finger
+ ftp
+ kudzu
+ mailman
+ ppp
+ radvd
+ sasl
+ webalizer
+
+* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
+- Make logrotate, sendmail, sshd, and rpm policies
+ unconfined in the targeted policy so no special
+ modules.conf is required.
+- Add experimental MCS support.
+- Add appconfig for MLS.
+- Add equivalents for old can_resolve(), can_ldap(), and
+ can_portmap() to sysnetwork.
+- Fix base module compile issues.
+- Added policies:
+ cpucontrol
+ cvs
+ ktalk
+ portmap
+ postgresql
+ rlogin
+ samba
+ snmp
+ stunnel
+ telnet
+ tftp
+ uucp
+ vpn
+ zebra
+
+* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
+- Fix errors uncovered by sediff.
+- Doc tool will explicitly say a module does not have interfaces
+ or templates on the module page.
+- Added policies:
+ comsat
+ dbus
+ dhcp
+ dictd
+ hal
+ inn
+ ntp
+ squid
+
+* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
+- Add Makefile support for building loadable modules.
+- Add genclassperms.py tool to add require blocks
+ for loadable modules.
+- Change sedoctool to make required modules part of base
+ by default, otherwise make as modules, in modules.conf.
+- Fix segenxml to handle modules with no interfaces.
+- Rename ipsec connect interface for consistency.
+- Add missing parts of unix stream socket connect interface
+ of ipsec.
+- Rename inetd connect interface for consistency.
+- Rename interface for purging contents of tmp, for clarity,
+ since it allows deletion of classes other than file.
+- Misc. cleanups.
+- Added policies:
+ acct
+ bind
+ firstboot
+ gpm
+ howl
+ ldap
+ loadkeys
+ mysql
+ privoxy
+ quota
+ rshd
+ rsync
+ su
+ sudo
+ tcpd
+ tmpreaper
+ updfstab
+
+* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
+- Fix comparison bug in fc_sort.
+- Fix handling of ordered and unordered HTML lists.
+- Corenetwork now supports multiple network interfaces having the
+ same type.
+- Doc tool now creates pages for global Booleans and global tunables.
+- Doc tool now links directly to the interface/template in the
+ module page when it is selected in the interface/template index.
+- Added support for layer summaries.
+- Added policies:
+ ipsec
+ nscd
+ pcmcia
+ raid
+
+* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
+- Changed xml to have modules encapsulated by layer tags, rather
+ than putting layer="foo" in the module tags. Also in the future
+ we can put a summary and description for each layer.
+- Added tool to infer interface, module, and layer tags. This will
+ now list all interfaces, even if they are missing xml docs.
+- Shortened xml tag names.
+- Added macros to declare interfaces and templates.
+- Added interface call trace.
+- Updated all xml documentation for shorter and inferred tags.
+- Doc tool now displays templates in the web pages.
+- Doc tool retains the user's settings in modules.conf and
+ tunables.conf if the files already exist.
+- Modules.conf behavior has been changed to be a list of all
+ available modules, and the user can specify if the module is
+ built as a loadable module, included in the monolithic policy,
+ or excluded.
+- Added policies:
+ fstools (fsck, mkfs, swapon, etc. tools)
+ logrotate
+ inetd
+ kerberos
+ nis (ypbind and ypserv)
+ ssh (server, client, and agent)
+ unconfined
+- Added infrastructure for targeted policy support, only missing
+ transition boolean support.
+
+* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615
+ - Initial release
diff --git a/INSTALL b/INSTALL
new file mode 100644
index 00000000..d2ab5cb5
--- /dev/null
+++ b/INSTALL
@@ -0,0 +1,42 @@
+Reference Policy has the following build requirements:
+ * libsepol 2.1.0
+ * libsemanage 2.1.0
+ * checkpolicy 2.1.0
+ * policycoreutils 2.1.0
+ * Python PyXML
+ * GCC
+
+To install Reference Policy sources into /etc/selinux/refpolicy/src/policy:
+
+ make install-src
+
+This will back up a pre-existing source policy to the
+/etc/selinux/refpolicy/src/policy.bak directory.
+
+If you do not have a modules.conf, one can be generated:
+
+ make conf
+
+This will create a default modules.conf. Options for the policy
+build process can be found in build.conf. After installing the policy sources,
+the old Make targets have been maintained for the monolithic policy:
+
+Local policy development:
+
+ make policy
+
+Compile and install the policy:
+
+ make install
+
+Compile, install, and load the policy:
+
+ make load
+
+Filesystem labeling:
+
+ make relabel
+ make checklabels
+ make restorelabels
+
+See the README for more information on available make targets.
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..39a3d408
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,637 @@
+#
+# Makefile for the security policy.
+#
+# Targets:
+#
+# install - compile and install the policy configuration, and context files.
+# load - compile, install, and load the policy configuration.
+# reload - compile, install, and load/reload the policy configuration.
+# relabel - relabel filesystems based on the file contexts configuration.
+# checklabels - check filesystems against the file context configuration
+# restorelabels - check filesystems against the file context configuration
+# and restore the label of files with incorrect labels
+# policy - compile the policy configuration locally for testing/development.
+#
+# The default target is 'policy'.
+#
+#
+# Please see build.conf for policy build options.
+#
+
+########################################
+#
+# NO OPTIONS BELOW HERE
+#
+
+# Include the local build.conf if it exists, otherwise
+# include the configuration of the root directory.
+include build.conf
+
+ifdef LOCAL_ROOT
+ -include $(LOCAL_ROOT)/build.conf
+endif
+
+# refpolicy version
+version = $(shell cat VERSION)
+
+ifdef LOCAL_ROOT
+builddir := $(LOCAL_ROOT)/
+tmpdir := $(LOCAL_ROOT)/tmp
+tags := $(LOCAL_ROOT)/tags
+else
+tmpdir := tmp
+tags := tags
+endif
+
+# executable paths
+BINDIR ?= /usr/bin
+SBINDIR ?= /usr/sbin
+ifdef TEST_TOOLCHAIN
+tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin
+else
+tc_usrbindir := $(BINDIR)
+tc_usrsbindir := $(SBINDIR)
+tc_sbindir := /sbin
+endif
+CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
+CHECKMODULE ?= $(tc_usrbindir)/checkmodule
+SEMODULE ?= $(tc_usrsbindir)/semodule
+SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
+SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
+SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
+LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+SETFILES ?= $(tc_sbindir)/setfiles
+XMLLINT ?= $(BINDIR)/xmllint
+SECHECK ?= $(BINDIR)/sechecker
+
+# interpreters and aux tools
+AWK ?= gawk
+GREP ?= egrep
+INSTALL ?= install
+M4 ?= m4
+PYTHON ?= python
+SED ?= sed
+SORT ?= LC_ALL=C sort
+UMASK ?= umask
+
+CFLAGS += -Wall
+
+# policy source layout
+poldir := policy
+moddir := $(poldir)/modules
+flaskdir := $(poldir)/flask
+secclass := $(flaskdir)/security_classes
+isids := $(flaskdir)/initial_sids
+avs := $(flaskdir)/access_vectors
+
+# local source layout
+ifdef LOCAL_ROOT
+local_poldir := $(LOCAL_ROOT)/policy
+local_moddir := $(local_poldir)/modules
+endif
+
+# policy building support tools
+support := support
+genxml := $(PYTHON) -E $(support)/segenxml.py
+gendoc := $(PYTHON) -E $(support)/sedoctool.py
+genperm := $(PYTHON) -E $(support)/genclassperms.py
+fcsort := $(tmpdir)/fc_sort
+setbools := $(AWK) -f $(support)/set_bools_tuns.awk
+get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
+comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
+gennetfilter := $(PYTHON) -E $(support)/gennetfilter.py
+m4iferror := $(support)/iferror.m4
+m4divert := $(support)/divert.m4
+m4undivert := $(support)/undivert.m4
+# use our own genhomedircon to make sure we have a known usable one,
+# so policycoreutils updates are not required (RHEL4)
+genhomedircon := $(PYTHON) -E $(support)/genhomedircon
+
+# documentation paths
+docs := doc
+xmldtd = $(docs)/policy.dtd
+metaxml = metadata.xml
+doctemplate = $(docs)/templates
+docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)
+
+ifndef LOCAL_ROOT
+polxml = $(docs)/policy.xml
+tunxml = $(docs)/global_tunables.xml
+boolxml = $(docs)/global_booleans.xml
+htmldir = $(docs)/html
+else
+polxml = $(LOCAL_ROOT)/doc/policy.xml
+tunxml = $(LOCAL_ROOT)/doc/global_tunables.xml
+boolxml = $(LOCAL_ROOT)/doc/global_booleans.xml
+htmldir = $(LOCAL_ROOT)/doc/html
+endif
+
+# config file paths
+globaltun = $(poldir)/global_tunables
+globalbool = $(poldir)/global_booleans
+user_files := $(poldir)/users
+policycaps := $(poldir)/policy_capabilities
+
+# local config file paths
+ifndef LOCAL_ROOT
+mod_conf = $(poldir)/modules.conf
+booleans = $(poldir)/booleans.conf
+tunables = $(poldir)/tunables.conf
+else
+mod_conf = $(local_poldir)/modules.conf
+booleans = $(local_poldir)/booleans.conf
+tunables = $(local_poldir)/tunables.conf
+endif
+
+# install paths
+PKGNAME ?= refpolicy-$(version)
+prefix = $(DESTDIR)/usr
+topdir = $(DESTDIR)/etc/selinux
+installdir = $(topdir)/$(strip $(NAME))
+srcpath = $(installdir)/src
+userpath = $(installdir)/users
+policypath = $(installdir)/policy
+contextpath = $(installdir)/contexts
+homedirpath = $(contextpath)/files/homedir_template
+fcpath = $(contextpath)/files/file_contexts
+fcsubspath = $(contextpath)/files/file_contexts.subs_dist
+ncpath = $(contextpath)/netfilter_contexts
+sharedir = $(prefix)/share/selinux
+modpkgdir = $(sharedir)/$(strip $(NAME))
+headerdir = $(modpkgdir)/include
+docsdir = $(prefix)/share/doc/$(PKGNAME)
+
+# enable MLS if requested.
+ifeq "$(TYPE)" "mls"
+ M4PARAM += -D enable_mls
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+ gennetfilter += -m
+endif
+
+# enable MLS if MCS requested.
+ifeq "$(TYPE)" "mcs"
+ M4PARAM += -D enable_mcs
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+ gennetfilter += -c
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+ M4PARAM += -D distro_$(DISTRO)
+endif
+
+# rhel4 also implies redhat
+ifeq "$(DISTRO)" "rhel4"
+ M4PARAM += -D distro_redhat
+endif
+
+ifeq "$(DISTRO)" "ubuntu"
+ M4PARAM += -D distro_debian
+endif
+
+ifneq ($(OUTPUT_POLICY),)
+ CHECKPOLICY += -c $(OUTPUT_POLICY)
+endif
+
+ifneq "$(CUSTOM_BUILDOPT)" ""
+ M4PARAM += $(foreach opt,$(CUSTOM_BUILDOPT),-D $(opt))
+endif
+
+# if not set, use the type as the name.
+NAME ?= $(TYPE)
+
+# default unknown permissions setting
+#UNK_PERMS ?= deny
+
+ifeq ($(DIRECT_INITRC),y)
+ M4PARAM += -D direct_sysadm_daemon
+endif
+
+ifeq "$(UBAC)" "y"
+ M4PARAM += -D enable_ubac
+endif
+
+# default MLS/MCS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
+
+ifeq ($(QUIET),y)
+ verbose = @
+endif
+
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
+
+# we need exuberant ctags; unfortunately it is named
+# differently on different distros
+ifeq ($(DISTRO),debian)
+ CTAGS := ctags-exuberant
+endif
+
+ifeq ($(DISTRO),gentoo)
+ CTAGS := exuberant-ctags
+endif
+
+CTAGS ?= ctags
+
+m4support := $(m4divert) $(wildcard $(poldir)/support/*.spt)
+ifdef LOCAL_ROOT
+m4support += $(wildcard $(local_poldir)/support/*.spt)
+endif
+m4support += $(m4undivert)
+
+appconf := config/appconfig-$(TYPE)
+seusers := $(appconf)/seusers
+appdir := $(contextpath)
+user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
+net_contexts := $(builddir)net_contexts
+
+all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+ifdef LOCAL_ROOT
+all_layers += $(shell find $(wildcard $(local_moddir)/*) -maxdepth 0 -type d)
+endif
+
+generated_te := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te.in)))
+generated_if := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.if.in)))
+generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in)))
+
+# sort here since it removes duplicates, which can happen
+# when a generated file is already generated
+detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
+
+modxml := $(addprefix $(tmpdir)/, $(detected_mods:.te=.xml))
+layerxml := $(sort $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))))
+layer_names := $(sort $(notdir $(all_layers)))
+all_metaxml = $(call detect-metaxml, $(layer_names))
+
+# modules.conf setting for base module
+configbase := base
+
+# modules.conf setting for loadable module
+configmod := module
+
+# modules.conf setting for unused module
+configoff := off
+
+# test for module overrides from command line
+mod_test = $(filter $(APPS_OFF), $(APPS_BASE) $(APPS_MODS))
+mod_test += $(filter $(APPS_MODS), $(APPS_BASE))
+ifneq "$(strip $(mod_test))" ""
+ $(error Applications must be base, module, or off, and not in more than one list! $(strip $(mod_test)) found in multiple lists!)
+endif
+
+# add on suffix to modules specified on command line
+cmdline_base := $(addsuffix .te,$(APPS_BASE))
+cmdline_mods := $(addsuffix .te,$(APPS_MODS))
+cmdline_off := $(addsuffix .te,$(APPS_OFF))
+
+# extract settings from modules.conf
+mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
+mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
+mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
+
+base_mods := $(cmdline_base)
+mod_mods := $(cmdline_mods)
+off_mods := $(cmdline_off)
+
+base_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_base))
+mod_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_mods))
+off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_off))
+
+# add modules not in modules.conf to the off list
+off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+
+# filesystems to be used in labeling targets
+filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+
+########################################
+#
+# Functions
+#
+
+# detect-metaxml layer_names
+ifdef LOCAL_ROOT
+define detect-metaxml
+ $(shell for i in $1; do \
+ if [ -d $(moddir)/$$i -a -d $(local_moddir)/$$i ]; then \
+ if [ -f $(local_moddir)/$$i/$(metaxml) ]; then \
+ echo $(local_moddir)/$$i/$(metaxml) ;\
+ else \
+ echo $(moddir)/$$i/$(metaxml) ;\
+ fi \
+ elif [ -d $(local_moddir)/$$i ]; then
+ echo $(local_moddir)/$$i/$(metaxml) ;\
+ else \
+ echo $(moddir)/$$i/$(metaxml) ;\
+ fi \
+ done )
+endef
+else
+define detect-metaxml
+ $(shell for i in $1; do echo $(moddir)/$$i/$(metaxml); done)
+endef
+endif
+
+########################################
+#
+# Load appropriate rules
+#
+
+ifeq ($(MONOLITHIC),y)
+ include Rules.monolithic
+else
+ include Rules.modular
+endif
+
+########################################
+#
+# Generated files
+#
+# NOTE: There is no "local" version of these files.
+#
+generate: $(generated_te) $(generated_if) $(generated_fc)
+
+$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in
+ @echo "#" > $@
+ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
+ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ @echo "#" >> $@
+ $(verbose) cat $@.in >> $@
+ $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+ | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \
+ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+$(moddir)/kernel/corenetwork.te: $(m4divert) $(moddir)/kernel/corenetwork.te.m4 $(m4undivert) $(moddir)/kernel/corenetwork.te.in
+ @echo "#" > $@
+ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
+ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ @echo "#" >> $@
+ $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ \
+ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+########################################
+#
+# Network packet labeling
+#
+$(net_contexts): $(moddir)/kernel/corenetwork.te.in
+ @echo "Creating netfilter network labeling rules"
+ $(verbose) $(gennetfilter) $^ > $@
+
+########################################
+#
+# Create config files
+#
+conf: $(mod_conf) $(booleans) $(generated_te) $(generated_if) $(generated_fc)
+
+$(mod_conf) $(booleans): $(polxml)
+ @echo "Updating $(mod_conf) and $(booleans)"
+ $(verbose) $(gendoc) -b $(booleans) -m $(mod_conf) -x $(polxml)
+
+########################################
+#
+# Generate the fc_sort program
+#
+$(fcsort) : $(support)/fc_sort.c
+ $(verbose) $(CC) $(CFLAGS) $^ -o $@
+
+########################################
+#
+# Documentation generation
+#
+$(layerxml): %.xml: $(all_metaxml) $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)) $(subst .te,.if, $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)))
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) cat $(filter %$(notdir $*)/$(metaxml), $(all_metaxml)) > $@
+ $(verbose) for i in $(basename $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
+ifdef LOCAL_ROOT
+ $(verbose) for i in $(basename $(filter $(addprefix $(local_moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
+endif
+
+$(tunxml): $(globaltun)
+ $(verbose) $(genxml) -w -t $< > $@
+
+$(boolxml): $(globalbool)
+ $(verbose) $(genxml) -w -b $< > $@
+
+$(polxml): $(layerxml) $(tunxml) $(boolxml)
+ @echo "Creating $(@F)"
+ @test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
+ $(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
+ $(verbose) echo '<policy>' >> $@
+ $(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done
+ $(verbose) cat $(tunxml) $(boolxml) >> $@
+ $(verbose) echo '</policy>' >> $@
+ $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
+ $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
+ fi
+
+xml: $(polxml)
+
+html $(tmpdir)/html: $(polxml)
+ @echo "Building html interface reference documentation in $(htmldir)"
+ @test -d $(htmldir) || mkdir -p $(htmldir)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(gendoc) -d $(htmldir) -T $(doctemplate) -x $(polxml)
+ $(verbose) cp $(doctemplate)/*.css $(htmldir)
+ @touch $(tmpdir)/html
+
+########################################
+#
+# Runtime binary policy patching of users
+#
+$(userpath)/system.users: $(m4support) $(tmpdir)/generated_definitions.conf $(user_files)
+ @mkdir -p $(tmpdir)
+ @echo "Installing system.users"
+ @echo "# " > $(tmpdir)/system.users
+ @echo "# Do not edit this file. " >> $(tmpdir)/system.users
+ @echo "# This file is replaced on reinstalls of this policy." >> $(tmpdir)/system.users
+ @echo "# Please edit local.users to make local changes." >> $(tmpdir)/system.users
+ @echo "#" >> $(tmpdir)/system.users
+ $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ | $(SED) -r -e 's/^[[:blank:]]+//' \
+ -e '/^[[:blank:]]*($$|#)/d' >> $(tmpdir)/system.users
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/system.users $@
+
+$(userpath)/local.users: config/local.users
+ @echo "Installing local.users"
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -b -m 0644 $< $@
+
+########################################
+#
+# Build Appconfig files
+#
+$(tmpdir)/initrc_context: $(appconf)/initrc_context
+ @mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@
+
+########################################
+#
+# Install Appconfig files
+#
+install-appconfig: $(appfiles)
+
+$(installdir)/booleans: $(booleans)
+ @mkdir -p $(tmpdir)
+ $(verbose) $(SED) -r -e 's/false/0/g' -e 's/true/1/g' \
+ -e '/^[[:blank:]]*($$|#)/d' $(booleans) | $(SORT) > $(tmpdir)/booleans
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/booleans $@
+
+$(contextpath)/files/media: $(appconf)/media
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $< $@
+
+$(fcsubspath): config/file_contexts.subs_dist
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $< $@
+
+$(contextpath)/users/%: $(appconf)/%_default_contexts
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $^ $@
+
+$(appdir)/%: $(appconf)/%
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $< > $(tmpdir)/$(@F)
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/$(@F) $@
+
+########################################
+#
+# Install policy headers
+#
+install-headers: $(layerxml) $(tunxml) $(boolxml)
+ @mkdir -p $(headerdir)
+ @echo "Installing $(NAME) policy headers."
+ $(verbose) $(INSTALL) -m 644 $^ $(headerdir)
+ $(verbose) mkdir -p $(headerdir)/support
+ $(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support
+ $(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
+ $(verbose) for i in $(notdir $(all_layers)); do \
+ mkdir -p $(headerdir)/$$i ;\
+ $(INSTALL) -m 644 $(moddir)/$$i/*.if $(headerdir)/$$i ;\
+ done
+ $(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
+ $(verbose) echo "NAME ?= $(NAME)" >> $(headerdir)/build.conf
+ifneq "$(DISTRO)" ""
+ $(verbose) echo "DISTRO ?= $(DISTRO)" >> $(headerdir)/build.conf
+endif
+ $(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
+ $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
+ $(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf
+ $(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
+ $(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
+ $(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
+ $(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
+
+########################################
+#
+# Install policy documentation
+#
+install-docs: $(tmpdir)/html
+ @mkdir -p $(docsdir)/html
+ @echo "Installing policy documentation"
+ $(verbose) $(INSTALL) -m 644 $(docfiles) $(docsdir)
+ $(verbose) $(INSTALL) -m 644 $(wildcard $(htmldir)/*) $(docsdir)/html
+
+########################################
+#
+# Install policy sources
+#
+install-src:
+ rm -rf $(srcpath)/policy.old
+ -mv $(srcpath)/policy $(srcpath)/policy.old
+ mkdir -p $(srcpath)/policy
+ cp -R . $(srcpath)/policy
+
+########################################
+#
+# Generate tags file
+#
+tags: $(tags)
+$(tags):
+ @($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
+ @LC_ALL=C $(CTAGS) -f $(tags) --langdef=te --langmap=te:..te.if.spt \
+ --regex-te='/^type[ \t]+(\w+)(,|;)/\1/t,type/' \
+ --regex-te='/^typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
+ --regex-te='/^attribute[ \t]+(\w+);/\1/a,attribute/' \
+ --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
+ --regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \
+ --regex-te='/^[ \t]*template\(`(\w+)/\1/i,template/' \
+ --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt
+
+########################################
+#
+# Filesystem labeling
+#
+checklabels:
+ @echo "Checking labels on filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) -v -n $(fcpath) $(filesystems)
+
+restorelabels:
+ @echo "Restoring labels on filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) -v $(fcpath) $(filesystems)
+
+relabel:
+ @echo "Relabeling filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) $(fcpath) $(filesystems)
+
+resetlabels:
+ @echo "Resetting labels on filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) -F $(fcpath) $(filesystems)
+
+########################################
+#
+# Clean everything
+#
+bare: clean
+ rm -f $(polxml)
+ rm -f $(layerxml)
+ rm -f $(modxml)
+ rm -f $(tunxml)
+ rm -f $(boolxml)
+ rm -f $(mod_conf)
+ rm -f $(booleans)
+ rm -fR $(htmldir)
+ rm -f $(tags)
+# don't remove these files if we're given a local root
+ifndef LOCAL_ROOT
+ rm -f $(fcsort)
+ rm -f $(support)/*.pyc
+ifneq ($(generated_te),)
+ rm -f $(generated_te)
+endif
+ifneq ($(generated_if),)
+ rm -f $(generated_if)
+endif
+ifneq ($(generated_fc),)
+ rm -f $(generated_fc)
+endif
+endif
+
+.PHONY: install-src install-appconfig install-headers generate xml conf html bare tags
+.SUFFIXES:
+.SUFFIXES: .c
diff --git a/Makefile.orig b/Makefile.orig
new file mode 100644
index 00000000..5a439192
--- /dev/null
+++ b/Makefile.orig
@@ -0,0 +1,637 @@
+#
+# Makefile for the security policy.
+#
+# Targets:
+#
+# install - compile and install the policy configuration, and context files.
+# load - compile, install, and load the policy configuration.
+# reload - compile, install, and load/reload the policy configuration.
+# relabel - relabel filesystems based on the file contexts configuration.
+# checklabels - check filesystems against the file context configuration
+# restorelabels - check filesystems against the file context configuration
+# and restore the label of files with incorrect labels
+# policy - compile the policy configuration locally for testing/development.
+#
+# The default target is 'policy'.
+#
+#
+# Please see build.conf for policy build options.
+#
+
+########################################
+#
+# NO OPTIONS BELOW HERE
+#
+
+# Include the local build.conf if it exists, otherwise
+# include the configuration of the root directory.
+include build.conf
+
+ifdef LOCAL_ROOT
+ -include $(LOCAL_ROOT)/build.conf
+endif
+
+# refpolicy version
+version = $(shell cat VERSION)
+
+ifdef LOCAL_ROOT
+builddir := $(LOCAL_ROOT)/
+tmpdir := $(LOCAL_ROOT)/tmp
+tags := $(LOCAL_ROOT)/tags
+else
+tmpdir := tmp
+tags := tags
+endif
+
+# executable paths
+BINDIR ?= /usr/bin
+SBINDIR ?= /usr/sbin
+ifdef TEST_TOOLCHAIN
+tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin
+else
+tc_usrbindir := $(BINDIR)
+tc_usrsbindir := $(SBINDIR)
+tc_sbindir := /sbin
+endif
+CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
+CHECKMODULE ?= $(tc_usrbindir)/checkmodule
+SEMODULE ?= $(tc_usrsbindir)/semodule
+SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
+SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
+SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
+LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+SETFILES ?= $(tc_sbindir)/setfiles
+XMLLINT ?= $(BINDIR)/xmllint
+SECHECK ?= $(BINDIR)/sechecker
+
+# interpreters and aux tools
+AWK ?= gawk
+GREP ?= egrep
+INSTALL ?= install
+M4 ?= m4
+PYTHON ?= python
+SED ?= sed
+SORT ?= LC_ALL=C sort
+UMASK ?= umask
+
+CFLAGS += -Wall
+
+# policy source layout
+poldir := policy
+moddir := $(poldir)/modules
+flaskdir := $(poldir)/flask
+secclass := $(flaskdir)/security_classes
+isids := $(flaskdir)/initial_sids
+avs := $(flaskdir)/access_vectors
+
+# local source layout
+ifdef LOCAL_ROOT
+local_poldir := $(LOCAL_ROOT)/policy
+local_moddir := $(local_poldir)/modules
+endif
+
+# policy building support tools
+support := support
+genxml := $(PYTHON) -E $(support)/segenxml.py
+gendoc := $(PYTHON) -E $(support)/sedoctool.py
+genperm := $(PYTHON) -E $(support)/genclassperms.py
+fcsort := $(tmpdir)/fc_sort
+setbools := $(AWK) -f $(support)/set_bools_tuns.awk
+get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
+comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
+gennetfilter := $(PYTHON) -E $(support)/gennetfilter.py
+m4iferror := $(support)/iferror.m4
+m4divert := $(support)/divert.m4
+m4undivert := $(support)/undivert.m4
+# use our own genhomedircon to make sure we have a known usable one,
+# so policycoreutils updates are not required (RHEL4)
+genhomedircon := $(PYTHON) -E $(support)/genhomedircon
+
+# documentation paths
+docs := doc
+xmldtd = $(docs)/policy.dtd
+metaxml = metadata.xml
+doctemplate = $(docs)/templates
+docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)
+
+ifndef LOCAL_ROOT
+polxml = $(docs)/policy.xml
+tunxml = $(docs)/global_tunables.xml
+boolxml = $(docs)/global_booleans.xml
+htmldir = $(docs)/html
+else
+polxml = $(LOCAL_ROOT)/doc/policy.xml
+tunxml = $(LOCAL_ROOT)/doc/global_tunables.xml
+boolxml = $(LOCAL_ROOT)/doc/global_booleans.xml
+htmldir = $(LOCAL_ROOT)/doc/html
+endif
+
+# config file paths
+globaltun = $(poldir)/global_tunables
+globalbool = $(poldir)/global_booleans
+user_files := $(poldir)/users
+policycaps := $(poldir)/policy_capabilities
+
+# local config file paths
+ifndef LOCAL_ROOT
+mod_conf = $(poldir)/modules.conf
+booleans = $(poldir)/booleans.conf
+tunables = $(poldir)/tunables.conf
+else
+mod_conf = $(local_poldir)/modules.conf
+booleans = $(local_poldir)/booleans.conf
+tunables = $(local_poldir)/tunables.conf
+endif
+
+# install paths
+PKGNAME ?= refpolicy-$(version)
+prefix = $(DESTDIR)/usr
+topdir = $(DESTDIR)/etc/selinux
+installdir = $(topdir)/$(strip $(NAME))
+srcpath = $(installdir)/src
+userpath = $(installdir)/users
+policypath = $(installdir)/policy
+contextpath = $(installdir)/contexts
+homedirpath = $(contextpath)/files/homedir_template
+fcpath = $(contextpath)/files/file_contexts
+fcsubspath = $(contextpath)/files/file_contexts.subs_dist
+ncpath = $(contextpath)/netfilter_contexts
+sharedir = $(prefix)/share/selinux
+modpkgdir = $(sharedir)/$(strip $(NAME))
+headerdir = $(modpkgdir)/include
+docsdir = $(prefix)/share/doc/$(PKGNAME)
+
+# enable MLS if requested.
+ifeq "$(TYPE)" "mls"
+ M4PARAM += -D enable_mls
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+ gennetfilter += -m
+endif
+
+# enable MLS if MCS requested.
+ifeq "$(TYPE)" "mcs"
+ M4PARAM += -D enable_mcs
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+ gennetfilter += -c
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+ M4PARAM += -D distro_$(DISTRO)
+endif
+
+# rhel4 also implies redhat
+ifeq "$(DISTRO)" "rhel4"
+ M4PARAM += -D distro_redhat
+endif
+
+ifeq "$(DISTRO)" "ubuntu"
+ M4PARAM += -D distro_debian
+endif
+
+ifneq ($(OUTPUT_POLICY),)
+ CHECKPOLICY += -c $(OUTPUT_POLICY)
+endif
+
+ifneq "$(CUSTOM_BUILDOPT)" ""
+ M4PARAM += $(foreach opt,$(CUSTOM_BUILDOPT),-D $(opt))
+endif
+
+# if not set, use the type as the name.
+NAME ?= $(TYPE)
+
+# default unknown permissions setting
+#UNK_PERMS ?= deny
+
+ifeq ($(DIRECT_INITRC),y)
+ M4PARAM += -D direct_sysadm_daemon
+endif
+
+ifeq "$(UBAC)" "y"
+ M4PARAM += -D enable_ubac
+endif
+
+# default MLS/MCS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
+
+ifeq ($(QUIET),y)
+ verbose = @
+endif
+
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
+
+# we need exuberant ctags; unfortunately it is named
+# differently on different distros
+ifeq ($(DISTRO),debian)
+ CTAGS := ctags-exuberant
+endif
+
+ifeq ($(DISTRO),gentoo)
+ CTAGS := exuberant-ctags
+endif
+
+CTAGS ?= ctags
+
+m4support := $(m4divert) $(wildcard $(poldir)/support/*.spt)
+ifdef LOCAL_ROOT
+m4support += $(wildcard $(local_poldir)/support/*.spt)
+endif
+m4support += $(m4undivert)
+
+appconf := config/appconfig-$(TYPE)
+seusers := $(appconf)/seusers
+appdir := $(contextpath)
+user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
+net_contexts := $(builddir)net_contexts
+
+all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+ifdef LOCAL_ROOT
+all_layers += $(shell find $(wildcard $(local_moddir)/*) -maxdepth 0 -type d)
+endif
+
+generated_te := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te.in)))
+generated_if := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.if.in)))
+generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in)))
+
+# sort here since it removes duplicates, which can happen
+# when a generated file is already generated
+detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
+
+modxml := $(addprefix $(tmpdir)/, $(detected_mods:.te=.xml))
+layerxml := $(sort $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))))
+layer_names := $(sort $(notdir $(all_layers)))
+all_metaxml = $(call detect-metaxml, $(layer_names))
+
+# modules.conf setting for base module
+configbase := base
+
+# modules.conf setting for loadable module
+configmod := module
+
+# modules.conf setting for unused module
+configoff := off
+
+# test for module overrides from command line
+mod_test = $(filter $(APPS_OFF), $(APPS_BASE) $(APPS_MODS))
+mod_test += $(filter $(APPS_MODS), $(APPS_BASE))
+ifneq "$(strip $(mod_test))" ""
+ $(error Applications must be base, module, or off, and not in more than one list! $(strip $(mod_test)) found in multiple lists!)
+endif
+
+# add on suffix to modules specified on command line
+cmdline_base := $(addsuffix .te,$(APPS_BASE))
+cmdline_mods := $(addsuffix .te,$(APPS_MODS))
+cmdline_off := $(addsuffix .te,$(APPS_OFF))
+
+# extract settings from modules.conf
+mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
+mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
+mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
+
+base_mods := $(cmdline_base)
+mod_mods := $(cmdline_mods)
+off_mods := $(cmdline_off)
+
+base_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_base))
+mod_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_mods))
+off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_off))
+
+# add modules not in modules.conf to the off list
+off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+
+# filesystems to be used in labeling targets
+filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+
+########################################
+#
+# Functions
+#
+
+# detect-metaxml layer_names
+ifdef LOCAL_ROOT
+define detect-metaxml
+ $(shell for i in $1; do \
+ if [ -d $(moddir)/$$i -a -d $(local_moddir)/$$i ]; then \
+ if [ -f $(local_moddir)/$$i/$(metaxml) ]; then \
+ echo $(local_moddir)/$$i/$(metaxml) ;\
+ else \
+ echo $(moddir)/$$i/$(metaxml) ;\
+ fi \
+ elif [ -d $(local_moddir)/$$i ]; then
+ echo $(local_moddir)/$$i/$(metaxml) ;\
+ else \
+ echo $(moddir)/$$i/$(metaxml) ;\
+ fi \
+ done )
+endef
+else
+define detect-metaxml
+ $(shell for i in $1; do echo $(moddir)/$$i/$(metaxml); done)
+endef
+endif
+
+########################################
+#
+# Load appropriate rules
+#
+
+ifeq ($(MONOLITHIC),y)
+ include Rules.monolithic
+else
+ include Rules.modular
+endif
+
+########################################
+#
+# Generated files
+#
+# NOTE: There is no "local" version of these files.
+#
+generate: $(generated_te) $(generated_if) $(generated_fc)
+
+$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in
+ @echo "#" > $@
+ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
+ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ @echo "#" >> $@
+ $(verbose) cat $@.in >> $@
+ $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+ | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \
+ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+$(moddir)/kernel/corenetwork.te: $(m4divert) $(moddir)/kernel/corenetwork.te.m4 $(m4undivert) $(moddir)/kernel/corenetwork.te.in
+ @echo "#" > $@
+ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
+ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ @echo "#" >> $@
+ $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ \
+ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+########################################
+#
+# Network packet labeling
+#
+$(net_contexts): $(moddir)/kernel/corenetwork.te.in
+ @echo "Creating netfilter network labeling rules"
+ $(verbose) $(gennetfilter) $^ > $@
+
+########################################
+#
+# Create config files
+#
+conf: $(mod_conf) $(booleans) $(generated_te) $(generated_if) $(generated_fc)
+
+$(mod_conf) $(booleans): $(polxml)
+ @echo "Updating $(mod_conf) and $(booleans)"
+ $(verbose) $(gendoc) -b $(booleans) -m $(mod_conf) -x $(polxml)
+
+########################################
+#
+# Generate the fc_sort program
+#
+$(fcsort) : $(support)/fc_sort.c
+ $(verbose) $(CC) $(CFLAGS) $^ -o $@
+
+########################################
+#
+# Documentation generation
+#
+$(layerxml): %.xml: $(all_metaxml) $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)) $(subst .te,.if, $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)))
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) cat $(filter %$(notdir $*)/$(metaxml), $(all_metaxml)) > $@
+ $(verbose) for i in $(basename $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
+ifdef LOCAL_ROOT
+ $(verbose) for i in $(basename $(filter $(addprefix $(local_moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
+endif
+
+$(tunxml): $(globaltun)
+ $(verbose) $(genxml) -w -t $< > $@
+
+$(boolxml): $(globalbool)
+ $(verbose) $(genxml) -w -b $< > $@
+
+$(polxml): $(layerxml) $(tunxml) $(boolxml)
+ @echo "Creating $(@F)"
+ @test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
+ $(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
+ $(verbose) echo '<policy>' >> $@
+ $(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done
+ $(verbose) cat $(tunxml) $(boolxml) >> $@
+ $(verbose) echo '</policy>' >> $@
+ $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
+ $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
+ fi
+
+xml: $(polxml)
+
+html $(tmpdir)/html: $(polxml)
+ @echo "Building html interface reference documentation in $(htmldir)"
+ @test -d $(htmldir) || mkdir -p $(htmldir)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(gendoc) -d $(htmldir) -T $(doctemplate) -x $(polxml)
+ $(verbose) cp $(doctemplate)/*.css $(htmldir)
+ @touch $(tmpdir)/html
+
+########################################
+#
+# Runtime binary policy patching of users
+#
+$(userpath)/system.users: $(m4support) $(tmpdir)/generated_definitions.conf $(user_files)
+ @mkdir -p $(tmpdir)
+ @echo "Installing system.users"
+ @echo "# " > $(tmpdir)/system.users
+ @echo "# Do not edit this file. " >> $(tmpdir)/system.users
+ @echo "# This file is replaced on reinstalls of this policy." >> $(tmpdir)/system.users
+ @echo "# Please edit local.users to make local changes." >> $(tmpdir)/system.users
+ @echo "#" >> $(tmpdir)/system.users
+ $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ | $(SED) -r -e 's/^[[:blank:]]+//' \
+ -e '/^[[:blank:]]*($$|#)/d' >> $(tmpdir)/system.users
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/system.users $@
+
+$(userpath)/local.users: config/local.users
+ @echo "Installing local.users"
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -b -m 0644 $< $@
+
+########################################
+#
+# Build Appconfig files
+#
+$(tmpdir)/initrc_context: $(appconf)/initrc_context
+ @mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@
+
+########################################
+#
+# Install Appconfig files
+#
+install-appconfig: $(appfiles)
+
+$(installdir)/booleans: $(booleans)
+ @mkdir -p $(tmpdir)
+ $(verbose) $(SED) -r -e 's/false/0/g' -e 's/true/1/g' \
+ -e '/^[[:blank:]]*($$|#)/d' $(booleans) | $(SORT) > $(tmpdir)/booleans
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/booleans $@
+
+$(contextpath)/files/media: $(appconf)/media
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $< $@
+
+$(fcsubspath): config/file_contexts.subs_dist
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $< $@
+
+$(contextpath)/users/%: $(appconf)/%_default_contexts
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $^ $@
+
+$(appdir)/%: $(appconf)/%
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $< > $(tmpdir)/$(@F)
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/$(@F) $@
+
+########################################
+#
+# Install policy headers
+#
+install-headers: $(layerxml) $(tunxml) $(boolxml)
+ @mkdir -p $(headerdir)
+ @echo "Installing $(NAME) policy headers."
+ $(verbose) $(INSTALL) -m 644 $^ $(headerdir)
+ $(verbose) mkdir -p $(headerdir)/support
+ $(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support
+ $(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
+ $(verbose) for i in $(notdir $(all_layers)); do \
+ mkdir -p $(headerdir)/$$i ;\
+ $(INSTALL) -m 644 $(moddir)/$$i/*.if $(headerdir)/$$i ;\
+ done
+ $(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
+ $(verbose) echo "NAME ?= $(NAME)" >> $(headerdir)/build.conf
+ifneq "$(DISTRO)" ""
+ $(verbose) echo "DISTRO ?= $(DISTRO)" >> $(headerdir)/build.conf
+endif
+ $(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
+ $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
+ $(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf
+ $(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
+ $(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
+ $(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
+ $(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
+
+########################################
+#
+# Install policy documentation
+#
+install-docs: $(tmpdir)/html
+ @mkdir -p $(docsdir)/html
+ @echo "Installing policy documentation"
+ $(verbose) $(INSTALL) -m 644 $(docfiles) $(docsdir)
+ $(verbose) $(INSTALL) -m 644 $(wildcard $(htmldir)/*) $(docsdir)/html
+
+########################################
+#
+# Install policy sources
+#
+install-src:
+ rm -rf $(srcpath)/policy.old
+ -mv $(srcpath)/policy $(srcpath)/policy.old
+ mkdir -p $(srcpath)/policy
+ cp -R . $(srcpath)/policy
+
+########################################
+#
+# Generate tags file
+#
+tags: $(tags)
+$(tags):
+ @($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
+ @LC_ALL=C $(CTAGS) -f $(tags) --langdef=te --langmap=te:..te.if.spt \
+ --regex-te='/^type[ \t]+(\w+)(,|;)/\1/t,type/' \
+ --regex-te='/^typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
+ --regex-te='/^attribute[ \t]+(\w+);/\1/a,attribute/' \
+ --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
+ --regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \
+ --regex-te='/^[ \t]*template\(`(\w+)/\1/i,template/' \
+ --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt
+
+########################################
+#
+# Filesystem labeling
+#
+checklabels:
+ @echo "Checking labels on filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) -v -n $(fcpath) $(filesystems)
+
+restorelabels:
+ @echo "Restoring labels on filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) -v $(fcpath) $(filesystems)
+
+relabel:
+ @echo "Relabeling filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) $(fcpath) $(filesystems)
+
+resetlabels:
+ @echo "Resetting labels on filesystem types: $(fs_names)"
+ @if test -z "$(filesystems)"; then \
+ echo "No filesystems with extended attributes found!" ;\
+ false ;\
+ fi
+ $(verbose) $(SETFILES) -F $(fcpath) $(filesystems)
+
+########################################
+#
+# Clean everything
+#
+bare: clean
+ rm -f $(polxml)
+ rm -f $(layerxml)
+ rm -f $(modxml)
+ rm -f $(tunxml)
+ rm -f $(boolxml)
+ rm -f $(mod_conf)
+ rm -f $(booleans)
+ rm -fR $(htmldir)
+ rm -f $(tags)
+# don't remove these files if we're given a local root
+ifndef LOCAL_ROOT
+ rm -f $(fcsort)
+ rm -f $(support)/*.pyc
+ifneq ($(generated_te),)
+ rm -f $(generated_te)
+endif
+ifneq ($(generated_if),)
+ rm -f $(generated_if)
+endif
+ifneq ($(generated_fc),)
+ rm -f $(generated_fc)
+endif
+endif
+
+.PHONY: install-src install-appconfig install-headers generate xml conf html bare tags
+.SUFFIXES:
+.SUFFIXES: .c
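Review bot: Makefile.orig looks like a stray backup copy of Makefile rather than something to ship: the 637-line hunk repeats the Makefile hunk above it line for line as far as both are visible, so the build logic now exists twice and the two copies will silently diverge on the next edit. Unless it is deliberately kept as a pristine-upstream reference (in which case a header comment saying so would help), drop it from the commit and add `*.orig` to .gitignore. Independently, the LOCAL_ROOT variant of detect-metaxml closes its inner `if` with `fi \` immediately before `elif` and again with `fi \` before `done )`; with the backslash-newline joined by the shell that becomes `fi elif …` and `fi done`, which sh rejects, so both places need `fi ;\` — and because the same text is in both copies, the fix has to be made twice as long as the duplicate remains.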
diff --git a/README b/README
index 345e6aef..a3e8082a 100644
--- a/README
+++ b/README
@@ -1 +1,264 @@
-Test
+1) Reference Policy make targets:
+
+General Make targets:
+
+install-src Install the policy sources into
+ /etc/selinux/NAME/src/policy, where NAME is defined in
+ the Makefile. If not defined, the TYPE, as defined in
+ the Makefile, is used. The default NAME is refpolicy.
+ A pre-existing source policy will be moved to
+ /etc/selinux/NAME/src/policy.bak.
+
+conf Regenerate policy.xml, and update/create modules.conf
+ and booleans.conf. This should be done after adding
+ or removing modules, or after running the bare target.
+ If the configuration files exist, their settings will
+ be preserved. This must be ran on policy sources that
+ are checked out from the CVS repository before they can
+ be used.
+
+clean Delete all temporary files, compiled policies,
+ and file_contexts. Configuration files are left intact.
+
+bare Do the clean make target and also delete configuration
+ files, web page documentation, and policy.xml.
+
+html Regenerate policy.xml and create web page documentation
+ in the doc/html directory.
+
+Make targets specific to modular (loadable modules) policies:
+
+base Compile and package the base module. This is the
+ default target for modular policies.
+
+modules Compile and package all Reference Policy modules
+ configured to be built as loadable modules.
+
+MODULENAME.pp Compile and package the MODULENAME Reference Policy
+ module.
+
+all Compile and package the base module and all Reference
+ Policy modules configured to be built as loadable
+ modules.
+
+install Compile, package, and install the base module and
+ Reference Policy modules configured to be built as
+ loadable modules.
+
+load Compile, package, and install the base module and
+ Reference Policy modules configured to be built as
+ loadable modules, then insert them into the module
+ store.
+
+validate Validate if the configured modules can successfully
+ link and expand.
+
+install-headers Install the policy headers into /usr/share/selinux/NAME.
+ The headers are sufficient for building a policy
+ module locally, without requiring the complete
+ Reference Policy sources. The build.conf settings
+ for this policy configuration should be set before
+ using this target.
+
+Make targets specific to monolithic policies:
+
+policy Compile a policy locally for development and testing.
+ This is the default target for monolithic policies.
+
+install Compile and install the policy and file contexts.
+
+load Compile and install the policy and file contexts, then
+ load the policy.
+
+enableaudit Remove all dontaudit rules from policy.conf.
+
+relabel Relabel the filesystem.
+
+checklabels Check the labels on the filesystem, and report when
+ a file would be relabeled, but do not change its label.
+
+restorelabels Relabel the filesystem and report each file that is
+ relabeled.
+
+
+2) Reference Policy Build Options (build.conf)
+
+TYPE String. Available options are standard, mls, and mcs.
+ For a type enforcement only system, set standard.
+ This optionally enables multi-level security (MLS) or
+ multi-category security (MCS) features. This option
+ controls enable_mls, and enable_mcs policy blocks.
+
+NAME String (optional). Sets the name of the policy; the
+ NAME is used when installing files to e.g.,
+ /etc/selinux/NAME and /usr/share/selinux/NAME. If not
+ set, the policy type (TYPE) is used.
+
+DISTRO String (optional). Enable distribution-specific policy.
+ Available options are redhat, rhel4, gentoo, debian,
+ and suse. This option controls distro_redhat,
+ distro_rhel4, distro_gentoo, distro_debian, and
+ distro_suse policy blocks.
+
+MONOLITHIC Boolean. If set, a monolithic policy is built,
+ otherwise a modular policy is built.
+
+DIRECT_INITRC Boolean. If set, sysadm will be allowed to directly
+ run init scripts, instead of requiring the run_init
+ tool. This is a build option instead of a tunable since
+ role transitions do not work in conditional policy.
+ This option controls direct_sysadm_daemon policy
+ blocks.
+
+OUTPUT_POLICY Integer. Set the version of the policy created when
+ building a monolithic policy. This option has no effect
+ on modular policy.
+
+UNK_PERMS String. Set the kernel behavior for handling of
+ permissions defined in the kernel but missing from the
+ policy. The permissions can either be allowed, denied,
+ or the policy loading can be rejected.
+
+UBAC Boolean. If set, the SELinux user will be used
+ additionally for approximate role separation.
+
+MLS_SENS Integer. Set the number of sensitivities in the MLS
+ policy. Ignored on standard and MCS policies.
+
+MLS_CATS Integer. Set the number of categories in the MLS
+ policy. Ignored on standard and MCS policies.
+
+MCS_CATS Integer. Set the number of categories in the MCS
+ policy. Ignored on standard and MLS policies.
+
+QUIET Boolean. If set, the build system will only display
+ status messages and error messages. This option has no
+ effect on policy.
+
+
+3) Reference Policy Files and Directories
+All directories relative to the root of the Reference Policy sources directory.
+
+Makefile General rules for building the policy.
+
+Rules.modular Makefile rules specific to building loadable module
+ policies.
+
+Rules.monolithic Makefile rules specific to building monolithic policies.
+
+build.conf Options which influence the building of the policy,
+ such as the policy type and distribution.
+
+config/appconfig-* Application configuration files for all configurations
+ of the Reference Policy (targeted/strict with or without
+ MLS or MCS). These are used by SELinux-aware programs.
+
+config/local.users The file read by load policy for adding SELinux users
+ to the policy on the fly.
+
+doc/html/* This contains the contents of the in-policy XML
+ documentation, presented in web page form.
+
+doc/policy.dtd The doc/policy.xml file is validated against this DTD.
+
+doc/policy.xml This file is generated/updated by the conf and html make
+ targets. It contains the complete XML documentation
+ included in the policy.
+
+doc/templates/* Templates used for documentation web pages.
+
+policy/booleans.conf This file is generated/updated by the conf make target.
+ It contains the booleans in the policy, and their
+ default values. If tunables are implemented as
+ booleans, tunables will also be included. This file
+ will be installed as the /etc/selinux/NAME/booleans
+ file.
+
+policy/constraints This file defines additional constraints on permissions
+ in the form of boolean expressions that must be
+ satisfied in order for specified permissions to be
+ granted. These constraints are used to further refine
+ the type enforcement rules and the role allow rules.
+ Typically, these constraints are used to restrict
+ changes in user identity or role to certain domains.
+
+policy/global_booleans This file defines all booleans that have a global scope,
+ their default value, and documentation.
+
+policy/global_tunables This file defines all tunables that have a global scope,
+ their default value, and documentation.
+
+policy/flask/initial_sids This file has declarations for each initial SID.
+
+policy/flask/security_classes This file has declarations for each security class.
+
+policy/flask/access_vectors This file defines the access vectors. Common
+ prefixes for access vectors may be defined at the
+ beginning of the file. After the common prefixes are
+ defined, an access vector may be defined for each
+ security class.
+
+policy/mcs The multi-category security (MCS) configuration.
+
+policy/mls The multi-level security (MLS) configuration.
+
+policy/modules/* Each directory represents a layer in Reference Policy
+ all of the modules are contained in one of these layers.
+
+policy/modules.conf This file contains a listing of available modules, and
+ how they will be used when building Reference Policy. To
+ prevent a module from being used, set the module to
+ "off". For monolithic policies, modules set to "base"
+ and "module" will be included in the policy. For
+ modular policies, modules set to "base" will be included
+ in the base module; those set to "module" will be
+ compiled as individual loadable modules.
+
+policy/support/* Support macros.
+
+policy/users This file defines the users included in the policy.
+
+support/* Tools used in the build process.
+
+
+4) Building policy modules using Reference Policy headers:
+
+The system must first have the Reference Policy headers installed, typically
+by the distribution. Otherwise, the headers can be installed using the
+install-headers target from the full Reference Policy sources.
+
+To set up a directory to build a local module, one must simply place a .te
+file in a directory. A sample Makefile to use in the directory is the
+Makefile.example in the doc directory. This may be installed in
+/usr/share/doc, under the directory for the distribution's policy.
+Alternatively, the primary Makefile in the headers directory (typically
+/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
+option.
+
+Larger projects can set up a structure of layers, just as in Reference
+Policy, by creating policy/modules/LAYERNAME directories. Each layer also
+must have a metadata.xml file which is an XML file with a summary tag and
+optional desc (long description) tag. This should describe the purpose of
+the layer.
+
+Metadata.xml example:
+
+<summary>ABC modules for the XYZ components.</summary>
+
+Make targets for modules built from headers:
+
+MODULENAME.pp Compile and package the MODULENAME local module.
+
+all Compile and package the modules in the current
+ directory.
+
+load Compile and package the modules in the current
+ directory, then insert them into the module store.
+
+refresh Attempts to reinsert all modules that are currently
+ in the module store from the local and system module
+ packages.
+
+xml Build a policy.xml from the XML included with the
+ base policy headers and any XML in the modules in
+ the current directory.
diff --git a/Rules.modular b/Rules.modular
new file mode 100644
index 00000000..313d8375
--- /dev/null
+++ b/Rules.modular
@@ -0,0 +1,217 @@
+########################################
+#
+# Rules and Targets for building modular policies
+#
+
+all_modules := $(base_mods) $(mod_mods) $(off_mods)
+all_interfaces := $(all_modules:.te=.if)
+
+base_pkg := $(builddir)base.pp
+base_fc := $(builddir)base.fc
+base_conf := $(builddir)base.conf
+base_mod := $(tmpdir)/base.mod
+
+users_extra := $(tmpdir)/users_extra
+
+base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
+
+base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
+base_te_files := $(base_mods)
+base_post_te_files := $(user_files) $(poldir)/constraints
+base_fc_files := $(base_mods:.te=.fc)
+
+mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
+
+# policy packages to install
+instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))
+
+# search layer dirs for source files
+vpath %.te $(all_layers)
+vpath %.if $(all_layers)
+vpath %.fc $(all_layers)
+
+.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc))
+
+########################################
+#
+# default action: create all module packages
+#
+default: policy
+
+all policy: base modules
+
+base: $(base_pkg)
+
+modules: $(mod_pkgs)
+
+install: $(instpkg) $(appfiles)
+
+########################################
+#
+# Load all configured modules
+#
+load: $(instpkg) $(appfiles)
+# make sure two directories exist since they are not
+# created by semanage
+ @echo "Loading configured modules."
+ @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
+ $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
+
+########################################
+#
+# Install policy packages
+#
+$(modpkgdir)/%.pp: $(builddir)%.pp
+ @echo "Installing $(NAME) $(@F) policy package."
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $^ $(modpkgdir)
+
+########################################
+#
+# Build module packages
+#
+$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ @echo "Compliling $(NAME) $(@F) module"
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+$(tmpdir)/%.mod.fc: $(m4support) %.fc
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $^ > $@
+
+$(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
+ @echo "Creating $(NAME) $(@F) policy package"
+ @test -d $(builddir) || mkdir -p $(builddir)
+ $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+
+########################################
+#
+# Create a base module package
+#
+$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
+ @echo "Creating $(NAME) base module package"
+ @test -d $(builddir) || mkdir -p $(builddir)
+ $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
+
+ifneq "$(UNK_PERMS)" ""
+$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
+endif
+$(base_mod): $(base_conf)
+ @echo "Compiling $(NAME) base module"
+ $(verbose) $(CHECKMODULE) $^ -o $@
+
+$(tmpdir)/seusers: $(seusers)
+ @mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@
+
+$(users_extra): $(m4support) $(user_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
+ $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
+
+########################################
+#
+# Construct a base.conf
+#
+$(base_conf): $(base_sections)
+ @echo "Creating $(NAME) base module $(@F)"
+ @test -d $(@D) || mkdir -p $(@D)
+ $(verbose) cat $^ > $@
+
+$(tmpdir)/pre_te_files.conf: M4PARAM += -D self_contained_policy
+$(tmpdir)/pre_te_files.conf: $(base_pre_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(tmpdir)/generated_definitions.conf:
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+# define all available object classes
+ $(verbose) $(genperm) $(avs) $(secclass) > $@
+ $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+
+$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ @echo "divert(-1)" > $@
+ $(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
+ $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
+ @echo "divert" >> $@
+
+$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files)
+ifeq "$(strip $(base_te_files))" ""
+ $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
+endif
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $@
+
+$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
+$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.
+$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
+ $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
+ $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
+# these have to run individually because order matters:
+ $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
+
+########################################
+#
+# Construct a base.fc
+#
+$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort)
+ $(verbose) $(fcsort) $< $@
+
+$(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files)
+ifeq ($(base_fc_files),)
+ $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
+endif
+ @echo "Creating $(NAME) base module file contexts."
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+########################################
+#
+# Appconfig files
+#
+$(appdir)/customizable_types: $(base_conf)
+ $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@
+
+########################################
+#
+# Validate linking and expanding of modules
+#
+validate: $(base_pkg) $(mod_pkgs)
+ @echo "Validating policy linking."
+ $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
+ $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
+ @echo "Success."
+
+########################################
+#
+# Clean the sources
+#
+clean:
+ rm -f $(base_conf)
+ rm -f $(base_fc)
+ rm -f $(builddir)*.pp
+ rm -f $(net_contexts)
+ rm -fR $(tmpdir)
+
+.PHONY: default all policy base modules install load clean validate
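Review bot: The `$(tmpdir)/all_interfaces.conf` rule appends m4 output to `$(tmpdir)/$(@F).tmp` with `>>` but never truncates that file, so every rebuild triggered by a changed `.if` (only `clean` removes `$(tmpdir)`) re-appends the full interface set and the generated `all_interfaces.conf` grows with duplicated definitions; presumably m4 redefinition makes this functionally harmless, but it is wasteful and makes the intermediate file misleading. Changing the line to `$(verbose) $(M4) $^ > $(tmpdir)/$(@F).tmp` fixes it; the same pattern appears in the corresponding rule in Rules.monolithic. The echo in the `$(tmpdir)/%.mod` rule also misspells "Compiling" as `Compliling`.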
diff --git a/Rules.monolithic b/Rules.monolithic
new file mode 100644
index 00000000..7c4d0355
--- /dev/null
+++ b/Rules.monolithic
@@ -0,0 +1,256 @@
+########################################
+#
+# Rules and Targets for building monolithic policies
+#
+
+# determine the policy version and current kernel version if possible
+pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
+kv := $(shell cat /selinux/policyvers)
+
+# dont print version warnings if we are unable to determine
+# the currently running kernel's policy version
+ifeq "$(kv)" ""
+ kv := $(pv)
+endif
+
+policy_conf = $(builddir)policy.conf
+fc = $(builddir)file_contexts
+polver = $(builddir)policy.$(pv)
+homedir_template = $(builddir)homedir_template
+
+M4PARAM += -D self_contained_policy
+
+# install paths
+loadpath = $(policypath)/$(notdir $(polver))
+
+appfiles += $(installdir)/booleans $(installdir)/seusers $(userpath)/local.users
+
+# for monolithic policy use all base and module to create policy
+all_modules := $(strip $(base_mods) $(mod_mods))
+# off module interfaces included to make sure all interfaces are expanded.
+all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
+all_te_files := $(all_modules)
+all_fc_files := $(all_modules:.te=.fc)
+
+pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
+post_te_files := $(user_files) $(poldir)/constraints
+
+policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
+
+# search layer dirs for source files
+vpath %.te $(all_layers)
+vpath %.if $(all_layers)
+vpath %.fc $(all_layers)
+
+########################################
+#
+# default action: build policy locally
+#
+default: policy
+
+policy: $(polver)
+
+install: $(loadpath) $(fcpath) $(appfiles)
+
+load: $(tmpdir)/load
+
+checklabels: $(fcpath)
+restorelabels: $(fcpath)
+relabel: $(fcpath)
+resetlabels: $(fcpath)
+
+########################################
+#
+# Build a binary policy locally
+#
+ifneq "$(UNK_PERMS)" ""
+$(polver): CHECKPOLICY += -U $(UNK_PERMS)
+endif
+$(polver): $(policy_conf)
+ @echo "Compiling $(NAME) $(polver)"
+ifneq ($(pv),$(kv))
+ @echo
+ @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
+ @echo
+endif
+ $(verbose) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Install a binary policy
+#
+ifneq "$(UNK_PERMS)" ""
+$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
+endif
+$(loadpath): $(policy_conf)
+ @echo "Compiling and installing $(NAME) $(loadpath)"
+ifneq ($(pv),$(kv))
+ @echo
+ @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
+ @echo
+endif
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Load the binary policy
+#
+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
+ @echo "Loading $(NAME) $(loadpath)"
+ $(verbose) $(LOADPOLICY) -q $(loadpath)
+ @touch $(tmpdir)/load
+
+########################################
+#
+# Construct a monolithic policy.conf
+#
+$(policy_conf): $(policy_sections)
+ @echo "Creating $(NAME) $(@F)"
+ @test -d $(@D) || mkdir -p $(@D)
+ $(verbose) cat $^ > $@
+
+$(tmpdir)/pre_te_files.conf: $(pre_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(tmpdir)/generated_definitions.conf: $(all_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+# define all available object classes
+ $(verbose) $(genperm) $(avs) $(secclass) > $@
+ $(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
+ $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+
+$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ @echo "divert(-1)" > $@
+ $(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
+ $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
+ @echo "divert" >> $@
+
+$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files)
+ifeq "$(strip $(all_te_files))" ""
+ $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
+endif
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $@
+
+$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.
+$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
+ $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
+ $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
+# these have to run individually because order matters:
+ $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
+
+########################################
+#
+# Remove the dontaudit rules from the policy.conf
+#
+enableaudit: $(policy_conf)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ @echo "Removing dontaudit rules from $(notdir $(policy_conf))"
+ $(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit
+ $(verbose) mv $(tmpdir)/policy.audit $(policy_conf)
+
+########################################
+#
+# Construct file_contexts
+#
+$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
+ $(verbose) $(fcsort) $< $@
+ $(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template)
+ $(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@
+
+$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)
+ifeq ($(all_fc_files),)
+ $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
+endif
+ @echo "Creating $(NAME) file_contexts."
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(homedir_template): $(fc)
+
+########################################
+#
+# Install file_contexts
+#
+$(fcpath): $(fc) $(loadpath) $(userpath)/system.users
+ @echo "Validating $(NAME) file_contexts."
+ $(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
+ @echo "Installing file_contexts."
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
+ $(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
+ $(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
+ifeq "$(DISTRO)" "rhel4"
+# Setfiles in RHEL4 does not look at file_contexts.homedirs.
+ $(verbose) cat $@.homedirs >> $@
+# Delete the file_contexts.homedirs in case the toolchain has
+# been updated, to prevent duplicate match errors.
+ $(verbose) rm -f $@.homedirs
+endif
+
+########################################
+#
+# Intall netfilter_contexts
+#
+$(ncpath): $(net_contexts)
+ @echo "Installing $(NAME) netfilter_contexts."
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $^ $@
+
+########################################
+#
+# Run policy source checks
+#
+check: $(builddir)check.res
+$(builddir)check.res: $(policy_conf) $(fc)
+ $(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@
+
+longcheck: $(builddir)longcheck.res
+$(builddir)longcheck.res: $(policy_conf) $(fc)
+ $(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@
+
+########################################
+#
+# Appconfig files
+#
+$(appdir)/customizable_types: $(policy_conf)
+ $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@
+
+$(installdir)/seusers: $(seusers)
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $(tmpdir)/seusers
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/seusers $@
+
+########################################
+#
+# Clean the sources
+#
+clean:
+ rm -f $(policy_conf)
+ rm -f $(polver)
+ rm -f $(fc)
+ rm -f $(homedir_template)
+ rm -f $(net_contexts)
+ rm -f *.res
+ rm -fR $(tmpdir)
+
+.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
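Review bot: The `clean` target removes `*.res` from the current directory, but `check` and `longcheck` write their results to `$(builddir)check.res` and `$(builddir)longcheck.res`, so when `$(builddir)` is not the working directory the result files survive `clean`; the rm line should read `rm -f $(builddir)*.res`. Separately, `kv` is read only from `/selinux/policyvers`; on a system where selinuxfs is mounted elsewhere the value is empty, the `ifeq "$(kv)" ""` fallback sets `kv := $(pv)`, and the OUTPUT_POLICY mismatch warning is silently disabled — worth a comment such as `# kv is empty (and the version warning suppressed) when selinuxfs is not at /selinux`.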
diff --git a/VERSION b/VERSION
new file mode 100644
index 00000000..04d1dd01
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+2.20120215
diff --git a/build.conf b/build.conf
new file mode 100644
index 00000000..5a521c46
--- /dev/null
+++ b/build.conf
@@ -0,0 +1,77 @@
+########################################
+#
+# Policy build options
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports. Setting this will
+# override the version. This only has an
+# effect for monolithic policies.
+#OUTPUT_POLICY = 18
+
+# Policy Type
+# standard, mls, mcs
+TYPE = standard
+
+# Policy Name
+# If set, this will be used as the policy
+# name. Otherwise the policy type will be
+# used for the name.
+NAME = refpolicy
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution. Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, suse, and rhel4 are current options.
+# Fedora users should enable redhat.
+#DISTRO = redhat
+
+# Unknown Permissions Handling
+# The behavior for handling permissions defined in the
+# kernel but missing from the policy. The permissions
+# can either be allowed, denied, or the policy loading
+# can be rejected.
+# allow, deny, and reject are current options.
+#UNK_PERMS = deny
+
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC = n
+
+# Build monolithic policy. Putting y here
+# will build a monolithic policy.
+MONOLITHIC = n
+
+# User-based access control (UBAC)
+# Enable UBAC for role separations.
+UBAC = y
+
+# Custom build options. This field enables custom
+# build options. Putting foo here will enable
+# build option blocks named foo. Options should be
+# separated by spaces.
+CUSTOM_BUILDOPT =
+
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+MLS_SENS = 16
+
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS = 1024
+
+# Number of MCS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MCS_CATS = 1024
+
+# Set this to y to only display status messages
+# during build.
+QUIET = n
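Review bot: The comment above `MCS_CATS` says the categories will be `c0 to c(MLS_CATS-1)`, which is copied from the MLS block and names the wrong option; it should read `# The categories will be c0 to c(MCS_CATS-1).`. The `DIRECT_INITRC` comment also misspells "requiring" as `requring`.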
diff --git a/config/appconfig-mcs/dbus_contexts b/config/appconfig-mcs/dbus_contexts
new file mode 100644
index 00000000..116e684f
--- /dev/null
+++ b/config/appconfig-mcs/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
new file mode 100644
index 00000000..801d97b6
--- /dev/null
+++ b/config/appconfig-mcs/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mcs/default_type b/config/appconfig-mcs/default_type
new file mode 100644
index 00000000..33528d61
--- /dev/null
+++ b/config/appconfig-mcs/default_type
@@ -0,0 +1,6 @@
+auditadm_r:auditadm_t
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t
diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
new file mode 100644
index 00000000..999abd9a
--- /dev/null
+++ b/config/appconfig-mcs/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mcs/guest_u_default_contexts b/config/appconfig-mcs/guest_u_default_contexts
new file mode 100644
index 00000000..90e52627
--- /dev/null
+++ b/config/appconfig-mcs/guest_u_default_contexts
@@ -0,0 +1,6 @@
+guest_r:guest_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:initrc_su_t:s0 guest_r:guest_t:s0
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
diff --git a/config/appconfig-mcs/initrc_context b/config/appconfig-mcs/initrc_context
new file mode 100644
index 00000000..30ab971d
--- /dev/null
+++ b/config/appconfig-mcs/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0
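Review bot: `system_u:system_r:initrc_t:s0` gives run_init-started services a single level with no MCS categories, whereas this commit maps system_u to `s0-mcs_systemhigh` in the MCS seusers file and uses `s0-mls_systemhigh` in the MLS variant of this same file. If any object on the system carries MCS categories (sVirt images, given the virtual_*_context files in this commit, are the usual case), a service started through run_init at plain s0 would be refused access to it by the MCS constraints. Unless the narrower range is deliberate, `system_u:system_r:initrc_t:s0-mcs_systemhigh` keeps it consistent with the other two files.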
diff --git a/config/appconfig-mcs/media b/config/appconfig-mcs/media
new file mode 100644
index 00000000..81f3463e
--- /dev/null
+++ b/config/appconfig-mcs/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-mcs/removable_context b/config/appconfig-mcs/removable_context
new file mode 100644
index 00000000..7fcc56e4
--- /dev/null
+++ b/config/appconfig-mcs/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts
new file mode 100644
index 00000000..7805778a
--- /dev/null
+++ b/config/appconfig-mcs/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
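Review bot: The comment says uncommenting the sshd_t line logs root in "as sysadm_r", but the first candidate on that line is `unconfined_r:unconfined_t:s0`; sysadm_r is only reached when unconfined_r is not available to root (a build without the unconfined module, which is plausible for a hardened policy but not stated here). Leaving the line commented is also the safer default, since root over ssh then falls through to default_contexts, whose sshd_t line prefers staff_r. I would reword the comment to `# Uncomment to let root log in over ssh directly as unconfined_r (or sysadm_r when unconfined_r is unavailable) instead of falling through to default_contexts`.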
diff --git a/config/appconfig-mcs/securetty_types b/config/appconfig-mcs/securetty_types
new file mode 100644
index 00000000..527d8358
--- /dev/null
+++ b/config/appconfig-mcs/securetty_types
@@ -0,0 +1 @@
+user_tty_device_t
diff --git a/config/appconfig-mcs/sepgsql_contexts b/config/appconfig-mcs/sepgsql_contexts
new file mode 100644
index 00000000..f8e9b1cd
--- /dev/null
+++ b/config/appconfig-mcs/sepgsql_contexts
@@ -0,0 +1,40 @@
+#
+# Initial security label for SE-PostgreSQL (MCS)
+#
+
+# <databases>
+db_database * system_u:object_r:sepgsql_db_t:s0
+
+# <schemas>
+db_schema *.* system_u:object_r:sepgsql_schema_t:s0
+
+# <tables>
+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_table *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <column>
+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0
+db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <sequences>
+db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0
+
+# <views>
+db_view *.*.* system_u:object_r:sepgsql_view_t:s0
+
+# <procedures>
+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0
+
+# <tuples>
+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <blobs>
+db_blob *.* system_u:object_r:sepgsql_blob_t:s0
+
+# <language>
+db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.* system_u:object_r:sepgsql_lang_t:s0
diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
new file mode 100644
index 00000000..dc5f1e42
--- /dev/null
+++ b/config/appconfig-mcs/seusers
@@ -0,0 +1,3 @@
+system_u:system_u:s0-mcs_systemhigh
+root:root:s0-mcs_systemhigh
+__default__:user_u:s0
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
new file mode 100644
index 00000000..881a292e
--- /dev/null
+++ b/config/appconfig-mcs/staff_u_default_contexts
@@ -0,0 +1,10 @@
+system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0 staff_r:staff_t:s0
+system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:xdm_t:s0 staff_r:staff_t:s0
+staff_r:staff_su_t:s0 staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
diff --git a/config/appconfig-mcs/unconfined_u_default_contexts b/config/appconfig-mcs/unconfined_u_default_contexts
new file mode 100644
index 00000000..106e093d
--- /dev/null
+++ b/config/appconfig-mcs/unconfined_u_default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
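Review bot: The crond_t line puts `unconfined_r:unconfined_t:s0` ahead of `unconfined_r:unconfined_cronjob_t:s0`, so cron jobs of unconfined_u run fully unconfined and the cronjob domain is only a fallback, the opposite of default_contexts, where every other role's jobs land in a cronjob_t domain first. I believe this matches the upstream ordering and is intentional for an unconfined user, but it is exactly the line a reader of a hardened policy will question. A comment above it such as `# unconfined_u cron jobs stay unconfined; unconfined_cronjob_t is only a fallback` would document the choice (the root_default_contexts file in this commit shows `#` comments are accepted in these files).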
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
new file mode 100644
index 00000000..cacbc939
--- /dev/null
+++ b/config/appconfig-mcs/user_u_default_contexts
@@ -0,0 +1,8 @@
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0 user_r:user_t:s0
+
diff --git a/config/appconfig-mcs/userhelper_context b/config/appconfig-mcs/userhelper_context
new file mode 100644
index 00000000..dc37a69b
--- /dev/null
+++ b/config/appconfig-mcs/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
new file mode 100644
index 00000000..d387b428
--- /dev/null
+++ b/config/appconfig-mcs/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff --git a/config/appconfig-mcs/virtual_image_context b/config/appconfig-mcs/virtual_image_context
new file mode 100644
index 00000000..8ab1e27e
--- /dev/null
+++ b/config/appconfig-mcs/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff --git a/config/appconfig-mcs/x_contexts b/config/appconfig-mcs/x_contexts
new file mode 100644
index 00000000..0b320443
--- /dev/null
+++ b/config/appconfig-mcs/x_contexts
@@ -0,0 +1,105 @@
+#
+# Config file for XSELinux extension
+#
+
+
+#
+##
+### Rules for X Clients
+##
+#
+
+#
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client * system_u:object_r:remote_t:s0
+
+
+#
+##
+### Rules for X Properties
+##
+#
+
+#
+# Property rules map a property name to a context. A default property
+# rule indicated by an asterisk should follow all other property rules.
+#
+# Properties that normal clients may only read
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
+
+# Clipboard and selection properties
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
+
+# Default fallback type
+property * system_u:object_r:xproperty_t:s0
+
+
+#
+##
+### Rules for X Extensions
+##
+#
+
+#
+# Extension rules map an extension name to a context. A default extension
+# rule indicated by an asterisk should follow all other extension rules.
+#
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t:s0
+
+# Standard extensions
+extension * system_u:object_r:xextension_t:s0
+
+
+#
+##
+### Rules for X Selections
+##
+#
+
+# Selection rules map a selection name to a context. A default selection
+# rule indicated by an asterisk should follow all other selection rules.
+#
+# Standard selections
+selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
+selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
+
+# Default fallback type
+selection * system_u:object_r:xselection_t:s0
+
+
+#
+##
+### Rules for X Events
+##
+#
+
+#
+# Event rules map an event protocol name to a context. A default event
+# rule indicated by an asterisk should follow all other event rules.
+#
+# Input events
+event X11:KeyPress system_u:object_r:input_xevent_t:s0
+event X11:KeyRelease system_u:object_r:input_xevent_t:s0
+event X11:ButtonPress system_u:object_r:input_xevent_t:s0
+event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
+event X11:MotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
+
+# Client message events
+event X11:ClientMessage system_u:object_r:client_xevent_t:s0
+event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
+event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
+event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
+
+# Default fallback type
+event * system_u:object_r:xevent_t:s0
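Review bot: Only PRIMARY and CLIPBOARD are labelled `clipboard_xselection_t`; SECONDARY, the third ICCCM-standard selection, falls through to the `selection *` default and gets the generic `xselection_t`. If the policy grants broader access to xselection_t than to clipboard_xselection_t (not visible here), a client barred from the clipboard types could still move data through SECONDARY. If the intent is to cover all clipboard-like selections, add `selection SECONDARY system_u:object_r:clipboard_xselection_t:s0` before the wildcard rule.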
diff --git a/config/appconfig-mcs/xguest_u_default_contexts b/config/appconfig-mcs/xguest_u_default_contexts
new file mode 100644
index 00000000..574363b5
--- /dev/null
+++ b/config/appconfig-mcs/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0 xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+system_r:local_login_t:s0 xguest_r:xguest_t:s0
+system_r:remote_login_t:s0 xguest_r:xguest_t:s0
+system_r:sshd_t:s0 xguest_r:xguest_t:s0
+system_r:xdm_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
diff --git a/config/appconfig-mls/dbus_contexts b/config/appconfig-mls/dbus_contexts
new file mode 100644
index 00000000..116e684f
--- /dev/null
+++ b/config/appconfig-mls/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
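Review bot: The `<selinux>` element is empty, so no bus name is associated with a context; as I recall dbus-daemon(1), a name without an `<associate own="..." context="..."/>` rule is checked against the bus daemon's own security context, which means the per-service name-acquisition checks cannot distinguish one service from another. If shipping no associations is the intended starting point, a comment inside the element would spare the next reader the trip to the man page, e.g. `<!-- no <associate> rules yet: every bus name falls back to the bus daemon's own context -->`. Distribution packages usually fill this in per service, so it may belong there rather than here.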
diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
new file mode 100644
index 00000000..801d97b6
--- /dev/null
+++ b/config/appconfig-mls/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mls/default_type b/config/appconfig-mls/default_type
new file mode 100644
index 00000000..33528d61
--- /dev/null
+++ b/config/appconfig-mls/default_type
@@ -0,0 +1,6 @@
+auditadm_r:auditadm_t
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t
diff --git a/config/appconfig-mls/failsafe_context b/config/appconfig-mls/failsafe_context
new file mode 100644
index 00000000..999abd9a
--- /dev/null
+++ b/config/appconfig-mls/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mls/guest_u_default_contexts b/config/appconfig-mls/guest_u_default_contexts
new file mode 100644
index 00000000..e2106efa
--- /dev/null
+++ b/config/appconfig-mls/guest_u_default_contexts
@@ -0,0 +1,5 @@
+guest_r:guest_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
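Review bot: This MLS variant omits the `system_r:initrc_su_t:s0 guest_r:guest_t:s0` line that the MCS guest_u_default_contexts in this commit carries, and that both xguest_u_default_contexts files also carry, so on an MLS build a su from an init script to a guest account has no default context listed here. That looks like an oversight rather than a deliberate MLS difference, since nothing else in the file differs from the MCS copy. If so, adding `system_r:initrc_su_t:s0 guest_r:guest_t:s0` brings the guest files into line.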
diff --git a/config/appconfig-mls/initrc_context b/config/appconfig-mls/initrc_context
new file mode 100644
index 00000000..4598f92e
--- /dev/null
+++ b/config/appconfig-mls/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0-mls_systemhigh
diff --git a/config/appconfig-mls/media b/config/appconfig-mls/media
new file mode 100644
index 00000000..81f3463e
--- /dev/null
+++ b/config/appconfig-mls/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-mls/removable_context b/config/appconfig-mls/removable_context
new file mode 100644
index 00000000..7fcc56e4
--- /dev/null
+++ b/config/appconfig-mls/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-mls/root_default_contexts b/config/appconfig-mls/root_default_contexts
new file mode 100644
index 00000000..7805778a
--- /dev/null
+++ b/config/appconfig-mls/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mls/securetty_types b/config/appconfig-mls/securetty_types
new file mode 100644
index 00000000..527d8358
--- /dev/null
+++ b/config/appconfig-mls/securetty_types
@@ -0,0 +1 @@
+user_tty_device_t
diff --git a/config/appconfig-mls/sepgsql_contexts b/config/appconfig-mls/sepgsql_contexts
new file mode 100644
index 00000000..76ff21cd
--- /dev/null
+++ b/config/appconfig-mls/sepgsql_contexts
@@ -0,0 +1,40 @@
+#
+# Initial security label for SE-PostgreSQL (MLS)
+#
+
+# <databases>
+db_database * system_u:object_r:sepgsql_db_t:s0
+
+# <schemas>
+db_schema *.* system_u:object_r:sepgsql_schema_t:s0
+
+# <tables>
+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_table *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <column>
+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0
+db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <sequences>
+db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0
+
+# <views>
+db_view *.*.* system_u:object_r:sepgsql_view_t:s0
+
+# <procedures>
+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0
+
+# <tuples>
+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <blobs>
+db_blob *.* system_u:object_r:sepgsql_blob_t:s0
+
+# <language>
+db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.* system_u:object_r:sepgsql_lang_t:s0
diff --git a/config/appconfig-mls/seusers b/config/appconfig-mls/seusers
new file mode 100644
index 00000000..dc156bfa
--- /dev/null
+++ b/config/appconfig-mls/seusers
@@ -0,0 +1,3 @@
+system_u:system_u:s0-mls_systemhigh
+root:root:s0-mls_systemhigh
+__default__:user_u:s0
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
new file mode 100644
index 00000000..881a292e
--- /dev/null
+++ b/config/appconfig-mls/staff_u_default_contexts
@@ -0,0 +1,10 @@
+system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0 staff_r:staff_t:s0
+system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:xdm_t:s0 staff_r:staff_t:s0
+staff_r:staff_su_t:s0 staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
diff --git a/config/appconfig-mls/unconfined_u_default_contexts b/config/appconfig-mls/unconfined_u_default_contexts
new file mode 100644
index 00000000..106e093d
--- /dev/null
+++ b/config/appconfig-mls/unconfined_u_default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
new file mode 100644
index 00000000..cacbc939
--- /dev/null
+++ b/config/appconfig-mls/user_u_default_contexts
@@ -0,0 +1,8 @@
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0 user_r:user_t:s0
+
diff --git a/config/appconfig-mls/userhelper_context b/config/appconfig-mls/userhelper_context
new file mode 100644
index 00000000..dc37a69b
--- /dev/null
+++ b/config/appconfig-mls/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mls/virtual_domain_context b/config/appconfig-mls/virtual_domain_context
new file mode 100644
index 00000000..d387b428
--- /dev/null
+++ b/config/appconfig-mls/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff --git a/config/appconfig-mls/virtual_image_context b/config/appconfig-mls/virtual_image_context
new file mode 100644
index 00000000..8ab1e27e
--- /dev/null
+++ b/config/appconfig-mls/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff --git a/config/appconfig-mls/x_contexts b/config/appconfig-mls/x_contexts
new file mode 100644
index 00000000..0b320443
--- /dev/null
+++ b/config/appconfig-mls/x_contexts
@@ -0,0 +1,105 @@
+#
+# Config file for XSELinux extension
+#
+
+
+#
+##
+### Rules for X Clients
+##
+#
+
+#
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client * system_u:object_r:remote_t:s0
+
+
+#
+##
+### Rules for X Properties
+##
+#
+
+#
+# Property rules map a property name to a context. A default property
+# rule indicated by an asterisk should follow all other property rules.
+#
+# Properties that normal clients may only read
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
+
+# Clipboard and selection properties
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
+
+# Default fallback type
+property * system_u:object_r:xproperty_t:s0
+
+
+#
+##
+### Rules for X Extensions
+##
+#
+
+#
+# Extension rules map an extension name to a context. A default extension
+# rule indicated by an asterisk should follow all other extension rules.
+#
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t:s0
+
+# Standard extensions
+extension * system_u:object_r:xextension_t:s0
+
+
+#
+##
+### Rules for X Selections
+##
+#
+
+# Selection rules map a selection name to a context. A default selection
+# rule indicated by an asterisk should follow all other selection rules.
+#
+# Standard selections
+selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
+selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
+
+# Default fallback type
+selection * system_u:object_r:xselection_t:s0
+
+
+#
+##
+### Rules for X Events
+##
+#
+
+#
+# Event rules map an event protocol name to a context. A default event
+# rule indicated by an asterisk should follow all other event rules.
+#
+# Input events
+event X11:KeyPress system_u:object_r:input_xevent_t:s0
+event X11:KeyRelease system_u:object_r:input_xevent_t:s0
+event X11:ButtonPress system_u:object_r:input_xevent_t:s0
+event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
+event X11:MotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
+
+# Client message events
+event X11:ClientMessage system_u:object_r:client_xevent_t:s0
+event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
+event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
+event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
+
+# Default fallback type
+event * system_u:object_r:xevent_t:s0
diff --git a/config/appconfig-mls/xguest_u_default_contexts b/config/appconfig-mls/xguest_u_default_contexts
new file mode 100644
index 00000000..574363b5
--- /dev/null
+++ b/config/appconfig-mls/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0 xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+system_r:local_login_t:s0 xguest_r:xguest_t:s0
+system_r:remote_login_t:s0 xguest_r:xguest_t:s0
+system_r:sshd_t:s0 xguest_r:xguest_t:s0
+system_r:xdm_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
diff --git a/config/appconfig-standard/dbus_contexts b/config/appconfig-standard/dbus_contexts
new file mode 100644
index 00000000..116e684f
--- /dev/null
+++ b/config/appconfig-standard/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
new file mode 100644
index 00000000..64a0a90c
--- /dev/null
+++ b/config/appconfig-standard/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
+system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
+system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+system_r:sulogin_t sysadm_r:sysadm_t
+system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+
+staff_r:staff_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t
+
+sysadm_r:sysadm_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
+
+user_r:user_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t
diff --git a/config/appconfig-standard/default_type b/config/appconfig-standard/default_type
new file mode 100644
index 00000000..33528d61
--- /dev/null
+++ b/config/appconfig-standard/default_type
@@ -0,0 +1,6 @@
+auditadm_r:auditadm_t
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t
diff --git a/config/appconfig-standard/failsafe_context b/config/appconfig-standard/failsafe_context
new file mode 100644
index 00000000..2f96c9fd
--- /dev/null
+++ b/config/appconfig-standard/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t
diff --git a/config/appconfig-standard/guest_u_default_contexts b/config/appconfig-standard/guest_u_default_contexts
new file mode 100644
index 00000000..85a35fb1
--- /dev/null
+++ b/config/appconfig-standard/guest_u_default_contexts
@@ -0,0 +1,7 @@
+guest_r:guest_t guest_r:guest_t
+system_r:crond_t guest_r:guest_t
+system_r:initrc_su_t guest_r:guest_t
+system_r:local_login_t guest_r:guest_t
+system_r:remote_login_t guest_r:guest_t
+system_r:sshd_t guest_r:guest_t
+
diff --git a/config/appconfig-standard/initrc_context b/config/appconfig-standard/initrc_context
new file mode 100644
index 00000000..7fcf70bd
--- /dev/null
+++ b/config/appconfig-standard/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t
diff --git a/config/appconfig-standard/media b/config/appconfig-standard/media
new file mode 100644
index 00000000..de2a6527
--- /dev/null
+++ b/config/appconfig-standard/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t
+floppy system_u:object_r:removable_device_t
+disk system_u:object_r:fixed_disk_device_t
diff --git a/config/appconfig-standard/removable_context b/config/appconfig-standard/removable_context
new file mode 100644
index 00000000..d4921f03
--- /dev/null
+++ b/config/appconfig-standard/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t
diff --git a/config/appconfig-standard/root_default_contexts b/config/appconfig-standard/root_default_contexts
new file mode 100644
index 00000000..f5225686
--- /dev/null
+++ b/config/appconfig-standard/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t
+system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+
+staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/config/appconfig-standard/securetty_types b/config/appconfig-standard/securetty_types
new file mode 100644
index 00000000..527d8358
--- /dev/null
+++ b/config/appconfig-standard/securetty_types
@@ -0,0 +1 @@
+user_tty_device_t
diff --git a/config/appconfig-standard/sepgsql_contexts b/config/appconfig-standard/sepgsql_contexts
new file mode 100644
index 00000000..c7281512
--- /dev/null
+++ b/config/appconfig-standard/sepgsql_contexts
@@ -0,0 +1,40 @@
+#
+# Initial security label for SE-PostgreSQL (none-MLS)
+#
+
+# <databases>
+db_database * system_u:object_r:sepgsql_db_t
+
+# <schemas>
+db_schema *.* system_u:object_r:sepgsql_schema_t
+
+# <tables>
+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t
+db_table *.*.* system_u:object_r:sepgsql_table_t
+
+# <column>
+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t
+db_column *.*.*.* system_u:object_r:sepgsql_table_t
+
+# <sequences>
+db_sequence *.*.* system_u:object_r:sepgsql_seq_t
+
+# <views>
+db_view *.*.* system_u:object_r:sepgsql_view_t
+
+# <procedures>
+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t
+
+# <tuples>
+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t
+db_tuple *.*.* system_u:object_r:sepgsql_table_t
+
+# <blobs>
+db_blob *.* system_u:object_r:sepgsql_blob_t
+
+# <language>
+db_language *.sql system_u:object_r:sepgsql_safe_lang_t
+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t
+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t
+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t
+db_language *.* system_u:object_r:sepgsql_lang_t
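Review bot: The header comment reads `(none-MLS)`; the usual term is "non-MLS", and since the MCS and MLS variants of this file name their flavour in the same slot, `# Initial security label for SE-PostgreSQL (non-MLS)` keeps the three headers parallel. The rules themselves match the other two variants apart from the missing level suffix, which is correct for a policy without MLS.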
diff --git a/config/appconfig-standard/seusers b/config/appconfig-standard/seusers
new file mode 100644
index 00000000..36b193b1
--- /dev/null
+++ b/config/appconfig-standard/seusers
@@ -0,0 +1,3 @@
+system_u:system_u
+root:root
+__default__:user_u
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
new file mode 100644
index 00000000..c2a5ea87
--- /dev/null
+++ b/config/appconfig-standard/staff_u_default_contexts
@@ -0,0 +1,10 @@
+system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
+system_r:remote_login_t staff_r:staff_t
+system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
+system_r:crond_t staff_r:cronjob_t
+system_r:xdm_t staff_r:staff_t
+staff_r:staff_su_t staff_r:staff_t
+staff_r:staff_sudo_t staff_r:staff_t
+sysadm_r:sysadm_su_t sysadm_r:sysadm_t
+sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
+
diff --git a/config/appconfig-standard/unconfined_u_default_contexts b/config/appconfig-standard/unconfined_u_default_contexts
new file mode 100644
index 00000000..e340b219
--- /dev/null
+++ b/config/appconfig-standard/unconfined_u_default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t
+system_r:initrc_t unconfined_r:unconfined_t
+system_r:local_login_t unconfined_r:unconfined_t
+system_r:remote_login_t unconfined_r:unconfined_t
+system_r:rshd_t unconfined_r:unconfined_t
+system_r:sshd_t unconfined_r:unconfined_t
+system_r:sysadm_su_t unconfined_r:unconfined_t
+system_r:unconfined_t unconfined_r:unconfined_t
+system_r:xdm_t unconfined_r:unconfined_t
diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
new file mode 100644
index 00000000..f5bfac34
--- /dev/null
+++ b/config/appconfig-standard/user_u_default_contexts
@@ -0,0 +1,8 @@
+system_r:local_login_t user_r:user_t
+system_r:remote_login_t user_r:user_t
+system_r:sshd_t user_r:user_t
+system_r:crond_t user_r:cronjob_t
+system_r:xdm_t user_r:user_t
+user_r:user_su_t user_r:user_t
+user_r:user_sudo_t user_r:user_t
+
diff --git a/config/appconfig-standard/userhelper_context b/config/appconfig-standard/userhelper_context
new file mode 100644
index 00000000..081e93b4
--- /dev/null
+++ b/config/appconfig-standard/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t
diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
new file mode 100644
index 00000000..c049e104
--- /dev/null
+++ b/config/appconfig-standard/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t
diff --git a/config/appconfig-standard/virtual_image_context b/config/appconfig-standard/virtual_image_context
new file mode 100644
index 00000000..fca6046d
--- /dev/null
+++ b/config/appconfig-standard/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t
+system_u:object_r:virt_content_t
diff --git a/config/appconfig-standard/x_contexts b/config/appconfig-standard/x_contexts
new file mode 100644
index 00000000..5b752f85
--- /dev/null
+++ b/config/appconfig-standard/x_contexts
@@ -0,0 +1,105 @@
+#
+# Config file for XSELinux extension
+#
+
+
+#
+##
+### Rules for X Clients
+##
+#
+
+#
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client * system_u:object_r:remote_t
+
+
+#
+##
+### Rules for X Properties
+##
+#
+
+#
+# Property rules map a property name to a context. A default property
+# rule indicated by an asterisk should follow all other property rules.
+#
+# Properties that normal clients may only read
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t
+
+# Clipboard and selection properties
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t
+
+# Default fallback type
+property * system_u:object_r:xproperty_t
+
+
+#
+##
+### Rules for X Extensions
+##
+#
+
+#
+# Extension rules map an extension name to a context. A default extension
+# rule indicated by an asterisk should follow all other extension rules.
+#
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t
+
+# Standard extensions
+extension * system_u:object_r:xextension_t
+
+
+#
+##
+### Rules for X Selections
+##
+#
+
+# Selection rules map a selection name to a context. A default selection
+# rule indicated by an asterisk should follow all other selection rules.
+#
+# Standard selections
+selection PRIMARY system_u:object_r:clipboard_xselection_t
+selection CLIPBOARD system_u:object_r:clipboard_xselection_t
+
+# Default fallback type
+selection * system_u:object_r:xselection_t
+
+
+#
+##
+### Rules for X Events
+##
+#
+
+#
+# Event rules map an event protocol name to a context. A default event
+# rule indicated by an asterisk should follow all other event rules.
+#
+# Input events
+event X11:KeyPress system_u:object_r:input_xevent_t
+event X11:KeyRelease system_u:object_r:input_xevent_t
+event X11:ButtonPress system_u:object_r:input_xevent_t
+event X11:ButtonRelease system_u:object_r:input_xevent_t
+event X11:MotionNotify system_u:object_r:input_xevent_t
+event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t
+event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t
+event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t
+event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t
+event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t
+event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t
+event XInputExtension:ProximityIn system_u:object_r:input_xevent_t
+event XInputExtension:ProximityOut system_u:object_r:input_xevent_t
+
+# Client message events
+event X11:ClientMessage system_u:object_r:client_xevent_t
+event X11:SelectionNotify system_u:object_r:client_xevent_t
+event X11:UnmapNotify system_u:object_r:client_xevent_t
+event X11:ConfigureNotify system_u:object_r:client_xevent_t
+
+# Default fallback type
+event * system_u:object_r:xevent_t
diff --git a/config/appconfig-standard/xguest_u_default_contexts b/config/appconfig-standard/xguest_u_default_contexts
new file mode 100644
index 00000000..55d44d1b
--- /dev/null
+++ b/config/appconfig-standard/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t xguest_r:xguest_t
+system_r:initrc_su_t xguest_r:xguest_t
+system_r:local_login_t xguest_r:xguest_t
+system_r:remote_login_t xguest_r:xguest_t
+system_r:sshd_t xguest_r:xguest_t
+system_r:xdm_t xguest_r:xguest_t
+xguest_r:xguest_t xguest_r:xguest_t
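Review bot: `system_r:initrc_su_t xguest_r:xguest_t` at L5793 names a type that no other default_contexts file in this chunk uses (user_u and staff_u list only local_login_t, remote_login_t, sshd_t, crond_t, xdm_t and their own su/sudo types), so it is worth confirming that initrc_su_t is actually declared by this policy. As far as I can tell the default-context lookup skips an entry whose context is not valid in the loaded policy rather than failing on it, so a stale line costs nothing at runtime, but it leaves a reader expecting a transition path that may not exist. If the type is not declared, drop the line; if it is, the README should say which module provides it, since this format gives no room for a comment.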
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
new file mode 100644
index 00000000..32b87a4f
--- /dev/null
+++ b/config/file_contexts.subs_dist
@@ -0,0 +1,7 @@
+/lib32 /lib
+/lib64 /lib
+/run /var/run
+/run/lock /var/lock
+/usr/lib32 /usr/lib
+/usr/lib64 /usr/lib
+/var/run/lock /var/lock
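Review bot: The labelling of paths under `/run/lock` depends on which of `/run /var/run` (L5807) and `/run/lock /var/lock` (L5808) libselinux tries first, because a substitution is applied once and does not chain: if the `/run` prefix wins, `/run/lock/foo` becomes `/var/run/lock/foo` and is then matched by the `/var/run` file_contexts entries rather than the `/var/lock` ones that L5811 clearly intends. My understanding is that libselinux consults later lines before earlier ones, which makes the order shown here correct, but that is an ordering dependency a maintainer can break simply by sorting the file. Since the subs format is not documented here as accepting comments, the README should state that a longer prefix must appear after any shorter prefix it extends.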
diff --git a/config/local.users b/config/local.users
new file mode 100644
index 00000000..7e2bf7aa
--- /dev/null
+++ b/config/local.users
@@ -0,0 +1,21 @@
+##################################
+#
+# User configuration.
+#
+# This file defines additional users recognized by the system security policy.
+# Only the user identities defined in this file and the system.users file
+# may be used as the user attribute in a security context.
+#
+# Each user has a set of roles that may be entered by processes
+# with the users identity. The syntax of a user declaration is:
+#
+# user username roles role_set [ level default_level range allowed_range ];
+#
+# The MLS default level and allowed range should only be specified if
+# MLS was enabled in the policy.
+
+# sample for administrative user
+# user jadmin roles { staff_r sysadm_r };
+
+# sample for regular user
+#user jdoe roles { user_r };
diff --git a/doc/Makefile.example b/doc/Makefile.example
new file mode 100644
index 00000000..9f2a8d52
--- /dev/null
+++ b/doc/Makefile.example
@@ -0,0 +1,8 @@
+
+AWK ?= gawk
+
+NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
+SHAREDIR ?= /usr/share/selinux
+HEADERDIR := $(SHAREDIR)/$(NAME)/include
+
+include $(HEADERDIR)/Makefile
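Review bot: `NAME` (L5848) is derived from `/etc/selinux/config` without any check that the lookup produced a value; when that file is absent or has no `SELINUXTYPE=` line, `HEADERDIR` silently becomes `/usr/share/selinux//include` and the `include` at L5852 fails with a "No such file" error that hides the real cause. A guard before the `include` makes the example fail clearly: `ifeq ($(strip $(NAME)),)` / `$(error NAME is empty: set SELINUXTYPE in /etc/selinux/config or pass NAME=<policy type>)` / `endif`. Because this file is what module authors copy, the clearer failure is worth the three lines.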
diff --git a/doc/example.fc b/doc/example.fc
new file mode 100644
index 00000000..9cf7c4c1
--- /dev/null
+++ b/doc/example.fc
@@ -0,0 +1,6 @@
+# myapp executable will have:
+# label: system_u:object_r:myapp_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
diff --git a/doc/example.if b/doc/example.if
new file mode 100644
index 00000000..54d42ae6
--- /dev/null
+++ b/doc/example.if
@@ -0,0 +1,54 @@
+## <summary>Myapp example policy</summary>
+## <desc>
+## <p>
+## More descriptive text about myapp. The desc
+## tag can also use p, ul, and ol
+## html tags for formatting.
+## </p>
+## <p>
+## This policy supports the following myapp features:
+## <ul>
+## <li>Feature A</li>
+## <li>Feature B</li>
+## <li>Feature C</li>
+## </ul>
+## </p>
+## </desc>
+#
+
+########################################
+## <summary>
+## Execute a domain transition to run myapp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`myapp_domtrans',`
+ gen_require(`
+ type myapp_t, myapp_exec_t;
+ ')
+
+ domtrans_pattern($1,myapp_exec_t,myapp_t)
+')
+
+########################################
+## <summary>
+## Read myapp log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read the log files.
+## </summary>
+## </param>
+#
+interface(`myapp_read_log',`
+ gen_require(`
+ type myapp_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 myapp_log_t:file read_file_perms;
+')
diff --git a/doc/example.te b/doc/example.te
new file mode 100644
index 00000000..82383553
--- /dev/null
+++ b/doc/example.te
@@ -0,0 +1,28 @@
+
+policy_module(myapp,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type myapp_t;
+type myapp_exec_t;
+domain_type(myapp_t)
+domain_entry_file(myapp_t, myapp_exec_t)
+
+type myapp_log_t;
+logging_log_file(myapp_log_t)
+
+type myapp_tmp_t;
+files_tmp_file(myapp_tmp_t)
+
+########################################
+#
+# Myapp local policy
+#
+
+allow myapp_t myapp_log_t:file { read_file_perms append_file_perms };
+
+allow myapp_t myapp_tmp_t:file manage_file_perms;
+files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
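Review bot: `allow myapp_t myapp_log_t:file { read_file_perms append_file_perms }` at L5955 grants access to the log file itself but nothing for reaching it: `logging_log_file(myapp_log_t)` at L5945 places the type under the log directory, so myapp_t presumably also needs `logging_search_logs(myapp_t)` to traverse to it. The `myapp_read_log` interface in example.if (L5922-L5923) already pairs the search call with the file rule for callers, and the module's own policy should follow the same pattern. As this file is the template readers copy, add `logging_search_logs(myapp_t)` directly after L5955 so the example is complete on its own.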
diff --git a/doc/global_booleans.xml b/doc/global_booleans.xml
new file mode 100644
index 00000000..76c5a81a
--- /dev/null
+++ b/doc/global_booleans.xml
@@ -0,0 +1,9 @@
+<bool name="secure_mode" dftval="false">
+<desc>
+<p>
+Enabling secure mode disallows programs, such as
+newrole, from transitioning to administrative
+user domains.
+</p>
+</desc>
+</bool>
diff --git a/doc/global_tunables.xml b/doc/global_tunables.xml
new file mode 100644
index 00000000..c026deaf
--- /dev/null
+++ b/doc/global_tunables.xml
@@ -0,0 +1,108 @@
+<tunable name="allow_execheap" dftval="false">
+<desc>
+<p>
+Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execmem" dftval="false">
+<desc>
+<p>
+Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execmod" dftval="false">
+<desc>
+<p>
+Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execstack" dftval="false">
+<desc>
+<p>
+Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+</p>
+</desc>
+</tunable>
+<tunable name="allow_polyinstantiation" dftval="false">
+<desc>
+<p>
+Enable polyinstantiated directory support.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_ypbind" dftval="false">
+<desc>
+<p>
+Allow system to run with NIS
+</p>
+</desc>
+</tunable>
+<tunable name="console_login" dftval="true">
+<desc>
+<p>
+Allow logging in and using the system from /dev/console.
+</p>
+</desc>
+</tunable>
+<tunable name="global_ssp" dftval="false">
+<desc>
+<p>
+Enable reading of urandom for all domains.
+</p>
+<p>
+This should be enabled when all programs
+are compiled with ProPolice/SSP
+stack smashing protection. All domains will
+be allowed to read from /dev/urandom.
+</p>
+</desc>
+</tunable>
+<tunable name="mail_read_content" dftval="false">
+<desc>
+<p>
+Allow email client to various content.
+nfs, samba, removable devices, and user temp
+files
+</p>
+</desc>
+</tunable>
+<tunable name="nfs_export_all_rw" dftval="false">
+<desc>
+<p>
+Allow any files/directories to be exported read/write via NFS.
+</p>
+</desc>
+</tunable>
+<tunable name="nfs_export_all_ro" dftval="false">
+<desc>
+<p>
+Allow any files/directories to be exported read/only via NFS.
+</p>
+</desc>
+</tunable>
+<tunable name="use_nfs_home_dirs" dftval="false">
+<desc>
+<p>
+Support NFS home directories
+</p>
+</desc>
+</tunable>
+<tunable name="use_samba_home_dirs" dftval="false">
+<desc>
+<p>
+Support SAMBA home directories
+</p>
+</desc>
+</tunable>
+<tunable name="user_tcp_server" dftval="false">
+<desc>
+<p>
+Allow users to run TCP servers (bind to ports and accept connection from
+the same domain and outside users) disabling this forces FTP passive mode
+and may change other protocols.
+</p>
+</desc>
+</tunable>
diff --git a/doc/policy.dtd b/doc/policy.dtd
new file mode 100644
index 00000000..b797f712
--- /dev/null
+++ b/doc/policy.dtd
@@ -0,0 +1,44 @@
+<!ENTITY % inline.class "pre|p|ul|ol|li">
+
+<!ELEMENT policy (layer+,(tunable|bool)*)>
+<!ELEMENT layer (summary,module+)>
+<!ATTLIST layer
+ name CDATA #REQUIRED>
+<!ELEMENT module (summary,desc?,required?,(interface|template)*,(bool|tunable)*)>
+<!ATTLIST module
+ name CDATA #REQUIRED
+ filename CDATA #REQUIRED>
+<!ELEMENT required (#PCDATA)>
+<!ATTLIST required
+ val (true|false) "false">
+<!ELEMENT tunable (desc)>
+<!ATTLIST tunable
+ name CDATA #REQUIRED
+ dftval CDATA #REQUIRED>
+<!ELEMENT bool (desc)>
+<!ATTLIST bool
+ name CDATA #REQUIRED
+ dftval CDATA #REQUIRED>
+<!ELEMENT summary (#PCDATA)>
+<!ELEMENT interface (summary,desc?,param+,infoflow?,(rolebase|rolecap)?)>
+<!ATTLIST interface name CDATA #REQUIRED lineno CDATA #REQUIRED>
+<!ELEMENT template (summary,desc?,param+,(rolebase|rolecap)?)>
+<!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
+<!ELEMENT desc (#PCDATA|%inline.class;)*>
+<!ELEMENT param (summary)>
+<!ATTLIST param
+ name CDATA #REQUIRED
+ optional (true|false) "false"
+ unused (true|false) "false">
+<!ELEMENT infoflow EMPTY>
+<!ATTLIST infoflow
+ type CDATA #REQUIRED
+ weight CDATA #IMPLIED>
+<!ELEMENT rolebase EMPTY>
+<!ELEMENT rolecap EMPTY>
+
+<!ATTLIST pre caption CDATA #IMPLIED>
+<!ELEMENT p (#PCDATA|%inline.class;)*>
+<!ELEMENT ul (li+)>
+<!ELEMENT ol (li+)>
+<!ELEMENT li (#PCDATA|%inline.class;)*>
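Review bot: `%inline.class;` (L6094) admits `pre` inside `desc`, `p` and `li`, but the DTD declares only an attribute list for `pre` (L6133) and no element type, so a validating parser rejects any description that actually uses `<pre>`; add `<!ELEMENT pre (#PCDATA)>` next to L6133. Separately, `dftval` on `tunable` (L6110) and `bool` (L6114) is typed `CDATA` while `required` (L6106) and `param` (L6124-L6125) use the `(true|false)` enumeration, even though every `dftval` on this page is `true` or `false`; declaring it as `dftval (true|false) #REQUIRED` lets the validator catch a mistyped default instead of passing it through to the generated documentation.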
diff --git a/doc/policy.xml b/doc/policy.xml
new file mode 100644
index 00000000..92615add
--- /dev/null
+++ b/doc/policy.xml
@@ -0,0 +1,91784 @@
+<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
+<!DOCTYPE policy SYSTEM "policy.dtd">
+<policy>
+<layer name="admin">
+<summary>
+ Policy modules for administrative functions, such as package management.
+</summary>
+<module name="bootloader" filename="policy/modules/admin/bootloader.if">
+<summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
+<interface name="bootloader_domtrans" lineno="13">
+<summary>
+Execute bootloader in the bootloader domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="bootloader_run" lineno="39">
+<summary>
+Execute bootloader interactively and do
+a domain transition to the bootloader domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="bootloader_read_config" lineno="58">
+<summary>
+Read the bootloader configuration file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bootloader_rw_config" lineno="78">
+<summary>
+Read and write the bootloader
+configuration file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="bootloader_rw_tmp_files" lineno="97">
+<summary>
+Read and write the bootloader
+temporary data in /tmp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bootloader_create_runtime_file" lineno="117">
+<summary>
+Read and write the bootloader
+temporary data in /tmp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="consoletype" filename="policy/modules/admin/consoletype.if">
+<summary>
+Determine of the console connected to the controlling terminal.
+</summary>
+<interface name="consoletype_domtrans" lineno="15">
+<summary>
+Execute consoletype in the consoletype domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="consoletype_run" lineno="44">
+<summary>
+Execute consoletype in the consoletype domain, and
+allow the specified role the consoletype domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="consoletype_exec" lineno="64">
+<summary>
+Execute consoletype in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="dmesg" filename="policy/modules/admin/dmesg.if">
+<summary>Policy for dmesg.</summary>
+<interface name="dmesg_domtrans" lineno="13">
+<summary>
+Execute dmesg in the dmesg domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="dmesg_exec" lineno="33">
+<summary>
+Execute dmesg in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="netutils" filename="policy/modules/admin/netutils.if">
+<summary>Network analysis utilities</summary>
+<interface name="netutils_domtrans" lineno="13">
+<summary>
+Execute network utilities in the netutils domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="netutils_run" lineno="39">
+<summary>
+Execute network utilities in the netutils domain, and
+allow the specified role the netutils domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="netutils_exec" lineno="58">
+<summary>
+Execute network utilities in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="netutils_signal" lineno="77">
+<summary>
+Send generic signals to network utilities.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="netutils_domtrans_ping" lineno="95">
+<summary>
+Execute ping in the ping domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="netutils_kill_ping" lineno="114">
+<summary>
+Send a kill (SIGKILL) signal to ping.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="netutils_signal_ping" lineno="132">
+<summary>
+Send generic signals to ping.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="netutils_run_ping" lineno="157">
+<summary>
+Execute ping in the ping domain, and
+allow the specified role the ping domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="netutils_run_ping_cond" lineno="183">
+<summary>
+Conditionally execute ping in the ping domain, and
+allow the specified role the ping domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="netutils_exec_ping" lineno="206">
+<summary>
+Execute ping in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="netutils_domtrans_traceroute" lineno="225">
+<summary>
+Execute traceroute in the traceroute domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="netutils_run_traceroute" lineno="251">
+<summary>
+Execute traceroute in the traceroute domain, and
+allow the specified role the traceroute domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="netutils_run_traceroute_cond" lineno="277">
+<summary>
+Conditionally execute traceroute in the traceroute domain, and
+allow the specified role the traceroute domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="netutils_exec_traceroute" lineno="300">
+<summary>
+Execute traceroute in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="user_ping" dftval="false">
+<desc>
+<p>
+Control users use of ping and traceroute
+</p>
+</desc>
+</tunable>
+</module>
+<module name="su" filename="policy/modules/admin/su.if">
+<summary>Run shells with substitute user and group</summary>
+<template name="su_restricted_domain_template" lineno="31">
+<summary>
+Restricted su domain template.
+</summary>
+<desc>
+<p>
+This template creates a derived domain which is allowed
+to change the linux user id, to run shells as a different
+user.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+</template>
+<template name="su_role_template" lineno="162">
+<summary>
+The role template for the su module.
+</summary>
+<param name="role_prefix">
+<summary>
+The prefix of the user role (e.g., user
+is the prefix for user_r).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+<interface name="su_exec" lineno="328">
+<summary>
+Execute su in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="sudo" filename="policy/modules/admin/sudo.if">
+<summary>Execute a command with a substitute user</summary>
+<template name="sudo_role_template" lineno="31">
+<summary>
+The role template for the sudo module.
+</summary>
+<desc>
+<p>
+This template creates a derived domain which is allowed
+to change the linux user id, to run commands as a different
+user.
+</p>
+</desc>
+<param name="role_prefix">
+<summary>
+The prefix of the user role (e.g., user
+is the prefix for user_r).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The user role.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The user domain associated with the role.
+</summary>
+</param>
+</template>
+<interface name="sudo_sigchld" lineno="172">
+<summary>
+Send a SIGCHLD signal to the sudo domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="usermanage" filename="policy/modules/admin/usermanage.if">
+<summary>Policy for managing user accounts.</summary>
+<interface name="usermanage_domtrans_chfn" lineno="13">
+<summary>
+Execute chfn in the chfn domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_run_chfn" lineno="42">
+<summary>
+Execute chfn in the chfn domain, and
+allow the specified role the chfn domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_domtrans_groupadd" lineno="61">
+<summary>
+Execute groupadd in the groupadd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_run_groupadd" lineno="91">
+<summary>
+Execute groupadd in the groupadd domain, and
+allow the specified role the groupadd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="usermanage_domtrans_passwd" lineno="110">
+<summary>
+Execute passwd in the passwd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_kill_passwd" lineno="133">
+<summary>
+Send sigkills to passwd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_run_passwd" lineno="157">
+<summary>
+Execute passwd in the passwd domain, and
+allow the specified role the passwd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_domtrans_admin_passwd" lineno="177">
+<summary>
+Execute password admin functions in
+the admin passwd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_run_admin_passwd" lineno="204">
+<summary>
+Execute passwd admin functions in the admin
+passwd domain, and allow the specified role
+the admin passwd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="usermanage_dontaudit_use_useradd_fds" lineno="223">
+<summary>
+Do not audit attempts to use useradd fds.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_domtrans_useradd" lineno="241">
+<summary>
+Execute useradd in the useradd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_run_useradd" lineno="271">
+<summary>
+Execute useradd in the useradd domain, and
+allow the specified role the useradd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="usermanage_read_crack_db" lineno="290">
+<summary>
+Read the crack database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+</layer>
+<layer name="apps">
+<summary>Policy modules for applications</summary>
+<module name="seunshare" filename="policy/modules/apps/seunshare.if">
+<summary>Filesystem namespacing/polyinstantiation application.</summary>
+<interface name="seunshare_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run seunshare.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="seunshare_run" lineno="37">
+<summary>
+Execute seunshare in the seunshare domain, and
+allow the specified role the seunshare domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seunshare_role" lineno="69">
+<summary>
+Role access for seunshare
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role.
+</summary>
+</param>
+</interface>
+</module>
+</layer>
+<layer name="contrib">
+<summary>Contributed Reference Policy modules.</summary>
+<module name="abrt" filename="policy/modules/contrib/abrt.if">
+<summary>ABRT - automated bug-reporting tool</summary>
+<interface name="abrt_domtrans" lineno="13">
+<summary>
+Execute abrt in the abrt domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="abrt_exec" lineno="32">
+<summary>
+Execute abrt in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_signull" lineno="51">
+<summary>
+Send a null signal to abrt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_read_state" lineno="69">
+<summary>
+Allow the domain to read abrt state files in /proc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_stream_connect" lineno="87">
+<summary>
+Connect to abrt over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_dbus_chat" lineno="107">
+<summary>
+Send and receive messages from
+abrt over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_domtrans_helper" lineno="127">
+<summary>
+Execute abrt-helper in the abrt-helper domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="abrt_run_helper" lineno="152">
+<summary>
+Execute abrt helper in the abrt_helper domain, and
+allow the specified role the abrt_helper domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="abrt_cache_manage" lineno="172">
+<summary>
+Send and receive messages from
+abrt over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_read_config" lineno="190">
+<summary>
+Read abrt configuration file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_read_log" lineno="209">
+<summary>
+Read abrt logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_read_pid_files" lineno="228">
+<summary>
+Read abrt PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_manage_pid_files" lineno="247">
+<summary>
+Create, read, write, and delete abrt PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="abrt_admin" lineno="273">
+<summary>
+All of the rules required to administrate
+an abrt environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the abrt domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="accountsd" filename="policy/modules/contrib/accountsd.if">
+<summary>AccountsService and daemon for manipulating user account information via D-Bus</summary>
+<interface name="accountsd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run accountsd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="accountsd_dontaudit_rw_fifo_file" lineno="32">
+<summary>
+Do not audit attempts to read and write Accounts Daemon
+fifo file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="accountsd_dbus_chat" lineno="51">
+<summary>
+Send and receive messages from
+accountsd over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="accountsd_search_lib" lineno="71">
+<summary>
+Search accountsd lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="accountsd_read_lib_files" lineno="90">
+<summary>
+Read accountsd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="accountsd_manage_lib_files" lineno="110">
+<summary>
+Create, read, write, and delete
+accountsd lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="accountsd_admin" lineno="136">
+<summary>
+All of the rules required to administrate
+an accountsd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="acct" filename="policy/modules/contrib/acct.if">
+<summary>Berkeley process accounting</summary>
+<interface name="acct_domtrans" lineno="13">
+<summary>
+Transition to the accounting management domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="acct_exec" lineno="32">
+<summary>
+Execute accounting management tools in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="acct_exec_data" lineno="53">
+<summary>
+Execute accounting management data in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="acct_manage_data" lineno="72">
+<summary>
+Create, read, write, and delete process accounting data.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="ada" filename="policy/modules/contrib/ada.if">
+<summary>GNAT Ada95 compiler</summary>
+<interface name="ada_domtrans" lineno="13">
+<summary>
+Execute the ada program in the ada domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ada_run" lineno="38">
+<summary>
+Execute ada in the ada domain, and
+allow the specified role the ada domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="afs" filename="policy/modules/contrib/afs.if">
+<summary>Andrew Filesystem server</summary>
+<interface name="afs_domtrans" lineno="14">
+<summary>
+Execute a domain transition to run the
+afs client.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="afs_rw_udp_sockets" lineno="33">
+<summary>
+Read and write afs client UDP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="afs_rw_cache" lineno="51">
+<summary>
+read/write afs cache files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="afs_initrc_domtrans" lineno="70">
+<summary>
+Execute afs server in the afs domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="afs_admin" lineno="95">
+<summary>
+All of the rules required to administrate
+an afs environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the afs domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="aiccu" filename="policy/modules/contrib/aiccu.if">
+<summary>Automatic IPv6 Connectivity Client Utility.</summary>
+<interface name="aiccu_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run aiccu.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="aiccu_initrc_domtrans" lineno="32">
+<summary>
+Execute aiccu server in the aiccu domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="aiccu_read_pid_files" lineno="50">
+<summary>
+Read aiccu PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="aiccu_admin" lineno="76">
+<summary>
+All of the rules required to administrate
+an aiccu environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="aide" filename="policy/modules/contrib/aide.if">
+<summary>Aide filesystem integrity checker</summary>
+<interface name="aide_domtrans" lineno="13">
+<summary>
+Execute aide in the aide domain
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="aide_run" lineno="37">
+<summary>
+Execute aide programs in the AIDE domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the AIDE domain.
+</summary>
+</param>
+</interface>
+<interface name="aide_admin" lineno="58">
+<summary>
+All of the rules required to administrate
+an aide environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="aisexec" filename="policy/modules/contrib/aisexec.if">
+<summary>Aisexec Cluster Engine</summary>
+<interface name="aisexec_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run aisexec.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="aisexec_stream_connect" lineno="32">
+<summary>
+Connect to aisexec over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="aisexec_read_log" lineno="51">
+<summary>
+Allow the specified domain to read aisexec's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="aisexecd_admin" lineno="78">
+<summary>
+All of the rules required to administrate
+an aisexec environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the aisexecd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="alsa" filename="policy/modules/contrib/alsa.if">
+<summary>Ainit ALSA configuration tool.</summary>
+<interface name="alsa_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run Alsa.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="alsa_run" lineno="39">
+<summary>
+Execute a domain transition to run
+Alsa, and allow the specified role
+the Alsa domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_rw_semaphores" lineno="58">
+<summary>
+Read and write Alsa semaphores.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_rw_shared_mem" lineno="76">
+<summary>
+Read and write Alsa shared memory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_read_rw_config" lineno="94">
+<summary>
+Read writable Alsa config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_manage_rw_config" lineno="119">
+<summary>
+Manage writable Alsa config files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_manage_home_files" lineno="144">
+<summary>
+Manage alsa home files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_read_home_files" lineno="163">
+<summary>
+Read Alsa home files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_relabel_home_files" lineno="182">
+<summary>
+Relabel alsa home files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="alsa_read_lib" lineno="201">
+<summary>
+Read Alsa lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="amanda" filename="policy/modules/contrib/amanda.if">
+<summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
+<interface name="amanda_domtrans_recover" lineno="14">
+<summary>
+Execute a domain transition to run
+Amanda recover.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="amanda_run_recover" lineno="41">
+<summary>
+Execute a domain transition to run
+Amanda recover, and allow the specified
+role the Amanda recover domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="amanda_search_lib" lineno="60">
+<summary>
+Search Amanda library directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amanda_dontaudit_read_dumpdates" lineno="79">
+<summary>
+Do not audit attempts to read /etc/dumpdates.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="amanda_rw_dumpdates_files" lineno="97">
+<summary>
+Read and write /etc/dumpdates.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amanda_manage_lib" lineno="116">
+<summary>
+Search Amanda library directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amanda_append_log_files" lineno="135">
+<summary>
+Read and append amanda logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amanda_search_var_lib" lineno="154">
+<summary>
+Search Amanda var library directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="amavis" filename="policy/modules/contrib/amavis.if">
+<summary>
+Daemon that interfaces mail transfer agents and content
+checkers, such as virus scanners.
+</summary>
+<interface name="amavis_domtrans" lineno="16">
+<summary>
+Execute a domain transition to run amavis.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="amavis_initrc_domtrans" lineno="35">
+<summary>
+Execute amavis server in the amavis domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="amavis_read_spool_files" lineno="53">
+<summary>
+Read amavis spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_manage_spool_files" lineno="72">
+<summary>
+Manage amavis spool files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_spool_filetrans" lineno="103">
+<summary>
+Create objects in the amavis spool directories
+with a private type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="private_type">
+<summary>
+Private file type.
+</summary>
+</param>
+<param name="object_class">
+<summary>
+Class of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="amavis_search_lib" lineno="122">
+<summary>
+Search amavis lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_read_lib_files" lineno="141">
+<summary>
+Read amavis lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_manage_lib_files" lineno="162">
+<summary>
+Create, read, write, and delete
+amavis lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_setattr_pid_files" lineno="181">
+<summary>
+Set the attributes of amavis pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_create_pid_files" lineno="200">
+<summary>
+Create of amavis pid files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="amavis_admin" lineno="226">
+<summary>
+All of the rules required to administrate
+an amavis environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="amtu" filename="policy/modules/contrib/amtu.if">
+<summary>Abstract Machine Test Utility.</summary>
+<interface name="amtu_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run Amtu.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="amtu_run" lineno="39">
+<summary>
+Execute a domain transition to run
+Amtu, and allow the specified role
+the Amtu domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="anaconda" filename="policy/modules/contrib/anaconda.if">
+<summary>Anaconda installer.</summary>
+</module>
+<module name="apache" filename="policy/modules/contrib/apache.if">
+<summary>Apache web server</summary>
+<template name="apache_content_template" lineno="14">
+<summary>
+Create a set of derived types for apache
+web content.
+</summary>
+<param name="prefix">
+<summary>
+The prefix to be used for deriving type names.
+</summary>
+</param>
+</template>
+<interface name="apache_role" lineno="211">
+<summary>
+Role access for apache
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="apache_read_user_scripts" lineno="271">
+<summary>
+Read httpd user scripts executables.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_read_user_content" lineno="291">
+<summary>
+Read user web content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_domtrans" lineno="311">
+<summary>
+Transition to apache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apache_signal" lineno="330">
+<summary>
+Send a generic signal to apache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_signull" lineno="348">
+<summary>
+Send a null signal to apache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_sigchld" lineno="366">
+<summary>
+Send a SIGCHLD signal to apache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_use_fds" lineno="384">
+<summary>
+Inherit and use file descriptors from Apache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_rw_fifo_file" lineno="403">
+<summary>
+Do not audit attempts to read and write Apache
+unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_rw_stream_sockets" lineno="422">
+<summary>
+Do not audit attempts to read and write Apache
+unix domain stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_rw_tcp_sockets" lineno="441">
+<summary>
+Do not audit attempts to read and write Apache
+TCP sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_manage_all_content" lineno="460">
+<summary>
+Create, read, write, and delete all web content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apache_setattr_cache_dirs" lineno="485">
+<summary>
+Allow domain to set the attributes
+of the APACHE cache directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_list_cache" lineno="504">
+<summary>
+Allow the specified domain to list
+Apache cache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_rw_cache_files" lineno="523">
+<summary>
+Allow the specified domain to read
+and write Apache cache files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_delete_cache_files" lineno="542">
+<summary>
+Allow the specified domain to delete
+Apache cache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_read_config" lineno="562">
+<summary>
+Allow the specified domain to read
+apache configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apache_manage_config" lineno="584">
+<summary>
+Allow the specified domain to manage
+apache configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_domtrans_helper" lineno="606">
+<summary>
+Execute the Apache helper program with
+a domain transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_run_helper" lineno="633">
+<summary>
+Execute the Apache helper program with
+a domain transition, and allow the
+specified role the Apache helper domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apache_read_log" lineno="654">
+<summary>
+Allow the specified domain to read
+apache log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apache_append_log" lineno="676">
+<summary>
+Allow the specified domain to append
+to apache log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_append_log" lineno="697">
+<summary>
+Do not audit attempts to append to the
+Apache logs.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_manage_log" lineno="716">
+<summary>
+Allow the specified domain to manage
+to apache log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_search_modules" lineno="738">
+<summary>
+Do not audit attempts to search Apache
+module directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_list_modules" lineno="758">
+<summary>
+Allow the specified domain to list
+the contents of the apache modules
+directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_exec_modules" lineno="777">
+<summary>
+Allow the specified domain to execute
+apache modules.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_domtrans_rotatelogs" lineno="797">
+<summary>
+Execute a domain transition to run httpd_rotatelogs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apache_list_sys_content" lineno="816">
+<summary>
+Allow the specified domain to list
+apache system content files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_manage_sys_content" lineno="838">
+<summary>
+Allow the specified domain to manage
+apache system content files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apache_domtrans_sys_script" lineno="862">
+<summary>
+Execute all web scripts in the system
+script domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_rw_sys_script_stream_sockets" lineno="884">
+<summary>
+Do not audit attempts to read and write Apache
+system script unix domain stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_domtrans_all_scripts" lineno="903">
+<summary>
+Execute all user scripts in the user
+script domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apache_run_all_scripts" lineno="928">
+<summary>
+Execute all user scripts in the user
+script domain. Add user script domains
+to the specified role.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access..
+</summary>
+</param>
+</interface>
+<interface name="apache_read_squirrelmail_data" lineno="948">
+<summary>
+Allow the specified domain to read
+apache squirrelmail data.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_append_squirrelmail_data" lineno="967">
+<summary>
+Allow the specified domain to append
+apache squirrelmail data.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_search_sys_content" lineno="985">
+<summary>
+Search apache system content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_read_sys_content" lineno="1003">
+<summary>
+Read apache system content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_search_sys_scripts" lineno="1023">
+<summary>
+Search apache system CGI directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_manage_all_user_content" lineno="1042">
+<summary>
+Create, read, write, and delete all user web content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apache_search_sys_script_state" lineno="1066">
+<summary>
+Search system script state directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_read_tmp_files" lineno="1085">
+<summary>
+Allow the specified domain to read
+apache tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apache_dontaudit_write_tmp_files" lineno="1105">
+<summary>
+Dontaudit attempts to write
+apache tmp files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apache_cgi_domain" lineno="1138">
+<summary>
+Execute CGI in the specified domain.
+</summary>
+<desc>
+<p>
+Execute CGI in the specified domain.
+</p>
+<p>
+This is an interface to support third party modules
+and its use is not allowed in upstream reference
+policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain run the cgi script in.
+</summary>
+</param>
+<param name="entrypoint">
+<summary>
+Type of the executable to enter the cgi domain.
+</summary>
+</param>
+</interface>
+<interface name="apache_admin" lineno="1171">
+<summary>
+All of the rules required to administrate an apache environment
+</summary>
+<param name="prefix">
+<summary>
+Prefix of the domain. Example, user would be
+the prefix for the uder_t domain.
+</summary>
+</param>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="allow_httpd_anon_write" dftval="false">
+<desc>
+<p>
+Allow Apache to modify public files
+used for public file transfer services. Directories/Files must
+be labeled public_content_rw_t.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_httpd_mod_auth_pam" dftval="false">
+<desc>
+<p>
+Allow Apache to use mod_auth_pam
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_builtin_scripting" dftval="false">
+<desc>
+<p>
+Allow httpd to use built in scripting (usually php)
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_can_network_connect" dftval="false">
+<desc>
+<p>
+Allow HTTPD scripts and modules to connect to the network using TCP.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_can_network_connect_db" dftval="false">
+<desc>
+<p>
+Allow HTTPD scripts and modules to connect to databases over the network.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_can_network_relay" dftval="false">
+<desc>
+<p>
+Allow httpd to act as a relay
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_can_sendmail" dftval="false">
+<desc>
+<p>
+Allow http daemon to send mail
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_dbus_avahi" dftval="false">
+<desc>
+<p>
+Allow Apache to communicate with avahi service via dbus
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_enable_cgi" dftval="false">
+<desc>
+<p>
+Allow httpd cgi support
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_enable_ftp_server" dftval="false">
+<desc>
+<p>
+Allow httpd to act as a FTP server by
+listening on the ftp port.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_enable_homedirs" dftval="false">
+<desc>
+<p>
+Allow httpd to read home directories
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_ssi_exec" dftval="false">
+<desc>
+<p>
+Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_tty_comm" dftval="false">
+<desc>
+<p>
+Unify HTTPD to communicate with the terminal.
+Needed for entering the passphrase for certificates at
+the terminal.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_unified" dftval="false">
+<desc>
+<p>
+Unify HTTPD handling of all content files.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_use_cifs" dftval="false">
+<desc>
+<p>
+Allow httpd to access cifs file systems
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_use_gpg" dftval="false">
+<desc>
+<p>
+Allow httpd to run gpg
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_use_nfs" dftval="false">
+<desc>
+<p>
+Allow httpd to access nfs file systems
+</p>
+</desc>
+</tunable>
+</module>
+<module name="apcupsd" filename="policy/modules/contrib/apcupsd.if">
+<summary>APC UPS monitoring daemon</summary>
+<interface name="apcupsd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run apcupsd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apcupsd_initrc_domtrans" lineno="32">
+<summary>
+Execute apcupsd server in the apcupsd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apcupsd_read_pid_files" lineno="50">
+<summary>
+Read apcupsd PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apcupsd_read_log" lineno="70">
+<summary>
+Allow the specified domain to read apcupsd's log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apcupsd_append_log" lineno="91">
+<summary>
+Allow the specified domain to append
+apcupsd log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apcupsd_cgi_script_domtrans" lineno="111">
+<summary>
+Execute a domain transition to run httpd_apcupsd_cgi_script.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apcupsd_admin" lineno="141">
+<summary>
+All of the rules required to administrate
+an apcupsd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the apcupsd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="apm" filename="policy/modules/contrib/apm.if">
+<summary>Advanced power management daemon</summary>
+<interface name="apm_domtrans_client" lineno="13">
+<summary>
+Execute APM in the apm domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apm_use_fds" lineno="32">
+<summary>
+Use file descriptors for apmd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apm_write_pipes" lineno="50">
+<summary>
+Write to apmd unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apm_rw_stream_sockets" lineno="68">
+<summary>
+Read and write to an apm unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apm_append_log" lineno="86">
+<summary>
+Append to apm's log file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apm_stream_connect" lineno="105">
+<summary>
+Connect to apmd over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="apt" filename="policy/modules/contrib/apt.if">
+<summary>APT advanced package tool.</summary>
+<interface name="apt_domtrans" lineno="13">
+<summary>
+Execute apt programs in the apt domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="apt_run" lineno="39">
+<summary>
+Execute apt programs in the apt domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to allow the apt domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="apt_use_fds" lineno="59">
+<summary>
+Inherit and use file descriptors from apt.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_dontaudit_use_fds" lineno="78">
+<summary>
+Do not audit attempts to use file descriptors from apt.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="apt_read_pipes" lineno="96">
+<summary>
+Read from an unnamed apt pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_rw_pipes" lineno="115">
+<summary>
+Read and write an unnamed apt pipe.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_use_ptys" lineno="134">
+<summary>
+Read from and write to apt ptys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_read_cache" lineno="152">
+<summary>
+Read the apt package cache.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_read_db" lineno="173">
+<summary>
+Read the apt package database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_manage_db" lineno="194">
+<summary>
+Create, read, write, and delete the apt package database.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_dontaudit_manage_db" lineno="217">
+<summary>
+Do not audit attempts to create, read,
+write, and delete the apt package database.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+</module>
+<module name="arpwatch" filename="policy/modules/contrib/arpwatch.if">
+<summary>Ethernet activity monitor.</summary>
+<interface name="arpwatch_initrc_domtrans" lineno="13">
+<summary>
+Execute arpwatch server in the arpwatch domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="arpwatch_search_data" lineno="31">
+<summary>
+Search arpwatch's data file directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="arpwatch_manage_data_files" lineno="50">
+<summary>
+Create arpwatch data files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="arpwatch_rw_tmp_files" lineno="69">
+<summary>
+Read and write arpwatch temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="arpwatch_manage_tmp_files" lineno="88">
+<summary>
+Read and write arpwatch temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="arpwatch_dontaudit_rw_packet_sockets" lineno="108">
+<summary>
+Do not audit attempts to read and write
+arpwatch packet sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="arpwatch_admin" lineno="133">
+<summary>
+All of the rules required to administrate
+an arpwatch environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the arpwatch domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="asterisk" filename="policy/modules/contrib/asterisk.if">
+<summary>Asterisk IP telephony server</summary>
+<interface name="asterisk_domtrans" lineno="13">
+<summary>
+Execute asterisk in the asterisk domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="asterisk_stream_connect" lineno="33">
+<summary>
+Connect to asterisk over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="asterisk_admin" lineno="59">
+<summary>
+All of the rules required to administrate
+an asterisk environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the asterisk domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="authbind" filename="policy/modules/contrib/authbind.if">
+<summary>Tool for non-root processes to bind to reserved ports</summary>
+<interface name="authbind_domtrans" lineno="13">
+<summary>
+Use authbind to bind to a reserved port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="automount" filename="policy/modules/contrib/automount.if">
+<summary>Filesystem automounter service.</summary>
+<interface name="automount_domtrans" lineno="13">
+<summary>
+Execute automount in the automount domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="automount_signal" lineno="33">
+<summary>
+Send automount a signal
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="automount_exec_config" lineno="51">
+<summary>
+Execute automount in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="automount_read_state" lineno="66">
+<summary>
+Allow the domain to read state files in /proc.
+</summary>
+<param name="domain">
+<summary>
+Domain to allow access.
+</summary>
+</param>
+</interface>
+<interface name="automount_dontaudit_use_fds" lineno="84">
+<summary>
+Do not audit attempts to file descriptors for automount.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="automount_dontaudit_write_pipes" lineno="102">
+<summary>
+Do not audit attempts to write automount daemon unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="automount_dontaudit_getattr_tmp_dirs" lineno="121">
+<summary>
+Do not audit attempts to get the attributes
+of automount temporary directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="automount_admin" lineno="146">
+<summary>
+All of the rules required to administrate
+an automount environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the automount domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="avahi" filename="policy/modules/contrib/avahi.if">
+<summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
+<interface name="avahi_domtrans" lineno="13">
+<summary>
+Execute avahi server in the avahi domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="avahi_signal" lineno="32">
+<summary>
+Send avahi a signal
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="avahi_kill" lineno="50">
+<summary>
+Send avahi a kill signal.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="avahi_signull" lineno="68">
+<summary>
+Send avahi a signull
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="avahi_dbus_chat" lineno="87">
+<summary>
+Send and receive messages from
+avahi over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="avahi_stream_connect" lineno="107">
+<summary>
+Connect to avahi using a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="avahi_dontaudit_search_pid" lineno="126">
+<summary>
+Do not audit attempts to search the avahi pid directory.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="avahi_admin" lineno="151">
+<summary>
+All of the rules required to administrate
+an avahi environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the avahi domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="awstats" filename="policy/modules/contrib/awstats.if">
+<summary>
+AWStats is a free powerful and featureful tool that generates advanced
+web, streaming, ftp or mail server statistics, graphically.
+</summary>
+<interface name="awstats_rw_pipes" lineno="16">
+<summary>
+Read and write awstats unnamed pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="awstats_cgi_exec" lineno="34">
+<summary>
+Execute awstats cgi scripts in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="backup" filename="policy/modules/contrib/backup.if">
+<summary>System backup scripts</summary>
+<interface name="backup_domtrans" lineno="13">
+<summary>
+Execute backup in the backup domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="backup_run" lineno="38">
+<summary>
+Execute backup in the backup domain, and
+allow the specified role the backup domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="bind" filename="policy/modules/contrib/bind.if">
+<summary>Berkeley internet name domain DNS server.</summary>
+<interface name="bind_initrc_domtrans" lineno="13">
+<summary>
+Execute bind server in the bind domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="bind_domtrans_ndc" lineno="31">
+<summary>
+Execute ndc in the ndc domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="bind_signal" lineno="49">
+<summary>
+Send generic signals to BIND.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_signull" lineno="67">
+<summary>
+Send null sigals to BIND.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_kill" lineno="85">
+<summary>
+Send BIND the kill signal
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_run_ndc" lineno="110">
+<summary>
+Execute ndc in the ndc domain, and
+allow the specified role the ndc domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="bind_domtrans" lineno="129">
+<summary>
+Execute bind in the named domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="bind_read_dnssec_keys" lineno="147">
+<summary>
+Read DNSSEC keys.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_read_config" lineno="165">
+<summary>
+Read BIND named configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_write_config" lineno="183">
+<summary>
+Write BIND named configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_manage_config_dirs" lineno="203">
+<summary>
+Create, read, write, and delete
+BIND configuration directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_search_cache" lineno="221">
+<summary>
+Search the BIND cache directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_manage_cache" lineno="243">
+<summary>
+Create, read, write, and delete
+BIND cache files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_setattr_pid_dirs" lineno="264">
+<summary>
+Set the attributes of the BIND pid directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_setattr_zone_dirs" lineno="282">
+<summary>
+Set the attributes of the BIND zone directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_read_zone" lineno="300">
+<summary>
+Read BIND zone files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_manage_zone" lineno="319">
+<summary>
+Manage BIND zone files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_udp_chat_named" lineno="338">
+<summary>
+Send and receive datagrams to and from named. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bind_admin" lineno="359">
+<summary>
+All of the rules required to administrate
+an bind environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the bind domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="named_write_master_zones" dftval="false">
+<desc>
+<p>
+Allow BIND to write the master zone files.
+Generally this is used for dynamic DNS or zone transfers.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="bitlbee" filename="policy/modules/contrib/bitlbee.if">
+<summary>Bitlbee service</summary>
+<interface name="bitlbee_read_config" lineno="13">
+<summary>
+Read bitlbee configuration files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed accesss.
+</summary>
+</param>
+</interface>
+<interface name="bitlbee_admin" lineno="40">
+<summary>
+All of the rules required to administrate
+an bitlbee environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the bitlbee domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="bluetooth" filename="policy/modules/contrib/bluetooth.if">
+<summary>Bluetooth tools and system services.</summary>
+<interface name="bluetooth_role" lineno="18">
+<summary>
+Role access for bluetooth
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_stream_connect" lineno="51">
+<summary>
+Connect to bluetooth over a unix domain
+stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_domtrans" lineno="71">
+<summary>
+Execute bluetooth in the bluetooth domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_read_config" lineno="89">
+<summary>
+Read bluetooth daemon configuration.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_dbus_chat" lineno="108">
+<summary>
+Send and receive messages from
+bluetooth over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_domtrans_helper" lineno="128">
+<summary>
+Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_run_helper" lineno="154">
+<summary>
+Execute bluetooth_helper in the bluetooth_helper domain, and
+allow the specified role the bluetooth_helper domain. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="terminal">
+<summary>
+The type of the terminal allow the bluetooth_helper domain to use.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="bluetooth_dontaudit_read_helper_state" lineno="168">
+<summary>
+Read bluetooth helper state files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_admin" lineno="194">
+<summary>
+All of the rules required to administrate
+an bluetooth environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the bluetooth domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="brctl" filename="policy/modules/contrib/brctl.if">
+<summary>Utilities for configuring the linux ethernet bridge</summary>
+<interface name="brctl_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run brctl.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+</module>
+<module name="bugzilla" filename="policy/modules/contrib/bugzilla.if">
+<summary>Bugzilla server</summary>
+<interface name="bugzilla_search_content" lineno="14">
+<summary>
+Allow the specified domain to search
+bugzilla directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bugzilla_dontaudit_rw_stream_sockets" lineno="33">
+<summary>
+Do not audit attempts to read and write
+bugzilla script unix domain stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="bugzilla_admin" lineno="58">
+<summary>
+All of the rules required to administrate
+an bugzilla environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the bugzilla domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="calamaris" filename="policy/modules/contrib/calamaris.if">
+<summary>Squid log analysis</summary>
+<interface name="calamaris_read_www_files" lineno="13">
+<summary>
+Allow domain to read calamaris www files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="canna" filename="policy/modules/contrib/canna.if">
+<summary>Canna - kana-kanji conversion server</summary>
+<interface name="canna_stream_connect" lineno="13">
+<summary>
+Connect to Canna using a unix domain stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="canna_admin" lineno="39">
+<summary>
+All of the rules required to administrate
+an canna environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the canna domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="ccs" filename="policy/modules/contrib/ccs.if">
+<summary>Cluster Configuration System</summary>
+<interface name="ccs_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run ccs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ccs_stream_connect" lineno="31">
+<summary>
+Connect to ccs over an unix stream socket.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ccs_read_config" lineno="50">
+<summary>
+Read cluster configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ccs_manage_config" lineno="68">
+<summary>
+Manage cluster configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
+<module name="cdrecord" filename="policy/modules/contrib/cdrecord.if">
+<summary>Policy for cdrecord</summary>
+<interface name="cdrecord_role" lineno="18">
+<summary>
+Role access for cdrecord
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<tunable name="cdrecord_read_content" dftval="false">
+<desc>
+<p>
+Allow cdrecord to read various content.
+nfs, samba, removable devices, user temp
+and untrusted content files
+</p>
+</desc>
+</tunable>
+</module>
+<module name="certmaster" filename="policy/modules/contrib/certmaster.if">
+<summary>Certmaster SSL certificate distribution service</summary>
+<interface name="certmaster_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run certmaster.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="certmaster_exec" lineno="31">
+<summary>
+Execute certmaster in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmaster_read_log" lineno="50">
+<summary>
+read certmaster logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmaster_append_log" lineno="69">
+<summary>
+Append to certmaster logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmaster_manage_log" lineno="89">
+<summary>
+Create, read, write, and delete
+certmaster logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmaster_admin" lineno="116">
+<summary>
+All of the rules required to administrate
+an snort environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the syslog domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="certmonger" filename="policy/modules/contrib/certmonger.if">
+<summary>Certificate status monitor and PKI enrollment client</summary>
+<interface name="certmonger_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run certmonger.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_dbus_chat" lineno="32">
+<summary>
+Send and receive messages from
+certmonger over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_initrc_domtrans" lineno="52">
+<summary>
+Execute certmonger server in the certmonger domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_read_pid_files" lineno="70">
+<summary>
+Read certmonger PID files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_search_lib" lineno="89">
+<summary>
+Search certmonger lib directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_read_lib_files" lineno="108">
+<summary>
+Read certmonger lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_manage_lib_files" lineno="128">
+<summary>
+Create, read, write, and delete
+certmonger lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="certmonger_admin" lineno="154">
+<summary>
+All of the rules required to administrate
+an certmonger environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="certwatch" filename="policy/modules/contrib/certwatch.if">
+<summary>Digital Certificate Tracking</summary>
+<interface name="certwatch_domtrans" lineno="13">
+<summary>
+Domain transition to certwatch.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="certwatch_run" lineno="42">
+<summary>
+Execute certwatch in the certwatch domain, and
+allow the specified role the certwatch domain,
+and use the caller's terminal. Has a sigchld
+backchannel.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="certwatach_run" lineno="75">
+<summary>
+Execute certwatch in the certwatch domain, and
+allow the specified role the certwatch domain,
+and use the caller's terminal. Has a sigchld
+backchannel. (Deprecated)
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="terminal">
+<summary>
+The type of the terminal allow the certwatch domain to use.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="cgroup" filename="policy/modules/contrib/cgroup.if">
+<summary>libcg is a library that abstracts the control group file system in Linux.</summary>
+<interface name="cgroup_domtrans_cgclear" lineno="14">
+<summary>
+Execute a domain transition to run
+CG Clear.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cgroup_domtrans_cgconfig" lineno="34">
+<summary>
+Execute a domain transition to run
+CG config parser.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cgroup_initrc_domtrans_cgconfig" lineno="54">
+<summary>
+Execute a domain transition to run
+CG config parser.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cgroup_domtrans_cgred" lineno="73">
+<summary>
+Execute a domain transition to run
+CG rules engine daemon.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cgroup_initrc_domtrans_cgred" lineno="94">
+<summary>
+Execute a domain transition to run
+CG rules engine daemon.
+domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="cgroup_run_cgclear" lineno="121">
+<summary>
+Execute a domain transition to
+run CG Clear and allow the
+specified role the CG Clear
+domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="cgroup_stream_connect_cgred" lineno="141">
+<summary>
+Connect to CG rules engine daemon
+over unix stream sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cgroup_admin" lineno="167">
+<summary>
+All of the rules required to administrate
+an cgroup environment.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="chronyd" filename="policy/modules/contrib/chronyd.if">
+<summary>Chrony NTP background daemon</summary>
+<interface name="chronyd_domtrans" lineno="13">
+<summary>
+Execute chronyd in the chronyd domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="chronyd_exec" lineno="32">
+<summary>
+Execute chronyd
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="chronyd_read_log" lineno="50">
+<summary>
+Read chronyd logs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="chronyd_admin" lineno="76">
+<summary>
+All of the rules required to administrate
+an chronyd environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the chronyd domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="cipe" filename="policy/modules/contrib/cipe.if">
+<summary>Encrypted tunnel daemon</summary>
+</module>
+<module name="clamav" filename="policy/modules/contrib/clamav.if">
+<summary>ClamAV Virus Scanner</summary>
+<interface name="clamav_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run clamd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="clamav_stream_connect" lineno="31">
+<summary>
+Connect to run clamd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="clamav_append_log" lineno="50">
+<summary>
+Allow the specified domain to append
+to clamav log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="clamav_read_config" lineno="70">
+<summary>
+Read clamav configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="clamav_search_lib" lineno="89">
+<summary>
+Search clamav libraries directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="clamav_domtrans_clamscan" lineno="108">
+<summary>
+Execute a domain transition to run clamscan.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="clamav_exec_clamscan" lineno="126">
+<summary>
+Execute clamscan without a transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="clamav_admin" lineno="151">
+<summary>
+All of the rules required to administrate
+an clamav environment
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the clamav domain.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="clamd_use_jit" dftval="false">
+<desc>
+<p>
+Allow clamd to use JIT compiler
+</p>
+</desc>
+</tunable>
+</module>
+<module name="clockspeed" filename="policy/modules/contrib/clockspeed.if">
+<summary>Clockspeed simple network time protocol client</summary>
+<interface name="clockspeed_domtrans_cli" lineno="13">
+<summary>
+Execute clockspeed utilities in the clockspeed_cli domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="clockspeed_run_cli" lineno="37">
+<summary>
+Allow the specified role the clockspeed_cli domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+</module>
+<module name="clogd" filename="policy/modules/contrib/clogd.if">
+<summary>clogd - Clustered Mirror Log Server</summary>
+<interface name="clogd_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run clogd.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name