[selinux-policy: 70/3172] initial commit

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:11:13 UTC 2010


commit 0fbfa546bdf996641cc75b829b6f93b12ebb84e5
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Apr 29 17:45:15 2005 +0000

    initial commit

 strict/COPYING                                   |  340 ++++++++++
 strict/ChangeLog                                 |  165 +++++
 strict/Makefile                                  |  331 ++++++++++
 strict/README                                    |  125 ++++
 strict/VERSION                                   |    1 +
 strict/appconfig/dbus_contexts                   |    6 +
 strict/appconfig/default_contexts                |   12 +
 strict/appconfig/default_type                    |    3 +
 strict/appconfig/failsafe_context                |    1 +
 strict/appconfig/initrc_context                  |    1 +
 strict/appconfig/media                           |    3 +
 strict/appconfig/removable_context               |    1 +
 strict/appconfig/root_default_contexts           |    9 +
 strict/appconfig/userhelper_context              |    1 +
 strict/assert.te                                 |  162 +++++
 strict/attrib.te                                 |  426 +++++++++++++
 strict/constraints                               |   79 +++
 strict/domains/admin.te                          |   35 +
 strict/domains/misc/auth-net.te                  |    3 +
 strict/domains/misc/fcron.te                     |   30 +
 strict/domains/misc/kernel.te                    |   66 ++
 strict/domains/misc/screensaver.te               |   18 +
 strict/domains/misc/startx.te                    |    7 +
 strict/domains/misc/userspace_objmgr.te          |   13 +
 strict/domains/misc/xclient.te                   |   14 +
 strict/domains/program/acct.te                   |   68 ++
 strict/domains/program/amanda.te                 |  307 +++++++++
 strict/domains/program/anaconda.te               |   47 ++
 strict/domains/program/apache.te                 |  354 +++++++++++
 strict/domains/program/apmd.te                   |  134 ++++
 strict/domains/program/arpwatch.te               |   42 ++
 strict/domains/program/auditd.te                 |   12 +
 strict/domains/program/automount.te              |   69 ++
 strict/domains/program/bluetooth.te              |   42 ++
 strict/domains/program/bootloader.te             |  166 +++++
 strict/domains/program/canna.te                  |   43 ++
 strict/domains/program/cardmgr.te                |   85 +++
 strict/domains/program/cdrecord.te               |   10 +
 strict/domains/program/checkpolicy.te            |   65 ++
 strict/domains/program/chkpwd.te                 |   18 +
 strict/domains/program/chroot.te                 |   21 +
 strict/domains/program/comsat.te                 |   20 +
 strict/domains/program/consoletype.te            |   64 ++
 strict/domains/program/cpucontrol.te             |   17 +
 strict/domains/program/cpuspeed.te               |   17 +
 strict/domains/program/crack.te                  |   48 ++
 strict/domains/program/crond.te                  |  215 +++++++
 strict/domains/program/crontab.te                |   12 +
 strict/domains/program/cups.te                   |  257 ++++++++
 strict/domains/program/cyrus.te                  |   47 ++
 strict/domains/program/dbskkd.te                 |   14 +
 strict/domains/program/dbusd.te                  |   20 +
 strict/domains/program/dhcpc.te                  |  146 +++++
 strict/domains/program/dhcpd.te                  |   82 +++
 strict/domains/program/dictd.te                  |   49 ++
 strict/domains/program/dmesg.te                  |   29 +
 strict/domains/program/dovecot.te                |   55 ++
 strict/domains/program/fetchmail.te              |   28 +
 strict/domains/program/fingerd.te                |   82 +++
 strict/domains/program/firstboot.te              |  131 ++++
 strict/domains/program/fs_daemon.te              |   26 +
 strict/domains/program/fsadm.te                  |  117 ++++
 strict/domains/program/ftpd.te                   |  116 ++++
 strict/domains/program/games.te                  |   17 +
 strict/domains/program/getty.te                  |   60 ++
 strict/domains/program/gnome-pty-helper.te       |   11 +
 strict/domains/program/gpg-agent.te              |   13 +
 strict/domains/program/gpg.te                    |   18 +
 strict/domains/program/gpm.te                    |   45 ++
 strict/domains/program/hald.te                   |   74 +++
 strict/domains/program/hostname.te               |   28 +
 strict/domains/program/hotplug.te                |  163 +++++
 strict/domains/program/howl.te                   |   22 +
 strict/domains/program/hwclock.te                |   49 ++
 strict/domains/program/i18n_input.te             |   29 +
 strict/domains/program/ifconfig.te               |   68 ++
 strict/domains/program/inetd.te                  |   68 ++
 strict/domains/program/init.te                   |  147 +++++
 strict/domains/program/initrc.te                 |  311 +++++++++
 strict/domains/program/innd.te                   |   81 +++
 strict/domains/program/ipsec.te                  |  229 +++++++
 strict/domains/program/iptables.te               |   63 ++
 strict/domains/program/irc.te                    |   12 +
 strict/domains/program/irqbalance.te             |   15 +
 strict/domains/program/java.te                   |   14 +
 strict/domains/program/kerberos.te               |   91 +++
 strict/domains/program/klogd.te                  |   45 ++
 strict/domains/program/ktalkd.te                 |   14 +
 strict/domains/program/kudzu.te                  |  102 +++
 strict/domains/program/ldconfig.te               |   51 ++
 strict/domains/program/load_policy.te            |   61 ++
 strict/domains/program/loadkeys.te               |   45 ++
 strict/domains/program/lockdev.te                |   11 +
 strict/domains/program/login.te                  |  227 +++++++
 strict/domains/program/logrotate.te              |  145 +++++
 strict/domains/program/lpd.te                    |  161 +++++
 strict/domains/program/lpr.te                    |   12 +
 strict/domains/program/lvm.te                    |  124 ++++
 strict/domains/program/mailman.te                |  110 ++++
 strict/domains/program/mdadm.te                  |   43 ++
 strict/domains/program/modutil.te                |  232 +++++++
 strict/domains/program/mount.te                  |  110 ++++
 strict/domains/program/mozilla.te                |   18 +
 strict/domains/program/mplayer.te                |   15 +
 strict/domains/program/mrtg.te                   |   98 +++
 strict/domains/program/mta.te                    |   84 +++
 strict/domains/program/mysqld.te                 |   92 +++
 strict/domains/program/named.te                  |  157 +++++
 strict/domains/program/netutils.te               |   60 ++
 strict/domains/program/newrole.te                |   19 +
 strict/domains/program/nscd.te                   |   74 +++
 strict/domains/program/ntpd.te                   |   86 +++
 strict/domains/program/pam.te                    |   40 ++
 strict/domains/program/pamconsole.te             |   44 ++
 strict/domains/program/passwd.te                 |  150 +++++
 strict/domains/program/ping.te                   |   59 ++
 strict/domains/program/portmap.te                |   70 ++
 strict/domains/program/postfix.te                |  349 ++++++++++
 strict/domains/program/postgresql.te             |  134 ++++
 strict/domains/program/pppd.te                   |   99 +++
 strict/domains/program/prelink.te                |   55 ++
 strict/domains/program/privoxy.te                |   25 +
 strict/domains/program/procmail.te               |   78 +++
 strict/domains/program/quota.te                  |   59 ++
 strict/domains/program/radius.te                 |   69 ++
 strict/domains/program/radvd.te                  |   29 +
 strict/domains/program/restorecon.te             |   63 ++
 strict/domains/program/rhgb.te                   |  101 +++
 strict/domains/program/rlogind.te                |   37 ++
 strict/domains/program/rpcd.te                   |  141 ++++
 strict/domains/program/rpm.te                    |  255 ++++++++
 strict/domains/program/rshd.te                   |   69 ++
 strict/domains/program/rsync.te                  |   19 +
 strict/domains/program/samba.te                  |  182 ++++++
 strict/domains/program/saslauthd.te              |   23 +
 strict/domains/program/screen.te                 |   13 +
 strict/domains/program/sendmail.te               |  111 ++++
 strict/domains/program/setfiles.te               |   62 ++
 strict/domains/program/slapd.te                  |   61 ++
 strict/domains/program/slocate.te                |   76 +++
 strict/domains/program/slrnpull.te               |   24 +
 strict/domains/program/snmpd.te                  |   80 +++
 strict/domains/program/sound.te                  |   26 +
 strict/domains/program/spamassassin.te           |   11 +
 strict/domains/program/spamc.te                  |   10 +
 strict/domains/program/spamd.te                  |   72 +++
 strict/domains/program/squid.te                  |   76 +++
 strict/domains/program/ssh-agent.te              |   13 +
 strict/domains/program/ssh.te                    |  228 +++++++
 strict/domains/program/stunnel.te                |   33 +
 strict/domains/program/su.te                     |   14 +
 strict/domains/program/sudo.te                   |   11 +
 strict/domains/program/sulogin.te                |   56 ++
 strict/domains/program/swat.te                   |   14 +
 strict/domains/program/syslogd.te                |  107 ++++
 strict/domains/program/sysstat.te                |   66 ++
 strict/domains/program/tcpd.te                   |   43 ++
 strict/domains/program/telnetd.te                |   10 +
 strict/domains/program/tftpd.te                  |   43 ++
 strict/domains/program/timidity.te               |   34 +
 strict/domains/program/tmpreaper.te              |   33 +
 strict/domains/program/traceroute.te             |   65 ++
 strict/domains/program/tvtime.te                 |   12 +
 strict/domains/program/udev.te                   |  141 ++++
 strict/domains/program/uml.te                    |   14 +
 strict/domains/program/unconfined.te             |   15 +
 strict/domains/program/unused/amavis.te          |   85 +++
 strict/domains/program/unused/asterisk.te        |   58 ++
 strict/domains/program/unused/audio-entropyd.te  |   12 +
 strict/domains/program/unused/authbind.te        |   30 +
 strict/domains/program/unused/backup.te          |   59 ++
 strict/domains/program/unused/calamaris.te       |   72 +++
 strict/domains/program/unused/ciped.te           |   32 +
 strict/domains/program/unused/clamav.te          |   88 +++
 strict/domains/program/unused/courier.te         |  140 ++++
 strict/domains/program/unused/dante.te           |   20 +
 strict/domains/program/unused/ddclient.te        |   41 ++
 strict/domains/program/unused/devfsd.te          |   93 +++
 strict/domains/program/unused/distcc.te          |   35 +
 strict/domains/program/unused/dnsmasq.te         |   38 ++
 strict/domains/program/unused/dpkg.te            |  413 ++++++++++++
 strict/domains/program/unused/gatekeeper.te      |   53 ++
 strict/domains/program/unused/gift.te            |    9 +
 strict/domains/program/unused/imazesrv.te        |   30 +
 strict/domains/program/unused/ircd.te            |   45 ++
 strict/domains/program/unused/jabberd.te         |   32 +
 strict/domains/program/unused/lcd.te             |   35 +
 strict/domains/program/unused/lrrd.te            |   70 ++
 strict/domains/program/unused/monopd.te          |   30 +
 strict/domains/program/unused/nagios.te          |   91 +++
 strict/domains/program/unused/nessusd.te         |   55 ++
 strict/domains/program/unused/nrpe.te            |   40 ++
 strict/domains/program/unused/nsd.te             |  101 +++
 strict/domains/program/unused/oav-update.te      |   38 ++
 strict/domains/program/unused/openca-ca.te       |  134 ++++
 strict/domains/program/unused/openvpn.te         |   41 ++
 strict/domains/program/unused/perdition.te       |   30 +
 strict/domains/program/unused/portslave.te       |   85 +++
 strict/domains/program/unused/postgrey.te        |   32 +
 strict/domains/program/unused/pxe.te             |   22 +
 strict/domains/program/unused/qmail.te           |  198 ++++++
 strict/domains/program/unused/resmgrd.te         |   25 +
 strict/domains/program/unused/rssh.te            |   13 +
 strict/domains/program/unused/scannerdaemon.te   |   58 ++
 strict/domains/program/unused/seuser.te          |  148 +++++
 strict/domains/program/unused/snort.te           |   33 +
 strict/domains/program/unused/sound-server.te    |   43 ++
 strict/domains/program/unused/speedmgmt.te       |   26 +
 strict/domains/program/unused/sxid.te            |   61 ++
 strict/domains/program/unused/tinydns.te         |   58 ++
 strict/domains/program/unused/transproxy.te      |   38 ++
 strict/domains/program/unused/uml_net.te         |   30 +
 strict/domains/program/unused/uptimed.te         |   36 +
 strict/domains/program/unused/uwimapd.te         |   46 ++
 strict/domains/program/unused/watchdog.te        |   52 ++
 strict/domains/program/unused/xprint.te          |   50 ++
 strict/domains/program/updfstab.te               |   74 +++
 strict/domains/program/usbmodules.te             |   35 +
 strict/domains/program/useradd.te                |  100 +++
 strict/domains/program/userhelper.te             |   22 +
 strict/domains/program/usernetctl.te             |   64 ++
 strict/domains/program/utempter.te               |   52 ++
 strict/domains/program/vmware.te                 |   52 ++
 strict/domains/program/vpnc.te                   |   41 ++
 strict/domains/program/webalizer.te              |   48 ++
 strict/domains/program/winbind.te                |   33 +
 strict/domains/program/xauth.te                  |   15 +
 strict/domains/program/xdm.te                    |  344 ++++++++++
 strict/domains/program/xfs.te                    |   50 ++
 strict/domains/program/xserver.te                |   21 +
 strict/domains/program/ypbind.te                 |   43 ++
 strict/domains/program/ypserv.te                 |   41 ++
 strict/domains/program/zebra.te                  |   33 +
 strict/domains/user.te                           |  132 ++++
 strict/file_contexts/distros.fc                  |  153 +++++
 strict/file_contexts/homedir_template            |   32 +
 strict/file_contexts/program/acct.fc             |    5 +
 strict/file_contexts/program/amanda.fc           |   70 ++
 strict/file_contexts/program/amavis.fc           |    6 +
 strict/file_contexts/program/anaconda.fc         |    5 +
 strict/file_contexts/program/apache.fc           |   46 ++
 strict/file_contexts/program/apmd.fc             |   11 +
 strict/file_contexts/program/arpwatch.fc         |    4 +
 strict/file_contexts/program/asterisk.fc         |    7 +
 strict/file_contexts/program/audio-entropyd.fc   |    1 +
 strict/file_contexts/program/auditd.fc           |    3 +
 strict/file_contexts/program/authbind.fc         |    3 +
 strict/file_contexts/program/automount.fc        |    5 +
 strict/file_contexts/program/backup.fc           |    6 +
 strict/file_contexts/program/bluetooth.fc        |    7 +
 strict/file_contexts/program/bootloader.fc       |   11 +
 strict/file_contexts/program/calamaris.fc        |    4 +
 strict/file_contexts/program/canna.fc            |   12 +
 strict/file_contexts/program/cardmgr.fc          |    7 +
 strict/file_contexts/program/cdrecord.fc         |    3 +
 strict/file_contexts/program/checkpolicy.fc      |    2 +
 strict/file_contexts/program/chkpwd.fc           |    6 +
 strict/file_contexts/program/chroot.fc           |    1 +
 strict/file_contexts/program/ciped.fc            |    3 +
 strict/file_contexts/program/clamav.fc           |   12 +
 strict/file_contexts/program/comsat.fc           |    2 +
 strict/file_contexts/program/consoletype.fc      |    2 +
 strict/file_contexts/program/courier.fc          |   18 +
 strict/file_contexts/program/cpucontrol.fc       |    3 +
 strict/file_contexts/program/cpuspeed.fc         |    3 +
 strict/file_contexts/program/crack.fc            |    4 +
 strict/file_contexts/program/crond.fc            |   29 +
 strict/file_contexts/program/crontab.fc          |    3 +
 strict/file_contexts/program/cups.fc             |   36 +
 strict/file_contexts/program/cyrus.fc            |    4 +
 strict/file_contexts/program/dante.fc            |    4 +
 strict/file_contexts/program/dbskkd.fc           |    2 +
 strict/file_contexts/program/dbusd.fc            |    3 +
 strict/file_contexts/program/ddclient.fc         |   11 +
 strict/file_contexts/program/devfsd.fc           |    4 +
 strict/file_contexts/program/dhcpc.fc            |   16 +
 strict/file_contexts/program/dhcpd.fc            |   33 +
 strict/file_contexts/program/dictd.fc            |    4 +
 strict/file_contexts/program/distcc.fc           |    2 +
 strict/file_contexts/program/dmesg.fc            |    2 +
 strict/file_contexts/program/dnsmasq.fc          |    4 +
 strict/file_contexts/program/dovecot.fc          |   12 +
 strict/file_contexts/program/dpkg.fc             |   50 ++
 strict/file_contexts/program/fetchmail.fc        |    5 +
 strict/file_contexts/program/fingerd.fc          |    6 +
 strict/file_contexts/program/firstboot.fc        |    4 +
 strict/file_contexts/program/fs_daemon.fc        |    4 +
 strict/file_contexts/program/fsadm.fc            |   36 +
 strict/file_contexts/program/ftpd.fc             |   15 +
 strict/file_contexts/program/games.fc            |   56 ++
 strict/file_contexts/program/gatekeeper.fc       |    7 +
 strict/file_contexts/program/getty.fc            |    3 +
 strict/file_contexts/program/gift.fc             |    5 +
 strict/file_contexts/program/gnome-pty-helper.fc |    3 +
 strict/file_contexts/program/gpg-agent.fc        |    3 +
 strict/file_contexts/program/gpg.fc              |    5 +
 strict/file_contexts/program/gpm.fc              |    5 +
 strict/file_contexts/program/hald.fc             |    6 +
 strict/file_contexts/program/hostname.fc         |    1 +
 strict/file_contexts/program/hotplug.fc          |   13 +
 strict/file_contexts/program/howl.fc             |    3 +
 strict/file_contexts/program/hwclock.fc          |    3 +
 strict/file_contexts/program/i18n_input.fc       |    7 +
 strict/file_contexts/program/ifconfig.fc         |   12 +
 strict/file_contexts/program/imazesrv.fc         |    4 +
 strict/file_contexts/program/inetd.fc            |    8 +
 strict/file_contexts/program/init.fc             |    3 +
 strict/file_contexts/program/initrc.fc           |   39 ++
 strict/file_contexts/program/innd.fc             |   49 ++
 strict/file_contexts/program/ipsec.fc            |   31 +
 strict/file_contexts/program/iptables.fc         |    8 +
 strict/file_contexts/program/irc.fc              |    5 +
 strict/file_contexts/program/ircd.fc             |    6 +
 strict/file_contexts/program/irqbalance.fc       |    2 +
 strict/file_contexts/program/jabberd.fc          |    4 +
 strict/file_contexts/program/java.fc             |    2 +
 strict/file_contexts/program/kerberos.fc         |   11 +
 strict/file_contexts/program/klogd.fc            |    4 +
 strict/file_contexts/program/ktalkd.fc           |    2 +
 strict/file_contexts/program/kudzu.fc            |    3 +
 strict/file_contexts/program/lcd.fc              |    2 +
 strict/file_contexts/program/ldconfig.fc         |    1 +
 strict/file_contexts/program/load_policy.fc      |    3 +
 strict/file_contexts/program/loadkeys.fc         |    3 +
 strict/file_contexts/program/lockdev.fc          |    2 +
 strict/file_contexts/program/login.fc            |    3 +
 strict/file_contexts/program/logrotate.fc        |   13 +
 strict/file_contexts/program/lpd.fc              |    8 +
 strict/file_contexts/program/lpr.fc              |    4 +
 strict/file_contexts/program/lrrd.fc             |   10 +
 strict/file_contexts/program/lvm.fc              |   67 ++
 strict/file_contexts/program/mailman.fc          |   24 +
 strict/file_contexts/program/mdadm.fc            |    4 +
 strict/file_contexts/program/modutil.fc          |   14 +
 strict/file_contexts/program/monopd.fc           |    4 +
 strict/file_contexts/program/mount.fc            |    3 +
 strict/file_contexts/program/mozilla.fc          |   25 +
 strict/file_contexts/program/mplayer.fc          |    6 +
 strict/file_contexts/program/mrtg.fc             |    7 +
 strict/file_contexts/program/mta.fc              |   12 +
 strict/file_contexts/program/mysqld.fc           |   12 +
 strict/file_contexts/program/nagios.fc           |   15 +
 strict/file_contexts/program/named.fc            |   46 ++
 strict/file_contexts/program/nessusd.fc          |    6 +
 strict/file_contexts/program/netutils.fc         |    4 +
 strict/file_contexts/program/newrole.fc          |    2 +
 strict/file_contexts/program/nrpe.fc             |    7 +
 strict/file_contexts/program/nscd.fc             |    6 +
 strict/file_contexts/program/nsd.fc              |   12 +
 strict/file_contexts/program/ntpd.fc             |   12 +
 strict/file_contexts/program/oav-update.fc       |    4 +
 strict/file_contexts/program/openca-ca.fc        |    8 +
 strict/file_contexts/program/openca-common.fc    |    7 +
 strict/file_contexts/program/openvpn.fc          |    4 +
 strict/file_contexts/program/pam.fc              |    3 +
 strict/file_contexts/program/pamconsole.fc       |    3 +
 strict/file_contexts/program/passwd.fc           |   13 +
 strict/file_contexts/program/perdition.fc        |    3 +
 strict/file_contexts/program/ping.fc             |    3 +
 strict/file_contexts/program/portmap.fc          |    9 +
 strict/file_contexts/program/portslave.fc        |    5 +
 strict/file_contexts/program/postfix.fc          |   45 ++
 strict/file_contexts/program/postgresql.fc       |   16 +
 strict/file_contexts/program/postgrey.fc         |    5 +
 strict/file_contexts/program/pppd.fc             |   20 +
 strict/file_contexts/program/prelink.fc          |    8 +
 strict/file_contexts/program/privoxy.fc          |    3 +
 strict/file_contexts/program/procmail.fc         |    2 +
 strict/file_contexts/program/pxe.fc              |    5 +
 strict/file_contexts/program/qmail.fc            |   38 ++
 strict/file_contexts/program/quota.fc            |   10 +
 strict/file_contexts/program/radius.fc           |   15 +
 strict/file_contexts/program/radvd.fc            |    4 +
 strict/file_contexts/program/resmgrd.fc          |    6 +
 strict/file_contexts/program/restorecon.fc       |    2 +
 strict/file_contexts/program/rhgb.fc             |    2 +
 strict/file_contexts/program/rlogind.fc          |    4 +
 strict/file_contexts/program/rpcd.fc             |   11 +
 strict/file_contexts/program/rpm.fc              |   25 +
 strict/file_contexts/program/rshd.fc             |    3 +
 strict/file_contexts/program/rssh.fc             |    2 +
 strict/file_contexts/program/rsync.fc            |    2 +
 strict/file_contexts/program/samba.fc            |   25 +
 strict/file_contexts/program/saslauthd.fc        |    3 +
 strict/file_contexts/program/scannerdaemon.fc    |    4 +
 strict/file_contexts/program/screen.fc           |    5 +
 strict/file_contexts/program/sendmail.fc         |    6 +
 strict/file_contexts/program/setfiles.fc         |    3 +
 strict/file_contexts/program/seuser.fc           |    4 +
 strict/file_contexts/program/slapd.fc            |    7 +
 strict/file_contexts/program/slocate.fc          |    4 +
 strict/file_contexts/program/slrnpull.fc         |    3 +
 strict/file_contexts/program/snmpd.fc            |   10 +
 strict/file_contexts/program/snort.fc            |    4 +
 strict/file_contexts/program/sound-server.fc     |    8 +
 strict/file_contexts/program/sound.fc            |    3 +
 strict/file_contexts/program/spamassassin.fc     |    3 +
 strict/file_contexts/program/spamc.fc            |    1 +
 strict/file_contexts/program/spamd.fc            |    3 +
 strict/file_contexts/program/speedmgmt.fc        |    2 +
 strict/file_contexts/program/squid.fc            |    8 +
 strict/file_contexts/program/ssh-agent.fc        |    2 +
 strict/file_contexts/program/ssh.fc              |   20 +
 strict/file_contexts/program/stunnel.fc          |    3 +
 strict/file_contexts/program/su.fc               |    2 +
 strict/file_contexts/program/sudo.fc             |    2 +
 strict/file_contexts/program/sulogin.fc          |    2 +
 strict/file_contexts/program/swat.fc             |    2 +
 strict/file_contexts/program/sxid.fc             |    6 +
 strict/file_contexts/program/syslogd.fc          |   11 +
 strict/file_contexts/program/sysstat.fc          |    7 +
 strict/file_contexts/program/tcpd.fc             |    2 +
 strict/file_contexts/program/telnetd.fc          |    3 +
 strict/file_contexts/program/tftpd.fc            |    4 +
 strict/file_contexts/program/timidity.fc         |    2 +
 strict/file_contexts/program/tinydns.fc          |    6 +
 strict/file_contexts/program/tmpreaper.fc        |    3 +
 strict/file_contexts/program/traceroute.fc       |    5 +
 strict/file_contexts/program/transproxy.fc       |    3 +
 strict/file_contexts/program/tvtime.fc           |    3 +
 strict/file_contexts/program/udev.fc             |   13 +
 strict/file_contexts/program/uml.fc              |    4 +
 strict/file_contexts/program/uml_net.fc          |    3 +
 strict/file_contexts/program/unconfined.fc       |    3 +
 strict/file_contexts/program/updfstab.fc         |    3 +
 strict/file_contexts/program/uptimed.fc          |    4 +
 strict/file_contexts/program/usbmodules.fc       |    3 +
 strict/file_contexts/program/useradd.fc          |   10 +
 strict/file_contexts/program/userhelper.fc       |    2 +
 strict/file_contexts/program/usernetctl.fc       |    2 +
 strict/file_contexts/program/utempter.fc         |    2 +
 strict/file_contexts/program/uwimapd.fc          |    2 +
 strict/file_contexts/program/vmware.fc           |   42 ++
 strict/file_contexts/program/vpnc.fc             |    3 +
 strict/file_contexts/program/watchdog.fc         |    5 +
 strict/file_contexts/program/webalizer.fc        |    1 +
 strict/file_contexts/program/winbind.fc          |   10 +
 strict/file_contexts/program/xauth.fc            |    3 +
 strict/file_contexts/program/xdm.fc              |   39 ++
 strict/file_contexts/program/xfs.fc              |    5 +
 strict/file_contexts/program/xprint.fc           |    1 +
 strict/file_contexts/program/xserver.fc          |   17 +
 strict/file_contexts/program/ypbind.fc           |    2 +
 strict/file_contexts/program/ypserv.fc           |    3 +
 strict/file_contexts/program/zebra.fc            |   13 +
 strict/file_contexts/types.fc                    |  480 ++++++++++++++
 strict/flask/Makefile                            |   41 ++
 strict/flask/access_vectors                      |  599 +++++++++++++++++
 strict/flask/initial_sids                        |   35 +
 strict/flask/mkaccess_vector.sh                  |  227 +++++++
 strict/flask/mkflask.sh                          |   95 +++
 strict/flask/security_classes                    |   83 +++
 strict/fs_use                                    |   31 +
 strict/genfs_contexts                            |  105 +++
 strict/initial_sid_contexts                      |   46 ++
 strict/local.users                               |   21 +
 strict/macros/admin_macros.te                    |  207 ++++++
 strict/macros/base_user_macros.te                |  378 +++++++++++
 strict/macros/core_macros.te                     |  696 ++++++++++++++++++++
 strict/macros/global_macros.te                   |  739 +++++++++++++++++++++
 strict/macros/mini_user_macros.te                |   57 ++
 strict/macros/network_macros.te                  |  168 +++++
 strict/macros/program/apache_macros.te           |  197 ++++++
 strict/macros/program/cdrecord_macros.te         |   54 ++
 strict/macros/program/chkpwd_macros.te           |   79 +++
 strict/macros/program/chroot_macros.te           |  130 ++++
 strict/macros/program/clamav_macros.te           |   57 ++
 strict/macros/program/crond_macros.te            |  125 ++++
 strict/macros/program/crontab_macros.te          |   99 +++
 strict/macros/program/dbusd_macros.te            |   88 +++
 strict/macros/program/fingerd_macros.te          |   15 +
 strict/macros/program/games_domain.te            |   58 ++
 strict/macros/program/gift_macros.te             |  113 ++++
 strict/macros/program/gpg_agent_macros.te        |  127 ++++
 strict/macros/program/gpg_macros.te              |  144 +++++
 strict/macros/program/gph_macros.te              |   85 +++
 strict/macros/program/inetd_macros.te            |   98 +++
 strict/macros/program/irc_macros.te              |   83 +++
 strict/macros/program/java_macros.te             |  113 ++++
 strict/macros/program/kerberos_macros.te         |   10 +
 strict/macros/program/lockdev_macros.te          |   46 ++
 strict/macros/program/login_macros.te            |   11 +
 strict/macros/program/lpr_macros.te              |  134 ++++
 strict/macros/program/mount_macros.te            |   90 +++
 strict/macros/program/mozilla_macros.te          |  137 ++++
 strict/macros/program/mplayer_macros.te          |  125 ++++
 strict/macros/program/mta_macros.te              |  120 ++++
 strict/macros/program/newrole_macros.te          |   96 +++
 strict/macros/program/resmgrd_macros.te          |   11 +
 strict/macros/program/rhgb_macros.te             |    8 +
 strict/macros/program/rssh_macros.te             |   58 ++
 strict/macros/program/run_program_macros.te      |   73 +++
 strict/macros/program/samba_macros.te            |   30 +
 strict/macros/program/screen_macros.te           |  112 ++++
 strict/macros/program/sendmail_macros.te         |   56 ++
 strict/macros/program/slocate_macros.te          |   64 ++
 strict/macros/program/spamassassin_macros.te     |  122 ++++
 strict/macros/program/ssh_agent_macros.te        |  117 ++++
 strict/macros/program/ssh_macros.te              |  171 +++++
 strict/macros/program/su_macros.te               |  169 +++++
 strict/macros/program/sudo_macros.te             |   34 +
 strict/macros/program/tvtime_macros.te           |   43 ++
 strict/macros/program/uml_macros.te              |  136 ++++
 strict/macros/program/userhelper_macros.te       |  144 +++++
 strict/macros/program/vmware_macros.te           |  133 ++++
 strict/macros/program/x_client_macros.te         |  161 +++++
 strict/macros/program/xauth_macros.te            |   82 +++
 strict/macros/program/xserver_macros.te          |  272 ++++++++
 strict/macros/program/ypbind_macros.te           |   18 +
 strict/macros/user_macros.te                     |  225 +++++++
 strict/mls                                       |  742 ++++++++++++++++++++++
 strict/net_contexts                              |  262 ++++++++
 strict/rbac                                      |   33 +
 strict/tunables/distro.tun                       |   14 +
 strict/tunables/tunable.tun                      |   31 +
 strict/types/device.te                           |  156 +++++
 strict/types/devpts.te                           |   21 +
 strict/types/file.te                             |  321 ++++++++++
 strict/types/network.te                          |  122 ++++
 strict/types/nfs.te                              |   22 +
 strict/types/procfs.te                           |   50 ++
 strict/types/security.te                         |   54 ++
 strict/types/x.te                                |   32 +
 strict/users                                     |   50 ++
 524 files changed, 29445 insertions(+), 0 deletions(-)
---
diff --git a/strict/COPYING b/strict/COPYING
new file mode 100644
index 0000000..5b6e7c6
--- /dev/null
+++ b/strict/COPYING
@@ -0,0 +1,340 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/strict/ChangeLog b/strict/ChangeLog
new file mode 100644
index 0000000..0e38453
--- /dev/null
+++ b/strict/ChangeLog
@@ -0,0 +1,165 @@
+1.23.2 2005-03-14
+	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan Gyurdiev's 
+	gift policy.
+	* Made sysadm_r the first role for root, so root's home will be labled 
+	as sysadm_home_dir_t instead of staff_home_dir_t.
+	* Modified fs_use and Makefile to reflect jfs now supporting security 
+	xattrs.
+
+1.23.1 2005-03-10
+	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan
+	Gyurdiev's cleanup of homedir macros and more extensive use of
+	read_sysctl()
+
+1.22 2005-03-09
+	* Updated version for release.
+
+1.21 2005-02-24
+	* Added secure_file_type attribute from Dan Walsh
+	* Added access_terminal() macro from Ivan Gyurdiev
+	* Updated capability access vector for audit capabilities.
+	* Added mlsconvert Makefile target to help generate MLS policies
+	  (see selinux-doc/README.MLS for instructions).
+	* Changed policy Makefile to still generate policy.18 as well,
+	  and use it for make load if the kernel doesn't support 19.
+	* Merged enhanced MLS support from Darrel Goeddel (TCS).
+	* Merged diffs from Dan Walsh, Russell Coker, and Greg Norris.
+	* Merged man pages from Dan Walsh.
+	
+1.20 2005-01-04
+	* Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and
+	Petre Rodan.
+	* Merged can_create() macro used for file_type_{,auto_}trans()
+	from Thomas Bleher.
+	* Merged dante and stunnel policy by Petre Rodan.
+	* Merged $1_file_type attribute from Thomas Bleher.
+	* Merged network_macros from Dan Walsh.
+
+1.18 2004-10-25
+	* Merged diffs from Russell Coker and Dan Walsh.
+	* Merged mkflask and mkaccess_vector patches from Ulrich Drepper.
+	* Added reserved_port_t type and portcon entries to map all other
+	  reserved ports to this type.
+	* Added distro_ prefix to distro tunables to avoid conflicts.
+	* Merged diffs from Russell Coker.
+
+1.16 2004-08-16
+	* Added nscd definitions.
+	* Converted many tunables to policy booleans.
+	* Added crontab permission.
+	* Merged diffs from Dan Walsh.
+	  This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well.
+	* Merged diffs from Russell Coker.
+	* Adjusted constraints for crond restart.
+	* Merged dbus/userspace object manager policy from Colin Walters.
+	* Merged dbus definitions from Matthew Rickard.
+	* Merged dnsmasq policy from Greg Norris.
+	* Merged gpg-agent policy from Thomas Bleher.
+
+1.14 2004-06-28
+	* Removed vmware-config.pl from vmware.fc.
+	* Added crond entry to root_default_contexts.
+	* Merged patch from Dan Walsh.
+	* Merged mdadm and postfix changes from Colin Walters.
+	* Merged reiserfs and rpm changes from Russell Coker.
+	* Merged runaway .* glob fix from Valdis Kletnieks.
+	* Merged diff from Dan Walsh.
+	* Merged fine-grained netlink classes and permissions.
+	* Merged changes for new /etc/selinux layout. 
+	* Changed mkaccess_vector.sh to provide stable order.
+	* Merged diff from Dan Walsh.
+	* Fix restorecon path in restorecon.fc.
+	* Merged pax class and access vector definition from Joshua Brindle.
+
+1.12 2004-05-12
+	* Added targeted policy.
+	* Merged atd/at into crond/crontab domains.
+	* Exclude bind mounts from relabeling to avoid aliasing.
+	* Removed some obsolete types and remapped their initial SIDs to unlabeled.
+	* Added SE-X related security classes and policy framework.
+	* Added devnull initial SID and context.
+	* Merged diffs from Fedora policy.
+
+1.10 2004-04-07
+	* Merged ipv6 support from James Morris of RedHat.
+	* Merged policy diffs from Dan Walsh.
+	* Updated call to genhomedircon to reflect new usage.
+	* Merged policy diffs from Dan Walsh and Russell Coker.
+	* Removed config-users and config-services per Dan's request.
+
+1.8 2004-03-09
+	* Merged genhomedircon patch from Karl MacMillan of Tresys.
+	* Added restorecon domain.
+	* Added unconfined_domain macro.
+	* Added default_t for /.* file_contexts entry and replaced some
+	  uses of file_t with default_t in the policy. 
+	* Added su_restricted_domain() macro and use it for initrc_t.
+	* Merged policy diffs from Dan Walsh and Russell Coker.
+	  These included a merge of an earlier patch by Chris PeBenito
+	  to rename the etc types to be consistent with other types.
+
+1.6 2004-02-18
+	* Merged xfs support from Chris PeBenito.
+	* Merged conditional rules for ping.te.
+	* Defined setbool permission, added can_setbool macro.
+	* Partial network policy cleanup.
+	* Merged with Russell Coker's policy.
+	* Renamed netscape macro and domain to mozilla  and renamed
+	  ipchains domain to iptables for consistency with Russell.
+	* Merged rhgb macro and domain from Russell Coker.
+	* Merged tunable.te from Russell Coker. 
+          Only define direct_sysadm_daemon by default in our copy.  
+	* Added rootok permission to passwd class.
+	* Merged Makefile change from Dan Walsh to generate /home 
+	  file_contexts entries for staff users.
+	* Added automatic role and domain transitions for init scripts and
+	  daemons.  Added an optional third argument (nosysadm) to 
+	  daemon_domain to omit the direct transition from sysadm_r when
+	  the same executable is also used as an application, in which
+	  case the daemon must be restarted via the init script to obtain
+	  the proper security context.  Added system_r to the authorized roles
+	  for admin users at least until support for automatic user identity
+	  transitions exist so that a transition to system_u can be provided
+	  transparently.
+	* Added support to su domain for using pam_selinux. 
+	  Added entries to default_contexts for the su domains to 
+	  provide reasonable defaults.  Removed user_su_t.
+	* Tighten restriction on user identity and role transitions in constraints.
+	* Merged macro for newrole-like domains from Russell Coker.
+	* Merged stub dbusd domain from Russell Coker.
+	* Merged stub prelink domain from Dan Walsh.
+	* Merged updated userhelper and config tool domains from Dan Walsh.
+	* Added send_msg/recv_msg permissions to can_network macro.
+	* Merged patch by Chris PeBenito for sshd subsystems.
+	* Merged patch by Chris PeBenito for passing class to var_run_domain.
+	* Merged patch by Yuichi Nakamura for append_log_domain macros.
+	* Merged patch by Chris PeBenito for rpc_pipefs labeling.
+	* Merged patch by Colin Walters to apply m4 once so that
+	  source file info is preserved for checkpolicy.
+
+1.4 2003-12-01
+        * Merged patches from Russell Coker.
+	* Revised networking permissions.
+	* Added new node_bind permission. 
+	* Added new siginh, rlimitinh, and setrlimit permissions.
+	* Added proc_t:file read permission for new is_selinux_enabled logic.
+	* Added failsafe_context configuration file to appconfig.
+	* Moved newrules.pl to policycoreutils, renamed to audit2allow.
+	* Merged newrules.pl patch from Yuichi Nakamura.
+
+1.2 2003-09-30
+	* More policy merging with Russell Coker.
+	* Transferred newrules.pl script from the old SELinux. 
+	* Merged MLS configuration patch from Karl MacMillan of Tresys.
+	* Limit staff_t to reading /proc entries for unpriv_userdomain.
+        * Updated Makefile and spec file to allow non-root builds,
+	  based on patch by Paul Nasrat.
+
+1.1 2003-08-13
+        * Merged Makefile check-all and te-includes patches from Colin Walters.
+        * Merged x-debian-packages.patch from Colin Walters.
+	* Folded read permission into domain_trans.
+
+1.0 2003-07-11
+	* Initial public release.
+
diff --git a/strict/Makefile b/strict/Makefile
new file mode 100644
index 0000000..5a70bc7
--- /dev/null
+++ b/strict/Makefile
@@ -0,0 +1,331 @@
+#
+# Makefile for the security policy.
+#
+# Targets:
+# 
+# install - compile and install the policy configuration, and context files.
+# load    - compile, install, and load the policy configuration.
+# reload  - compile, install, and load/reload the policy configuration.
+# relabel - relabel filesystems based on the file contexts configuration.
+# policy  - compile the policy configuration locally for testing/development.
+#
+# The default target is 'install'.
+#
+
+# Set to y if MLS is enabled in the policy.
+MLS=n
+
+FLASKDIR = flask/
+PREFIX = /usr
+BINDIR = $(PREFIX)/bin
+SBINDIR = $(PREFIX)/sbin
+LOADPOLICY  = $(SBINDIR)/load_policy
+CHECKPOLICY = $(BINDIR)/checkpolicy
+GENHOMEDIRCON = $(SBINDIR)/genhomedircon
+SETFILES = $(SBINDIR)/setfiles
+VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
+KERNVERS := $(shell cat /selinux/policyvers)
+POLICYVER := policy.$(VERS)
+TOPDIR = $(DESTDIR)/etc/selinux
+ifeq ($(MLS),y)
+TYPE=mls
+else
+TYPE=strict
+endif
+INSTALLDIR = $(TOPDIR)/$(TYPE)
+POLICYPATH = $(INSTALLDIR)/policy
+SRCPATH = $(INSTALLDIR)/src
+USERPATH = $(INSTALLDIR)/users
+CONTEXTPATH = $(INSTALLDIR)/contexts
+LOADPATH = $(POLICYPATH)/$(POLICYVER)
+FCPATH = $(CONTEXTPATH)/files/file_contexts
+HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
+
+ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
+ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
+ALL_TYPES := $(wildcard types/*.te)
+ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te)
+ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te 
+TE_RBAC_FILES := $(ALLTEFILES) rbac
+ALL_TUNABLES := $(wildcard tunables/*.tun )
+USER_FILES := users 
+POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
+ifeq ($(MLS),y)
+POLICYFILES += mls
+CHECKPOLMLS += -M
+endif
+DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
+POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
+POLICYFILES += $(USER_FILES)
+POLICYFILES += constraints
+POLICYFILES += $(DEFCONTEXTFILES)
+CONTEXTFILES = $(DEFCONTEXTFILES)
+POLICY_DIRS = domains/program domains/misc
+
+UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
+
+FC = file_contexts/file_contexts
+HOMEDIR_TEMPLATE = file_contexts/homedir_template
+FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
+CONTEXTFILES += $(FCFILES)
+
+APPDIR=$(CONTEXTPATH)
+APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
+CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
+
+ROOTFILES = $(addprefix $(APPDIR)/users/,root)
+
+all:  policy
+
+tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) 
+	@echo "Validating file_contexts ..."	
+	$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
+	@touch tmp/valid_fc
+
+install: tmp/valid_fc $(USERPATH)/local.users
+
+$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
+	@mkdir -p $(USERPATH)
+	@echo "# " > tmp/system.users
+	@echo "# Do not edit this file. " >> tmp/system.users
+	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
+	@echo "# Please edit local.users to make local changes." >> tmp/system.users
+	@echo "#" >> tmp/system.users
+	m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
+	install -m 644 tmp/system.users $@
+
+$(USERPATH)/local.users: local.users
+	@mkdir -p $(USERPATH)
+	install -C -b -m 644 $< $@
+
+$(CONTEXTPATH)/files/media: appconfig/media
+	mkdir -p $(CONTEXTPATH)/files/
+	install -m 644 $< $@
+
+$(APPDIR)/default_contexts: appconfig/default_contexts
+	mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/removable_context: appconfig/removable_context
+	mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/customizable_types: policy.conf
+	mkdir -p $(APPDIR)
+	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+	install -m 644 tmp/customizable_types $@ 
+
+$(APPDIR)/default_type: appconfig/default_type
+	mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/userhelper_context: appconfig/userhelper_context
+	mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/initrc_context: appconfig/initrc_context
+	mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/failsafe_context: appconfig/failsafe_context
+	mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
+	mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
+$(APPDIR)/users/root: appconfig/root_default_contexts
+	mkdir -p $(APPDIR)/users
+	install -m 644 $< $@
+
+$(LOADPATH):  policy.conf $(CHECKPOLICY)
+	mkdir -p $(POLICYPATH)
+	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
+ifneq ($(MLS),y)
+ifneq ($(VERS),18)
+	$(CHECKPOLICY) -c 18 -o $(POLICYPATH)/policy.18 policy.conf
+endif
+endif
+# Note: Can't use install, so not sure how to deal with mode, user, and group
+#	other than by default.
+
+policy: $(POLICYVER)
+
+$(POLICYVER):  policy.conf $(FC) $(CHECKPOLICY)
+	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
+ifneq ($(MLS),y)
+ifneq ($(VERS),18)
+	$(CHECKPOLICY) -c 18 -o policy.18 policy.conf
+endif
+endif
+	@echo "Validating file_contexts ..."
+	$(SETFILES) -q -c $(POLICYVER) $(FC)
+
+reload tmp/load: $(FCPATH) $(LOADPATH)
+ifeq ($(VERS), $(KERNVERS))
+	$(LOADPOLICY) $(LOADPATH)
+else
+	$(LOADPOLICY) $(POLICYPATH)/policy.18
+endif
+	touch tmp/load
+
+load: tmp/load
+
+enableaudit: policy.conf 
+	grep -v dontaudit policy.conf > policy.audit
+	mv policy.audit policy.conf
+
+policy.conf: $(POLICYFILES) $(POLICY_DIRS)
+	mkdir -p tmp
+	m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
+	mv $@.tmp $@
+
+install-src: 
+	rm -rf $(SRCPATH)/policy.old
+	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
+	mkdir -p $(SRCPATH)/policy
+	cp -R . $(SRCPATH)/policy
+
+tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
+	mkdir -p tmp
+	( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
+	( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
+	mv $@.tmp $@
+
+FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
+
+checklabels: $(SETFILES)
+	$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
+
+restorelabels: $(SETFILES)
+	$(SETFILES) -v $(FC) $(FILESYSTEMS)
+
+relabel:  $(FC) $(SETFILES)
+	$(SETFILES) $(FC) $(FILESYSTEMS)
+
+file_contexts/misc:
+	mkdir -p file_contexts/misc
+
+
+$(FCPATH): $(FC) $(USERPATH)/system.users 
+	@mkdir -p $(CONTEXTPATH)/files
+	install -m 644 $(FC) $(FCPATH)
+	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
+	@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
+
+$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
+	@echo "Building file_contexts ..."
+	@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
+	@grep -v -e HOME -e ROLE $@.tmp > $@
+	@grep -e HOME -e ROLE $@.tmp  > $(HOMEDIR_TEMPLATE)
+	@-rm $@.tmp
+
+# Create a tags-file for the policy:
+# we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
+pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs
+CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme
+ifeq ($(strip $(CTAGS)),)
+CTAGS := $(call pathsearch,ctags) # suse naming scheme
+endif
+
+tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te)
+	@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
+	@LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \
+	  --regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \
+	  --regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
+	  --regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \
+	  --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
+	  --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
+ 
+clean:
+	rm -f policy.conf $(POLICYVER) policy.18
+	rm -f tags
+	rm -f tmp/*
+	rm -f $(FC)
+	rm -f flask/*.h
+# for the policy regression tester
+	find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \
+
+# Policy regression tester.
+# Written by Colin Walters <walters at debian.org>
+cur_te = $(filter-out %/,$(subst /,/ ,$@))
+
+TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES))
+
+define compute_depends
+  export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //')
+endef
+
+
+ifeq ($(TE_DEPENDS_DEFINED),)
+ifeq ($(MAKECMDGOALS),check-all)
+  GENRULES := $(TESTED_TE_FILES)
+  export TE_DEPENDS_DEFINED := yes
+else
+  # Handle the case where checkunused/blah.te is run directly.
+  ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),)
+    GENRULES := $(TESTED_TE_FILES)
+    export TE_DEPENDS_DEFINED := yes
+  endif
+endif
+endif
+
+# Test for a new enough version of GNU Make.
+$(eval have_eval := yes)
+ifneq ($(GENRULES),)
+  ifeq ($(have_eval),)
+$(error Need GNU Make 3.80 or better!)
+Need GNU Make 3.80 or better
+  endif
+endif
+$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f))))
+
+PHONIES :=
+
+define compute_presymlinks
+PHONIES += presymlink/$(1)
+presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1)))
+	@if ! test -L domains/program/$(1); then \
+	  cd domains/program && ln -s unused/$(1) .; \
+	fi
+endef
+
+# Compute dependencies.
+$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f))))
+
+PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES))
+$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : 
+	@$(MAKE) -s clean
+
+$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/%
+	@if test -n "$(TE_DEPENDS_$(cur_te))"; then \
+	  echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \
+	fi
+	@echo "Testing $(cur_te)...";
+	@if ! make -s policy 1>/dev/null; then \
+	  echo "Testing $(cur_te)...FAILED"; \
+	  exit 1; \
+	fi;
+	@echo "Testing $(cur_te)...success."; \
+
+check-all:
+	@for goal in  $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \
+	  $(MAKE) --no-print-directory $$goal; \
+	done
+
+.PHONY: clean $(PHONIES)
+
+mlsconvert: 
+	@for file in $(CONTEXTFILES); do \
+		echo "Converting $$file"; \
+		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
+		mv $$file.new $$file; \
+	done
+	@for file in $(USER_FILES); do \
+		echo "Converting $$file"; \
+		sed -e 's/;/ level s0 range s0 - s9 : c0 . c127;/' $$file > $$file.new && \
+		mv $$file.new $$file; \
+	done
+	@sed -e '/sid kernel/s/s0/s0 - s9 : c0 . c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
+	@echo "Done"
diff --git a/strict/README b/strict/README
new file mode 100644
index 0000000..6818b66
--- /dev/null
+++ b/strict/README
@@ -0,0 +1,125 @@
+The Makefile targets are:
+policy - compile the policy configuration.
+install - compile and install the policy configuration.
+load    - compile, install, and load the policy configuration.
+relabel - relabel the filesystem.
+check-all - check individual additional policy files in domains/program/unused.
+checkunused/FILE.te - check individual file FILE from domains/program/unused.
+
+If you have configured MLS into your module, then set MLS=y in the
+Makefile prior to building the policy.  Of course, you must have also
+built checkpolicy with MLS enabled.  
+
+Three of the configuration files are independent of the particular
+security policy:
+1) flask/security_classes -
+   This file has a simple declaration for each security class.
+   The corresponding symbol definitions are in the automatically
+   generated header file <selinux/flask.h>. 
+
+2) flask/initial_sids - 
+   This file has a simple declaration for each initial SID.
+   The corresponding symbol definitions are in the automatically
+   generated header file <selinux/flask.h>.
+
+3) access_vectors - 
+   This file defines the access vectors.  Common prefixes for
+   access vectors may be defined at the beginning of the file.
+   After the common prefixes are defined, an access vector
+   may be defined for each security class.
+   The corresponding symbol definitions are in the automatically
+   generated header file <selinux/av_permissions.h>.
+
+In addition to being read by the security server, these configuration
+files are used during the kernel build to automatically generate
+symbol definitions used by the kernel for security classes, initial
+SIDs and permissions.  Since the symbol definitions generated from
+these files are used during the kernel build, the values of existing
+security classes and permissions may not be modified by load_policy.
+However, new classes may be appended to the list of classes and new
+permissions may be appended to the list of permissions associated with
+each access vector definition.
+
+The policy-dependent configuration files are:
+1) tmp/all.te -  
+   This file defines the Type Enforcement (TE) configuration.
+   This file is automatically generated from a collection of files.
+
+   The macros subdirectory contains a collection of m4 macro definitions
+   used by the TE configuration.  The global_macros.te file contains global 
+   macros used throughout the configuration for common groupings of classes 
+   and permissions and for common sets of rules.  The user_macros.te file
+   contains macros used in defining user domains.  The admin_macros.te file
+   contains macros used in defining admin domains.  The macros/program 
+   subdirectory contains macros that are used to instantiate derived domains
+   for certain programs that encode information about both the calling user
+   domain and the program, permitting the policy to maintain separation 
+   between different instances of the program.
+
+   The types subdirectory contains several files with declarations for
+   general types (types not associated with a particular domain) and 
+   some rules defining relationships among those types.  Related types 
+   are grouped together into each file in this directory, e.g. all
+   device type declarations are in the device.te file.
+
+   The domains subdirectory contains several files and directories
+   with declarations and rules for each domain.  User domains are defined in 
+   user.te.  Administrator domains are defined in admin.te.  Domains for 
+   specific programs, including both system daemons and other programs, are 
+   in the .te files within the domains/program subdirectory.  The domains/misc
+   subdirectory is for miscellaneous domains such as the kernel domain and
+   the kernel module loader domain.
+
+   The assert.te file contains assertions that are checked after evaluating 
+   the entire TE configuration.
+
+2) rbac - 
+   This file defines the Role-Based Access Control (RBAC) configuration.
+
+3) mls - 
+   This file defines the Multi-Level Security (MLS) configuration.
+
+4) users -
+   This file defines the users recognized by the security policy.
+
+5) constraints - 
+   This file defines additional constraints on permissions
+   in the form of boolean expressions that must be satisfied in order
+   for specified permissions to be granted.  These constraints
+   are used to further refine the type enforcement tables and
+   the role allow rules.  Typically, these constraints are used
+   to restrict changes in user identity or role to certain domains.
+
+6) initial_sid_contexts -
+   This file defines the security context for each initial SID.
+   A security context consists of a user identity, a role, a type and
+   optionally a MLS range if the MLS policy is enabled.  If left unspecified,
+   the high MLS level defaults to the low MLS level.  The syntax of a valid 
+   security context is:
+
+     user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]
+
+7) fs_use -
+   This file defines the labeling behavior for inodes in particular
+   filesystem types.  
+
+8) genfs_contexts -
+   This file defines security contexts for files in filesystems that
+   cannot support persistent label mappings or use one of the fixed
+   labeling schemes specified in fs_use.
+
+8) net_contexts -
+   This file defines the security contexts of network objects
+   such as ports, interfaces, and nodes.
+
+9) file_contexts/{types.fc,program/*.fc}
+   These files define the security contexts for persistent files.
+
+It is possible to test the security server functions on a given policy
+configuration by running the checkpolicy program with the -d option.
+This program is built from the same sources as the security server
+component of the kernel, so it may be used both to verify that a
+policy configuration will load successfully and to determine how the
+security server would respond if it were using that policy
+configuration.  A menu-based interface is provided for calling any of
+the security server functions after the policy is loaded.
diff --git a/strict/VERSION b/strict/VERSION
new file mode 100644
index 0000000..aa3e574
--- /dev/null
+++ b/strict/VERSION
@@ -0,0 +1 @@
+1.23.2-1
diff --git a/strict/appconfig/dbus_contexts b/strict/appconfig/dbus_contexts
new file mode 100644
index 0000000..116e684
--- /dev/null
+++ b/strict/appconfig/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <selinux>
+  </selinux>
+</busconfig>
diff --git a/strict/appconfig/default_contexts b/strict/appconfig/default_contexts
new file mode 100644
index 0000000..e778f50
--- /dev/null
+++ b/strict/appconfig/default_contexts
@@ -0,0 +1,12 @@
+system_r:sulogin_t  sysadm_r:sysadm_t 
+system_r:local_login_t  staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
+system_r:remote_login_t user_r:user_t staff_r:staff_t
+system_r:sshd_t		user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+system_r:crond_t	user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t
+system_r:xdm_t		staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
+staff_r:staff_su_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
+sysadm_r:sysadm_su_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
+user_r:user_su_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
+sysadm_r:sysadm_sudo_t		sysadm_r:sysadm_t
+staff_r:staff_sudo_t		sysadm_r:sysadm_t staff_r:staff_t
+user_r:user_sudo_t		sysadm_r:sysadm_t user_r:user_t
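Review bot: The sshd_t entry at L1552 offers sysadm_r:sysadm_t as a reachable default context, while the remote_login_t entry at L1551 stops at user_r and staff_r, and nothing in the file records whether exposing the admin role over ssh is intended; root_default_contexts (L1614) keeps its own sshd_t line commented out with a warning, which suggests the difference is deliberate but undocumented. Since the format accepts `#` comment lines (root_default_contexts uses them at L1611-L1614), a note above L1552 such as `# sshd_t: sysadm_r is reachable for non-root logins; remote_login_t is intentionally limited to user_r/staff_r` would record the decision, or the sysadm_r:sysadm_t entry could be dropped from L1552 to match L1551. Several lines (L1549, L1550, L1554-L1557) also carry trailing whitespace, which the parser presumably ignores but which makes later diffs noisy.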
diff --git a/strict/appconfig/default_type b/strict/appconfig/default_type
new file mode 100644
index 0000000..5212ca4
--- /dev/null
+++ b/strict/appconfig/default_type
@@ -0,0 +1,3 @@
+sysadm_r:sysadm_t
+staff_r:staff_t
+user_r:user_t
diff --git a/strict/appconfig/failsafe_context b/strict/appconfig/failsafe_context
new file mode 100644
index 0000000..2f96c9f
--- /dev/null
+++ b/strict/appconfig/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t
diff --git a/strict/appconfig/initrc_context b/strict/appconfig/initrc_context
new file mode 100644
index 0000000..7fcf70b
--- /dev/null
+++ b/strict/appconfig/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t
diff --git a/strict/appconfig/media b/strict/appconfig/media
new file mode 100644
index 0000000..de2a652
--- /dev/null
+++ b/strict/appconfig/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t
+floppy system_u:object_r:removable_device_t
+disk system_u:object_r:fixed_disk_device_t
diff --git a/strict/appconfig/removable_context b/strict/appconfig/removable_context
new file mode 100644
index 0000000..d4921f0
--- /dev/null
+++ b/strict/appconfig/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t
diff --git a/strict/appconfig/root_default_contexts b/strict/appconfig/root_default_contexts
new file mode 100644
index 0000000..acdcc08
--- /dev/null
+++ b/strict/appconfig/root_default_contexts
@@ -0,0 +1,9 @@
+system_r:local_login_t  sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+system_r:crond_t	sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
+staff_r:staff_su_t	sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+sysadm_r:sysadm_su_t	sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+user_r:user_su_t	sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/strict/appconfig/userhelper_context b/strict/appconfig/userhelper_context
new file mode 100644
index 0000000..081e93b
--- /dev/null
+++ b/strict/appconfig/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t
diff --git a/strict/assert.te b/strict/assert.te
new file mode 100644
index 0000000..f8b76c8
--- /dev/null
+++ b/strict/assert.te
@@ -0,0 +1,162 @@
+##############################
+#
+# Assertions for the type enforcement (TE) configuration.
+#
+
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#
+
+##################################
+#
+# Access vector assertions.
+#
+# An access vector assertion specifies permissions that should not be in
+# an access vector based on a source type, a target type, and a class.
+# If any of the specified permissions are in the corresponding access
+# vector, then the policy compiler will reject the policy configuration.
+# Currently, there is only one kind of access vector assertion, neverallow, 
+# but support for the other kinds of vectors could be easily added.  Access 
+# vector assertions use the same syntax as access vector rules.
+#
+
+#
+# Verify that every type that can be entered by
+# a domain is also tagged as a domain.
+#
+neverallow domain ~domain:process { transition dyntransition };
+
+#
+# Verify that only the insmod_t and kernel_t domains 
+# have the sys_module capability.
+#
+neverallow {domain -unrestricted -insmod_t -kernel_t ifdef(`howl.te', `-howl_t') } self:capability sys_module;
+
+#
+# Verify that executable types, the system dynamic loaders, and the
+# system shared libraries can only be modified by administrators.
+#
+neverallow {domain  -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin} { exec_type ld_so_t shlib_t }:file { write append unlink rename };
+neverallow {domain  ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin } { exec_type ld_so_t shlib_t }:file relabelto;
+
+#
+# Verify that only appropriate domains can access /etc/shadow
+neverallow { domain -auth -auth_write } shadow_t:file ~getattr;
+neverallow { domain -auth_write } shadow_t:file ~r_file_perms;
+
+#
+# Verify that only appropriate domains can write to /etc (IE mess with
+# /etc/passwd)
+neverallow {domain -auth_write -etc_writer } etc_t:dir ~rw_dir_perms;
+neverallow {domain -auth_write -etc_writer } etc_t:lnk_file ~r_file_perms;
+neverallow {domain -auth_write -etc_writer } etc_t:file ~{ execute_no_trans rx_file_perms };
+
+#
+# Verify that other system software can only be modified by administrators.
+#
+neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
+neverallow { domain -kernel_t -admin } { lib_t bin_t sbin_t }:file { write append unlink rename };
+
+#
+# Verify that only certain domains have access to the raw disk devices.
+#
+neverallow { domain -fs_domain } fixed_disk_device_t:devfile_class_set { read write append };
+
+#
+# Verify that only the X server and klogd have access to memory devices.
+#
+neverallow { domain -privmem } memory_device_t:devfile_class_set { read write append };
+
+#
+# Verify that only domains with the privlog attribute can actually syslog
+#
+neverallow { domain -unrestricted -privlog } devlog_t:sock_file { read write append };
+
+#
+# Verify that /proc/kmsg is only accessible to klogd.
+#
+ifdef(`klogd.te', `
+neverallow {domain -unrestricted -klogd_t } proc_kmsg_t:file ~stat_file_perms;
+', `
+ifdef(`syslogd.te', `
+neverallow {domain -unrestricted -syslogd_t } proc_kmsg_t:file ~stat_file_perms;
+')dnl end if syslogd
+')dnl end if klogd
+
+#
+# Verify that /proc/kcore is inaccessible.
+#
+
+neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
+
+#
+# Verify that sysctl variables are only changeable
+# by initrc and administrators.
+#
+neverallow { domain -initrc_t -admin -kernel_t -insmod_t } sysctl_t:file { write append };
+neverallow { domain -initrc_t -admin } sysctl_fs_t:file { write append };
+neverallow { domain -admin -sysctl_kernel_writer } sysctl_kernel_t:file { write append };
+neverallow { domain -initrc_t -admin -sysctl_net_writer } sysctl_net_t:file { write append };
+neverallow { domain -initrc_t -admin } sysctl_net_unix_t:file { write append };
+neverallow { domain -initrc_t -admin } sysctl_vm_t:file { write append };
+neverallow { domain -initrc_t -admin } sysctl_dev_t:file { write append };
+neverallow { domain -initrc_t -admin } sysctl_modprobe_t:file { write append };
+
+#
+# Verify that certain domains are limited to only being
+# entered by their entrypoint types and to only executing
+# the dynamic loader without a transition to another domain.
+#
+
+define(`assert_execute', `
+    ifelse($#, 0, , 
+           $#, 1, 
+           ``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',
+           `assert_execute($1) assert_execute(shift($@))')')
+
+ifdef(`getty.te', `assert_execute(getty)')
+ifdef(`klogd.te', `assert_execute(klogd)')
+ifdef(`tcpd.te', `assert_execute(tcpd)')
+ifdef(`portmap.te', `assert_execute(portmap)')
+ifdef(`syslogd.te', `assert_execute(syslogd)')
+ifdef(`rpcd.te', `assert_execute(rpcd)')
+ifdef(`rlogind.te', `assert_execute(rlogind)')
+ifdef(`ypbind.te', `assert_execute(ypbind)')
+ifdef(`xfs.te', `assert_execute(xfs)')
+ifdef(`gpm.te', `assert_execute(gpm)')
+ifdef(`ifconfig.te', `assert_execute(ifconfig)')
+ifdef(`iptables.te', `assert_execute(iptables)')
+
+ifdef(`login.te', `
+neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;
+neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans;
+')
+
+#
+# Verify that the passwd domain can only be entered by its
+# entrypoint type and can only execute the dynamic loader
+# and the ordinary passwd program without a transition to another domain.
+#
+ifdef(`passwd.te', `
+neverallow passwd_t ~passwd_exec_t:file entrypoint;
+neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint;
+neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;
+')
+
+#
+# Verify that only the admin domains and initrc_t have setenforce.
+#
+neverallow { domain -admin -initrc_t } security_t:security setenforce;
+
+#
+# Verify that only the kernel and load_policy_t have load_policy.
+#
+
+neverallow { domain -unrestricted -kernel_t -load_policy_t } security_t:security load_policy;
+
+#
+# for gross mistakes in policy
+neverallow * domain:dir ~r_dir_perms;
+neverallow * domain:file_class_set ~rw_file_perms;
+neverallow { domain unlabeled_t } file_type:process *;
+neverallow ~{ domain unlabeled_t } *:process *;
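Review bot: Several assertion comments overstate what the rule beneath them enforces, because the rule carves out the `unrestricted` attribute while the comment does not mention it: L1657 says only insmod_t and kernel_t hold sys_module although L1660 also exempts `unrestricted` and, when howl.te is present, howl_t; L1714 says /proc/kcore is inaccessible although L1717 exempts `unrestricted`; L1779 says only the kernel and load_policy_t may load policy although L1782 exempts `unrestricted` as well. Since assert.te is the reader's summary of what the policy guarantees, each comment should name the exemption, e.g. above L1717: `# Verify that /proc/kcore is inaccessible to every domain except those tagged unrestricted.`. Likewise the comment at L1693 names the X server and klogd, but the rule at L1695 is keyed on the privmem attribute, so any domain granted privmem passes; `# Verify that only domains with the privmem attribute have access to memory devices.` describes the actual check. Separately, L1666 asserts only write/append/unlink/rename on exec_type, ld_so_t and shlib_t files, so a non-admin domain permitted `setattr` on an executable (mode-bit changes) would not be caught; worth confirming whether that omission is intentional or whether `setattr` belongs in that permission set.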
diff --git a/strict/attrib.te b/strict/attrib.te
new file mode 100644
index 0000000..4533bf7
--- /dev/null
+++ b/strict/attrib.te
@@ -0,0 +1,426 @@
+#
+# Declarations for type attributes.
+# 
+
+# A type attribute can be used to identify a set of types with a similar
+# property.  Each type can have any number of attributes, and each
+# attribute can be associated with any number of types.  Attributes are
+# explicitly declared here, and can then be associated with particular
+# types in type declarations.  Attribute names can then be used throughout 
+# the configuration to express the set of types that are associated with 
+# the attribute.  Except for the MLS attributes, attributes have no implicit
+# meaning to SELinux.  The meaning of all other attributes are completely 
+# defined through their usage within the configuration, but should be 
+# documented here as comments preceding the attribute declaration.  
+
+#####################
+# Attributes for MLS:
+#
+
+attribute mlsfileread;
+attribute mlsfilereadtoclr;
+attribute mlsfilewrite;
+attribute mlsfilewritetoclr;
+attribute mlsfileupgrade;
+attribute mlsfiledowngrade;
+
+attribute mlsnetread;
+attribute mlsnetreadtoclr;
+attribute mlsnetwrite;
+attribute mlsnetwritetoclr;
+attribute mlsnetupgrade;
+attribute mlsnetdowngrade;
+attribute mlsnetbindall;
+
+attribute mlsipcread;
+attribute mlsipcreadtoclr;
+attribute mlsipcwrite;
+attribute mlsipcwritetoclr;
+
+attribute mlsprocread;
+attribute mlsprocreadtoclr;
+attribute mlsprocwrite;
+attribute mlsprocwritetoclr;
+attribute mlsprocsetsl;
+
+attribute mlsxwinread;
+attribute mlsxwinreadtoclr;
+attribute mlsxwinwrite;
+attribute mlsxwinwritetoclr;
+attribute mlsxwinupgrade;
+attribute mlsxwindowngrade;
+
+attribute mlstrustedobject;
+
+attribute privrangetrans;
+attribute mlsrangetrans;
+
+#########################
+# Attributes for domains:
+#
+
+# The domain attribute identifies every type that can be 
+# assigned to a process.  This attribute is used in TE rules 
+# that should be applied to all domains, e.g. permitting 
+# init to kill all processes.
+attribute domain;
+
+# The daemon attribute identifies domains for system processes created via
+# the daemon_domain, daemon_base_domain, and init_service_domain macros.
+attribute daemon;
+
+# The privuser attribute identifies every domain that can 
+# change its SELinux user identity.  This attribute is used 
+# in the constraints configuration.  NOTE:  This attribute
+# is not required for domains that merely change the Linux
+# uid attributes, only for domains that must change the
+# SELinux user identity.  Also note that this attribute makes
+# no sense without the privrole attribute.
+attribute privuser;
+
+# The privrole attribute identifies every domain that can 
+# change its SELinux role.  This attribute is used in the 
+# constraints configuration.
+attribute privrole;
+
+# The userspace_objmgr attribute identifies every domain
+# which enforces its own policy.
+attribute userspace_objmgr;
+
+# The priv_system_role attribute identifies every domain that can
+# change role from a user role to system_r role, and identity from a user
+# identity to system_u.  It is used in the constraints configuration.
+attribute priv_system_role;
+
+# The privowner attribute identifies every domain that can 
+# assign a different SELinux user identity to a file, or that
+# can create a file with an identity that's not the same as the
+# process identity.  This attribute is used in the constraints
+# configuration.
+attribute privowner;
+
+# The privlog attribute identifies every domain that can 
+# communicate with syslogd through its Unix domain socket.
+# There is an assertion that other domains can not do it,
+# and an allow rule to permit it
+attribute privlog;
+
+# The privmodule attribute identifies every domain that can run
+# modprobe, there is an assertion that other domains can not do it,
+# and an allow rule to permit it
+attribute privmodule;
+
+# The privmem attribute identifies every domain that can 
+# access kernel memory devices.
+# This attribute is used in the TE assertions to verify
+# that such access is limited to domains that are explicitly
+# tagged with this attribute.
+attribute privmem;
+
+# The privfd attribute identifies every domain that should have
+# file handles inherited widely (IE sshd_t and getty_t).
+attribute privfd;
+
+# The privhome attribute identifies every domain that can create files under
+# regular user home directories in the regular context (IE act on behalf of
+# a user in writing regular files)
+attribute privhome;
+
+# The auth attribute identifies every domain that needs
+# to read /etc/shadow, and grants the permission.
+attribute auth;
+
+# The auth_write attribute identifies every domain that can have write or
+# relabel access to /etc/shadow, but does not grant it.
+attribute auth_write;
+
+# The auth_chkpwd attribute identifies every system domain that can
+# authenticate users by running unix_chkpwd
+attribute auth_chkpwd;
+
+# The change_context attribute identifies setfiles_t, restorecon_t, and other
+# system domains that change the context of most/all files on the system
+attribute change_context;
+
+# The etc_writer attribute identifies every domain that can write to etc_t
+attribute etc_writer;
+
+# The sysctl_kernel_writer attribute identifies domains that can write to
+# sysctl_kernel_t, in addition the admin attribute is permitted write access
+attribute sysctl_kernel_writer;
+
+# the sysctl_net_writer attribute identifies domains that can write to
+# sysctl_net_t files.
+attribute sysctl_net_writer;
+
+# The sysctl_type attribute identifies every type that is assigned
+# to a sysctl entry.  This can be used in allow rules to grant
+# permissions to all sysctl entries without enumerating each individual
+# type, but should be used with care.
+attribute sysctl_type;
+
+# The admin attribute identifies every administrator domain.
+# It is used in TE assertions when verifying that only administrator 
+# domains have certain permissions.  
+# This attribute is presently associated with sysadm_t and 
+# certain administrator utility domains.  
+# XXX The use of this attribute should be reviewed for consistency.
+# XXX Might want to partition into several finer-grained attributes 
+# XXX used in different assertions within assert.te.
+attribute admin;
+
+# The userdomain attribute identifies every user domain, presently
+# user_t and sysadm_t.  It is used in TE rules that should be applied
+# to all user domains.
+attribute userdomain;
+
+# for a small domain that can only be used for newrole
+attribute user_mini_domain;
+
+# pty for the mini domain
+attribute mini_pty_type;
+
+# pty created by a server such as sshd
+attribute server_pty;
+
+# attribute for all non-administrative devpts types
+attribute userpty_type;
+
+# The user_tty_type identifies every type for a tty or pty owned by an
+# unpriviledged user
+attribute user_tty_type;
+
+# The user_crond_domain attribute identifies every user_crond domain, presently
+# user_crond_t and sysadm_crond_t.  It is used in TE rules that should be
+# applied to all user domains.
+attribute user_crond_domain;
+
+# The unpriv_userdomain identifies non-administrative users (default user_t)
+attribute unpriv_userdomain;
+
+# This attribute is for the main user home directory for unpriv users
+attribute user_home_dir_type;
+
+# The gphdomain attribute identifies every gnome-pty-helper derived
+# domain.  It is used in TE rules to permit inheritance and use of
+# descriptors created by these domains.
+attribute gphdomain;
+
+# The fs_domain identifies every domain that may directly access a fixed disk
+attribute fs_domain;
+
+# This attribute is for all domains for the userhelper program.
+attribute userhelperdomain;
+
+############################
+# Attributes for file types:
+#
+
+# The file_type attribute identifies all types assigned to files 
+# in persistent filesystems.  It is used in TE rules to permit
+# the association of all such file types with persistent filesystem
+# types, and to permit certain domains to access all such types as 
+# appropriate.
+attribute file_type;
+
+# The secure_file_type attribute identifies files 
+# which will be treated with a higer level of security.
+# Most domains will be prevented from manipulating files in this domain
+attribute secure_file_type;
+
+# The device_type attribute identifies all types assigned to device nodes
+attribute device_type;
+
+# The proc_fs attribute identifies all types that may be assigned to
+# files under /proc.
+attribute proc_fs;
+
+# The dev_fs attribute identifies all types that may be assigned to
+# files, sockets, or pipes under /dev.
+attribute dev_fs;
+
+# The sysadmfile attribute identifies all types assigned to files 
+# that should be completely accessible to administrators.  It is used
+# in TE rules to grant such access for administrator domains.
+attribute sysadmfile;
+
+# The fs_type attribute identifies all types assigned to filesystems
+# (not limited to persistent filesystems).
+# It is used in TE rules to permit certain domains to mount
+# any filesystem and to permit most domains to obtain the
+# overall filesystem statistics.
+attribute fs_type;
+
+# The exec_type attribute identifies all types assigned
+# to entrypoint executables for domains.  This attribute is 
+# used in TE rules and assertions that should be applied to all 
+# such executables.
+attribute exec_type;
+
+# The tmpfile attribute identifies all types assigned to temporary 
+# files.  This attribute is used in TE rules to grant certain 
+# domains the ability to remove all such files (e.g. init, crond).
+attribute tmpfile;
+
+# The user_tmpfile attribute identifies all types associated with temporary
+# files for unpriv_userdomain domains.
+attribute user_tmpfile;
+
+# for the user_xserver_tmp_t etc
+attribute xserver_tmpfile;
+
+# The tmpfsfile attribute identifies all types defined for tmpfs 
+# type transitions. 
+# It is used in TE rules to grant certain domains the ability to
+# access all such files.
+attribute tmpfsfile;
+
+# The home_type attribute identifies all types assigned to home
+# directories.  This attribute is used in TE rules to grant certain
+# domains the ability to access all home directory types.
+attribute home_type;
+
+# This attribute is for the main user home directory /home/user, to
+# distinguish it from sub-dirs.  Often you want a process to be able to
+# read the user home directory but not read the regular directories under it.
+attribute home_dir_type;
+
+# The ttyfile attribute identifies all types assigned to ttys.
+# It is used in TE rules to grant certain domains the ability to
+# access all ttys.
+attribute ttyfile;
+
+# The ptyfile attribute identifies all types assigned to ptys.
+# It is used in TE rules to grant certain domains the ability to
+# access all ptys.
+attribute ptyfile;
+
+# The pidfile attribute identifies all types assigned to pid files.
+# It is used in TE rules to grant certain domains the ability to
+# access all such files.
+attribute pidfile;
+
+
+############################
+# Attributes for network types:
+#
+
+# The socket_type attribute identifies all types assigned to 
+# kernel-created sockets.  Ordinary sockets are assigned the 
+# domain of the creating process.
+# XXX This attribute is unused.  Remove?
+attribute socket_type;
+
+# Identifies all types assigned to port numbers to control binding.
+attribute port_type;
+
+# Identifies all types assigned to reserved port (<1024) numbers to control binding.
+attribute reserved_port_type;
+
+# Identifies all types assigned to network interfaces to control
+# operations on the interface (XXX obsolete, not supported via LSM) 
+# and to control traffic sent or received on the interface.
+attribute netif_type;
+
+# Identifies all default types assigned to packets received 
+# on network interfaces.  
+attribute netmsg_type;
+
+# Identifies all types assigned to network nodes/hosts to control
+# traffic sent to or received from the node.
+attribute node_type;
+
+# Identifier for log files or directories that only exist for log files.
+attribute logfile;
+
+# Identifier for lock files (/var/lock/*) or directories that only exist for
+# lock files.
+attribute lockfile;
+
+
+
+##############################
+# Attributes for security policy types:
+#
+
+# The login_contexts attribute idenitifies the files used
+# to define default contexts for login types (e.g., login, cron).
+attribute login_contexts;
+
+# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
+# sysadm_mail_t, etc)
+attribute user_mail_domain;
+
+# Identifies domains that can transition to system_mail_t
+attribute privmail;
+
+# Type for non-sysadm home directory
+attribute user_home_type;
+
+# For domains that are part of a mail server and need to read user files and
+# fifos, and inherit file handles to enable user email to get to the mail
+# spool
+attribute mta_user_agent;
+
+# For domains that are part of a mail server for delivering messages to the
+# user
+attribute mta_delivery_agent;
+
+# For domains that make outbound TCP port 25 connections to send mail from the
+# mail server.
+attribute mail_server_sender;
+
+# For a mail server process that takes TCP connections on port 25
+attribute mail_server_domain;
+
+# For web clients such as netscape and squid
+attribute web_client_domain;
+
+# For X Window System server domains
+attribute xserver;
+
+# For X Window System client domains
+attribute xclient;
+
+# For X Window System protocol extensions
+attribute xextension;
+
+# For X Window System property types
+attribute xproperty;
+
+#
+# For file systems that do not have extended attributes but need to be
+# r/w by users
+#
+attribute noexattrfile;
+
+#
+# For filetypes that the usercan read
+#
+attribute usercanread;
+
+#
+# For serial devices
+#
+attribute serial_device;
+
+# Attribute to designate unrestricted access
+attribute unrestricted;
+
+# For clients of nscd.
+attribute nscd_client_domain;
+
+# For clients of nscd that can use shmem interface.
+attribute nscd_shmem_domain;
+
+# For labeling of content for httpd
+attribute httpdcontent;
+
+# For labeling of domains whos transition can be disabled
+attribute transitionbool;
+
+# For labeling of file_context domains which users can change files to rather
+# then the default file context.  These file_context can survive a relabeling
+# of the file system.
+attribute customizable;
+
diff --git a/strict/constraints b/strict/constraints
new file mode 100644
index 0000000..17fccc0
--- /dev/null
+++ b/strict/constraints
@@ -0,0 +1,79 @@
+#
+# Define m4 macros for the constraints
+#
+
+#
+# Define the constraints
+#
+# constrain class_set perm_set expression ;
+#
+# validatetrans class_set expression ;
+#
+# expression : ( expression )
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_mls_op r2
+#	     | t1 op t2
+#	     | l1 role_mls_op l2
+#	     | l1 role_mls_op h2
+#	     | h1 role_mls_op l2
+#	     | h1 role_mls_op h2
+#	     | l1 role_mls_op h1
+#	     | l2 role_mls_op h2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#	     | u3 op names (NOTE: this is only available for validatetrans)
+#	     | r3 op names (NOTE: this is only available for validatetrans)
+#	     | t3 op names (NOTE: this is only available for validatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name#
+#
+
+#
+# Restrict the ability to transition to other users
+# or roles to a few privileged types.
+#
+
+constrain process transition
+	( u1 == u2 or ( t1 == privuser and t2 == userdomain )
+ifdef(`crond.te', `
+         or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
+')
+ifdef(`userhelper.te', 
+	`or (t1 == userhelperdomain)')
+	 or (t1 == priv_system_role and u2 == system_u )
+        );
+
+constrain process transition 
+	( r1 == r2 or ( t1 == privrole and t2 == userdomain )
+ifdef(`crond.te', `
+         or (t1 == crond_t and t2 == user_crond_domain)
+')
+ifdef(`userhelper.te', 
+	`or (t1 == userhelperdomain)')
+	 or (t1 == priv_system_role and r2 == system_r )
+        );
+
+constrain process dyntransition
+	( u1 == u2 and r1 == r2);
+
+#
+# Restrict the ability to label objects with other
+# user identities to a few privileged types.
+#
+
+constrain dir_file_class_set { create relabelto relabelfrom } 
+	( u1 == u2 or t1 == privowner );
+
+constrain socket_class_set { create relabelto relabelfrom } 
+	( u1 == u2 or t1 == privowner );
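Review bot: The userhelperdomain clause in both `constrain process transition` expressions places no condition on t2, u2 or r2, so any type carrying userhelperdomain may move to any user identity and any role, whereas the neighbouring crond_t clause is limited to `t2 == user_crond_domain` and the priv_system_role clause to `u2 == system_u` / `r2 == system_r`. If userhelper only needs to reach user domains, narrowing it to `or (t1 == userhelperdomain and t2 == userdomain)` in both constraints would keep this escape hatch as tight as the others. Whether userhelper has to transition to types outside userdomain cannot be determined from this hunk, so that should be checked against userhelper.te before changing it.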
diff --git a/strict/domains/admin.te b/strict/domains/admin.te
new file mode 100644
index 0000000..b88654f
--- /dev/null
+++ b/strict/domains/admin.te
@@ -0,0 +1,35 @@
+#DESC Admin - Domains for administrators.
+#
+#################################
+
+# sysadm_t is the system administrator domain.
+type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain
+ifdef(`direct_sysadm_daemon', `, priv_system_role')
+; dnl end of sysadm_t type declaration
+
+allow privhome home_root_t:dir { getattr search };
+
+# system_r is authorized for sysadm_t for single-user mode.
+role system_r types sysadm_t; 
+
+general_proc_read_access(sysadm_t)
+
+# sysadm_t is also granted permissions specific to administrator domains.
+admin_domain(sysadm)
+
+# Allow administrator domains to set the enforcing flag.
+can_setenforce(sysadm_t)
+
+# Allow administrator domains to set policy booleans.
+can_setbool(sysadm_t)
+
+# Allow administrator domains to set security parameters
+can_setsecparam(sysadm_t)
+
+# for su
+allow sysadm_t userdomain:fd use;
+
+define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }')
+
+# Add/remove user home directories
+file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
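Review bot: The comments above `can_setenforce(sysadm_t)`, `can_setbool(sysadm_t)` and `can_setsecparam(sysadm_t)` say what each rule grants but not the consequence: any process running in sysadm_t can switch the system to permissive mode and change booleans, so a compromise of the administrator shell is a compromise of the whole policy. Since that is the chosen trust boundary of the strict policy, it should be stated where the rules live, e.g. `# NOTE: sysadm_t is trusted to disable enforcement; code compromised in this domain defeats the policy.` Nothing in this hunk shows a build-time or boolean gate for these grants, so this is a documentation point only.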
diff --git a/strict/domains/misc/auth-net.te b/strict/domains/misc/auth-net.te
new file mode 100644
index 0000000..e954a9b
--- /dev/null
+++ b/strict/domains/misc/auth-net.te
@@ -0,0 +1,3 @@
+#DESC Policy for using network servers for authenticating users (IE PAM-LDAP)
+
+can_network(auth)
diff --git a/strict/domains/misc/fcron.te b/strict/domains/misc/fcron.te
new file mode 100644
index 0000000..57209be
--- /dev/null
+++ b/strict/domains/misc/fcron.te
@@ -0,0 +1,30 @@
+#DESC fcron - additions to cron policy for a more powerful cron program
+#
+# Domain for fcron, a more powerful cron program.
+#
+# Needs cron.te installed.
+#
+# Author: Russell Coker <russell at coker.com.au>
+
+# Use capabilities.
+allow crond_t self:capability { dac_override dac_read_search };
+
+# differences between r_dir_perms and rw_dir_perms
+allow crond_t cron_spool_t:dir { add_name remove_name write };
+
+ifdef(`mta.te', `
+# not sure why we need write access, but Postfix does not work without it
+# I will have to change fcron to avoid the need for this
+allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };
+')
+
+ifdef(`distro_debian', `
+can_exec(dpkg_t, crontab_exec_t)
+file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file)
+')
+
+rw_dir_create_file(crond_t, cron_spool_t)
+can_setfscreate(crond_t)
+
+# for /var/run/fcron.fifo
+file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file)
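Review bot: The `allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };` rule inside the mta.te block gives the mail domains write access to cron spool files, and the comment above it admits the reason is unknown; write access to a spool entry is the ability to edit the commands crond will later run for that user, so a flaw in the mailer becomes scheduled command execution. The comment's plan to change fcron suggests the mailer merely inherits an open descriptor, in which case dropping `write` and auditing the denials is safer than leaving it allowed: `allow { system_mail_t mta_user_agent } cron_spool_t:file { read getattr };`. The `dac_override dac_read_search` capabilities granted to crond_t at the top of the file widen what a misbehaving crond can reach in a similar way, but that may be inherent to how fcron reads spools and cannot be judged from here.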
diff --git a/strict/domains/misc/kernel.te b/strict/domains/misc/kernel.te
new file mode 100644
index 0000000..4b2cbbb
--- /dev/null
+++ b/strict/domains/misc/kernel.te
@@ -0,0 +1,66 @@
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#
+
+#################################
+#
+# Rules for the kernel_t domain.
+#
+
+#
+# kernel_t is the domain of kernel threads.
+# It is also the target type when checking permissions in the system class.
+# 
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite ifdef(`nfs_export_all_rw',`,etc_writer') ;
+role system_r types kernel_t;
+general_domain_access(kernel_t)
+general_proc_read_access(kernel_t)
+base_file_read_access(kernel_t)
+uses_shlib(kernel_t)
+can_exec(kernel_t, shell_exec_t)
+
+# Use capabilities.
+allow kernel_t self:capability *;
+
+allow kernel_t sysfs_t:dir search;
+allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;
+
+# Run init in the init_t domain.
+domain_auto_trans(kernel_t, init_exec_t, init_t)
+
+# Share state with the init process.
+allow kernel_t init_t:process share;
+
+# Mount and unmount file systems.
+allow kernel_t fs_type:filesystem mount_fs_perms;
+
+# Send signal to any process.
+allow kernel_t domain:process signal;
+
+# Access the console.
+allow kernel_t device_t:dir search;
+allow kernel_t console_device_t:chr_file rw_file_perms;
+
+# Access the initrd filesystem.
+allow kernel_t file_t:chr_file rw_file_perms;
+can_exec(kernel_t, file_t)
+ifdef(`chroot.te', `
+can_exec(kernel_t, chroot_exec_t)
+')
+allow kernel_t self:capability sys_chroot;
+
+allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
+allow kernel_t file_t:dir rw_dir_perms;
+allow kernel_t file_t:blk_file create_file_perms;
+allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
+
+# Lookup the policy.
+allow kernel_t policy_config_t:dir r_dir_perms;
+
+# Load the policy configuration.
+can_loadpol(kernel_t)
+
+# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
+can_exec(kernel_t, bin_t)
+
+
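Review bot: `can_exec(kernel_t, file_t)` combined with `allow kernel_t self:capability *;` means any unlabeled executable kernel_t reaches — the initrd case the comment names, but also anything else that ends up labeled file_t — runs with every capability and no domain transition, and that trust should be written down next to the rule, e.g. `# NOTE: file_t is trusted here: unlabeled initrd content executes in kernel_t with all capabilities.` Separately, `allow kernel_t sysfs_t:dir search;` is already covered by the following `allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;` and can be dropped. Whether the modprobe hook at the end, `can_exec(kernel_t, bin_t)`, ought to transition to a dedicated domain instead cannot be judged from this hunk alone.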
diff --git a/strict/domains/misc/screensaver.te b/strict/domains/misc/screensaver.te
new file mode 100644
index 0000000..d420266
--- /dev/null
+++ b/strict/domains/misc/screensaver.te
@@ -0,0 +1,18 @@
+#
+# Alias file to stop blow up during policy upgrade, since 
+# screensaver policy is being removed.
+#
+typealias bin_t alias screensaver_exec_t;
+typealias sysadm_home_t alias sysadm_screensaver_t;
+typealias sysadm_home_t alias sysadm_screensaver_rw_t;
+typealias sysadm_home_t alias sysadm_screensaver_ro_t;
+typealias sysadm_home_t alias sysadm_screensaver_tmpfs_t;
+typealias user_home_t alias user_screensaver_t;
+typealias user_home_t alias user_screensaver_rw_t;
+typealias user_home_t alias user_screensaver_ro_t;
+typealias user_home_t alias user_screensaver_tmpfs_t;
+typealias staff_home_t alias staff_screensaver_t;
+typealias staff_home_t alias staff_screensaver_rw_t;
+typealias staff_home_t alias staff_screensaver_ro_t;
+typealias staff_home_t alias staff_screensaver_tmpfs_t;
+
diff --git a/strict/domains/misc/startx.te b/strict/domains/misc/startx.te
new file mode 100644
index 0000000..16c4910
--- /dev/null
+++ b/strict/domains/misc/startx.te
@@ -0,0 +1,7 @@
+#DESC startx - policy for running an X server from a user domain
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+
+# Everything is in the macro files
+
diff --git a/strict/domains/misc/userspace_objmgr.te b/strict/domains/misc/userspace_objmgr.te
new file mode 100644
index 0000000..ae3b205
--- /dev/null
+++ b/strict/domains/misc/userspace_objmgr.te
@@ -0,0 +1,13 @@
+#DESC Userspace Object Managers
+#
+#################################
+
+# Get our own security context.
+can_getcon(userspace_objmgr)
+# Get security decisions via selinuxfs.
+can_getsecurity(userspace_objmgr)
+# Read /etc/selinux
+r_dir_file(userspace_objmgr, { selinux_config_t default_context_t })
+# Receive notifications of policy reloads and enforcing status changes.
+allow userspace_objmgr self:netlink_selinux_socket { create bind read };
+
diff --git a/strict/domains/misc/xclient.te b/strict/domains/misc/xclient.te
new file mode 100644
index 0000000..ae4552f
--- /dev/null
+++ b/strict/domains/misc/xclient.te
@@ -0,0 +1,14 @@
+#
+# Authors:  Eamon Walsh <ewalsh at epoch.ncsc.mil>
+#
+
+#######################################
+#
+# Domains for the SELinux-enabled X Window System
+#
+
+#
+# Domain for all non-local X clients
+#
+type remote_xclient_t, domain;
+in_user_role(remote_xclient_t)
diff --git a/strict/domains/program/acct.te b/strict/domains/program/acct.te
new file mode 100644
index 0000000..3a2447b
--- /dev/null
+++ b/strict/domains/program/acct.te
@@ -0,0 +1,68 @@
+#DESC Acct - BSD process accounting
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: acct
+#
+
+#################################
+#
+# Rules for the acct_t domain.
+#
+# acct_exec_t is the type of the acct executable.
+#
+daemon_base_domain(acct)
+ifdef(`crond.te', `
+system_crond_entry(acct_exec_t, acct_t)
+
+# for monthly cron job
+file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)
+')
+
+# for SSP
+allow acct_t urandom_device_t:chr_file read;
+
+type acct_data_t, file_type, sysadmfile;
+
+allow acct_t self:capability sys_pacct;
+
+# gzip needs chown capability for some reason
+allow acct_t self:capability chown;
+
+allow acct_t var_t:dir { getattr search };
+rw_dir_create_file(acct_t, acct_data_t)
+
+can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })
+allow acct_t { bin_t sbin_t }:dir search;
+allow acct_t bin_t:lnk_file read;
+
+read_locale(acct_t)
+
+allow acct_t self:capability fsetid;
+allow acct_t fs_t:filesystem getattr;
+
+allow acct_t self:unix_stream_socket create_socket_perms;
+
+allow acct_t self:fifo_file { read write getattr };
+
+allow acct_t proc_t:file { read getattr };
+
+read_sysctl(acct_t)
+
+dontaudit acct_t sysadm_home_dir_t:dir { getattr search };
+
+# for nscd
+dontaudit acct_t var_run_t:dir search;
+
+# not sure why we need this, the command "last" is reported as using it
+dontaudit acct_t self:capability kill;
+
+allow acct_t devtty_t:chr_file { read write };
+
+allow acct_t { etc_t etc_runtime_t }:file { read getattr };
+
+ifdef(`logrotate.te', `
+domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
+rw_dir_create_file(logrotate_t, acct_data_t)
+can_exec(logrotate_t, acct_data_t)
+')
+
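Review bot: Two rules carry comments saying the author does not know why they are needed, and both have likely explanations worth recording so the next reader does not loosen or drop them blindly: for `allow acct_t self:capability chown;` and the later `fsetid` grant, gzip run as root appears to restore the owner and set-id bits of the original on its output, so `# gzip preserves ownership and mode of the original when run as root` is presumably the reason, and for `dontaudit acct_t self:capability kill;` the `last` command appears to probe whether recorded sessions are still alive with a zero signal, which is audited as CAP_KILL when the target belongs to another uid. Both are inferences from the tools named, not from this hunk, and should be confirmed before the comments are changed. `can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })` also lets acct_t run init scripts in its own domain rather than transitioning to initrc_t; if that is only for the accounting start/stop script, a one-line comment saying so would help.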
diff --git a/strict/domains/program/amanda.te b/strict/domains/program/amanda.te
new file mode 100644
index 0000000..d95725e
--- /dev/null
+++ b/strict/domains/program/amanda.te
@@ -0,0 +1,307 @@
+#DESC Amanda - Automated backup program
+#
+# This policy file sets the rigths for amanda client started by inetd_t
+# and amrecover 
+#
+# X-Debian-Packages: amanda-common amanda-server
+# Depends: inetd.te
+# Author     :  Carsten Grohmann <carstengrohmann at gmx.de>
+#
+# License    :  GPL
+#
+# last change:  27. August 2002
+#
+# state      :  complete and tested
+#
+# Hints      :
+#  - amanda.fc is the appendant file context file
+#  - If you use amrecover please extract the files and directories to the
+#    directory speficified in amanda.fc as type amanda_recover_dir_t.
+#  - The type amanda_user_exec_t is defined to label the files but not used.
+#    This configuration works only as an client and a amanda client does not need
+#    this programs.
+#
+# Enhancements/Corrections:
+#  - set tighter permissions to /bin/tar instead bin_t 
+
+##############################################################################
+# AMANDA CLIENT DECLARATIONS
+##############################################################################
+
+# General declarations
+######################
+
+type amanda_t, domain, privlog, auth, nscd_client_domain ;
+role system_r types amanda_t;
+
+# type for the amanda executables
+type amanda_exec_t, file_type, sysadmfile, exec_type;
+
+# type for the amanda executables started by inetd
+type amanda_inetd_exec_t, file_type, sysadmfile, exec_type;
+
+# type for amanda configurations files
+type amanda_config_t, file_type, sysadmfile;
+
+# type for files in /usr/lib/amanda
+type amanda_usr_lib_t, file_type, sysadmfile;
+
+# type for all files in /var/lib/amanda
+type amanda_var_lib_t, file_type, sysadmfile;
+
+# type for all files in /var/lib/amanda/gnutar-lists/
+type amanda_gnutarlists_t, file_type, sysadmfile;
+
+# type for user startable files
+type amanda_user_exec_t, file_type, sysadmfile, exec_type;
+
+# type for same awk and other scripts
+type amanda_script_exec_t, file_type, sysadmfile, exec_type;
+
+# type for the shell configuration files 
+type amanda_shellconfig_t, file_type, sysadmfile;
+
+tmp_domain(amanda)
+ 
+# type for /etc/amandates
+type amanda_amandates_t, file_type, sysadmfile;
+
+# type for /etc/dumpdates
+type amanda_dumpdates_t, file_type, sysadmfile;
+
+# type for amanda data
+type amanda_data_t, file_type, sysadmfile;
+
+# Domain transitions
+####################
+
+domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)
+
+
+##################
+# File permissions
+##################
+
+# configuration files -> read only
+allow amanda_t amanda_config_t:file { getattr read };
+allow amanda_t amanda_config_t:dir search;
+
+# access to amanda_amandates_t
+allow amanda_t amanda_amandates_t:file { getattr lock read write };
+
+# access to amanda_dumpdates_t
+allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
+
+# access to amandas data structure
+allow amanda_t amanda_data_t:dir { read search write };
+allow amanda_t amanda_data_t:file { read write };
+
+# access to proc_t
+allow amanda_t proc_t:dir { getattr search };
+allow amanda_t proc_t:file { getattr read };
+
+# access to etc_t and similar
+allow amanda_t etc_t:dir { getattr search };
+allow amanda_t etc_t:file { getattr read };
+allow amanda_t etc_runtime_t:file { getattr read };
+
+# access to var_t and similar
+allow amanda_t var_t:dir search;
+allow amanda_t var_lib_t:dir search;
+allow amanda_t amanda_var_lib_t:dir search;
+
+# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
+allow amanda_t amanda_gnutarlists_t:dir { add_name read remove_name search write };
+allow amanda_t amanda_gnutarlists_t:file { create getattr read rename setattr unlink write };
+
+# access to var_run_t
+allow amanda_t var_run_t:dir search;
+
+# access to var_log_t
+allow amanda_t var_log_t:dir getattr;
+
+# access to var_spool_t
+allow amanda_t var_spool_t:dir getattr;
+
+# access to amanda_usr_lib_t
+allow amanda_t amanda_usr_lib_t:dir search;
+
+# access to device_t and similar
+allow amanda_t device_t:dir search;
+allow amanda_t null_device_t:chr_file { getattr read write };
+allow amanda_t devpts_t:dir getattr;
+allow amanda_t fixed_disk_device_t:blk_file getattr;
+allow amanda_t removable_device_t:blk_file getattr;
+allow amanda_t devtty_t:chr_file { read write };
+
+# access to boot_t
+allow amanda_t boot_t:dir getattr;
+
+# access to fs_t
+allow amanda_t fs_t:filesystem getattr;
+
+# access to sysctl_kernel_t ( proc/sys/kernel/* )
+read_sysctl(amanda_t)
+
+#####################
+# process permissions
+#####################
+
+# Allow to use shared libs
+uses_shlib(amanda_t)
+
+# Allow to execute a amanda executable file
+allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read };	
+
+# Allow to run a shell
+allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read };
+
+# access to bin_t (tar)
+allow amanda_t bin_t:file { execute execute_no_trans };
+
+allow amanda_t self:capability { chown dac_override setuid };
+allow amanda_t self:process { fork sigchld };
+allow amanda_t self:unix_dgram_socket create;
+
+
+###################################
+# Network and process communication
+###################################
+
+can_network_server(amanda_t);
+can_ypbind(amanda_t);
+
+allow amanda_t self:fifo_file { getattr read write ioctl lock };
+allow amanda_t self:unix_stream_socket { connect create read write };
+
+
+##########################
+# Communication with inetd
+##########################
+
+allow amanda_t inetd_t:udp_socket { read write };
+
+
+###################
+# inetd permissions
+###################
+
+allow inetd_t amanda_usr_lib_t:dir search;
+
+
+########################
+# Access to to save data
+########################
+
+# access to user_home_t
+allow amanda_t { user_home_dir_type user_home_type }:dir { search getattr read };
+allow amanda_t user_home_type:file { getattr read };
+
+# access to file_t ( /floppy, /cdrom )
+allow amanda_t mnt_t:dir getattr;
+
+###########
+# Dontaudit
+###########
+dontaudit amanda_t lost_found_t:dir { getattr read };
+	
+	
+##############################################################################
+# AMANDA RECOVER DECLARATIONS
+##############################################################################
+
+
+# General declarations
+######################
+
+# type for amrecover
+type amanda_recover_t, domain;
+role sysadm_r types { amanda_recover_t amanda_recover_dir_t };
+
+# exec types for amrecover 
+type amanda_recover_exec_t, file_type, sysadmfile, exec_type;
+
+# type for recover files ( restored data )
+type amanda_recover_dir_t, file_type, sysadmfile;
+file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t)
+
+# domain transsition
+domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t)
+
+# file type auto trans to write debug messages
+file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
+
+
+# amanda recover process permissions
+####################################
+
+uses_shlib(amanda_recover_t)
+allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
+allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
+allow amanda_recover_t privfd:fd use;
+
+
+# amrecover network and process communication
+#############################################
+
+can_network_server(amanda_recover_t);
+can_ypbind(amanda_recover_t);
+
+allow amanda_recover_t self:fifo_file { getattr ioctl read write };
+allow amanda_recover_t self:unix_stream_socket { connect create read write };
+
+
+# amrecover file permissions
+############################
+
+# access to etc_t and similar
+allow amanda_recover_t etc_t:dir search;
+allow amanda_recover_t etc_t:file { getattr read };
+allow amanda_recover_t etc_runtime_t:file { getattr read };
+
+# access to amanda_recover_dir_t
+allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write };
+allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink };
+
+# access to var_t and var_run_t
+allow amanda_recover_t var_t:dir search;
+allow amanda_recover_t var_run_t:dir search;
+
+# access to proc_t
+allow amanda_recover_t proc_t:dir search;
+allow amanda_recover_t proc_t:file { getattr read };
+
+# access to sysctl_kernel_t
+read_sysctl(amanda_recover_t)
+
+# access to dev_t and similar
+allow amanda_recover_t device_t:dir search;
+allow amanda_recover_t devtty_t:chr_file { read write };
+allow amanda_recover_t null_device_t:chr_file { getattr write };
+
+# access to bin_t
+allow amanda_recover_t bin_t:file { execute execute_no_trans };
+
+# access to sysadm_home_t and sysadm_home_dir_t to start amrecover 
+# in the sysadm home directory
+allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr };
+
+# access to use sysadm_tty_device_t (/dev/tty?)
+allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
+
+# access to amanda_tmp_t and tmp_t
+allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write };
+allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink };
+allow amanda_recover_t tmp_t:dir search;
+
+#
+#  Rules to allow amanda to be run as a service in xinetd
+#
+type amanda_port_t, port_type;
+allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
+
+allow amanda_t file_type:dir {getattr read search };
+allow amanda_t file_type:file {getattr read };
+logdir_domain(amanda)
+
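Review bot: The two rules `allow amanda_t file_type:dir {getattr read search };` and `allow amanda_t file_type:file {getattr read };` at the end of the file give the inetd-spawned amanda_t domain read access to every type carrying file_type, which, judging from how types are declared throughout this commit, is essentially every persistent file and presumably includes authentication data; that makes the carefully scoped rules above (configuration, gnutar-lists, user home directories) redundant, and the "Access to to save data" section no longer describes what the domain can reach. If a full-system backup is the intended scope it needs a comment stating so, e.g. `# backup client: intentionally reads every file_type, including secrets; narrow here if only user data is backed up`; otherwise the rules should be cut back to the types actually backed up. Also `role sysadm_r types { amanda_recover_t amanda_recover_dir_t };` lists a file type in a role declaration; amanda_recover_dir_t is not a domain and should be removed, leaving `role sysadm_r types amanda_recover_t;`.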
diff --git a/strict/domains/program/anaconda.te b/strict/domains/program/anaconda.te
new file mode 100644
index 0000000..981f852
--- /dev/null
+++ b/strict/domains/program/anaconda.te
@@ -0,0 +1,47 @@
+#DESC Anaconda - Red Hat Installation program
+#
+# Authors:  Dan Walsh <dwalsh at redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the anaconda_t domain.
+#
+# anaconda_t is the domain of the installation program
+#
+type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
+role system_r types anaconda_t;
+unconfined_domain(anaconda_t)
+
+role system_r types ldconfig_t;
+domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
+
+role system_r types sysadm_su_t;
+domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t)
+
+# Run other rc scripts in the anaconda_t domain.
+domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
+
+domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
+
+ifdef(`distro_redhat', `
+file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
+')
+
+ifdef(`rpm.te', `
+# Access /var/lib/rpm.
+domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
+')
+
+file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file)
+
+ifdef(`udev.te', `
+domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
+')
+
+ifdef(`ssh-agent.te', `
+role system_r types sysadm_ssh_agent_t;
+domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
+')
+domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
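Review bot: The comment `# Run other rc scripts in the anaconda_t domain.` contradicts the rule under it, `domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)`, which transitions into initrc_t rather than staying in anaconda_t; either the comment should read `# Run rc scripts in the initrc_t domain.` or the rule is wrong, and since anaconda_t is declared with `unconfined_domain(anaconda_t)` the transition is what actually confines those scripts, so the comment is the more likely error. The last line, `domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)`, has a stray space before the first comma; a style nit only, `domain_auto_trans(anaconda_t, admin_passwd_exec_t, sysadm_passwd_t)` matches the rest of the file.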
diff --git a/strict/domains/program/apache.te b/strict/domains/program/apache.te
new file mode 100644
index 0000000..b01d3f3
--- /dev/null
+++ b/strict/domains/program/apache.te
@@ -0,0 +1,354 @@
+#DESC Apache - Web server
+#
+# X-Debian-Packages: apache2-common apache
+#
+###############################################################################
+#
+# Policy file for running the Apache web server
+#
+# NOTES: 
+#  This policy will work with SUEXEC enabled as part of the Apache
+#  configuration. However, the user CGI scripts will run under the
+#  system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
+#  of the creating user.
+#
+#  The user CGI scripts must be labeled with the httpd_$1_script_exec_t
+#  type, and the directory containing the scripts should also be labeled
+#  with these types. This policy allows user_r role to perform that 
+#  relabeling. If it is desired that only sysadm_r should be able to relabel
+#  the user CGI scripts, then relabel rule for user_r should be removed.
+#
+###############################################################################
+
+define(`httpd_home_dirs', `
+r_dir_file(httpd_t, $1)
+r_dir_file(httpd_suexec_t, $1)
+can_exec(httpd_suexec_t, $1)
+')
+
+type http_port_t, port_type, reserved_port_type;
+
+bool httpd_unified false;
+
+# Allow httpd cgi support
+bool httpd_enable_cgi false;
+
+# Allow httpd to read home directories
+bool httpd_enable_homedirs false;
+
+# Run SSI execs in system CGI script domain.
+bool httpd_ssi_exec false;
+
+# Allow http daemon to communicate with the TTY
+bool httpd_tty_comm false;
+
+#########################################################
+# Apache types
+#########################################################
+# httpd_config_t is the type given to the configuration
+# files for apache /etc/httpd/conf
+#
+type httpd_config_t, file_type, sysadmfile;
+
+append_logdir_domain(httpd)
+#can read /etc/httpd/logs
+allow httpd_t httpd_log_t:lnk_file read;
+
+# For /etc/init.d/apache2 reload
+can_tcp_connect(httpd_t, httpd_t)
+
+can_tcp_connect(web_client_domain, httpd_t)
+
+# httpd_modules_t is the type given to module files (libraries) 
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
+#
+type httpd_modules_t, file_type, sysadmfile;
+
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
+#
+type httpd_cache_t, file_type, sysadmfile;
+
+# httpd_exec_t is the type give to the httpd executable.
+#
+daemon_domain(httpd, `, privmail')
+
+can_exec(httpd_t, httpd_exec_t)
+file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
+
+general_domain_access(httpd_t)
+
+allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
+
+read_sysctl(httpd_t)
+
+# for modules that want to access /etc/mtab and /proc/meminfo
+allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
+
+# setup the system domain for system CGI scripts
+apache_domain(sys)
+
+# The following are types for SUEXEC,which runs user scripts as their
+# own user ID
+#
+daemon_sub_domain(httpd_t, httpd_suexec)
+allow httpd_t httpd_suexec_exec_t:file read;
+
+#########################################################
+# Permissions for running child processes and scripts
+##########################################################
+
+allow httpd_suexec_t self:capability { setuid setgid };
+
+dontaudit httpd_suexec_t var_run_t:dir search;
+allow httpd_suexec_t { var_t var_log_t }:dir search;
+allow httpd_suexec_t home_root_t:dir search;
+
+allow httpd_suexec_t httpd_log_t:dir search;
+allow httpd_suexec_t httpd_log_t:file { append getattr };
+allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+allow httpd_suexec_t etc_t:file { getattr read };
+read_locale(httpd_suexec_t)
+read_sysctl(httpd_suexec_t)
+allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
+
+# for shell scripts
+allow httpd_suexec_t bin_t:dir search;
+allow httpd_suexec_t bin_t:lnk_file read;
+can_exec(httpd_suexec_t, { bin_t shell_exec_t })
+
+can_network(httpd_suexec_t)
+can_ypbind(httpd_suexec_t)
+allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
+
+ifdef(`mta.te', `
+# apache should set close-on-exec
+dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
+')
+
+uses_shlib(httpd_t)
+allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
+allow httpd_t usr_t:lnk_file { getattr read };
+
+# for apache2 memory mapped files
+var_lib_domain(httpd)
+
+# for tomcat
+r_dir_file(httpd_t, var_lib_t)
+
+# execute perl
+allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
+can_exec(httpd_t, { bin_t sbin_t })
+allow httpd_t bin_t:lnk_file read;
+
+can_network(httpd_t)
+can_ypbind(httpd_t)
+
+###################
+# Allow httpd to search users diretories
+######################
+allow httpd_t home_root_t:dir { getattr search };
+dontaudit httpd_t sysadm_home_dir_t:dir getattr;
+
+############################################################################
+# Allow the httpd_t the capability to bind to a port and various other stuff
+############################################################################
+allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+dontaudit httpd_t self:capability net_admin;
+
+#################################################
+# Allow the httpd_t to read the web servers config files
+###################################################
+r_dir_file(httpd_t, httpd_config_t)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+# allow logrotate to read the config files for restart
+ifdef(`logrotate.te', `
+r_dir_file(logrotate_t, httpd_config_t)
+domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t)
+allow logrotate_t httpd_t:process signull;
+')
+r_dir_file(initrc_t, httpd_config_t)
+##################################################
+
+########################################
+# Allow httpd_t to bind to the HTTP port
+########################################
+allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
+
+###############################
+# Allow httpd_t to put files in /var/cache/httpd etc
+##############################
+create_dir_file(httpd_t, httpd_cache_t)
+
+###############################
+# Allow httpd_t to access the tmpfs file system
+##############################
+tmpfs_domain(httpd)
+
+#####################
+# Allow httpd_t to access
+# libraries for its modules
+###############################
+allow httpd_t httpd_modules_t:file rx_file_perms;
+allow httpd_t httpd_modules_t:dir r_dir_perms;
+allow httpd_t httpd_modules_t:lnk_file r_file_perms;
+
+######################################################################
+# Allow initrc_t to access the Apache modules directory.
+######################################################################
+allow initrc_t httpd_modules_t:dir r_dir_perms;
+
+##############################################
+# Allow httpd_t to have access to files
+# such as nisswitch.conf
+# need ioctl for php
+###############################################
+allow httpd_t etc_t:file { read getattr ioctl };
+allow httpd_t etc_t:lnk_file { getattr read };
+
+# Run SSI execs in system CGI script domain.
+if (httpd_ssi_exec) {
+domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
+}
+r_dir_file(httpd_t, httpd_sys_script_ro_t)
+create_dir_file(httpd_t, httpd_sys_script_rw_t)
+ra_dir_file(httpd_t, httpd_sys_script_ra_t)
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+
+##################################################
+#
+# PHP Directives
+##################################################
+
+type httpd_php_exec_t, file_type, sysadmfile, exec_type;
+type httpd_php_t, domain;
+
+# Transition from the user domain to this domain.
+domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
+
+# The system role is authorized for this domain.
+role system_r types httpd_php_t;
+
+general_domain_access(httpd_php_t)
+uses_shlib(httpd_php_t)
+can_exec(httpd_php_t, lib_t)
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file ra_file_perms;
+
+# access to /tmp
+tmp_domain(httpd)
+tmp_domain(httpd_php)
+tmp_domain(httpd_suexec)
+
+# Creation of lock files for apache2
+lock_domain(httpd)
+
+# connect to mysql
+ifdef(`mysqld.te', `
+can_unix_connect(httpd_php_t, mysqld_t)
+can_unix_connect(httpd_t, mysqld_t)
+can_unix_connect(httpd_sys_script_t, mysqld_t)
+allow httpd_php_t mysqld_var_run_t:dir search;
+allow httpd_php_t mysqld_var_run_t:sock_file write;
+allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
+allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
+allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
+')
+allow httpd_t bin_t:dir search;
+allow httpd_t sbin_t:dir search;
+allow httpd_t httpd_log_t:dir remove_name;
+
+allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+
+allow httpd_t autofs_t:dir { search getattr };
+allow httpd_suexec_t autofs_t:dir { search getattr };
+
+if (use_nfs_home_dirs && httpd_enable_homedirs) {
+httpd_home_dirs(nfs_t)
+}
+if (use_samba_home_dirs && httpd_enable_homedirs) {
+httpd_home_dirs(cifs_t)
+}
+r_dir_file(httpd_t, fonts_t)
+
+#
+# Allow users to mount additional directories as http_source
+#
+allow httpd_t mnt_t:dir r_dir_perms;
+
+########################################
+# When the admin starts the server, the server wants to acess
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here. 
+##################################################
+dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
+
+can_kerberos(httpd_t)
+
+ifdef(`targeted_policy', `
+typealias httpd_sys_content_t alias httpd_user_content_t;
+typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
+
+if (httpd_enable_homedirs) {
+allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
+allow httpd_t user_home_dir_t:dir { getattr search };
+}
+') dnl targeted policy
+
+ifdef(`distro_redhat', `
+#
+# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
+# This is a bug but it still exists in FC2
+#
+typealias httpd_log_t  alias httpd_runtime_t;
+allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
+dontaudit httpd_t httpd_runtime_t:file ioctl;
+') dnl distro_redhat
+#
+# Customer reported the following
+#
+ifdef(`snmpd.te', `
+dontaudit httpd_t snmpd_var_lib_t:dir search;
+dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
+', `
+dontaudit httpd_t usr_t:dir write;
+')
+
+type httpd_squirrelmail_t, file_type, sysadmfile;
+create_dir_file(httpd_t, httpd_squirrelmail_t)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
+allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
+create_dir_file(httpd_t, squirrelmail_spool_t)
+r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
+
+ifdef(`mta.te', `
+dontaudit system_mail_t httpd_log_t:file { append getattr };
+allow system_mail_t httpd_squirrelmail_t:file { append read };
+dontaudit system_mail_t httpd_t:tcp_socket { read write };
+')
+
+application_domain(httpd_helper)
+role system_r types httpd_helper_t;
+domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+allow httpd_helper_t httpd_config_t:file { getattr read };
+allow httpd_helper_t httpd_log_t:file { append };
+
+if (httpd_tty_comm) {
+allow { httpd_t httpd_helper_t } devpts_t:dir { search };
+ifdef(`targeted_policy', `
+allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
+')
+allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
+}
+
+read_sysctl(httpd_sys_script_t)
+allow httpd_sys_script_t var_lib_t:dir search;
+dontaudit httpd_t selinux_config_t:dir search;
+r_dir_file(httpd_t, cert_t)
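Review bot: `bool httpd_unified false;` is the only boolean in the file declared without a comment, and neither it nor `httpd_enable_cgi` is referenced anywhere in this file, so a reader cannot tell what they toggle; a comment naming the macro that consumes each would fix that. The capability rule `allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };` includes dac_override, the broadest grant in the file, with no why-comment, while the capability lines in apmd.te and cardmgr.te in this commit do explain theirs. Minor: `diretories` and `acess` are typos in the banner comments, and the header's `the domain of the of the creating user` repeats `of the`.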
diff --git a/strict/domains/program/apmd.te b/strict/domains/program/apmd.te
new file mode 100644
index 0000000..2f3cf09
--- /dev/null
+++ b/strict/domains/program/apmd.te
@@ -0,0 +1,134 @@
+#DESC Apmd - Automatic Power Management daemon
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: apmd
+#
+
+#################################
+#
+# Rules for the apmd_t domain.
+#
+daemon_domain(apmd, `, privmodule, nscd_client_domain')
+
+# for SSP
+allow apmd_t urandom_device_t:chr_file read;
+
+type apm_t, domain, privlog;
+type apm_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
+uses_shlib(apm_t)
+allow apm_t privfd:fd use;
+allow apm_t admin_tty_type:chr_file rw_file_perms;
+allow apm_t device_t:dir search;
+allow apm_t self:capability sys_admin;
+allow apm_t proc_t:dir search;
+allow apm_t proc_t:file { read getattr };
+allow apm_t fs_t:filesystem getattr;
+allow apm_t apm_bios_t:chr_file rw_file_perms;
+role sysadm_r types apm_t;
+role system_r types apm_t;
+
+allow apmd_t device_t:lnk_file read;
+allow apmd_t proc_t:file { getattr read };
+read_sysctl(apmd_t)
+allow apmd_t self:unix_dgram_socket create_socket_perms;
+allow apmd_t self:unix_stream_socket create_stream_socket_perms;
+allow apmd_t self:fifo_file rw_file_perms;
+allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
+allow apmd_t etc_t:lnk_file read;
+
+# acpid wants a socket
+file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
+
+# acpid also has a logfile
+log_domain(apmd)
+
+ifdef(`distro_suse', `
+var_lib_domain(apmd)
+')
+
+allow apmd_t self:file { getattr read ioctl };
+allow apmd_t self:process getsession;
+
+# Use capabilities.
+allow apmd_t self:capability { sys_admin sys_nice sys_time };
+
+# controlling an orderly resume of PCMCIA requires creating device
+# nodes 254,{0,1,2} for some reason.
+allow apmd_t self:capability mknod;
+
+# Access /dev/apm_bios.
+allow apmd_t apm_bios_t:chr_file rw_file_perms;
+
+# Run helper programs.
+can_exec_any(apmd_t)
+
+# apmd calls hwclock.sh on suspend and resume
+allow apmd_t clock_device_t:chr_file r_file_perms;
+ifdef(`hwclock.te', `
+allow apmd_t adjtime_t:file rw_file_perms;
+')
+
+
+# to quiet fuser and ps
+# setuid for fuser, dac* for ps
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
+dontaudit apmd_t domain:socket_class_set getattr;
+dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
+dontaudit apmd_t device_type:devfile_class_set getattr;
+dontaudit apmd_t home_type:dir { search getattr };
+dontaudit apmd_t domain:key_socket getattr;
+dontaudit apmd_t domain:dir search;
+
+ifdef(`distro_redhat', `
+can_exec(apmd_t, apmd_var_run_t)
+# for /var/lock/subsys/network
+rw_dir_create_file(apmd_t, var_lock_t)
+
+# ifconfig_exec_t needs to be run in its own domain for Red Hat
+ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
+ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
+ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
+', `
+# for ifconfig which is run all the time
+dontaudit apmd_t sysctl_t:dir search;
+')
+
+ifdef(`udev.te', `
+allow apmd_t udev_t:file { getattr read };
+allow apmd_t udev_t:lnk_file { getattr read };
+')
+#
+# apmd tells the machine to shutdown requires the following
+#
+allow apmd_t initctl_t:fifo_file write;
+allow apmd_t initrc_var_run_t:file { read write lock };
+
+#
+# Allow it to run killof5 and pidof
+#
+r_dir_file(apmd_t, domain)
+
+# Same for apm/acpid scripts
+domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
+ifdef(`consoletype.te', `
+allow consoletype_t apmd_t:fd use;
+allow consoletype_t apmd_t:fifo_file write;
+')
+ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
+ifdef(`crond.te', `
+domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
+allow apmd_t crond_t:fifo_file { getattr read write ioctl };
+')
+
+ifdef(`mta.te', `
+domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t) 
+')
+
+# for a find /dev operation that gets /dev/shm
+dontaudit apmd_t tmpfs_t:dir r_dir_perms;
+dontaudit apmd_t selinux_config_t:dir search;
+allow apmd_t user_tty_type:chr_file rw_file_perms;
+# Access /dev/apm_bios.
+allow initrc_t apm_bios_t:chr_file { setattr getattr read };
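Review bot: The closing comment `# Access /dev/apm_bios.` is copied from the apmd_t rule earlier in the file, but the final rule grants initrc_t, not apmd_t; suggest `# initrc_t also needs getattr/setattr/read on /dev/apm_bios.` `can_exec_any(apmd_t)` combined with `privmodule`, `mknod` and `sys_admin` means any helper apmd runs keeps the daemon's full privilege set unless one of the ifdef'd transitions matches; a comment saying why the later `domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)` is not sufficient for the non-Red-Hat branch would help the next maintainer. Style nits: trailing whitespace on the sendmail transition line and a double blank line before `# to quiet fuser and ps`.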
diff --git a/strict/domains/program/arpwatch.te b/strict/domains/program/arpwatch.te
new file mode 100644
index 0000000..936d985
--- /dev/null
+++ b/strict/domains/program/arpwatch.te
@@ -0,0 +1,42 @@
+#DESC arpwatch -  keep track of ethernet/ip address pairings
+#
+# Author:  Dan Walsh <dwalsh at redhat.com>
+#
+
+#################################
+#
+# Rules for the arpwatch_t domain.
+#
+# arpwatch_exec_t is the type of the arpwatch executable.
+#
+daemon_domain(arpwatch, `, privmail')
+
+# for files created by arpwatch
+type arpwatch_data_t, file_type, sysadmfile;
+create_dir_file(arpwatch_t,arpwatch_data_t)
+tmp_domain(arpwatch)
+
+allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
+
+can_network_server(arpwatch_t)
+allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
+allow arpwatch_t self:udp_socket create_socket_perms;
+allow arpwatch_t self:unix_dgram_socket create_socket_perms;
+allow arpwatch_t self:packet_socket create_socket_perms;
+allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
+
+allow arpwatch_t { sbin_t var_lib_t }:dir search;
+allow arpwatch_t sbin_t:lnk_file read;
+r_dir_file(arpwatch_t, etc_t)
+r_dir_file(arpwatch_t, usr_t)
+can_ypbind(arpwatch_t)
+
+ifdef(`qmail.te', `
+allow arpwatch_t bin_t:dir search;
+')
+
+ifdef(`distro_gentoo', `
+allow initrc_t arpwatch_data_t:dir { add_name write };
+allow initrc_t arpwatch_data_t:file create;
+')dnl end distro_gentoo
+
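Review bot: `create_dir_file(arpwatch_t,arpwatch_data_t)` is the only macro call in the file without a space after the comma; suggest `create_dir_file(arpwatch_t, arpwatch_data_t)`. The capability rule grants `net_admin` alongside `net_raw` with no comment; net_raw plus the packet_socket rule is what the hunk visibly needs for capturing, so a why-comment on net_admin would help — or it can be dropped if nothing needs it. The file also ends with an extra blank line.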
diff --git a/strict/domains/program/auditd.te b/strict/domains/program/auditd.te
new file mode 100644
index 0000000..ce6210e
--- /dev/null
+++ b/strict/domains/program/auditd.te
@@ -0,0 +1,12 @@
+#DESC auditd - System auditing daemon
+#
+# Authors: Colin Walters <walters at verbum.org>
+#
+
+daemon_domain(auditd)
+allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow auditd_t self:capability { audit_write audit_control };
+allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
+allow auditd_t self:unix_dgram_socket create_socket_perms;
+allow auditd_t etc_t:file { getattr read };
+log_domain(auditd)
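Review bot: `allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;` gives the daemon read/write on the administrator's tty with no comment, whereas the other daemons in this commit either dontaudit that access (apache: `dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;`) or use the `admin_tty_type` attribute; if this is only for startup messages, a dontaudit is the conservative choice, and either way a comment should say what needs it. The file also lacks the `# Rules for the auditd_t domain.` header block that every other program file in the commit carries.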
diff --git a/strict/domains/program/automount.te b/strict/domains/program/automount.te
new file mode 100644
index 0000000..dbbe8ef
--- /dev/null
+++ b/strict/domains/program/automount.te
@@ -0,0 +1,69 @@
+#DESC Automount - Automount daemon
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil>
+# Modified by Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: amd am-utils autofs
+#
+
+#################################
+#
+# Rules for the automount_t domain.
+#
+daemon_domain(automount)
+
+etc_domain(automount)
+
+# for SSP
+allow automount_t urandom_device_t:chr_file read;
+
+# for if the mount point is not labelled
+allow automount_t file_t:dir getattr;
+allow automount_t default_t:dir getattr;
+
+allow automount_t autofs_t:dir { create_dir_perms ioctl };
+allow automount_t fs_type:dir getattr;
+
+allow automount_t { etc_t etc_runtime_t }:file { getattr read };
+allow automount_t proc_t:file { getattr read };
+allow automount_t self:process { setpgid setsched };
+allow automount_t self:capability sys_nice;
+allow automount_t self:unix_stream_socket create_socket_perms;
+allow automount_t self:unix_dgram_socket create_socket_perms;
+
+# because config files can be shell scripts
+can_exec(automount_t, { etc_t automount_etc_t })
+
+can_network_server(automount_t)
+can_ypbind(automount_t)
+
+ifdef(`fsadm.te', `
+domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
+')
+
+lock_domain(automount)
+
+tmp_domain(automount)
+allow automount_t self:fifo_file rw_file_perms;
+
+# Run mount in the mount_t domain.
+domain_auto_trans(automount_t, mount_exec_t, mount_t)
+allow mount_t autofs_t:dir { search mounton read };
+allow mount_t automount_tmp_t:dir mounton;
+
+ifdef(`apmd.te',
+`domain_auto_trans(apmd_t, automount_exec_t, automount_t)
+can_exec(automount_t, bin_t)')
+
+allow automount_t { bin_t sbin_t }:dir search;
+can_exec(automount_t, mount_exec_t)
+
+allow mount_t autofs_t:dir getattr;
+dontaudit automount_t var_t:dir write;
+
+allow userdomain autofs_t:dir r_dir_perms;
+allow kernel_t autofs_t:dir { getattr ioctl read search };
+
+allow automount_t home_root_t:dir getattr;
+allow automount_t mnt_t:dir { getattr search };
+
+allow initrc_t automount_etc_t:file { getattr read };
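Review bot: `can_exec(automount_t, bin_t)` sits inside the `ifdef(`apmd.te'` block, so automount may execute bin_t only when the apmd policy is built, and nothing in the hunk ties that permission to apmd. If it is needed regardless, move it out of the conditional; if it really is apmd-specific, a comment explaining the link is needed. Minor: the two `allow mount_t autofs_t:dir` rules could be merged into `allow mount_t autofs_t:dir { search mounton read getattr };` next to the other mount_t rules.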
diff --git a/strict/domains/program/bluetooth.te b/strict/domains/program/bluetooth.te
new file mode 100644
index 0000000..15ef978
--- /dev/null
+++ b/strict/domains/program/bluetooth.te
@@ -0,0 +1,42 @@
+#DESC Bluetooth 
+#
+# Authors:  Dan Walsh
+# RH-Packages: Bluetooth
+#
+
+#################################
+#
+# Rules for the bluetooth_t domain.
+#
+daemon_domain(bluetooth)
+
+file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
+
+tmp_domain(bluetooth)
+
+# Use capabilities.
+allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
+
+rw_dir_create_file(bluetooth_t, var_lock_t)
+
+# Use the network.
+can_network_server(bluetooth_t)
+can_ypbind(bluetooth_t)
+ifdef(`dbusd.te', `
+dbusd_client(system, bluetooth)
+allow bluetooth_t system_dbusd_t:dbus send_msg;
+')
+allow bluetooth_t self:socket { create setopt ioctl bind listen };
+allow bluetooth_t self:unix_dgram_socket create_socket_perms;
+allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
+
+dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
+
+# bluetooth_conf_t is the type of the /etc/bluetooth dir.
+type bluetooth_conf_t, file_type, sysadmfile;
+
+# Read /etc/bluetooth
+allow bluetooth_t bluetooth_conf_t:dir search;
+allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
+#/usr/sbin/hid2hci causes the following
+allow initrc_t usbfs_t:file { read };
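Review bot: `allow bluetooth_t self:socket { create setopt ioctl bind listen };` uses the generic `socket` class with no comment; presumably AF_BLUETOOTH sockets map to it rather than a dedicated class in this policy — confirm and note it, e.g. `# AF_BLUETOOTH sockets fall into the generic socket class`. The header uses `RH-Packages:` where every other file in the commit uses `X-Debian-Packages:`; if anything parses these tags the new spelling will be missed. `#DESC Bluetooth ` also has trailing whitespace and no description after the name, unlike the other #DESC lines.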
diff --git a/strict/domains/program/bootloader.te b/strict/domains/program/bootloader.te
new file mode 100644
index 0000000..706945f
--- /dev/null
+++ b/strict/domains/program/bootloader.te
@@ -0,0 +1,166 @@
+#DESC Bootloader - Lilo boot loader/manager
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: lilo
+#
+
+#################################
+#
+# Rules for the bootloader_t domain.
+#
+# bootloader_exec_t is the type of the bootloader executable.
+#
+type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
+type bootloader_exec_t, file_type, sysadmfile, exec_type;
+etc_domain(bootloader)
+typealias bootloader_etc_t alias etc_bootloader_t;
+
+role sysadm_r types bootloader_t;
+role system_r types bootloader_t;
+
+allow bootloader_t var_t:dir search;
+create_append_log_file(bootloader_t, var_log_t)
+allow bootloader_t var_log_t:file write;
+
+# for nscd
+dontaudit bootloader_t var_run_t:dir search;
+
+domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
+allow bootloader_t { initrc_t privfd }:fd use;
+
+tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
+
+read_locale(bootloader_t)
+
+# for tune2fs
+file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file)
+
+# for /vmlinuz sym link
+allow bootloader_t root_t:lnk_file read;
+
+# lilo would need read access to get BIOS data
+allow bootloader_t proc_kcore_t:file getattr;
+
+allow bootloader_t { etc_t device_t }:dir r_dir_perms;
+allow bootloader_t etc_t:file r_file_perms;
+allow bootloader_t etc_t:lnk_file read;
+allow bootloader_t initctl_t:fifo_file getattr;
+uses_shlib(bootloader_t)
+
+ifdef(`distro_debian', `
+allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
+allow bootloader_t boot_t:file relabelfrom;
+allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
+allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
+allow bootloader_t usr_t:lnk_file read;
+allow bootloader_t tmpfs_t:dir r_dir_perms;
+allow bootloader_t initrc_var_run_t:dir r_dir_perms;
+allow bootloader_t var_lib_t:dir search;
+allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
+allow bootloader_t dpkg_var_lib_t:file { getattr read };
+# for /usr/share/initrd-tools/scripts
+can_exec(bootloader_t, usr_t)
+')
+
+allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
+dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms;
+allow bootloader_t device_t:lnk_file { getattr read };
+
+# LVM2 / Device Mapper's /dev/mapper/control
+# maybe we should change the labeling for this
+ifdef(`lvm.te', `
+allow bootloader_t lvm_control_t:chr_file rw_file_perms;
+domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
+allow lvm_t bootloader_tmp_t:file rw_file_perms;
+r_dir_file(bootloader_t, lvm_etc_t)
+')
+
+# uncomment the following line if you use "lilo -p"
+#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
+
+can_exec_any(bootloader_t)
+allow bootloader_t shell_exec_t:lnk_file read;
+allow bootloader_t { bin_t sbin_t }:dir search;
+allow bootloader_t { bin_t sbin_t }:lnk_file read;
+
+allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms;
+allow bootloader_t modules_object_t:dir r_dir_perms;
+ifdef(`distro_redhat', `
+allow bootloader_t modules_object_t:lnk_file { getattr read };
+')
+
+# for ldd
+ifdef(`fsadm.te', `
+allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
+')
+ifdef(`modutil.te', `
+allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans };
+')
+
+dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
+
+allow bootloader_t boot_t:dir { create rw_dir_perms };
+allow bootloader_t boot_t:file create_file_perms;
+allow bootloader_t boot_t:lnk_file create_lnk_perms;
+
+allow bootloader_t load_policy_exec_t:file { getattr read };
+
+allow bootloader_t random_device_t:chr_file { getattr read };
+
+ifdef(`distro_redhat', `
+# for mke2fs
+domain_auto_trans(bootloader_t, mount_exec_t, mount_t);
+allow mount_t bootloader_tmp_t:dir mounton;
+
+# new file system defaults to file_t, granting file_t access is still bad.
+allow bootloader_t file_t:dir create_dir_perms;
+allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
+allow bootloader_t file_t:lnk_file create_lnk_perms;
+allow bootloader_t self:unix_stream_socket create_socket_perms;
+allow bootloader_t boot_runtime_t:file { read getattr unlink };
+
+# for memlock
+allow bootloader_t zero_device_t:chr_file { getattr read };
+allow bootloader_t self:capability ipc_lock;
+')
+
+allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
+# allow bootloader to get attributes of any device node
+allow bootloader_t { device_type ttyfile }:chr_file getattr;
+allow bootloader_t device_type:blk_file getattr;
+dontaudit bootloader_t devpts_t:dir create_dir_perms;
+
+allow bootloader_t self:process { fork signal_perms };
+allow bootloader_t self:lnk_file read;
+allow bootloader_t self:dir search;
+allow bootloader_t self:file { getattr read };
+allow bootloader_t self:fifo_file rw_file_perms;
+
+allow bootloader_t fs_t:filesystem getattr;
+
+allow bootloader_t proc_t:dir { getattr search };
+allow bootloader_t proc_t:file r_file_perms;
+allow bootloader_t proc_t:lnk_file { getattr read };
+allow bootloader_t proc_mdstat_t:file r_file_perms;
+allow bootloader_t self:dir { getattr search read };
+read_sysctl(bootloader_t)
+allow bootloader_t etc_runtime_t:file r_file_perms;
+
+allow bootloader_t devtty_t:chr_file rw_file_perms;
+allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+allow bootloader_t initrc_t:fifo_file { read write };
+
+# for reading BIOS data
+allow bootloader_t memory_device_t:chr_file r_file_perms;
+
+allow bootloader_t policy_config_t:dir { search read };
+allow bootloader_t policy_config_t:file { getattr read };
+
+allow bootloader_t lib_t:file { getattr read };
+allow bootloader_t sysfs_t:dir getattr;
+allow bootloader_t urandom_device_t:chr_file read;
+allow bootloader_t { usr_t var_t }:file { getattr read };
+r_dir_file(bootloader_t, src_t)
+dontaudit bootloader_t selinux_config_t:dir search;
+dontaudit bootloader_t sysctl_t:dir search;
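Review bot: `domain_auto_trans(bootloader_t, mount_exec_t, mount_t);` carries a trailing semicolon that none of the other domain_auto_trans calls in this commit have; whether checkpolicy tolerates the resulting empty statement I cannot tell from here, but the inconsistency should be fixed either way. `allow bootloader_t self:dir search;` is subsumed by the later `allow bootloader_t self:dir { getattr search read };`, so the first can go. The distro_redhat block grants create permissions on file_t directly after a comment admitting that is "still bad"; the comment should name which operation needs an unlabeled target (the mke2fs path above it, presumably) so the grant can be narrowed later.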
diff --git a/strict/domains/program/canna.te b/strict/domains/program/canna.te
new file mode 100644
index 0000000..f629788
--- /dev/null
+++ b/strict/domains/program/canna.te
@@ -0,0 +1,43 @@
+#DESC canna - A Japanese character set input system.
+#
+# Authors: Dan Walsh <dwalsh at redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the canna_t domain.
+#
+daemon_domain(canna)
+
+file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file)
+
+logdir_domain(canna)
+var_lib_domain(canna)
+
+allow canna_t self:capability { setgid setuid net_bind_service };
+allow canna_t tmp_t:dir { search };
+allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
+allow canna_t self:unix_dgram_socket create_stream_socket_perms;
+allow canna_t etc_t:file { getattr read };
+allow canna_t usr_t:file { getattr read };
+
+allow canna_t proc_t:file r_file_perms;
+allow canna_t etc_runtime_t:file r_file_perms;
+allow canna_t canna_var_lib_t:dir create;
+
+rw_dir_create_file(canna_t, canna_var_lib_t)
+
+can_network_tcp(canna_t)
+can_ypbind(canna_t)
+
+allow userdomain canna_var_run_t:dir search;
+allow userdomain canna_var_run_t:sock_file write;
+can_unix_connect(userdomain, canna_t)
+
+ifdef(`i18n_input.te', `
+allow i18n_input_t canna_var_run_t:dir search;
+allow i18n_input_t canna_var_run_t:sock_file write;
+can_unix_connect(i18n_input_t, canna_t)
+')
+
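Review bot: `allow canna_t self:unix_dgram_socket create_stream_socket_perms;` applies the stream permission set to a datagram socket; the rest of this commit uses `create_socket_perms` for unix_dgram_socket (apmd, auditd, automount), so this looks like a copy of the line above and should read `allow canna_t self:unix_dgram_socket create_socket_perms;`. The line above it is also missing a space in `create_stream_socket_perms}`. A one-line comment on why `userdomain` gets a direct unix connect to the daemon would help, since that is the only rule here reaching outside the daemon's own domain.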
diff --git a/strict/domains/program/cardmgr.te b/strict/domains/program/cardmgr.te
new file mode 100644
index 0000000..c9a5e97
--- /dev/null
+++ b/strict/domains/program/cardmgr.te
@@ -0,0 +1,85 @@
+#DESC Cardmgr - PCMCIA control programs
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: pcmcia-cs
+#
+
+#################################
+#
+# Rules for the cardmgr_t domain.
+#
+daemon_domain(cardmgr, `, privmodule')
+
+# for SSP
+allow cardmgr_t urandom_device_t:chr_file read;
+
+type cardctl_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
+role sysadm_r types cardmgr_t;
+allow cardmgr_t admin_tty_type:chr_file { read write };
+
+allow cardmgr_t sysfs_t:dir search;
+allow cardmgr_t home_root_t:dir search;
+
+# Use capabilities (net_admin for route), setuid for cardctl
+allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+
+# for /etc/resolv.conf
+file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
+
+allow cardmgr_t etc_runtime_t:file { getattr read };
+
+allow cardmgr_t modules_object_t:dir search;
+allow cardmgr_t self:unix_dgram_socket create_socket_perms;
+allow cardmgr_t self:unix_stream_socket create_socket_perms;
+allow cardmgr_t self:fifo_file rw_file_perms;
+
+# Create stab file
+var_lib_domain(cardmgr)
+
+# for /var/lib/misc/pcmcia-scheme
+# would be better to have it in a different type if I knew how it was created..
+allow cardmgr_t var_lib_t:file { getattr read };
+
+# Create device files in /tmp.
+type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
+file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
+
+# Create symbolic links in /dev.
+type cardmgr_lnk_t, file_type, sysadmfile;
+file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)
+
+# Run a shell, normal commands, /etc/pcmcia scripts. 
+can_exec_any(cardmgr_t)
+allow cardmgr_t etc_t:lnk_file read;
+
+# Run ifconfig.
+domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
+allow ifconfig_t cardmgr_t:fd use;
+
+allow cardmgr_t proc_t:file { getattr read ioctl };
+
+# Read /proc/PID directories for all domains (for fuser).
+can_ps(cardmgr_t, domain)
+allow cardmgr_t device_type:{ chr_file blk_file } getattr;
+allow cardmgr_t ttyfile:chr_file getattr;
+dontaudit cardmgr_t ptyfile:chr_file getattr;
+dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
+dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
+dontaudit cardmgr_t proc_kmsg_t:file getattr;
+
+allow cardmgr_t tty_device_t:chr_file rw_file_perms;
+
+ifdef(`apmd.te', `
+domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
+')
+
+ifdef(`hide_broken_symptoms', `
+dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
+dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
+')
+ifdef(`hald.te', `
+rw_dir_file(hald_t, cardmgr_var_run_t)
+allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
+')
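Review bot: The comment `# Create device files in /tmp.` undersells the rule below it, which also transitions in var_run_t, cardmgr_var_run_t and device_t; suggest `# Create device nodes in /dev, /var/run and /tmp with the cardmgr_dev_t type.` `domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)` is unconditional here while apmd.te in the same commit guards the identical transition with `ifdef(`ifconfig.te', ...)`; if ifconfig.te is optional this file will not build without it, so the guard should be consistent. The capability line's comment explains net_admin and setuid only, leaving dac_read_search, dac_override, sys_admin and mknod unexplained.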
diff --git a/strict/domains/program/cdrecord.te b/strict/domains/program/cdrecord.te
new file mode 100644
index 0000000..6460090
--- /dev/null
+++ b/strict/domains/program/cdrecord.te
@@ -0,0 +1,10 @@
+# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master
+#
+# Author: Thomas Bleher <ThomasBleher at gmx.de>
+
+# Type for the cdrecord excutable.
+type cdrecord_exec_t, file_type, sysadmfile, exec_type;
+
+# everything else is in the cdrecord_domain macros in
+# macros/program/cdrecord_macros.te.
+
diff --git a/strict/domains/program/checkpolicy.te b/strict/domains/program/checkpolicy.te
new file mode 100644
index 0000000..97ea0bc
--- /dev/null
+++ b/strict/domains/program/checkpolicy.te
@@ -0,0 +1,65 @@
+#DESC Checkpolicy - SELinux policy compliler
+#
+# Authors:  Frank Mayer, mayerf at tresys.com
+# X-Debian-Packages: checkpolicy
+#
+
+###########################
+# 
+# checkpolicy_t is the domain type for checkpolicy
+# checkpolicy_exec_t if file type for the executable
+
+type checkpolicy_t, domain;
+role sysadm_r types checkpolicy_t;
+role system_r types checkpolicy_t;
+
+type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
+
+##########################
+# 
+# Rules
+
+domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
+
+# able to create and modify binary policy files
+allow checkpolicy_t policy_config_t:dir rw_dir_perms;
+allow checkpolicy_t policy_config_t:file create_file_perms;
+
+###########################
+# constrain what checkpolicy can use as source files
+#
+
+# only allow read of policy source files
+allow checkpolicy_t policy_src_t:dir r_dir_perms;
+allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
+
+# allow test policies to be created in src directories
+file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
+
+# directory search permissions for path to source and binary policy files
+allow checkpolicy_t root_t:dir search;
+allow checkpolicy_t etc_t:dir search;
+
+# Read the devpts root directory.  
+allow checkpolicy_t devpts_t:dir r_dir_perms;
+ifdef(`sshd.te',
+`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
+
+# Other access
+allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
+uses_shlib(checkpolicy_t)
+allow checkpolicy_t self:capability dac_override;
+
+allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
+
+##########################
+# Allow users to execute checkpolicy without a domain transition
+# so it can be used without privilege to write real binary policy file
+can_exec(unpriv_userdomain, checkpolicy_exec_t)
+
+allow checkpolicy_t { userdomain privfd }:fd use;
+
+allow checkpolicy_t fs_t:filesystem getattr;
+allow checkpolicy_t console_device_t:chr_file { read write };
+allow checkpolicy_t init_t:fd use;
+allow checkpolicy_t selinux_config_t:dir search;
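Review bot: `allow checkpolicy_t self:capability dac_override;` is the one capability in this domain and it carries no comment, even though it lets the compiler ignore DAC permission bits on everything else it is allowed to touch (policy_src_t, policy_config_t, sysadm_tmp_t). If it came from a denial, the comment should name the path that needs it, e.g. `# dac_override: policy trees not owned by the invoking sysadm -- confirm from audit log`; if nothing actually depended on it, `dontaudit checkpolicy_t self:capability dac_override;` is the safer form. The same applies to `allow checkpolicy_t sysadm_tmp_t:file { getattr write };`, which presumably covers redirected output into /tmp and should say so.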
diff --git a/strict/domains/program/chkpwd.te b/strict/domains/program/chkpwd.te
new file mode 100644
index 0000000..22ac7f2
--- /dev/null
+++ b/strict/domains/program/chkpwd.te
@@ -0,0 +1,18 @@
+#DESC Chkpwd - PAM password checking programs
+# X-Debian-Packages: libpam-modules
+#
+# Domains for the /sbin/.*_chkpwd utilities.
+#
+
+#
+# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables.
+#
+type chkpwd_exec_t, file_type, sysadmfile, exec_type;
+
+chkpwd_domain(system)
+dontaudit system_chkpwd_t privfd:fd use;
+role sysadm_r types system_chkpwd_t;
+in_user_role(system_chkpwd_t)
+
+# Everything else is in the chkpwd_domain macro in
+# macros/program/chkpwd_macros.te.
diff --git a/strict/domains/program/chroot.te b/strict/domains/program/chroot.te
new file mode 100644
index 0000000..8992c66
--- /dev/null
+++ b/strict/domains/program/chroot.te
@@ -0,0 +1,21 @@
+#DESC Chroot - Establish chroot environments
+#
+# Author: Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: 
+#
+type chroot_exec_t, file_type, sysadmfile, exec_type;
+
+# For a chroot environment named potato that can be entered from user_t (so
+# the user can run an old version of Debian in a chroot), with the possibility
+# of user_devpts_t or user_tty_device_t being the controlling tty type for
+# administration.  This also defines a mount_domain for the user (so they can
+# mount file systems).
+#chroot(user, potato)
+# For a chroot environment named apache that can be entered from initrc_t for
+# running a different version of apache.
+# initrc is a special case, uses the system_r role (usually appends "_r" to
+# the base name of the parent domain), and has sysadm_devpts_t and
+# sysadm_tty_device_t for the controlling terminal
+#chroot(initrc, apache)
+
+# the main code is in macros/program/chroot_macros.te
diff --git a/strict/domains/program/comsat.te b/strict/domains/program/comsat.te
new file mode 100644
index 0000000..cd0e3f9
--- /dev/null
+++ b/strict/domains/program/comsat.te
@@ -0,0 +1,20 @@
+#DESC comsat - biff server
+#
+# Author:  Dan Walsh <dwalsh at redhat.com>
+# Depends: inetd.te
+#
+
+#################################
+#
+# Rules for the comsat_t domain.
+#
+# comsat_exec_t is the type of the comsat executable.
+#
+
+inetd_child_domain(comsat, udp)
+allow comsat_t initrc_var_run_t:file r_file_perms;
+dontaudit comsat_t initrc_var_run_t:file write;
+allow comsat_t mail_spool_t:dir r_dir_perms;
+allow comsat_t mail_spool_t:lnk_file read;
+allow comsat_t var_spool_t:dir search;
+dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;
diff --git a/strict/domains/program/consoletype.te b/strict/domains/program/consoletype.te
new file mode 100644
index 0000000..9836ce4
--- /dev/null
+++ b/strict/domains/program/consoletype.te
@@ -0,0 +1,64 @@
+#DESC consoletype - determine the type of a console device
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: 
+#
+
+#################################
+#
+# Rules for the consoletype_t domain.
+#
+# consoletype_t is the domain for the consoletype program.
+# consoletype_exec_t is the type of the corresponding program.
+#
+type consoletype_t, domain;
+type consoletype_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types consoletype_t;
+
+uses_shlib(consoletype_t)
+general_domain_access(consoletype_t)
+
+domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
+
+allow consoletype_t tty_device_t:chr_file { getattr ioctl write };
+allow consoletype_t initrc_devpts_t:chr_file { read write getattr ioctl };
+
+ifdef(`xdm.te', `
+domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
+allow consoletype_t xdm_tmp_t:file { read write };
+')
+
+allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
+allow consoletype_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`hotplug.te', `
+domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
+')
+
+# Use capabilities.
+allow consoletype_t self:capability sys_admin;
+
+allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
+allow consoletype_t initrc_t:fifo_file write;
+allow consoletype_t tty_device_t:chr_file read;
+allow consoletype_t nfs_t:file write;
+allow consoletype_t sysadm_t:fifo_file rw_file_perms;
+
+ifdef(`lpd.te', `
+allow consoletype_t printconf_t:file { getattr read };
+')
+
+ifdef(`pam.te', `
+allow consoletype_t pam_var_run_t:file { getattr read };
+')
+ifdef(`distro_redhat', `
+allow consoletype_t tmpfs_t:chr_file rw_file_perms;
+')
+ifdef(`firstboot.te', `
+allow consoletype_t firstboot_t:fifo_file write;
+')
+dontaudit consoletype_t proc_t:file read;
+dontaudit consoletype_t root_t:file read;
+allow consoletype_t crond_t:fifo_file { read getattr ioctl };
+allow consoletype_t system_crond_t:fd use;
+allow consoletype_t fs_t:filesystem getattr;
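Review bot: `allow consoletype_t self:capability sys_admin;` sits under the generic "Use capabilities." heading with no explanation, and sys_admin is a catch-all capability for a helper whose only job is to classify a terminal. If it was added from a denial that did not actually break consoletype, it should be `dontaudit consoletype_t self:capability sys_admin;`; if it is really needed, the comment should name the ioctl or operation that requires it. `allow consoletype_t nfs_t:file write;` and the `admin_tty_type:chr_file rw_file_perms` grant likewise give write access with no stated reason -- presumably redirected output from rc scripts, but that should be written down next to each rule.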
diff --git a/strict/domains/program/cpucontrol.te b/strict/domains/program/cpucontrol.te
new file mode 100644
index 0000000..23a13b7
--- /dev/null
+++ b/strict/domains/program/cpucontrol.te
@@ -0,0 +1,17 @@
+#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+
+type cpucontrol_conf_t, file_type, sysadmfile;
+
+daemon_base_domain(cpucontrol)
+
+# Access cpu devices.
+allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
+allow cpucontrol_t device_t:lnk_file { getattr read };
+allow initrc_t cpu_device_t:chr_file getattr;
+
+allow cpucontrol_t self:capability sys_rawio;
+
+r_dir_file(cpucontrol_t, cpucontrol_conf_t)
diff --git a/strict/domains/program/cpuspeed.te b/strict/domains/program/cpuspeed.te
new file mode 100644
index 0000000..b80f705
--- /dev/null
+++ b/strict/domains/program/cpuspeed.te
@@ -0,0 +1,17 @@
+#DESC cpuspeed - domain for microcode_ctl, powernowd, etc
+#
+# Authors:  Russell Coker <russell at coker.com.au>
+#           Thomas Bleher <ThomasBleher at gmx.de>
+#
+
+daemon_base_domain(cpuspeed)
+read_locale(cpuspeed_t)
+
+allow cpuspeed_t sysfs_t:dir search;
+allow cpuspeed_t sysfs_t:file rw_file_perms;
+allow cpuspeed_t proc_t:dir r_dir_perms;
+allow cpuspeed_t proc_t:file { getattr read };
+allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read };
+
+allow cpuspeed_t self:process setsched;
+allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
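Review bot: The header `#DESC cpuspeed - domain for microcode_ctl, powernowd, etc` claims microcode_ctl, but cpucontrol.te in this same commit is described as `domain for microcode_ctl and other programs to control CPU`, so one of the two headers is wrong and someone labelling /sbin/microcode_ctl cannot tell which domain it belongs to. Suggest `#DESC cpuspeed - domain for CPU frequency scaling daemons (cpuspeed, powernowd, etc)` and leaving microcode_ctl to cpucontrol, unless the split is meant the other way. Separately, `allow cpuspeed_t sysfs_t:file rw_file_perms;` grants write access to every file under sysfs; a comment stating that it is for the cpufreq nodes would let a later reviewer narrow it if a dedicated type is ever introduced.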
diff --git a/strict/domains/program/crack.te b/strict/domains/program/crack.te
new file mode 100644
index 0000000..1706f6e
--- /dev/null
+++ b/strict/domains/program/crack.te
@@ -0,0 +1,48 @@
+#DESC Crack - Password cracking application
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: crack
+#
+
+#################################
+#
+# Rules for the crack_t domain.
+#
+# crack_exec_t is the type of the crack executable.
+#
+system_domain(crack)
+ifdef(`crond.te', `
+system_crond_entry(crack_exec_t, crack_t)
+')
+
+# for SSP
+allow crack_t urandom_device_t:chr_file read;
+
+type crack_db_t, file_type, sysadmfile, usercanread;
+allow crack_t var_t:dir search;
+rw_dir_create_file(crack_t, crack_db_t)
+
+allow crack_t device_t:dir search;
+allow crack_t devtty_t:chr_file rw_file_perms;
+allow crack_t self:fifo_file { read write getattr };
+
+tmp_domain(crack)
+
+# for dictionaries
+allow crack_t usr_t:file { getattr read };
+
+can_exec(crack_t, bin_t)
+allow crack_t { bin_t sbin_t }:dir search;
+
+allow crack_t self:process { fork signal_perms };
+
+allow crack_t proc_t:dir { read search };
+allow crack_t proc_t:file { read getattr };
+
+# read config files
+allow crack_t { etc_t etc_runtime_t }:file { getattr read };
+allow crack_t etc_t:dir r_dir_perms;
+
+allow crack_t fs_t:filesystem getattr;
+
+dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
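Review bot: `type crack_db_t, file_type, sysadmfile, usercanread;` marks the crack database as readable by user domains, while the domain itself creates and writes files of that type (`rw_dir_create_file(crack_t, crack_db_t)`). If crack's output -- the accounts whose passwords it managed to guess -- lands in the same type, `usercanread` exposes that result to every unprivileged user, which defeats the point of running the job from system_crond. Either drop `usercanread` or add a comment stating that crack_db_t only ever holds dictionaries and that results are written elsewhere; I cannot tell which from this file.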
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te
new file mode 100644
index 0000000..10f8a4d
--- /dev/null
+++ b/strict/domains/program/crond.te
@@ -0,0 +1,215 @@
+#DESC Crond - Crond daemon
+#
+# Domains for the top-level crond daemon process and
+# for system cron jobs.  The domains for user cron jobs
+# are in macros/program/crond_macros.te.
+#
+# X-Debian-Packages: cron
+# Authors:  Jonathan Crowley (MITRE) <jonathan at mitre.org>,
+#	    Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser
+#
+
+# NB The constraints file has some entries for crond_t, this makes it
+# different from all other domains...
+
+# Domain for crond.  It needs auth_chkpwd to check for locked accounts.
+daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain')
+
+# This domain is granted permissions common to most domains (including can_net)
+general_domain_access(crond_t)
+
+# Type for the anacron executable.
+type anacron_exec_t, file_type, sysadmfile, exec_type;
+
+# Type for temporary files.
+tmp_domain(crond)
+
+crond_domain(system)
+
+allow system_crond_t proc_mdstat_t:file { getattr read };
+allow system_crond_t proc_t:lnk_file read;
+allow system_crond_t proc_t:filesystem getattr;
+allow system_crond_t usbdevfs_t:filesystem getattr;
+
+ifdef(`mta.te', `
+allow mta_user_agent system_crond_t:fd use;
+')
+
+# read files in /etc
+allow system_crond_t etc_t:file r_file_perms;
+allow system_crond_t etc_runtime_t:file read;
+
+allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
+
+read_locale(crond_t)
+
+log_domain(crond)
+
+# Use capabilities.
+allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
+dontaudit crond_t self:capability sys_resource;
+
+# Get security policy decisions.
+can_getsecurity(crond_t)
+
+# for finding binaries and /bin/sh
+allow crond_t { bin_t sbin_t }:dir search;
+allow crond_t { bin_t sbin_t }:lnk_file read;
+
+# Read from /var/spool/cron.
+allow crond_t var_lib_t:dir search;
+allow crond_t var_spool_t:dir r_dir_perms;
+allow crond_t cron_spool_t:dir r_dir_perms;
+allow crond_t cron_spool_t:file r_file_perms;
+
+# Read /etc/security/default_contexts.
+r_dir_file(crond_t, default_context_t)
+
+allow crond_t etc_t:file { getattr read };
+allow crond_t etc_t:lnk_file read;
+
+allow crond_t default_t:dir search;
+
+# crond tries to search /root.  Not sure why.
+allow crond_t sysadm_home_dir_t:dir r_dir_perms;
+
+# to search /home
+allow crond_t home_root_t:dir { getattr search };
+allow crond_t user_home_dir_type:dir r_dir_perms;
+
+# Run a shell.
+can_exec(crond_t, shell_exec_t)
+
+ifdef(`distro_redhat', `
+# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+# via redirection of standard out.
+ifdef(`rpm.te', `
+allow crond_t rpm_log_t: file create_file_perms;
+
+system_crond_entry(rpm_exec_t, rpm_t)
+allow system_crond_t rpm_log_t:file create_file_perms;
+')
+')
+
+allow system_crond_t var_log_t:file r_file_perms;
+
+
+# Set exec context.
+can_setexec(crond_t)
+
+# Transition to this domain for anacron as well.
+# Still need to study anacron.
+domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
+
+# Access log files
+file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file)
+
+# Inherit and use descriptors from init for anacron.
+allow system_crond_t init_t:fd use;
+
+# Inherit and use descriptors from initrc for anacron.
+allow system_crond_t initrc_t:fd use;
+allow system_crond_t initrc_devpts_t:chr_file { read write };
+
+# Use capabilities.
+allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
+
+allow crond_t urandom_device_t:chr_file { getattr read };
+
+# Read the system crontabs.
+allow system_crond_t system_cron_spool_t:file r_file_perms;
+
+allow crond_t system_cron_spool_t:dir r_dir_perms;
+allow crond_t system_cron_spool_t:file r_file_perms;
+
+# Read from /var/spool/cron.
+allow system_crond_t cron_spool_t:dir r_dir_perms;
+allow system_crond_t cron_spool_t:file r_file_perms;
+
+# Write to /var/lib/slocate.db.
+allow system_crond_t var_lib_t:dir rw_dir_perms;
+allow system_crond_t var_lib_t:file create_file_perms;
+
+# Update whatis files.
+allow system_crond_t catman_t:dir create_dir_perms;
+allow system_crond_t catman_t:file create_file_perms;
+allow system_crond_t man_t:file r_file_perms;
+allow system_crond_t man_t:lnk_file read;
+
+# Write /var/lock/makewhatis.lock.
+lock_domain(system_crond)
+
+# for if /var/mail is a symlink
+allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
+allow crond_t mail_spool_t:dir search;
+
+ifdef(`mta.te', `
+r_dir_file(system_mail_t, crond_tmp_t)
+')
+
+# Stat any file and search any directory for find.
+allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr;
+allow system_crond_t device_type:{ chr_file blk_file } getattr;
+allow system_crond_t file_type:dir { read search getattr };
+
+# Create temporary files.
+type system_crond_tmp_t, file_type, sysadmfile, tmpfile;
+file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)
+
+# /sbin/runlevel ask for w access to utmp, but will operate
+# correctly without it.  Do not audit write denials to utmp.
+# /sbin/runlevel needs lock access however
+dontaudit system_crond_t initrc_var_run_t:file write;
+allow system_crond_t initrc_var_run_t:file { getattr read lock };
+
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
+allow system_crond_t var_spool_t:file create_file_perms;
+allow system_crond_t var_spool_t:dir rw_dir_perms;
+
+# Do not audit attempts to search unlabeled directories (e.g. slocate).
+dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
+dontaudit system_crond_t unlabeled_t:file r_file_perms;
+
+#
+# reading /var/spool/cron/mailman
+#
+allow crond_t var_spool_t:file { getattr read };
+allow system_crond_t devpts_t:filesystem getattr;
+allow system_crond_t sysfs_t:filesystem getattr;
+allow system_crond_t tmpfs_t:filesystem getattr;
+allow system_crond_t rpc_pipefs_t:filesystem getattr;
+
+#
+#  These rules are here to allow system cron jobs to su
+#
+ifdef(`su.te', `
+su_restricted_domain(system_crond,system)
+role system_r types system_crond_su_t;
+allow system_crond_su_t crond_t:fifo_file ioctl;
+')
+allow system_crond_t self:passwd rootok;
+#
+# prelink tells init to restart it self, we either need to allow or dontaudit
+#
+allow system_crond_t initctl_t:fifo_file write;
+dontaudit userdomain system_crond_t:fd use;
+
+r_dir_file(crond_t, selinux_config_t)
+
+# Allow system cron jobs to relabel filesystem for restoring file contexts.
+bool cron_can_relabel false;
+if (cron_can_relabel) {
+domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
+} else {
+r_dir_file(system_crond_t, file_context_t)
+can_getsecurity(system_crond_t)
+}
+allow system_crond_t removable_t:filesystem { getattr };
+#
+# Required for webalizer
+#
+ifdef(`apache.te', `
+allow system_crond_t httpd_log_t:file { getattr read };
+')
+dontaudit crond_t self:capability { sys_tty_config };
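Review bot: `allow system_crond_t self:passwd rootok;` is granted unconditionally and without a comment, yet it is the rule that lets anything running as a system cron job pass a pam_rootok-style check (passwd/chfn/chsh and friends) without a password. It also sits just outside the `ifdef(`su.te', ...)` block, while the su rules that would most plausibly need it are conditional, so the grant survives even on builds where su is not in policy. A comment naming the job that requires it would help, e.g. `# rootok: needed by <job> which calls passwd without a password -- confirm`, and if no job does, the rule should be removed rather than kept as a permanent bypass.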
diff --git a/strict/domains/program/crontab.te b/strict/domains/program/crontab.te
new file mode 100644
index 0000000..48b5fcc
--- /dev/null
+++ b/strict/domains/program/crontab.te
@@ -0,0 +1,12 @@
+#DESC Crontab - Crontab manipulation programs
+#
+# Domains for the crontab program.
+#
+# X-Debian-Packages: cron
+#
+
+# Type for the crontab executable.
+type crontab_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the crontab_domain macro in
+# macros/program/crontab_macros.te.
diff --git a/strict/domains/program/cups.te b/strict/domains/program/cups.te
new file mode 100644
index 0000000..684f440
--- /dev/null
+++ b/strict/domains/program/cups.te
@@ -0,0 +1,257 @@
+#DESC Cups - Common Unix Printing System
+#
+# Created cups policy from lpd policy: Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: cupsys cupsys-client cupsys-bsd
+# Depends: lpd.te lpr.te
+
+#################################
+#
+# Rules for the cupsd_t domain.
+#
+# cupsd_t is the domain of cupsd.
+# cupsd_exec_t is the type of the cupsd executable.
+#
+type ipp_port_t, port_type, reserved_port_type;
+daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
+etcdir_domain(cupsd)
+typealias cupsd_etc_t alias etc_cupsd_t;
+type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
+typealias cupsd_rw_etc_t alias etc_cupsd_rw_t;
+
+can_network(cupsd_t)
+logdir_domain(cupsd)
+
+tmp_domain(cupsd)
+
+allow cupsd_t devpts_t:dir search;
+
+allow cupsd_t device_t:lnk_file read;
+allow cupsd_t printer_device_t:chr_file rw_file_perms;
+allow cupsd_t urandom_device_t:chr_file { getattr read };
+dontaudit cupsd_t random_device_t:chr_file ioctl;
+
+# temporary solution, we need something better
+allow cupsd_t serial_device:chr_file rw_file_perms;
+
+r_dir_file(cupsd_t, usbdevfs_t)
+r_dir_file(cupsd_t, usbfs_t)
+
+ifdef(`logrotate.te', `
+domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
+')
+
+ifdef(`inetd.te', `
+allow inetd_t printer_port_t:tcp_socket name_bind;
+domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
+')
+
+# write to spool
+allow cupsd_t var_spool_t:dir search;
+
+# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
+file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, file)
+allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
+allow cupsd_t cupsd_etc_t:file setattr;
+allow cupsd_t cupsd_etc_t:dir setattr;
+
+allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
+can_exec(cupsd_t, initrc_exec_t)
+allow cupsd_t proc_t:file r_file_perms;
+allow cupsd_t proc_t:dir r_dir_perms;
+allow cupsd_t self:file { getattr read };
+read_sysctl(cupsd_t)
+allow cupsd_t sysctl_dev_t:dir search;
+allow cupsd_t sysctl_dev_t:file { getattr read };
+
+# for /etc/printcap
+dontaudit cupsd_t etc_t:file write;
+
+# allow cups to execute its backend scripts
+can_exec(cupsd_t, cupsd_exec_t)
+allow cupsd_t cupsd_exec_t:dir search;
+allow cupsd_t cupsd_exec_t:lnk_file read;
+
+allow cupsd_t self:unix_stream_socket create_socket_perms;
+allow cupsd_t self:unix_dgram_socket create_socket_perms;
+allow cupsd_t self:fifo_file rw_file_perms;
+
+# Use capabilities.
+allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config };
+dontaudit cupsd_t self:capability net_admin;
+
+allow cupsd_t self:process setsched;
+
+# for /var/lib/defoma
+allow cupsd_t var_lib_t:dir search;
+r_dir_file(cupsd_t, readable_t)
+
+# Bind to the cups/ipp port (631).
+allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
+
+can_tcp_connect(web_client_domain, cupsd_t)
+can_tcp_connect(cupsd_t, cupsd_t)
+
+# Send to portmap.
+ifdef(`portmap.te', `
+can_udp_send(cupsd_t, portmap_t)
+can_udp_send(portmap_t, cupsd_t)
+')
+
+# Write to /var/spool/cups.
+allow cupsd_t print_spool_t:dir { setattr rw_dir_perms };
+allow cupsd_t print_spool_t:file create_file_perms;
+allow cupsd_t print_spool_t:file rw_file_perms;
+
+# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+allow cupsd_t { bin_t sbin_t }:dir { search getattr };
+allow cupsd_t bin_t:lnk_file read;
+can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
+
+# They will also invoke ghostscript, which needs to read fonts
+r_dir_file(cupsd_t, fonts_t)
+
+# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
+allow cupsd_t lib_t:file { read getattr };
+
+# read python modules
+allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
+
+#
+# lots of errors generated requiring the following
+#
+allow cupsd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+#
+# Satisfy readahead
+#
+allow initrc_t cupsd_log_t:file { getattr read };
+r_dir_file(cupsd_t, var_t)
+
+r_dir_file(cupsd_t, usercanread)
+ifdef(`samba.te', `
+rw_dir_file(cupsd_t, samba_var_t)
+allow smbd_t cupsd_etc_t:dir search;
+')
+
+ifdef(`pam.te', `
+dontaudit cupsd_t pam_var_run_t:file { getattr read };
+')
+dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
+# PTAL
+daemon_domain(ptal)
+etcdir_domain(ptal)
+allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
+allow ptal_t ptal_var_run_t:sock_file create_file_perms;
+allow ptal_t self:capability chown;
+allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+allow ptal_t self:unix_stream_socket { listen accept };
+allow ptal_t self:fifo_file rw_file_perms;
+allow ptal_t device_t:dir read;
+allow ptal_t printer_device_t:chr_file { ioctl read write };
+allow initrc_t printer_device_t:chr_file getattr;
+allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
+r_dir_file(ptal_t, usbdevfs_t)
+r_dir_file(ptal_t, usbfs_t)
+allow cupsd_t ptal_var_run_t:sock_file { write setattr };
+allow cupsd_t ptal_t:unix_stream_socket connectto;
+allow cupsd_t ptal_var_run_t:dir search;
+dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
+
+allow initrc_t ptal_var_run_t:dir rmdir;
+allow initrc_t ptal_var_run_t:fifo_file unlink;
+
+dontaudit cupsd_t selinux_config_t:dir search;
+dontaudit cupsd_t selinux_config_t:file { getattr read };
+
+allow cupsd_t printconf_t:file { getattr read };
+
+dbusd_client(system, cupsd)
+
+ifdef(`hald.te', `
+
+# CUPS configuration daemon
+daemon_domain(cupsd_config)
+
+allow cupsd_config_t devpts_t:dir search;
+
+ifdef(`distro_redhat', `
+ifdef(`rpm.te', `
+allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
+allow cupsd_config_t rpm_var_lib_t:file { getattr read };
+')
+allow cupsd_config_t initrc_exec_t:file getattr;
+')dnl end distro_redhat
+
+allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
+allow cupsd_config_t self:file { getattr read };
+
+allow cupsd_config_t proc_t:file { getattr read };
+allow cupsd_config_t cupsd_var_run_t:file { getattr read };
+allow cupsd_config_t cupsd_t:process { signal };
+allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
+can_ps(cupsd_config_t, cupsd_t)
+
+allow cupsd_config_t self:capability chown;
+
+rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
+rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
+file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+
+can_network_tcp(cupsd_config_t)
+can_tcp_connect(cupsd_config_t, cupsd_t)
+allow cupsd_config_t self:fifo_file rw_file_perms;
+
+allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+ifdef(`dbusd.te', `
+dbusd_client(system, cupsd_config)
+allow cupsd_config_t userdomain:dbus send_msg;
+allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
+allow cupsd_t system_dbusd_t:dbus send_msg;
+allow userdomain cupsd_config_t:dbus send_msg;
+allow cupsd_config_t hald_t:dbus send_msg;
+allow hald_t cupsd_config_t:dbus send_msg;
+allow cupsd_t userdomain:dbus send_msg;
+allow cupsd_t hald_t:dbus send_msg;
+allow hald_t cupsd_t:dbus send_msg;
+')dnl end if dbusd.te
+
+can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
+ifdef(`hostname.te', `
+can_exec(cupsd_t, hostname_exec_t)
+can_exec(cupsd_config_t, hostname_exec_t)
+')
+allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
+allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
+# killall causes the following
+dontaudit cupsd_config_t domain:dir { getattr search };
+dontaudit cupsd_config_t selinux_config_t:dir search;
+
+can_exec(cupsd_config_t, cupsd_config_exec_t) 
+
+allow cupsd_config_t usr_t:file { getattr read };
+allow cupsd_config_t var_lib_t:dir { getattr search };
+allow cupsd_config_t rpm_var_lib_t:file { getattr read };
+allow cupsd_config_t printconf_t:file { getattr read };
+
+allow cupsd_config_t urandom_device_t:chr_file { getattr read };
+
+domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
+ifdef(`logrotate.te', `
+allow cupsd_config_t logrotate_t:fd use;
+')dnl end if logrotate.te
+allow cupsd_config_t system_crond_t:fd use;
+allow cupsd_config_t crond_t:fifo_file read;
+allow cupsd_t crond_t:fifo_file read;
+
+# Alternatives asks for this
+allow cupsd_config_t initrc_exec_t:file getattr;
+') dnl end if hald.te
+ifdef(`targeted_policy', `
+can_unix_connect(cupsd_t, initrc_t)
+allow cupsd_t initrc_t:dbus send_msg;
+allow initrc_t cupsd_t:dbus send_msg;
+')
+
+ifdef(`targeted_policy', `
+allow cupsd_t unconfined_t:dbus send_msg;
+')
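Review bot: `allow cupsd_config_t rpm_var_lib_t:file { getattr read };` near the end of the hald.te block references rpm_var_lib_t unconditionally, while the equivalent rule earlier is guarded by `ifdef(`distro_redhat', ifdef(`rpm.te', ...))`; on a build without rpm.te the type is undefined (unless it is declared somewhere I cannot see) and the policy will fail to compile. The line only duplicates what the guarded block already grants, so it can be deleted. The same duplication exists for `allow cupsd_config_t initrc_exec_t:file getattr;`, which appears inside the distro_redhat guard and again unconditionally under "Alternatives asks for this"; keep one. Separately, the comment `this is not ideal, and allowing setattr access to cupsd_etc_t is wrong` is followed by exactly that grant, so either the rule or the comment should change before this ships.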
diff --git a/strict/domains/program/cyrus.te b/strict/domains/program/cyrus.te
new file mode 100644
index 0000000..d101c1a
--- /dev/null
+++ b/strict/domains/program/cyrus.te
@@ -0,0 +1,47 @@
+#DESC cyrus-imapd
+#
+# Authors:  Dan Walsh <dwalsh at redhat.com>
+#
+
+# cyrusd_exec_t is the type of the cyrusd executable.
+# cyrusd_key_t is the type of the cyrus private key files
+daemon_domain(cyrus)
+
+general_domain_access(cyrus_t)
+file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)
+
+type cyrus_var_lib_t, file_type, sysadmfile;
+
+allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+allow cyrus_t self:process setrlimit;
+
+allow initrc_su_t cyrus_var_lib_t:dir search;
+
+can_network(cyrus_t)
+can_ypbind(cyrus_t)
+can_exec(cyrus_t, bin_t)
+allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
+allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms;
+allow cyrus_t etc_t:file { getattr read };
+allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
+read_locale(cyrus_t)
+read_sysctl(cyrus_t)
+tmp_domain(cyrus)
+ifdef(`use_pop', `
+allow cyrus_t pop_port_t:tcp_socket name_bind;
+')
+allow cyrus_t proc_t:dir search;
+allow cyrus_t proc_t:file { getattr read };
+allow cyrus_t sysadm_devpts_t:chr_file { read write };
+
+allow cyrus_t staff_t:fd use;
+allow cyrus_t var_lib_t:dir search;
+
+allow cyrus_t etc_runtime_t:file { read getattr };
+ifdef(`crond.te', `
+system_crond_entry(cyrus_exec_t, cyrus_t)
+allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
+allow system_crond_t cyrus_var_lib_t:file create_file_perms;
+allow system_crond_su_t cyrus_var_lib_t:dir search;
+')
+allow cyrus_t mail_port_t:tcp_socket name_bind;
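Review bot: The header comment names `cyrusd_exec_t` and `cyrusd_key_t`, but `daemon_domain(cyrus)` declares `cyrus_exec_t`, and no key type is declared anywhere in this file, so a reader will assume the private keys have their own label when they do not. The comment should read `# cyrus_exec_t is the type of the cyrus executable.` and the key-type line should be dropped or the type actually declared. Also `allow cyrus_t sysadm_devpts_t:chr_file { read write };` and `allow cyrus_t staff_t:fd use;` hand a network-facing IMAP daemon write access to administrator terminals; if they only cover an admin starting the daemon interactively, they are candidates for `dontaudit` rather than `allow` -- confirm against the denial that produced them.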
diff --git a/strict/domains/program/dbskkd.te b/strict/domains/program/dbskkd.te
new file mode 100644
index 0000000..e75d90b
--- /dev/null
+++ b/strict/domains/program/dbskkd.te
@@ -0,0 +1,14 @@
+#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
+#
+# Author:  Dan Walsh <dwalsh at redhat.com>
+#
+
+#################################
+#
+# Rules for the dbskkd_t domain.
+#
+# dbskkd_exec_t is the type of the dbskkd executable.
+#
+# Depends: inetd.te
+
+inetd_child_domain(dbskkd)
diff --git a/strict/domains/program/dbusd.te b/strict/domains/program/dbusd.te
new file mode 100644
index 0000000..8216b06
--- /dev/null
+++ b/strict/domains/program/dbusd.te
@@ -0,0 +1,20 @@
+#DESC dbus-daemon-1 server for dbus desktop bus protocol
+#
+# Author:  Russell Coker <russell at coker.com.au>
+
+dbusd_domain(system)
+
+allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
+
+ifdef(`pamconsole.te', `
+r_dir_file(system_dbusd_t, pam_var_console_t)
+')
+
+# dac_override: /var/run/dbus is owned by messagebus on Debian
+allow system_dbusd_t self:capability { dac_override setgid setuid };
+can_ypbind(system_dbusd_t)
+
+# I expect we need more than this
+
+allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
+
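Review bot: The comment above `allow system_dbusd_t self:capability { dac_override setgid setuid };` explains only dac_override; setuid and setgid are what let the daemon change identity and deserve the same treatment, e.g. `# setuid/setgid: drop from root to the messagebus user at startup -- confirm`. The trailing `# I expect we need more than this` says nothing actionable; replace it with the specific accesses still expected to be missing, or remove it.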
diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te
new file mode 100644
index 0000000..53f7de4
--- /dev/null
+++ b/strict/domains/program/dhcpc.te
@@ -0,0 +1,146 @@
+#DESC DHCPC - DHCP client
+#
+# Authors:  Wayne Salamon (NAI Labs) <wsalamon at tislabs.com>
+#           Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: pump dhcp-client udhcpc
+#
+
+#################################
+#
+# Rules for the dhcpc_t domain.
+#
+# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP 
+# network configurator daemon started by /etc/sysconfig/network-scripts 
+# rc scripts, runs in this domain.
+# dhcpc_exec_t is the type of the dhcpcd executable.
+# The dhcpc_t can be used for other DHCPC related files as well.
+#
+type dhcpc_port_t, port_type, reserved_port_type;
+
+daemon_domain(dhcpc)
+
+# for SSP
+allow dhcpc_t urandom_device_t:chr_file read;
+
+can_network(dhcpc_t)
+can_ypbind(dhcpc_t)
+allow dhcpc_t self:unix_dgram_socket create_socket_perms;
+allow dhcpc_t self:unix_stream_socket create_socket_perms;
+allow dhcpc_t self:fifo_file rw_file_perms;
+
+allow dhcpc_t devpts_t:dir search;
+
+# for localization
+allow dhcpc_t lib_t:file { getattr read };
+
+ifdef(`consoletype.te', `
+domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
+')
+ifdef(`nscd.te', `
+domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
+')
+ifdef(`cardmgr.te', `
+domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
+allow cardmgr_t dhcpc_var_run_t:file { getattr read };
+allow cardmgr_t dhcpc_t:process signal_perms;
+')
+ifdef(`hotplug.te', `
+domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
+allow hotplug_t dhcpc_t:process signal_perms;
+allow hotplug_t dhcpc_var_run_t:file { getattr read };
+allow hotplug_t dhcp_etc_t:file rw_file_perms;
+allow dhcpc_t hotplug_etc_t:dir { getattr search };
+ifdef(`distro_redhat', `
+domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
+')
+')dnl end hotplug.te
+
+# for the dhcp client to run ping to check IP addresses
+ifdef(`ping.te', `
+domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
+ifdef(`hotplug.te', `
+allow ping_t hotplug_t:fd use;
+') dnl end if hotplug
+ifdef(`cardmgr.te', `
+allow ping_t cardmgr_t:fd use;
+') dnl end if cardmgr
+') dnl end if ping
+
+ifdef(`dhcpd.te', `', `
+type dhcp_state_t, file_type, sysadmfile;
+type dhcp_etc_t, file_type, sysadmfile, usercanread; 
+typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+')
+type dhcpc_state_t, file_type, sysadmfile;
+
+allow dhcpc_t etc_t:lnk_file read;
+allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
+allow dhcpc_t proc_net_t:dir search;
+allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
+allow dhcpc_t self:file { getattr read };
+read_sysctl(dhcpc_t)
+allow dhcpc_t userdomain:fd use;
+ifdef(`run_init.te', `
+allow dhcpc_t run_init_t:fd use;
+')
+
+# Use capabilities
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
+
+# for access("/etc/bashrc", X_OK) on Red Hat
+dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+
+# for udp port 68
+allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
+
+# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
+# in /etc created by dhcpcd will be labelled net_conf_t.
+file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)
+
+# Allow access to the dhcpc file types
+r_dir_file(dhcpc_t, dhcp_etc_t)
+allow dhcpc_t sbin_t:dir search;
+can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
+ifdef(`distro_redhat', `
+can_exec(dhcpc_t, etc_t)
+allow initrc_t dhcp_etc_t:file rw_file_perms;
+')
+ifdef(`ifconfig.te', `
+domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+
+tmp_domain(dhcpc)
+
+# Allow dhcpc_t to use packet sockets
+allow dhcpc_t self:packet_socket create_socket_perms;
+allow dhcpc_t var_lib_t:dir search;
+file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+
+allow dhcpc_t bin_t:dir search;
+allow dhcpc_t bin_t:lnk_file read;
+can_exec(dhcpc_t, { bin_t shell_exec_t })
+
+ifdef(`hostname.te', `
+domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
+')
+dontaudit dhcpc_t { ttyfile ptyfile tty_device_t }:chr_file { read write };
+allow dhcpc_t { userdomain kernel_t }:fd use;
+
+allow dhcpc_t home_root_t:dir search;
+allow initrc_t dhcpc_state_t:file { getattr read };
+dontaudit dhcpc_t var_lock_t:dir search;
+dontaudit dhcpc_t selinux_config_t:dir search;
+allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit dhcpc_t domain:dir getattr;
+allow dhcpc_t initrc_var_run_t:file rw_file_perms;
+#
+# dhclient sometimes starts ypbind and ntdp
+#
+can_exec(dhcpc_t, initrc_exec_t)
+ifdef(`ypbind.te', `
+domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
+')
+ifdef(`ntpd.te', `
+domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
+')
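Review bot: `can_exec(dhcpc_t, etc_t)` inside the `distro_redhat` block is the one exec grant in this domain with no comment naming what it serves, and because it covers every etc_t file it deserves either a justification or a narrower target type. A DHCP client processes replies from the network, so a reader auditing its exec surface (shell_exec_t, bin_t, sbin_t, initrc_exec_t, and on Red Hat all of etc_t) needs to know which script triggers this; suggest `# for <the /etc script dhclient runs on lease events — confirm>` or a TODO if nobody remembers. The comment `# dhclient sometimes starts ypbind and ntdp` misspells ntpd; since the same comment precedes the `ifdef(`ntpd.te'` block the typo will mislead grep.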
diff --git a/strict/domains/program/dhcpd.te b/strict/domains/program/dhcpd.te
new file mode 100644
index 0000000..67ae087
--- /dev/null
+++ b/strict/domains/program/dhcpd.te
@@ -0,0 +1,82 @@
+#DESC DHCPD - DHCP server
+#
+# Author: Russell Coker <russell at coker.com.au> 
+# based on the dhcpc_t policy from:
+#          Wayne Salamon (NAI Labs) <wsalamon at tislabs.com>
+# X-Debian-Packages: dhcp dhcp3-server 
+#
+
+#################################
+#
+# Rules for the dhcpd_t domain.
+#
+# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP 
+# server daemon rc scripts, runs in this domain.
+# dhcpd_exec_t is the type of the dhcpdd executable.
+# The dhcpd_t can be used for other DHCPC related files as well.
+#
+daemon_domain(dhcpd)
+
+allow dhcpd_t dhcpd_port_t:udp_socket name_bind;
+
+# for UDP port 4011
+ifdef(`pxe.te', `', `
+type pxe_port_t, port_type;
+')
+allow dhcpd_t pxe_port_t:udp_socket name_bind;
+
+type dhcp_etc_t, file_type, sysadmfile, usercanread;
+typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+
+# Use the network.
+can_network(dhcpd_t)
+can_ypbind(dhcpd_t)
+allow dhcpd_t self:unix_dgram_socket create_socket_perms;
+allow dhcpd_t self:unix_stream_socket create_socket_perms;
+allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow dhcpd_t var_lib_t:dir search;
+
+allow dhcpd_t devtty_t:chr_file { read write };
+
+# Use capabilities
+allow dhcpd_t self:capability { net_raw net_bind_service };
+dontaudit dhcpd_t self:capability  net_admin;
+
+# Allow access to the dhcpd file types
+type dhcp_state_t, file_type, sysadmfile;
+type dhcpd_state_t, file_type, sysadmfile;
+allow dhcpd_t dhcp_etc_t:file { read getattr };
+allow dhcpd_t dhcp_etc_t:dir search;
+file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file)
+
+allow dhcpd_t etc_t:lnk_file read;
+allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;
+
+# Allow dhcpd_t programs to execute themselves and bin_t (uname etc)
+can_exec(dhcpd_t, { dhcpd_exec_t bin_t })
+
+# Allow dhcpd_t to use packet sockets
+allow dhcpd_t self:packet_socket create_socket_perms;
+allow dhcpd_t self:rawip_socket create_socket_perms;
+
+# allow to run utilities and scripts
+allow dhcpd_t { bin_t sbin_t }:dir r_dir_perms;
+allow dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms;
+allow dhcpd_t self:fifo_file { read write getattr };
+
+# allow reading /proc
+allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
+tmp_domain(dhcpd)
+
+ifdef(`distro_gentoo', `
+allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+allow initrc_t dhcpd_state_t:file setattr;
+')
+r_dir_file(dhcpd_t, usr_t)
+allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;
+
+ifdef(`named.te', `
+allow dhcpd_t { named_conf_t named_zone_t }:dir search;
+allow dhcpd_t dnssec_t:file { getattr read };
+')
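Review bot: The header comment was copied from dhcpc.te without being updated: `# dhcpd_exec_t is the type of the dhcpdd executable.` has a doubled d, `# The dhcpd_t can be used for other DHCPC related files as well.` still says DHCPC, and `# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP` / `# server daemon rc scripts, runs in this domain.` does not parse. Suggest `# dhcpd_t is the domain for the server side of DHCP; dhcpd, the DHCP server daemon started by the rc scripts, runs in this domain.`, `# dhcpd_exec_t is the type of the dhcpd executable.` and `# dhcpd_t can be used for other DHCPD related files as well.`. `dhcpd_port_t` is bound on the first rule but not declared in this file, while `pxe_port_t` is declared under an ifdef guard; presumably the former comes from a shared port types file, and a one-line comment saying so would spare the next reader the search.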
diff --git a/strict/domains/program/dictd.te b/strict/domains/program/dictd.te
new file mode 100644
index 0000000..39df03a
--- /dev/null
+++ b/strict/domains/program/dictd.te
@@ -0,0 +1,49 @@
+#DESC Dictd - Dictionary daemon
+#
+# Authors:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: dictd
+#
+
+#################################
+#
+# Rules for the dictd_t domain.
+#
+# dictd_exec_t is the type of the dictd executable.
+#
+type dict_port_t, port_type;
+daemon_base_domain(dictd)
+type var_lib_dictd_t, file_type, sysadmfile;
+etc_domain(dictd)
+typealias dictd_etc_t alias etc_dictd_t;
+
+# for checking for nscd
+dontaudit dictd_t var_run_t:dir search;
+
+# read config files
+allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;
+
+read_locale(dictd_t)
+
+allow dictd_t { var_t var_lib_t }:dir search;
+allow dictd_t var_lib_dictd_t:dir r_dir_perms;
+allow dictd_t var_lib_dictd_t:file r_file_perms;
+
+allow dictd_t self:capability { setuid setgid };
+
+allow dictd_t usr_t:file r_file_perms;
+
+allow dictd_t self:process { setpgid fork sigchld };
+
+allow dictd_t proc_t:file r_file_perms;
+
+allow dictd_t dict_port_t:tcp_socket name_bind;
+
+allow dictd_t devtty_t:chr_file rw_file_perms;
+
+allow dictd_t self:unix_stream_socket create_stream_socket_perms;
+
+can_network_server(dictd_t)
+can_ypbind(dictd_t)
+can_tcp_connect(userdomain, dictd_t)
+
+allow dictd_t fs_t:filesystem getattr;
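Review bot: The type name `var_lib_dictd_t` inverts the `<domain>_var_lib_t` convention used elsewhere in this commit (the cyrus rules above use `cyrus_var_lib_t`), so a grep for `dictd_var_lib_t` finds nothing. Since the file already adds `typealias dictd_etc_t alias etc_dictd_t;` to reconcile the etc naming, the same pattern would fit here: `type dictd_var_lib_t, file_type, sysadmfile;` followed by `typealias dictd_var_lib_t alias var_lib_dictd_t;`, keeping the old name for any file_contexts entry that references it. The `setuid setgid` capability grant has no comment; if it is for dropping privileges after binding dict_port_t, say so.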
diff --git a/strict/domains/program/dmesg.te b/strict/domains/program/dmesg.te
new file mode 100644
index 0000000..9f9392e
--- /dev/null
+++ b/strict/domains/program/dmesg.te
@@ -0,0 +1,29 @@
+#DESC dmesg - control kernel ring buffer
+#
+# Author:  Dan Walsh dwalsh at redhat.com
+#
+# X-Debian-Packages: util-linux
+
+#################################
+#
+# Rules for the dmesg_t domain.
+#
+# dmesg_exec_t is the type of the dmesg executable.
+#
+# while sysadm_t has the sys_admin capability there is no point in using
+# dmesg_t when run from sysadm_t, so we use nosysadm.
+#
+daemon_base_domain(dmesg, , `nosysadm')
+
+#
+# Rules used for dmesg
+#
+allow dmesg_t self:capability sys_admin;
+allow dmesg_t kernel_t:system { syslog_read syslog_console syslog_mod };
+allow dmesg_t admin_tty_type:chr_file { getattr read write };
+allow dmesg_t sysadm_tty_device_t:chr_file ioctl;
+allow dmesg_t var_log_t:file { getattr write };
+read_locale(dmesg_t)
+
+# for when /usr is not mounted
+dontaudit dmesg_t file_t:dir search;
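Review bot: `allow dmesg_t var_log_t:file { getattr write };` grants write on every var_log_t file with no comment, which stands out in a domain whose other rules are narrowly about the kernel ring buffer and the admin tty. If this is for a boot script redirecting dmesg output into a log, a comment such as `# write to a log file descriptor inherited from the rc script — confirm` records that; if it is not needed on all distributions it could be guarded like the other distro-specific rules in this commit. A short comment on `syslog_mod` (clearing the ring buffer) and `syslog_console` (console level control) would likewise save the reader a trip to the kernel permission list.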
diff --git a/strict/domains/program/dovecot.te b/strict/domains/program/dovecot.te
new file mode 100644
index 0000000..9d91688
--- /dev/null
+++ b/strict/domains/program/dovecot.te
@@ -0,0 +1,55 @@
+#DESC Dovecot POP and IMAP servers
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: dovecot-imapd, dovecot-pop3d
+
+daemon_domain(dovecot, `, privhome')
+
+allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
+
+can_exec(dovecot_t, dovecot_exec_t)
+
+type dovecot_cert_t, file_type, sysadmfile;
+
+allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
+allow dovecot_t self:process setrlimit;
+can_network_tcp(dovecot_t)
+can_ypbind(dovecot_t)
+allow dovecot_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
+can_unix_connect(dovecot_t, self)
+
+allow dovecot_t etc_t:file { getattr read };
+allow dovecot_t initrc_var_run_t:file getattr;
+allow dovecot_t bin_t:dir { getattr search };
+can_exec(dovecot_t, bin_t)
+
+allow dovecot_t pop_port_t:tcp_socket name_bind;
+allow dovecot_t urandom_device_t:chr_file read;
+allow dovecot_t cert_t:dir search;
+allow dovecot_t dovecot_cert_t:file { getattr read };
+
+allow dovecot_t { self proc_t }:file { getattr read };
+allow dovecot_t self:fifo_file rw_file_perms;
+
+can_kerberos(dovecot_t)
+
+allow dovecot_t tmp_t:dir search;
+rw_dir_file(dovecot_t, mail_spool_t)
+allow dovecot_t mail_spool_t:lnk_file read;
+allow dovecot_t var_spool_t:dir { search };
+
+daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
+allow dovecot_auth_t self:process { fork signal_perms };
+allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+allow dovecot_auth_t self:fifo_file rw_file_perms;
+allow dovecot_auth_t urandom_device_t:chr_file { getattr read };
+allow dovecot_auth_t etc_t:file { getattr read };
+allow dovecot_auth_t { self proc_t }:file { getattr read };
+read_locale(dovecot_auth_t)
+read_sysctl(dovecot_auth_t)
+allow dovecot_auth_t sysctl_t:dir search;
+dontaudit dovecot_auth_t selinux_config_t:dir search;
+
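Review bot: The `self:capability` line grants `dac_override dac_read_search chown ... sys_chroot` without any comment, and this file is also the only daemon file on the page without the usual `# Rules for the <domain>_t domain.` header block. Given `privhome` on the `daemon_domain` call, the DAC capabilities presumably exist so the daemon can reach users' mailboxes before dropping privileges, but that is an inference and should be written as one: `# dac_override/dac_read_search: access user mail under home dirs before switching uid — confirm`. The rule `allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };` together with `can_unix_connect(dovecot_t, self)` shows the auth helper accepts on a socket created by dovecot_t; a comment naming that relationship next to the `daemon_sub_domain` call would make the `auth_chkpwd` grant easier to audit.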
diff --git a/strict/domains/program/fetchmail.te b/strict/domains/program/fetchmail.te
new file mode 100644
index 0000000..d87c11f
--- /dev/null
+++ b/strict/domains/program/fetchmail.te
@@ -0,0 +1,28 @@
+#DESC fetchmail - remote-mail retrieval utility
+#
+# Author: Greg Norris <haphazard at kc.rr.com>
+# X-Debian-Packages: fetchmail
+#
+# Note: This policy is only required when running fetchmail in daemon mode.
+
+#################################
+#
+# Rules for the fetchmail_t domain.
+#
+daemon_domain(fetchmail);
+type fetchmail_etc_t, file_type, sysadmfile;
+type fetchmail_uidl_cache_t, file_type, sysadmfile;
+
+# misc. requirements
+allow fetchmail_t self:process setrlimit;
+
+# network-related goodies
+can_network(fetchmail_t)
+allow fetchmail_t self:unix_dgram_socket create_socket_perms;
+allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
+
+# file access
+allow fetchmail_t etc_t:file r_file_perms;
+allow fetchmail_t fetchmail_etc_t:file r_file_perms;
+allow fetchmail_t mail_spool_t:dir search;
+file_type_auto_trans(fetchmail_t, mail_spool_t, fetchmail_uidl_cache_t, file)
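Review bot: `daemon_domain(fetchmail);` carries a trailing semicolon that no other macro invocation on this page has; m4 leaves it in the expanded policy after the macro's last rule, and unless the macro output happens to tolerate an empty statement this will be a checkpolicy syntax error. Change it to `daemon_domain(fetchmail)`. The `fetchmail_etc_t` and `fetchmail_uidl_cache_t` types could also use a one-line comment each saying which file they label, consistent with the `# file access` grouping below them.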
diff --git a/strict/domains/program/fingerd.te b/strict/domains/program/fingerd.te
new file mode 100644
index 0000000..86705eb
--- /dev/null
+++ b/strict/domains/program/fingerd.te
@@ -0,0 +1,82 @@
+#DESC Fingerd - Finger daemon
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
+#
+
+#################################
+#
+# Rules for the fingerd_t domain.
+#
+# fingerd_exec_t is the type of the fingerd executable.
+#
+daemon_domain(fingerd)
+
+type fingerd_port_t, port_type, reserved_port_type;
+etcdir_domain(fingerd)
+typealias fingerd_etc_t alias etc_fingerd_t;
+
+allow fingerd_t etc_t:lnk_file read;
+allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };
+
+log_domain(fingerd)
+system_crond_entry(fingerd_exec_t, fingerd_t)
+ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')
+
+allow fingerd_t fingerd_port_t:tcp_socket name_bind;
+ifdef(`inetd.te', `
+allow inetd_t fingerd_port_t:tcp_socket name_bind;
+# can be run from inetd
+domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
+allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
+')
+ifdef(`tcpd.te', `
+domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
+')
+
+allow fingerd_t self:capability { setgid setuid };
+# for gzip from logrotate
+dontaudit fingerd_t self:capability fsetid;
+
+# cfingerd runs shell scripts
+allow fingerd_t { bin_t sbin_t }:dir search;
+allow fingerd_t bin_t:lnk_file read;
+can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
+allow fingerd_t devtty_t:chr_file { read write };
+
+allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
+
+# Use the network.
+can_network_server(fingerd_t)
+can_ypbind(fingerd_t)
+
+allow fingerd_t self:unix_dgram_socket create_socket_perms;
+allow fingerd_t self:unix_stream_socket create_socket_perms;
+allow fingerd_t self:fifo_file { read write getattr };
+
+# allow any user domain to connect to the finger server
+can_tcp_connect(userdomain, fingerd_t)
+
+# for .finger, .plan. etc
+allow fingerd_t { home_root_t user_home_dir_type }:dir search;
+# should really have a different type for .plan etc
+allow fingerd_t user_home_type:file { getattr read };
+# stop it accessing sub-directories, prevents checking a Maildir for new mail,
+# have to change this when we create a type for Maildir
+dontaudit fingerd_t user_home_t:dir search;
+
+# for mail
+allow fingerd_t { var_spool_t mail_spool_t }:dir search;
+allow fingerd_t mail_spool_t:file getattr;
+allow fingerd_t mail_spool_t:lnk_file read;
+
+# see who is logged in and when users last logged in
+allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
+dontaudit fingerd_t initrc_var_run_t:file lock;
+allow fingerd_t devpts_t:dir search;
+allow fingerd_t ptyfile:chr_file getattr;
+
+allow fingerd_t proc_t:file { read getattr };
+
+# for date command
+read_sysctl(fingerd_t)
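Review bot: `allow fingerd_t ptyfile:chr_file getattr;` near the end is already covered by `allow fingerd_t { ttyfile ptyfile }:chr_file getattr;` earlier in the file and can be dropped. The rule `allow fingerd_t user_home_type:file { getattr read };` exposes every top-level file in users' home directories to a network-facing daemon; the inline comment admits a dedicated type for .plan/.project is wanted, and that limitation is worth promoting to the header comment so it is visible to whoever deploys this with `can_tcp_connect(userdomain, fingerd_t)` enabled. The `dontaudit fingerd_t user_home_t:dir search;` rule is the mitigation that keeps it to top-level files, and its comment could say so explicitly.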
diff --git a/strict/domains/program/firstboot.te b/strict/domains/program/firstboot.te
new file mode 100644
index 0000000..37b107d
--- /dev/null
+++ b/strict/domains/program/firstboot.te
@@ -0,0 +1,131 @@
+#DESC firstboot
+#
+# Author:  Dan Walsh <dwalsh at redhat.com>
+# X-Debian-Packages: firstboot
+#
+
+#################################
+#
+# Rules for the firstboot_t domain.
+#
+# firstboot_exec_t is the type of the firstboot executable.
+#
+application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer')
+type firstboot_rw_t, file_type, sysadmfile;
+role system_r types firstboot_t;
+
+ifdef(`xserver.te', `
+domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
+')
+
+etc_domain(firstboot)
+
+allow firstboot_t proc_t:file r_file_perms;
+
+allow firstboot_t urandom_device_t:chr_file { getattr read };
+allow firstboot_t proc_t:file { getattr read write };
+
+domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
+file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
+
+can_exec_any(firstboot_t)
+domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
+domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
+allow firstboot_t etc_runtime_t:file { getattr read };
+
+r_dir_file(firstboot_t, etc_t)
+
+allow firstboot_t firstboot_rw_t:dir create_dir_perms;
+allow firstboot_t firstboot_rw_t:file create_file_perms;
+allow firstboot_t self:fifo_file { getattr read write };
+allow firstboot_t self:process { fork sigchld };
+allow firstboot_t self:unix_stream_socket { connect create };
+allow firstboot_t initrc_exec_t:file { getattr read };
+allow firstboot_t initrc_var_run_t:file r_file_perms;
+allow firstboot_t lib_t:file { getattr read };
+allow firstboot_t local_login_t:fd use;
+read_locale(firstboot_t)
+
+allow firstboot_t proc_t:dir search;
+allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
+allow firstboot_t usr_t:file r_file_perms;
+
+allow firstboot_t etc_t:file write;
+
+# Allow write to utmp file
+allow firstboot_t initrc_var_run_t:file write;
+
+allow firstboot_t krb5_conf_t:file { getattr read };
+allow firstboot_t net_conf_t:file { getattr read };
+
+ifdef(`samba.te', `
+rw_dir_file(firstboot_t, samba_etc_t)
+')
+
+dontaudit firstboot_t shadow_t:file getattr;
+
+role system_r types initrc_t;
+#role_transition firstboot_r initrc_exec_t system_r;
+domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)
+
+allow firstboot_t self:passwd rootok;
+
+ifdef(`userhelper.te', `
+role system_r types sysadm_userhelper_t;
+domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
+ifdef(`consoletype.te', `
+allow consoletype_t devtty_t:chr_file { read write };
+allow consoletype_t etc_t:file { getattr read };
+allow consoletype_t firstboot_t:fd use;
+')
+
+allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
+
+allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:dir search;
+allow firstboot_t self:file { read write };
+allow firstboot_t self:lnk_file read;
+can_setfscreate(firstboot_t)
+allow firstboot_t krb5_conf_t:file rw_file_perms;
+
+allow firstboot_t modules_conf_t:file { getattr read };
+allow firstboot_t modules_dep_t:file { getattr read };
+allow firstboot_t modules_object_t:dir search;
+allow firstboot_t net_conf_t:file rw_file_perms;
+allow firstboot_t netif_lo_t:netif { tcp_recv tcp_send };
+allow firstboot_t node_t:node { tcp_recv tcp_send };
+
+allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
+allow firstboot_t proc_t:lnk_file read;
+
+can_getsecurity(firstboot_t)
+
+dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
+read_sysctl(firstboot_t)
+
+allow firstboot_t var_run_t:dir getattr;
+allow firstboot_t var_t:dir getattr;
+allow hostname_t devtty_t:chr_file { read write };
+allow hostname_t firstboot_t:fd use;
+ifdef(`iptables.te', `
+allow iptables_t devtty_t:chr_file { read write };
+allow iptables_t firstboot_t:fd use;
+allow iptables_t firstboot_t:fifo_file write;
+')
+can_network_server(firstboot_t)
+can_ypbind(firstboot_t)
+ifdef(`printconf.te', `
+can_exec(firstboot_t, printconf_t)
+')
+create_dir_file(firstboot_t, var_t)
+# Add/remove user home directories
+file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
+file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
+
+#
+# The big hammer
+#
+unconfined_domain(firstboot_t) 
+
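Review bot: `unconfined_domain(firstboot_t)` on the last rule makes the roughly one hundred targeted allow rules above it dead weight and gives a reader the false impression that firstboot_t is confined; either the macro should go, or the header should state up front that the domain is unconfined and the detailed rules are retained only as a record of what a confined version would need. The two `hostname_t` rules (`allow hostname_t devtty_t:chr_file { read write };` and `allow hostname_t firstboot_t:fd use;`) are not wrapped in `ifdef(`hostname.te', `...')` the way the neighbouring iptables and consoletype rules are, so a build without hostname.te fails on an undeclared type. `role system_r types initrc_t;` and `role system_r types sysadm_userhelper_t;` declare roles for other domains from this file; a comment saying why they live here would help.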
diff --git a/strict/domains/program/fs_daemon.te b/strict/domains/program/fs_daemon.te
new file mode 100644
index 0000000..6ec6da0
--- /dev/null
+++ b/strict/domains/program/fs_daemon.te
@@ -0,0 +1,26 @@
+#DESC file system daemons
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: smartmontools
+
+daemon_domain(fsdaemon, `, fs_domain, privmail')
+allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
+allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
+
+# for config
+allow fsdaemon_t etc_t:file { getattr read };
+
+allow fsdaemon_t device_t:dir read;
+allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
+allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
+allow fsdaemon_t etc_runtime_t:file { getattr read };
+
+can_exec_any(fsdaemon_t)
+allow fsdaemon_t self:fifo_file rw_file_perms;
+can_network_udp(fsdaemon_t)
+tmp_domain(fsdaemon)
+allow system_mail_t fsdaemon_tmp_t:file { getattr ioctl read };
+
+dontaudit fsdaemon_t devpts_t:dir search;
+allow fsdaemon_t proc_t:file { getattr read };
+dontaudit system_mail_t fixed_disk_device_t:blk_file read;
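Review bot: `can_exec_any(fsdaemon_t)` and the `sys_rawio sys_admin` capabilities are granted without comment in a domain that also has raw read/write on `fixed_disk_device_t`, which is a large privilege set to leave unexplained. The listed package (smartmontools) can run external scripts and mail on disk events, which the `privmail` attribute and the `system_mail_t` rules at the bottom suggest is the use case; a comment such as `# can_exec_any: smartd runs user-supplied notification scripts — confirm` would record that. The final `dontaudit system_mail_t fixed_disk_device_t:blk_file read;` also deserves a note that the mailer inherits the disk descriptor rather than needing it.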
diff --git a/strict/domains/program/fsadm.te b/strict/domains/program/fsadm.te
new file mode 100644
index 0000000..6ae2a67
--- /dev/null
+++ b/strict/domains/program/fsadm.te
@@ -0,0 +1,117 @@
+#DESC Fsadm - Disk and file system administration
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
+#
+
+#################################
+#
+# Rules for the fsadm_t domain.
+#
+# fsadm_t is the domain for disk and file system
+# administration.
+# fsadm_exec_t is the type of the corresponding programs.
+#
+type fsadm_t, domain, privlog, fs_domain;
+role system_r types fsadm_t;
+role sysadm_r types fsadm_t;
+
+general_domain_access(fsadm_t)
+
+# for swapon
+allow fsadm_t sysfs_t:dir { search getattr };
+
+# Read system information files in /proc.
+r_dir_file(fsadm_t, proc_t)
+
+# Read system variables in /proc/sys
+read_sysctl(fsadm_t)
+
+# for /dev/shm
+allow fsadm_t tmpfs_t:dir { getattr search };
+
+base_file_read_access(fsadm_t)
+
+# Read /etc.
+allow fsadm_t etc_t:dir r_dir_perms;
+allow fsadm_t etc_t:notdevfile_class_set r_file_perms;
+
+# Read module-related files.
+allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
+
+# Read /dev directories and any symbolic links.
+allow fsadm_t device_t:dir r_dir_perms;
+allow fsadm_t device_t:lnk_file r_file_perms;
+
+uses_shlib(fsadm_t)
+
+type fsadm_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
+domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
+
+tmp_domain(fsadm)
+
+# remount file system to apply changes
+allow fsadm_t fs_t:filesystem remount;
+
+allow fsadm_t fs_t:filesystem getattr;
+
+# mkreiserfs needs this
+allow fsadm_t proc_t:filesystem getattr;
+
+# mkreiserfs and other programs need this for UUID
+allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
+
+# Use capabilities.  ipc_lock is for losetup
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
+
+# Write to /etc/mtab.
+file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
+
+# Inherit and use descriptors from init.
+allow fsadm_t init_t:fd use;
+
+# Run other fs admin programs in the fsadm_t domain.
+can_exec(fsadm_t, fsadm_exec_t)
+
+# Access disk devices.
+allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
+allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
+allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
+
+# Access lost+found.
+allow fsadm_t lost_found_t:dir create_dir_perms;
+allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
+allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
+
+allow fsadm_t file_t:dir { search read getattr rmdir create };
+
+# Recreate /mnt/cdrom. 
+allow fsadm_t mnt_t:dir { search read getattr rmdir create };
+
+# Recreate /dev/cdrom.
+allow fsadm_t device_t:dir rw_dir_perms;
+allow fsadm_t device_t:lnk_file { unlink create };
+
+# Enable swapping to devices and files
+allow fsadm_t swapfile_t:file { getattr swapon };
+allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
+
+# Allow console log change (updfstab)
+allow fsadm_t kernel_t:system syslog_console;
+
+# Access terminals.
+allow fsadm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
+allow fsadm_t privfd:fd use;
+allow fsadm_t devpts_t:dir { getattr search };
+
+read_locale(fsadm_t)
+
+# for smartctl cron jobs
+system_crond_entry(fsadm_exec_t, fsadm_t)
+
+# Access to /initrd devices
+allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
+allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
+allow fsadm_t usbfs_t:dir { getattr search };
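Review bot: `allow fsadm_t file_t:dir { search read getattr rmdir create };` is the only rule in this block with no why-comment, while its neighbours (`# Recreate /mnt/cdrom.`, `# Recreate /dev/cdrom.`) each have one, and it partly overlaps the later `allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;` under `# Access to /initrd devices`. Suggest either merging the two into the initrd block or adding a comment naming the unlabeled directories it is meant for. The `ipc_lock` capability is the only one of the four on the capability line that is explained; `sys_rawio` and `sys_admin` are large enough to warrant a word each (raw disk access, mount/remount).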
diff --git a/strict/domains/program/ftpd.te b/strict/domains/program/ftpd.te
new file mode 100644
index 0000000..938899a
--- /dev/null
+++ b/strict/domains/program/ftpd.te
@@ -0,0 +1,116 @@
+#DESC Ftpd - Ftp daemon
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
+#
+
+#################################
+#
+# Rules for the ftpd_t domain 
+#
+type ftp_port_t, port_type, reserved_port_type;
+type ftp_data_port_t, port_type, reserved_port_type;
+daemon_domain(ftpd, `, auth_chkpwd')
+etc_domain(ftpd)
+typealias ftpd_etc_t alias etc_ftpd_t;
+
+can_network(ftpd_t)
+allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
+allow ftpd_t self:unix_stream_socket create_socket_perms;
+allow ftpd_t self:process { getcap setcap setsched setrlimit };
+allow ftpd_t self:fifo_file rw_file_perms;
+
+allow ftpd_t bin_t:dir search;
+can_exec(ftpd_t, bin_t)
+allow ftpd_t bin_t:lnk_file read;
+read_sysctl(ftpd_t)
+
+allow ftpd_t urandom_device_t:chr_file { getattr read };
+
+ifdef(`crond.te', `
+system_crond_entry(ftpd_exec_t, ftpd_t)
+allow system_crond_t xferlog_t:file r_file_perms;
+can_exec(ftpd_t, { sbin_t shell_exec_t })
+allow ftpd_t usr_t:file { getattr read };
+ifdef(`logrotate.te', `
+can_exec(ftpd_t, logrotate_exec_t)
+')dnl end if logrotate.te
+')dnl end if crond.te
+
+allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
+allow ftpd_t port_t:tcp_socket name_bind;
+
+# Allow ftpd to run directly without inetd.
+bool ftpd_is_daemon false;
+if (ftpd_is_daemon) {
+rw_dir_create_file(ftpd_t, var_lock_t)
+allow ftpd_t ftp_port_t:tcp_socket name_bind;
+can_tcp_connect(userdomain, ftpd_t)
+# Allows it to check exec privs on daemon
+allow inetd_t ftpd_exec_t:file x_file_perms;
+}
+ifdef(`inetd.te', `
+if (!ftpd_is_daemon) {
+ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
+domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
+
+# Use sockets inherited from inetd.
+allow ftpd_t inetd_t:fd use;
+allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
+
+# Send SIGCHLD to inetd on death.
+allow ftpd_t inetd_t:process sigchld;
+}
+') dnl end inetd.te
+
+# Access shared memory tmpfs instance.
+tmpfs_domain(ftpd)
+
+# Use capabilities.
+allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
+
+# Append to /var/log/wtmp.
+allow ftpd_t wtmp_t:file { getattr append };
+#kerberized ftp requires the following
+allow ftpd_t wtmp_t:file { write lock };
+
+# Create and modify /var/log/xferlog.
+type xferlog_t, file_type, sysadmfile, logfile;
+file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)
+
+# Execute /bin/ls (can comment this out for proftpd)
+# also may need rules to allow tar etc...
+can_exec(ftpd_t, ls_exec_t)
+
+allow initrc_t ftpd_etc_t:file { getattr read };
+allow ftpd_t { etc_t etc_runtime_t }:file { getattr read };
+allow ftpd_t proc_t:file { getattr read };
+
+dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
+dontaudit ftpd_t selinux_config_t:dir search;
+allow ftpd_t autofs_t:dir search;
+allow ftpd_t self:file { getattr read };
+tmp_domain(ftpd)
+
+# Allow ftp to read/write files in the user home directories.
+bool ftp_home_dir false;
+
+if (ftp_home_dir) {
+# allow access to /home
+allow ftpd_t home_root_t:dir { getattr search };
+}
+if (use_nfs_home_dirs && ftp_home_dir) {
+	r_dir_file(ftpd_t, nfs_t)
+}
+if (use_samba_home_dirs && ftp_home_dir) {
+	r_dir_file(ftpd_t, cifs_t)
+}
+dontaudit ftpd_t selinux_config_t:dir search;
+#
+# Type for access to anon ftp
+#
+type ftpd_anon_t, file_type, sysadmfile, customizable;
+r_dir_file(ftpd_t,ftpd_anon_t)
+type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
+create_dir_file(ftpd_t,ftpd_anon_rw_t)
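Review bot: `allow inetd_t ftpd_exec_t:file x_file_perms;` inside the `if (ftpd_is_daemon)` block references inetd_t without the `ifdef(`inetd.te', ...)` guard that the block immediately below uses, so a build that omits inetd.te fails on an undeclared type even though the rule is only meaningful when inetd exists. Moving that line into the guarded section (or wrapping it in `ifdef(`inetd.te', `allow inetd_t ftpd_exec_t:file x_file_perms;')`) fixes it, and its comment `# Allows it to check exec privs on daemon` would read better as `# inetd stats the daemon binary even when ftpd runs standalone`. `dontaudit ftpd_t selinux_config_t:dir search;` appears twice and one copy can go. `use_nfs_home_dirs` and `use_samba_home_dirs` are used but not declared here; presumably global booleans, and a comment saying so would help.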
diff --git a/strict/domains/program/games.te b/strict/domains/program/games.te
new file mode 100644
index 0000000..6129631
--- /dev/null
+++ b/strict/domains/program/games.te
@@ -0,0 +1,17 @@
+#DESC Games - Miscellaneous games
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: bsdgames
+#
+
+# type for shared data from games
+type games_data_t, file_type, sysadmfile;
+
+# domain games_t is for system operation of games, generic games daemons and
+# games recovery scripts, also defines games_exec_t
+daemon_domain(games,,nosysadm)
+rw_dir_create_file(games_t, games_data_t)
+r_dir_file(initrc_t, games_data_t)
+
+# Everything else is in the x_client_domain macro in
+# macros/program/x_client_macros.te.
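Review bot: `daemon_domain(games,,nosysadm)` passes the third argument unquoted, whereas dmesg.te in the same commit writes the equivalent as `` `nosysadm' ``; with m4, an unquoted token is subject to expansion if a macro of that name is ever defined, so the quoted form is the safer and more consistent one. Suggest `daemon_domain(games, , `nosysadm')`. The comment above it says the macro "also defines games_exec_t", which is helpful; the `r_dir_file(initrc_t, games_data_t)` line could use a similar one-liner stating which rc script reads the shared data.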
diff --git a/strict/domains/program/getty.te b/strict/domains/program/getty.te
new file mode 100644
index 0000000..745d52e
--- /dev/null
+++ b/strict/domains/program/getty.te
@@ -0,0 +1,60 @@
+#DESC Getty - Manage ttys
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
+#
+
+#################################
+#
+# Rules for the getty_t domain.
+#
+init_service_domain(getty, `, privfd')
+
+etcdir_domain(getty)
+typealias getty_etc_t alias etc_getty_t;
+
+allow getty_t console_device_t:chr_file setattr;
+
+tmp_domain(getty)
+log_domain(getty)
+
+allow getty_t { etc_t etc_runtime_t }:file { getattr read };
+allow getty_t etc_t:lnk_file read;
+allow getty_t self:process { getpgid getsession };
+allow getty_t self:unix_dgram_socket create_socket_perms;
+allow getty_t self:unix_stream_socket create_socket_perms;
+
+# to allow w to display everyone...
+bool user_ttyfile_stat false;
+if (user_ttyfile_stat) {
+allow userdomain ttyfile:chr_file getattr;
+}
+
+# Use capabilities.
+allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
+
+# fbgetty needs fsetid for some reason
+#allow getty_t self:capability fsetid;
+
+read_locale(getty_t)
+
+# Run login in local_login_t domain.
+allow getty_t bin_t:dir search;
+domain_auto_trans(getty_t, login_exec_t, local_login_t)
+
+# Write to /var/run/utmp.
+allow getty_t { var_t var_run_t }:dir search;
+allow getty_t initrc_var_run_t:file rw_file_perms;
+
+# Write to /var/log/wtmp.
+allow getty_t wtmp_t:file rw_file_perms;
+
+# Chown, chmod, read and write ttys.
+allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
+allow getty_t ttyfile:chr_file { setattr rw_file_perms };
+
+# for error condition handling
+allow getty_t fs_t:filesystem getattr;
+
+rw_dir_create_file(getty_t, var_lock_t)
+r_dir_file(getty_t, sysfs_t)
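Review bot: The `bool user_ttyfile_stat` declaration and its `allow userdomain ttyfile:chr_file getattr;` rule concern userdomain, not getty_t, and are easy to miss in a getty file; the comment `# to allow w to display everyone...` explains the purpose but not why it lives here. Either move the pair to the user domain definitions or add `# placed here because ttyfile is the getty-managed tty type` if that is the reason. The capability line `{ dac_override chown sys_resource sys_tty_config }` has no per-capability note, unlike the commented-out `fsetid` line right after it; chown at least is explained by the `# Chown, chmod, read and write ttys.` block further down and could reference it.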
diff --git a/strict/domains/program/gnome-pty-helper.te b/strict/domains/program/gnome-pty-helper.te
new file mode 100644
index 0000000..084aa68
--- /dev/null
+++ b/strict/domains/program/gnome-pty-helper.te
@@ -0,0 +1,11 @@
+#DESC Gnome Terminal - Helper program for GNOME x-terms
+#
+# Domains for the gnome-pty-helper program.
+# X-Debian-Packages: gnome-terminal
+#
+
+# Type for the gnome-pty-helper executable.
+type gph_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the gph_domain macro in
+# macros/program/gph_macros.te.
diff --git a/strict/domains/program/gpg-agent.te b/strict/domains/program/gpg-agent.te
new file mode 100644
index 0000000..2942c6c
--- /dev/null
+++ b/strict/domains/program/gpg-agent.te
@@ -0,0 +1,13 @@
+#DESC gpg-agent - agent to securely store gpg-keys
+#
+# Author: Thomas Bleher <ThomasBleher at gmx.de>
+#
+
+# Type for the gpg-agent executable.
+type gpg_agent_exec_t, file_type, exec_type, sysadmfile;
+
+# type for the pinentry executable
+type pinentry_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in the gpg_agent_domain macro in
+# macros/program/gpg_agent_macros.te.
diff --git a/strict/domains/program/gpg.te b/strict/domains/program/gpg.te
new file mode 100644
index 0000000..65e2ca5
--- /dev/null
+++ b/strict/domains/program/gpg.te
@@ -0,0 +1,18 @@
+#DESC GPG - Gnu Privacy Guard (PGP replacement)
+#
+# Authors:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: gnupg
+#
+
+# Type for gpg or pgp executables.
+type gpg_exec_t, file_type, sysadmfile, exec_type;
+type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
+
+allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
+allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
+
+# Allow gpg exec stack
+bool allow_gpg_execstack false;
+
+# Everything else is in the gpg_domain macro in
+# macros/program/gpg_macros.te.
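Review bot: The `allow_gpg_execstack` boolean is declared here but nothing in this file tests it, so a reader cannot tell where it takes effect; since the trailing comment says the rest of the domain lives in the gpg_domain macro, the boolean's comment should say the same, e.g. `# Allow gpg exec stack (tested inside the gpg_domain macro in macros/program/gpg_macros.te)`. The two `allow sysadm_gpg_t ...` rules reference a type that is presumably created by that macro for the sysadm role only; if other roles obtain gpg domains through the same macro, the equivalent home-directory and pty rules for them are not in this file (TODO confirm against the macro).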
diff --git a/strict/domains/program/gpm.te b/strict/domains/program/gpm.te
new file mode 100644
index 0000000..ff81d69
--- /dev/null
+++ b/strict/domains/program/gpm.te
@@ -0,0 +1,45 @@
+#DESC Gpm - General Purpose Mouse driver
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: gpm
+#
+
+#################################
+#
+# Rules for the gpm_t domain.
+#
+# gpm_t is the domain of the console mouse server.
+# gpm_exec_t is the type of the console mouse server program.
+# gpmctl_t is the type of the Unix domain socket or pipe created
+# by the console mouse server.
+#
+daemon_domain(gpm)
+
+type gpmctl_t, file_type, sysadmfile, dev_fs;
+
+tmp_domain(gpm)
+
+# Allow to read the /etc/gpm/ conf files
+type gpm_conf_t, file_type, sysadmfile;
+r_dir_file(gpm_t, gpm_conf_t)
+
+# Use capabilities.
+allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
+
+# Create and bind to /dev/gpmctl.
+file_type_auto_trans(gpm_t, device_t, gpmctl_t, { sock_file fifo_file })
+allow gpm_t gpmctl_t:unix_stream_socket name_bind;
+allow gpm_t self:unix_dgram_socket create_socket_perms;
+allow gpm_t self:unix_stream_socket create_stream_socket_perms;
+
+# Read and write ttys.
+allow gpm_t tty_device_t:chr_file rw_file_perms;
+
+# Access the mouse.
+allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
+allow gpm_t device_t:lnk_file { getattr read };
+
+read_locale(gpm_t)
+
+allow initrc_t gpmctl_t:sock_file setattr;
+
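Review bot: `allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };` grants sys_admin, one of the broadest capabilities, under the generic "Use capabilities." comment with no indication of which gpm operation requires it. If it is only probed, a `dontaudit` would be the safer form; otherwise a comment naming the operation is warranted, e.g. `# sys_admin: TODO record which gpm call needs this; dontaudit it if it is only probed`. The closing rule `allow initrc_t gpmctl_t:sock_file setattr;` also has no comment explaining why the init scripts, rather than gpm itself, adjust the control socket.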
diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te
new file mode 100644
index 0000000..95ebff9
--- /dev/null
+++ b/strict/domains/program/hald.te
@@ -0,0 +1,74 @@
+#DESC hald - server for device info
+#
+# Author:  Russell Coker <rcoker at redhat.com>
+# X-Debian-Packages: 
+#
+
+#################################
+#
+# Rules for the hald_t domain.
+#
+# hald_exec_t is the type of the hald executable.
+#
+daemon_domain(hald, `, fs_domain, nscd_client_domain')
+
+can_exec_any(hald_t)
+
+allow hald_t { etc_t etc_runtime_t }:file { getattr read };
+allow hald_t self:unix_stream_socket create_stream_socket_perms;
+allow hald_t self:unix_dgram_socket create_socket_perms;
+
+ifdef(`dbusd.te', `
+allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
+dbusd_client(system, hald)
+allow hald_t self:dbus send_msg;
+')
+
+allow hald_t { self proc_t }:file { getattr read };
+
+allow hald_t { bin_t sbin_t }:dir search;
+allow hald_t self:fifo_file rw_file_perms;
+allow hald_t usr_t:file { getattr read };
+
+allow hald_t bin_t:file getattr;
+allow hald_t self:netlink_route_socket r_netlink_socket_perms;
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
+can_network_server(hald_t)
+can_ypbind(hald_t)
+
+allow hald_t device_t:lnk_file read;
+allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
+allow hald_t removable_device_t:blk_file write;
+allow hald_t event_device_t:chr_file { getattr read ioctl };
+allow hald_t printer_device_t:chr_file rw_file_perms;
+allow hald_t urandom_device_t:chr_file read;
+
+ifdef(`updfstab.te', `
+domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
+allow updfstab_t hald_t:dbus send_msg;
+allow hald_t updfstab_t:dbus send_msg;
+')
+ifdef(`udev.te', `
+domain_auto_trans(hald_t, udev_exec_t, udev_t)
+allow udev_t hald_t:unix_dgram_socket sendto;
+allow hald_t udev_tbl_t:file { getattr read };
+')
+
+ifdef(`hotplug.te', `
+r_dir_file(hald_t, hotplug_etc_t)
+')
+allow hald_t usbdevfs_t:dir search;
+allow hald_t usbdevfs_t:file { getattr read };
+allow hald_t usbfs_t:dir search;
+allow hald_t usbfs_t:file { getattr read };
+allow hald_t bin_t:lnk_file read;
+r_dir_file(hald_t, { selinux_config_t default_context_t } )
+allow hald_t initrc_t:dbus send_msg;
+allow initrc_t hald_t:dbus send_msg;
+allow hald_t etc_runtime_t:file rw_file_perms;
+allow hald_t var_lib_t:dir search;
+allow hald_t device_t:dir create_dir_perms;
+allow hald_t device_t:chr_file create_file_perms;
+tmp_domain(hald)
+allow hald_t mnt_t:dir search;
+r_dir_file(hald_t, proc_net_t)
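Review bot: `can_exec_any(hald_t)` together with `mknod` in the capability set and `allow hald_t device_t:dir create_dir_perms; allow hald_t device_t:chr_file create_file_perms;` lets hald execute any executable type and create device nodes that, with no type transition visible here, keep the generic `device_t` type, yet none of these rules says which hald feature needs them. Everything from `allow hald_t usbdevfs_t:dir search;` to the end of the hunk is uncommented, unlike the first half of the file. At minimum the device-node rules deserve a note such as `# creates nodes under /dev; they stay device_t, so no dedicated type constrains them`, and the `X-Debian-Packages:` header line is left empty.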
diff --git a/strict/domains/program/hostname.te b/strict/domains/program/hostname.te
new file mode 100644
index 0000000..575833c
--- /dev/null
+++ b/strict/domains/program/hostname.te
@@ -0,0 +1,28 @@
+#DESC hostname - show or set the system host name
+#
+# Author: Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: hostname
+
+# for setting the hostname
+daemon_base_domain(hostname, , nosysadm)
+role sysadm_r types hostname_t;
+
+allow hostname_t self:capability sys_admin;
+allow hostname_t etc_t:file { getattr read };
+
+allow hostname_t { user_tty_type admin_tty_type }:chr_file { getattr read write };
+read_locale(hostname_t)
+can_resolve(hostname_t)
+allow hostname_t userdomain:fd use;
+dontaudit hostname_t kernel_t:fd use;
+allow hostname_t net_conf_t:file { getattr read };
+allow hostname_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit hostname_t var_t:dir search;
+allow hostname_t fs_t:filesystem getattr;
+
+# for when /usr is not mounted
+dontaudit hostname_t file_t:dir search;
+
+ifdef(`distro_redhat', `
+allow hostname_t tmpfs_t:chr_file rw_file_perms;
+')
diff --git a/strict/domains/program/hotplug.te b/strict/domains/program/hotplug.te
new file mode 100644
index 0000000..7fd6a39
--- /dev/null
+++ b/strict/domains/program/hotplug.te
@@ -0,0 +1,163 @@
+#DESC Hotplug - Hardware event manager
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: hotplug
+#
+
+#################################
+#
+# Rules for the hotplug_t domain.
+#
+# hotplug_exec_t is the type of the hotplug executable.
+#
+ifdef(`unlimitedUtils', `
+daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer')
+', `
+daemon_domain(hotplug, `, privmodule')
+')
+
+etcdir_domain(hotplug)
+
+allow hotplug_t self:fifo_file { read write getattr ioctl };
+allow hotplug_t self:unix_dgram_socket create_socket_perms;
+allow hotplug_t self:unix_stream_socket create_socket_perms;
+allow hotplug_t self:udp_socket create_socket_perms;
+
+read_sysctl(hotplug_t)
+allow hotplug_t sysctl_net_t:dir r_dir_perms;
+allow hotplug_t sysctl_net_t:file { getattr read };
+
+# get info from /proc
+r_dir_file(hotplug_t, proc_t)
+allow hotplug_t self:file { getattr read };
+
+allow hotplug_t devtty_t:chr_file rw_file_perms;
+
+allow hotplug_t device_t:dir r_dir_perms;
+
+# for SSP
+allow hotplug_t urandom_device_t:chr_file read;
+
+allow hotplug_t { bin_t sbin_t }:dir search;
+allow hotplug_t { bin_t sbin_t }:lnk_file read;
+can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
+ifdef(`hostname.te', `
+can_exec(hotplug_t, hostname_exec_t)
+dontaudit hostname_t hotplug_t:fd use;
+')
+ifdef(`netutils.te', `
+ifdef(`distro_redhat', `
+# for arping used for static IP addresses on PCMCIA ethernet
+domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
+
+allow hotplug_t tmpfs_t:dir search;
+allow hotplug_t tmpfs_t:chr_file rw_file_perms;
+')dnl end if distro_redhat
+')dnl end if netutils.te
+
+allow initrc_t usbdevfs_t:file { getattr read ioctl };
+allow initrc_t modules_dep_t:file { getattr read ioctl };
+r_dir_file(hotplug_t, usbdevfs_t)
+allow hotplug_t usbfs_t:dir r_dir_perms;
+allow hotplug_t usbfs_t:file { getattr read };
+
+# read config files
+allow hotplug_t etc_t:dir r_dir_perms;
+allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
+
+allow hotplug_t kernel_t:process sigchld;
+
+ifdef(`distro_redhat', `
+allow hotplug_t var_lock_t:dir search;
+allow hotplug_t var_lock_t:file getattr;
+')
+
+ifdef(`hald.te', `
+allow hotplug_t hald_t:unix_dgram_socket sendto;
+allow hald_t hotplug_etc_t:dir search;
+allow hald_t hotplug_etc_t:file { getattr read };
+')
+
+# for killall
+allow hotplug_t self:process { getsession getattr };
+allow hotplug_t self:file getattr;
+
+domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
+domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
+domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
+ifdef(`updfstab.te', `
+domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
+')
+
+# init scripts run /etc/hotplug/usb.rc
+domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
+allow initrc_t hotplug_etc_t:dir r_dir_perms;
+
+ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
+
+r_dir_file(hotplug_t, modules_object_t)
+allow hotplug_t modules_dep_t:file { getattr read ioctl };
+
+# for lsmod
+dontaudit hotplug_t self:capability { sys_module sys_admin };
+
+# for access("/etc/bashrc", X_OK) on Red Hat
+dontaudit hotplug_t self:capability { dac_override dac_read_search };
+
+ifdef(`fsadm.te', `
+domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
+')
+
+allow hotplug_t var_log_t:dir search;
+
+# for ps
+dontaudit hotplug_t domain:dir { getattr search };
+dontaudit hotplug_t { init_t kernel_t }:file read;
+ifdef(`initrc.te', `
+can_ps(hotplug_t, initrc_t)
+')
+
+# for when filesystems are not mounted early in the boot
+dontaudit hotplug_t file_t:dir { search getattr };
+
+# kernel threads inherit from shared descriptor table used by init
+dontaudit hotplug_t initctl_t:fifo_file { read write };
+
+# Read /usr/lib/gconv/.*
+allow hotplug_t lib_t:file { getattr read };
+
+allow hotplug_t self:capability { net_admin sys_tty_config mknod };
+allow hotplug_t sysfs_t:dir { getattr read search };
+allow hotplug_t sysfs_t:file { getattr read };
+allow hotplug_t sysfs_t:lnk_file { getattr read };
+allow hotplug_t udev_runtime_t:file rw_file_perms;
+ifdef(`lpd.te', `
+allow hotplug_t printer_device_t:chr_file setattr;
+')
+allow hotplug_t fixed_disk_device_t:blk_file setattr;
+allow hotplug_t removable_device_t:blk_file setattr;
+allow hotplug_t sound_device_t:chr_file setattr;
+
+ifdef(`udev.te', `
+domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
+')
+
+file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
+
+can_network_server(hotplug_t)
+can_ypbind(hotplug_t)
+dbusd_client(system, hotplug)
+
+# Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
+domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
+ifdef(`mta.te', `
+domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) 
+')
+
+allow restorecon_t hotplug_t:fd use;
+
+ifdef(`unlimitedUtils', `
+unconfined_domain(hotplug_t) 
+')
+
+allow kernel_t hotplug_etc_t:dir search;
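Review bot: The comment `# Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q` has a stray `#` mid-line and looks like two comment lines merged; it should read `# Allow hotplug (including /sbin/ifup-local) to start/stop services and` followed by `# run sendmail -q`. Two rules for a different domain, `allow initrc_t usbdevfs_t:file { getattr read ioctl };` and `allow initrc_t modules_dep_t:file { getattr read ioctl };`, sit in hotplug.te unguarded and uncommented, and would be easier to audit next to the initrc rules or under an `ifdef(`initrc.te', ...)` as the later `can_ps(hotplug_t, initrc_t)` is. `dbusd_client(system, hotplug)` is also called unconditionally here while hald.te in this commit guards the same macro with `ifdef(`dbusd.te', ...)`; if dbusd.te can be absent from a build, this call would reference undefined types (TODO confirm whether the macro is itself conditional).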
diff --git a/strict/domains/program/howl.te b/strict/domains/program/howl.te
new file mode 100644
index 0000000..026790a
--- /dev/null
+++ b/strict/domains/program/howl.te
@@ -0,0 +1,22 @@
+#DESC howl - port of Apple Rendezvous multicast DNS
+#
+# Author:  Russell Coker <rcoker at redhat.com>
+#
+
+daemon_domain(howl)
+r_dir_file(howl_t, proc_net_t)
+can_network_server(howl_t)
+can_ypbind(howl_t)
+allow howl_t self:unix_dgram_socket create_socket_perms;
+allow howl_t self:capability { kill net_admin sys_module };
+
+allow howl_t self:fifo_file rw_file_perms;
+
+type howl_port_t, port_type;
+allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
+
+allow howl_t self:unix_dgram_socket create_socket_perms;
+
+allow howl_t etc_t:file { getattr read };
+allow howl_t initrc_var_run_t:file rw_file_perms;
+
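Review bot: `allow howl_t self:unix_dgram_socket create_socket_perms;` appears twice in this hunk, once after `can_ypbind(howl_t)` and again before the etc_t rule; the second copy is redundant and should be dropped. The capability set `{ kill net_admin sys_module }` has no comment, and sys_module for a multicast-DNS daemon is surprising enough to deserve either a stated reason or a `dontaudit` if it is only probed, e.g. `# sys_module: TODO verify howl actually loads modules; otherwise dontaudit`.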
diff --git a/strict/domains/program/hwclock.te b/strict/domains/program/hwclock.te
new file mode 100644
index 0000000..2af68ab
--- /dev/null
+++ b/strict/domains/program/hwclock.te
@@ -0,0 +1,49 @@
+#DESC Hwclock - Hardware clock manager
+#
+# Author:  David A. Wheeler <dwheeler at ida.org>
+#          Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: util-linux
+#
+
+#################################
+#
+# Rules for the hwclock_t domain.
+# This domain moves time information between the "hardware clock"
+# (which runs when the system is off) and the "system clock",
+# and it stores adjustment values in /etc/adjtime so that errors in the
+# hardware clock are corrected.
+# Note that any errors from this domain are NOT recorded by the system logger,
+# because the system logger isnt running when this domain is active.
+#
+daemon_base_domain(hwclock)
+role sysadm_r types hwclock_t;
+domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
+type adjtime_t, file_type, sysadmfile;
+ifdef(`apmd.te', `
+domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
+')
+
+allow hwclock_t fs_t:filesystem getattr;
+
+read_locale(hwclock_t)
+
+# Give hwclock the capabilities it requires.  dac_override is a surprise,
+# but hwclock does require it.
+allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
+
+# Allow hwclock to set the hardware clock.
+allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms };
+
+# Allow hwclock to store & retrieve correction factors.
+allow hwclock_t adjtime_t:file { setattr rw_file_perms };
+
+# Read and write console and ttys.
+allow hwclock_t tty_device_t:chr_file rw_file_perms;
+allow hwclock_t ttyfile:chr_file rw_file_perms;
+allow hwclock_t ptyfile:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
+
+read_locale(hwclock_t)
+
+# for when /usr is not mounted
+dontaudit hwclock_t file_t:dir search;
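Review bot: `read_locale(hwclock_t)` is invoked twice in this hunk, once after the `fs_t:filesystem getattr` rule and again near the end; the second call is redundant. The header comment explains dac_override but not `sys_rawio` in the same capability line, so a note like `# sys_rawio: TODO record why hwclock needs raw I/O beyond clock_device_t access` would help the next reviewer. The header comment's `isnt` should read `isn't`.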
diff --git a/strict/domains/program/i18n_input.te b/strict/domains/program/i18n_input.te
new file mode 100644
index 0000000..8de3839
--- /dev/null
+++ b/strict/domains/program/i18n_input.te
@@ -0,0 +1,29 @@
+# i18n_input.te
+# Security Policy for IIIMF htt server
+# Date: 2004, 12th April (Monday)
+
+# Types for server port
+type i18n_input_port_t, port_type;
+
+# Establish i18n_input as a daemon
+daemon_domain(i18n_input)
+
+can_exec(i18n_input_t, i18n_input_exec_t)
+can_network(i18n_input_t)
+can_ypbind(i18n_input_t)
+
+can_tcp_connect(userdomain, i18n_input_t)
+
+allow i18n_input_t self:fifo_file rw_file_perms;
+allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
+
+allow i18n_input_t self:capability { kill setgid setuid };
+allow i18n_input_t self:process { setsched setpgid };
+
+allow i18n_input_t { bin_t sbin_t }:dir search;
+
+allow i18n_input_t etc_t:file r_file_perms;
+allow i18n_input_t self:unix_dgram_socket create_socket_perms;
+allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
+allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
+allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
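Review bot: The header of this file does not follow the `#DESC ... / # Author: ... / # X-Debian-Packages:` convention used by every sibling file in this series (getty.te, gpm.te, hald.te); if any tooling reads the `#DESC` line this domain would be missed, and at minimum a `#DESC i18n_input - IIIMF htt input server` line would keep the files uniform. The `{ kill setgid setuid }` capabilities and `can_tcp_connect(userdomain, i18n_input_t)` are given without comments; a short reason per rule would make the network exposure of this daemon reviewable.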
diff --git a/strict/domains/program/ifconfig.te b/strict/domains/program/ifconfig.te
new file mode 100644
index 0000000..b2039ac
--- /dev/null
+++ b/strict/domains/program/ifconfig.te
@@ -0,0 +1,68 @@
+#DESC Ifconfig - Configure network interfaces
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: net-tools
+#
+
+#################################
+#
+# Rules for the ifconfig_t domain.
+#
+# ifconfig_t is the domain for the ifconfig program.
+# ifconfig_exec_t is the type of the corresponding program.
+#
+type ifconfig_t, domain, privlog, privmodule;
+type ifconfig_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types ifconfig_t;
+role sysadm_r types ifconfig_t;
+
+uses_shlib(ifconfig_t)
+general_domain_access(ifconfig_t)
+
+domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
+domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
+
+# for /sbin/ip
+allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
+allow ifconfig_t self:tcp_socket { create ioctl };
+allow ifconfig_t etc_t:file { getattr read };
+
+allow ifconfig_t self:socket create_socket_perms;
+
+# Use capabilities.
+allow ifconfig_t self:capability net_admin;
+dontaudit ifconfig_t self:capability sys_module;
+
+# Inherit and use descriptors from init.
+allow ifconfig_t { kernel_t init_t }:fd use;
+
+# Access /proc
+r_dir_file(ifconfig_t, proc_t)
+r_dir_file(ifconfig_t, proc_net_t)
+
+allow ifconfig_t privfd:fd use;
+allow ifconfig_t run_init_t:fd use;
+
+# Create UDP sockets, necessary when called from dhcpc
+allow ifconfig_t self:udp_socket create_socket_perms;
+
+# Access terminals.
+allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
+
+allow ifconfig_t tun_tap_device_t:chr_file { read write };
+
+# ifconfig attempts to search some sysctl entries.
+# Do not audit those attempts; comment out these rules if it is desired to
+# see the denials.
+dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
+
+allow ifconfig_t fs_t:filesystem getattr;
+
+read_locale(ifconfig_t)
+allow ifconfig_t lib_t:file { getattr read };
+
+rhgb_domain(ifconfig_t)
+allow ifconfig_t userdomain:fd use;
+dontaudit ifconfig_t root_t:file read;
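Review bot: `rhgb_domain(ifconfig_t)` is called unconditionally near the end of the hunk, while init.te in this same commit guards its rhgb rules with `ifdef(`rhgb.te', ...)`; unless the macro is itself conditional, builds without rhgb.te would reference types that do not exist (TODO confirm how the macro is defined). The last three lines, `rhgb_domain(ifconfig_t)`, `allow ifconfig_t userdomain:fd use;` and `dontaudit ifconfig_t root_t:file read;`, are uncommented, unlike the rest of the file. `allow ifconfig_t self:socket create_socket_perms;` grants the generic `socket` class, which is broader than the netlink, tcp and udp classes already listed; a comment naming the code path that needs it would justify keeping it.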
diff --git a/strict/domains/program/inetd.te b/strict/domains/program/inetd.te
new file mode 100644
index 0000000..c0eed55
--- /dev/null
+++ b/strict/domains/program/inetd.te
@@ -0,0 +1,68 @@
+#DESC Inetd - Internet services daemon
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# re-written with daemon_domain by Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
+#
+
+#################################
+#
+# Rules for the inetd_t domain and
+# the inetd_child_t domain.
+#
+type biff_port_t, port_type, reserved_port_type;
+
+#################################
+#
+# Rules for the inetd_t domain.
+#
+
+daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
+
+can_network(inetd_t)
+allow inetd_t self:unix_dgram_socket create_socket_perms;
+allow inetd_t self:unix_stream_socket create_socket_perms;
+allow inetd_t self:fifo_file rw_file_perms;
+allow inetd_t etc_t:file { getattr read ioctl };
+allow inetd_t self:process setsched;
+
+log_domain(inetd)
+tmp_domain(inetd)
+
+# Use capabilities.
+allow inetd_t self:capability { setuid setgid net_bind_service };
+
+# allow any domain to connect to inetd
+can_tcp_connect(userdomain, inetd_t)
+
+# Run each daemon with a defined domain in its own domain.
+# These rules have been moved to the individual target domain .te files.
+
+# Run other daemons in the inetd_child_t domain.
+allow inetd_t { bin_t sbin_t }:dir search;
+allow inetd_t sbin_t:lnk_file read;
+
+# Bind to the telnet, ftp, rlogin and rsh ports.
+ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
+ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
+ifdef(`talk.te', `
+allow inetd_t talk_port_t:tcp_socket name_bind;
+allow inetd_t ntalk_port_t:tcp_socket name_bind;
+')
+
+# Communicate with the portmapper.
+ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
+
+
+inetd_child_domain(inetd_child)
+allow inetd_child_t proc_net_t:dir search;
+allow inetd_child_t proc_net_t:file { getattr read };
+
+ifdef(`unconfined.te', `
+domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
+')
+
+ifdef(`unlimitedInetd', `
+unconfined_domain(inetd_t) 
+')
+
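Review bot: Two comments in this hunk do not match the rules beneath them: `# allow any domain to connect to inetd` sits above `can_tcp_connect(userdomain, inetd_t)`, which is limited to `userdomain`, and `# Bind to the telnet, ftp, rlogin and rsh ports.` is followed only by ftp, rsh and talk port binds, with no telnet or rlogin rule. The comments should read `# allow user domains to connect to inetd` and `# Bind to the ftp, rsh and talk ports.`, or the missing binds should be added if they were intended. The `unlimitedInetd` branch ends in `unconfined_domain(inetd_t)`; a comment at that ifdef stating that it removes inetd's confinement entirely would make the build option's impact explicit.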
diff --git a/strict/domains/program/init.te b/strict/domains/program/init.te
new file mode 100644
index 0000000..3aeb04f
--- /dev/null
+++ b/strict/domains/program/init.te
@@ -0,0 +1,147 @@
+#DESC Init - Process initialization
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: sysvinit
+#
+
+#################################
+#
+# Rules for the init_t domain.
+#
+# init_t is the domain of the init process.
+# init_exec_t is the type of the init program.
+# initctl_t is the type of the named pipe created 
+# by init during initialization.  This pipe is used
+# to communicate with init.
+#
+type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain;
+role system_r types init_t;
+uses_shlib(init_t);
+type init_exec_t, file_type, sysadmfile, exec_type;
+type initctl_t, file_type, sysadmfile, dev_fs;
+
+# for init to determine whether SE Linux is active so it can know whether to
+# activate it
+allow init_t security_t:dir search;
+allow init_t security_t:file { getattr read };
+
+# for mount points
+allow init_t file_t:dir search;
+
+# Use capabilities.
+allow init_t self:capability ~sys_module;
+
+# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
+domain_auto_trans(init_t, initrc_exec_t, initrc_t)
+
+# Run the shell in the sysadm_t domain for single-user mode.
+domain_auto_trans(init_t, shell_exec_t, sysadm_t)
+
+# Run /sbin/update in the init_t domain.
+can_exec(init_t, sbin_t)
+
+# Run init.
+can_exec(init_t, init_exec_t)
+
+# Run chroot from initrd scripts.
+ifdef(`chroot.te', `
+can_exec(init_t, chroot_exec_t)
+')
+
+# Create /dev/initctl.
+file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
+ifdef(`distro_redhat', `
+file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
+')
+
+# Create ioctl.save.
+file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
+
+# Update /etc/ld.so.cache
+allow init_t ld_so_cache_t:file rw_file_perms;
+
+# Allow access to log files
+allow init_t var_t:dir search;
+allow init_t var_log_t:dir search;
+allow init_t var_log_t:file rw_file_perms;
+
+read_locale(init_t)
+
+# Create unix sockets
+allow init_t self:unix_dgram_socket create_socket_perms;
+allow init_t self:unix_stream_socket create_socket_perms;
+allow init_t self:fifo_file rw_file_perms;
+
+# Permissions required for system startup
+allow init_t { bin_t sbin_t }:dir r_dir_perms;
+allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
+
+# allow init to fork
+allow init_t self:process { fork sigchld };
+
+# Modify utmp.
+allow init_t var_run_t:file rw_file_perms;
+allow init_t initrc_var_run_t:file { setattr rw_file_perms };
+
+# For /var/run/shutdown.pid.
+var_run_domain(init)
+
+# Shutdown permissions
+r_dir_file(init_t, proc_t)
+r_dir_file(init_t, self)
+allow init_t devpts_t:dir r_dir_perms;
+
+# Modify wtmp.
+allow init_t wtmp_t:file rw_file_perms;
+
+# Kill all processes.
+allow init_t domain:process signal_perms;
+
+# Allow all processes to send SIGCHLD to init.
+allow domain init_t:process { sigchld signull };
+
+# If you load a new policy that removes active domains, processes can
+# get stuck if you do not allow unlabeled processes to signal init
+# If you load an incompatible policy, you should probably reboot,
+# since you may have compromised system security.
+allow unlabeled_t init_t:process sigchld;
+
+# for loading policy
+allow init_t policy_config_t:file r_file_perms;
+
+# Set booleans.
+can_setbool(init_t)
+
+# Read and write the console and ttys.
+allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
+ifdef(`distro_redhat', `
+allow init_t tmpfs_t:chr_file rw_file_perms;
+')
+allow init_t ttyfile:chr_file rw_file_perms;
+allow init_t ptyfile:chr_file rw_file_perms;
+
+# Run system executables.
+can_exec(init_t,bin_t)
+ifdef(`consoletype.te', `
+can_exec(init_t, consoletype_exec_t)
+')
+
+# Run /etc/X11/prefdm.
+can_exec(init_t,etc_t)
+
+allow init_t lib_t:file { getattr read };
+
+ifdef(`rhgb.te', `
+allow init_t devtty_t:chr_file { read write };
+allow init_t ramfs_t:dir search;
+')
+r_dir_file(init_t, sysfs_t)
+
+r_dir_file(init_t, selinux_config_t)
+
+# file descriptors inherited from the rootfs.
+dontaudit init_t root_t:{ file chr_file } { read write }; 
+ifdef(`targeted_policy', `
+typeattribute init_t unrestricted;
+')
+
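Review bot: `uses_shlib(init_t);` carries a trailing `;` after the macro call while every other macro call in the file (`can_exec(init_t, sbin_t)`, `read_locale(init_t)`) does not; the stray token is only harmless if the policy grammar tolerates an empty statement after the expansion, so `uses_shlib(init_t)` is the safer form. The same form appears as `uses_shlib(initrc_t);` in initrc.te in this commit. `allow init_t self:capability ~sys_module;` gives init every capability but sys_module under the generic "Use capabilities." comment; a line such as `# init needs nearly all capabilities to bring up the system; sys_module is withheld (presumably so module loading stays with privmodule domains — TODO confirm)` would state the intent. `can_exec(init_t,bin_t)` and `can_exec(init_t,etc_t)` omit the space after the comma used elsewhere in the file.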
diff --git a/strict/domains/program/initrc.te b/strict/domains/program/initrc.te
new file mode 100644
index 0000000..86e09cc
--- /dev/null
+++ b/strict/domains/program/initrc.te
@@ -0,0 +1,311 @@
+#DESC Initrc - System initialization scripts
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: sysvinit policycoreutils
+#
+
+#################################
+#
+# Rules for the initrc_t domain.
+#
+# initrc_t is the domain of the init rc scripts.
+# initrc_exec_t is the type of the init program.
+#
+# do not use privmail for sendmail as it creates a type transition conflict
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
+
+role system_r types initrc_t;
+uses_shlib(initrc_t);
+can_network(initrc_t)
+can_ypbind(initrc_t)
+type initrc_exec_t, file_type, sysadmfile, exec_type;
+
+# for halt to down interfaces
+allow initrc_t self:udp_socket create_socket_perms;
+
+# read files in /etc/init.d
+allow initrc_t etc_t:lnk_file r_file_perms;
+
+read_locale(initrc_t)
+
+r_dir_file(initrc_t, usr_t)
+
+# Read system information files in /proc.
+r_dir_file(initrc_t, { proc_t proc_net_t })
+allow initrc_t proc_mdstat_t:file { getattr read };
+
+# Allow IPC with self
+allow initrc_t self:unix_dgram_socket create_socket_perms;
+allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow initrc_t self:fifo_file rw_file_perms;
+
+# Read the root directory of a usbdevfs filesystem, and
+# the devices and drivers files.  Permit stating of the
+# device nodes, but nothing else.
+allow initrc_t usbdevfs_t:dir r_dir_perms;
+allow initrc_t usbdevfs_t:lnk_file r_file_perms;
+allow initrc_t usbdevfs_t:file getattr;
+allow initrc_t usbfs_t:dir r_dir_perms;
+allow initrc_t usbfs_t:file getattr;
+
+# allow initrc to fork and renice itself
+allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
+
+# Can create ptys for open_init_pty
+can_create_pty(initrc)
+
+tmp_domain(initrc)
+
+var_run_domain(initrc)
+allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
+allow initrc_t var_run_t:dir { create rmdir };
+
+ifdef(`distro_debian', `
+allow initrc_t { etc_t device_t }:dir setattr;
+
+# for storing state under /dev/shm
+allow initrc_t tmpfs_t:dir setattr;
+file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
+file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
+allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
+')
+
+allow initrc_t framebuf_device_t:chr_file r_file_perms;
+
+# Use capabilities.
+allow initrc_t self:capability ~{ sys_admin sys_module };
+
+# Use system operations.
+allow initrc_t kernel_t:system *;
+
+# Set values in /proc/sys.
+can_sysctl(initrc_t)
+
+# Run helper programs in the initrc_t domain.
+allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
+allow initrc_t {bin_t sbin_t }:lnk_file read;
+can_exec(initrc_t, etc_t)
+can_exec(initrc_t, lib_t)
+can_exec(initrc_t, bin_t)
+can_exec(initrc_t, sbin_t)
+can_exec(initrc_t, exec_type)
+#
+#  These rules are here to allow init scripts to su
+#
+ifdef(`su.te', `
+su_restricted_domain(initrc,system)
+role system_r types initrc_su_t;
+')
+allow initrc_t self:passwd rootok;
+
+# read /lib/modules
+allow initrc_t modules_object_t:dir { search read };
+
+# Read conf.modules.
+allow initrc_t modules_conf_t:file r_file_perms;
+
+# Run other rc scripts in the initrc_t domain.
+can_exec(initrc_t, initrc_exec_t)
+
+# Run init (telinit) in the initrc_t domain.
+can_exec(initrc_t, init_exec_t)
+
+# Communicate with the init process.
+allow initrc_t initctl_t:fifo_file rw_file_perms;
+
+# Read /proc/PID directories for all domains.
+r_dir_file(initrc_t, domain)
+allow initrc_t domain:process { getattr getsession };
+
+# Mount and unmount file systems.
+allow initrc_t fs_type:filesystem mount_fs_perms;
+allow initrc_t { file_t default_t }:dir { read search getattr mounton };
+
+# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
+file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
+
+# Update /etc/ld.so.cache.
+allow initrc_t ld_so_cache_t:file rw_file_perms;
+
+# Update /var/log/wtmp and /var/log/dmesg.
+allow initrc_t wtmp_t:file { setattr rw_file_perms };
+allow initrc_t var_log_t:dir rw_dir_perms;
+allow initrc_t var_log_t:file { setattr rw_file_perms };
+allow initrc_t lastlog_t:file { setattr rw_file_perms };
+allow initrc_t logfile:file { read append };
+
+# remove old locks
+allow initrc_t lockfile:dir rw_dir_perms;
+allow initrc_t lockfile:file { getattr unlink };
+
+# Access /var/lib/random-seed.
+allow initrc_t var_lib_t:file rw_file_perms;
+allow initrc_t var_lib_t:file unlink;
+
+# Create lock file.
+allow initrc_t var_lock_t:dir create_dir_perms;
+allow initrc_t var_lock_t:file create_file_perms;
+
+# Set the clock.
+allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
+
+# Kill all processes.
+allow initrc_t domain:process signal_perms;
+
+# Read and unlink /var/run/*.pid files.
+allow initrc_t pidfile:file { getattr read unlink };
+
+# Write to /dev/urandom.
+allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
+
+# for cryptsetup
+allow initrc_t fixed_disk_device_t:blk_file getattr;
+
+# Set device ownerships/modes.
+allow initrc_t framebuf_device_t:chr_file setattr;
+allow initrc_t misc_device_t:devfile_class_set setattr;
+allow initrc_t device_t:devfile_class_set setattr;
+allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
+allow initrc_t removable_device_t:devfile_class_set setattr;
+allow initrc_t device_t:lnk_file read;
+allow initrc_t xconsole_device_t:fifo_file setattr;
+
+# Stat any file.
+allow initrc_t file_type:notdevfile_class_set getattr;
+allow initrc_t file_type:dir { search getattr };
+
+# Read and write console and ttys.
+allow initrc_t devtty_t:chr_file rw_file_perms;
+allow initrc_t console_device_t:chr_file rw_file_perms;
+allow initrc_t tty_device_t:chr_file rw_file_perms;
+allow initrc_t ttyfile:chr_file rw_file_perms;
+allow initrc_t ptyfile:chr_file rw_file_perms;
+
+# Reset tty labels.
+allow initrc_t ttyfile:chr_file relabelfrom;
+allow initrc_t tty_device_t:chr_file relabelto;
+
+ifdef(`distro_redhat', `
+# Create and read /boot/kernel.h and /boot/System.map.
+# Redhat systems typically create this file at boot time.
+allow initrc_t boot_t:lnk_file rw_file_perms;
+file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
+
+allow initrc_t tmpfs_t:chr_file rw_file_perms;
+allow initrc_t tmpfs_t:dir r_dir_perms;
+
+ifdef(`distro_redhat', ` 
+# Allow initrc domain to set the enforcing flag.
+can_setenforce(initrc_t)
+')
+
+#
+# readahead asks for these
+#
+allow initrc_t etc_aliases_t:file { getattr read };
+allow initrc_t var_lib_nfs_t:file { getattr read };
+
+# for /halt /.autofsck and other flag files
+file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
+
+')dnl end distro_redhat
+
+allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
+allow initrc_t var_spool_t:file rw_file_perms;
+
+# Allow access to the sysadm TTYs. Note that this will give access to the 
+# TTYs to any process in the initrc_t domain. Therefore, daemons and such
+# started from init should be placed in their own domain.
+allow initrc_t admin_tty_type:chr_file rw_file_perms;
+
+# Access sound device and files.
+allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
+
+# Read user home directories.
+allow initrc_t { home_root_t home_type }:dir r_dir_perms;
+allow initrc_t home_type:file r_file_perms;
+
+# for system start scripts
+allow initrc_t pidfile:dir rw_dir_perms;
+allow initrc_t pidfile:sock_file unlink;
+rw_dir_create_file(initrc_t, var_lib_t)
+
+# allow start scripts to clean /tmp
+allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
+allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };
+
+# for lsof which is used by alsa shutdown
+dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
+dontaudit initrc_t proc_kmsg_t:file getattr;
+
+#################################
+#
+# Rules for the run_init_t domain.
+#
+ifdef(`targeted_policy', `
+type run_init_exec_t, file_type, sysadmfile, exec_type;
+type run_init_t, domain;
+domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
+allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+domain_trans(initrc_t, shell_exec_t, unconfined_t)
+', `
+run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
+')
+allow initrc_t privfd:fd use;
+
+# Transition to system_r:initrc_t upon executing init scripts.
+ifdef(`direct_sysadm_daemon', `
+role_transition sysadm_r initrc_exec_t system_r;
+domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
+')
+
+#
+# Shutting down xinet causes these
+#
+# Fam
+dontaudit initrc_t device_t:dir { read write };
+# Rsync
+dontaudit initrc_t mail_spool_t:lnk_file read;
+
+allow initrc_t sysfs_t:dir { getattr read search };
+allow initrc_t sysfs_t:file { getattr read write };
+allow initrc_t sysfs_t:lnk_file { getattr read };
+allow initrc_t udev_runtime_t:file rw_file_perms;
+allow initrc_t device_type:chr_file setattr;
+allow initrc_t binfmt_misc_fs_t:dir { getattr search };
+allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
+
+# for lsof in shutdown scripts
+can_kerberos(initrc_t)
+
+#
+# Wants to remove udev.tbl
+#
+allow initrc_t device_t:dir rw_dir_perms;
+allow initrc_t device_t:lnk_file unlink;
+
+r_dir_file(initrc_t,selinux_config_t)
+
+ifdef(`distro_redhat', `
+#allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
+')
+
+ifdef(`unlimitedRC', `
+unconfined_domain(initrc_t) 
+')
+#
+# initrc script does a cat /selinux/enforce
+#
+allow initrc_t security_t:dir { getattr search };
+allow initrc_t security_t:file { getattr read };
+
+# init script state
+type initrc_state_t, file_type, sysadmfile;
+create_dir_file(initrc_t,initrc_state_t)
+
+ifdef(`distro_gentoo', `
+# Gentoo integrated run_init+open_init_pty-runscript:
+domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
+')
+allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
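Review bot: The `ifdef(`distro_redhat', ...)` block that starts at `# Create and read /boot/kernel.h and /boot/System.map.` contains a second nested `ifdef(`distro_redhat', ` around `can_setenforce(initrc_t)`; the inner test is always true there, so it should be removed or the `can_setenforce` call moved out of the outer block. `allow initrc_t kernel_t:system *;` grants every permission in the `system` class under the comment "Use system operations."; enumerating the needed permissions, or at least commenting why the wildcard is acceptable for init scripts, would keep this auditable. Given `can_exec(initrc_t, exec_type)`, the preceding `can_exec(initrc_t, bin_t)` and `can_exec(initrc_t, sbin_t)` calls appear redundant if those types carry the exec_type attribute (TODO confirm against the type declarations); the `etc_t` and `lib_t` calls are the ones that actually widen the executable set and deserve a comment.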
diff --git a/strict/domains/program/innd.te b/strict/domains/program/innd.te
new file mode 100644
index 0000000..09b7c06
--- /dev/null
+++ b/strict/domains/program/innd.te
@@ -0,0 +1,81 @@
+#DESC INN - InterNetNews server
+#
+# Author:  Faye Coker <faye at lurking-grue.org>
+# X-Debian-Packages: inn
+#
+################################
+
+# Types for the server port and news spool.
+#
+type innd_port_t, port_type, reserved_port_type;
+type news_spool_t, file_type, sysadmfile;
+
+
+# need privmail attribute so innd can access system_mail_t
+daemon_domain(innd, `, privmail')
+
+# allow innd to create files and directories of type news_spool_t
+create_dir_file(innd_t, news_spool_t)
+
+# allow user domains to read files and directories these types
+r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })
+
+can_exec(initrc_t, innd_etc_t)
+can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })
+ifdef(`hostname.te', `
+can_exec(innd_t, hostname_exec_t)
+')
+
+allow innd_t var_spool_t:dir { getattr search };
+
+can_network(innd_t)
+can_ypbind(innd_t)
+
+can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
+allow innd_t self:unix_dgram_socket create_socket_perms;
+allow innd_t self:unix_stream_socket create_stream_socket_perms;
+can_unix_connect(innd_t, self)
+
+allow innd_t self:fifo_file rw_file_perms;
+allow innd_t innd_port_t:tcp_socket name_bind;
+
+allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
+allow innd_t self:process setsched;
+
+allow innd_t { bin_t sbin_t }:dir search;
+allow innd_t usr_t:lnk_file read;
+allow innd_t usr_t:file { getattr read ioctl };
+allow innd_t lib_t:file ioctl;
+allow innd_t etc_t:file { getattr read };
+allow innd_t { proc_t etc_runtime_t }:file { getattr read };
+allow innd_t urandom_device_t:chr_file read;
+
+allow innd_t innd_var_run_t:sock_file create_file_perms;
+
+# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? and symbolic links with that type
+etcdir_domain(innd)
+
+# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
+# it can write to
+logdir_domain(innd)
+
+# allow innd read-write directory permissions to /var/lib/news.
+var_lib_domain(innd)
+
+ifdef(`crond.te', `
+system_crond_entry(innd_exec_t, innd_t)
+allow system_crond_t innd_etc_t:file { getattr read };
+rw_dir_create_file(system_crond_t, innd_log_t)
+rw_dir_create_file(system_crond_t, innd_var_run_t)
+')
+
+ifdef(`syslogd.te', `
+allow syslogd_t innd_log_t:dir search;
+allow syslogd_t innd_log_t:file create_file_perms;
+')
+
+allow innd_t self:file { getattr read };
+dontaudit innd_t selinux_config_t:dir { search };
+allow system_crond_t innd_etc_t:file { getattr read };
+allow innd_t bin_t:lnk_file { read };
+allow innd_t sbin_t:lnk_file { read };
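Review bot: The rule `allow system_crond_t innd_etc_t:file { getattr read };` at the end of the file repeats the one inside the `ifdef(`crond.te'` block above and, unlike it, is unconditional, so a build without crond.te would reference an undefined system_crond_t. Drop the trailing copy or move it into the crond.te block. The capability set `{ dac_override kill setgid setuid net_bind_service }` granted to innd_t earlier in the hunk also carries no comment on which program needs each capability; a one-line justification per entry would make later tightening possible.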
diff --git a/strict/domains/program/ipsec.te b/strict/domains/program/ipsec.te
new file mode 100644
index 0000000..dd32f69
--- /dev/null
+++ b/strict/domains/program/ipsec.te
@@ -0,0 +1,229 @@
+#DESC ipsec - TCP/IP encryption
+#
+# Authors: Mark Westerman mark.westerman at westcam.com
+# massively butchered by paul krumviede <pwk at acm.org>
+# further massaged by Chris Vance <cvance at tislabs.com>
+# X-Debian-Packages: freeswan
+#
+########################################
+#
+# Rules for the ipsec_t domain.
+#
+# a domain for things that need access to the PF_KEY socket
+daemon_base_domain(ipsec, `, privlog')
+
+# type for ipsec configuration file(s) - not for keys
+type ipsec_conf_file_t, file_type, sysadmfile;
+
+# type for file(s) containing ipsec keys - RSA or preshared
+type ipsec_key_file_t, file_type, sysadmfile;
+
+# type for runtime files, including pluto.ctl
+# lots of strange stuff for the ipsec_var_run_t - need to check it
+var_run_domain(ipsec)
+
+type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain;
+type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
+file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
+file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)
+file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)
+
+allow ipsec_mgmt_t modules_object_t:dir search;
+allow ipsec_mgmt_t modules_object_t:file getattr;
+
+allow ipsec_t self:capability { net_admin net_bind_service };
+allow ipsec_t self:process signal;
+allow ipsec_t etc_t:lnk_file read;
+
+domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t)
+
+# Inherit and use descriptors from init.
+# allow access (for, e.g., klipsdebug) to console
+allow { ipsec_t ipsec_mgmt_t } console_device_t:chr_file rw_file_perms;
+allow { ipsec_t ipsec_mgmt_t } { init_t initrc_t privfd }:fd use;
+
+# I do not know where this pesky pipe is...
+allow ipsec_t initrc_t:fifo_file write;
+
+r_dir_file(ipsec_t, ipsec_conf_file_t)
+r_dir_file(ipsec_t, ipsec_key_file_t)
+allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
+rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)
+
+allow ipsec_t self:key_socket { create write read setopt };
+
+# for lsof
+allow sysadm_t ipsec_t:key_socket getattr;
+
+# the ipsec wrapper wants to run /usr/bin/logger (should we put
+# it in its own domain?)
+can_exec(ipsec_mgmt_t, bin_t)
+# logger, running in ipsec_mgmt_t needs to use sockets
+allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
+allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
+
+# also need to run things like whack and shell scripts
+can_exec(ipsec_mgmt_t, ipsec_exec_t)
+can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
+allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
+can_exec(ipsec_mgmt_t, shell_exec_t)
+can_exec(ipsec_t, shell_exec_t)
+can_exec(ipsec_t, bin_t)
+can_exec(ipsec_t, ipsec_mgmt_exec_t)
+# now for a icky part...
+# pluto runs an updown script (by calling popen()!); as this is by default
+# a shell script, we need to find a way to make things work without
+# letting all sorts of stuff possibly be run...
+# so try flipping back into the ipsec_mgmt_t domain
+domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)
+allow ipsec_mgmt_t ipsec_t:fd use;
+
+# the default updown script wants to run route
+can_exec(ipsec_mgmt_t, sbin_t)
+allow ipsec_mgmt_t sbin_t:lnk_file read;
+allow ipsec_mgmt_t self:capability { net_admin dac_override };
+
+# need access to /proc/sys/net/ipsec/icmp
+allow ipsec_mgmt_t sysctl_t:file write;
+allow ipsec_mgmt_t sysctl_net_t:dir search;
+allow ipsec_mgmt_t sysctl_net_t:file { write setattr };
+
+# whack needs to be able to read/write pluto.ctl
+allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
+# and it wants to connect to a socket...
+allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
+
+# allow system administrator to use the ipsec script to look
+# at things (e.g., ipsec auto --status)
+# probably should create an ipsec_admin role for this kind of thing
+can_exec(sysadm_t, ipsec_mgmt_exec_t)
+allow sysadm_t ipsec_t:unix_stream_socket connectto;
+
+# _realsetup needs to be able to cat /var/run/pluto.pid,
+# run ps on that pid, and delete the file
+allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
+
+allow ipsec_mgmt_t boot_t:dir search;
+allow ipsec_mgmt_t system_map_t:file { read getattr };
+
+# denials when ps tries to search /proc. Do not audit these denials.
+dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
+
+# suppress audit messages about unnecessary socket access
+dontaudit ipsec_mgmt_t domain:key_socket { read write };
+dontaudit ipsec_mgmt_t domain:udp_socket { read write };
+
+# from rbac
+role system_r types { ipsec_t ipsec_mgmt_t };
+
+# from initrc.te
+domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
+
+
+########## The following rules were added by cvance at tislabs.com ##########
+
+# allow pluto and startup scripts to access /dev/urandom
+allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms;
+
+# allow pluto to access /proc/net/ipsec_eroute;
+general_proc_read_access(ipsec_t)
+general_proc_read_access(ipsec_mgmt_t)
+
+# allow pluto to search the root directory (not sure why, but mostly harmless)
+# Are these all really necessary?
+allow ipsec_t var_t:dir search;
+allow ipsec_t bin_t:dir search;
+allow ipsec_t device_t:dir { getattr search };
+allow ipsec_mgmt_t device_t:dir { getattr search read };
+dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
+dontaudit ipsec_mgmt_t devpts_t:dir getattr;
+allow ipsec_mgmt_t etc_t:lnk_file read;
+allow ipsec_mgmt_t var_t:dir search;
+allow ipsec_mgmt_t sbin_t:dir search;
+allow ipsec_mgmt_t bin_t:dir search;
+allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read };
+
+# Startup scripts
+# use libraries
+uses_shlib({ ipsec_t ipsec_mgmt_t })
+# Read and write /dev/tty
+allow ipsec_mgmt_t devtty_t:chr_file rw_file_perms;
+# fork
+allow ipsec_mgmt_t self:process fork;
+# startup script runs /bin/gawk with a pipe
+allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+# read /etc/mtab Why?
+allow ipsec_mgmt_t etc_runtime_t:file { read getattr };
+# read link for /bin/sh 
+allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read;
+
+#
+allow ipsec_mgmt_t self:process { sigchld signal setrlimit };
+
+# Allow read/write access to /var/run/pluto.ctl
+allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };
+
+# Pluto needs network access
+can_network_server(ipsec_t)
+can_ypbind(ipsec_t)
+allow ipsec_t self:unix_dgram_socket { create connect write };
+
+# for sleep
+allow ipsec_mgmt_t fs_t:filesystem getattr;
+
+# for the start script
+can_exec(ipsec_mgmt_t, etc_t)
+
+# allow access to /etc/localtime
+allow ipsec_mgmt_t etc_t:file { read getattr };
+allow ipsec_t etc_t:file { read getattr };
+
+# allow access to /dev/null
+allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms;
+allow ipsec_t null_device_t:chr_file rw_file_perms;
+
+# Allow scripts to use /var/locl/subsys/ipsec
+allow ipsec_mgmt_t var_lock_t:dir rw_dir_perms;
+allow ipsec_mgmt_t var_lock_t:file create_file_perms;
+
+# allow tncfg to create sockets
+allow ipsec_mgmt_t self:udp_socket { create ioctl };
+
+#When running ipsec auto --up <conname>
+allow ipsec_t self:process { fork sigchld };
+allow ipsec_t self:fifo_file { read getattr };
+
+# ideally it would not need this.  It wants to write to /root/.rnd
+file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
+
+allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
+allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
+allow ipsec_mgmt_t self:lnk_file read;
+
+allow ipsec_mgmt_t self:capability { sys_tty_config dac_read_search };
+read_locale(ipsec_mgmt_t)
+var_run_domain(ipsec_mgmt)
+dontaudit ipsec_mgmt_t default_t:dir getattr;
+dontaudit ipsec_mgmt_t default_t:file getattr;
+allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
+allow ipsec_mgmt_t self:key_socket { create setopt };
+can_exec(ipsec_mgmt_t, initrc_exec_t)
+allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
+read_locale(ipsec_t)
+ifdef(`consoletype.te', `
+can_exec(ipsec_mgmt_t, consoletype_exec_t )
+')
+dontaudit ipsec_mgmt_t selinux_config_t:dir search;
+dontaudit ipsec_t ttyfile:chr_file { read write };
+allow ipsec_t self:capability { dac_override dac_read_search };
+allow ipsec_t reserved_port_t:udp_socket name_bind;
+allow ipsec_mgmt_t dev_fs:file_class_set getattr;
+dontaudit ipsec_mgmt_t device_t:lnk_file read;
+allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
+allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
+rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)
+rw_dir_create_file(initrc_t, ipsec_var_run_t)
+allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
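Review bot: `can_exec(ipsec_t, shell_exec_t)` sits a few lines above `domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)`, and if can_exec grants execute_no_trans as it does elsewhere in this policy, pluto can run the updown shell inside ipsec_t itself, which undercuts the intent spelled out in the comment about flipping into ipsec_mgmt_t. Consider removing the can_exec line so the transition is the only way the shell runs, or document why both are needed. Separately, `file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)` for /root/.rnd lets the management domain create files in the admin's home directory with the generic sysadm_home_t type; the existing comment already calls this undesirable, so a TODO pointing at a dedicated type for that file would keep it from being forgotten.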
diff --git a/strict/domains/program/iptables.te b/strict/domains/program/iptables.te
new file mode 100644
index 0000000..8d83280
--- /dev/null
+++ b/strict/domains/program/iptables.te
@@ -0,0 +1,63 @@
+#DESC Ipchains - IP packet filter administration
+#
+# Authors:  Justin Smith <jsmith at mcs.drexel.edu>
+#           Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: ipchains iptables
+#
+
+#
+# Rules for the iptables_t domain.
+#
+daemon_base_domain(iptables, `, privmodule')
+role sysadm_r types iptables_t;
+domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
+
+ifdef(`modutil.te', `
+# for modprobe
+allow iptables_t sbin_t:dir search;
+allow iptables_t sbin_t:lnk_file read;
+')
+
+read_locale(iptables_t)
+
+# to allow rules to be saved on reboot
+allow iptables_t initrc_tmp_t:file rw_file_perms;
+
+domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
+allow iptables_t var_t:dir search;
+var_run_domain(iptables)
+
+allow iptables_t self:process { fork signal_perms };
+
+allow iptables_t { sysctl_t sysctl_kernel_t }:dir search;
+allow iptables_t sysctl_modprobe_t:file { getattr read };
+
+tmp_domain(iptables)
+
+# for iptables -L
+allow iptables_t self:unix_stream_socket create_socket_perms;
+can_resolve(iptables_t)
+can_ypbind(iptables_t)
+
+allow iptables_t iptables_exec_t:file execute_no_trans;
+allow iptables_t self:capability { net_admin net_raw };
+allow iptables_t self:rawip_socket create_socket_perms;
+
+allow iptables_t etc_t:file { getattr read };
+
+allow iptables_t fs_t:filesystem getattr;
+allow iptables_t { userdomain kernel_t }:fd use;
+
+# Access terminals.
+allow iptables_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
+
+allow iptables_t proc_t:file { getattr read };
+allow iptables_t proc_net_t:dir search;
+allow iptables_t proc_net_t:file { read getattr };
+
+# system-config-network appends to /var/log
+allow iptables_t var_log_t:file append;
+ifdef(`firstboot.te', `
+allow iptables_t firstboot_t:fifo_file write;
+')
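Review bot: The `#DESC Ipchains - IP packet filter administration` header does not match the file (iptables.te) or the domain it declares (iptables_t); rewrite it as `#DESC Iptables - IP packet filter administration` so listings derived from #DESC are accurate. `allow iptables_t iptables_exec_t:file execute_no_trans;` and `allow iptables_t { userdomain kernel_t }:fd use;` carry no comment, and the only visible entry into the domain is the transition from sysadm_t, so the userdomain fd grant is presumably for callers defined in other files. A note such as `# iptables re-executes iptables_exec_t without a domain change — confirm which invocation needs this` would let a later reviewer decide whether to keep it.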
diff --git a/strict/domains/program/irc.te b/strict/domains/program/irc.te
new file mode 100644
index 0000000..50c1122
--- /dev/null
+++ b/strict/domains/program/irc.te
@@ -0,0 +1,12 @@
+#DESC Irc - IRC client
+#
+# Domains for the irc program.
+# X-Debian-Packages: tinyirc ircii
+
+#
+# irc_exec_t is the type of the irc executable.
+#
+type irc_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the irc_domain macro in
+# macros/program/irc_macros.te.
diff --git a/strict/domains/program/irqbalance.te b/strict/domains/program/irqbalance.te
new file mode 100644
index 0000000..35be192
--- /dev/null
+++ b/strict/domains/program/irqbalance.te
@@ -0,0 +1,15 @@
+#DESC IRQBALANCE - IRQ balance daemon
+#
+# Author:  Ulrich Drepper <drepper at redhat.com>
+#
+
+#################################
+#
+# Rules for the irqbalance_t domain.
+#
+daemon_domain(irqbalance)
+
+# irqbalance needs access to /proc.
+allow irqbalance_t proc_t:file { read getattr };
+allow irqbalance_t sysctl_irq_t:dir r_dir_perms;
+allow irqbalance_t sysctl_irq_t:file rw_file_perms;
diff --git a/strict/domains/program/java.te b/strict/domains/program/java.te
new file mode 100644
index 0000000..dfd0372
--- /dev/null
+++ b/strict/domains/program/java.te
@@ -0,0 +1,14 @@
+#DESC Java VM 
+#
+# Authors: Dan Walsh <dwalsh at redhat.com> 
+# X-Debian-Packages: java
+#
+
+# Type for the netscape, java or other browser executables.
+type java_exec_t, file_type, sysadmfile, exec_type;
+
+# Allow java executable stack
+bool allow_java_execstack false;
+
+# Everything else is in the java_domain macro in
+# macros/program/java_macros.te.
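Review bot: The comment `# Allow java executable stack` above `bool allow_java_execstack false;` reads like a grant, while the line declares a tunable that defaults to off and is presumably consulted only in the java_domain macro referenced at the bottom of the file. A comment such as `# Tunable (default off): when enabled, java domains may run with an executable stack; see macros/program/java_macros.te` would tell an administrator what toggling it changes.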
diff --git a/strict/domains/program/kerberos.te b/strict/domains/program/kerberos.te
new file mode 100644
index 0000000..19cc3c4
--- /dev/null
+++ b/strict/domains/program/kerberos.te
@@ -0,0 +1,91 @@
+#DESC Kerberos5 - MIT Kerberos5
+# supports krb5kdc and kadmind daemons
+# kinit, kdestroy, klist clients
+# ksu support not complete
+#
+# includes rules for OpenSSH daemon compiled with both
+# kerberos5 and SELinux support
+#
+# Not supported : telnetd, ftpd, kprop/kpropd daemons
+#
+# Author:   Kerry Thompson <kerry at crypt.gen.nz>
+# Modified by Colin Walters <walters at redhat.com>
+# 
+
+#################################
+#
+# Rules for the krb5kdc_t,kadmind_t domains.
+#
+daemon_domain(krb5kdc)
+daemon_domain(kadmind)
+
+can_exec(krb5kdc_t, krb5kdc_exec_t)
+can_exec(kadmind_t, kadmind_exec_t)
+
+# types for general configuration files in /etc
+type krb5_keytab_t, file_type, sysadmfile, secure_file_type;
+
+# types for KDC configs and principal file(s)
+type krb5kdc_conf_t, file_type, sysadmfile;
+type krb5kdc_principal_t, file_type, sysadmfile;
+
+# Use capabilities. Surplus capabilities may be allowed.
+allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };
+allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
+
+# krb5kdc and kadmind can use network
+can_network_server( { krb5kdc_t kadmind_t } )
+can_ypbind( { krb5kdc_t kadmind_t } )
+
+# allow UDP transfer to/from any program
+can_udp_send(kerberos_port_t, krb5kdc_t)
+can_udp_send(krb5kdc_t, kerberos_port_t)
+can_tcp_connect(kerberos_port_t, krb5kdc_t)
+can_tcp_connect(kerberos_admin_port_t, kadmind_t)
+
+# Bind to the kerberos, kerberos-adm ports.
+allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
+allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
+allow kadmind_t reserved_port_t:tcp_socket name_bind;
+dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
+
+#
+# Rules for Kerberos5 KDC daemon
+allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
+allow krb5kdc_t self:unix_stream_socket create_socket_perms;
+allow kadmind_t  self:unix_stream_socket create_socket_perms;
+allow krb5kdc_t krb5kdc_conf_t:dir search;
+allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
+allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
+dontaudit krb5kdc_t krb5kdc_principal_t:file write;
+allow krb5kdc_t locale_t:file { getattr read };
+dontaudit krb5kdc_t krb5kdc_conf_t:file write;
+allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
+allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
+allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
+dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
+tmp_domain(krb5kdc)
+log_domain(krb5kdc)
+allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
+allow kadmind_t random_device_t:chr_file { getattr read };
+allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
+allow krb5kdc_t proc_t:dir r_dir_perms;
+allow krb5kdc_t proc_t:file { getattr read };
+
+#
+# Rules for Kerberos5 Kadmin daemon
+allow kadmind_t self:unix_dgram_socket { connect create write };
+allow kadmind_t krb5kdc_conf_t:dir search;
+allow kadmind_t krb5kdc_conf_t:file r_file_perms;
+allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
+read_locale(kadmind_t)
+dontaudit kadmind_t krb5kdc_conf_t:file write;
+tmp_domain(kadmind)
+log_domain(kadmind)
+
+#
+# Allow user programs to talk to KDC
+allow krb5kdc_t userdomain:udp_socket recvfrom;
+allow userdomain krb5kdc_t:udp_socket recvfrom;
+allow initrc_t krb5_conf_t:file ioctl;
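Review bot: The comment `# Use capabilities. Surplus capabilities may be allowed.` concedes the sets are over-broad without saying which entries are suspect; in particular krb5kdc_t gets net_admin while kadmind_t on the next line does not, and nothing else in this hunk uses it. Either note which code path needs net_admin or drop it and watch for denials. `allow kadmind_t reserved_port_t:tcp_socket name_bind;` together with the dontaudit on reserved_port_type lets kadmind bind any reserved port rather than only the kerberos_admin_port_t granted two lines above; a comment on why the wider bind is needed would help reviewers decide whether to keep it.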
diff --git a/strict/domains/program/klogd.te b/strict/domains/program/klogd.te
new file mode 100644
index 0000000..b7efff1
--- /dev/null
+++ b/strict/domains/program/klogd.te
@@ -0,0 +1,45 @@
+#DESC Klogd - Kernel log daemon
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: klogd
+#
+
+#################################
+#
+# Rules for the klogd_t domain.
+#
+daemon_domain(klogd, `, privmem')
+
+tmp_domain(klogd)
+allow klogd_t proc_t:dir r_dir_perms;
+allow klogd_t proc_t:lnk_file r_file_perms;
+allow klogd_t proc_t:file { getattr read };
+allow klogd_t self:dir r_dir_perms;
+allow klogd_t self:lnk_file r_file_perms;
+
+# read /etc/nsswitch.conf
+allow klogd_t etc_t:lnk_file read;
+allow klogd_t etc_t:file r_file_perms;
+
+read_locale(klogd_t)
+
+allow klogd_t etc_runtime_t:file { getattr read };
+
+# Create unix sockets
+allow klogd_t self:unix_dgram_socket create_socket_perms;
+
+# Use the sys_admin and sys_rawio capabilities.
+allow klogd_t self:capability { sys_admin sys_rawio };
+dontaudit klogd_t self:capability sys_resource;
+
+
+# Read /proc/kmsg and /dev/mem.
+allow klogd_t proc_kmsg_t:file r_file_perms;
+allow klogd_t memory_device_t:chr_file r_file_perms;
+
+# Control syslog and console logging
+allow klogd_t kernel_t:system { syslog_mod syslog_console };
+
+# Read /boot/System.map*
+allow klogd_t system_map_t:file r_file_perms;
+allow klogd_t boot_t:dir r_dir_perms;
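Review bot: `allow klogd_t self:capability { sys_admin sys_rawio };` is commented only as "Use the sys_admin and sys_rawio capabilities", which restates the rule rather than justifying it. Say what each is for, e.g. `# sys_admin: klogctl()/syslog(2) was gated on CAP_SYS_ADMIN in kernels of this era; sys_rawio: reading /dev/mem for symbol resolution`, so the sys_admin half can be revisited if the kernel gates log reading on a narrower capability. The privmem attribute passed to daemon_domain at the top and the memory_device_t read further down are the related grants worth cross-referencing in that comment.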
diff --git a/strict/domains/program/ktalkd.te b/strict/domains/program/ktalkd.te
new file mode 100644
index 0000000..7ae0109
--- /dev/null
+++ b/strict/domains/program/ktalkd.te
@@ -0,0 +1,14 @@
+#DESC ktalkd -  KDE version of the talk server 
+#
+# Author:  Dan Walsh <dwalsh at redhat.com>
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the ktalkd_t domain.
+#
+# ktalkd_exec_t is the type of the ktalkd executable.
+#
+
+inetd_child_domain(ktalkd, udp)
diff --git a/strict/domains/program/kudzu.te b/strict/domains/program/kudzu.te
new file mode 100644
index 0000000..257c587
--- /dev/null
+++ b/strict/domains/program/kudzu.te
@@ -0,0 +1,102 @@
+#DESC kudzu - Red Hat utility to recognise new hardware
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+
+daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
+
+read_locale(kudzu_t)
+
+# for /etc/sysconfig/hwconf - probably need a new type
+allow kudzu_t etc_runtime_t:file rw_file_perms;
+
+# for kmodule
+if (allow_execmem) {
+allow kudzu_t self:process execmem;
+}
+allow kudzu_t zero_device_t:chr_file rx_file_perms;
+allow kudzu_t memory_device_t:chr_file { read write execute };
+
+allow kudzu_t ramfs_t:dir search;
+allow kudzu_t ramfs_t:sock_file write;
+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+allow kudzu_t modules_conf_t:file { getattr read };
+allow kudzu_t modules_object_t:dir r_dir_perms;
+allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
+allow kudzu_t mouse_device_t:chr_file { read write };
+allow kudzu_t proc_net_t:dir r_dir_perms;
+allow kudzu_t { proc_net_t proc_t }:file { getattr read };
+allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
+allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
+allow kudzu_t { bin_t sbin_t }:dir { getattr search };
+allow kudzu_t { bin_t sbin_t }:lnk_file read;
+read_sysctl(kudzu_t)
+allow kudzu_t sysctl_dev_t:dir { getattr search read };
+allow kudzu_t sysctl_dev_t:file { getattr read };
+allow kudzu_t sysctl_kernel_t:file write;
+allow kudzu_t usbdevfs_t:dir search;
+allow kudzu_t usbdevfs_t:file { getattr read };
+allow kudzu_t usbfs_t:dir search;
+allow kudzu_t usbfs_t:file { getattr read };
+allow kudzu_t var_t:dir search;
+allow kudzu_t kernel_t:system syslog_console;
+allow kudzu_t self:udp_socket { create ioctl };
+allow kudzu_t var_lock_t:dir search;
+allow kudzu_t devpts_t:dir search;
+
+# so it can write messages to the console
+allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
+
+role sysadm_r types kudzu_t;
+domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
+ifdef(`anaconda.te', `
+domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
+')
+
+allow kudzu_t sysadm_home_dir_t:dir search;
+rw_dir_create_file(kudzu_t, etc_t)
+
+rw_dir_create_file(kudzu_t, mnt_t)
+can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
+# Read /usr/lib/gconv/gconv-modules.*
+allow kudzu_t lib_t:file { read getattr };
+# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
+allow kudzu_t usr_t:file { read getattr };
+
+# Communicate with rhgb-client.
+allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow kudzu_t self:unix_dgram_socket create_socket_perms;
+
+ifdef(`rhgb.te', `
+allow kudzu_t rhgb_t:unix_stream_socket connectto;
+')
+
+allow kudzu_t self:file { getattr read };
+allow kudzu_t self:fifo_file rw_file_perms;
+ifdef(`gpm.te', `
+allow kudzu_t gpmctl_t:sock_file getattr;
+')
+
+can_exec(kudzu_t, shell_exec_t)
+
+# Write to /proc/sys/kernel/hotplug.  Why?
+allow kudzu_t sysctl_hotplug_t:file { read write };
+
+allow kudzu_t sysfs_t:dir { getattr read search };
+allow kudzu_t sysfs_t:file { getattr read };
+allow kudzu_t sysfs_t:lnk_file read;
+file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
+allow kudzu_t tape_device_t:chr_file r_file_perms;
+tmp_domain(kudzu, `', `{ file dir chr_file }')
+
+# for file systems that are not yet mounted
+dontaudit kudzu_t file_t:dir search;
+ifdef(`lpd.te', `
+allow kudzu_t printconf_t:file { getattr read };
+')
+allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
+dontaudit kudzu_t src_t:dir search;
+ifdef(`xserver.te', `
+allow kudzu_t xserver_exec_t:file getattr;
+')
+
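Review bot: `allow kudzu_t memory_device_t:chr_file { read write execute };` grants execute on /dev/mem unconditionally, while the execmem permission just above it is gated on `if (allow_execmem)`; an executable mapping of /dev/mem sidesteps what the boolean is meant to control, so the execute bit on memory_device_t (and the rx_file_perms on zero_device_t beside it) should sit inside the same conditional or be justified separately. Only `# for kmodule` covers those four lines, so note which of them kmodule actually needs. The attribute list passed to daemon_base_domain (etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem) is likewise undocumented; one short line per attribute would help.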
diff --git a/strict/domains/program/ldconfig.te b/strict/domains/program/ldconfig.te
new file mode 100644
index 0000000..083063f
--- /dev/null
+++ b/strict/domains/program/ldconfig.te
@@ -0,0 +1,51 @@
+#DESC Ldconfig - Configure dynamic linker bindings
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: libc6
+#
+
+#################################
+#
+# Rules for the ldconfig_t domain.
+#
+type ldconfig_t, domain, privlog, etc_writer;
+type ldconfig_exec_t, file_type, sysadmfile, exec_type;
+
+role sysadm_r types ldconfig_t;
+role system_r types ldconfig_t;
+
+domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
+dontaudit ldconfig_t device_t:dir search;
+allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+allow ldconfig_t privfd:fd use;
+
+uses_shlib(ldconfig_t)
+
+file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
+allow ldconfig_t lib_t:dir rw_dir_perms;
+allow ldconfig_t lib_t:lnk_file create_lnk_perms;
+
+allow ldconfig_t userdomain:fd use;
+# unlink for when /etc/ld.so.cache is mislabeled
+allow ldconfig_t etc_t:file { getattr read unlink };
+allow ldconfig_t etc_t:lnk_file read;
+
+allow ldconfig_t fs_t:filesystem getattr;
+allow ldconfig_t tmp_t:dir search;
+
+ifdef(`apache.te', `
+# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
+dontaudit ldconfig_t httpd_modules_t:dir search;
+')
+
+allow ldconfig_t { var_t var_lib_t }:dir search;
+allow ldconfig_t proc_t:file read;
+ifdef(`hide_broken_symptoms', `
+ifdef(`unconfined.te',`
+dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
+');
+')dnl end hide_broken_symptoms
+ifdef(`targeted_policy', `
+allow ldconfig_t lib_t:file r_file_perms;
+unconfined_domain(ldconfig_t) 
+')
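Review bot: `allow ldconfig_t etc_t:file { getattr read unlink };` lets a domain entered automatically from initrc_t and sysadm_t unlink any file carrying the generic etc_t type, whereas the comment says it is only for a mislabeled /etc/ld.so.cache. Keep the comment but add `# TODO: narrow once ld.so.cache reliably carries ld_so_cache_t` so the grant is understood as temporary, or gate it behind the hide_broken_symptoms ifdef used further down. The closing `');` inside the unconfined.te block also differs from every other `')` in the file; dropping the stray semicolon keeps the m4 output uniform.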
diff --git a/strict/domains/program/load_policy.te b/strict/domains/program/load_policy.te
new file mode 100644
index 0000000..f54c963
--- /dev/null
+++ b/strict/domains/program/load_policy.te
@@ -0,0 +1,61 @@
+#DESC LoadPolicy - SELinux policy loading utilities
+#
+# Authors:  Frank Mayer, mayerf at tresys.com
+# X-Debian-Packages: policycoreutils
+#
+
+###########################
+# load_policy_t is the domain type for load_policy 
+# load_policy_exec_t is the file type for the executable
+
+
+type load_policy_t, domain;
+role sysadm_r types load_policy_t;
+role system_r types load_policy_t;
+
+type load_policy_exec_t, file_type, exec_type, sysadmfile;
+
+##########################
+# 
+# Rules
+
+domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
+
+allow load_policy_t console_device_t:chr_file { read write };
+
+# Reload the policy configuration (sysadm_t no longer has this ability)
+can_loadpol(load_policy_t)
+
+# Reset policy boolean values.
+can_setbool(load_policy_t)
+
+
+###########################
+# constrain from where load_policy can load a policy, specifically 
+# policy_config_t files 
+#
+
+# only allow read of policy config files
+allow load_policy_t policy_src_t:dir search;
+allow load_policy_t policy_config_t:dir r_dir_perms;
+allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
+
+# directory search permissions for path to binary policy files
+allow load_policy_t root_t:dir search;
+allow load_policy_t etc_t:dir search;
+
+# Read the devpts root directory (needed?)  
+allow load_policy_t devpts_t:dir r_dir_perms;
+
+# Other access
+allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr };
+uses_shlib(load_policy_t)
+allow load_policy_t self:capability dac_override;
+
+allow load_policy_t { userdomain privfd initrc_t }:fd use;
+
+allow load_policy_t fs_t:filesystem getattr;
+
+allow load_policy_t sysadm_tmp_t:file { getattr write } ;
+read_locale(load_policy_t)
+r_dir_file(load_policy_t, selinux_config_t)
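Review bot: `allow load_policy_t sysadm_tmp_t:file { getattr write } ;` has no comment and the only context is the "# Other access" heading, so a reader cannot tell why a policy loader needs write access to files in the admin's tmp directory. Add something like `# stdout/stderr may be redirected to a file in the admin's tmp dir — confirm` so the grant is explained, and drop the space before the semicolon, which is inconsistent with the rest of the file.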
diff --git a/strict/domains/program/loadkeys.te b/strict/domains/program/loadkeys.te
new file mode 100644
index 0000000..0959762
--- /dev/null
+++ b/strict/domains/program/loadkeys.te
@@ -0,0 +1,45 @@
+#DESC loadkeys - for changing to unicode at login time
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+# X-Debian-Packages: console-tools
+
+#
+# loadkeys_exec_t is the type of the wrapper
+#
+type loadkeys_exec_t, file_type, sysadmfile, exec_type;
+
+can_exec(initrc_t, loadkeys_exec_t)
+
+# Derived domain based on the calling user domain and the program.
+type loadkeys_t, domain;
+
+# Transition from the user domain to this domain.
+domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t)
+
+uses_shlib(loadkeys_t)
+dontaudit loadkeys_t proc_t:dir search;
+allow loadkeys_t proc_t:file { getattr read };
+allow loadkeys_t self:process { fork sigchld };
+
+allow loadkeys_t self:fifo_file rw_file_perms;
+allow loadkeys_t bin_t:dir search;
+allow loadkeys_t bin_t:lnk_file read;
+can_exec(loadkeys_t, { shell_exec_t bin_t })
+
+read_locale(loadkeys_t)
+
+dontaudit loadkeys_t etc_runtime_t:file { getattr read };
+
+# Use capabilities.
+allow loadkeys_t self:capability { setuid sys_tty_config };
+
+allow loadkeys_t local_login_t:fd use;
+allow loadkeys_t devtty_t:chr_file rw_file_perms;
+
+# The user role is authorized for this domain.
+in_user_role(loadkeys_t)
+
+# Write to the user domain tty.
+allow loadkeys_t ttyfile:chr_file rw_file_perms;
+
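Review bot: loadkeys_t is entered from unpriv_userdomain via `domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t)` and then receives `{ setuid sys_tty_config }` plus `can_exec(loadkeys_t, { shell_exec_t bin_t })`, so an unprivileged user drives a domain that may run the shell and any bin_t program with those capabilities; the header only says loadkeys_exec_t "is the type of the wrapper". Document which wrapper this is and why it needs shell and bin_t execution, e.g. `# the wrapper is a shell script; confirm which bin_t programs it runs and whether setuid is required`, so the capability set can be trimmed once the wrapper's needs are known. in_user_role(loadkeys_t) near the end is the role grant that makes the transition reachable.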
diff --git a/strict/domains/program/lockdev.te b/strict/domains/program/lockdev.te
new file mode 100644
index 0000000..adb2a77
--- /dev/null
+++ b/strict/domains/program/lockdev.te
@@ -0,0 +1,11 @@
+#DESC Lockdev - libblockdev helper application
+#
+# Authors:  Daniel Walsh <dwalsh at redhat.com> 
+#
+
+
+# Type for the lockdev
+type lockdev_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the lockdev_domain macro in
+# macros/program/lockdev_macros.te.
diff --git a/strict/domains/program/login.te b/strict/domains/program/login.te
new file mode 100644
index 0000000..569c755
--- /dev/null
+++ b/strict/domains/program/login.te
@@ -0,0 +1,227 @@
+#DESC Login - Local/remote login utilities
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# Macroised by Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: login
+#
+
+#################################
+# 
+# Rules for the local_login_t domain
+# and the remote_login_t domain.
+#
+
+# $1 is the name of the domain (local or remote)
+define(`login_domain', `
+type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain;
+role system_r types $1_login_t;
+
+dontaudit $1_login_t shadow_t:file { getattr read };
+
+general_domain_access($1_login_t);
+
+# Read system information files in /proc.
+r_dir_file($1_login_t, proc_t)
+
+base_file_read_access($1_login_t)
+
+# Read directories and files with the readable_t type.
+# This type is a general type for "world"-readable files.
+allow $1_login_t readable_t:dir r_dir_perms;
+allow $1_login_t readable_t:notdevfile_class_set r_file_perms;
+
+# Read /var, /var/spool
+allow $1_login_t { var_t var_spool_t }:dir search;
+
+# for when /var/mail is a sym-link
+allow $1_login_t var_t:lnk_file read;
+
+# Read /etc.
+allow $1_login_t etc_t:dir r_dir_perms;
+allow $1_login_t etc_t:notdevfile_class_set r_file_perms;
+allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
+
+read_locale($1_login_t)
+
+# for SSP/ProPolice
+allow $1_login_t urandom_device_t:chr_file { getattr read };
+
+# Read executable types.
+allow $1_login_t exec_type:{ file lnk_file } r_file_perms;
+
+# Read /dev directories and any symbolic links.
+allow $1_login_t device_t:dir r_dir_perms;
+allow $1_login_t device_t:lnk_file r_file_perms;
+
+uses_shlib($1_login_t);
+
+tmp_domain($1_login)
+
+ifdef(`pam.te', `
+can_exec($1_login_t, pam_exec_t)
+')
+
+ifdef(`pamconsole.te', `
+rw_dir_create_file($1_login_t, pam_var_console_t)
+')
+
+# Use capabilities
+allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow $1_login_t self:process setrlimit;
+dontaudit $1_login_t sysfs_t:dir search;
+
+# Set exec context.
+can_setexec($1_login_t)
+
+allow $1_login_t autofs_t:dir { search read getattr };
+allow $1_login_t mnt_t:dir r_dir_perms;
+
+if (use_nfs_home_dirs) {
+r_dir_file($1_login_t, nfs_t)
+}
+
+if (use_samba_home_dirs) {
+r_dir_file($1_login_t, cifs_t)
+}
+
+# FIXME: what is this for?
+ifdef(`xdm.te', `
+allow xdm_t $1_login_t:process signull;
+')
+
+ifdef(`crack.te', `
+allow $1_login_t crack_db_t:file r_file_perms;
+')
+
+# Permit login to search the user home directories.
+allow $1_login_t home_root_t:dir search;
+allow $1_login_t home_dir_type:dir search;
+
+# Write to /var/run/utmp.
+allow $1_login_t var_run_t:dir search;
+allow $1_login_t initrc_var_run_t:file rw_file_perms;
+
+# Write to /var/log/wtmp.
+allow $1_login_t var_log_t:dir search;
+allow $1_login_t wtmp_t:file rw_file_perms;
+
+# Write to /var/log/lastlog.
+allow $1_login_t lastlog_t:file rw_file_perms;
+
+# Write to /var/log/btmp
+allow $1_login_t faillog_t:file { append read write };
+
+# Search for mail spool file.
+allow $1_login_t mail_spool_t:dir r_dir_perms;
+allow $1_login_t mail_spool_t:file getattr;
+allow $1_login_t mail_spool_t:lnk_file read;
+
+# Get security policy decisions.
+can_getsecurity($1_login_t)
+
+# allow read access to default_contexts in /etc/security
+allow $1_login_t default_context_t:file r_file_perms;
+allow $1_login_t default_context_t:dir search;
+r_dir_file($1_login_t, selinux_config_t)
+
+allow $1_login_t mouse_device_t:chr_file { getattr setattr };
+
+ifdef(`targeted_policy',`
+unconfined_domain($1_login_t)
+domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
+')
+
+')dnl end login_domain macro
+#################################
+#
+# Rules for the local_login_t domain.
+#
+# local_login_t is the domain of a login process 
+# spawned by getty.
+#
+# remote_login_t is the domain of a login process 
+# spawned by rlogind.
+#
+# login_exec_t is the type of the login program
+#
+type login_exec_t, file_type, sysadmfile, exec_type;
+
+login_domain(local)
+
+# But also permit other user domains to be entered by login.
+login_spawn_domain(local_login, userdomain)
+
+# Do not audit denied attempts to access devices.
+dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
+dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
+dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
+dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
+dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
+dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
+dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
+dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
+dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
+
+# Do not audit denied attempts to access /mnt.
+dontaudit local_login_t mnt_t:dir r_dir_perms;
+
+
+# Create lock file.
+allow local_login_t var_lock_t:dir rw_dir_perms;
+allow local_login_t var_lock_t:file create_file_perms;
+
+
+# Read and write ttys.
+allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
+allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
+
+# Relabel ttys.
+allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
+allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
+
+ifdef(`gpm.te',
+`allow local_login_t gpmctl_t:sock_file { getattr setattr };')
+
+# Allow setting of attributes on sound devices.
+allow local_login_t sound_device_t:chr_file { getattr setattr };
+
+# Allow setting of attributes on power management devices.
+allow local_login_t power_device_t:chr_file { getattr setattr };
+dontaudit local_login_t init_t:fd use;
+
+#################################
+#
+# Rules for the remote_login_t domain.
+#
+
+login_domain(remote)
+
+# Only permit unprivileged user domains to be entered via rlogin,
+# since very weak authentication is used.
+login_spawn_domain(remote_login, unpriv_userdomain)
+
+allow remote_login_t devpts_t:dir search;
+allow remote_login_t userpty_type:chr_file { setattr write };
+
+# Use the pty created by rlogind.
+ifdef(`rlogind.te', `
+allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
+
+# Relabel ptys created by rlogind.
+allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
+')
+
+# Use the pty created by telnetd.
+ifdef(`telnetd.te', `
+allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
+
+# Relabel ptys created by telnetd.
+allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
+')
+
+allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
+allow remote_login_t fs_t:filesystem { getattr };
+
+# Allow remote login to resolve host names (passed in via the -h switch)
+can_resolve(remote_login_t)
+
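Review bot: The `ifdef(`targeted_policy', ...)` block at the end of the `login_domain` macro expands for both instantiations, so in a targeted build `remote_login_t` is made unconfined and transitions shells to `unconfined_t`, which means the restriction documented at `login_spawn_domain(remote_login, unpriv_userdomain)` ("only unprivileged user domains ... since very weak authentication") holds only in the strict build. If that is intended, a comment inside the block such as `# Also covers remote_login_t: under targeted policy rlogin/telnet logins become unconfined` saves the next reader the cross-check. The `# FIXME: what is this for?` above the `allow xdm_t $1_login_t:process signull;` rule should be resolved or rewritten as a hedged note before the rule is merged. The `# Write to /var/log/btmp` comment sits on a rule for `faillog_t` granting `{ append read write }`, so the comment should name the type and files it actually covers.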
diff --git a/strict/domains/program/logrotate.te b/strict/domains/program/logrotate.te
new file mode 100644
index 0000000..6340f28
--- /dev/null
+++ b/strict/domains/program/logrotate.te
@@ -0,0 +1,145 @@
+#DESC Logrotate - Rotate log files
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil>   Timothy Fraser  
+#           Russell Coker <rcoker at redhat.com>
+# X-Debian-Packages: logrotate
+# Depends: crond.te
+#
+
+#################################
+#
+# Rules for the logrotate_t domain.
+#
+# logrotate_t is the domain for the logrotate program.
+# logrotate_exec_t is the type of the corresponding program.
+#
+type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain;
+role system_r types logrotate_t;
+role sysadm_r types logrotate_t;
+uses_shlib(logrotate_t)
+general_domain_access(logrotate_t)
+type logrotate_exec_t, file_type, sysadmfile, exec_type;
+
+system_crond_entry(logrotate_exec_t, logrotate_t)
+allow logrotate_t cron_spool_t:dir search;
+allow crond_t logrotate_var_lib_t:dir search;
+domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)
+allow logrotate_t self:unix_stream_socket create_socket_perms;
+allow logrotate_t devtty_t:chr_file rw_file_perms;
+
+ifdef(`distro_debian', `
+allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
+# for savelog
+can_exec(logrotate_t, logrotate_exec_t)
+')
+
+# for perl
+allow logrotate_t usr_t:file { getattr read ioctl };
+allow logrotate_t usr_t:lnk_file read;
+
+# access files in /etc
+allow logrotate_t etc_t:file { getattr read ioctl };
+allow logrotate_t etc_t:lnk_file { getattr read };
+allow logrotate_t etc_runtime_t:file r_file_perms;
+
+# it should not require this
+allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
+
+# create lock files
+rw_dir_create_file(logrotate_t, var_lock_t)
+
+# Create temporary files.
+tmp_domain(logrotate)
+can_exec(logrotate_t, logrotate_tmp_t)
+
+# Run helper programs.
+allow logrotate_t { bin_t sbin_t }:dir r_dir_perms;
+allow logrotate_t { bin_t sbin_t }:lnk_file read;
+can_exec(logrotate_t, { bin_t sbin_t shell_exec_t ls_exec_t })
+
+# Read PID files.
+allow logrotate_t pidfile:file r_file_perms;
+
+# Read /proc/PID directories for all domains.
+read_sysctl(logrotate_t)
+allow logrotate_t proc_t:dir r_dir_perms;
+allow logrotate_t proc_t:{ file lnk_file } r_file_perms;
+allow logrotate_t domain:notdevfile_class_set r_file_perms;
+allow logrotate_t domain:dir r_dir_perms;
+allow logrotate_t exec_type:file getattr;
+
+# Read /dev directories and any symbolic links.
+allow logrotate_t device_t:dir r_dir_perms;
+allow logrotate_t device_t:lnk_file r_file_perms;
+
+# Signal processes.
+allow logrotate_t domain:process signal;
+
+# Modify /var/log and other log dirs.
+allow logrotate_t var_t:dir r_dir_perms;
+allow logrotate_t logfile:dir rw_dir_perms;
+allow logrotate_t logfile:lnk_file read;
+
+# Create, rename, and truncate log files.
+allow logrotate_t logfile:file create_file_perms;
+allow logrotate_t wtmp_t:file create_file_perms;
+ifdef(`squid.te', `
+allow squid_t { system_crond_t crond_t }:fd use;
+allow squid_t crond_t:fifo_file { read write };
+allow squid_t system_crond_t:fifo_file write;
+allow squid_t self:capability kill;
+')
+
+# Set a context other than the default one for newly created files.
+can_setfscreate(logrotate_t)
+
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
+# for mailx
+dontaudit logrotate_t self:capability { setuid setgid };
+
+ifdef(`mta.te', `
+allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
+')
+
+# Access /var/run
+allow logrotate_t var_run_t:dir r_dir_perms;
+
+# for /var/lib/logrotate.status and /var/lib/logcheck
+var_lib_domain(logrotate)
+allow logrotate_t logrotate_var_lib_t:dir create;
+
+# Write to /var/spool/slrnpull - should be moved into its own type.
+create_dir_file(logrotate_t, var_spool_t)
+
+allow logrotate_t urandom_device_t:chr_file { getattr read };
+
+# Access terminals.
+allow logrotate_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
+allow logrotate_t privfd:fd use;
+
+# for /var/backups on Debian
+ifdef(`backup.te', `
+rw_dir_create_file(logrotate_t, backup_store_t)
+')
+
+read_locale(logrotate_t)
+
+allow logrotate_t fs_t:filesystem getattr;
+can_exec(logrotate_t, shell_exec_t)
+can_exec(logrotate_t, hostname_exec_t)
+can_exec(logrotate_t,logfile)
+allow logrotate_t net_conf_t:file { getattr read };
+
+ifdef(`consoletype.te', `
+can_exec(logrotate_t, consoletype_exec_t)
+dontaudit consoletype_t logrotate_t:fd use;
+')
+
+allow logrotate_t syslogd_t:unix_dgram_socket sendto;
+
+domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
+
+dontaudit logrotate_t selinux_config_t:dir search;
+
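Review bot: `can_exec(logrotate_t,logfile)` near the end combines with `allow logrotate_t logfile:file create_file_perms;` earlier in the file, so the domain can both write and execute every file carrying the `logfile` attribute; write-plus-execute on one type hands anything that influences log content a route to code execution in a domain that also holds `domain:process signal` and `chown dac_override dac_read_search kill fsetid fowner ...`. If executing a log-typed file is really required (a mislabeled postrotate script, perhaps), the line needs a comment naming the case or, better, a dedicated type for that file; otherwise it should be removed. The `ifdef(`squid.te', ...)` block in the middle of the file grants rules to `squid_t`, not `logrotate_t`, and nothing explains why they live here rather than in squid.te; if they exist because squid's rotation helper runs from cron, say so, e.g. `# squid postrotate helper run from cron inherits crond fds`. The spacing of `can_exec(logrotate_t,logfile)` also differs from every other macro call in the file.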
diff --git a/strict/domains/program/lpd.te b/strict/domains/program/lpd.te
new file mode 100644
index 0000000..75825a3
--- /dev/null
+++ b/strict/domains/program/lpd.te
@@ -0,0 +1,161 @@
+#DESC Lpd - Print server
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# Modified by David A. Wheeler <dwheeler at ida.org> for LPRng (Red Hat 7.1)
+# Modified by Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: lpr
+#
+
+#################################
+#
+# Rules for the lpd_t domain.
+#
+# lpd_t is the domain of lpd.
+# lpd_exec_t is the type of the lpd executable.
+# printer_t is the type of the Unix domain socket created
+# by lpd.
+#
+type printer_port_t, port_type, reserved_port_type;
+daemon_domain(lpd)
+
+allow lpd_t lpd_var_run_t:sock_file create_file_perms;
+
+r_dir_file(lpd_t, fonts_t)
+
+type printer_t, file_type, sysadmfile, dev_fs;
+
+type printconf_t, file_type, sysadmfile;   # Type for files in /usr/share/printconf.
+
+tmp_domain(lpd);
+
+# for postscript include files
+allow lpd_t usr_t:{ file lnk_file } { getattr read };
+
+# Allow checkpc to access the lpd spool so it can check & fix it.
+# This requires that /usr/sbin/checkpc have type checkpc_t.
+type checkpc_t, domain, privlog;
+role system_r types checkpc_t;
+uses_shlib(checkpc_t)
+can_network_client(checkpc_t)
+can_ypbind(checkpc_t)
+log_domain(checkpc)
+type checkpc_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t)
+domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t)
+role sysadm_r types checkpc_t;
+allow checkpc_t admin_tty_type:chr_file { read write };
+allow checkpc_t privfd:fd use;
+ifdef(`crond.te', `
+system_crond_entry(checkpc_exec_t, checkpc_t)
+')
+allow checkpc_t self:capability { setgid setuid dac_override };
+allow checkpc_t self:process { fork signal_perms };
+
+allow checkpc_t proc_t:dir search;
+allow checkpc_t proc_t:lnk_file read;
+allow checkpc_t proc_t:file { getattr read };
+r_dir_file(checkpc_t, self)
+allow checkpc_t self:unix_stream_socket create_socket_perms;
+
+allow checkpc_t { etc_t etc_runtime_t }:file { getattr read };
+allow checkpc_t etc_t:lnk_file read;
+
+allow checkpc_t { var_t var_spool_t }:dir { getattr search };
+allow checkpc_t print_spool_t:file { rw_file_perms unlink };
+allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
+allow checkpc_t device_t:dir search;
+allow checkpc_t printer_device_t:chr_file { getattr append };
+allow checkpc_t devtty_t:chr_file rw_file_perms;
+allow checkpc_t initrc_devpts_t:chr_file rw_file_perms;
+
+# Allow access to /dev/console through the fd:
+allow checkpc_t init_t:fd use;
+
+# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
+allow checkpc_t { bin_t sbin_t }:dir search;
+allow checkpc_t bin_t:lnk_file read;
+can_exec(checkpc_t, shell_exec_t)
+can_exec(checkpc_t, bin_t)
+
+# bash wants access to /proc/meminfo
+allow lpd_t proc_t:file { getattr read };
+
+# gs-gnu wants to read some sysctl entries, it seems to work without though
+dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search;
+
+# for defoma
+r_dir_file(lpd_t, var_lib_t)
+
+allow checkpc_t var_run_t:dir search;
+allow checkpc_t lpd_var_run_t:dir { search getattr };
+
+# This is needed to permit chown to read /var/spool/lpd/lp.
+# This is opens up security more than necessary; this means that ANYTHING
+# running in the initrc_t domain can read the printer spool directory.
+# Perhaps executing /etc/rc.d/init.d/lpd should transition
+# to domain lpd_t, instead of waiting for executing lpd.
+allow initrc_t print_spool_t:dir read;
+
+# for defoma
+r_dir_file(lpd_t, readable_t)
+
+# Use capabilities.
+allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
+
+# Use the network.
+can_network_server(lpd_t)
+can_ypbind(lpd_t)
+allow lpd_t self:fifo_file rw_file_perms;
+allow lpd_t self:unix_stream_socket create_stream_socket_perms;
+allow lpd_t self:unix_dgram_socket create_socket_perms;
+
+allow lpd_t self:file { getattr read };
+allow lpd_t etc_runtime_t:file { getattr read };
+
+# Bind to the printer port.
+allow lpd_t printer_port_t:tcp_socket name_bind;
+
+# Send to portmap.
+ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)')
+
+ifdef(`ypbind.te',
+`# Connect to ypbind.
+can_tcp_connect(lpd_t, ypbind_t)')
+
+# Create and bind to /dev/printer.
+file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file)
+allow lpd_t printer_t:unix_stream_socket name_bind;
+allow lpd_t printer_t:unix_dgram_socket name_bind;
+allow lpd_t printer_device_t:chr_file rw_file_perms;
+
+# Write to /var/spool/lpd.
+allow lpd_t var_spool_t:dir search;
+allow lpd_t print_spool_t:dir rw_dir_perms;
+allow lpd_t print_spool_t:file create_file_perms;
+allow lpd_t print_spool_t:file rw_file_perms;
+
+# Execute filter scripts.
+# can_exec(lpd_t, print_spool_t)
+
+# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+allow lpd_t bin_t:dir search;
+allow lpd_t bin_t:lnk_file read;
+can_exec(lpd_t, { bin_t sbin_t shell_exec_t })
+
+# lpd must be able to execute the filter utilities in /usr/share/printconf.
+can_exec(lpd_t, printconf_t)
+allow lpd_t printconf_t:file rx_file_perms;
+allow lpd_t printconf_t:dir { getattr search read };
+
+# config files for lpd are of type etc_t, probably should change this
+allow lpd_t etc_t:file { getattr read };
+allow lpd_t etc_t:lnk_file read;
+
+# checkpc needs similar permissions.
+allow checkpc_t printconf_t:file getattr;
+allow checkpc_t printconf_t:dir { getattr search read };
+
+# Read printconf files.
+allow initrc_t printconf_t:dir r_dir_perms;
+allow initrc_t printconf_t:file r_file_perms;
+
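Review bot: `allow lpd_t print_spool_t:file rw_file_perms;` directly follows `allow lpd_t print_spool_t:file create_file_perms;`, and `rw_file_perms` is a subset of `create_file_perms`, so the second rule is redundant and can be dropped. The header comment describes `printer_t` as the type of the Unix domain socket created by lpd, yet the only transition rule, `file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file)`, covers symlinks and no `sock_file` create permission for `printer_t` is visible in this file; if /dev/printer is created as a socket, the `name_bind` rules may depend on a permission supplied elsewhere — worth confirming and stating in the comment. `allow initrc_t print_spool_t:dir read;` already carries an honest warning about its breadth; tagging it `# TODO` would make it easier to revisit.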
diff --git a/strict/domains/program/lpr.te b/strict/domains/program/lpr.te
new file mode 100644
index 0000000..d8ec0c0
--- /dev/null
+++ b/strict/domains/program/lpr.te
@@ -0,0 +1,12 @@
+#DESC Lpr - Print client
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser 
+# X-Debian-Packages: lpr lprng
+#
+
+
+# Type for the lpr, lpq, and lprm executables.
+type lpr_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the lpr_domain macro in
+# macros/program/lpr_macros.te.
diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te
new file mode 100644
index 0000000..f2cf061
--- /dev/null
+++ b/strict/domains/program/lvm.te
@@ -0,0 +1,124 @@
+#DESC LVM - Linux Volume Manager
+#
+# Author:  Michael Kaufman <walker at screwage.com>
+# X-Debian-Packages: lvm10 lvm2 lvm-common
+#
+
+#################################
+#
+# Rules for the lvm_t domain.
+#
+# lvm_t is the domain for LVM administration.
+# lvm_exec_t is the type of the corresponding programs.
+# lvm_etc_t is for read-only LVM configuration files.
+# lvm_metadata_t is the type of LVM metadata files in /etc that are
+# modified at runtime.
+#
+type lvm_vg_t, file_type, sysadmfile;
+type lvm_metadata_t, file_type, sysadmfile;
+type lvm_control_t, device_type, dev_fs;
+etcdir_domain(lvm)
+allow lvm_t var_t:dir search;
+lock_domain(lvm)
+allow lvm_t lvm_lock_t:dir rw_dir_perms;
+
+# needs privowner because it assigns the identity system_u to device nodes
+# but runs as the identity of the sysadmin
+daemon_base_domain(lvm, `, fs_domain, privowner')
+role sysadm_r types lvm_t;
+domain_auto_trans(sysadm_t, lvm_exec_t, lvm_t)
+
+# LVM will complain a lot if it cannot set its priority.
+allow lvm_t self:process setsched;
+
+allow lvm_t self:fifo_file rw_file_perms;
+allow lvm_t self:unix_dgram_socket create_socket_perms;
+
+r_dir_file(lvm_t, proc_t)
+allow lvm_t self:file r_file_perms;
+
+# Read system variables in /proc/sys
+read_sysctl(lvm_t)
+
+# Read /sys/block. Device mapper metadata is kept there.
+r_dir_file(lvm_t, sysfs_t) 
+
+allow lvm_t fs_t:filesystem getattr;
+
+# Read configuration files in /etc.
+allow lvm_t { etc_t etc_runtime_t }:file { getattr read };
+
+# LVM creates block devices in /dev/mapper or /dev/<vg>
+# depending on its version
+file_type_auto_trans(lvm_t, device_t, fixed_disk_device_t, blk_file)
+
+# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
+# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
+allow lvm_t device_t:dir create_dir_perms;
+allow lvm_t device_t:lnk_file create_lnk_perms;
+
+# /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
+allow lvm_t lvm_exec_t:dir search;
+allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
+
+tmp_domain(lvm)
+allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
+
+# DAC overrides and mknod for modifying /dev entries (vgmknodes)
+allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod };
+
+# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
+file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file)
+
+allow lvm_t lvm_metadata_t:dir rw_dir_perms;
+
+# Inherit and use descriptors from init.
+allow lvm_t init_t:fd use;
+
+# LVM is split into many individual binaries
+can_exec(lvm_t, lvm_exec_t)
+
+# Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
+allow lvm_t fixed_disk_device_t:chr_file create_file_perms;
+
+# relabel devices
+allow lvm_t { default_context_t file_context_t }:dir search;
+allow lvm_t file_context_t:file { getattr read };
+can_getsecurity(lvm_t)
+allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
+allow lvm_t device_t:lnk_file { relabelfrom relabelto };
+
+# Access terminals.
+allow lvm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+allow lvm_t devtty_t:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow lvm_t sysadm_gph_t:fd use;')
+allow lvm_t privfd:fd use;
+allow lvm_t devpts_t:dir { search getattr read };
+
+read_locale(lvm_t)
+
+# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
+dontaudit lvm_t device_type:{ chr_file blk_file } getattr;
+dontaudit lvm_t ttyfile:chr_file getattr;
+dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
+dontaudit lvm_t devpts_t:dir { getattr read };
+
+ifdef(`gpm.te', `
+dontaudit lvm_t gpmctl_t:sock_file getattr;
+')
+dontaudit lvm_t initctl_t:fifo_file getattr;
+allow lvm_t sbin_t:dir search;
+dontaudit lvm_t sbin_t:file getattr;
+allow lvm_t lvm_control_t:chr_file rw_file_perms;
+allow initrc_t lvm_control_t:chr_file { getattr read unlink };
+allow initrc_t device_t:chr_file create;
+dontaudit lvm_t var_run_t:dir getattr;
+
+# for when /usr is not mounted
+dontaudit lvm_t file_t:dir search;
+
+allow lvm_t tmpfs_t:dir r_dir_perms;
+r_dir_file(lvm_t, selinux_config_t)
+
+# it has no reason to need this
+dontaudit lvm_t proc_kcore_t:file getattr;
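Review bot: `allow initrc_t lvm_control_t:chr_file { getattr read unlink };` and `allow initrc_t device_t:chr_file create;` near the end carry no comment, and the second grants initrc_t creation of character device nodes labeled `device_t` with no visible `file_type_auto_trans` to `lvm_control_t`, so a node it creates presumably keeps the generic type while `lvm_t` is only given `rw_file_perms` on `lvm_control_t`. If this is the /dev/mapper/control setup path (inferred from the type name, please confirm), say so and either add the transition or explain how the node is relabeled: `# initrc creates the device-mapper control node; relabeled to lvm_control_t by ... — confirm`. `allow lvm_t fixed_disk_device_t:chr_file create_file_perms;` is already marked `Is this needed?`; a rule that creates character devices across the whole fixed-disk type should be settled rather than merged with an open question.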
diff --git a/strict/domains/program/mailman.te b/strict/domains/program/mailman.te
new file mode 100644
index 0000000..588459a
--- /dev/null
+++ b/strict/domains/program/mailman.te
@@ -0,0 +1,110 @@
+#DESC Mailman - GNU Mailman mailing list manager
+#
+# Author: Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: mailman
+
+type mailman_data_t, file_type, sysadmfile;
+type mailman_archive_t, file_type, sysadmfile;
+
+type mailman_log_t, file_type, sysadmfile, logfile;
+type mailman_lock_t, file_type, sysadmfile, lockfile;
+
+define(`mailman_domain', `
+type mailman_$1_t, domain, privlog $2;
+type mailman_$1_exec_t, file_type, sysadmfile, exec_type;
+role system_r types mailman_$1_t;
+file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file)
+allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
+create_dir_file(mailman_$1_t, mailman_data_t)
+uses_shlib(mailman_$1_t)
+can_exec_any(mailman_$1_t)
+read_sysctl(mailman_$1_t)
+allow mailman_$1_t proc_t:dir search;
+allow mailman_$1_t proc_t:file { read getattr };
+allow mailman_$1_t var_lib_t:dir r_dir_perms;
+allow mailman_$1_t var_lib_t:lnk_file read;
+allow mailman_$1_t device_t:dir search;
+allow mailman_$1_t etc_runtime_t:file { read getattr };
+read_locale(mailman_$1_t)
+file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file)
+allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_$1_t fs_t:filesystem getattr;
+can_network(mailman_$1_t)
+can_ypbind(mailman_$1_t)
+allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
+allow mailman_$1_t var_t:dir r_dir_perms;
+tmp_domain(mailman_$1)
+')
+
+mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
+can_tcp_connect(mailman_queue_t, mail_server_domain)
+
+can_exec(mailman_queue_t, su_exec_t)
+allow mailman_queue_t self:capability { setgid setuid };
+allow mailman_queue_t self:fifo_file rw_file_perms;
+dontaudit mailman_queue_t var_run_t:dir search;
+allow mailman_queue_t proc_t:lnk_file { getattr read };
+
+# for su
+dontaudit mailman_queue_t selinux_config_t:dir search;
+allow mailman_queue_t self:dir search;
+allow mailman_queue_t self:file { getattr read };
+allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
+allow mailman_queue_t self:lnk_file { getattr read };
+
+# some of the following could probably be changed to dontaudit, someone who
+# knows mailman well should test this out and send the changes
+allow mailman_queue_t sysadm_home_dir_t:dir { getattr search };
+
+mailman_domain(mail)
+dontaudit mailman_mail_t mta_delivery_agent:tcp_socket { read write };
+allow mailman_mail_t mta_delivery_agent:fd use;
+ifdef(`qmail.te', `
+allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
+# do we really need this?
+allow mailman_mail_t qmail_lspawn_t:fifo_file write;
+')
+
+create_dir_file(mailman_queue_t, mailman_archive_t)
+
+ifdef(`apache.te', `
+mailman_domain(cgi)
+can_tcp_connect(mailman_cgi_t, mail_server_domain)
+
+domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
+# should have separate types for public and private archives
+r_dir_file(httpd_t, mailman_archive_t)
+create_dir_file(mailman_cgi_t, mailman_archive_t)
+allow httpd_t mailman_data_t:dir { getattr search };
+
+dontaudit mailman_cgi_t httpd_log_t:file append;
+allow httpd_t mailman_cgi_t:process signal;
+allow mailman_cgi_t httpd_t:process sigchld;
+allow mailman_cgi_t httpd_t:fd use;
+allow mailman_cgi_t httpd_t:fifo_file { getattr read write ioctl };
+allow mailman_cgi_t httpd_sys_script_t:dir search;
+allow mailman_cgi_t devtty_t:chr_file { read write };
+allow mailman_cgi_t self:process { fork sigchld };
+allow mailman_cgi_t var_spool_t:dir search;
+')
+
+allow mta_delivery_agent mailman_data_t:dir search;
+allow mta_delivery_agent mailman_data_t:lnk_file read;
+domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t)
+ifdef(`direct_sysadm_daemon', `
+domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)
+')
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+
+system_crond_entry(mailman_queue_exec_t, mailman_queue_t)
+allow mailman_queue_t devtty_t:chr_file { read write };
+allow mailman_queue_t self:process { fork signal sigchld };
+allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
+
+# so MTA can access /var/lib/mailman/mail/wrapper
+allow mta_delivery_agent var_lib_t:dir search;
+
+# Handle mailman log files
+rw_dir_create_file(logrotate_t, mailman_log_t)
+allow logrotate_t mailman_data_t:dir search;
+can_exec(logrotate_t, mailman_mail_exec_t)
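Review bot: The `mailman_domain` macro grants `can_network(mailman_$1_t)` and `can_exec_any(mailman_$1_t)` to every instantiation, including `mailman_cgi_t`, which is entered from `httpd_t`/`httpd_suexec_t` and is therefore reachable from web requests. Both the queue runner and the cgi domain get their outbound mail access through separate `can_tcp_connect(..., mail_server_domain)` calls, so if none of the three domains needs to listen, `can_network_client(mailman_$1_t)` in the macro would match what the rest of the file grants; otherwise the reason for full network access should be commented. `can_exec_any` for the web-facing domain likewise deserves a comment naming which helper programs the cgi scripts run.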
diff --git a/strict/domains/program/mdadm.te b/strict/domains/program/mdadm.te
new file mode 100644
index 0000000..91de77c
--- /dev/null
+++ b/strict/domains/program/mdadm.te
@@ -0,0 +1,43 @@
+#DESC mdadm - Linux RAID tool
+#
+# Author: Colin Walters <walters at redhat.com>
+#
+
+daemon_base_domain(mdadm, `, fs_domain')
+role sysadm_r types mdadm_t;
+
+allow initrc_t mdadm_var_run_t:file create_file_perms;
+
+# Kernel filesystem permissions
+r_dir_file(mdadm_t, proc_t)
+allow mdadm_t proc_mdstat_t:file rw_file_perms;
+read_sysctl(mdadm_t)
+r_dir_file(mdadm_t, sysfs_t) 
+
+# Configuration
+allow mdadm_t { etc_t etc_runtime_t }:file { getattr read };
+read_locale(mdadm_t)
+
+# Linux capabilities
+allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+
+# Helper program access
+can_exec(mdadm_t, { bin_t sbin_t })
+
+# RAID block device access
+allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
+allow mdadm_t device_t:lnk_file { getattr read };
+
+# Ignore attempts to read every device file
+dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
+dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
+dontaudit mdadm_t devpts_t:dir r_dir_perms;
+
+# Ignore attempts to read/write sysadmin tty
+dontaudit mdadm_t sysadm_tty_device_t:chr_file rw_file_perms;
+
+# Other random ignores
+dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
+dontaudit mdadm_t initctl_t:fifo_file getattr;
+var_run_domain(mdadm)
+allow mdadm_t var_t:dir { getattr search };
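Review bot: `var_run_domain(mdadm)` sits under the `# Other random ignores` heading, where it reads as a dontaudit rule, while `allow initrc_t mdadm_var_run_t:file create_file_perms;` near the top uses the type it declares; moving the macro call up beside `daemon_base_domain(mdadm, ...)` and that initrc rule keeps the declarations together. The initrc rule itself has no comment; if initrc writes the mdadm pid or map file before the daemon starts (inferred, confirm), `# initrc creates mdadm's pid file before the daemon starts` would explain why a second domain writes into this type. `allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;` under `# RAID block device access` also grants creation and unlinking of block device nodes; if mdadm only opens existing array members, `rw_file_perms` would be the narrower grant.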
diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te
new file mode 100644
index 0000000..4643be1
--- /dev/null
+++ b/strict/domains/program/modutil.te
@@ -0,0 +1,232 @@
+#DESC Modutil - Dynamic module utilities
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: modutils
+#
+
+#################################
+#
+# Rules for the module utility domains.
+#
+type modules_dep_t, file_type, sysadmfile;
+type modules_conf_t, file_type, sysadmfile;
+type modules_object_t, file_type, sysadmfile;
+
+
+ifdef(`IS_INITRD', `', `
+#################################
+#
+# Rules for the depmod_t domain.
+#
+type depmod_t, domain;
+role system_r types depmod_t;
+role sysadm_r types depmod_t;
+
+uses_shlib(depmod_t)
+
+r_dir_file(depmod_t, src_t)
+
+type depmod_exec_t, file_type, exec_type, sysadmfile;
+domain_auto_trans(initrc_t, depmod_exec_t, depmod_t)
+allow depmod_t { bin_t sbin_t }:dir search;
+can_exec(depmod_t, depmod_exec_t)
+domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
+
+# Inherit and use descriptors from init and login programs.
+allow depmod_t { init_t privfd }:fd use;
+
+allow depmod_t { etc_t etc_runtime_t }:file { getattr read };
+allow depmod_t { device_t proc_t }:dir search;
+allow depmod_t proc_t:file { getattr read };
+allow depmod_t fs_t:filesystem getattr;
+
+# read system.map
+allow depmod_t boot_t:dir search;
+allow depmod_t boot_t:file { getattr read };
+allow depmod_t system_map_t:file { getattr read };
+
+# Read conf.modules.
+allow depmod_t modules_conf_t:file r_file_perms;
+
+# Create modules.dep.
+file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file)
+
+# Read module objects.
+allow depmod_t modules_object_t:dir r_dir_perms;
+allow depmod_t modules_object_t:{ file lnk_file } r_file_perms;
+
+# Access terminals.
+allow depmod_t { console_device_t initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
+
+# Read System.map from home directories.
+allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms;
+r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
+')dnl end IS_INITRD
+
+#################################
+#
+# Rules for the insmod_t domain.
+#
+
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
+;
+role system_r types insmod_t;
+role sysadm_r types insmod_t;
+
+ifdef(`unlimitedUtils', `
+unconfined_domain(insmod_t) 
+')
+can_ypbind(insmod_t)
+uses_shlib(insmod_t)
+read_locale(insmod_t)
+
+# for SSP
+allow insmod_t urandom_device_t:chr_file read;
+allow insmod_t lib_t:file { getattr read };
+
+allow insmod_t { bin_t sbin_t }:dir search;
+allow insmod_t { bin_t sbin_t }:lnk_file read;
+
+allow insmod_t self:dir search;
+allow insmod_t self:lnk_file read;
+
+allow insmod_t usr_t:file { getattr read };
+
+allow insmod_t privfd:fd use;
+allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write };
+ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;')
+
+allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
+
+allow insmod_t sound_device_t:chr_file { read ioctl write };
+allow insmod_t zero_device_t:chr_file read;
+allow insmod_t memory_device_t:chr_file rw_file_perms;
+
+# Read module config and dependency information
+allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
+
+# Read module objects.
+r_dir_file(insmod_t, modules_object_t)
+# for locking
+allow insmod_t modules_object_t:file write;
+
+allow insmod_t { var_t var_log_t }:dir search;
+ifdef(`xserver.te', `
+allow insmod_t xserver_log_t:file getattr;
+')
+rw_dir_create_file(insmod_t, var_log_ksyms_t)
+allow insmod_t { etc_t etc_runtime_t }:file { getattr read };
+
+allow insmod_t self:udp_socket create_socket_perms;
+allow insmod_t self:unix_dgram_socket create_socket_perms;
+allow insmod_t self:unix_stream_socket create_stream_socket_perms;
+allow insmod_t self:rawip_socket create_socket_perms;
+allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config };
+allow insmod_t domain:process signal;
+allow insmod_t self:process { fork signal_perms };
+allow insmod_t device_t:dir search;
+allow insmod_t etc_runtime_t:file { getattr read };
+
+# for loading modules at boot time
+allow insmod_t { init_t initrc_t }:fd use;
+allow insmod_t initrc_t:fifo_file { getattr read write };
+
+allow insmod_t fs_t:filesystem getattr;
+allow insmod_t sysfs_t:dir search;
+allow insmod_t { usbfs_t usbdevfs_t }:dir search;
+allow insmod_t { usbfs_t usbdevfs_t }:filesystem mount;
+
+# Rules for /proc/sys/kernel/tainted
+read_sysctl(insmod_t)
+allow insmod_t proc_t:dir search;
+allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };
+
+allow insmod_t proc_t:file { getattr read };
+allow insmod_t proc_t:lnk_file read;
+
+# Write to /proc/mtrr.
+allow insmod_t mtrr_device_t:file write;
+
+# Read /proc/sys/kernel/hotplug.
+allow insmod_t sysctl_hotplug_t:file read;
+
+allow insmod_t device_t:dir read;
+allow insmod_t devpts_t:dir { getattr search };
+
+type insmod_exec_t, file_type, exec_type, sysadmfile;
+domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
+can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t })
+allow insmod_t devtty_t:chr_file rw_file_perms;
+allow update_modules_t devpts_t:dir search;
+allow insmod_t privmodule:process sigchld;
+dontaudit sysadm_t self:capability sys_module;
+
+ifdef(`mount.te', `
+# Run mount in the mount_t domain.
+domain_auto_trans(insmod_t, mount_exec_t, mount_t)
+')
+# for when /var is not mounted early in the boot
+dontaudit insmod_t file_t:dir search;
+
+# for nscd
+dontaudit insmod_t var_run_t:dir search;
+
+ifdef(`crond.te', `
+rw_dir_create_file(system_crond_t, var_log_ksyms_t)
+')
+
+ifdef(`IS_INITRD', `', `
+#################################
+#
+# Rules for the update_modules_t domain.
+#
+type update_modules_t, domain, privlog;
+type update_modules_exec_t, file_type, exec_type, sysadmfile;
+
+role system_r types update_modules_t;
+role sysadm_r types update_modules_t;
+
+domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t)
+allow update_modules_t privfd:fd use;
+allow update_modules_t init_t:fd use;
+
+allow update_modules_t device_t:dir { getattr search };
+allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
+allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+allow update_modules_t devpts_t:dir search;
+
+can_exec(update_modules_t, insmod_exec_t)
+allow update_modules_t urandom_device_t:chr_file { getattr read };
+
+dontaudit update_modules_t sysadm_home_dir_t:dir search;
+
+uses_shlib(update_modules_t)
+read_locale(update_modules_t)
+allow update_modules_t lib_t:file { getattr read };
+allow update_modules_t self:process { fork sigchld };
+allow update_modules_t self:fifo_file rw_file_perms;
+allow update_modules_t self:file { getattr read };
+allow update_modules_t modules_dep_t:file rw_file_perms;
+file_type_auto_trans(update_modules_t, modules_object_t, modules_conf_t, file)
+domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
+can_exec(update_modules_t, { shell_exec_t bin_t sbin_t update_modules_exec_t etc_t })
+allow update_modules_t { sbin_t bin_t }:lnk_file read;
+allow update_modules_t { sbin_t bin_t }:dir search;
+allow update_modules_t { etc_t etc_runtime_t }:file r_file_perms;
+allow update_modules_t etc_t:lnk_file read;
+allow update_modules_t fs_t:filesystem getattr;
+
+allow update_modules_t proc_t:dir search;
+allow update_modules_t proc_t:file r_file_perms;
+allow update_modules_t { self proc_t }:lnk_file read;
+read_sysctl(update_modules_t)
+allow update_modules_t self:dir search;
+allow update_modules_t self:unix_stream_socket create_socket_perms;
+
+file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file)
+
+tmp_domain(update_modules)
+')dnl end IS_INITRD
+
+
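Review bot: L9011 `allow update_modules_t devpts_t:dir search;` references `update_modules_t` outside the `ifdef(`IS_INITRD', ...)` guard, while the type itself is only declared inside that guard (L9034); when IS_INITRD is set this rule names an undeclared type, and it duplicates L9047 anyway, so it can be dropped. L9013 `dontaudit sysadm_t self:capability sys_module;` likewise sits in the insmod_t section but concerns sysadm_t; a short comment on why sysadm_t triggers that denial (presumably a direct module load attempt before the transition) would make the intent reviewable. With `unlimitedUtils` defined (L8922, L8928) insmod_t becomes an unconfined admin domain, which is worth stating in the header comment since it changes the security posture of every domain that reaches insmod_t via `privmodule` (L9008).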
diff --git a/strict/domains/program/mount.te b/strict/domains/program/mount.te
new file mode 100644
index 0000000..e79168b
--- /dev/null
+++ b/strict/domains/program/mount.te
@@ -0,0 +1,110 @@
+#DESC Mount - Filesystem mount utilities
+#
+# Macros for mount
+#
+# Author:  Brian May <bam at snoopy.apana.org.au>
+# X-Debian-Packages: mount
+#
+# based on the work of:
+#          Mark Westerman mark.westerman at csoconline.com
+#
+
+type mount_exec_t, file_type, sysadmfile, exec_type;
+
+mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain')
+mount_loopback_privs(sysadm, mount)
+role sysadm_r types mount_t;
+role system_r types mount_t;
+
+allow mount_t { initrc_devpts_t console_device_t }:chr_file { read write };
+
+domain_auto_trans(initrc_t, mount_exec_t, mount_t)
+allow mount_t init_t:fd use;
+allow mount_t privfd:fd use;
+
+allow mount_t self:capability { ipc_lock dac_override };
+allow mount_t self:process { fork signal_perms };
+
+allow mount_t file_type:dir search;
+
+# Access disk devices.
+allow mount_t fixed_disk_device_t:devfile_class_set rw_file_perms;
+allow mount_t removable_device_t:devfile_class_set rw_file_perms;
+allow mount_t device_t:lnk_file read;
+
+# for when /etc/mtab loses its type
+allow mount_t file_t:file { getattr read unlink };
+
+# Mount, remount and unmount file systems.
+allow mount_t fs_type:filesystem mount_fs_perms;
+allow mount_t default_t:dir mounton;
+allow mount_t file_t:dir mounton;
+allow mount_t usr_t:dir mounton;
+allow mount_t var_t:dir mounton;
+allow mount_t proc_t:dir mounton;
+allow mount_t root_t:dir mounton;
+allow mount_t home_root_t:dir mounton;
+allow mount_t tmp_t:dir mounton;
+allow mount_t mnt_t:dir mounton;
+allow mount_t devpts_t:dir mounton;
+allow mount_t usbdevfs_t:dir mounton;
+allow mount_t sysfs_t:dir mounton;
+allow mount_t nfs_t:dir mounton;
+allow mount_t nfs_t:dir search;
+# nfsv4 has a filesystem to mount for its userspace daemons
+allow mount_t var_lib_nfs_t:dir mounton;
+
+# On some RedHat systems, /boot is a mount point
+allow mount_t boot_t:dir mounton;
+allow mount_t device_t:dir mounton;
+# mount binfmt_misc on /proc/sys/fs/binfmt_misc
+allow mount_t sysctl_t:dir { mounton search };
+
+allow mount_t root_t:filesystem unmount;
+
+ifdef(`portmap.te', `
+# for nfs
+can_network(mount_t)
+can_ypbind(mount_t)
+allow mount_t port_t:{ tcp_socket udp_socket } name_bind;
+allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
+can_udp_send(mount_t, portmap_t)
+can_udp_send(portmap_t, mount_t)
+allow mount_t rpc_pipefs_t:dir search;
+')
+dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
+
+#
+# required for mount.smbfs
+#
+allow mount_t sbin_t:lnk_file { getattr read };
+
+rhgb_domain(mount_t)
+
+# for localization
+allow mount_t lib_t:file { getattr read };
+allow mount_t autofs_t:dir read;
+allow mount_t fs_t:filesystem relabelfrom;
+#
+# This rule needs to be generalized.  Only admin, initrc should have it.
+#
+allow mount_t file_type:filesystem { unmount mount relabelto };
+
+allow mount_t mnt_t:dir getattr;
+dontaudit mount_t kernel_t:fd use;
+allow mount_t userdomain:fd use;
+can_exec(mount_t, { sbin_t bin_t })
+allow mount_t device_t:dir r_dir_perms;
+ifdef(`distro_redhat', `
+allow mount_t tmpfs_t:chr_file { read write };
+allow mount_t tmpfs_t:dir mounton;
+')
+
+
+# tries to read /init
+dontaudit mount_t root_t:file { getattr read };
+
+allow kernel_t mount_t:tcp_socket { read write };
+allow mount_t self:capability { setgid setuid };
+allow user_t mount_t:tcp_socket write;
+allow mount_t proc_t:lnk_file read;
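Review bot: L9195 and L9197 let `kernel_t` read/write and `user_t` write `mount_t` TCP sockets with no comment and outside the `ifdef(`portmap.te', ...)` block (L9153-L9162) where the rest of mount_t's networking lives; if these exist for NFS-over-TCP mounts they belong inside that guard, and write access from the unprivileged `user_t` to a privileged domain's socket deserves a stated reason. L9179 already carries the author's own note that `file_type:filesystem { unmount mount relabelto }` is too broad; combined with L9116 (`file_type:dir search`) mount_t can mount, unmount and relabel onto any labelled filesystem, so a TODO naming the intended restriction (admin/initrc only, per the comment) would keep this from being forgotten.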
diff --git a/strict/domains/program/mozilla.te b/strict/domains/program/mozilla.te
new file mode 100644
index 0000000..3761e0d
--- /dev/null
+++ b/strict/domains/program/mozilla.te
@@ -0,0 +1,18 @@
+#DESC Netscape - Web browser
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser 
+# X-Debian-Packages: mozilla
+#
+
+# Type for the netscape, mozilla or other browser executables.
+type mozilla_exec_t, file_type, sysadmfile, exec_type;
+type mozilla_conf_t, file_type, sysadmfile;
+
+# Allow mozilla to read files in the user home directory
+bool mozilla_readhome false;
+
+# Allow mozilla to write files in the user home directory
+bool mozilla_writehome false;
+
+# Everything else is in the mozilla_domain macro in
+# macros/program/mozilla_macros.te.
diff --git a/strict/domains/program/mplayer.te b/strict/domains/program/mplayer.te
new file mode 100644
index 0000000..194c807
--- /dev/null
+++ b/strict/domains/program/mplayer.te
@@ -0,0 +1,15 @@
+#DESC mplayer - media player 
+#
+# Author: Ivan Gyurdiev <ivg2 at cornell.edu>
+#
+
+# Type for the mplayer executable.
+type mplayer_exec_t, file_type, exec_type, sysadmfile;
+type mencoder_exec_t, file_type, exec_type, sysadmfile;
+type mplayer_etc_t, file_type, sysadmfile;
+
+# Allow mplayer executable stack
+bool allow_mplayer_execstack false;
+
+# Everything else is in the mplayer_domain macro in
+# macros/program/mplayer_macros.te.
diff --git a/strict/domains/program/mrtg.te b/strict/domains/program/mrtg.te
new file mode 100644
index 0000000..112b94d
--- /dev/null
+++ b/strict/domains/program/mrtg.te
@@ -0,0 +1,98 @@
+#DESC MRTG - Network traffic graphing
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: mrtg
+#
+
+#################################
+#
+# Rules for the mrtg_t domain.
+#
+# mrtg_exec_t is the type of the mrtg executable.
+#
+daemon_base_domain(mrtg)
+
+allow mrtg_t fs_t:filesystem getattr;
+
+ifdef(`crond.te', `
+system_crond_entry(mrtg_exec_t, mrtg_t)
+allow system_crond_t mrtg_log_t:dir rw_dir_perms;
+allow system_crond_t mrtg_log_t:file { create append getattr };
+')
+
+allow mrtg_t usr_t:{ file lnk_file } { getattr read };
+dontaudit mrtg_t usr_t:file ioctl;
+
+logdir_domain(mrtg)
+etcdir_domain(mrtg)
+typealias mrtg_etc_t alias etc_mrtg_t;
+type var_lib_mrtg_t, file_type, sysadmfile;
+type mrtg_lock_t, file_type, sysadmfile, lockfile;
+r_dir_file(mrtg_t, lib_t)
+
+# Use the network.
+can_network_client(mrtg_t)
+can_ypbind(mrtg_t)
+
+allow mrtg_t self:fifo_file { getattr read write ioctl };
+allow mrtg_t { admin_tty_type devtty_t }:chr_file rw_file_perms;
+allow mrtg_t urandom_device_t:chr_file { getattr read };
+allow mrtg_t self:unix_stream_socket create_socket_perms;
+ifdef(`apache.te', `
+rw_dir_create_file(mrtg_t, httpd_sys_content_t)
+')
+
+can_exec(mrtg_t, { shell_exec_t bin_t sbin_t })
+allow mrtg_t { bin_t sbin_t }:dir { getattr search };
+allow mrtg_t bin_t:lnk_file read;
+allow mrtg_t var_t:dir { getattr search };
+
+ifdef(`snmpd.te', `
+can_udp_send(mrtg_t, snmpd_t)
+can_udp_send(snmpd_t, mrtg_t)
+r_dir_file(mrtg_t, snmpd_var_lib_t)
+')
+
+allow mrtg_t proc_net_t:dir search;
+allow mrtg_t { proc_t proc_net_t }:file { read getattr };
+dontaudit mrtg_t proc_t:file ioctl;
+
+allow mrtg_t { var_lock_t var_lib_t }:dir search;
+rw_dir_create_file(mrtg_t, var_lib_mrtg_t)
+rw_dir_create_file(mrtg_t, mrtg_lock_t)
+ifdef(`distro_redhat', `
+file_type_auto_trans(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
+')
+
+# read config files
+allow mrtg_t etc_t:file { read getattr };
+dontaudit mrtg_t mrtg_etc_t:dir write;
+dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
+read_locale(mrtg_t)
+
+# for /.autofsck
+dontaudit mrtg_t root_t:file getattr;
+
+dontaudit mrtg_t security_t:dir getattr;
+
+read_sysctl(mrtg_t)
+
+# for uptime
+allow mrtg_t var_run_t:dir search;
+allow mrtg_t initrc_var_run_t:file read;
+dontaudit mrtg_t initrc_var_run_t:file { write lock };
+allow mrtg_t etc_runtime_t:file { getattr read };
+
+allow mrtg_t tmp_t:dir getattr;
+
+# should not need this!
+dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
+dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
+ifdef(`quota.te', `
+dontaudit mrtg_t quota_db_t:file getattr;
+')
+dontaudit mrtg_t root_t:lnk_file getattr;
+
+allow mrtg_t self:capability { setgid setuid };
+can_exec(mrtg_t, hostname_exec_t)
+allow mrtg_t var_spool_t:dir search;
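Review bot: L9346 `can_exec(mrtg_t, hostname_exec_t)` references `hostname_exec_t` unconditionally, whereas every other cross-module reference in this file (L9266, L9290, L9299, L9340) is wrapped in an `ifdef` on the providing .te file; unless hostname_exec_t is declared in a file that is always built, this fails to compile when hostname.te is absent, so `ifdef(`hostname.te', `can_exec(mrtg_t, hostname_exec_t)')` would match the file's own convention. L9345 `allow mrtg_t self:capability { setgid setuid };` is the only capability grant in the file and has no comment, while neighbouring rules (L9322, L9329) explain their purpose; a comment such as `# drops privileges to the mrtg user after being started by cron` (if that is the reason) would keep the capability reviewable.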
diff --git a/strict/domains/program/mta.te b/strict/domains/program/mta.te
new file mode 100644
index 0000000..096c734
--- /dev/null
+++ b/strict/domains/program/mta.te
@@ -0,0 +1,84 @@
+#DESC MTA - Mail agents
+#
+# Author: Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: postfix exim sendmail sendmail-wide
+#
+# policy for all mail servers, including allowing user to send mail from the
+# command-line and for cron jobs to use sendmail -t
+
+#
+# sendmail_exec_t is the type of /usr/sbin/sendmail
+#
+# define sendmail_exec_t if sendmail.te does not do it for us
+ifdef(`sendmail.te', `', `
+type sendmail_exec_t, file_type, exec_type, sysadmfile;
+')
+type smtp_port_t, port_type, reserved_port_type;
+
+
+# create a system_mail_t domain for daemons, init scripts, etc when they run
+# "mail user at domain"
+mail_domain(system)
+
+ifdef(`targeted_policy', `
+# rules are currently defined in sendmail.te, but it is not included in 
+# targeted policy.  We could move these rules permanantly here.
+ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
+allow system_mail_t self:dir { search };
+r_dir_file(system_mail_t, { proc_t proc_net_t })
+allow system_mail_t fs_t:filesystem getattr;
+allow system_mail_t { var_t var_spool_t }:dir getattr;
+create_dir_file(system_mail_t, mqueue_spool_t)
+create_dir_file(system_mail_t, mail_spool_t)
+allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
+allow system_mail_t etc_mail_t:file { getattr read };
+', `
+ifdef(`sendmail.te', `
+# sendmail has an ugly design, the one process parses input from the user and
+# then does system things with it.
+domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
+', `
+domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)
+')
+allow initrc_t sendmail_exec_t:lnk_file { getattr read };
+
+# allow the sysadmin to do "mail someone < /home/user/whatever"
+allow sysadm_mail_t user_home_dir_type:dir search;
+r_dir_file(sysadm_mail_t, user_home_type)
+')
+# for a mail server process that does things in response to a user command
+allow mta_user_agent userdomain:process sigchld;
+allow mta_user_agent { userdomain privfd }:fd use;
+ifdef(`crond.te', `
+allow mta_user_agent crond_t:process sigchld;
+')
+allow mta_user_agent sysadm_t:fifo_file { read write };
+
+allow { system_mail_t mta_user_agent } privmail:fd use;
+allow { system_mail_t mta_user_agent } privmail:process sigchld;
+allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
+allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
+
+ifdef(`arpwatch.te', `
+# why is mail delivered to a directory of type arpwatch_data_t?
+allow mta_delivery_agent arpwatch_data_t:dir search;
+allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
+ifdef(`hide_broken_symptoms', `
+dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
+')
+')dnl end if arpwatch.te
+
+allow mta_delivery_agent home_root_t:dir { getattr search };
+
+# for /var/spool/mail
+ra_dir_create_file(mta_delivery_agent, mail_spool_t)
+
+# for piping mail to a command
+can_exec(mta_delivery_agent, shell_exec_t)
+allow mta_delivery_agent bin_t:dir search;
+allow mta_delivery_agent bin_t:lnk_file read;
+allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
+allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
+
+allow system_mail_t etc_runtime_t:file { getattr read };
+allow system_mail_t urandom_device_t:chr_file read;
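Review bot: L9379 `can_exec_any(system_mail_t)` under `targeted_policy` is the broadest rule in the file, and the comment on L9377-L9378 explains only that the rules were moved here, not why the mail domain needs to execute arbitrary executables; a comment naming the sendmail helper that needs it, or narrowing to the specific exec types, would make the grant reviewable. L9437 `allow system_mail_t urandom_device_t:chr_file read;` lacks the `# for SSP` comment that the same rule carries in modutil.te (L8934-L8935) and ntpd.te (L9902-L9903), so a reader here cannot tell whether it is stack-protector seeding or something else.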
diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te
new file mode 100644
index 0000000..84934de
--- /dev/null
+++ b/strict/domains/program/mysqld.te
@@ -0,0 +1,92 @@
+#DESC Mysqld - Database server
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: mysql-server
+#
+
+#################################
+#
+# Rules for the mysqld_t domain.
+#
+# mysqld_exec_t is the type of the mysqld executable.
+#
+daemon_domain(mysqld)
+
+type mysqld_port_t, port_type;
+allow mysqld_t mysqld_port_t:tcp_socket name_bind;
+
+allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
+
+etcdir_domain(mysqld)
+typealias mysqld_etc_t alias etc_mysqld_t;
+type mysqld_db_t, file_type, sysadmfile;
+
+log_domain(mysqld)
+
+# for temporary tables
+tmp_domain(mysqld)
+
+allow mysqld_t usr_t:file { getattr read };
+
+allow mysqld_t self:fifo_file { read write };
+allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+allow initrc_t mysqld_t:unix_stream_socket connectto;
+allow initrc_t mysqld_var_run_t:sock_file write;
+
+allow initrc_t mysqld_log_t:file { write append setattr ioctl };
+
+allow mysqld_t self:capability { dac_override setgid setuid net_bind_service };
+allow mysqld_t self:process getsched;
+
+allow mysqld_t proc_t:file { getattr read };
+
+# Allow access to the mysqld databases
+create_dir_file(mysqld_t, mysqld_db_t)
+allow mysqld_t var_lib_t:dir { getattr search };
+
+can_network_server(mysqld_t)
+can_ypbind(mysqld_t)
+
+# read config files
+r_dir_file(initrc_t, mysqld_etc_t)
+allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
+
+allow mysqld_t etc_t:dir search;
+
+read_sysctl(mysqld_t)
+
+can_unix_connect(sysadm_t, mysqld_t)
+
+# for /root/.my.cnf - should not be needed
+allow mysqld_t sysadm_home_dir_t:dir search;
+allow mysqld_t sysadm_home_t:file { read getattr };
+
+ifdef(`logrotate.te', `
+r_dir_file(logrotate_t, mysqld_etc_t)
+allow logrotate_t mysqld_db_t:dir search;
+allow logrotate_t mysqld_var_run_t:dir search;
+allow logrotate_t mysqld_var_run_t:sock_file write;
+can_unix_connect(logrotate_t, mysqld_t)
+')
+
+ifdef(`daemontools.te', `
+domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
+allow svc_start_t mysqld_t:process signal;
+svc_ipc_domain(mysqld_t)
+')dnl end ifdef daemontools
+
+ifdef(`distro_redhat', `
+allow initrc_t mysqld_db_t:dir create_dir_perms;
+
+# because Fedora has the sock_file in the database directory
+file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+')
+ifdef(`targeted_policy', `', `
+bool allow_user_mysql_connect false;
+
+if (allow_user_mysql_connect) {
+allow userdomain mysqld_var_run_t:dir search;
+allow userdomain mysqld_var_run_t:sock_file write;
+}
+')
+
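Review bot: L9504-L9505 grant mysqld_t search on `sysadm_home_dir_t` and read on every `sysadm_home_t:file`, not just `/root/.my.cnf`, and the comment on L9503 itself says this "should not be needed"; if the goal is only to silence denials, `dontaudit mysqld_t sysadm_home_dir_t:dir search;` and `dontaudit mysqld_t sysadm_home_t:file { read getattr };` keep the daemon out of the administrator's files while still hiding the noise, and if a real config read is required it should get its own file type rather than blanket home read. L9481 grants `net_bind_service` while `mysqld_port_t` (L9458) is declared as `port_type` without `reserved_port_type`; if the port is above 1024 that capability is presumably unused and could be dropped.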
diff --git a/strict/domains/program/named.te b/strict/domains/program/named.te
new file mode 100644
index 0000000..028667e
--- /dev/null
+++ b/strict/domains/program/named.te
@@ -0,0 +1,157 @@
+#DESC BIND - Name server
+#
+# Authors:  Yuichi Nakamura <ynakam at ori.hitachi-sk.co.jp>,
+#           Russell Coker
+# X-Debian-Packages: bind bind9
+# 
+#
+
+#################################
+#
+# Rules for the named_t domain.
+#
+type rndc_port_t, port_type, reserved_port_type;
+
+daemon_domain(named, `, nscd_client_domain')
+tmp_domain(named)
+
+# For /var/run/ndc used in BIND 8
+file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
+
+# ndc_t is the domain for the ndc program
+type ndc_t, domain, privlog, nscd_client_domain;
+role sysadm_r types ndc_t;
+role system_r types ndc_t;
+
+ifdef(`targeted_policy', `
+dontaudit ndc_t root_t:file { getattr read };
+dontaudit ndc_t unlabeled_t:file { getattr read };	
+')
+
+can_exec(named_t, named_exec_t)
+allow named_t sbin_t:dir search;
+
+allow named_t self:process { setsched setcap setrlimit };
+
+# A type for configuration files of named.
+type named_conf_t, file_type, sysadmfile;
+
+# for primary zone files
+type named_zone_t, file_type, sysadmfile;
+
+# for secondary zone files
+type named_cache_t, file_type, sysadmfile;
+
+# for DNSSEC key files
+type dnssec_t, file_type, sysadmfile, secure_file_type;
+allow { ndc_t named_t } dnssec_t:file { getattr read };
+
+# Use capabilities. Surplus capabilities may be allowed.
+allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
+
+allow named_t etc_t:file { getattr read };
+allow named_t etc_runtime_t:{ file lnk_file } { getattr read };
+
+#Named can use network
+can_network(named_t)
+can_ypbind(named_t)
+# allow UDP transfer to/from any program
+can_udp_send(domain, named_t)
+can_udp_send(named_t, domain)
+can_tcp_connect(domain, named_t)
+
+# Bind to the named port.
+allow named_t dns_port_t:udp_socket name_bind;
+allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
+
+bool named_write_master_zones false;
+
+#read configuration files
+r_dir_file(named_t, named_conf_t)
+
+if (named_write_master_zones) {
+#create and modify zone files
+create_dir_file(named_t, named_zone_t)
+}
+#read zone files
+r_dir_file(named_t, named_zone_t)
+
+#write cache for secondary zones
+rw_dir_create_file(named_t, named_cache_t)
+
+allow named_t self:unix_stream_socket create_stream_socket_perms;
+allow named_t self:unix_dgram_socket create_socket_perms;
+allow named_t self:netlink_route_socket r_netlink_socket_perms;
+
+# Read sysctl kernel variables.
+read_sysctl(named_t)
+
+# Read /proc/cpuinfo and /proc/net
+r_dir_file(named_t, proc_t)
+r_dir_file(named_t, proc_net_t)
+
+# Read /dev/random.
+allow named_t device_t:dir r_dir_perms;
+allow named_t random_device_t:chr_file r_file_perms;
+
+# Use a pipe created by self.
+allow named_t self:fifo_file rw_file_perms;
+
+# Set own capabilities.
+#A type for /usr/sbin/ndc
+type ndc_exec_t, file_type,sysadmfile, exec_type;
+domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
+uses_shlib(ndc_t)
+can_network_client_tcp(ndc_t)
+can_ypbind(ndc_t)
+can_resolve(ndc_t)
+read_locale(ndc_t)
+can_tcp_connect(ndc_t, named_t)
+
+# for /etc/rndc.key
+ifdef(`distro_redhat', `
+allow { ndc_t initrc_t } named_conf_t:dir search;
+# Allow init script to cp localtime to named_conf_t
+allow initrc_t named_conf_t:file { setattr write };
+')
+allow { ndc_t initrc_t } named_conf_t:file { getattr read };
+
+allow ndc_t etc_t:dir r_dir_perms;
+allow ndc_t etc_t:file r_file_perms;
+allow ndc_t self:unix_stream_socket create_stream_socket_perms;
+allow ndc_t self:unix_stream_socket connect;
+allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t var_t:dir search;
+allow ndc_t var_run_t:dir search;
+allow ndc_t named_var_run_t:sock_file rw_file_perms;
+allow ndc_t named_t:unix_stream_socket connectto;
+allow ndc_t { privfd init_t }:fd use;
+# seems to need read as well for some reason
+allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write };
+allow ndc_t fs_t:filesystem getattr;
+
+# Read sysctl kernel variables.
+read_sysctl(ndc_t)
+
+allow ndc_t self:process { fork signal_perms };
+allow ndc_t self:fifo_file { read write getattr ioctl };
+allow ndc_t named_zone_t:dir search;
+
+# for chmod in start script
+dontaudit initrc_t named_var_run_t:dir setattr;
+
+# for ndc_t to be used for restart shell scripts
+ifdef(`ndc_shell_script', `
+system_crond_entry(ndc_exec_t, ndc_t)
+allow ndc_t devtty_t:chr_file { read write ioctl };
+allow ndc_t etc_runtime_t:file { getattr read };
+allow ndc_t proc_t:dir search;
+allow ndc_t proc_t:file { getattr read };
+can_exec(ndc_t, { bin_t sbin_t shell_exec_t })
+allow ndc_t named_var_run_t:file getattr;
+allow ndc_t named_zone_t:dir { read getattr };
+allow ndc_t named_zone_t:file getattr;
+dontaudit ndc_t sysadm_home_t:dir { getattr search read };
+')
+allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
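Review bot: L9602 `can_tcp_connect(domain, named_t)` lets every domain open TCP connections to named, but the comment on L9599 describes only the UDP rules on L9600-L9601, so the TCP grant reads as unexplained; a comment stating the reason (presumably DNS fallback to TCP) would document it, and narrowing the source from `domain` to the client attribute actually needed is worth considering since `domain` also covers every daemon. L9664 `allow ndc_t self:capability { dac_override net_admin };` likewise has no comment, and `net_admin` for a control client that talks to named over a unix socket (L9667-L9668) or a TCP port (L9650) is surprising enough to deserve a stated reason. L9569 ends with a trailing tab after the semicolon.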
diff --git a/strict/domains/program/netutils.te b/strict/domains/program/netutils.te
new file mode 100644
index 0000000..c314eee
--- /dev/null
+++ b/strict/domains/program/netutils.te
@@ -0,0 +1,60 @@
+#DESC Netutils - Network utilities
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil>
+# X-Debian-Packages: netbase iputils arping tcpdump 
+#
+
+#
+# Rules for the netutils_t domain.
+# This domain is for network utilities that require access to
+# special protocol families.
+#
+type netutils_t, domain, privlog;
+type netutils_exec_t, file_type, sysadmfile, exec_type;
+role system_r types netutils_t;
+role sysadm_r types netutils_t;
+
+uses_shlib(netutils_t)
+can_network(netutils_t)
+can_ypbind(netutils_t)
+tmp_domain(netutils)
+
+domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
+domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
+
+# Inherit and use descriptors from init.
+allow netutils_t { userdomain init_t }:fd use;
+
+allow netutils_t self:process { fork signal_perms };
+
+# Perform network administration operations and have raw access to the network.
+allow netutils_t self:capability { net_admin net_raw setuid setgid };
+
+# Create and use netlink sockets.
+allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+
+# Create and use packet sockets.
+allow netutils_t self:packet_socket create_socket_perms;
+
+# Create and use UDP sockets.
+allow netutils_t self:udp_socket create_socket_perms;
+
+# Create and use TCP sockets.
+allow netutils_t self:tcp_socket create_socket_perms;
+
+allow netutils_t self:unix_stream_socket create_socket_perms;
+
+# Read certain files in /etc
+allow netutils_t etc_t:file r_file_perms;
+read_locale(netutils_t)
+
+allow netutils_t fs_t:filesystem getattr;
+
+# Access terminals.
+allow netutils_t privfd:fd use;
+allow netutils_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
+allow netutils_t proc_t:dir search;
+
+# for nscd
+dontaudit netutils_t var_t:dir search;
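Review bot: L9729 says "Inherit and use descriptors from init." but the rule on L9730 also covers `userdomain`, so the comment under-describes the grant; `# Inherit and use descriptors from init and from the user domains that run these tools` matches the rule. L9737-L9738 describe the netlink rule as "Create and use netlink sockets" while the permission set includes `nlmsg_write`, which is what allows changing routing configuration rather than only reading it; since the domain is entered from `sysadm_t` and `initrc_t` (L9726-L9727) that is probably intended, but the comment should say so. If only some of the tools listed on L9708 need the write side, splitting the domain would follow least privilege, though that is a larger change.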
diff --git a/strict/domains/program/newrole.te b/strict/domains/program/newrole.te
new file mode 100644
index 0000000..6f6489e
--- /dev/null
+++ b/strict/domains/program/newrole.te
@@ -0,0 +1,19 @@
+#DESC Newrole - SELinux utility to run a shell with a new role
+#
+# Authors:  Anthony Colatrella (NSA) 
+# Maintained by Stephen Smalley <sds at epoch.ncsc.mil>
+# X-Debian-Packages: policycoreutils
+#
+
+# secure mode means that newrole/sudo/su/userhelper cannot reach sysadm_t
+bool secure_mode false;
+
+type newrole_exec_t, file_type, exec_type, sysadmfile;
+domain_auto_trans(userdomain, newrole_exec_t, newrole_t)
+
+newrole_domain(newrole)
+
+# Write to utmp.
+allow newrole_t var_run_t:dir r_dir_perms;
+allow newrole_t initrc_var_run_t:file rw_file_perms;
+
diff --git a/strict/domains/program/nscd.te b/strict/domains/program/nscd.te
new file mode 100644
index 0000000..74db228
--- /dev/null
+++ b/strict/domains/program/nscd.te
@@ -0,0 +1,74 @@
+#DESC NSCD - Name service cache daemon cache lookup of user-name
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: nscd
+#
+define(`nscd_socket_domain', `
+can_unix_connect($1, nscd_t)
+allow $1 nscd_var_run_t:sock_file rw_file_perms;
+allow $1 { var_run_t var_t }:dir search;
+allow $1 nscd_t:nscd { getpwd getgrp gethost };
+dontaudit $1 nscd_t:fd use;
+dontaudit $1 nscd_var_run_t:dir { search getattr };
+dontaudit $1 nscd_var_run_t:file { getattr read };
+dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+')
+#################################
+#
+# Rules for the nscd_t domain.
+#
+# nscd is both the client program and the daemon.
+daemon_domain(nscd, `, userspace_objmgr')
+
+allow nscd_t etc_t:file r_file_perms;
+allow nscd_t etc_t:lnk_file read;
+can_network_client(nscd_t)
+can_ypbind(nscd_t)
+
+file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
+
+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
+
+nscd_socket_domain(nscd_client_domain)
+nscd_socket_domain(daemon)
+
+# Clients that are allowed to map the database via a fd obtained from nscd.
+nscd_socket_domain(nscd_shmem_domain)
+allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms;
+allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
+# Receive fd from nscd and map the backing file with read access.
+allow nscd_shmem_domain nscd_t:fd use;
+
+# For client program operation, invoked from sysadm_t.
+# Transition occurs to nscd_t due to direct_sysadm_daemon. 
+allow nscd_t self:nscd { admin getstat };
+allow nscd_t admin_tty_type:chr_file rw_file_perms;
+
+read_sysctl(nscd_t)
+allow nscd_t self:process { getattr setsched };
+allow nscd_t self:unix_dgram_socket create_socket_perms;
+allow nscd_t self:fifo_file { read write };
+allow nscd_t self:capability { kill setgid setuid net_bind_service };
+
+# for when /etc/passwd has just been updated and has the wrong type
+allow nscd_t shadow_t:file getattr;
+
+dontaudit nscd_t sysadm_home_dir_t:dir search;
+
+ifdef(`winbind.te', `
+#
+# Handle winbind for samba, Might only be needed for targeted policy
+#
+allow nscd_t winbind_var_run_t:sock_file { read write getattr };
+can_unix_connect(nscd_t, winbind_t)
+allow nscd_t samba_var_t:dir search;
+allow nscd_t winbind_var_run_t:dir { getattr search };
+')
+
+r_dir_file(nscd_t, selinux_config_t)
+can_getsecurity(nscd_t)
+allow nscd_t self:netlink_selinux_socket create_socket_perms;
+allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
+allow nscd_t tmp_t:dir { search getattr };
+allow nscd_t tmp_t:lnk_file read;
+allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
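Review bot: The `nscd_socket_domain` macro on L9801-L9810 has no header comment describing its argument or the access it grants, although it is applied to every `daemon` (L9828) and to `nscd_client_domain` (L9827); a comment such as `# nscd_socket_domain(client): let $1 connect to nscd's socket and perform passwd/group/host lookups; shmem access is dontaudited here and granted separately to nscd_shmem_domain` would make the macro self-describing. L9863-L9865 (`selinux_config_t` read, `can_getsecurity`, `netlink_selinux_socket`) are uncommented; presumably they support the `userspace_objmgr` attribute given on L9816, and a one-line comment saying so would tie them together.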
diff --git a/strict/domains/program/ntpd.te b/strict/domains/program/ntpd.te
new file mode 100644
index 0000000..1598c23
--- /dev/null
+++ b/strict/domains/program/ntpd.te
@@ -0,0 +1,86 @@
+#DESC NTPD - Time synchronisation daemon
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: ntp ntp-simple
+#
+
+#################################
+#
+# Rules for the ntpd_t domain.
+#
+daemon_domain(ntpd, `, nscd_client_domain')
+type ntp_drift_t, file_type, sysadmfile;
+type ntp_port_t, port_type, reserved_port_type;
+
+type ntpdate_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
+
+logdir_domain(ntpd)
+
+allow ntpd_t var_lib_t:dir r_dir_perms;
+allow ntpd_t usr_t:file r_file_perms;
+# reading  /usr/share/ssl/cert.pem requires
+allow ntpd_t usr_t:lnk_file read;
+allow ntpd_t ntp_drift_t:dir rw_dir_perms;
+allow ntpd_t ntp_drift_t:file create_file_perms;
+
+# for SSP
+allow ntpd_t urandom_device_t:chr_file read;
+
+allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
+dontaudit ntpd_t self:capability { net_admin };
+allow ntpd_t self:process { setcap setsched };
+# ntpdate wants sys_nice
+dontaudit ntpd_t self:capability { fsetid sys_nice };
+
+# for some reason it creates a file in /tmp
+tmp_domain(ntpd)
+
+allow ntpd_t etc_t:dir r_dir_perms;
+allow ntpd_t etc_t:file { read getattr };
+
+# Use the network.
+can_network(ntpd_t)
+can_ypbind(ntpd_t)
+allow ntpd_t ntp_port_t:udp_socket name_bind;
+allow ntpd_t self:unix_dgram_socket create_socket_perms;
+allow ntpd_t self:unix_stream_socket create_socket_perms;
+allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
+
+# so the start script can change firewall entries
+allow initrc_t net_conf_t:file { getattr read ioctl };
+
+# for cron jobs
+# system_crond_t is not right, cron is not doing what it should
+ifdef(`crond.te', `
+system_crond_entry(ntpd_exec_t, ntpd_t)
+')
+
+can_exec(ntpd_t, initrc_exec_t)
+allow ntpd_t self:fifo_file { read write getattr };
+allow ntpd_t etc_runtime_t:file r_file_perms;
+can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
+allow ntpd_t { sbin_t bin_t }:dir search;
+allow ntpd_t bin_t:lnk_file read;
+read_sysctl(ntpd_t);
+allow ntpd_t proc_t:file r_file_perms;
+allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;
+allow ntpd_t self:file { getattr read };
+dontaudit ntpd_t domain:dir search;
+ifdef(`logrotate.te', `
+can_exec(ntpd_t, logrotate_exec_t)
+')
+
+allow ntpd_t devtty_t:chr_file rw_file_perms;
+
+can_udp_send(ntpd_t, sysadm_t)
+can_udp_send(sysadm_t, ntpd_t)
+can_udp_send(ntpd_t, ntpd_t)
+ifdef(`firstboot.te', `
+dontaudit ntpd_t firstboot_t:fd use;
+')
+ifdef(`winbind.te', `
+allow ntpd_t winbind_var_run_t:dir r_dir_perms;
+allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
+')
+
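Review bot: `allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;` grants the daemon read and list access to the administrator's home directory with no comment saying why, while the other domains in this commit that touch the same directory (nscd_t, sysadm_passwd_t) only `dontaudit` the search. If the access is just noise from ntpdate being started from root's home, `dontaudit ntpd_t sysadm_home_dir_t:dir search;` is the narrower rule; otherwise a one-line comment naming what it reads there would justify it. The same documentation gap applies to `can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })`, which lets a network-listening daemon holding sys_time, sys_chroot and setuid run any shell or system binary but carries no comment. `read_sysctl(ntpd_t);` also carries a trailing semicolon that every other macro call in this file omits.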
diff --git a/strict/domains/program/pam.te b/strict/domains/program/pam.te
new file mode 100644
index 0000000..7c5710f
--- /dev/null
+++ b/strict/domains/program/pam.te
@@ -0,0 +1,40 @@
+#DESC Pam - PAM 
+# X-Debian-Packages:
+#
+# /sbin/pam_timestamp_check
+type pam_exec_t, file_type, exec_type, sysadmfile;
+type pam_t, domain, privlog, nscd_client_domain;
+general_domain_access(pam_t);
+
+type pam_var_run_t, file_type, sysadmfile;
+allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
+allow pam_t pam_var_run_t:file { getattr read unlink };
+
+role system_r types pam_t;
+in_user_role(pam_t)
+domain_auto_trans(userdomain, pam_exec_t, pam_t)
+
+uses_shlib(pam_t)
+# Read the devpts root directory.
+allow pam_t devpts_t:dir r_dir_perms;
+
+# Access terminals.
+allow pam_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
+
+allow pam_t proc_t:dir search;
+allow pam_t proc_t:{ lnk_file file } { getattr read };
+
+# Read the /etc/nsswitch file
+allow pam_t etc_t:file r_file_perms;
+
+# Read /var/run.
+allow pam_t { var_t var_run_t }:dir r_dir_perms;
+tmp_domain(pam)
+
+allow pam_t local_login_t:fd use;
+dontaudit pam_t self:capability sys_tty_config;
+
+allow initrc_t pam_var_run_t:dir rw_dir_perms;
+allow initrc_t pam_var_run_t:file { getattr read unlink };
+dontaudit pam_t initrc_var_run_t:file { read write };
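Review bot: pam_t is entered from every `userdomain` via `domain_auto_trans(userdomain, pam_exec_t, pam_t)`, but the role statements only cover `system_r` and whatever `in_user_role(pam_t)` adds; sysadm_r is never authorized for pam_t. If sysadm_t is part of `userdomain`, as the explicit `role sysadm_r types passwd_t;` alongside `in_user_role(passwd_t)` in passwd.te suggests is needed, pam_timestamp_check run from a sysadm_r shell would presumably fail the transition on the role check rather than the type check. Adding `role sysadm_r types pam_t;` next to `role system_r types pam_t;` would match the pattern used for passwd_t and chfn_t in this same commit.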
diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te
new file mode 100644
index 0000000..7270442
--- /dev/null
+++ b/strict/domains/program/pamconsole.te
@@ -0,0 +1,44 @@
+#DESC Pamconsole - PAM console
+# X-Debian-Packages:
+#
+# pam_console_apply
+
+daemon_base_domain(pam_console, `, nscd_client_domain')
+
+type pam_var_console_t, file_type, sysadmfile;
+
+allow pam_console_t etc_t:file { getattr read ioctl };
+allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
+
+allow pam_console_t self:capability { chown fowner fsetid };
+
+# Allow access to /dev/console through the fd:
+allow pam_console_t console_device_t:chr_file { read write };
+allow pam_console_t { kernel_t init_t }:fd use;
+
+# for /var/run/console.lock checking
+allow pam_console_t { var_t var_run_t }:dir search;
+r_dir_file(pam_console_t, pam_var_console_t)
+
+# Allow to set attributes on /dev entries
+allow pam_console_t device_t:dir { getattr read };
+allow pam_console_t device_t:lnk_file { getattr read };
+# mouse_device_t is for joy sticks
+allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
+allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
+
+allow pam_console_t mnt_t:dir r_dir_perms;
+
+ifdef(`gpm.te', `
+allow pam_console_t gpmctl_t:sock_file { getattr setattr };
+')
+ifdef(`hotplug.te', `
+dontaudit pam_console_t hotplug_etc_t:dir search;
+allow pam_console_t hotplug_t:fd use;
+')
+allow pam_console_t proc_t:file read;
+ifdef(`xdm.te', `
+allow pam_console_t xdm_var_run_t:file { getattr read };
+')
+allow initrc_t pam_var_console_t:dir r_dir_perms;
+allow pam_console_t file_context_t:file { getattr read };
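Review bot: The device list in `allow pam_console_t { framebuf_device_t v4l_device_t ... scsi_generic_device_t }:chr_file { getattr setattr };` is a single very long line, which makes it hard to see which device types a console user's ownership changes reach; listing one type per line would make later additions and removals reviewable in a diff. The closing rule `allow pam_console_t file_context_t:file { getattr read };` is the only access in this file without a comment and sits after the initrc_t rule rather than with the other pam_console_t rules; a comment such as `# read the file_contexts configuration` (stating what it is used for, which the hunk does not show) and moving it up next to the device rules would help. The comment `# mouse_device_t is for joy sticks` is also attached to a line that lists ten other types, so it reads as if it explains the whole rule.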
diff --git a/strict/domains/program/passwd.te b/strict/domains/program/passwd.te
new file mode 100644
index 0000000..efae37c
--- /dev/null
+++ b/strict/domains/program/passwd.te
@@ -0,0 +1,150 @@
+#DESC Passwd - Password utilities
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: passwd
+#
+
+#################################
+#
+# Rules for the passwd_t domain.
+#
+define(`base_passwd_domain', `
+type $1_t, domain, privlog, $2;
+
+# for SSP
+allow $1_t urandom_device_t:chr_file read;
+
+allow $1_t self:process setrlimit;
+
+general_domain_access($1_t);
+uses_shlib($1_t);
+
+# Inherit and use descriptors from login.
+allow $1_t privfd:fd use;
+ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
+
+read_locale($1_t)
+
+allow $1_t fs_t:filesystem getattr;
+
+# allow checking if a shell is executable
+allow $1_t shell_exec_t:file execute;
+
+# Obtain contexts
+can_getsecurity($1_t)
+
+allow $1_t etc_t:file create_file_perms;
+
+# read /etc/mtab
+allow $1_t etc_runtime_t:file { getattr read };
+
+# Allow etc_t symlinks for /etc/alternatives on Debian.
+allow $1_t etc_t:lnk_file read;
+
+# Use capabilities.
+allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+
+# Access terminals.
+allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
+allow $1_t devtty_t:chr_file rw_file_perms;
+
+dontaudit $1_t devpts_t:dir getattr;
+
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it.  Do not audit write denials to utmp.
+dontaudit $1_t initrc_var_run_t:file { read write };
+
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+dontaudit $1_t { user_home_dir_type user_home_type }:dir search;
+
+# When the wrong current passwd is entered, passwd, for some reason, 
+# attempts to access /proc and /dev, but handles failure appropriately. So
+# do not audit those denials.
+dontaudit $1_t { proc_t device_t }:dir { search read };
+
+allow $1_t device_t:dir getattr;
+')
+
+#################################
+#
+# Rules for the passwd_t domain.
+#
+define(`passwd_domain', `
+base_passwd_domain($1, `auth_write, privowner')
+# Update /etc/shadow and /etc/passwd
+file_type_auto_trans($1_t, etc_t, shadow_t, file)
+allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
+can_setfscreate($1_t)
+')
+
+passwd_domain(passwd)
+passwd_domain(sysadm_passwd)
+base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner')
+can_setfscreate(chfn_t)
+
+# can exec /sbin/unix_chkpwd
+allow chfn_t { bin_t sbin_t }:dir search;
+
+# uses unix_chkpwd for checking passwords
+dontaudit chfn_t shadow_t:file read;
+allow chfn_t etc_t:dir rw_dir_perms;
+allow chfn_t etc_t:file create_file_perms;
+allow chfn_t proc_t:file { getattr read };
+allow chfn_t self:file write;
+
+in_user_role(passwd_t)
+in_user_role(chfn_t)
+role sysadm_r types passwd_t;
+role sysadm_r types sysadm_passwd_t;
+role sysadm_r types chfn_t;
+role system_r types passwd_t;
+role system_r types chfn_t;
+
+type admin_passwd_exec_t, file_type, sysadmfile;
+type passwd_exec_t, file_type, sysadmfile, exec_type;
+type chfn_exec_t, file_type, sysadmfile, exec_type;
+
+domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
+domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
+domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
+
+dontaudit chfn_t var_t:dir search;
+
+ifdef(`crack.te', `
+allow passwd_t var_t:dir search;
+dontaudit passwd_t var_run_t:dir search;
+allow passwd_t crack_db_t:dir r_dir_perms;
+allow passwd_t crack_db_t:file r_file_perms;
+', `
+dontaudit passwd_t var_t:dir search;
+')
+
+# allow vipw to exec the editor
+allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search;
+allow sysadm_passwd_t bin_t:lnk_file read;
+can_exec(sysadm_passwd_t, { shell_exec_t bin_t })
+r_dir_file(sysadm_passwd_t, usr_t)
+
+# allow vipw to create temporary files under /var/tmp/vi.recover
+allow sysadm_passwd_t var_t:dir search;
+tmp_domain(sysadm_passwd)
+# for vipw - vi looks in the root home directory for config
+dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
+# for /etc/alternatives/vi
+allow sysadm_passwd_t etc_t:lnk_file read;
+
+# for nscd lookups
+dontaudit sysadm_passwd_t var_run_t:dir search;
+
+# for /proc/meminfo
+allow sysadm_passwd_t proc_t:file { getattr read };
+
+dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search;
+dontaudit sysadm_passwd_t devpts_t:dir search;
+
+# make sure that getcon succeeds
+allow passwd_t userdomain:dir search;
+allow passwd_t userdomain:file read;
+allow passwd_t userdomain:process getattr;
+
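Review bot: `allow chfn_t etc_t:file create_file_perms;` duplicates the `allow $1_t etc_t:file create_file_perms;` that `base_passwd_domain(chfn, ...)` already expands for chfn_t, so the line is redundant and should be dropped or replaced by a comment naming the file chfn actually rewrites. The header `# Rules for the passwd_t domain.` placed above `define(`base_passwd_domain'` is misleading, because that macro is shared by chfn_t and sysadm_passwd_t and the identical header is repeated above `passwd_domain`; `# Rules common to all password-utility domains (base_passwd_domain).` would describe it. It is worth a comment on the create_file_perms line that the base macro grants every such domain create and write access to every etc_t-labelled file, and that passwd_domain adds relabel in both directions between etc_t and shadow_t, since that is the scope any program placed in these domains inherits.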
diff --git a/strict/domains/program/ping.te b/strict/domains/program/ping.te
new file mode 100644
index 0000000..c23d92b
--- /dev/null
+++ b/strict/domains/program/ping.te
@@ -0,0 +1,59 @@
+#DESC Ping - Send ICMP messages to network hosts
+#
+# Author:  David A. Wheeler <dwheeler at ida.org>
+# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2
+#
+
+#################################
+#
+# Rules for the ping_t domain.
+#
+# ping_t is the domain for the ping program.
+# ping_exec_t is the type of the corresponding program.
+#
+type ping_t, domain, privlog, nscd_client_domain;
+role sysadm_r types ping_t;
+role system_r types ping_t;
+in_user_role(ping_t)
+type ping_exec_t, file_type, sysadmfile, exec_type;
+
+bool user_ping false;
+
+if (user_ping) {
+	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
+	# allow access to the terminal
+	allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
+	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
+}
+
+# Transition into this domain when you run this program.
+domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
+domain_auto_trans(initrc_t, ping_exec_t, ping_t)
+
+uses_shlib(ping_t)
+can_network_client(ping_t)
+can_ypbind(ping_t)
+allow ping_t etc_t:file { getattr read };
+allow ping_t self:unix_stream_socket create_socket_perms;
+
+# Let ping create raw ICMP packets.
+allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+
+allow ping_t netif_type:netif { rawip_send rawip_recv };
+allow ping_t node_type:node { rawip_send rawip_recv };
+
+# Use capabilities.
+allow ping_t self:capability { net_raw setuid };
+
+# Access the terminal.
+allow ping_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
+allow ping_t privfd:fd use;
+
+dontaudit ping_t fs_t:filesystem getattr;
+
+# it tries to access /var/run
+dontaudit ping_t var_t:dir search;
+dontaudit ping_t devtty_t:chr_file { read write };
+dontaudit ping_t self:capability sys_tty_config;
+
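Review bot: `bool user_ping false;` has no comment explaining what enabling it changes; from the conditional block it lets every `unpriv_userdomain` transition into ping_t, a domain that holds `net_raw` and `setuid` and may send and receive raw IP on all netif and node types, so the switch is security-relevant and deserves a line such as `# user_ping: let unprivileged user domains run ping in ping_t (raw socket and net_raw access); off by default.` `in_user_role(ping_t)` is applied unconditionally even though the user transition is gated by the boolean, presumably because role statements cannot appear inside the `if` block; a short comment there would stop the next reader from taking it for an oversight.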
diff --git a/strict/domains/program/portmap.te b/strict/domains/program/portmap.te
new file mode 100644
index 0000000..134b200
--- /dev/null
+++ b/strict/domains/program/portmap.te
@@ -0,0 +1,70 @@
+#DESC Portmap - Maintain RPC program number map
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: portmap
+#
+
+
+
+#################################
+#
+# Rules for the portmap_t domain.
+#
+daemon_domain(portmap, `, nscd_client_domain')
+
+can_network(portmap_t)
+can_ypbind(portmap_t)
+allow portmap_t self:unix_dgram_socket create_socket_perms;
+allow portmap_t self:unix_stream_socket create_stream_socket_perms;
+
+type portmap_port_t, port_type, reserved_port_type;
+
+tmp_domain(portmap)
+
+allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
+dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
+
+# portmap binds to arbitary ports
+allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
+allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
+
+allow portmap_t etc_t:file { getattr read };
+
+# Send to ypbind, initrc, rpc.statd, xinetd.
+ifdef(`ypbind.te',
+`can_udp_send(portmap_t, ypbind_t)')
+can_udp_send(portmap_t, { initrc_t init_t })
+can_udp_send(init_t, portmap_t)
+ifdef(`rpcd.te',
+`can_udp_send(portmap_t, rpcd_t)')
+ifdef(`inetd.te',
+`can_udp_send(portmap_t, inetd_t)')
+ifdef(`lpd.te',
+`can_udp_send(portmap_t, lpd_t)')
+ifdef(`tcpd.te', `
+can_udp_send(tcpd_t, portmap_t)
+')
+can_udp_send(portmap_t, kernel_t)
+can_udp_send(kernel_t, portmap_t)
+can_udp_send(sysadm_t, portmap_t)
+can_udp_send(portmap_t, sysadm_t)
+
+# Use capabilities
+allow portmap_t self:capability { net_bind_service setuid setgid };
+allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
+
+application_domain(portmap_helper)
+role system_r types portmap_helper_t;
+domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
+dontaudit portmap_helper_t self:capability { net_admin };
+allow portmap_helper_t self:capability { net_bind_service };
+allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
+allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
+can_network(portmap_helper_t)
+can_ypbind(portmap_helper_t)
+dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
+allow portmap_helper_t etc_t:file { getattr read };
+dontaudit portmap_helper_t userdomain:fd use;
+allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
+dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
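Review bot: `allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;` gives the helper read and write access to every file of the generic var_run_t type — the pid and state files of any daemon without a dedicated type — with no comment saying which file it needs. If it only maintains its own pid file, a dedicated type assigned through the `file_type_auto_trans(..., var_run_t, ..._var_run_t, file)` pattern that postfix.te uses in this same commit would confine it; otherwise a comment naming the file should accompany the rule. The stray space before `:file` should also go, to match every other rule in the file.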
diff --git a/strict/domains/program/postfix.te b/strict/domains/program/postfix.te
new file mode 100644
index 0000000..7d62e01
--- /dev/null
+++ b/strict/domains/program/postfix.te
@@ -0,0 +1,349 @@
+#DESC Postfix - Mail server
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: postfix
+# Depends: mta.te
+#
+
+# Type for files created during execution of postfix.
+type postfix_var_run_t, file_type, sysadmfile, pidfile;
+
+type postfix_etc_t, file_type, sysadmfile;
+typealias postfix_etc_t alias etc_postfix_t;
+type postfix_exec_t, file_type, sysadmfile, exec_type;
+type postfix_public_t, file_type, sysadmfile;
+type postfix_private_t, file_type, sysadmfile;
+type postfix_spool_t, file_type, sysadmfile;
+type postfix_spool_maildrop_t, file_type, sysadmfile;
+type postfix_spool_flush_t, file_type, sysadmfile;
+type postfix_prng_t, file_type, sysadmfile;
+
+# postfix needs this for newaliases
+allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
+
+#################################
+#
+# Rules for the postfix_$1_t domain.
+#
+# postfix_$1_exec_t is the type of the postfix_$1 executables.
+#
+define(`postfix_domain', `
+daemon_core_rules(postfix_$1, `$2')
+allow postfix_$1_t self:process setpgid;
+allow postfix_$1_t postfix_master_t:process sigchld;
+allow postfix_master_t postfix_$1_t:process signal;
+
+allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;
+allow postfix_$1_t postfix_etc_t:file r_file_perms;
+read_locale(postfix_$1_t)
+allow postfix_$1_t etc_t:file { getattr read };
+allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
+allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
+allow postfix_$1_t self:unix_stream_socket connectto;
+
+allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
+allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
+allow postfix_$1_t shell_exec_t:file rx_file_perms;
+allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
+allow postfix_$1_t postfix_exec_t:file rx_file_perms;
+allow postfix_$1_t devtty_t:chr_file rw_file_perms;
+allow postfix_$1_t etc_runtime_t:file r_file_perms;
+allow postfix_$1_t proc_t:dir r_dir_perms;
+allow postfix_$1_t proc_t:file r_file_perms;
+allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
+allow postfix_$1_t fs_t:filesystem getattr;
+allow postfix_$1_t proc_net_t:dir search;
+allow postfix_$1_t proc_net_t:file { getattr read };
+can_exec(postfix_$1_t, postfix_$1_exec_t)
+
+allow postfix_$1_t tmp_t:dir getattr;
+
+file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)
+
+read_sysctl(postfix_$1_t)
+
+')dnl end postfix_domain
+
+ifdef(`crond.te',
+`allow system_mail_t crond_t:tcp_socket { read write create };')
+
+postfix_domain(master, `, mail_server_domain')
+rhgb_domain(postfix_master_t)
+
+read_sysctl(postfix_master_t)
+
+domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
+allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
+
+ifdef(`direct_sysadm_daemon', `
+
+domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
+allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
+role_transition sysadm_r postfix_master_exec_t system_r;
+allow postfix_master_t postfix_etc_t:file rw_file_perms;
+dontaudit postfix_master_t admin_tty_type:chr_file { read write };
+allow postfix_master_t devpts_t:dir search;
+
+domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
+allow system_mail_t sysadm_t:process sigchld;
+allow system_mail_t privfd:fd use;
+
+')dnl end direct_sysadm_daemon
+
+allow postfix_master_t privfd:fd use;
+ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')
+allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
+
+# postfix does a "find" on startup for some reason - keep it quiet
+dontaudit postfix_master_t selinux_config_t:dir search;
+can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
+ifdef(`distro_redhat', `
+file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
+', `
+file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
+')
+allow postfix_master_t sendmail_exec_t:file r_file_perms;
+allow postfix_master_t sbin_t:lnk_file { getattr read };
+ifdef(`pppd.te', `
+domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
+')
+can_exec(postfix_master_t, { ls_exec_t sbin_t })
+allow postfix_master_t self:fifo_file rw_file_perms;
+allow postfix_master_t usr_t:file r_file_perms;
+can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
+allow postfix_master_t postfix_public_t:sock_file create_file_perms;
+allow postfix_master_t postfix_public_t:dir rw_dir_perms;
+allow postfix_master_t postfix_private_t:dir rw_dir_perms;
+allow postfix_master_t postfix_private_t:sock_file create_file_perms;
+allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
+can_network(postfix_master_t)
+can_ypbind(postfix_master_t)
+allow postfix_master_t smtp_port_t:tcp_socket name_bind;
+allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
+allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
+allow postfix_master_t postfix_prng_t:file getattr;
+allow postfix_master_t privfd:fd use;
+allow postfix_master_t etc_aliases_t:file rw_file_perms;
+
+ifdef(`saslauthd.te',`
+allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
+allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };
+can_unix_connect(postfix_smtpd_t,saslauthd_t)
+')
+
+create_dir_file(postfix_master_t, postfix_spool_flush_t)
+allow postfix_master_t random_device_t:chr_file { read getattr };
+allow postfix_master_t postfix_prng_t:file rw_file_perms;
+# for ls to get the current context
+allow postfix_master_t self:file { getattr read };
+
+# for SSP
+allow postfix_master_t urandom_device_t:chr_file read;
+
+# allow access to deferred queue and allow removing bogus incoming entries
+allow postfix_master_t postfix_spool_t:dir create_dir_perms;
+allow postfix_master_t postfix_spool_t:file create_file_perms;
+
+dontaudit postfix_master_t man_t:dir search;
+
+define(`postfix_server_domain', `
+postfix_domain($1, `$2')
+domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+allow postfix_$1_t self:capability { setuid setgid dac_override };
+can_network_client(postfix_$1_t)
+can_ypbind(postfix_$1_t)
+')
+
+postfix_server_domain(smtp, `, mail_server_sender')
+allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
+allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
+allow postfix_smtp_t urandom_device_t:chr_file { getattr read };
+allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
+# if you have two different mail servers on the same host let them talk via
+# SMTP, also if one mail server wants to talk to itself then allow it and let
+# the SMTP protocol sort it out (SE Linux is not to prevent mail server
+# misconfiguration)
+can_tcp_connect(postfix_smtp_t, mail_server_domain)
+
+postfix_server_domain(smtpd)
+allow postfix_smtpd_t urandom_device_t:chr_file { getattr read };
+allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
+allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
+allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
+# for OpenSSL certificates
+r_dir_file(postfix_smtpd_t,usr_t)
+allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
+
+# for prng_exch
+allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+
+allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
+
+postfix_server_domain(local, `, mta_delivery_agent')
+ifdef(`procmail.te', `
+domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
+# for a bug in the postfix local program
+dontaudit procmail_t postfix_local_t:tcp_socket { read write };
+dontaudit procmail_t postfix_master_t:fd use;
+')
+allow postfix_local_t etc_aliases_t:file r_file_perms;
+allow postfix_local_t self:fifo_file rw_file_perms;
+allow postfix_local_t self:process setrlimit;
+allow postfix_local_t postfix_spool_t:file rw_file_perms;
+# for .forward - maybe we need a new type for it?
+allow postfix_local_t postfix_private_t:dir search;
+allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
+allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
+allow postfix_local_t postfix_public_t:dir search;
+allow postfix_local_t postfix_public_t:sock_file write;
+can_exec(postfix_local_t, shell_exec_t)
+
+define(`postfix_public_domain',`
+postfix_server_domain($1)
+allow postfix_$1_t postfix_public_t:dir search;
+')
+
+postfix_public_domain(cleanup)
+create_dir_file(postfix_cleanup_t, postfix_spool_t)
+allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
+allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
+allow postfix_cleanup_t postfix_private_t:dir search;
+allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
+allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
+allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
+allow postfix_cleanup_t self:process setrlimit;
+
+allow user_mail_domain postfix_spool_t:dir r_dir_perms;
+allow user_mail_domain postfix_etc_t:dir r_dir_perms;
+allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;
+allow user_mail_domain self:capability dac_override;
+
+define(`postfix_user_domain', `
+postfix_domain($1, `$2')
+domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
+in_user_role(postfix_$1_t)
+role sysadm_r types postfix_$1_t;
+allow postfix_$1_t userdomain:process sigchld;
+allow postfix_$1_t userdomain:fifo_file { write getattr };
+allow postfix_$1_t { userdomain privfd }:fd use;
+allow postfix_$1_t self:capability dac_override;
+')
+
+postfix_user_domain(postqueue)
+allow postfix_postqueue_t postfix_public_t:dir search;
+allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
+allow postfix_postqueue_t self:udp_socket { create ioctl };
+allow postfix_master_t postfix_postqueue_exec_t:file getattr;
+domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
+allow postfix_postqueue_t initrc_t:process sigchld;
+allow postfix_postqueue_t initrc_t:fd use;
+
+# to write the mailq output, it really should not need read access!
+allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };
+ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
+
+# wants to write to /var/spool/postfix/public/showq
+allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
+allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
+# write to /var/spool/postfix/public/qmgr
+allow postfix_postqueue_t postfix_public_t:fifo_file write;
+dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
+
+postfix_user_domain(showq)
+# the following auto_trans is usually in postfix server domain
+domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+allow postfix_showq_t self:udp_socket { create ioctl };
+r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
+domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
+allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
+allow postfix_showq_t postfix_spool_t:file r_file_perms;
+allow postfix_showq_t self:tcp_socket create_socket_perms;
+allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
+dontaudit postfix_showq_t net_conf_t:file r_file_perms;
+
+postfix_user_domain(postdrop, `, mta_user_agent')
+allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
+allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
+allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
+allow postfix_postdrop_t postfix_public_t:dir search;
+allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
+dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };
+dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;
+allow postfix_master_t postfix_postdrop_exec_t:file getattr;
+ifdef(`crond.te',
+`allow postfix_postdrop_t { crond_t system_crond_t }:fd use;
+allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
+# usually it does not need a UDP socket
+allow postfix_postdrop_t self:udp_socket create_socket_perms;
+allow postfix_postdrop_t self:capability sys_resource;
+
+postfix_public_domain(pickup)
+allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
+allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
+allow postfix_pickup_t postfix_private_t:dir search;
+allow postfix_pickup_t postfix_private_t:sock_file write;
+allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
+allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
+allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
+allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
+allow postfix_pickup_t self:tcp_socket create_socket_perms;
+
+postfix_public_domain(qmgr)
+allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
+allow postfix_qmgr_t postfix_public_t:sock_file write;
+allow postfix_qmgr_t postfix_private_t:dir search;
+allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
+allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
+
+# for /var/spool/postfix/active
+create_dir_file(postfix_qmgr_t, postfix_spool_t)
+
+postfix_public_domain(bounce)
+type postfix_spool_bounce_t, file_type, sysadmfile;
+create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
+create_dir_file(postfix_bounce_t, postfix_spool_t)
+allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
+allow postfix_master_t postfix_spool_bounce_t:file getattr;
+allow postfix_bounce_t self:capability dac_read_search;
+allow postfix_bounce_t postfix_public_t:sock_file write;
+allow postfix_bounce_t self:tcp_socket create_socket_perms;
+
+r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)
+
+postfix_public_domain(pipe)
+allow postfix_pipe_t postfix_spool_t:dir search;
+allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
+allow postfix_pipe_t self:fifo_file { read write };
+allow postfix_pipe_t postfix_private_t:dir search;
+allow postfix_pipe_t postfix_private_t:sock_file write;
+ifdef(`procmail.te', `
+domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
+')
+ifdef(`sendmail.te', `
+allow sendmail_t postfix_etc_t:dir search;
+')
+
+# Program for creating database files
+application_domain(postfix_map)
+base_file_read_access(postfix_map_t)
+allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };
+tmp_domain(postfix_map)
+create_dir_file(postfix_map_t, postfix_etc_t)
+allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit postfix_map_t proc_t:dir { getattr read search };
+dontaudit postfix_map_t local_login_t:fd use;
+allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
+read_locale(postfix_map_t)
+allow postfix_map_t self:capability setgid;
+allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+dontaudit postfix_map_t var_t:dir search;
+can_network_server(postfix_map_t)
+allow postfix_local_t mail_spool_t:dir { remove_name };
+allow postfix_local_t mail_spool_t:file { unlink };
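Review bot: `can_network_server(postfix_map_t)` near the end of the hunk grants the map-building tool (`# Program for creating database files`) server-side network permissions with no comment explaining why a local database builder would need to listen; if it only needs name resolution for lookups, `can_network_client(postfix_map_t)`, which the non-listening domains in this file use, would be narrower, otherwise a comment naming the case that requires it belongs on the line. The two trailing rules `allow postfix_local_t mail_spool_t:dir { remove_name };` and `allow postfix_local_t mail_spool_t:file { unlink };` sit in the postfix_map section rather than with the postfix_local_t rules after `postfix_server_domain(local, ...)`, and letting the delivery agent unlink mailbox files deserves its own comment. `postfix_smtpd_t` (inside the saslauthd.te ifdef) and `postfix_spool_bounce_t` (in the cleanup rules) are also used before the lines that declare them; that only works if the policy compiler resolves forward references, and moving the uses below the declarations reads more clearly either way.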
diff --git a/strict/domains/program/postgresql.te b/strict/domains/program/postgresql.te
new file mode 100644
index 0000000..f46ac65
--- /dev/null
+++ b/strict/domains/program/postgresql.te
@@ -0,0 +1,134 @@
+#DESC Postgresql - Database server
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: postgresql
+#
+
+#################################
+#
+# Rules for the postgresql_t domain.
+#
+# postgresql_exec_t is the type of the postgresql executable.
+#
+type postgresql_port_t, port_type;
+daemon_domain(postgresql)
+allow initrc_t postgresql_exec_t:lnk_file read;
+allow postgresql_t usr_t:file { getattr read };
+
+allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
+
+ifdef(`distro_debian', `
+can_exec(postgresql_t, initrc_exec_t)
+# gross hack
+domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
+can_exec(postgresql_t, dpkg_exec_t)
+')
+
+dontaudit postgresql_t sysadm_home_dir_t:dir search;
+
+# quiet ps and killall
+dontaudit postgresql_t domain:dir { getattr search };
+
+# for currect directory of scripts
+allow postgresql_t { var_spool_t cron_spool_t }:dir search;
+
+# capability kill is for shutdown script
+allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };
+dontaudit postgresql_t self:capability sys_admin;
+
+etcdir_domain(postgresql)
+typealias postgresql_etc_t alias etc_postgresql_t;
+type postgresql_db_t, file_type, sysadmfile;
+
+logdir_domain(postgresql)
+
+ifdef(`crond.te', `
+# allow crond to find /usr/lib/postgresql/bin/do.maintenance
+allow crond_t postgresql_db_t:dir search;
+system_crond_entry(postgresql_exec_t, postgresql_t)
+')
+
+tmp_domain(postgresql, `', `{ dir file sock_file }')
+file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
+
+# Use the network.
+can_network_server(postgresql_t)
+can_ypbind(postgresql_t)
+allow postgresql_t self:fifo_file { getattr read write ioctl };
+allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+can_unix_connect(postgresql_t, self)
+allow postgresql_t self:unix_dgram_socket create_socket_perms;
+
+allow postgresql_t self:shm create_shm_perms;
+
+ifdef(`targeted_policy', `', `
+bool allow_user_postgresql_connect false;
+
+if (allow_user_postgresql_connect) {
+# allow any user domain to connect to the database server
+can_tcp_connect(userdomain, postgresql_t)
+allow userdomain postgresql_t:unix_stream_socket connectto;
+allow userdomain postgresql_var_run_t:sock_file write;
+}
+')
+ifdef(`consoletype.te', `
+can_exec(postgresql_t, consoletype_exec_t)
+')
+
+ifdef(`hostname.te', `
+can_exec(postgresql_t, hostname_exec_t)
+')
+
+allow postgresql_t postgresql_port_t:tcp_socket name_bind;
+
+allow postgresql_t { proc_t self }:file { getattr read };
+
+# Allow access to the postgresql databases
+create_dir_file(postgresql_t, postgresql_db_t)
+file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
+allow postgresql_t var_lib_t:dir { getattr search };
+
+# because postgresql start scripts are broken and put the pid file in the DB
+# directory
+rw_dir_file(initrc_t, postgresql_db_t)
+
+# read config files
+allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
+r_dir_file(initrc_t, postgresql_etc_t)
+
+allow postgresql_t etc_t:dir rw_dir_perms;
+
+read_sysctl(postgresql_t)
+
+allow postgresql_t devtty_t:chr_file { read write };
+allow postgresql_t devpts_t:dir search;
+
+allow postgresql_t { bin_t sbin_t }:dir search;
+allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read };
+allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
+
+allow postgresql_t self:sem create_sem_perms;
+
+allow postgresql_t initrc_var_run_t:file { getattr read lock };
+dontaudit postgresql_t selinux_config_t:dir { search };
+allow postgresql_t mail_spool_t:dir { search };
+rw_dir_create_file(postgresql_t, var_lock_t)
+can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
+ifdef(`apache.te', `
+# 
+# Allow httpd to work with postgresql
+#
+allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
+can_unix_connect(httpd_t, postgresql_t)
+')
+
+ifdef(`distro_gentoo', `
+# "su - postgres ..." is called from initrc_t
+allow initrc_su_t postgresql_db_t:dir { search };
+allow postgresql_t initrc_su_t:process { sigchld };
+dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
+')
+
+dontaudit postgresql_t home_root_t:dir search;
+can_kerberos(postgresql_t)
+allow postgresql_t urandom_device_t:chr_file { getattr read };
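Review bot: The capability rule `allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };` grants DAC bypass to the database daemon, but the comment above it explains only kill; with dac_override the ownership checks no longer limit postgresql_t to the postgres user's files, so any over-broad type rule in this file (`allow postgresql_t etc_t:dir rw_dir_perms;`, `can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )`) is reachable regardless of who owns the target. Each of these looks like it was added to silence a denial rather than from a stated need, so please record the reason beside the rule, e.g. `# dac_override/dac_read_search: needed by <which operation?> - TODO verify; drop if only the initscript needs it`, and check whether the initscript case is already covered by `rw_dir_file(initrc_t, postgresql_db_t)` further down. Whether the server itself ever needs dac_override cannot be determined from this file.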
diff --git a/strict/domains/program/pppd.te b/strict/domains/program/pppd.te
new file mode 100644
index 0000000..f664e03
--- /dev/null
+++ b/strict/domains/program/pppd.te
@@ -0,0 +1,99 @@
+#DESC PPPD - PPP daemon
+#
+# Author:  Russell Coker
+# X-Debian-Packages: ppp
+#
+
+#################################
+#
+# Rules for the pppd_t domain, et al.
+#
+# pppd_t is the domain for the pppd program.
+# pppd_exec_t is the type of the pppd executable.
+# pppd_secret_t is the type of the pap and chap password files
+#
+bool pppd_for_user false;
+
+daemon_domain(pppd, `, privmail')
+type pppd_secret_t, file_type, sysadmfile;
+
+# Define a separate type for /etc/ppp
+etcdir_domain(pppd)
+# Define a separate type for writable files under /etc/ppp
+type pppd_etc_rw_t, file_type, sysadmfile;
+# Automatically label newly created files under /etc/ppp with this type
+file_type_auto_trans(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
+
+# for SSP
+allow pppd_t urandom_device_t:chr_file read;
+
+allow pppd_t sysfs_t:dir search;
+
+log_domain(pppd)
+
+# Use the network.
+can_network_server(pppd_t)
+can_ypbind(pppd_t)
+
+# Use capabilities.
+allow pppd_t self:capability { net_admin setuid setgid fsetid };
+
+allow pppd_t var_lock_t:dir rw_dir_perms;
+allow pppd_t var_lock_t:file create_file_perms;
+
+# Access secret files
+allow pppd_t pppd_secret_t:file r_file_perms;
+
+ifdef(`postfix.te', `
+allow pppd_t postfix_etc_t:dir search;
+allow pppd_t postfix_etc_t:file r_file_perms;
+allow pppd_t postfix_master_exec_t:file read;
+allow postfix_postqueue_t pppd_t:fd use;
+allow postfix_postqueue_t pppd_t:process sigchld;
+')
+
+# allow running ip-up and ip-down scripts and running chat.
+can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
+allow pppd_t { bin_t sbin_t }:dir search;
+allow pppd_t bin_t:lnk_file read;
+
+# Access /dev/ppp.
+allow pppd_t ppp_device_t:chr_file rw_file_perms;
+allow pppd_t devtty_t:chr_file { read write };
+
+allow pppd_t self:unix_dgram_socket create_socket_perms;
+allow pppd_t self:unix_stream_socket create_socket_perms;
+
+allow pppd_t proc_t:dir search;
+allow pppd_t proc_t:{ file lnk_file } r_file_perms;
+
+allow pppd_t etc_runtime_t:file r_file_perms;
+
+allow pppd_t self:socket create_socket_perms;
+
+allow pppd_t tty_device_t:chr_file { setattr rw_file_perms };
+
+allow pppd_t devpts_t:dir search;
+
+# for scripts
+allow pppd_t self:fifo_file rw_file_perms;
+allow pppd_t etc_t:lnk_file read;
+
+# for ~/.ppprc - if it actually exists then you need some policy to read it
+allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
+
+in_user_role(pppd_t)
+if (pppd_for_user)  {
+# Run pppd in pppd_t by default for user
+domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t)
+allow unpriv_userdomain pppd_t:process signal;
+}
+
+# for pppoe
+can_create_pty(pppd)
+allow pppd_t self:file { read getattr };
+allow pppd_t self:capability { fowner net_raw };
+allow pppd_t self:packet_socket create_socket_perms;
+
+file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
+tmp_domain(pppd)
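Review bot: The `pppd_for_user` boolean is declared without any comment on what enabling it hands to unprivileged users, although the hunk shows the consequences: `domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t)` moves them into a domain holding net_admin, net_raw, setuid and setgid, which can execute shells, bin_t, sbin_t and etc_t, writes tty_device_t, and creates files in etc_t that are relabelled net_conf_t. A one-line note at the declaration would keep that visible to whoever flips it, e.g. `# When true, unprivileged user domains may run pppd in pppd_t (net_admin/net_raw, shell and script execution, writes to /etc network config); leave false unless dial-up users are trusted with that.` Note also that pppd_t reads pppd_secret_t, so a user-controlled pppd invocation runs in a domain that can read the pap/chap secrets even though the users themselves cannot.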
diff --git a/strict/domains/program/prelink.te b/strict/domains/program/prelink.te
new file mode 100644
index 0000000..2d36473
--- /dev/null
+++ b/strict/domains/program/prelink.te
@@ -0,0 +1,55 @@
+#DESC PRELINK - Security Enhanced version of the GNU Prelink
+#
+# Author:  Dan Walsh <dwalsh at redhat.com>
+#
+
+#################################
+#
+# Rules for the prelink_t domain.
+#
+# prelink_exec_t is the type of the prelink executable.
+#
+daemon_base_domain(prelink, `, admin')
+
+if (allow_execmem) {
+allow prelink_t self:process execmem;
+}
+if (allow_execmod) {
+allow prelink_t texrel_shlib_t:file execmod;
+}
+
+allow prelink_t fs_t:filesystem getattr;
+
+ifdef(`crond.te', `
+system_crond_entry(prelink_exec_t, prelink_t)
+allow system_crond_t prelink_log_t:dir rw_dir_perms;
+allow system_crond_t prelink_log_t:file create_file_perms;
+allow system_crond_t prelink_cache_t:file { getattr read unlink };
+allow prelink_t crond_log_t:file append;
+')
+
+logdir_domain(prelink)
+type etc_prelink_t, file_type, sysadmfile;
+type var_lock_prelink_t, file_type, sysadmfile, lockfile;
+
+allow prelink_t etc_prelink_t:file { getattr read };
+allow prelink_t file_type:dir rw_dir_perms;
+allow prelink_t file_type:lnk_file r_file_perms;
+allow prelink_t file_type:file getattr;
+allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `var_lib_xkb_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
+allow prelink_t ld_so_t:file execute_no_trans;
+
+allow prelink_t self:capability { chown dac_override fowner fsetid };
+allow prelink_t self:fifo_file rw_file_perms;
+allow prelink_t self:file { getattr read };
+dontaudit prelink_t sysctl_kernel_t:dir search;
+dontaudit prelink_t sysctl_t:dir search;
+allow prelink_t etc_runtime_t:file { getattr read };
+read_locale(prelink_t)
+allow prelink_t urandom_device_t:chr_file read;
+allow prelink_t proc_t:file { getattr read };
+#
+# prelink_cache_t is the type of /etc/prelink.cache.
+#
+type prelink_cache_t, file_type, sysadmfile;
+file_type_auto_trans(prelink_t, etc_t, prelink_cache_t, file)
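Review bot: `allow prelink_t file_type:dir rw_dir_perms;` lets prelink_t add and remove directory entries in every labelled directory on the system, while the file-level rewrite rights on the following lines are restricted to an explicit list of executable and library types; the directory grant is therefore wider than the set of files prelink can actually create, and on a domain reachable unattended via `system_crond_entry(prelink_exec_t, prelink_t)` that margin matters. If prelink only writes its temporary copies beside the binaries it rewrites, narrowing the dir rule to the types those binaries live in is worth testing; if it must stay this wide because libraries sit under arbitrary directory types, please say so in a comment, e.g. `# prelink writes a temporary file next to every binary/library it rewrites, so it needs write access to directories of any type`, so the grant is not mistaken for an oversight.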
diff --git a/strict/domains/program/privoxy.te b/strict/domains/program/privoxy.te
new file mode 100644
index 0000000..5762592
--- /dev/null
+++ b/strict/domains/program/privoxy.te
@@ -0,0 +1,25 @@
+#DESC privoxy - privacy enhancing proxy
+#
+# Authors: Dan Walsh <dwalsh at redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the privoxy_t domain.
+#
+daemon_domain(privoxy)
+
+logdir_domain(privoxy)
+
+# Use capabilities.
+allow privoxy_t self:capability net_bind_service;
+
+# Use the network.
+can_network(privoxy_t)
+allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
+allow privoxy_t etc_t:file { getattr read };
+allow privoxy_t self:capability { setgid setuid };
+allow privoxy_t self:unix_stream_socket create_socket_perms ;
+allow privoxy_t admin_tty_type:chr_file { read write };
+
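Review bot: `allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;` lets the proxy bind any unreserved port instead of a dedicated port type, which is inconsistent with the other daemons in this commit (postgresql_port_t, radius_port_t/radacct_port_t) and gives up the ability to confine which port privoxy listens on. Defining `type privoxy_port_t, port_type;` and replacing the rule with `allow privoxy_t privoxy_port_t:tcp_socket name_bind;` (with the port assigned in the port contexts) keeps the listener explicit; a udp_socket name_bind does not look necessary for an HTTP proxy, though that is not verifiable from this file. The net_bind_service capability on the line above is only needed if the configured listen port is below 1024, which is also worth stating in a comment.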
diff --git a/strict/domains/program/procmail.te b/strict/domains/program/procmail.te
new file mode 100644
index 0000000..81af770
--- /dev/null
+++ b/strict/domains/program/procmail.te
@@ -0,0 +1,78 @@
+#DESC Procmail - Mail delivery agent for mail servers
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: procmail
+#
+
+#################################
+#
+# Rules for the procmail_t domain.
+#
+# procmail_exec_t is the type of the procmail executable.
+#
+# privhome only works until we define a different type for maildir
+type procmail_t, domain, privlog, privhome, nscd_client_domain;
+type procmail_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types procmail_t;
+
+uses_shlib(procmail_t)
+allow procmail_t device_t:dir search;
+can_network_server(procmail_t)
+can_ypbind(procmail_t)
+
+allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
+
+allow procmail_t etc_t:dir r_dir_perms;
+allow procmail_t { etc_t etc_runtime_t }:file { getattr read };
+allow procmail_t etc_t:lnk_file read;
+read_locale(procmail_t)
+read_sysctl(procmail_t)
+
+allow procmail_t sysctl_t:dir search;
+
+allow procmail_t self:process { setsched fork sigchld signal };
+dontaudit procmail_t sbin_t:dir { getattr search };
+can_exec(procmail_t, { bin_t shell_exec_t })
+allow procmail_t bin_t:dir { getattr search };
+allow procmail_t bin_t:lnk_file read;
+allow procmail_t self:fifo_file rw_file_perms;
+
+allow procmail_t self:unix_stream_socket create_socket_perms;
+allow procmail_t self:unix_dgram_socket create_socket_perms;
+
+# for /var/mail
+rw_dir_create_file(procmail_t, mail_spool_t)
+
+allow procmail_t var_t:dir { getattr search };
+allow procmail_t var_spool_t:dir r_dir_perms;
+
+allow procmail_t fs_t:filesystem getattr;
+allow procmail_t { self proc_t }:dir search;
+allow procmail_t proc_t:file { getattr read };
+allow procmail_t { self proc_t }:lnk_file read;
+
+# for if /var/mail is a symlink to /var/spool/mail
+#allow procmail_t mail_spool_t:lnk_file r_file_perms;
+
+# for spamassasin
+allow procmail_t usr_t:file { getattr ioctl read };
+
+# Search /var/run.
+allow procmail_t var_run_t:dir { getattr search };
+
+# Do not audit attempts to access /root.
+dontaudit procmail_t sysadm_home_dir_t:dir { getattr search };
+
+allow procmail_t devtty_t:chr_file { read write };
+
+allow procmail_t urandom_device_t:chr_file { getattr read };
+
+ifdef(`sendmail.te', `
+r_dir_file(procmail_t, etc_mail_t)
+allow procmail_t sendmail_t:tcp_socket { read write };
+')
+
+ifdef(`hide_broken_symptoms', `
+dontaudit procmail_t mqueue_spool_t:file { getattr read write };
+')
diff --git a/strict/domains/program/quota.te b/strict/domains/program/quota.te
new file mode 100644
index 0000000..7374053
--- /dev/null
+++ b/strict/domains/program/quota.te
@@ -0,0 +1,59 @@
+#DESC Quota - File system quota management utilities
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: quota quotatool
+#
+
+#################################
+#
+# Rules for the quota_t domain.
+#
+# needs auth attribute because it has read access to shadow_t because checkquota
+# is buggy
+daemon_base_domain(quota, `, auth, fs_domain')
+
+# so the administrator can run quotacheck
+domain_auto_trans(sysadm_t, quota_exec_t, quota_t)
+role sysadm_r types quota_t;
+allow quota_t admin_tty_type:chr_file { read write };
+
+type quota_flag_t, file_type, sysadmfile;
+type quota_db_t, file_type, sysadmfile;
+
+rw_dir_create_file(initrc_t, quota_flag_t)
+
+allow quota_t fs_t:filesystem { getattr quotaget quotamod remount };
+# quotacheck creates new quota_db_t files
+file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
+# for some reason it wants dac_override not dac_read_search
+allow quota_t self:capability { sys_admin dac_override };
+allow quota_t file_type:{ fifo_file sock_file } getattr;
+allow quota_t file_t:file quotaon;
+
+# for quotacheck
+allow quota_t file_type:dir r_dir_perms;
+# The following line is apparently necessary, although read and
+# ioctl seem to be more than should be required.
+allow quota_t file_type:file { getattr read ioctl };
+allow quota_t file_type:{ fifo_file sock_file } getattr;
+allow quota_t file_type:lnk_file { read getattr };
+allow quota_t device_type:{ chr_file blk_file } getattr;
+
+allow quota_t fixed_disk_device_t:blk_file { getattr read };
+
+# for /quota.*
+allow quota_t quota_db_t:file { read write };
+dontaudit unpriv_userdomain quota_db_t:file getattr;
+allow quota_t quota_db_t:file quotaon;
+
+# Read /etc/mtab.
+allow quota_t etc_runtime_t:file { read getattr };
+
+allow quota_t device_t:dir r_dir_perms;
+allow quota_t fixed_disk_device_t:blk_file getattr;
+allow quota_t boot_t:dir r_dir_perms;
+allow quota_t sysctl_t:dir { getattr search };
+
+allow quota_t initrc_devpts_t:chr_file rw_file_perms;
+
+allow quota_t proc_t:file getattr;
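Review bot: `allow quota_t file_type:file { getattr read ioctl };` is what forces the auth attribute at the top of the file (the header comment says quota_t needs auth only because it reads shadow_t), and the comment on the rule itself admits read and ioctl look like more than required. If quotacheck really needs only inode metadata, reducing the rule to `allow quota_t file_type:file getattr;` would let the auth attribute, and with it read access to /etc/shadow, be dropped from the daemon_base_domain(quota, ...) call; this should be verified by running quotacheck under the narrowed policy before changing it. Separately, `allow quota_t file_type:{ fifo_file sock_file } getattr;` appears twice in the hunk, and the getattr-only rule for fixed_disk_device_t:blk_file is subsumed by the `{ getattr read }` rule above it, so one copy of each can go.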
diff --git a/strict/domains/program/radius.te b/strict/domains/program/radius.te
new file mode 100644
index 0000000..4e7f194
--- /dev/null
+++ b/strict/domains/program/radius.te
@@ -0,0 +1,69 @@
+#DESC RADIUS - Radius server
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: radiusd-cistron radiusd-livingston xtradius yardradius radiusd-freeradius
+#
+
+#################################
+#
+# Rules for the radiusd_t domain.
+#
+# radiusd_exec_t is the type of the radiusd executable.
+#
+type radius_port_t, port_type;
+type radacct_port_t, port_type;
+daemon_domain(radiusd, `, auth')
+
+etcdir_domain(radiusd)
+typealias radiusd_etc_t alias etc_radiusd_t;
+
+system_crond_entry(radiusd_exec_t, radiusd_t)
+
+allow radiusd_t self:process setsched;
+
+allow radiusd_t proc_t:file { read getattr };
+
+dontaudit radiusd_t sysadm_home_dir_t:dir getattr;
+
+# allow pthreads to read kernel version
+read_sysctl(radiusd_t)
+
+# read config files
+allow radiusd_t etc_t:dir r_dir_perms;
+allow radiusd_t { etc_t etc_runtime_t }:file { read getattr };
+allow radiusd_t etc_t:lnk_file read;
+
+# write log files
+logdir_domain(radiusd)
+allow radiusd_t radiusd_log_t:dir create;
+
+allow radiusd_t usr_t:file r_file_perms;
+
+can_exec(radiusd_t, lib_t)
+can_exec(radiusd_t, { bin_t shell_exec_t })
+allow radiusd_t { bin_t sbin_t }:dir search;
+allow radiusd_t bin_t:lnk_file read;
+
+allow radiusd_t devtty_t:chr_file { read write };
+allow radiusd_t self:fifo_file rw_file_perms;
+# fsetid is for gzip which needs it when run from scripts
+# gzip also needs chown access to preserve GID for radwtmp files
+allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+
+can_network_server(radiusd_t)
+can_ypbind(radiusd_t)
+allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
+
+# for RADIUS proxy port
+allow radiusd_t port_t:udp_socket name_bind;
+
+ifdef(`snmpd.te', `
+can_tcp_connect(radiusd_t, snmpd_t)
+')
+ifdef(`logrotate.te', `
+can_exec(radiusd_t, logrotate_exec_t)
+')
+can_udp_send(sysadm_t, radiusd_t)
+can_udp_send(radiusd_t, sysadm_t)
+
+allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
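Review bot: `can_exec(radiusd_t, lib_t)` makes every file of type lib_t executable by radiusd_t, a class that elsewhere is mapped through uses_shlib/shlib_t rather than exec'd; if this is for the rlm_* modules it is probably the wrong mechanism, and if it is for a helper program under /usr/lib that program would be better given an exec type of its own. Neither can be confirmed from this file, so at minimum the rule should carry a comment naming the file that needs it, e.g. `# can_exec lib_t: TODO name the /usr/lib helper radiusd runs; relabel it to an exec type instead if possible`. Likewise `allow radiusd_t port_t:udp_socket name_bind;` allows binding any unreserved port for the proxy; if the proxy port is fixed in the configuration, a dedicated port type as used for radius_port_t/radacct_port_t would be tighter.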
diff --git a/strict/domains/program/radvd.te b/strict/domains/program/radvd.te
new file mode 100644
index 0000000..1e8b3ff
--- /dev/null
+++ b/strict/domains/program/radvd.te
@@ -0,0 +1,29 @@
+#DESC Radv - IPv6 route advisory daemon
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: radvd
+#
+
+#################################
+#
+# Rules for the radvd_t domain.
+#
+daemon_domain(radvd)
+
+etc_domain(radvd)
+allow radvd_t etc_t:file { getattr read };
+
+allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
+
+allow radvd_t self:capability net_raw;
+allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
+allow radvd_t self:unix_stream_socket create_socket_perms;
+
+can_network_server(radvd_t)
+
+allow radvd_t proc_t:dir r_dir_perms;
+allow radvd_t proc_t:file { getattr read };
+allow radvd_t etc_t:lnk_file read;
+
+allow radvd_t sysctl_net_t:file r_file_perms;
+allow radvd_t sysctl_net_t:dir r_dir_perms;
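Review bot: The socket permissions for radvd_t are split across two rules with the same target classes, `allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;` and `allow radvd_t self:{ unix_dgram_socket rawip_socket } create;`, which is a style rather than a behaviour issue. Assuming create_socket_perms in this policy is rw_socket_perms plus create, as the unix_stream_socket rule on the next line relies on, the pair collapses to one line: `allow radvd_t self:{ rawip_socket unix_dgram_socket } create_socket_perms;`. The net_raw capability paired with a rawip_socket is expected for sending router advertisements, so the capability set itself looks right.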
diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te
new file mode 100644
index 0000000..fb014d7
--- /dev/null
+++ b/strict/domains/program/restorecon.te
@@ -0,0 +1,63 @@
+#DESC restorecon - Restore or check the context of a file
+#
+# Authors:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: policycoreutils
+#
+
+#################################
+#
+# Rules for the restorecon_t domain.
+#
+# restorecon_exec_t is the type of the restorecon executable.
+#
+# needs auth_write attribute because it has relabelfrom/relabelto
+# access to shadow_t
+type restorecon_t, domain, privlog, privowner, auth_write, change_context;
+type restorecon_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types restorecon_t;
+role sysadm_r types restorecon_t;
+
+allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
+allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
+
+domain_auto_trans({ initrc_t sysadm_t }, restorecon_exec_t, restorecon_t)
+allow restorecon_t { userdomain init_t privfd }:fd use;
+
+uses_shlib(restorecon_t)
+allow restorecon_t self:capability { dac_override dac_read_search fowner };
+
+# for upgrading glibc and other shared objects - without this the upgrade
+# scripts will put things in a state such that restorecon can not be run!
+allow restorecon_t lib_t:file { read execute };
+
+# Get security policy decisions.
+can_getsecurity(restorecon_t)
+
+r_dir_file(restorecon_t, policy_config_t)
+
+allow restorecon_t file_type:dir r_dir_perms;
+allow restorecon_t file_type:{ dir file lnk_file sock_file fifo_file } { getattr relabelfrom relabelto };
+allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom };
+allow restorecon_t unlabeled_t:dir read;
+allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr relabelfrom relabelto };
+ifdef(`distro_redhat', `
+allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
+')
+
+allow restorecon_t ptyfile:chr_file getattr;
+
+allow restorecon_t fs_t:filesystem getattr;
+allow restorecon_t fs_type:dir r_dir_perms;
+
+allow restorecon_t etc_runtime_t:file read;
+allow restorecon_t etc_t:file read;
+allow restorecon_t proc_t:file { getattr read };
+dontaudit restorecon_t proc_t:lnk_file { getattr read };
+
+allow restorecon_t device_t:file { read write };
+allow restorecon_t kernel_t:fd use;
+allow restorecon_t kernel_t:fifo_file { read write };
+allow restorecon_t kernel_t:unix_dgram_socket { read write };
+r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
+
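Review bot: `allow restorecon_t { userdomain init_t privfd }:fd use;` lets restorecon_t inherit descriptors from every user domain, yet the only transitions into restorecon_t in this hunk are `domain_auto_trans({ initrc_t sysadm_t }, restorecon_exec_t, restorecon_t)` and the domain is only reachable from system_r and sysadm_r, so unprivileged user domains cannot enter it and `userdomain` here is wider than the entry points. Unless a user domain is expected to hand a descriptor across some other path, `{ sysadm_t init_t privfd }` matches the transition rule; if the wider grant is intentional, a comment saying why is worth adding. Given restorecon_t carries auth_write and relabelfrom/relabelto over every file_type, keeping its entry and inheritance surface minimal is the main protection this policy offers.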
diff --git a/strict/domains/program/rhgb.te b/strict/domains/program/rhgb.te
new file mode 100644
index 0000000..cc15ff1
--- /dev/null
+++ b/strict/domains/program/rhgb.te
@@ -0,0 +1,101 @@
+#DESC rhgb - Red Hat Graphical Boot
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# Depends: xdm.te gnome-pty-helper.te xserver.te
+
+daemon_base_domain(rhgb)
+
+allow rhgb_t { bin_t sbin_t }:dir search;
+allow rhgb_t bin_t:lnk_file read;
+
+domain_auto_trans(rhgb_t, shell_exec_t, initrc_t)
+domain_auto_trans(rhgb_t, xserver_exec_t, xdm_xserver_t)
+can_exec(rhgb_t, { bin_t sbin_t gph_exec_t })
+
+allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
+allow rhgb_t self:fifo_file rw_file_perms;
+
+# for gnome-pty-helper
+gph_domain(rhgb, system)
+allow initrc_t rhgb_gph_t:fd use;
+
+allow rhgb_t proc_t:file { getattr read };
+
+allow rhgb_t devtty_t:chr_file { read write };
+allow rhgb_t tty_device_t:chr_file rw_file_perms;
+
+read_locale(rhgb_t)
+allow rhgb_t { etc_t etc_runtime_t }:file { getattr read };
+
+# for ramfs file systems
+allow rhgb_t ramfs_t:dir { setattr rw_dir_perms };
+allow rhgb_t ramfs_t:sock_file create_file_perms;
+allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms;
+allow insmod_t ramfs_t:file write;
+allow insmod_t rhgb_t:fd use;
+
+allow rhgb_t ramfs_t:filesystem { mount unmount };
+allow rhgb_t mnt_t:dir { search mounton };
+allow rhgb_t self:capability { sys_admin sys_tty_config };
+dontaudit rhgb_t var_run_t:dir search;
+
+can_network_client(rhgb_t)
+can_ypbind(rhgb_t)
+
+# for fonts
+allow rhgb_t usr_t:{ file lnk_file } { getattr read };
+
+# for running setxkbmap
+r_dir_file(rhgb_t, var_lib_xkb_t)
+
+# for localization
+allow rhgb_t lib_t:file { getattr read };
+
+allow rhgb_t initctl_t:fifo_file write;
+
+ifdef(`hide_broken_symptoms', `
+# it should not do this
+dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
+')dnl end hide_broken_symptoms
+
+can_create_pty(rhgb)
+
+allow rhgb_t self:shm create_shm_perms;
+allow xdm_xserver_t rhgb_t:shm rw_shm_perms;
+
+can_unix_connect(initrc_t, rhgb_t)
+tmpfs_domain(rhgb)
+allow xdm_xserver_t rhgb_tmpfs_t:file { read write };
+
+allow rhgb_t fonts_t:dir { getattr read search };
+allow rhgb_t fonts_t:file { getattr read };
+
+# for nscd
+dontaudit rhgb_t var_t:dir search;
+
+ifdef(`hide_broken_symptoms', `
+# for a bug in the X server
+dontaudit insmod_t xdm_xserver_t:tcp_socket { read write };
+dontaudit insmod_t serial_device:chr_file { read write };
+dontaudit mount_t rhgb_gph_t:fd use;
+dontaudit mount_t rhgb_t:unix_stream_socket { read write };
+dontaudit mount_t ptmx_t:chr_file { read write };
+')dnl end hide_broken_symptoms
+
+ifdef(`firstboot.te', `
+allow rhgb_t firstboot_rw_t:file r_file_perms;
+')
+allow rhgb_t tmp_t:dir search;
+allow rhgb_t xdm_xserver_t:process sigkill;
+allow domain rhgb_devpts_t:chr_file { read write };
+ifdef(`fsadm.te', `
+dontaudit fsadm_t ramfs_t:fifo_file write;
+')
+allow rhgb_t xdm_xserver_tmp_t:file { getattr read };
+dontaudit rhgb_t default_t:file read;
+
+allow initrc_t ramfs_t:dir search;
+allow initrc_t ramfs_t:sock_file write;
+allow initrc_t rhgb_t:unix_stream_socket { read write };
+
+allow rhgb_t default_t:file { getattr read };
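Review bot: `allow domain rhgb_devpts_t:chr_file { read write };` gives every domain on the system, not only the boot-time ones, read and write access to rhgb's pseudo-terminal; the intent is presumably that initrc_t and the daemons it starts inherit the pty as their stdout, but the rule also lets any later process, user domains included, read what is written there or inject into it. If the pty only exists while rhgb runs during boot this may be an accepted shortcut, in which case the rule deserves a comment, e.g. `# boot-time output from init scripts and daemons lands on rhgb's pty; the pty disappears when rhgb exits`; otherwise narrowing the source to initrc_t and the domains it spawns is worth testing. The `domain_auto_trans(rhgb_t, shell_exec_t, initrc_t)` rule above also means any shell rhgb runs lands in initrc_t, which is fine for a boot helper but should be kept in mind if rhgb is ever started later.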
diff --git a/strict/domains/program/rlogind.te b/strict/domains/program/rlogind.te
new file mode 100644
index 0000000..0c896cf
--- /dev/null
+++ b/strict/domains/program/rlogind.te
@@ -0,0 +1,37 @@
+#DESC Rlogind - Remote login daemon
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: rsh-client rsh-redone-client
+# Depends: inetd.te
+#
+
+#################################
+#
+# Rules for the rlogind_t domain.
+#
+remote_login_daemon(rlogind)
+typeattribute rlogind_t auth_chkpwd;
+
+ifdef(`tcpd.te', `
+domain_auto_trans(tcpd_t, rlogind_exec_t, rlogind_t)
+')
+
+# for /usr/lib/telnetlogin
+can_exec(rlogind_t, rlogind_exec_t)
+
+# Use capabilities.
+allow rlogind_t self:capability { net_bind_service };
+
+# Run login in remote_login_t.
+allow remote_login_t inetd_t:fd use;
+allow remote_login_t inetd_t:tcp_socket rw_file_perms;
+
+# Send SIGCHLD to inetd on death.
+allow rlogind_t inetd_t:process sigchld;
+
+allow rlogind_t home_dir_type:dir search;
+allow rlogind_t home_type:file { getattr read };
+allow rlogind_t self:file { getattr read };
+allow rlogind_t default_t:dir search;
+typealias rlogind_port_t alias rlogin_port_t;
+read_sysctl(rlogind_t);
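Review bot: `allow rlogind_t home_type:file { getattr read };` together with `allow rlogind_t home_dir_type:dir search;` gives the login daemon read access to every file in every user's home, presumably for ~/.rhosts trust lookups, but nothing in the hunk says so and that trust mechanism is exactly what a reviewer would want flagged. A comment such as `# ~/.rhosts lookups - host-based trust; disable rhosts auth in PAM if it is not used` on those two rules would record the reason. Minor: `read_sysctl(rlogind_t);` carries a trailing semicolon that the other macro calls in this file do not; the macro expands to complete rules, so the `;` is an empty statement and can be dropped.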
diff --git a/strict/domains/program/rpcd.te b/strict/domains/program/rpcd.te
new file mode 100644
index 0000000..d921e3c
--- /dev/null
+++ b/strict/domains/program/rpcd.te
@@ -0,0 +1,141 @@
+#DESC Rpcd - RPC daemon
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell at coker.com.au>
+# Depends: portmap.te
+# X-Debian-Packages: nfs-common
+#
+
+#################################
+#
+# Rules for the rpcd_t and nfsd_t domain.
+#
+define(`rpc_domain', `
+daemon_base_domain($1)
+can_network($1_t)
+can_ypbind($1_t)
+allow $1_t etc_t:file { getattr read };
+read_locale($1_t)
+allow $1_t self:capability net_bind_service;
+dontaudit $1_t self:capability net_admin;
+
+allow $1_t var_t:dir { getattr search };
+allow $1_t var_lib_t:dir search;
+allow $1_t var_lib_nfs_t:dir create_dir_perms;
+allow $1_t var_lib_nfs_t:file create_file_perms;
+# do not log when it tries to bind to a port belonging to another domain
+dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
+allow $1_t self:netlink_route_socket r_netlink_socket_perms;
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+# bind to arbitary unused ports
+allow $1_t port_t:{ tcp_socket udp_socket } name_bind;
+allow $1_t sysctl_rpc_t:dir search;
+allow $1_t sysctl_rpc_t:file rw_file_perms;
+')
+
+type exports_t, file_type, sysadmfile;
+dontaudit userdomain exports_t:file getattr;
+
+# rpcd_t is the domain of rpc daemons.
+# rpcd_exec_t is the type of rpc daemon programs.
+#
+rpc_domain(rpcd)
+var_run_domain(rpcd)
+allow rpcd_t rpcd_var_run_t:dir setattr;
+
+# for rpc.rquotad
+allow rpcd_t sysctl_t:dir r_dir_perms;
+allow rpcd_t self:fifo_file rw_file_perms;
+
+# rpcd_t needs to talk to the portmap_t domain
+can_udp_send(rpcd_t, portmap_t)
+
+allow initrc_t exports_t:file r_file_perms;
+ifdef(`distro_redhat', `
+allow rpcd_t self:capability { chown dac_override setgid setuid };
+# for /etc/rc.d/init.d/nfs to create /etc/exports
+allow initrc_t exports_t:file write;
+')
+
+allow rpcd_t self:file { getattr read };
+
+# nfs kernel server needs kernel UDP access.  It is less risky and painful
+# to just give it everything.
+can_network_server(kernel_t)
+#can_udp_send(kernel_t, rpcd_t)
+#can_udp_send(rpcd_t, kernel_t)
+
+rpc_domain(nfsd)
+domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t)
+role sysadm_r types nfsd_t;
+
+# for /proc/fs/nfs/exports - should we have a new type?
+allow nfsd_t proc_t:file r_file_perms;
+allow nfsd_t proc_net_t:dir search;
+allow nfsd_t exports_t:file { getattr read };
+
+allow nfsd_t nfsd_fs_t:filesystem mount;
+allow nfsd_t nfsd_fs_t:dir search;
+allow nfsd_t nfsd_fs_t:file rw_file_perms;
+allow initrc_t sysctl_rpc_t:dir search;
+allow initrc_t sysctl_rpc_t:file rw_file_perms;
+
+type nfsd_rw_t, file_type, sysadmfile, usercanread;
+type nfsd_ro_t, file_type, sysadmfile, usercanread;
+
+bool nfs_export_all_rw false;
+
+if(nfs_export_all_rw) {
+allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
+create_dir_file(kernel_t,{ file_type -shadow_t })
+}
+
+dontaudit kernel_t shadow_t:file getattr;
+
+bool nfs_export_all_ro false;
+
+if(nfs_export_all_ro) {
+allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
+r_dir_file(kernel_t,{ file_type -shadow_t })
+}
+
+allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
+create_dir_file(kernel_t, nfsd_rw_t);
+r_dir_file(kernel_t, nfsd_ro_t);
+
+allow kernel_t nfsd_t:udp_socket rw_socket_perms;
+can_udp_send(kernel_t, nfsd_t)
+can_udp_send(nfsd_t, kernel_t)
+
+# does not really need this, but it is easier to just allow it
+allow nfsd_t var_run_t:dir search;
+
+allow nfsd_t self:capability { sys_admin sys_resource };
+allow nfsd_t fs_t:filesystem getattr;
+
+can_udp_send(nfsd_t, portmap_t)
+can_udp_send(portmap_t, nfsd_t)
+
+can_tcp_connect(nfsd_t, portmap_t)
+
+# for exportfs and rpc.mountd
+allow nfsd_t tmp_t:dir getattr;
+
+r_dir_file(rpcd_t, rpc_pipefs_t)
+allow rpcd_t rpc_pipefs_t:sock_file { read write };
+dontaudit rpcd_t selinux_config_t:dir { search };
+allow rpcd_t proc_net_t:dir search;
+
+
+rpc_domain(gssd)
+can_kerberos(gssd_t)
+allow gssd_t krb5_keytab_t:file r_file_perms;
+allow gssd_t urandom_device_t:chr_file { getattr read };
+r_dir_file(gssd_t, tmp_t)
+tmp_domain(gssd)
+allow gssd_t self:fifo_file { read write };
+r_dir_file(gssd_t, proc_net_t)
+allow gssd_t rpc_pipefs_t:dir r_dir_perms;
+allow gssd_t rpc_pipefs_t:sock_file { read write };
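Review bot: The `nfs_export_all_rw` boolean grants `create_dir_file(kernel_t,{ file_type -shadow_t })`, i.e. when enabled the kernel NFS server may create, write and delete files of every type on the system except shadow_t (policy_config_t, exec_type binaries, and the etc/log/db types declared throughout this commit), with only DAC and /etc/exports standing between an NFS client and those files. That is what "export all rw" means, but the two boolean declarations carry no comment, so an administrator toggling them gets no warning; please add a note next to each, e.g. `# When true, nfsd may serve any file type (except /etc/shadow) read-write; this removes the type boundary for everything exported, so prefer labelling exported trees nfsd_rw_t/nfsd_ro_t`. The unconditional `can_network_server(kernel_t)` above the nfsd rules is likewise a broad grant that the comment justifies only by convenience; if the macro's rules are valid inside a conditional, tying it to one of the nfs booleans would keep it off on hosts that export nothing.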
diff --git a/strict/domains/program/rpm.te b/strict/domains/program/rpm.te
new file mode 100644
index 0000000..c964b14
--- /dev/null
+++ b/strict/domains/program/rpm.te
@@ -0,0 +1,255 @@
+#DESC RPM - Red Hat package management
+#
+# X-Debian-Packages: 
+#################################
+#
+# Rules for running the Redhat Package Manager (RPM) tools.
+#
+# rpm_t is the domain for rpm and related utilities in /usr/lib/rpm
+# rpm_exec_t is the type of the rpm executables.
+# var_log_rpm_t is the type for rpm log files (/var/log/rpmpkgs*)
+# var_lib_rpm_t is the type for rpm files in /var/lib
+#
+type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd;
+role system_r types rpm_t;
+uses_shlib(rpm_t)
+type rpm_exec_t, file_type, sysadmfile, exec_type;
+
+general_domain_access(rpm_t)
+can_ps(rpm_t, domain)
+allow rpm_t self:process setrlimit;
+system_crond_entry(rpm_exec_t, rpm_t)
+role sysadm_r types rpm_t;
+domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
+
+type rpm_file_t, file_type, sysadmfile;
+
+tmp_domain(rpm)
+
+tmpfs_domain(rpm)
+
+log_domain(rpm)
+
+can_network(rpm_t)
+can_ypbind(rpm_t)
+
+# Allow the rpm domain to execute other programs
+can_exec_any(rpm_t)
+
+# Capabilties needed by rpm utils
+allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod };
+
+# Access /var/lib/rpm files
+var_lib_domain(rpm)
+allow userdomain var_lib_t:dir { getattr search };
+r_dir_file(userdomain, rpm_var_lib_t)
+r_dir_file(rpm_t, proc_t)
+
+allow rpm_t sysfs_t:dir r_dir_perms;
+allow rpm_t usbdevfs_t:dir r_dir_perms;
+
+# for installing kernel packages
+allow rpm_t fixed_disk_device_t:blk_file { getattr read };
+
+# Access terminals.
+allow rpm_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow rpm_t sysadm_gph_t:fd use;')
+allow rpm_t privfd:fd use;
+allow rpm_t devtty_t:chr_file rw_file_perms;
+
+domain_auto_trans(rpm_t, ldconfig_exec_t, ldconfig_t)
+domain_auto_trans(rpm_t, initrc_exec_t, initrc_t)
+
+ifdef(`cups.te', `
+r_dir_file(cupsd_t, rpm_var_lib_t)
+allow cupsd_t initrc_exec_t:file { getattr read };
+domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
+')
+
+# for a bug in rm
+dontaudit initrc_t pidfile:file write;
+
+# bash tries to access a block device in the initrd
+dontaudit initrc_t unlabeled_t:blk_file getattr;
+
+# bash tries ioctl for some reason
+dontaudit initrc_t pidfile:file ioctl;
+
+allow rpm_t autofs_t:dir { search getattr };
+allow rpm_t autofs_t:filesystem getattr;
+allow rpm_script_t autofs_t:dir { search getattr };
+allow rpm_t devpts_t:dir { setattr r_dir_perms };
+allow rpm_t { devpts_t proc_t usbdevfs_t fs_t }:filesystem getattr;
+dontaudit rpm_t security_t:filesystem getattr;
+can_getcon(rpm_t)
+can_setfscreate(rpm_t)
+can_setexec(rpm_t)
+read_sysctl(rpm_t)
+general_domain_access(rpm_script_t)
+
+# read/write/create any files in the system
+allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
+allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
+allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
+allow rpm_t sysfs_t:filesystem getattr;
+allow rpm_t tmpfs_t:filesystem getattr;
+dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
+# needs rw permission to the directory for an rpm package that includes a mount
+# point
+allow rpm_t fs_type:dir { setattr rw_dir_perms };
+allow rpm_t fs_type:filesystem getattr;
+
+# allow compiling and loading new policy
+create_dir_file(rpm_t, { policy_src_t policy_config_t })
+
+can_getsecurity({ rpm_t rpm_script_t })
+dontaudit rpm_t shadow_t:file { getattr read };
+allow rpm_t urandom_device_t:chr_file read;
+allow rpm_t { device_t device_type }:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
+allow rpm_t ttyfile:chr_file unlink;
+allow rpm_script_t tty_device_t:chr_file getattr;
+allow rpm_script_t devpts_t:dir search;
+allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms;
+
+allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
+
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role;
+# policy for rpm scriptlet
+role system_r types rpm_script_t;
+uses_shlib(rpm_script_t)
+read_locale(rpm_script_t)
+
+can_ps(rpm_script_t, domain)
+
+ifdef(`lpd.te', `
+can_exec(rpm_script_t, printconf_t)
+')
+
+read_sysctl(rpm_script_t)
+
+type rpm_script_exec_t, file_type, sysadmfile, exec_type;
+
+role sysadm_r types rpm_script_t;
+domain_trans(rpm_t, shell_exec_t, rpm_script_t)
+ifdef(`hide_broken_symptoms', `
+ifdef(`pamconsole.te', `
+domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
+')
+')
+
+tmp_domain(rpm_script)
+
+tmpfs_domain(rpm_script)
+
+# Allow the rpm domain to execute other programs
+can_exec_any(rpm_script_t)
+
+# Capabilties needed by rpm scripts utils
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+
+# ideally we would not need this
+allow rpm_script_t { file_type - shadow_t }:dir create_dir_perms;
+allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
+allow rpm_script_t { device_t device_type }:{ chr_file blk_file } create_file_perms;
+
+# for kernel package installation
+ifdef(`mount.te', `
+allow mount_t rpm_t:fifo_file rw_file_perms;
+')
+
+# Commonly used from postinst scripts
+ifdef(`consoletype.te', `
+allow consoletype_t rpm_t:fifo_file r_file_perms;
+')
+ifdef(`crond.te', `
+allow crond_t rpm_t:fifo_file r_file_perms;
+')
+
+allow rpm_script_t proc_t:dir r_dir_perms;
+allow rpm_script_t proc_t:{ file lnk_file } r_file_perms;
+
+allow rpm_script_t devtty_t:chr_file rw_file_perms;
+allow rpm_script_t devpts_t:dir r_dir_perms;
+allow rpm_script_t admin_tty_type:chr_file rw_file_perms;
+allow rpm_script_t etc_runtime_t:file { getattr read };
+allow rpm_script_t privfd:fd use;
+allow rpm_script_t rpm_tmp_t:file { getattr read ioctl };
+
+allow rpm_script_t urandom_device_t:chr_file read;
+
+ifdef(`ssh-agent.te', `
+domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
+')
+
+ifdef(`useradd.te', `
+domain_auto_trans(rpm_script_t, useradd_exec_t, useradd_t)
+domain_auto_trans(rpm_script_t, groupadd_exec_t, groupadd_t)
+role system_r types { useradd_t groupadd_t };
+allow { useradd_t groupadd_t } rpm_t:fd use;
+allow { useradd_t groupadd_t } rpm_t:fifo_file { read write };
+')
+
+domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t)
+
+domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
+domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
+domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
+ifdef(`bootloader.te', `
+domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
+allow bootloader_t rpm_t:fifo_file rw_file_perms;
+')
+
+domain_auto_trans(rpm_script_t, load_policy_exec_t, load_policy_t)
+
+rw_dir_file(rpm_script_t, nfs_t)
+allow rpm_script_t nfs_t:filesystem getattr;
+
+allow rpm_script_t fs_t:filesystem { getattr mount unmount };
+allow rpm_script_t rpm_script_tmp_t:dir mounton;
+can_exec(rpm_script_t, usr_t)
+can_exec(rpm_script_t, sbin_t)
+
+allow rpm_t mount_t:tcp_socket write;
+create_dir_file(rpm_t, nfs_t)
+allow rpm_t { removable_t nfs_t }:filesystem getattr;
+
+allow rpm_script_t userdomain:fd use;
+
+allow domain rpm_t:fifo_file r_file_perms;
+allow domain rpm_t:fd use;
+
+ifdef(`ssh.te', `
+allow sshd_t rpm_script_t:fd use;
+allow sshd_t rpm_t:fd use;
+')
+
+dontaudit rpm_script_t shadow_t:file getattr;
+allow rpm_script_t sysfs_t:dir r_dir_perms;
+
+ifdef(`prelink.te', `
+domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
+')
+
+allow rpm_t rpc_pipefs_t:dir search;
+allow rpm_script_t init_t:dir search;
+
+type rpmbuild_exec_t, file_type, sysadmfile, exec_type;
+type rpmbuild_t, domain;
+allow rpmbuild_t policy_config_t:dir search;
+allow rpmbuild_t policy_src_t:dir search;
+allow rpmbuild_t policy_src_t:file { getattr read };
+can_getsecurity(rpmbuild_t)
+
+allow rpm_script_t domain:process { signal signull };
+
+# Access /var/lib/rpm.
+allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
+allow initrc_t rpm_var_lib_t:file create_file_perms;
+
+ifdef(`unlimitedRPM', `
+typeattribute rpm_t auth_write;
+unconfined_domain(rpm_t)
+typeattribute rpm_script_t auth_write;
+unconfined_domain(rpm_script_t)
+')
+
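Review bot: The header comment lists the four rpm types but not the trust level the rules confer: the `{ file_type -shadow_t }` create_dir_perms/create_file_perms rules for rpm_t and rpm_script_t, the relabelfrom/relabelto on the same set for rpm_t, create_dir_file on policy_src_t/policy_config_t, can_setexec/can_setfscreate, and the transition into load_policy_t together make both domains part of the policy's trusted base, with shadow_t the only thing held back. That should be stated where a reader starts, e.g. `# NOTE: rpm_t and rpm_script_t may create, write and (rpm_t) relabel every file_type except shadow_t and can load policy; treat them as trusted-base domains.` The `unlimitedRPM` block at the end removes even the shadow_t exception via auth_write and unconfined_domain, so a one-line comment there saying `# makes rpm fully unconfined, including shadow_t` would spare the next reader a macro lookup. Minor style: the type-set spelling alternates between `{ file_type -shadow_t }` and `{ file_type - shadow_t }`; pick one form.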
diff --git a/strict/domains/program/rshd.te b/strict/domains/program/rshd.te
new file mode 100644
index 0000000..f1da21e
--- /dev/null
+++ b/strict/domains/program/rshd.te
@@ -0,0 +1,69 @@
+#DESC RSHD - RSH daemon
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: rsh-server rsh-redone-server
+# Depends: inetd.te
+#
+
+#################################
+#
+# Rules for the rshd_t domain.
+#
+type rsh_port_t, port_type, reserved_port_type;
+daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
+
+ifdef(`tcpd.te', `
+domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t)
+')
+
+# Use sockets inherited from inetd.
+allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms;
+
+# Use capabilities.
+allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override};
+
+# Use the network.
+can_network_server(rshd_t)
+allow rshd_t reserved_port_t:tcp_socket name_bind;
+dontaudit rshd_t reserved_port_type:tcp_socket name_bind;
+
+can_ypbind(rshd_t)
+
+allow rshd_t etc_t:file { getattr read };
+read_locale(rshd_t)
+allow rshd_t self:unix_dgram_socket create_socket_perms;
+allow rshd_t self:unix_stream_socket create_stream_socket_perms;
+allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
+can_kerberos(rshd_t)
+allow rshd_t { bin_t sbin_t tmp_t}:dir { search };
+allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms;
+ifdef(`rlogind.te', `
+allow rshd_t rlogind_tmp_t:file rw_file_perms;
+')
+allow rshd_t urandom_device_t:chr_file { getattr read };
+
+# Read the user's .rhosts file.
+allow rshd_t home_type:file  r_file_perms ;
+
+# Random reasons
+can_getsecurity(rshd_t)
+can_setexec(rshd_t)
+r_dir_file(rshd_t, selinux_config_t)
+r_dir_file(rshd_t, default_context_t)
+read_sysctl(rshd_t);
+
+if (use_nfs_home_dirs) {
+r_dir_file(rshd_t, nfs_t)
+}
+
+if (use_samba_home_dirs) {
+r_dir_file(rshd_t, cifs_t)
+}
+
+allow rshd_t self:process { fork signal setsched setpgid };
+allow rshd_t self:fifo_file rw_file_perms;
+
+ifdef(`targeted_policy', `
+unconfined_domain(rshd_t)
+domain_auto_trans(rshd_t,shell_exec_t,unconfined_t)
+')
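Review bot: The comment `# Read the user's .rhosts file.` undersells the rule beneath it: `allow rshd_t home_type:file r_file_perms;` grants read on every file carrying a home_type label, and with `dac_override` in the capability set above, the DAC bits on those files do not restrict rshd either. Unless .rhosts is given its own type in file_contexts so this can be narrowed, the comment should state what is actually granted: `# Read the user's .rhosts file (needs read on all home_type files; dac_override above bypasses DAC on them).` The `targeted_policy` block also deserves a line noting that unconfined_domain(rshd_t) plus the shell transition to unconfined_t leaves rshd fully unconfined there. Style nit: `read_sysctl(rshd_t);` carries a trailing semicolon the other macro calls do not; checkpolicy appears to tolerate the empty statement, but drop it for consistency.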
diff --git a/strict/domains/program/rsync.te b/strict/domains/program/rsync.te
new file mode 100644
index 0000000..1090463
--- /dev/null
+++ b/strict/domains/program/rsync.te
@@ -0,0 +1,19 @@
+#DESC rsync - flexible replacement for rcp
+#
+# Author:  Dan Walsh <dwalsh at redhat.com>
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the rsync_t domain.
+#
+# rsync_exec_t is the type of the rsync executable.
+#
+
+inetd_child_domain(rsync)
+type rsync_data_t, file_type, sysadmfile;
+r_dir_file(rsync_t, rsync_data_t)
+ifdef(`ftpd.te', `
+r_dir_file(rsync_t, ftpd_anon_t)
+')
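Review bot: rsync_data_t is declared without a comment, and the only access granted on it is `r_dir_file(rsync_t, rsync_data_t)`, i.e. read-only; a reader should not have to infer that, under these rules, the daemon can serve but not receive files. Suggest `# rsync_data_t: content exported by the rsync daemon; access is read-only, so rsyncd modules that accept uploads need additional rules.` The ftpd_anon_t read inside the ifdef likewise warrants a one-liner saying it lets rsync export the anonymous FTP tree.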
diff --git a/strict/domains/program/samba.te b/strict/domains/program/samba.te
new file mode 100644
index 0000000..43b31ef
--- /dev/null
+++ b/strict/domains/program/samba.te
@@ -0,0 +1,182 @@
+#DESC SAMBA - SMB file server
+#
+# Author: Ryan Bergauer (bergauer at rice.edu)
+# X-Debian-Packages: samba
+#
+
+#################################
+#
+# Declarations for Samba
+#
+
+daemon_domain(smbd, `, auth_chkpwd')
+daemon_domain(nmbd)
+type samba_etc_t, file_type, sysadmfile, usercanread;
+type samba_log_t, file_type, sysadmfile, logfile;
+type samba_var_t, file_type, sysadmfile;
+type samba_share_t, file_type, sysadmfile, customizable;
+type samba_secrets_t, file_type, sysadmfile;
+typealias samba_var_t alias samba_spool_t;
+
+# for /var/run/samba/messages.tdb
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+
+allow smbd_t self:process setrlimit;
+
+# not sure why it needs this
+tmp_domain(smbd)
+
+ifdef(`crond.te', `
+allow system_crond_t samba_etc_t:file { read getattr lock };
+allow system_crond_t samba_log_t:file { read getattr lock };
+#allow system_crond_t samba_secrets_t:file { read getattr lock };
+')
+
+#################################
+#
+# Rules for the smbd_t domain.
+#
+
+# Permissions normally found in every_domain.
+general_domain_access(smbd_t)
+general_proc_read_access(smbd_t)
+
+type smbd_port_t, port_type, reserved_port_type;
+allow smbd_t smbd_port_t:tcp_socket name_bind;
+
+# Use capabilities.
+allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
+
+# Use the network.
+can_network_server(smbd_t)
+
+allow smbd_t urandom_device_t:chr_file { getattr read };
+
+# Permissions for Samba files in /etc/samba
+# either allow read access to the directory or allow the auto_trans rule to
+# allow creation of the secrets.tdb file and the MACHINE.SID file
+#allow smbd_t samba_etc_t:dir { search getattr };
+file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
+
+allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
+
+# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
+allow smbd_t var_lib_t:dir search;
+allow smbd_t samba_var_t:dir create_dir_perms;
+allow smbd_t samba_var_t:file create_file_perms;
+
+# Permissions to write log files.
+allow smbd_t samba_log_t:file { create ra_file_perms };
+allow smbd_t var_log_t:dir search;
+allow smbd_t samba_log_t:dir ra_dir_perms;
+
+allow smbd_t usr_t:file { getattr read };
+
+# Access Samba shares.
+create_dir_file(smbd_t, samba_share_t)
+
+ifdef(`logrotate.te', `
+# the application should be changed
+can_exec(logrotate_t, samba_log_t)
+')
+#################################
+#
+# Rules for the nmbd_t domain.
+#
+
+# Permissions normally found in every_domain.
+general_domain_access(nmbd_t)
+general_proc_read_access(nmbd_t)
+
+type nmbd_port_t, port_type, reserved_port_type;
+allow nmbd_t nmbd_port_t:udp_socket name_bind;
+
+# Use capabilities.
+allow nmbd_t self:capability net_bind_service;
+
+# Use the network.
+can_network_server(nmbd_t)
+
+# Permissions for Samba files in /etc/samba
+allow nmbd_t samba_etc_t:file { getattr read };
+allow nmbd_t samba_etc_t:dir { search getattr };
+
+# Permissions for Samba cache files in /var/cache/samba
+allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
+allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
+
+allow nmbd_t usr_t:file { getattr read };
+
+# Permissions to write log files.
+allow nmbd_t samba_log_t:file { create ra_file_perms };
+allow nmbd_t var_log_t:dir search;
+allow nmbd_t samba_log_t:dir ra_dir_perms;
+ifdef(`cups.te', `
+allow smbd_t cupsd_rw_etc_t:file { getattr read };
+')
+# Needed for winbindd
+allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
+
+# Support Samba sharing of home directories
+bool samba_enable_home_dirs false;
+
+ifdef(`mount.te', `
+#
+# Domain for running smbmount
+#
+
+# Derive from app. domain. Transition from mount.
+application_domain(smbmount, `, fs_domain, nscd_client_domain')
+domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
+
+# Capabilities
+# FIXME: is all of this really necessary?
+allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
+
+# Access samba config
+allow smbmount_t samba_etc_t:file r_file_perms;
+allow smbmount_t samba_etc_t:dir r_dir_perms;
+
+# Write samba log
+allow smbmount_t samba_log_t:file create_file_perms;
+allow smbmount_t samba_log_t:dir r_dir_perms; 
+
+# Write stuff in var
+allow smbmount_t var_log_t:dir r_dir_perms;
+rw_dir_create_file(smbmount_t, samba_var_t)
+
+# Access mtab
+file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
+
+# Read nsswitch.conf
+allow smbmount_t etc_t:file r_file_perms;
+
+# Networking
+can_network(smbmount_t)
+can_ypbind(smbmount_t)
+allow smbmount_t self:unix_dgram_socket create_socket_perms;
+allow smbmount_t self:unix_stream_socket create_socket_perms;
+allow kernel_t smbmount_t:tcp_socket { read write };
+allow userdomain smbmount_t:tcp_socket write;
+
+# Proc
+# FIXME: is this necessary?
+r_dir_file(smbmount_t, proc_t)
+
+# Fork smbmnt 
+allow smbmount_t bin_t:dir r_dir_perms;
+can_exec(smbmount_t, smbmount_exec_t)
+allow smbmount_t self:process { fork signal_perms };
+
+# Mount 
+allow smbmount_t cifs_t:filesystem mount_fs_perms;
+allow smbmount_t cifs_t:dir r_dir_perms;
+allow smbmount_t mnt_t:dir r_dir_perms;
+allow smbmount_t mnt_t:dir mounton;
+
+# Terminal
+read_locale(smbmount_t) 
+access_terminal(smbmount_t, sysadm)
+allow smbmount_t userdomain:fd use;
+allow smbmount_t local_login_t:fd use;
+')
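Review bot: `can_exec(logrotate_t, samba_log_t)` lets logrotate_t execute files of a type that smbd_t, nmbd_t and smbmount_t write (the `samba_log_t:file { create ra_file_perms }` and `create_file_perms` rules above), so content emitted by those daemons, which includes data influenced by remote clients, becomes executable by logrotate if it is ever pointed at such a file. The existing `# the application should be changed` should say what the workaround is for and mark it temporary, e.g. `# TODO: workaround for a logrotate script carrying the samba_log_t label; fix the labelling and drop this exec grant` if that is indeed the cause (not verifiable from this hunk). Separately, `bool samba_enable_home_dirs false;` is declared but no `if (samba_enable_home_dirs)` block in this file consumes it; if the rules live in a macro file, a comment pointing there would save the next reader a search.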
diff --git a/strict/domains/program/saslauthd.te b/strict/domains/program/saslauthd.te
new file mode 100644
index 0000000..f51ccd0
--- /dev/null
+++ b/strict/domains/program/saslauthd.te
@@ -0,0 +1,23 @@
+#DESC saslauthd - Authentication daemon for SASL
+#
+# Author: Colin Walters <walters at verbum.org>
+#
+
+daemon_domain(saslauthd, `, auth_chkpwd')
+
+allow saslauthd_t self:fifo_file { read write };
+allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
+
+allow saslauthd_t etc_t:dir { getattr search };
+allow saslauthd_t etc_t:file r_file_perms;
+allow saslauthd_t net_conf_t:file r_file_perms;
+
+allow saslauthd_t self:file r_file_perms;
+allow saslauthd_t proc_t:file read;
+
+allow saslauthd_t urandom_device_t:chr_file { getattr read }; 
+
+# Needs investigation
+dontaudit saslauthd_t home_root_t:dir getattr;
diff --git a/strict/domains/program/screen.te b/strict/domains/program/screen.te
new file mode 100644
index 0000000..e9be1a0
--- /dev/null
+++ b/strict/domains/program/screen.te
@@ -0,0 +1,13 @@
+#DESC screen - Program to detach sessions
+#
+# X-Debian-Packages: screen
+# Domains for the screen program.
+
+#
+# screen_exec_t is the type of the screen executable.
+#
+type screen_exec_t, file_type, sysadmfile, exec_type;
+type screen_dir_t, file_type, sysadmfile, pidfile;
+
+# Everything else is in the screen_domain macro in
+# macros/program/screen_macros.te.
diff --git a/strict/domains/program/sendmail.te b/strict/domains/program/sendmail.te
new file mode 100644
index 0000000..958d13e
--- /dev/null
+++ b/strict/domains/program/sendmail.te
@@ -0,0 +1,111 @@
+#DESC Sendmail - Mail server
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: sendmail sendmail-wide
+# Depends: mta.te
+#
+
+#################################
+#
+# Rules for the sendmail_t domain.
+#
+# sendmail_t is the domain for the sendmail 
+# daemon started by the init rc scripts.
+#
+
+# etc_mail_t is the type of /etc/mail.
+type etc_mail_t, file_type, sysadmfile, usercanread;
+
+daemon_domain(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender', nosysadm)
+
+tmp_domain(sendmail)
+logdir_domain(sendmail)
+
+# Use capabilities
+allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
+
+# Use the network.
+can_network(sendmail_t)
+can_ypbind(sendmail_t)
+
+allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+allow sendmail_t self:unix_dgram_socket create_socket_perms;
+allow sendmail_t self:fifo_file rw_file_perms;
+
+# Bind to the SMTP port.
+allow sendmail_t smtp_port_t:tcp_socket name_bind;
+
+allow sendmail_t etc_t:file { getattr read };
+
+# Write to /etc/aliases and /etc/mail.
+allow sendmail_t etc_aliases_t:file { setattr rw_file_perms };
+#
+#  Need this transition to create /etc/aliases.db 
+#
+ifdef(`distro_redhat', `
+ifdef(`rpm.te', `
+domain_auto_trans(rpm_script_t, sendmail_exec_t, system_mail_t)
+')
+')
+
+allow sendmail_t etc_mail_t:dir rw_dir_perms;
+allow sendmail_t etc_mail_t:file create_file_perms;
+# for the start script to run make -C /etc/mail
+allow initrc_t etc_mail_t:dir rw_dir_perms;
+allow initrc_t etc_mail_t:file create_file_perms;
+allow system_mail_t initrc_t:fd use;
+allow system_mail_t initrc_t:fifo_file write;
+
+# Write to /var/spool/mail and /var/spool/mqueue.
+allow sendmail_t var_spool_t:dir { getattr search };
+allow sendmail_t mail_spool_t:dir rw_dir_perms;
+allow sendmail_t mail_spool_t:file create_file_perms;
+allow sendmail_t mqueue_spool_t:dir rw_dir_perms;
+allow sendmail_t mqueue_spool_t:file create_file_perms;
+allow sendmail_t urandom_device_t:chr_file { getattr read };
+
+# Read /usr/lib/sasl2/.*
+allow sendmail_t lib_t:file { getattr read };
+
+# When sendmail runs as user_mail_domain, it needs some extra permissions
+# to update /etc/mail/statistics.
+allow user_mail_domain etc_mail_t:file rw_file_perms;
+
+# Silently deny attempts to access /root.
+dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
+
+# Run procmail in its own domain, if defined.
+ifdef(`procmail.te',`
+domain_auto_trans(sendmail_t, procmail_exec_t, procmail_t)
+domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
+allow sendmail_t bin_t:dir { getattr search };
+')
+
+read_sysctl(sendmail_t)
+read_sysctl(system_mail_t)
+
+allow system_mail_t etc_mail_t:dir { getattr search };
+allow system_mail_t etc_runtime_t:file { getattr read };
+allow system_mail_t proc_t:dir search;
+allow system_mail_t proc_t:file { getattr read };
+allow system_mail_t proc_t:lnk_file read;
+dontaudit system_mail_t proc_net_t:dir search;
+allow system_mail_t fs_t:filesystem getattr;
+allow system_mail_t self:dir { getattr search };
+allow system_mail_t var_t:dir getattr;
+allow system_mail_t var_spool_t:dir getattr;
+dontaudit system_mail_t userpty_type:chr_file { getattr read write };
+
+# sendmail -q 
+allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
+allow system_mail_t mqueue_spool_t:file create_file_perms;
+
+ifdef(`crond.te', `
+dontaudit system_mail_t system_crond_tmp_t:file append;
+')
+dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
+
+# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
+allow sendmail_t initrc_var_run_t:file { getattr read };
+dontaudit sendmail_t initrc_var_run_t:file { lock write };
+
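Review bot: `allow user_mail_domain etc_mail_t:file rw_file_perms;` gives every user mail domain read/write on all etc_mail_t files, which per the type comment is the whole of /etc/mail (sendmail.cf, maps, and so on), far more than the `/etc/mail/statistics` update the comment cites. A compromised user-invoked mail client could then rewrite the MTA's configuration, so /etc/mail/statistics should get a dedicated type (say `etc_mail_stat_t`) with this rule narrowed to it and the file_contexts entry adjusted. Until then the comment should be honest about the scope: `# NOTE: grants rw on every etc_mail_t file, not just statistics; narrow once statistics has its own type.`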
diff --git a/strict/domains/program/setfiles.te b/strict/domains/program/setfiles.te
new file mode 100644
index 0000000..26c275f
--- /dev/null
+++ b/strict/domains/program/setfiles.te
@@ -0,0 +1,62 @@
+#DESC Setfiles - SELinux filesystem labeling utilities
+#
+# Authors:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: policycoreutils
+#
+
+#################################
+#
+# Rules for the setfiles_t domain.
+#
+# setfiles_exec_t is the type of the setfiles executable.
+#
+# needs auth_write attribute because it has relabelfrom/relabelto
+# access to shadow_t
+type setfiles_t, domain, privlog, privowner, auth_write, change_context;
+type setfiles_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types setfiles_t;
+role sysadm_r types setfiles_t;
+
+allow setfiles_t initrc_devpts_t:chr_file { read write ioctl };
+allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
+
+allow setfiles_t self:unix_dgram_socket create_socket_perms;
+
+domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
+allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
+
+uses_shlib(setfiles_t)
+allow setfiles_t self:capability { dac_override dac_read_search fowner };
+
+# for upgrading glibc and other shared objects - without this the upgrade
+# scripts will put things in a state such that setfiles can not be run!
+allow setfiles_t lib_t:file { read execute };
+
+# Get security policy decisions.
+can_getsecurity(setfiles_t)
+
+r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })
+
+allow setfiles_t file_type:dir r_dir_perms;
+allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
+allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
+allow setfiles_t unlabeled_t:dir read;
+allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };
+allow setfiles_t { ttyfile ptyfile }:chr_file getattr;
+# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal
+dontaudit setfiles_t ttyfile:chr_file relabelfrom;
+
+allow setfiles_t fs_t:filesystem getattr;
+allow setfiles_t fs_type:dir r_dir_perms;
+
+read_locale(setfiles_t)
+
+allow setfiles_t etc_runtime_t:file read;
+allow setfiles_t etc_t:file read;
+allow setfiles_t proc_t:file { getattr read };
+dontaudit setfiles_t proc_t:lnk_file { getattr read };
+
+# for config files in a home directory
+allow setfiles_t home_type:file r_file_perms;
+dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;
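Review bot: The comment `# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal` reads as if dontaudit were a deny, but dontaudit only suppresses the audit record for a denial; whether relabelfrom on a ttyfile chr_file is actually denied depends on the tty types not also carrying device_type, since `allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };` a few lines earlier would otherwise permit it (the attribute assignments are outside this hunk). Suggest rewording to `# ttyfile relabelfrom is not allowed; dontaudit only silences the denial when setfiles walks /dev` and, if the intent is a hard guarantee, adding `neverallow setfiles_t ttyfile:chr_file relabelfrom;` so the build fails should a tty type ever gain device_type. The same applies to the trailing `dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;`.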
diff --git a/strict/domains/program/slapd.te b/strict/domains/program/slapd.te
new file mode 100644
index 0000000..bab118a
--- /dev/null
+++ b/strict/domains/program/slapd.te
@@ -0,0 +1,61 @@
+#DESC Slapd - OpenLDAP server
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: slapd
+#
+
+#################################
+#
+# Rules for the slapd_t domain.
+#
+# slapd_exec_t is the type of the slapd executable.
+#
+daemon_domain(slapd)
+
+type ldap_port_t, port_type, reserved_port_type;
+allow slapd_t ldap_port_t:tcp_socket name_bind;
+
+etc_domain(slapd)
+typealias slapd_etc_t alias etc_slapd_t;
+type slapd_db_t, file_type, sysadmfile;
+type slapd_replog_t, file_type, sysadmfile;
+
+tmp_domain(slapd)
+
+# Use the network.
+can_network(slapd_t)
+can_ypbind(slapd_t)
+allow slapd_t self:fifo_file { read write };
+allow slapd_t self:unix_stream_socket create_socket_perms;
+allow slapd_t self:unix_dgram_socket create_socket_perms;
+# allow any domain to connect to the LDAP server
+can_tcp_connect(domain, slapd_t)
+
+# Use capabilities  should not need kill...
+allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw };
+allow slapd_t self:process setsched;
+
+allow slapd_t proc_t:file r_file_perms;
+
+# Allow access to the slapd databases
+create_dir_file(slapd_t, slapd_db_t)
+allow initrc_t slapd_db_t:dir r_dir_perms;
+allow slapd_t var_lib_t:dir r_dir_perms;
+
+# Allow access to write the replication log (should tighten this)
+create_dir_file(slapd_t, slapd_replog_t)
+
+# read config files
+allow slapd_t etc_t:{ file lnk_file } { getattr read };
+allow slapd_t etc_runtime_t:file { getattr read };
+
+# for startup script
+allow initrc_t slapd_etc_t:file read;
+
+allow slapd_t etc_t:dir r_dir_perms;
+
+read_sysctl(slapd_t)
+
+allow slapd_t usr_t:file { read getattr };
+allow slapd_t urandom_device_t:chr_file { getattr read };
+allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
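Review bot: The capability set `{ kill setgid setuid net_bind_service net_raw }` grants net_raw to an LDAP server with no explanation, while the comment only concedes that `kill` is probably unneeded yet leaves it allowed. If kill is genuinely not required, `dontaudit slapd_t self:capability kill;` is the safer form, and net_raw either needs a comment naming what in slapd opens a raw socket or should be removed after checking the audit log. `can_tcp_connect(domain, slapd_t)` also admits every domain, including untrusted user and network-facing daemons, as LDAP clients; that is presumably for name-service lookups, but the bare `# allow any domain to connect to the LDAP server` should say so and note the exposure.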
diff --git a/strict/domains/program/slocate.te b/strict/domains/program/slocate.te
new file mode 100644
index 0000000..da3219c
--- /dev/null
+++ b/strict/domains/program/slocate.te
@@ -0,0 +1,76 @@
+#DESC LOCATE - Security Enhanced version of the GNU Locate
+#
+# Author:  Dan Walsh <dwalsh at redhat.com>
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the locate_t domain.
+#
+# locate_exec_t is the type of the locate executable.
+#
+daemon_base_domain(locate)
+
+allow locate_t fs_t:filesystem getattr;
+
+ifdef(`crond.te', `
+system_crond_entry(locate_exec_t, locate_t)
+allow system_crond_t locate_log_t:dir rw_dir_perms;
+allow system_crond_t locate_log_t:file { create append getattr };
+allow system_crond_t locate_etc_t:file { getattr read };
+')
+
+allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
+
+allow locate_t { fs_type file_type }:dir r_dir_perms;
+allow locate_t file_type:lnk_file r_file_perms;
+allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
+dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
+dontaudit locate_t security_t:dir getattr;
+dontaudit locate_t shadow_t:file getattr;
+
+allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr;
+allow locate_t unlabeled_t:dir_file_class_set getattr;
+allow locate_t unlabeled_t:dir read;
+
+logdir_domain(locate)
+etcdir_domain(locate)
+typealias locate_etc_t alias etc_locate_t;
+
+type var_lib_locate_t, file_type, sysadmfile;
+
+create_dir_file(locate_t, var_lib_locate_t)
+dontaudit locate_t sysadmfile:file getattr;
+
+allow locate_t proc_t:file { getattr read };
+allow locate_t self:unix_stream_socket create_socket_perms;
+#
+# Need to be able to exec renice
+#
+can_exec(locate_t, bin_t)
+
+dontaudit locate_t rpc_pipefs_t:dir r_dir_perms;
+dontaudit locate_t rpc_pipefs_t:file getattr;
+
+#
+# Read Mtab file
+#
+allow locate_t etc_runtime_t:file { getattr read };
+
+#
+# Read nsswitch file
+#
+allow locate_t etc_t:file { getattr read };
+dontaudit locate_t self:capability dac_override;
+allow locate_t self:capability dac_read_search;
+
+# sysadm_t runs locate in his own domain.
+# We use a type alias to simplify the rest of the policy,
+# which often refers to $1_locate_t for the user domains.
+typealias sysadm_t alias sysadm_locate_t;
+
+allow locate_t userdomain:fd use;
+ifdef(`cardmgr.te', `
+allow locate_t cardmgr_var_run_t:chr_file getattr;
+')
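Review bot: The header line `# Depends: inetd.te` matches nothing in this file: no rule references inetd_t or an inetd child domain, and `daemon_base_domain(locate)` plus the `system_crond_entry` is a cron-driven updatedb, not an inetd service, so the line looks copied from rsync.te and should become `# Depends: crond.te` or be dropped. A second small point: `dontaudit locate_t sysadmfile:file getattr;` is shadowed for every type that carries both attributes by the earlier `allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;`, since an allow takes precedence over a dontaudit; if sysadmfile types are all file_type (as the declarations elsewhere in this commit suggest) the rule only affects shadow_t, which the separate shadow_t dontaudit above already covers, and it can go.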
diff --git a/strict/domains/program/slrnpull.te b/strict/domains/program/slrnpull.te
new file mode 100644
index 0000000..25edb93
--- /dev/null
+++ b/strict/domains/program/slrnpull.te
@@ -0,0 +1,24 @@
+#DESC slrnpull
+#
+# Author:  Dan Walsh <dwalsh at redhat.com>
+#
+
+#################################
+#
+# Rules for the slrnpull_t domain.
+#
+# slrnpull_exec_t is the type of the slrnpull executable.
+#
+daemon_domain(slrnpull)
+type slrnpull_spool_t, file_type, sysadmfile;
+
+log_domain(slrnpull)
+
+ifdef(`logrotate.te', `
+create_dir_file(logrotate_t, slrnpull_spool_t)
+')
+system_crond_entry(slrnpull_exec_t, slrnpull_t)
+allow userdomain slrnpull_spool_t:dir search;
+rw_dir_create_file(slrnpull_t, slrnpull_spool_t)
+allow slrnpull_t var_spool_t:dir search;
+allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
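Review bot: `create_dir_file(logrotate_t, slrnpull_spool_t)` gives logrotate create/write/unlink over the entire news spool type, not only log files, while slrnpull's own logs are already covered by `log_domain(slrnpull)`. If the spool holds a log that logrotate must rotate, a comment should name it; otherwise the grant should be narrowed to the log type. Also, the final `allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;` appears to subsume the directory half of `rw_dir_create_file(slrnpull_t, slrnpull_spool_t)` two lines above (by the naming convention of these macros); one rule with a comment would read more clearly.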
diff --git a/strict/domains/program/snmpd.te b/strict/domains/program/snmpd.te
new file mode 100644
index 0000000..5b794ed
--- /dev/null
+++ b/strict/domains/program/snmpd.te
@@ -0,0 +1,80 @@
+#DESC SNMPD - Simple Network Management Protocol daemon
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: snmpd
+#
+
+#################################
+#
+# Rules for the snmpd_t domain.
+#
+daemon_domain(snmpd)
+
+#temp
+allow snmpd_t var_t:dir getattr;
+
+can_network_server(snmpd_t)
+can_ypbind(snmpd_t)
+
+type snmp_port_t, port_type, reserved_port_type;
+allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
+
+etc_domain(snmpd)
+typealias snmpd_etc_t alias etc_snmpd_t;
+
+# for the .index file
+var_lib_domain(snmpd)
+file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, dir)
+file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
+typealias snmpd_var_lib_t alias snmpd_var_rw_t;
+
+log_domain(snmpd)
+# for /usr/share/snmp/mibs
+allow snmpd_t usr_t:file { getattr read };
+
+can_udp_send(sysadm_t, snmpd_t)
+can_udp_send(snmpd_t, sysadm_t)
+
+allow snmpd_t self:unix_dgram_socket create_socket_perms;
+allow snmpd_t self:unix_stream_socket create_socket_perms;
+allow snmpd_t etc_t:lnk_file read;
+allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
+allow snmpd_t urandom_device_t:chr_file read;
+allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
+
+allow snmpd_t proc_t:dir search;
+allow snmpd_t proc_t:file r_file_perms;
+allow snmpd_t self:file { getattr read };
+allow snmpd_t self:fifo_file { read write };
+
+ifdef(`distro_redhat', `
+ifdef(`rpm.te', `
+r_dir_file(snmpd_t, rpm_var_lib_t)
+dontaudit snmpd_t rpm_var_lib_t:dir write;
+dontaudit snmpd_t rpm_var_lib_t:file write;
+')
+')
+
+allow snmpd_t home_root_t:dir search;
+allow snmpd_t initrc_var_run_t:file r_file_perms;
+dontaudit snmpd_t initrc_var_run_t:file write;
+dontaudit snmpd_t rpc_pipefs_t:dir getattr;
+allow snmpd_t rpc_pipefs_t:dir getattr;
+read_sysctl(snmpd_t)
+dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
+allow snmpd_t sysfs_t:dir { getattr read search };
+ifdef(`amanda.te', `
+dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
+')
+ifdef(`cupsd.te', `
+allow snmpd_t cupsd_rw_etc_t:file { getattr read };
+')
+allow snmpd_t var_lib_nfs_t:dir search;
+
+# needed in order to retrieve net traffic data
+allow snmpd_t proc_net_t:dir search;
+allow snmpd_t proc_net_t:file r_file_perms;
+
+dontaudit snmpd_t domain:dir { getattr search };
+
+dontaudit snmpd_t selinux_config_t:dir search;
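Review bot: `file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)` gives a network-facing daemon write/add_name on usr_t directories (the macro grants directory write on each listed parent type) so it can create files under /usr, and the comment `# for the .index file` does not say which /usr path needs this. If the .index only has to live under /var, drop usr_t from the parent set; otherwise name the path the way `# for /usr/share/snmp/mibs` does a few lines down, so the /usr write can be re-evaluated later (the path is not verifiable from this hunk). Also `dontaudit snmpd_t rpc_pipefs_t:dir getattr;` is immediately followed by `allow snmpd_t rpc_pipefs_t:dir getattr;`, which makes the dontaudit dead; remove it.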
diff --git a/strict/domains/program/sound.te b/strict/domains/program/sound.te
new file mode 100644
index 0000000..01f7355
--- /dev/null
+++ b/strict/domains/program/sound.te
@@ -0,0 +1,26 @@
+#DESC Sound - Sound utilities
+#
+# Authors:  Mark Westerman <mark.westerman at .com>
+# X-Debian-Packages: esound
+#
+#################################
+#
+# Rules for the sound_t domain.
+#
+daemon_base_domain(sound)
+type sound_file_t, file_type, sysadmfile;
+allow initrc_t sound_file_t:file { getattr read };
+allow sound_t sound_file_t:file rw_file_perms;
+
+# Use capabilities.
+# Commented out by default.
+#allow sound_t self:capability { sys_admin sys_rawio sys_time dac_override };
+dontaudit sound_t self:capability { sys_admin sys_rawio sys_time dac_read_search dac_override };
+
+# Read and write the sound device.
+allow sound_t sound_device_t:chr_file rw_file_perms;
+
+# Read and write ttys.
+allow sound_t sysadm_tty_device_t:chr_file rw_file_perms;
+read_locale(sound_t)
+allow initrc_t sound_file_t:file { setattr write };
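Review bot: `allow initrc_t sound_file_t:file { setattr write };` on the last line repeats the subject and object of `allow initrc_t sound_file_t:file { getattr read };` near the top of the file, so what initrc_t may do to sound_file_t has to be collected from two places. Merging them into a single `allow initrc_t sound_file_t:file { getattr read setattr write };` next to the domain declaration keeps that access reviewable in one rule. The header line `mark.westerman at .com` is also missing its domain, though that may be archive obfuscation rather than a defect in the committed file.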
diff --git a/strict/domains/program/spamassassin.te b/strict/domains/program/spamassassin.te
new file mode 100644
index 0000000..d08eaa3
--- /dev/null
+++ b/strict/domains/program/spamassassin.te
@@ -0,0 +1,11 @@
+#DESC Spamassassin
+#
+# Author: Colin Walters <walters at debian.org>
+# X-Debian-Packages: spamassassin
+#
+
+type spamassassin_exec_t, file_type, sysadmfile, exec_type;
+
+bool spamassasin_can_network false;
+
+# Everything else is in spamassassin_macros.te.
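Review bot: `bool spamassasin_can_network false;` spells the package name with a single s, unlike the file name, the `#DESC` line and the `X-Debian-Packages:` header, and the closing comment says the rules consuming it live in spamassassin_macros.te, which is not visible here. If that macro file tests `spamassassin_can_network`, the boolean declared on this line is never consulted and the network rules fall back to whatever the undeclared name does at build time. Suggest `bool spamassassin_can_network false;` together with a check of the macro file, or a comment stating that the misspelling is intentional and must be kept in sync.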
diff --git a/strict/domains/program/spamc.te b/strict/domains/program/spamc.te
new file mode 100644
index 0000000..9b49fbf
--- /dev/null
+++ b/strict/domains/program/spamc.te
@@ -0,0 +1,10 @@
+#DESC Spamc - Spamassassin client
+#
+# Author: Colin Walters <walters at debian.org>
+# X-Debian-Packages: spamc
+# Depends: spamassassin.te
+#
+
+type spamc_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in spamassassin_macros.te.
diff --git a/strict/domains/program/spamd.te b/strict/domains/program/spamd.te
new file mode 100644
index 0000000..c54d771
--- /dev/null
+++ b/strict/domains/program/spamd.te
@@ -0,0 +1,72 @@
+#DESC Spamd - Spamassassin daemon
+#
+# Author: Colin Walters <walters at debian.org>
+# X-Debian-Packages: spamassassin
+# Depends: spamassassin.te
+#
+
+daemon_domain(spamd)
+
+tmp_domain(spamd)
+
+type spamd_port_t, port_type, reserved_port_type;
+allow spamd_t spamd_port_t:tcp_socket name_bind;
+
+general_domain_access(spamd_t)
+uses_shlib(spamd_t)
+can_ypbind(spamd_t)
+read_sysctl(spamd_t)
+
+# Various Perl bits
+allow spamd_t lib_t:file rx_file_perms;
+dontaudit spamd_t shadow_t:file { getattr read };
+dontaudit spamd_t initrc_var_run_t:file { read write lock };
+dontaudit spamd_t sysadm_home_dir_t:dir getattr;
+
+can_network_server(spamd_t)
+allow spamd_t self:capability net_bind_service;
+
+allow spamd_t proc_t:file { getattr read };
+
+# Spamassassin, when run as root and using per-user config files,
+# setuids to the user running spamc.  Comment this if you are not
+# using this ability.
+allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+
+allow spamd_t { bin_t sbin_t }:dir { getattr search };
+can_exec(spamd_t, bin_t)
+
+ifdef(`sendmail.te', `
+allow spamd_t etc_mail_t:dir { getattr read search };
+allow spamd_t etc_mail_t:file { getattr ioctl read };
+')
+allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };
+
+ifdef(`amavis.te', `
+# for bayes tokens
+allow spamd_t var_lib_t:dir { getattr search };
+rw_dir_create_file(spamd_t, amavisd_lib_t)
+')
+
+allow spamd_t usr_t:file { getattr ioctl read };
+allow spamd_t usr_t:lnk_file { getattr read };
+allow spamd_t urandom_device_t:chr_file { getattr read };
+
+system_crond_entry(spamd_exec_t, spamd_t)
+
+allow spamd_t autofs_t:dir { search getattr };
+
+if (use_nfs_home_dirs) {
+allow spamd_t nfs_t:dir rw_dir_perms;
+allow spamd_t nfs_t:file create_file_perms;
+}
+
+if (use_samba_home_dirs) {
+allow spamd_t cifs_t:dir rw_dir_perms;
+allow spamd_t cifs_t:file create_file_perms;
+}
+
+allow spamd_t home_root_t:dir getattr;
+allow spamd_t user_home_dir_type:dir { search getattr };
+
+
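Review bot: The comment above `allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };` tells the administrator to comment the rule out when per-user setuid is not used, but the rule ships unconditionally, so spamd gets setuid, setgid and dac_override by default with no policy-level switch. This file already uses booleans (`use_nfs_home_dirs`, `use_samba_home_dirs`) for optional access, and the opt-out the comment describes fits the same mechanism: declare a boolean such as `bool spamd_setuid false;` (constructed name) and wrap `allow spamd_t self:capability { setuid setgid dac_override };` in `if (spamd_setuid) { ... }`, keeping `sys_tty_config` unconditional. The comment can then describe the boolean instead of asking for a source edit.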
diff --git a/strict/domains/program/squid.te b/strict/domains/program/squid.te
new file mode 100644
index 0000000..b0810b1
--- /dev/null
+++ b/strict/domains/program/squid.te
@@ -0,0 +1,76 @@
+#DESC Squid - Web cache
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: squid
+#
+
+#################################
+#
+# Rules for the squid_t domain.
+#
+# squid_t is the domain the squid process runs in
+ifdef(`apache.te',`
+can_tcp_connect(squid_t, httpd_t)
+')
+
+daemon_domain(squid, `, web_client_domain, nscd_client_domain')
+type squid_conf_t, file_type, sysadmfile;
+general_domain_access(squid_t)
+allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
+allow squid_t squid_conf_t:dir r_dir_perms;
+allow squid_t squid_conf_t:lnk_file read;
+
+logdir_domain(squid)
+rw_dir_create_file(initrc_t, squid_log_t)
+
+allow squid_t usr_t:file { getattr read };
+
+# type for /var/cache/squid
+type squid_cache_t, file_type, sysadmfile;
+
+allow squid_t self:capability { setgid setuid net_bind_service };
+allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
+allow squid_t etc_t:lnk_file read;
+allow squid_t self:unix_stream_socket create_socket_perms;
+allow squid_t self:unix_dgram_socket create_socket_perms;
+allow squid_t self:fifo_file rw_file_perms;
+
+read_sysctl(squid_t)
+
+allow squid_t devtty_t:chr_file rw_file_perms;
+
+allow squid_t { self proc_t }:file { read getattr };
+
+# for when we use /var/spool/cache
+allow squid_t var_spool_t:dir search;
+
+# Grant permissions to create, access, and delete cache files.
+# No type transitions required, as the files inherit the parent directory type.
+create_dir_file(squid_t, squid_cache_t)
+ifdef(`logrotate.te',
+`domain_auto_trans(logrotate_t, squid_exec_t, squid_t)')
+ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
+
+# Use the network
+can_network(squid_t)
+can_ypbind(squid_t)
+can_tcp_connect(web_client_domain, squid_t)
+
+# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
+allow squid_t http_cache_port_t:tcp_socket name_bind;
+allow squid_t http_cache_port_t:udp_socket name_bind;
+
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+# also allow exec()ing itself
+can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } )
+allow squid_t { bin_t sbin_t }:dir search;
+allow squid_t { bin_t sbin_t }:lnk_file read;
+
+dontaudit squid_t { boot_t tmp_t home_root_t security_t devpts_t }:dir getattr;
+ifdef(`targeted_policy', `
+dontaudit squid_t tty_device_t:chr_file { read write };
+')
+allow squid_t urandom_device_t:chr_file { getattr read };
+
+#squid requires the following when run in diskd mode, the recommended setting
+allow squid_t tmpfs_t:file { read write };
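Review bot: The comment `# to allow running programs from /usr/lib/squid (IE unlinkd)` and `# also allow exec()ing itself` justifies only `lib_t` and `squid_exec_t`, yet `can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } )` also lets squid execute anything in bin_t, sbin_t and the shells. If helper programs configured in squid.conf that live outside /usr/lib/squid are the reason, the comment should record that; otherwise the set can shrink to what the comment supports. A line such as `# bin_t/sbin_t/shell_exec_t: helpers named in squid.conf may be installed outside /usr/lib/squid` would make the wider grant reviewable.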
diff --git a/strict/domains/program/ssh-agent.te b/strict/domains/program/ssh-agent.te
new file mode 100644
index 0000000..f2e3d84
--- /dev/null
+++ b/strict/domains/program/ssh-agent.te
@@ -0,0 +1,13 @@
+#DESC ssh-agent - agent to securely store ssh-keys
+#
+# Authors:  Thomas Bleher <ThomasBleher at gmx.de>
+#
+# X-Debian-Packages: ssh
+#
+
+# Type for the ssh-agent executable.
+type ssh_agent_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in the ssh_agent_domain macro in
+# macros/program/ssh_agent_macros.te.
+
diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te
new file mode 100644
index 0000000..d07b314
--- /dev/null
+++ b/strict/domains/program/ssh.te
@@ -0,0 +1,228 @@
+#DESC SSH - SSH daemon
+#
+# Authors:  Anthony Colatrella (NSA) <amcolat at epoch.ncsc.mil>
+#           Stephen Smalley <sds at epoch.ncsc.mil>
+#           Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: ssh
+#
+
+# Allow ssh logins as sysadm_r:sysadm_t
+bool ssh_sysadm_login false;
+
+ifdef(`inetd.te', `
+# Allow ssh to run from inetd instead of as a daemon.
+bool run_ssh_inetd false;
+')
+
+# sshd_exec_t is the type of the sshd executable.
+# sshd_key_t is the type of the ssh private key files
+type sshd_exec_t, file_type, exec_type, sysadmfile;
+type sshd_key_t, file_type, sysadmfile;
+
+type ssh_port_t, port_type, reserved_port_type;
+
+define(`sshd_program_domain', `
+# privowner is for changing the identity on the terminal device
+# privfd is for passing the terminal file handle to the user process
+# auth_chkpwd is for running unix_chkpwd and unix_verify.
+type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain;
+can_exec($1_t, sshd_exec_t)
+r_dir_file($1_t, self)
+role system_r types $1_t;
+dontaudit $1_t shadow_t:file { getattr read };
+uses_shlib($1_t)
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_t self:fifo_file rw_file_perms;
+allow $1_t self:process { fork sigchld signal setsched setrlimit };
+
+dontaudit $1_t self:lnk_file read;
+
+# do not allow statfs()
+dontaudit $1_t fs_type:filesystem getattr;
+
+allow $1_t bin_t:dir search;
+allow $1_t bin_t:lnk_file read;
+
+# for sshd subsystems, such as sftp-server.
+allow $1_t bin_t:file getattr;
+
+# Read /var.
+allow $1_t var_t:dir { getattr search };
+
+# Read /var/log.
+allow $1_t var_log_t:dir search;
+
+# Read /etc.
+allow $1_t etc_t:dir search;
+# ioctl is for pam_console
+dontaudit $1_t etc_t:file ioctl;
+allow $1_t etc_t:file { getattr read };
+allow $1_t etc_t:lnk_file { getattr read };
+allow $1_t etc_runtime_t:file { getattr read };
+
+# Read and write /dev/tty and /dev/null.
+allow $1_t devtty_t:chr_file rw_file_perms;
+allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms;
+
+# Read /dev/urandom
+allow $1_t urandom_device_t:chr_file { getattr read };
+
+can_network($1_t)
+
+allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+allow $1_t { home_root_t home_dir_type }:dir { search getattr };
+if (use_nfs_home_dirs) {
+allow $1_t autofs_t:dir { search getattr };
+allow $1_t nfs_t:dir { search getattr };
+allow $1_t nfs_t:file { getattr read };
+}
+
+if (use_samba_home_dirs) {
+allow $1_t cifs_t:dir { search getattr };
+allow $1_t cifs_t:file { getattr read };
+}
+
+# Set exec context.
+can_setexec($1_t)
+
+# Update utmp.
+allow $1_t initrc_var_run_t:file rw_file_perms;
+
+# Update wtmp.
+allow $1_t wtmp_t:file rw_file_perms;
+
+# Get security policy decisions.
+can_getsecurity($1_t)
+
+# Allow read access to login context
+r_dir_file( $1_t, default_context_t)
+
+# Access key files
+allow $1_t sshd_key_t:file { getattr read };
+
+# Update /var/log/lastlog.
+allow $1_t lastlog_t:file rw_file_perms;
+
+read_locale($1_t)
+read_sysctl($1_t)
+
+# Can create ptys
+can_create_pty($1, `, server_pty')
+allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
+dontaudit sshd_t userpty_type:chr_file relabelfrom;
+')dnl end sshd_program_domain
+
+# macro for defining which domains a sshd can spawn
+# $1_t is the domain of the sshd, $2 is the domain to be spawned, $3 is the
+# type of the pty for the child
+define(`sshd_spawn_domain', `
+login_spawn_domain($1, $2)
+ifdef(`xauth.te', `
+domain_trans($1_t, xauth_exec_t, $2)
+')
+
+# Relabel and access ptys created by sshd
+# ioctl is necessary for logout() processing for utmp entry and for w to
+# display the tty.
+# some versions of sshd on the new SE Linux require setattr
+allow $1_t $3:chr_file { relabelto read write getattr ioctl setattr };
+
+# inheriting stream sockets is needed for "ssh host command" as no pty
+# is allocated
+allow $2 $1_t:unix_stream_socket rw_stream_socket_perms;
+')dnl end sshd_spawn_domain definition
+
+#################################
+#
+# Rules for the sshd_t domain, et al.
+#
+# sshd_t is the domain for the sshd program.
+# sshd_extern_t is the domain for ssh from outside our network
+#
+sshd_program_domain(sshd)
+if (ssh_sysadm_login) {
+sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
+} else {
+sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
+}
+
+ifdef(`use_x_ports', `
+# for X forwarding
+allow sshd_t xserver_port_t:tcp_socket name_bind;
+')
+
+r_dir_file(sshd_t, selinux_config_t)
+sshd_program_domain(sshd_extern)
+sshd_spawn_domain(sshd_extern, user_mini_domain, mini_pty_type)
+
+# for when the network connection breaks after running newrole -r sysadm_r
+dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
+
+# Allow checking users mail at login
+allow sshd_t { var_spool_t mail_spool_t }:dir search;
+allow sshd_t mail_spool_t:lnk_file read;
+allow sshd_t mail_spool_t:file getattr;
+
+ifdef(`inetd.te', `
+if (run_ssh_inetd) {
+allow inetd_t ssh_port_t:tcp_socket name_bind;
+domain_auto_trans(inetd_t, sshd_exec_t, sshd_t)
+domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
+allow { sshd_t sshd_extern_t } inetd_t:tcp_socket rw_socket_perms;
+allow { sshd_t sshd_extern_t } var_run_t:dir { getattr search };
+allow { sshd_t sshd_extern_t } self:process signal;
+} else {
+')
+allow { sshd_t sshd_extern_t } initrc_devpts_t:chr_file rw_file_perms;
+allow { sshd_t sshd_extern_t } self:capability net_bind_service;
+allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind;
+
+# for port forwarding
+can_tcp_connect(userdomain, sshd_t)
+
+domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
+domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
+dontaudit initrc_t sshd_key_t:file { getattr read };
+
+# Inherit and use descriptors from init.
+allow { sshd_t sshd_extern_t } init_t:fd use;
+ifdef(`inetd.te', `
+}
+')
+
+# Create /var/run/sshd.pid
+var_run_domain(sshd)
+var_run_domain(sshd_extern)
+
+ifdef(`direct_sysadm_daemon', `
+# Direct execution by sysadm_r.
+domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
+role_transition sysadm_r sshd_exec_t system_r;
+')
+
+undefine(`sshd_program_domain')
+
+# so a tunnel can point to another ssh tunnel...
+can_tcp_connect(sshd_t, sshd_t)
+
+tmp_domain(sshd, `', { dir file sock_file })
+ifdef(`pam.te', `
+can_exec(sshd_t, pam_exec_t)
+')
+
+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
+# and by sysadm_t
+daemon_base_domain(ssh_keygen)
+allow ssh_keygen_t etc_t:file { getattr read };
+file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file)
+
+# Type for the ssh executable.
+type ssh_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in the ssh_domain macro in
+# macros/program/ssh_macros.te.
+
+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
+allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
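Review bot: Inside the `sshd_program_domain` macro, `dontaudit sshd_t userpty_type:chr_file relabelfrom;` names sshd_t literally instead of `$1_t`, so `sshd_program_domain(sshd_extern)` emits the sshd_t rule a second time and sshd_extern_t never receives the dontaudit. Changing it to `dontaudit $1_t userpty_type:chr_file relabelfrom;` gives both instantiations the rule the surrounding lines clearly intend. Separately, `undefine(`sshd_program_domain')` is issued after the last use, but `sshd_spawn_domain` stays defined; an `undefine(`sshd_spawn_domain')` beside it would be consistent.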
diff --git a/strict/domains/program/stunnel.te b/strict/domains/program/stunnel.te
new file mode 100644
index 0000000..1b3a937
--- /dev/null
+++ b/strict/domains/program/stunnel.te
@@ -0,0 +1,33 @@
+# DESC: selinux policy for stunnel
+#
+# Author:   petre rodan <kaiowas at gentoo.org>
+#
+ifdef(`distro_gentoo', `
+type stunnel_port_t, port_type;
+
+daemon_domain(stunnel)
+
+can_network(stunnel_t)
+
+allow stunnel_t self:capability { setgid setuid sys_chroot };
+allow stunnel_t self:fifo_file { read write };
+allow stunnel_t self:tcp_socket { read write };
+allow stunnel_t self:unix_stream_socket { connect create };
+
+r_dir_file(stunnel_t, etc_t)
+', `
+inetd_child_domain(stunnel, tcp)
+allow stunnel_t self:capability sys_chroot;
+
+bool stunnel_is_daemon false;
+if (stunnel_is_daemon) {
+# Policy to run stunnel as a daemon should go here.
+allow stunnel_t self:tcp_socket rw_stream_socket_perms;
+allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+}
+')
+
+type stunnel_etc_t, file_type, sysadmfile;
+r_dir_file(stunnel_t, stunnel_etc_t)
+allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
+
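Review bot: `type stunnel_port_t, port_type;` is declared only inside the `distro_gentoo` branch, yet `allow stunnel_t stunnel_port_t:tcp_socket { name_bind };` at the bottom of the file is unconditional and the non-Gentoo branch also binds to it inside `if (stunnel_is_daemon)`; unless the type is declared elsewhere, a non-Gentoo build references an undeclared type. Moving the declaration above the `ifdef` covers both paths. The unconditional `name_bind` also makes the one inside the `stunnel_is_daemon` block redundant and defeats the boolean's stated purpose of gating daemon mode, so one of the two rules should go.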
diff --git a/strict/domains/program/su.te b/strict/domains/program/su.te
new file mode 100644
index 0000000..3a277f7
--- /dev/null
+++ b/strict/domains/program/su.te
@@ -0,0 +1,14 @@
+#DESC Su - Run shells with substitute user and group
+#
+# Domains for the su program.
+# X-Debian-Packages: login
+
+#
+# su_exec_t is the type of the su executable.
+#
+type su_exec_t, file_type, sysadmfile;
+
+allow sysadm_su_t user_home_dir_type:dir search;
+
+# Everything else is in the su_domain macro in
+# macros/program/su_macros.te.
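Review bot: `type su_exec_t, file_type, sysadmfile;` omits the `exec_type` attribute that the sibling executable declarations in this commit carry (`sudo_exec_t`, `ssh_exec_t`, `sulogin_exec_t`, `spamc_exec_t`), so any rule keyed on `exec_type` will not cover the su binary unless the attribute is attached elsewhere. Suggest `type su_exec_t, file_type, sysadmfile, exec_type;` for consistency, or a comment explaining why su is deliberately excluded.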
diff --git a/strict/domains/program/sudo.te b/strict/domains/program/sudo.te
new file mode 100644
index 0000000..a1fad31
--- /dev/null
+++ b/strict/domains/program/sudo.te
@@ -0,0 +1,11 @@
+#DESC        sudo - execute a command as another user
+#
+# Authors:  Dan Walsh,  Russell Coker
+# Maintained by Dan Walsh <dwalsh at redhat.com>
+#
+
+# Type for the sudo executable.
+type sudo_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the sudo_domain macro in
+# macros/program/sudo_macros.te.
diff --git a/strict/domains/program/sulogin.te b/strict/domains/program/sulogin.te
new file mode 100644
index 0000000..0bed085
--- /dev/null
+++ b/strict/domains/program/sulogin.te
@@ -0,0 +1,56 @@
+#DESC sulogin - Single-User login
+#
+# Authors:  Dan Walsh <dwalsh at redhat.com>
+#
+# X-Debian-Packages: sysvinit
+
+#################################
+# 
+# Rules for the sulogin_t domain
+#
+
+type sulogin_t, domain, privrole, privowner, privlog, privfd, privuser, auth;
+type sulogin_exec_t, file_type, exec_type, sysadmfile;
+role system_r types sulogin_t;
+
+general_domain_access(sulogin_t)
+
+domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t)
+allow sulogin_t initrc_t:process getpgid;
+uses_shlib(sulogin_t)
+
+# suse and debian do not use pam with sulogin...
+ifdef(`distro_suse', `
+define(`sulogin_no_pam', `')
+')
+ifdef(`distro_debian', `
+define(`sulogin_no_pam', `')
+')
+
+ifdef(`sulogin_no_pam', `
+domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
+allow sulogin_t init_t:process getpgid;
+allow sulogin_t self:capability sys_tty_config;
+', `
+domain_trans(sulogin_t, shell_exec_t, sysadm_t)
+allow sulogin_t shell_exec_t:file r_file_perms;
+
+can_setexec(sulogin_t)
+can_getsecurity(sulogin_t)
+')
+
+r_dir_file(sulogin_t, etc_t)
+
+allow sulogin_t bin_t:dir r_dir_perms;
+r_dir_file(sulogin_t, proc_t)
+allow sulogin_t root_t:dir search;
+
+allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
+allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
+allow sulogin_t default_context_t:dir search;
+allow sulogin_t default_context_t:file { getattr read };
+
+r_dir_file(sulogin_t, selinux_config_t)
+
+# because file systems are not mounted
+dontaudit sulogin_t file_t:dir search;
diff --git a/strict/domains/program/swat.te b/strict/domains/program/swat.te
new file mode 100644
index 0000000..aa94d2f
--- /dev/null
+++ b/strict/domains/program/swat.te
@@ -0,0 +1,14 @@
+#DESC swat - Samba Web Administration Tool
+#
+# Author:  Dan Walsh <dwalsh at redhat.com>
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the swat_t domain.
+#
+# swat_exec_t is the type of the swat executable.
+#
+
+inetd_child_domain(swat)
diff --git a/strict/domains/program/syslogd.te b/strict/domains/program/syslogd.te
new file mode 100644
index 0000000..76d518e
--- /dev/null
+++ b/strict/domains/program/syslogd.te
@@ -0,0 +1,107 @@
+#DESC Syslogd - System log daemon
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages: sysklogd syslog-ng
+#
+
+#################################
+#
+# Rules for the syslogd_t domain.
+#
+# syslogd_t is the domain of syslogd.
+# syslogd_exec_t is the type of the syslogd executable.
+# devlog_t is the type of the Unix domain socket created 
+# by syslogd.
+#
+ifdef(`klogd.te', `
+daemon_domain(syslogd)
+', `
+daemon_domain(syslogd, `, privmem')
+')
+
+# can_network is for the UDP socket
+can_network_udp(syslogd_t)
+can_ypbind(syslogd_t)
+
+r_dir_file(syslogd_t, sysfs_t)
+
+type devlog_t, file_type, sysadmfile, dev_fs;
+
+# if something can log to syslog they should be able to log to the console
+allow privlog console_device_t:chr_file { ioctl read write getattr };
+
+tmp_domain(syslogd)
+
+# read files in /etc
+allow syslogd_t etc_t:file r_file_perms;
+
+# Use capabilities.
+allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
+
+# Modify/create log files.
+create_append_log_file(syslogd_t, var_log_t)
+
+# Create and bind to /dev/log or /var/run/log.
+file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
+ifdef(`distro_suse', `
+# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
+file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
+')
+allow syslogd_t self:unix_dgram_socket create_socket_perms;
+allow syslogd_t self:unix_dgram_socket sendto;
+allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
+allow syslogd_t self:fifo_file rw_file_perms;
+allow syslogd_t devlog_t:unix_stream_socket name_bind;
+allow syslogd_t devlog_t:unix_dgram_socket name_bind;
+# log to the xconsole
+allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
+
+# Domains with the privlog attribute may log to syslogd.
+allow privlog devlog_t:sock_file rw_file_perms;
+can_unix_send(privlog,syslogd_t)
+can_unix_connect(privlog,syslogd_t)
+# allow /dev/log to be a link elsewhere for chroot setup
+allow privlog devlog_t:lnk_file read;
+
+ifdef(`crond.te', `
+# Write to the cron log.
+allow syslogd_t crond_log_t:file rw_file_perms;
+# for daemon re-start
+allow system_crond_t syslogd_t:lnk_file read;
+')
+
+ifdef(`logrotate.te', `
+allow logrotate_t syslogd_exec_t:file r_file_perms;
+')
+
+# for sending messages to logged in users
+allow syslogd_t initrc_var_run_t:file { read lock };
+dontaudit syslogd_t initrc_var_run_t:file write;
+allow syslogd_t ttyfile:chr_file { getattr write };
+
+ifdef(`klogd.te', `', `
+# Allow access to /proc/kmsg for syslog-ng
+allow syslogd_t proc_t:dir search;
+allow syslogd_t proc_kmsg_t:file { getattr read };
+allow syslogd_t kernel_t:system { syslog_mod syslog_console };
+')
+#
+# Special case to handle crashes
+#
+allow syslogd_t { device_t file_t }:sock_file unlink;
+
+# Allow syslog to a terminal
+allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
+
+# Allow name_bind for remote logging
+type syslogd_port_t, port_type, reserved_port_type;
+allow syslogd_t syslogd_port_t:udp_socket name_bind;
+#
+# /initrd is not umounted before minilog starts
+#
+dontaudit syslogd_t file_t:dir search;
+allow syslogd_t { tmpfs_t devpts_t }:dir search;
+dontaudit syslogd_t unlabeled_t:file read;
+dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
+allow syslogd_t self:capability net_admin;
+allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
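Review bot: `allow privlog console_device_t:chr_file { ioctl read write getattr };` grants every domain carrying the privlog attribute read access to the console device, although the comment above it only motivates logging to the console; unless some privlog domain reads the console through this rule, `{ ioctl write getattr }` would match the stated intent and keep the attribute-wide grant minimal. The comment `# can_network is for the UDP socket` also no longer matches the call under it, which is `can_network_udp(syslogd_t)`; `# can_network_udp is for the UDP socket used for remote logging` would be accurate.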
diff --git a/strict/domains/program/sysstat.te b/strict/domains/program/sysstat.te
new file mode 100644
index 0000000..4010c95
--- /dev/null
+++ b/strict/domains/program/sysstat.te
@@ -0,0 +1,66 @@
+#DESC Sysstat - Sar and similar programs
+#
+# Authors:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: sysstat
+#
+
+#################################
+#
+# Rules for the sysstat_t domain.
+#
+# sysstat_exec_t is the type of the sysstat executable.
+#
+type sysstat_t, domain, privlog;
+type sysstat_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types sysstat_t;
+
+allow sysstat_t device_t:dir search;
+
+allow sysstat_t self:process { sigchld fork };
+
+#for date
+can_exec(sysstat_t, { sysstat_exec_t bin_t })
+allow sysstat_t bin_t:dir r_dir_perms;
+dontaudit sysstat_t sbin_t:dir search;
+
+dontaudit sysstat_t self:capability sys_admin;
+allow sysstat_t self:capability sys_resource;
+
+allow sysstat_t devtty_t:chr_file rw_file_perms;
+
+allow sysstat_t urandom_device_t:chr_file read;
+
+# for mtab
+allow sysstat_t etc_runtime_t:file { read getattr };
+# for fstab
+allow sysstat_t etc_t:file { read getattr };
+
+dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms;
+
+allow sysstat_t self:fifo_file rw_file_perms;
+
+# Type for files created during execution of sysstatd.
+logdir_domain(sysstat)
+typealias sysstat_log_t alias var_log_sysstat_t;
+allow sysstat_t var_t:dir search;
+
+allow sysstat_t etc_t:dir r_dir_perms;
+read_locale(sysstat_t)
+
+allow sysstat_t fs_t:filesystem getattr;
+
+# get info from /proc
+allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms;
+allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr };
+
+domain_auto_trans(initrc_t, sysstat_exec_t, sysstat_t)
+allow sysstat_t init_t:fd use;
+allow sysstat_t console_device_t:chr_file { read write };
+
+uses_shlib(sysstat_t)
+
+system_crond_entry(sysstat_exec_t, sysstat_t)
+allow system_crond_t sysstat_log_t:dir { write remove_name add_name };
+allow system_crond_t sysstat_log_t:file create_file_perms;
+allow sysstat_t initrc_devpts_t:chr_file { read write };
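Review bot: The comment `# Type for files created during execution of sysstatd.` names a program that appears nowhere else in the file; the domain is sysstat_t and the rule below is `logdir_domain(sysstat)`, so `# Log directory type for files written by the sysstat tools (sar etc.).` would describe it. Also `allow sysstat_t urandom_device_t:chr_file read;` omits getattr where the other new files in this commit grant `{ getattr read }` on urandom; probably harmless, but a stat() on the device would show up as a denial.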
diff --git a/strict/domains/program/tcpd.te b/strict/domains/program/tcpd.te
new file mode 100644
index 0000000..af135be
--- /dev/null
+++ b/strict/domains/program/tcpd.te
@@ -0,0 +1,43 @@
+#DESC Tcpd - Access control facilities from internet services
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: tcpd
+# Depends: inetd.te
+#
+
+#################################
+#
+# Rules for the tcpd_t domain.
+#
+type tcpd_t, domain, privlog;
+role system_r types tcpd_t;
+uses_shlib(tcpd_t)
+type tcpd_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(inetd_t, tcpd_exec_t, tcpd_t)
+
+allow tcpd_t fs_t:filesystem getattr;
+
+# no good reason for this, probably nscd
+dontaudit tcpd_t var_t:dir search;
+
+can_network_server(tcpd_t)
+can_ypbind(tcpd_t)
+allow tcpd_t self:unix_dgram_socket create_socket_perms;
+allow tcpd_t self:unix_stream_socket create_socket_perms;
+allow tcpd_t etc_t:file { getattr read };
+read_locale(tcpd_t)
+
+tmp_domain(tcpd)
+
+# Use sockets inherited from inetd.
+allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms;
+
+# Run each daemon with a defined domain in its own domain.
+# These rules have been moved to each target domain .te file.
+
+# Run other daemons in the inetd_child_t domain.
+allow tcpd_t { bin_t sbin_t }:dir search;
+domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t)
+
+allow tcpd_t device_t:dir search;
diff --git a/strict/domains/program/telnetd.te b/strict/domains/program/telnetd.te
new file mode 100644
index 0000000..bbbb2c1
--- /dev/null
+++ b/strict/domains/program/telnetd.te
@@ -0,0 +1,10 @@
+# telnet server daemon
+#
+
+#################################
+#
+# Rules for the telnetd_t domain 
+#
+
+remote_login_daemon(telnetd)
+typealias telnetd_port_t alias telnet_port_t;
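Review bot: This file has no `#DESC` line and no `X-Debian-Packages:` or `Depends:` header, unlike every other domain file in this part of the commit, so readers or tooling keyed on the `#DESC` convention will miss it. Suggest a header in the sibling style, starting with `#DESC Telnetd - Telnet server daemon`; whether a `# Depends: inetd.te` line belongs here depends on what `remote_login_daemon` expands to, which this file does not show.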
diff --git a/strict/domains/program/tftpd.te b/strict/domains/program/tftpd.te
new file mode 100644
index 0000000..3e9de29
--- /dev/null
+++ b/strict/domains/program/tftpd.te
@@ -0,0 +1,43 @@
+#DESC TFTP - UDP based file server for boot loaders
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: tftpd atftpd
+# Depends: inetd.te
+#
+
+#################################
+#
+# Rules for the tftpd_t domain.
+#
+# tftpd_exec_t is the type of the tftpd executable.
+#
+daemon_domain(tftpd)
+
+type tftp_port_t, port_type, reserved_port_type;
+
+# tftpdir_t is the type of files in the /tftpboot directories.
+type tftpdir_t, file_type, sysadmfile;
+r_dir_file(tftpd_t, tftpdir_t)
+
+domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
+
+# Use the network.
+can_network_udp(tftpd_t)
+allow tftpd_t tftp_port_t:udp_socket name_bind;
+ifdef(`inetd.te', `
+allow inetd_t tftp_port_t:udp_socket name_bind;
+')
+allow tftpd_t self:unix_dgram_socket create_socket_perms;
+allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
+
+# allow any domain to connect to the TFTP server
+allow tftpd_t inetd_t:udp_socket rw_socket_perms;
+
+# Use capabilities
+allow tftpd_t self:capability { setgid setuid net_bind_service sys_chroot };
+
+allow tftpd_t etc_t:dir r_dir_perms;
+allow tftpd_t etc_t:file r_file_perms;
+
+allow tftpd_t var_t:dir r_dir_perms;
+allow tftpd_t var_t:{ file lnk_file } r_file_perms;
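Review bot: The comment `# allow any domain to connect to the TFTP server` does not describe the rule under it, `allow tftpd_t inetd_t:udp_socket rw_socket_perms;`, which lets tftpd use the UDP socket it inherits from inetd rather than granting anything to other domains; tcpd.te in the same commit labels the equivalent rule `# Use sockets inherited from inetd.`. Suggest `# Use the UDP socket inherited from inetd.` so the comment does not overstate the access granted.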
diff --git a/strict/domains/program/timidity.te b/strict/domains/program/timidity.te
new file mode 100644
index 0000000..e007d3f
--- /dev/null
+++ b/strict/domains/program/timidity.te
@@ -0,0 +1,34 @@
+# DESC timidity - MIDI to WAV converter and player
+#
+# Author: Thomas Bleher <ThomasBleher at gmx.de>
+#
+# Note: You only need this policy if you want to run timidity as a server
+
+daemon_base_domain(timidity)
+can_network_server(timidity_t)
+
+allow timidity_t device_t:lnk_file read;
+
+# read /usr/share/alsa/alsa.conf
+allow timidity_t usr_t:file { getattr read };
+# read /etc/esd.conf and /proc/cpuinfo
+allow timidity_t { etc_t proc_t }:file { getattr read };
+# read libartscbackend.la - should these be shlib_t?
+allow timidity_t lib_t:file { getattr read };
+
+allow timidity_t sound_device_t:chr_file { read write ioctl };
+
+# stupid timidity won't start if it can't search its current directory.
+# allow this so /etc/init.d/alsasound start works from /root
+allow timidity_t sysadm_home_dir_t:dir search;
+
+allow timidity_t tmp_t:dir search;
+tmpfs_domain(timidity)
+
+allow timidity_t self:shm create_shm_perms;
+
+allow timidity_t self:unix_stream_socket create_stream_socket_perms;
+
+allow timidity_t devpts_t:dir search;
+allow timidity_t self:capability { dac_override dac_read_search };
+allow timidity_t self:process getsched;
diff --git a/strict/domains/program/tmpreaper.te b/strict/domains/program/tmpreaper.te
new file mode 100644
index 0000000..8b2111b
--- /dev/null
+++ b/strict/domains/program/tmpreaper.te
@@ -0,0 +1,33 @@
+#DESC Tmpreaper - Monitor and maintain temporary files
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: tmpreaper
+#
+
+#################################
+#
+# Rules for the tmpreaper_t domain.
+#
+type tmpreaper_t, domain, privlog;
+type tmpreaper_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types tmpreaper_t;
+
+system_crond_entry(tmpreaper_exec_t, tmpreaper_t)
+uses_shlib(tmpreaper_t)
+# why does it need setattr?
+allow tmpreaper_t tmpfile:dir { setattr rw_dir_perms rmdir };
+allow tmpreaper_t tmpfile:notdevfile_class_set { getattr unlink };
+allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
+allow tmpreaper_t self:process { fork sigchld };
+allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+allow tmpreaper_t fs_t:filesystem getattr;
+
+r_dir_file(tmpreaper_t, etc_t)
+allow tmpreaper_t var_t:dir { getattr search };
+r_dir_file(tmpreaper_t, var_lib_t)
+allow tmpreaper_t device_t:dir { getattr search };
+allow tmpreaper_t urandom_device_t:chr_file { getattr read };
+
+read_locale(tmpreaper_t)
+
diff --git a/strict/domains/program/traceroute.te b/strict/domains/program/traceroute.te
new file mode 100644
index 0000000..ed9106a
--- /dev/null
+++ b/strict/domains/program/traceroute.te
@@ -0,0 +1,65 @@
+#DESC Traceroute - Display network routes
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# based on the work of David A. Wheeler <dwheeler at ida.org>
+# X-Debian-Packages: traceroute lft
+#
+
+#################################
+#
+# Rules for the traceroute_t domain.
+#
+# traceroute_t is the domain for the traceroute program.
+# traceroute_exec_t is the type of the corresponding program.
+#
+type traceroute_t, domain, privlog, nscd_client_domain;
+role sysadm_r types traceroute_t;
+role system_r types traceroute_t;
+# for user_ping:
+in_user_role(traceroute_t)
+uses_shlib(traceroute_t)
+can_network_client(traceroute_t)
+can_ypbind(traceroute_t)
+allow traceroute_t node_t:rawip_socket node_bind;
+type traceroute_exec_t, file_type, sysadmfile, exec_type;
+
+# Transition into this domain when you run this program.
+domain_auto_trans(initrc_t, traceroute_exec_t, traceroute_t)
+domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t)
+
+allow traceroute_t etc_t:file { getattr read };
+
+# Use capabilities.
+allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+
+allow traceroute_t self:rawip_socket create_socket_perms;
+allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow traceroute_t self:unix_stream_socket create_socket_perms;
+allow traceroute_t device_t:dir search;
+
+# for lft
+allow traceroute_t self:packet_socket create_socket_perms;
+r_dir_file(traceroute_t, proc_t)
+r_dir_file(traceroute_t, proc_net_t)
+
+# Access the terminal.
+allow traceroute_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
+allow traceroute_t privfd:fd use;
+
+# dont need this
+dontaudit traceroute_t fs_t:filesystem getattr;
+dontaudit traceroute_t var_t:dir search;
+
+ifdef(`ping.te', `
+if (user_ping) {
+	domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
+	# allow access to the terminal
+	allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms;
+}
+')
+#rules needed for nmap
+allow traceroute_t { urandom_device_t random_device_t }:chr_file r_file_perms;
+allow traceroute_t usr_t:file { getattr read };
+read_locale(traceroute_t)
+dontaudit traceroute_t userdomain:dir search;
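Review bot: `allow traceroute_t self:capability { net_admin net_raw setuid setgid };` is explained only by `# Use capabilities.`; raw-socket tracing needs net_raw, and the reason for the far broader net_admin (interface and routing changes) is not stated. The `#rules needed for nmap` comment shows that other tools share this domain, so net_admin is presumably there for one of them; the comment should name which tool needs it, or the capability should be dropped if no denial requires it. The header should also mention that traceroute_exec_t is shared by traceroute, lft and nmap, since it currently describes only traceroute.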
diff --git a/strict/domains/program/tvtime.te b/strict/domains/program/tvtime.te
new file mode 100644
index 0000000..fa72021
--- /dev/null
+++ b/strict/domains/program/tvtime.te
@@ -0,0 +1,12 @@
+#DESC tvtime - a high quality television application
+#
+# Domains for the tvtime program.
+# Author     :  Dan Walsh <dwalsh at redhat.com>
+#
+# tvtime_exec_t is the type of the tvtime executable.
+#
+type tvtime_exec_t, file_type, sysadmfile, exec_type;
+type tvtime_dir_t, file_type, sysadmfile, pidfile;
+
+# Everything else is in the tvtime_domain macro in
+# macros/program/tvtime_macros.te.
diff --git a/strict/domains/program/udev.te b/strict/domains/program/udev.te
new file mode 100644
index 0000000..74c368d
--- /dev/null
+++ b/strict/domains/program/udev.te
@@ -0,0 +1,141 @@
+#DESC udev - Linux configurable dynamic device naming support
+#
+# Author:  Dan Walsh dwalsh at redhat.com
+#
+
+#################################
+#
+# Rules for the udev_t domain.
+#
+# udev_exec_t is the type of the udev executable.
+#
+daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner')
+
+general_domain_access(udev_t)
+
+if (allow_execmem) {
+# for alsactl
+allow udev_t self:process execmem;
+}
+
+etc_domain(udev)
+typealias udev_etc_t alias etc_udev_t;
+type udev_helper_exec_t, file_type, sysadmfile, exec_type;
+can_exec_any(udev_t)
+
+#
+# Rules used for udev
+#
+type udev_tdb_t, file_type, sysadmfile, dev_fs;
+typealias udev_tdb_t alias udev_tbl_t;
+file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
+allow udev_t self:file { getattr read };
+allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
+allow udev_t self:unix_dgram_socket create_socket_perms;
+allow udev_t self:fifo_file rw_file_perms;
+allow udev_t device_t:sock_file create_file_perms;
+allow udev_t device_t:lnk_file create_lnk_perms;
+allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
+ifdef(`distro_redhat', `
+allow udev_t tmpfs_t:dir rw_dir_perms;
+allow udev_t tmpfs_t:sock_file create_file_perms;
+allow udev_t tmpfs_t:lnk_file create_lnk_perms;
+allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
+allow udev_t tmpfs_t:dir search;
+
+# for arping used for static IP addresses on PCMCIA ethernet
+domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
+')
+allow udev_t etc_t:file { getattr read ioctl };
+allow udev_t { bin_t sbin_t }:dir r_dir_perms;
+allow udev_t { sbin_t bin_t }:lnk_file read;
+allow udev_t bin_t:lnk_file read;
+can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
+can_exec(udev_t, udev_exec_t)
+r_dir_file(udev_t, sysfs_t)
+allow udev_t sysadm_tty_device_t:chr_file { read write };
+
+# to read the file_contexts file
+r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
+
+allow udev_t policy_config_t:dir search;
+allow udev_t proc_t:file { getattr read ioctl };
+allow udev_t proc_kcore_t:file getattr;
+
+# Get security policy decisions.
+can_getsecurity(udev_t)
+
+# set file system create context
+can_setfscreate(udev_t)
+
+allow udev_t kernel_t:fd use;
+allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
+
+allow udev_t initrc_var_run_t:file r_file_perms;
+dontaudit udev_t initrc_var_run_t:file write;
+
+domain_auto_trans(initrc_t, udev_exec_t, udev_t)
+domain_auto_trans(kernel_t, udev_exec_t, udev_t)
+domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
+ifdef(`hide_broken_symptoms', `
+dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
+')
+allow udev_t devpts_t:dir { getattr search };
+allow udev_t etc_runtime_t:file { getattr read };
+ifdef(`xdm.te', `
+allow udev_t xdm_var_run_t:file { getattr read };
+')
+dontaudit udev_t staff_home_dir_t:dir search;
+
+ifdef(`hotplug.te', `
+r_dir_file(udev_t, hotplug_etc_t)
+')
+allow udev_t var_log_t:dir search;
+
+ifdef(`consoletype.te', `
+can_exec(udev_t, consoletype_exec_t)
+')
+ifdef(`pamconsole.te', `
+allow udev_t pam_var_console_t:dir search;
+allow udev_t pam_var_console_t:file { getattr read };
+domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t)
+')
+allow udev_t var_lock_t:dir search;
+allow udev_t var_lock_t:file getattr;
+domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
+ifdef(`hide_broken_symptoms', `
+dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
+')
+
+dontaudit udev_t file_t:dir search;
+ifdef(`dhcpc.te', `
+domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
+')
+
+allow udev_t udev_helper_exec_t:dir r_dir_perms;
+
+dbusd_client(system, udev)
+
+allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
+allow udev_t sysctl_dev_t:dir search;
+allow udev_t mnt_t:dir search;
+allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read };
+allow udev_t self:rawip_socket create_socket_perms;
+dontaudit udev_t domain:dir r_dir_perms;
+dontaudit udev_t ttyfile:chr_file unlink;
+ifdef(`hotplug.te', `
+r_dir_file(udev_t, hotplug_var_run_t)
+')
+r_dir_file(udev_t, modules_object_t)
+#
+# Udev is now writing dhclient-eth*.conf* files.
+#
+ifdef(`dhcpd.te', `define(`use_dhcp')')
+ifdef(`dhcpc.te', `define(`use_dhcp')')
+ifdef(`use_dhcp', `
+allow udev_t dhcp_etc_t:file rw_file_perms;
+file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file)
+')
+r_dir_file(udev_t, domain)
+allow udev_t modules_dep_t:file r_file_perms;
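Review bot: `dontaudit udev_t domain:dir r_dir_perms;` and the later `r_dir_file(udev_t, domain)` contradict each other: the second allows the very access the first only hides from the audit log, so the dontaudit is dead and the intent (read every process's /proc entry, or not?) is unclear — keep one of them and comment why. The hunk also carries duplicate grants: `allow udev_t bin_t:lnk_file read;` repeats the preceding `{ sbin_t bin_t }:lnk_file` rule, `allow udev_t tmpfs_t:dir search;` is subsumed by the `rw_dir_perms` rule a few lines above it, and `can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t })` overlaps with `can_exec_any(udev_t)`. Given that udev_t already receives privmem, privowner, fs_domain, sys_admin, net_raw and net_admin, a one-line comment per unusual grant (why net_raw/net_admin outside the arping transition, why can_exec_any) would make later tightening possible.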
diff --git a/strict/domains/program/uml.te b/strict/domains/program/uml.te
new file mode 100644
index 0000000..75ae501
--- /dev/null
+++ b/strict/domains/program/uml.te
@@ -0,0 +1,14 @@
+
+# Author: Russell Coker <russell at coker.com.au>
+#
+type uml_exec_t, file_type, sysadmfile, exec_type;
+type uml_ro_t, file_type, sysadmfile;
+
+# the main code is in macros/program/uml_macros.te
+
+daemon_domain(uml_switch)
+allow uml_switch_t self:unix_dgram_socket create_socket_perms;
+allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
+allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
+allow initrc_t uml_switch_var_run_t:sock_file setattr;
+rw_dir_create_file(initrc_t, uml_switch_var_run_t)
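Review bot: The file opens with a blank line instead of the `#DESC` line every other domain file in this commit starts with, so anything that keys on `#DESC` will presumably miss it; add `#DESC uml - User Mode Linux support` (adjust the wording) above the author line. The two initrc_t rules at the end, `allow initrc_t uml_switch_var_run_t:sock_file setattr;` and `rw_dir_create_file(initrc_t, uml_switch_var_run_t)`, give the init scripts write access into the daemon's run directory without saying why; a comment such as `# the init script creates the switch socket directory and adjusts its permissions (confirm against the script)` would help.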
diff --git a/strict/domains/program/unconfined.te b/strict/domains/program/unconfined.te
new file mode 100644
index 0000000..9497a3c
--- /dev/null
+++ b/strict/domains/program/unconfined.te
@@ -0,0 +1,15 @@
+#DESC Unconfined - Use to essentially disable SELinux for a particular program
+# This domain will be useful as a workaround for e.g. third-party daemon software
+# that has no policy, until one can be written for it.
+#
+# To use, label the executable with unconfined_exec_t, e.g.:
+# chcon -t unconfined_exec_t /usr/local/bin/appsrv
+# Or alternatively add it to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc
+
+type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write;
+type unconfined_exec_t, file_type, sysadmfile, exec_type;
+role sysadm_r types unconfined_t;
+domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
+role system_r types unconfined_t;
+domain_auto_trans(initrc_t, unconfined_exec_t, unconfined_t)
+unconfined_domain(unconfined_t)
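Review bot: The header explains how to label a binary but not who reaches the domain or what the label grants: only `domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)` and `domain_auto_trans(initrc_t, unconfined_exec_t, unconfined_t)` are declared, so a binary labelled unconfined_exec_t that is started from any other domain does not enter unconfined_t, while unconfined_t itself carries admin, privmem, fs_domain and auth_write on top of the unconfined_domain macro and should be treated as root-equivalent. Suggest adding to the header `# Only sysadm_t and initrc_t transition into unconfined_t; anything else executing the file stays in its caller's domain.` and `# NOTE: unconfined_t also has the admin, privmem, fs_domain and auth_write attributes; labelling a file unconfined_exec_t grants root-equivalent access.`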
diff --git a/strict/domains/program/unused/amavis.te b/strict/domains/program/unused/amavis.te
new file mode 100644
index 0000000..eb029f7
--- /dev/null
+++ b/strict/domains/program/unused/amavis.te
@@ -0,0 +1,85 @@
+#DESC Amavis - Anti-virus
+#
+# Author:  Brian May <bam at snoopy.apana.org.au>
+# X-Debian-Packages: amavis-ng amavisd-new amavisd-new-milter amavisd-new-milter-helper
+# Depends: clamav.te
+#
+
+#################################
+#
+# Rules for the amavisd_t domain.
+#
+type amavisd_etc_t, file_type, sysadmfile;
+type amavisd_lib_t, file_type, sysadmfile;
+
+type amavis_port_t, port_type;
+daemon_domain(amavisd)
+tmp_domain(amavisd)
+
+allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink };
+allow initrc_t amavisd_lib_t:file unlink;
+allow initrc_t amavisd_var_run_t:dir setattr;
+allow amavisd_t self:capability { chown dac_override setgid setuid };
+dontaudit amavisd_t self:capability sys_tty_config;
+
+allow amavisd_t usr_t:{ file lnk_file } { getattr read };
+dontaudit amavisd_t usr_t:file ioctl;
+
+# networking
+can_network(amavisd_t)
+can_ypbind(amavisd_t);
+can_tcp_connect(mail_server_sender, amavisd_t);
+can_tcp_connect(amavisd_t, mail_server_domain)
+allow amavisd_t amavis_port_t:tcp_socket name_bind;
+
+ifdef(`scannerdaemon.te', `
+can_tcp_connect(amavisd_t, scannerdaemon_t);
+allow scannerdaemon_t amavisd_lib_t:dir r_dir_perms;
+allow scannerdaemon_t amavisd_lib_t:file r_file_perms;
+')
+
+ifdef(`clamav.te', `
+clamscan_domain(amavisd)
+role system_r types amavisd_clamscan_t;
+domain_auto_trans(amavisd_t, clamscan_exec_t, amavisd_clamscan_t)
+allow amavisd_clamscan_t amavisd_lib_t:dir r_dir_perms;
+allow amavisd_clamscan_t amavisd_lib_t:file r_file_perms;
+can_clamd_connect(amavisd)
+allow clamd_t amavisd_lib_t:dir r_dir_perms;
+allow clamd_t amavisd_lib_t:file r_file_perms;
+')
+
+# Can create unix sockets
+allow amavisd_t self:unix_stream_socket create_stream_socket_perms;
+allow amavisd_t self:unix_dgram_socket create_socket_perms;
+allow amavisd_t self:fifo_file getattr;
+
+read_locale(amavisd_t)
+
+# Access config files (amavisd).
+allow amavisd_t amavisd_etc_t:file r_file_perms;
+
+log_domain(amavisd)
+
+# Access amavisd var/lib files.
+create_dir_file(amavisd_t, amavisd_lib_t)
+
+# Run helper programs.
+can_exec_any(amavisd_t,bin_t)
+allow amavisd_t bin_t:dir { getattr search };
+allow amavisd_t sbin_t:dir search;
+allow amavisd_t var_lib_t:dir search;
+
+# allow access to files for scanning (required for amavis):
+allow clamd_t self:capability { dac_override dac_read_search };
+
+# unknown stuff
+allow amavisd_t self:fifo_file { ioctl read write };
+allow amavisd_t { random_device_t urandom_device_t }:chr_file read;
+allow amavisd_t proc_t:file { getattr read };
+allow amavisd_t etc_runtime_t:file { getattr read };
+
+# broken stuff
+dontaudit amavisd_t sysadm_home_dir_t:dir search;
+dontaudit amavisd_t shadow_t:file { getattr read };
+dontaudit amavisd_t sysadm_devpts_t:chr_file { read write };
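Review bot: `allow clamd_t self:capability { dac_override dac_read_search };` references clamd_t outside the `ifdef(`clamav.te', ...)` block that guards the other clamd_t rules, so the file only builds when clamav.te is present even though the ifdef suggests it is optional; move the rule inside that block (or drop the ifdef and rely on the `# Depends: clamav.te` header). Because this rule widens a different domain's capabilities from amavis's file, a comment stating the reason — presumably the files to scan are owned by the amavis user — would justify it. Separately, `can_ypbind(amavisd_t);`, `can_tcp_connect(mail_server_sender, amavisd_t);` and `can_tcp_connect(amavisd_t, scannerdaemon_t);` end with a `;` that the other macro calls in this commit omit; depending on the expansion that leaves a stray `;` in policy.conf, so the trailing semicolons should go.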
diff --git a/strict/domains/program/unused/asterisk.te b/strict/domains/program/unused/asterisk.te
new file mode 100644
index 0000000..c8d182d
--- /dev/null
+++ b/strict/domains/program/unused/asterisk.te
@@ -0,0 +1,58 @@
+#DESC Asterisk IP telephony server
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+# X-Debian-Packages: asterisk
+
+type asterisk_port_t, port_type;
+
+daemon_domain(asterisk)
+allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms;
+allow initrc_t asterisk_var_run_t:fifo_file unlink;
+
+allow asterisk_t self:process setsched;
+allow asterisk_t self:fifo_file rw_file_perms;
+
+allow asterisk_t proc_t:file { getattr read };
+
+allow asterisk_t { bin_t sbin_t }:dir search;
+allow asterisk_t bin_t:lnk_file read;
+can_exec(asterisk_t, bin_t)
+
+etcdir_domain(asterisk)
+logdir_domain(asterisk)
+var_lib_domain(asterisk)
+
+allow asterisk_t asterisk_port_t:{ udp_socket tcp_socket } name_bind;
+
+# for VOIP voice channels.
+allow asterisk_t port_t:{ udp_socket tcp_socket } name_bind;
+
+allow asterisk_t device_t:lnk_file read;
+allow asterisk_t sound_device_t:chr_file rw_file_perms;
+
+type asterisk_spool_t, file_type, sysadmfile;
+create_dir_file(asterisk_t, asterisk_spool_t)
+allow asterisk_t var_spool_t:dir search;
+
+# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
+# are labeled usr_t
+allow asterisk_t usr_t:file r_file_perms;
+
+can_network_server(asterisk_t)
+can_ypbind(asterisk_t)
+allow asterisk_t etc_t:file { getattr read };
+
+allow asterisk_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
+allow asterisk_t self:sem create_sem_perms;
+allow asterisk_t self:shm create_shm_perms;
+
+# dac_override for /var/run/asterisk
+allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
+
+# for shutdown
+dontaudit asterisk_t self:capability sys_tty_config;
+
+tmpfs_domain(asterisk)
+tmp_domain(asterisk)
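Review bot: `allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };` is the only rule in the file that gives another domain access to asterisk_t's sockets and it has no comment; something like `# let the admin attach the asterisk console (asterisk -r) to the control socket (confirm)` would make it reviewable. `allow asterisk_t port_t:{ udp_socket tcp_socket } name_bind;` lets the daemon bind any generic port over both protocols; the comment says this is for voice channels, which are RTP over UDP, so if nothing binds generic TCP ports the tcp_socket half can be dropped.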
diff --git a/strict/domains/program/unused/audio-entropyd.te b/strict/domains/program/unused/audio-entropyd.te
new file mode 100644
index 0000000..216108a
--- /dev/null
+++ b/strict/domains/program/unused/audio-entropyd.te
@@ -0,0 +1,12 @@
+#DESC audio-entropyd - Generate entropy from audio input
+#
+# Author: Chris PeBenito <pebenito at gentoo.org>
+#
+
+daemon_domain(entropyd)
+
+allow entropyd_t self:capability { ipc_lock sys_admin };
+
+allow entropyd_t random_device_t:chr_file rw_file_perms;
+allow entropyd_t device_t:dir r_dir_perms;
+allow entropyd_t sound_device_t:chr_file r_file_perms;
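Review bot: `allow entropyd_t self:capability { ipc_lock sys_admin };` grants sys_admin, the broadest single capability, with no comment. The kernel requires CAP_SYS_ADMIN for the RNDADDENTROPY ioctl that feeds /dev/random, which is this daemon's purpose, and ipc_lock is presumably for mlock()ing its buffers; record that, e.g. `# sys_admin: RNDADDENTROPY ioctl on /dev/random; ipc_lock: mlock of entropy buffers (verify)`, so a later reader does not take the grant as gratuitous.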
diff --git a/strict/domains/program/unused/authbind.te b/strict/domains/program/unused/authbind.te
new file mode 100644
index 0000000..d34e659
--- /dev/null
+++ b/strict/domains/program/unused/authbind.te
@@ -0,0 +1,30 @@
+#DESC Authbind - Program to bind to low ports as non-root
+#
+# Authors:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: authbind
+#
+
+#################################
+#
+# Rules for the authbind_t domain.
+#
+# authbind_exec_t is the type of the authbind executable.
+#
+type authbind_t, domain, privlog;
+type authbind_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types authbind_t;
+
+etcdir_domain(authbind)
+typealias authbind_etc_t alias etc_authbind_t;
+
+can_exec(authbind_t, authbind_etc_t)
+allow authbind_t etc_t:dir r_dir_perms;
+
+uses_shlib(authbind_t)
+
+allow authbind_t self:capability net_bind_service;
+
+allow authbind_t domain:fd use;
+
+allow authbind_t console_device_t:chr_file { read write };
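Review bot: `can_exec(authbind_t, authbind_etc_t)` gives execute permission on configuration files under the etcdir type, which is unusual enough to need a comment; authbind's helper decides whether a user may bind a port by testing whether the matching file under /etc/authbind is executable by that user, so if that is the reason say so: `# the helper authorizes a bind by testing X_OK on the per-port/per-uid file, so it needs execute on authbind_etc_t (confirm)`. `allow authbind_t domain:fd use;` also lets the helper inherit descriptors from every domain rather than from the domains that actually invoke it; if the callers are known, narrowing that set is the least-privilege choice.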
diff --git a/strict/domains/program/unused/backup.te b/strict/domains/program/unused/backup.te
new file mode 100644
index 0000000..211e761
--- /dev/null
+++ b/strict/domains/program/unused/backup.te
@@ -0,0 +1,59 @@
+#DESC Backup - Backup scripts
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: dpkg
+#
+
+#################################
+#
+# Rules for the backup_t domain.
+#
+type backup_t, domain, privlog, auth;
+type backup_exec_t, file_type, sysadmfile, exec_type;
+
+type backup_store_t, file_type, sysadmfile;
+
+role system_r types backup_t;
+role sysadm_r types backup_t;
+
+domain_auto_trans(sysadm_t, backup_exec_t, backup_t)
+allow backup_t privfd:fd use;
+ifdef(`crond.te', `
+system_crond_entry(backup_exec_t, backup_t)
+rw_dir_create_file(system_crond_t, backup_store_t)
+')
+
+# for SSP
+allow backup_t urandom_device_t:chr_file read;
+
+can_network_client(backup_t)
+can_ypbind(backup_t)
+uses_shlib(backup_t)
+
+allow backup_t devtty_t:chr_file rw_file_perms;
+
+allow backup_t { file_type fs_type }:dir r_dir_perms;
+allow backup_t file_type:{ file lnk_file } r_file_perms;
+allow backup_t file_type:{ sock_file fifo_file } getattr;
+allow backup_t { device_t device_type ttyfile }:chr_file getattr;
+allow backup_t { device_t device_type }:blk_file getattr;
+allow backup_t var_t:file create_file_perms;
+
+allow backup_t proc_t:dir r_dir_perms;
+allow backup_t proc_t:file r_file_perms;
+allow backup_t proc_t:lnk_file { getattr read };
+read_sysctl(backup_t)
+
+allow backup_t self:fifo_file rw_file_perms;
+allow backup_t self:process { signal sigchld fork };
+allow backup_t self:capability dac_override;
+
+rw_dir_file(backup_t, backup_store_t)
+allow backup_t backup_store_t:file { create setattr };
+
+allow backup_t fs_t:filesystem getattr;
+
+allow backup_t self:unix_stream_socket create_socket_perms;
+
+can_exec(backup_t, bin_t)
+ifdef(`hostname.te', `can_exec(backup_t, hostname_exec_t)')
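Review bot: `allow backup_t var_t:file create_file_perms;` lets the backup domain create and write files labelled plain var_t, which sits oddly next to the dedicated backup_store_t type the rest of the file uses for output; either a comment naming the file it needs or a file type transition into backup_store_t would keep the store type meaningful. The header should also spell out what the domain can do: with the `auth` attribute plus `allow backup_t file_type:{ file lnk_file } r_file_perms;` it reads every file type on the system (presumably including shadow via `auth`), and with `can_network_client(backup_t)` it can send that data off-host — expected for a backup agent, but worth a line such as `# backup_t reads all file types and has client network access; only label trusted scripts backup_exec_t.`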
diff --git a/strict/domains/program/unused/calamaris.te b/strict/domains/program/unused/calamaris.te
new file mode 100644
index 0000000..1bfce36
--- /dev/null
+++ b/strict/domains/program/unused/calamaris.te
@@ -0,0 +1,72 @@
+#DESC Calamaris - Squid log analysis
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: calamaris
+# Depends: squid.te
+#
+
+#################################
+#
+# Rules for the calamaris_t domain.
+#
+# calamaris_t is the domain the calamaris process runs in
+
+system_domain(calamaris, `, privmail')
+
+ifdef(`crond.te', `
+system_crond_entry(calamaris_exec_t, calamaris_t)
+')
+
+allow calamaris_t { var_t var_run_t }:dir { getattr search };
+allow calamaris_t squid_log_t:dir search;
+allow calamaris_t squid_log_t:file { getattr read };
+allow calamaris_t { usr_t lib_t }:file { getattr read };
+allow calamaris_t usr_t:lnk_file { getattr read };
+dontaudit calamaris_t usr_t:file ioctl;
+
+type calamaris_www_t, file_type, sysadmfile;
+ifdef(`apache.te', `
+allow calamaris_t httpd_sys_content_t:dir search;
+')
+rw_dir_create_file(calamaris_t, calamaris_www_t)
+
+# for when squid has a different UID
+allow calamaris_t self:capability dac_override;
+
+logdir_domain(calamaris)
+
+allow calamaris_t device_t:dir search;
+allow calamaris_t devtty_t:chr_file { read write };
+
+allow calamaris_t urandom_device_t:chr_file { getattr read };
+
+allow calamaris_t self:process { fork signal_perms setsched };
+read_sysctl(calamaris_t)
+allow calamaris_t proc_t:dir search;
+allow calamaris_t proc_t:file { getattr read };
+allow calamaris_t { proc_t self }:lnk_file read;
+allow calamaris_t self:dir search;
+
+allow calamaris_t { bin_t sbin_t }:dir search;
+allow calamaris_t bin_t:lnk_file read;
+allow calamaris_t etc_runtime_t:file { getattr read };
+allow calamaris_t self:fifo_file { getattr read write ioctl };
+read_locale(calamaris_t)
+
+can_exec(calamaris_t, bin_t)
+allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
+allow calamaris_t self:udp_socket create_socket_perms;
+allow calamaris_t etc_t:file { getattr read };
+allow calamaris_t etc_t:lnk_file read;
+dontaudit calamaris_t etc_t:file ioctl;
+dontaudit calamaris_t sysadm_home_dir_t:dir { getattr search };
+can_network_server(calamaris_t)
+can_ypbind(calamaris_t)
+ifdef(`named.te', `
+can_udp_send(calamaris_t, named_t)
+can_udp_send(named_t, calamaris_t)
+')
+
+ifdef(`apache.te', `
+r_dir_file(httpd_t, calamaris_www_t)
+')
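Review bot: `can_network_server(calamaris_t)` grants server-side network permissions to a log-report generator; the only network use visible in the file is name resolution (`self:udp_socket`, the `can_udp_send` pair with named_t, `can_ypbind`), so unless the client macro's subset is insufficient, `can_network_client(calamaris_t)` is the tighter fit. The `privmail` attribute passed in `system_domain(calamaris, `, privmail')` also deserves a comment (presumably for mailing the report), since it is the other grant that lets the domain reach outside the host.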
diff --git a/strict/domains/program/unused/ciped.te b/strict/domains/program/unused/ciped.te
new file mode 100644
index 0000000..91ed9f3
--- /dev/null
+++ b/strict/domains/program/unused/ciped.te
@@ -0,0 +1,32 @@
+
+
+daemon_base_domain(ciped)
+
+# for SSP
+allow ciped_t urandom_device_t:chr_file read;
+
+type cipe_port_t, port_type;
+
+can_network_udp(ciped_t)
+can_ypbind(ciped_t)
+allow ciped_t cipe_port_t:udp_socket name_bind;
+
+allow ciped_t devpts_t:dir search;
+allow ciped_t devtty_t:chr_file { read write };
+allow ciped_t etc_runtime_t:file { getattr read };
+allow ciped_t etc_t:file { getattr read };
+allow ciped_t proc_t:file { getattr read };
+allow ciped_t { bin_t sbin_t }:dir { getattr search read };
+allow ciped_t bin_t:lnk_file read;
+can_exec(ciped_t, { bin_t ciped_exec_t shell_exec_t })
+allow ciped_t self:fifo_file rw_file_perms;
+
+read_locale(ciped_t)
+
+allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
+allow ciped_t self:unix_dgram_socket create_socket_perms;
+allow ciped_t self:unix_stream_socket create_socket_perms;
+
+allow ciped_t random_device_t:chr_file { getattr read };
+
+dontaudit ciped_t var_t:dir search;
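Review bot: The file has no `#DESC` line and no author line, unlike every other domain file in this commit; add `#DESC ciped - CIPE (Crypto IP Encapsulation) VPN daemon` and an author header. `can_exec(ciped_t, { bin_t ciped_exec_t shell_exec_t })` lets the daemon run arbitrary shell scripts inside its own domain, which also holds net_admin and ipc_lock; a comment naming the scripts (presumably the ip-up/ip-down hooks) would tell the reader why they are not given their own domain.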
diff --git a/strict/domains/program/unused/clamav.te b/strict/domains/program/unused/clamav.te
new file mode 100644
index 0000000..47407db
--- /dev/null
+++ b/strict/domains/program/unused/clamav.te
@@ -0,0 +1,88 @@
+#DESC CLAM - Anti-virus program
+#
+# Author:  Brian May <bam at snoopy.apana.org.au>
+# X-Debian-Packages: clamav
+#
+
+#################################
+#
+# Rules for the clamscan_t domain.
+#
+
+# Virus database
+type clamav_var_lib_t, file_type, sysadmfile;
+
+# clamscan_t is the domain of the clamscan virus scanner
+type clamscan_exec_t, file_type, sysadmfile, exec_type;
+
+daemon_base_domain(freshclam)
+read_locale(freshclam_t)
+
+# not sure why it needs this
+read_sysctl(freshclam_t)
+
+can_network_server(freshclam_t)
+can_ypbind(freshclam_t)
+
+# Access virus signatures
+allow freshclam_t { var_t var_lib_t }:dir search;
+rw_dir_create_file(freshclam_t, clamav_var_lib_t)
+
+allow freshclam_t devtty_t:chr_file { read write };
+allow freshclam_t devpts_t:dir search;
+allow freshclam_t etc_t:file { getattr read };
+allow freshclam_t proc_t:file { getattr read };
+
+allow freshclam_t urandom_device_t:chr_file { getattr read };
+dontaudit freshclam_t urandom_device_t:chr_file ioctl;
+
+# for nscd
+dontaudit freshclam_t var_run_t:dir search;
+
+# setuid/getuid used (although maybe not required...)
+allow freshclam_t self:capability { setgid setuid };
+
+allow freshclam_t sbin_t:dir search;
+
+# Allow notification to daemon that virus database has changed
+can_clamd_connect(freshclam)
+
+allow freshclam_t etc_runtime_t:file { read getattr };
+allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
+allow freshclam_t self:unix_dgram_socket create_socket_perms;
+allow freshclam_t self:fifo_file rw_file_perms;
+
+# Log files for freshclam executable
+logdir_domain(freshclam)
+allow initrc_t freshclam_log_t:file append;
+
+system_crond_entry(freshclam_exec_t, freshclam_t)
+domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t)
+
+domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t)
+role sysadm_r types freshclam_t;
+
+# macros/program/clamav_macros.te.
+user_clamscan_domain(sysadm)
+
+# clamd executable
+daemon_domain(clamd)
+
+tmp_domain(clamd)
+logdir_domain(clamd)
+
+file_type_auto_trans(clamd_t, var_run_t, clamd_var_run_t, sock_file)
+
+allow clamd_t self:capability { kill setgid setuid };
+
+allow clamd_t var_lib_t:dir search;
+r_dir_file(clamd_t, clamav_var_lib_t)
+r_dir_file(clamd_t, etc_t)
+# allow access /proc/sys/kernel/version
+read_sysctl(clamd_t)
+allow clamd_t self:unix_stream_socket create_stream_socket_perms;
+allow clamd_t self:unix_dgram_socket create_stream_socket_perms;
+allow clamd_t self:fifo_file rw_file_perms;
+
+allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read };
+dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl;
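Review bot: `allow clamd_t self:unix_dgram_socket create_stream_socket_perms;` applies the stream-socket permission set (listen/accept and friends) to a datagram socket; the freshclam rule a few lines above uses `create_socket_perms` for the same class, and that is the set this line should use. `can_network_server(freshclam_t)` also looks wider than needed for a program whose network role is downloading signatures; if the client macro suffices it should be preferred. Finally `domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t)` needs a comment (presumably a postrotate hook re-runs freshclam), since a transition out of logrotate_t is easy to overlook.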
diff --git a/strict/domains/program/unused/courier.te b/strict/domains/program/unused/courier.te
new file mode 100644
index 0000000..d2e9ad0
--- /dev/null
+++ b/strict/domains/program/unused/courier.te
@@ -0,0 +1,140 @@
+#DESC Courier - POP and IMAP servers
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: courier-base
+#
+
+# Type for files created during execution of courier.
+type courier_var_run_t, file_type, sysadmfile, pidfile;
+type courier_var_lib_t, file_type, sysadmfile;
+
+type courier_etc_t, file_type, sysadmfile;
+typealias courier_etc_t alias etc_courier_t;
+
+# allow start scripts to read the config
+allow initrc_t courier_etc_t:file r_file_perms;
+
+type courier_exec_t, file_type, sysadmfile, exec_type;
+type sqwebmail_cron_exec_t, file_type, sysadmfile, exec_type;
+
+define(`courier_domain', `
+#################################
+#
+# Rules for the courier_$1_t domain.
+#
+# courier_$1_exec_t is the type of the courier_$1 executables.
+#
+daemon_base_domain(courier_$1, `$2')
+
+allow courier_$1_t var_run_t:dir search;
+rw_dir_create_file(courier_$1_t, courier_var_run_t)
+allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
+
+# allow it to read config files etc
+allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms;
+allow courier_$1_t courier_etc_t:file r_file_perms;
+allow courier_$1_t etc_t:dir r_dir_perms;
+allow courier_$1_t etc_t:file r_file_perms;
+
+# execute scripts etc
+allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms;
+allow courier_$1_t bin_t:dir r_dir_perms;
+allow courier_$1_t fs_t:filesystem getattr;
+
+# set process group and allow permissions over-ride
+allow courier_$1_t self:process setpgid;
+allow courier_$1_t self:capability dac_override;
+
+# Use the network.
+can_network_server(courier_$1_t)
+allow courier_$1_t self:fifo_file { read write getattr };
+allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
+allow courier_$1_t self:unix_dgram_socket create_socket_perms;
+
+allow courier_$1_t null_device_t:chr_file rw_file_perms;
+
+# allow it to log to /dev/tty
+allow courier_$1_t devtty_t:chr_file rw_file_perms;
+
+allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms;
+allow courier_$1_t usr_t:dir r_dir_perms;
+allow courier_$1_t root_t:dir r_dir_perms;
+can_exec(courier_$1_t, courier_$1_exec_t)
+can_exec(courier_$1_t, bin_t)
+allow courier_$1_t bin_t:dir search;
+
+allow courier_$1_t proc_t:dir r_dir_perms;
+allow courier_$1_t proc_t:file r_file_perms;
+
+')dnl
+
+courier_domain(authdaemon, `, auth_chkpwd')
+allow courier_authdaemon_t sbin_t:dir search;
+allow courier_authdaemon_t lib_t:file { read getattr };
+allow courier_authdaemon_t tmp_t:dir getattr;
+allow courier_authdaemon_t self:file { getattr read };
+read_locale(courier_authdaemon_t)
+can_exec(courier_authdaemon_t, courier_exec_t)
+dontaudit courier_authdaemon_t selinux_config_t:dir search;
+
+# for SSP
+allow courier_authdaemon_t urandom_device_t:chr_file read;
+
+# should not be needed!
+allow courier_authdaemon_t home_root_t:dir search;
+allow courier_authdaemon_t user_home_dir_type:dir search;
+dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search;
+allow courier_authdaemon_t self:unix_stream_socket connectto;
+allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
+
+courier_domain(tcpd)
+allow courier_tcpd_t self:capability { kill net_bind_service };
+allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
+allow courier_tcpd_t sbin_t:dir search;
+allow courier_tcpd_t var_lib_t:dir search;
+# for TLS
+allow courier_tcpd_t urandom_device_t:chr_file read;
+read_locale(courier_tcpd_t)
+can_exec(courier_tcpd_t, courier_exec_t)
+allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:process sigchld;
+
+can_tcp_connect(userdomain, courier_tcpd_t)
+rw_dir_create_file(courier_tcpd_t, courier_var_lib_t)
+
+# domain for pop and imap
+courier_domain(pop)
+read_locale(courier_pop_t)
+domain_auto_trans(courier_tcpd_t, courier_pop_exec_t, courier_pop_t)
+allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+domain_auto_trans(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
+allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:fd use;
+allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
+allow courier_pop_t courier_authdaemon_t:process sigchld;
+domain_auto_trans(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
+
+# inherits file handle - should it?
+allow courier_pop_t courier_var_lib_t:file { read write };
+
+# do the actual work (read the Maildir)
+# imap needs to write files
+allow courier_pop_t home_root_t:dir { getattr search };
+allow courier_pop_t user_home_dir_type:dir { getattr search };
+# pop does not need to create subdirs, IMAP does
+#rw_dir_create_file(courier_pop_t, user_home_type)
+create_dir_file(courier_pop_t, user_home_type)
+
+# for calendaring
+courier_domain(pcp)
+
+allow courier_pcp_t self:capability { setuid setgid };
+allow courier_pcp_t random_device_t:chr_file r_file_perms;
+
+# for webmail
+courier_domain(sqwebmail)
+ifdef(`crond.te', `
+system_crond_entry(sqwebmail_cron_exec_t, courier_sqwebmail_t)
+')
+read_sysctl(courier_sqwebmail_t)
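Review bot: Inside the courier_domain macro, `allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms;` is duplicated by the later `can_exec(courier_$1_t, courier_$1_exec_t)` and `can_exec(courier_$1_t, bin_t)`, and `allow courier_$1_t bin_t:dir r_dir_perms;` already covers `allow courier_$1_t bin_t:dir search;`; since the macro is expanded for five domains, each redundancy is multiplied, so keep the can_exec form and delete the others. The more significant point is `create_dir_file(courier_pop_t, user_home_type)`: the pop/imap daemon gets create and write over every user-home type rather than a dedicated maildir type, so a compromised mail session could alter anything in the home directory; if a narrower type is not feasible now, the comment should say so explicitly instead of the current `# imap needs to write files`.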
diff --git a/strict/domains/program/unused/dante.te b/strict/domains/program/unused/dante.te
new file mode 100644
index 0000000..ca1649a
--- /dev/null
+++ b/strict/domains/program/unused/dante.te
@@ -0,0 +1,20 @@
+#DESC dante - socks daemon
+#
+# Author: petre rodan <kaiowas at gentoo.org>
+#
+
+type dante_conf_t, file_type, sysadmfile;
+type socks_port_t, port_type;
+
+daemon_domain(dante)
+can_network_server(dante_t)
+
+allow dante_t self:fifo_file { read write };
+allow dante_t self:capability { setuid };
+allow dante_t self:unix_dgram_socket { connect create write };
+allow dante_t self:unix_stream_socket { connect create read setopt write };
+
+allow dante_t socks_port_t:tcp_socket name_bind;
+
+allow dante_t { etc_t etc_runtime_t }:file r_file_perms;
+r_dir_file(dante_t, dante_conf_t)
diff --git a/strict/domains/program/unused/ddclient.te b/strict/domains/program/unused/ddclient.te
new file mode 100644
index 0000000..8b134dc
--- /dev/null
+++ b/strict/domains/program/unused/ddclient.te
@@ -0,0 +1,41 @@
+#DESC ddclient - Update dynamic IP address at DynDNS.org
+#
+# Author: Greg Norris <haphazard at kc.rr.com>
+# X-Debian-Packages: ddclient
+#
+
+#################################
+#
+# Rules for the ddclient_t domain.
+#
+daemon_domain(ddclient);
+type ddclient_etc_t, file_type, sysadmfile;
+type ddclient_var_t, file_type, sysadmfile;
+log_domain(ddclient)
+var_lib_domain(ddclient)
+
+base_file_read_access(ddclient_t)
+can_exec(ddclient_t, { shell_exec_t bin_t })
+
+# ddclient can be launched by pppd
+ifdef(`pppd.te',`domain_auto_trans(pppd_t, ddclient_exec_t, ddclient_t)')
+
+# misc. requirements
+allow ddclient_t self:fifo_file rw_file_perms;
+allow ddclient_t self:socket create_socket_perms;
+allow ddclient_t etc_t:file { getattr read };
+allow ddclient_t etc_runtime_t:file r_file_perms;
+allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans };
+allow ddclient_t urandom_device_t:chr_file { read };
+general_proc_read_access(ddclient_t)
+allow ddclient_t sysctl_net_t:dir { search };
+
+# network-related goodies
+can_network_client(ddclient_t)
+allow ddclient_t self:unix_dgram_socket create_socket_perms;
+allow ddclient_t self:unix_stream_socket create_socket_perms;
+
+# allow access to ddclient.conf and ddclient.cache
+allow ddclient_t ddclient_etc_t:file r_file_perms;
+allow ddclient_t ddclient_var_t:dir rw_dir_perms;
+allow ddclient_t ddclient_var_t:file create_file_perms;
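Review bot: `allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans };` runs ifconfig inside ddclient_t instead of transitioning to ifconfig_t the way udev.te in this commit does (`domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)`), so any extra permission ifconfig needs ends up on ddclient_t; unless ifconfig_t lacks something ddclient relies on, `domain_auto_trans(ddclient_t, ifconfig_exec_t, ifconfig_t)` is the better fit. `allow ddclient_t self:socket create_socket_perms;` grants the generic `socket` class, which nothing else in the file calls for (unix and inet sockets are covered by separate rules); it should either carry a comment naming the denial it fixes or be removed. `daemon_domain(ddclient);` also carries a trailing `;` that the other macro calls in this commit omit.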
diff --git a/strict/domains/program/unused/devfsd.te b/strict/domains/program/unused/devfsd.te
new file mode 100644
index 0000000..7bbc314
--- /dev/null
+++ b/strict/domains/program/unused/devfsd.te
@@ -0,0 +1,93 @@
+#DESC Devfsd - Control daemon for devfs device file system
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: devfsd
+#
+
+#################################
+#
+# Rules for the devfsd_t domain.
+#
+etcdir_domain(devfsd)
+typealias devfsd_etc_t alias etc_devfsd_t;
+
+allow kernel_t { device_t root_t }:dir mounton;
+
+daemon_domain(devfsd, `, privmodule')
+
+allow devfsd_t urandom_device_t:chr_file read;
+
+# for startup scripts
+can_exec(devfsd_t, bin_t)
+allow devfsd_t self:fifo_file rw_file_perms;
+allow devfsd_t proc_t:dir r_dir_perms;
+allow devfsd_t { etc_t etc_runtime_t proc_t }:file r_file_perms;
+allow devfsd_t devtty_t:chr_file rw_file_perms;
+
+# for alsa
+allow devfsd_t proc_t:file setattr;
+
+# for /sbin/modprobe
+allow devfsd_t { bin_t sbin_t }:dir r_dir_perms;
+
+ifdef(`distro_debian', `
+# for the makedev script - this may be a bad idea
+domain_auto_trans(dpkg_t, devfsd_exec_t, devfsd_t)
+
+# for package upgrade
+allow devfsd_t lib_t:file execute;
+')
+
+# mknod capability is for the startup scripts
+allow devfsd_t self:capability { chown dac_override fowner fsetid sys_tty_config mknod };
+
+# allow devfsd to change any object from type devfsd_t to any other type
+# also allow to unlink
+allow devfsd_t device_t:dir_file_class_set { create getattr setattr relabelfrom unlink };
+# allow devfsd to get and set attributes of any device node and to change the
+# type to any device type
+allow devfsd_t { device_type ttyfile ptyfile }:{ lnk_file sock_file fifo_file chr_file blk_file } { getattr setattr relabelto };
+allow devfsd_t mtrr_device_t:file { getattr setattr relabelto };
+allow devfsd_t initctl_t:fifo_file getattr;
+allow devfsd_t device_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } setattr;
+allow devfsd_t device_t:dir { r_dir_perms setattr };
+
+allow devfsd_t devpts_t:dir { r_dir_perms relabelto };
+allow devfsd_t devpts_t:chr_file { getattr setattr };
+allow devpts_t device_t:filesystem associate;
+allow initctl_t device_t:filesystem associate;
+allow device_t device_t:filesystem associate;
+allow devlog_t device_t:filesystem associate;
+
+# allow all devices to be under device_t
+allow { device_type ttyfile ptyfile } device_t:filesystem associate;
+
+allow domain device_t:lnk_file r_file_perms;
+
+# read the config files
+allow devfsd_t etc_t:dir r_dir_perms;
+
+# allow the permissions and symlinks to be done
+allow devfsd_t device_t:lnk_file create_file_perms;
+allow devfsd_t device_t:dir rw_dir_perms;
+allow devfsd_t { file_type ttyfile ptyfile }:{ chr_file blk_file } getattr;
+allow devfsd_t file_type:lnk_file r_file_perms;
+
+allow devfsd_t self:unix_dgram_socket create_socket_perms;
+allow devfsd_t self:unix_stream_socket create_stream_socket_perms;
+allow devfsd_t self:unix_dgram_socket sendto;
+allow devfsd_t self:unix_stream_socket connect;
+
+allow devfsd_t devfs_control_t:chr_file { getattr read ioctl };
+dontaudit userdomain devfs_control_t:chr_file getattr;
+
+# allow resolv.conf and UDP access for LDAP or other NSS data source
+allow devfsd_t self:udp_socket create_socket_perms;
+
+allow devfsd_t privfd:fd use;
+
+allow kernel_t device_t:filesystem mount;
+
+# for nss-ldap etc
+can_network_client_tcp(devfsd_t)
+can_ypbind(devfsd_t)
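Review bot: Several rules in this file grant permissions to subjects other than devfsd_t — `allow kernel_t { device_t root_t }:dir mounton;`, `allow domain device_t:lnk_file r_file_perms;`, `dontaudit userdomain devfs_control_t:chr_file getattr;`, `allow kernel_t device_t:filesystem mount;` and the `device_t:filesystem associate` block — so enabling this "unused" module changes policy for every domain, not just the daemon. A header comment such as `# NOTE: the kernel_t, domain and userdomain rules below take effect policy-wide once this file is enabled` would make that visible to whoever turns it on. The Debian block also grants `allow devfsd_t lib_t:file execute;` with only `# for package upgrade` as justification; a device-management daemon executing library files is unusual enough that the concrete case should be named.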
diff --git a/strict/domains/program/unused/distcc.te b/strict/domains/program/unused/distcc.te
new file mode 100644
index 0000000..dee96a7
--- /dev/null
+++ b/strict/domains/program/unused/distcc.te
@@ -0,0 +1,35 @@
+#DESC distcc - Distributed compiler daemon
+#
+# Author: Chris PeBenito <pebenito at gentoo.org>
+#
+
+daemon_domain(distccd)
+can_network_server(distccd_t)
+can_ypbind(distccd_t)
+log_domain(distccd)
+tmp_domain(distccd)
+
+type distccd_port_t, port_type;
+allow distccd_t distccd_port_t:tcp_socket name_bind;
+allow distccd_t self:capability { setgid setuid };
+
+# distccd can renice
+allow distccd_t self:process setsched;
+
+# compiler stuff
+allow distccd_t { bin_t sbin_t }:dir { search getattr };
+allow distccd_t { bin_t sbin_t }:lnk_file { getattr read };
+can_exec(distccd_t,bin_t)
+can_exec(distccd_t,lib_t)
+
+# comm stuff
+allow distccd_t net_conf_t:file r_file_perms;
+allow distccd_t self:{ unix_stream_socket unix_dgram_socket } { create connect read write };
+allow distccd_t self:fifo_file { read write getattr };
+
+# config access
+allow distccd_t { etc_t etc_runtime_t }:file r_file_perms;
+allow distccd_t proc_t:file r_file_perms;
+
+allow distccd_t var_t:dir search;
+allow distccd_t admin_tty_type:chr_file { ioctl read write };
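Review bot: `can_exec(distccd_t,lib_t)` under `# compiler stuff` lets a network-reachable daemon (see `can_network_server(distccd_t)` above) execute anything labelled lib_t, which is much wider than the compiler binaries it needs; if this is for a specific helper under /usr/lib, name it in the comment or give that path its own exec type. The closing `allow distccd_t admin_tty_type:chr_file { ioctl read write }` rule has no why-comment either — writing to the administrator's terminal is worth justifying or narrowing to what the init script actually uses. The file also omits the `# X-Debian-Packages:` header that the sibling files in this commit carry.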
diff --git a/strict/domains/program/unused/dnsmasq.te b/strict/domains/program/unused/dnsmasq.te
new file mode 100644
index 0000000..bdef592
--- /dev/null
+++ b/strict/domains/program/unused/dnsmasq.te
@@ -0,0 +1,38 @@
+#DESC dnsmasq - DNS forwarder and DHCP server
+#
+# Author: Greg Norris <haphazard at kc.rr.com>
+# X-Debian-Packages: dnsmasq
+#
+
+#################################
+#
+# Rules for the dnsmasq_t domain.
+#
+daemon_domain(dnsmasq);
+type dnsmasq_lease_t, file_type, sysadmfile;
+
+# misc. requirements
+allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
+allow dnsmasq_t urandom_device_t:chr_file read;
+
+# network-related goodies
+can_network_server(dnsmasq_t)
+can_ypbind(dnsmasq_t)
+allow dnsmasq_t self:packet_socket create_socket_perms;
+allow dnsmasq_t self:rawip_socket create_socket_perms;
+allow dnsmasq_t self:unix_dgram_socket create_socket_perms;
+allow dnsmasq_t self:unix_stream_socket create_stream_socket_perms;
+
+# UDP ports 53 and 67
+allow dnsmasq_t dhcpd_port_t:udp_socket name_bind;
+allow dnsmasq_t dns_port_t:{ tcp_socket udp_socket } name_bind;
+
+# By default, dnsmasq binds to the wildcard address to listen for DNS requests.
+# Comment out the following entry if you do not want to allow this behaviour.
+allow dnsmasq_t node_inaddr_any_t:udp_socket node_bind;
+
+# allow access to dnsmasq.conf
+allow dnsmasq_t etc_t:file r_file_perms;
+
+# dhcp leases
+file_type_auto_trans(dnsmasq_t, var_lib_t, dnsmasq_lease_t, file)
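Review bot: The `# UDP ports 53 and 67` comment does not match the rule beneath it: `allow dnsmasq_t dns_port_t:{ tcp_socket udp_socket } name_bind;` also grants TCP on the DNS port, while the wildcard rule below covers only `node_inaddr_any_t:udp_socket`, so a TCP listener on the wildcard address would still be denied. Either drop `tcp_socket` from the name_bind rule if TCP DNS is not wanted, or add `allow dnsmasq_t node_inaddr_any_t:tcp_socket node_bind;` and update the comment. The `net_raw` capability plus the `packet_socket`/`rawip_socket` grants under `# misc. requirements` also deserve a why-comment — presumably DHCP on not-yet-configured interfaces, but that is inferred rather than stated.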
diff --git a/strict/domains/program/unused/dpkg.te b/strict/domains/program/unused/dpkg.te
new file mode 100644
index 0000000..89458ef
--- /dev/null
+++ b/strict/domains/program/unused/dpkg.te
@@ -0,0 +1,413 @@
+#DESC Dpkg - Debian package manager
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: dpkg
+#
+
+#################################
+#
+# Rules for the dpkg_t domain.
+#
+type dpkg_t, domain, admin, privlog, privmail, etc_writer, privmodule;
+type dpkg_exec_t, file_type, sysadmfile, exec_type;
+type dpkg_var_lib_t, file_type, sysadmfile;
+type dpkg_etc_t, file_type, sysadmfile, usercanread;
+typealias dpkg_etc_t alias etc_dpkg_t;
+type dpkg_lock_t, file_type, sysadmfile;
+type debconf_cache_t, file_type, sysadmfile;
+
+tmp_domain(dpkg)
+can_setfscreate(dpkg_t)
+can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t dpkg_tmp_t ls_exec_t dpkg_var_lib_t dpkg_etc_t sbin_t lib_t fsadm_exec_t })
+
+ifdef(`load_policy.te', `
+domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t)
+')
+ifdef(`rlogind.te', `
+# for ssh
+can_exec(dpkg_t, rlogind_exec_t)
+')
+can_exec(dpkg_t, { init_exec_t etc_t })
+ifdef(`hostname.te', `
+can_exec(dpkg_t, hostname_exec_t)
+')
+ifdef(`mta.te', `
+allow system_mail_t dpkg_tmp_t:file { getattr read };
+')
+ifdef(`logrotate.te', `
+allow logrotate_t dpkg_var_lib_t:file create_file_perms;
+')
+
+# for open office
+can_exec(dpkg_t, usr_t)
+
+allow { dpkg_t apt_t install_menu_t } urandom_device_t:chr_file read;
+
+# for upgrading policycoreutils and loading policy
+allow dpkg_t security_t:dir { getattr search };
+allow dpkg_t security_t:file { getattr read };
+
+ifdef(`setfiles.te',
+`domain_auto_trans(dpkg_t, setfiles_exec_t, setfiles_t)')
+ifdef(`nscd.te', `domain_auto_trans(dpkg_t, nscd_exec_t, nscd_t)')
+ifdef(`modutil.te', `
+domain_auto_trans(dpkg_t, update_modules_exec_t, update_modules_t)
+domain_auto_trans(dpkg_t, depmod_exec_t, depmod_t)
+
+# for touch
+allow initrc_t modules_dep_t:file write;
+')
+ifdef(`ipsec.te', `
+allow { ipsec_mgmt_t ipsec_t } dpkg_t:fd use;
+allow ipsec_mgmt_t dpkg_t:fifo_file write;
+allow ipsec_mgmt_t dpkg_tmp_t:file { getattr write };
+allow ipsec_t dpkg_t:fifo_file { read write };
+domain_auto_trans(dpkg_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+')
+ifdef(`cardmgr.te', `
+allow cardmgr_t dpkg_t:fd use;
+allow cardmgr_t dpkg_t:fifo_file write;
+domain_auto_trans(dpkg_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
+# for start-stop-daemon
+allow dpkg_t cardmgr_t:process signull;
+')
+ifdef(`mount.te', `
+domain_auto_trans(dpkg_t, mount_exec_t, mount_t)
+')
+ifdef(`mozilla.te', `
+# hate to do this, for mozilla install scripts
+can_exec(dpkg_t, mozilla_exec_t)
+')
+ifdef(`postfix.te', `
+domain_auto_trans(dpkg_t, postfix_master_exec_t, postfix_master_t)
+')
+ifdef(`apache.te', `
+domain_auto_trans(dpkg_t, httpd_exec_t, httpd_t)
+')
+ifdef(`named.te', `
+file_type_auto_trans(dpkg_t, named_zone_t, named_conf_t, file)
+')
+ifdef(`nsd.te', `
+allow nsd_crond_t initrc_t:fd use;
+allow nsd_crond_t initrc_devpts_t:chr_file { read write };
+domain_auto_trans(dpkg_t, nsd_exec_t, nsd_crond_t)
+')
+# because the syslogd package is broken and does not use the start scripts
+ifdef(`klogd.te', `
+domain_auto_trans(dpkg_t, klogd_exec_t, klogd_t)
+')
+ifdef(`syslogd.te', `
+domain_auto_trans(dpkg_t, syslogd_exec_t, syslogd_t)
+allow system_crond_t syslogd_t:dir search;
+allow system_crond_t syslogd_t:file { getattr read };
+allow system_crond_t syslogd_t:process signal;
+')
+# mysqld is broken too
+ifdef(`mysqld.te', `
+domain_auto_trans(dpkg_t, mysqld_exec_t, mysqld_t)
+can_unix_connect(dpkg_t, mysqld_t)
+allow mysqld_t dpkg_tmp_t:file { getattr read };
+')
+ifdef(`postgresql.te', `
+# because postgresql postinst creates scripts in /tmp and then runs them
+# also the init scripts do more than they should
+allow { initrc_t postgresql_t } dpkg_tmp_t:file write;
+# for "touch" when it tries to create the log file
+# this works for upgrades, maybe we should allow create access for first install
+allow initrc_t postgresql_log_t:file { write setattr };
+# for dumpall
+can_exec(postgresql_t, postgresql_db_t)
+')
+ifdef(`sysstat.te', `
+domain_auto_trans(dpkg_t, sysstat_exec_t, sysstat_t)
+')
+ifdef(`rpcd.te', `
+allow rpcd_t dpkg_t:fd use;
+allow rpcd_t dpkg_t:fifo_file { read write };
+')
+ifdef(`load_policy.te', `
+allow load_policy_t initrc_t:fifo_file { read write };
+')
+ifdef(`checkpolicy.te', `
+domain_auto_trans(dpkg_t, checkpolicy_exec_t, checkpolicy_t)
+role system_r types checkpolicy_t;
+allow checkpolicy_t initrc_t:fd use;
+allow checkpolicy_t initrc_t:fifo_file write;
+allow checkpolicy_t initrc_devpts_t:chr_file { read write };
+')
+ifdef(`amavis.te', `
+r_dir_file(initrc_t, dpkg_var_lib_t)
+')
+ifdef(`nessusd.te', `
+domain_auto_trans(dpkg_t, nessusd_exec_t, nessusd_t)
+')
+ifdef(`crack.te', `
+allow crack_t initrc_t:fd use;
+domain_auto_trans(dpkg_t, crack_exec_t, crack_t)
+')
+ifdef(`xdm.te', `
+domain_auto_trans(dpkg_t, xserver_exec_t, xdm_xserver_t)
+')
+ifdef(`clamav.te', `
+domain_auto_trans(dpkg_t, freshclam_exec_t, freshclam_t)
+')
+ifdef(`squid.te', `
+domain_auto_trans(dpkg_t, squid_exec_t, squid_t)
+')
+ifdef(`useradd.te', `
+domain_auto_trans(dpkg_t, useradd_exec_t, useradd_t)
+domain_auto_trans(dpkg_t, groupadd_exec_t, groupadd_t)
+role system_r types { useradd_t groupadd_t };
+')
+ifdef(`passwd.te', `
+domain_auto_trans(dpkg_t, chfn_exec_t, chfn_t)
+')
+ifdef(`ldconfig.te', `
+domain_auto_trans(dpkg_t, ldconfig_exec_t, ldconfig_t)
+')
+ifdef(`portmap.te', `
+# for pmap_dump
+domain_auto_trans(dpkg_t, portmap_exec_t, portmap_t)
+')
+
+# for apt
+type apt_t, domain, admin, privmail, web_client_domain;
+type apt_exec_t, file_type, sysadmfile, exec_type;
+type apt_var_lib_t, file_type, sysadmfile;
+type var_cache_apt_t, file_type, sysadmfile;
+etcdir_domain(apt)
+typealias apt_etc_t alias etc_apt_t;
+type apt_rw_etc_t, file_type, sysadmfile;
+typealias apt_rw_etc_t alias etc_apt_rw_t;
+tmp_domain(apt, `', `{ dir file lnk_file }')
+can_exec(apt_t, apt_tmp_t)
+
+rw_dir_create_file(apt_t, apt_rw_etc_t)
+
+allow { apt_t dpkg_t install_menu_t } device_t:dir { getattr search };
+
+dontaudit apt_t var_log_t:dir getattr;
+dontaudit apt_t var_run_t:dir search;
+
+# for rc files such as ~/.less
+r_dir_file(apt_t, sysadm_home_t)
+allow apt_t sysadm_home_dir_t:dir { search getattr };
+
+allow apt_t bin_t:lnk_file r_file_perms;
+
+rw_dir_create_file(apt_t, debconf_cache_t)
+r_dir_file(userdomain, debconf_cache_t)
+
+# for python
+read_sysctl(apt_t)
+read_sysctl(dpkg_t)
+
+allow dpkg_t console_device_t:chr_file rw_file_perms;
+
+allow apt_t self:unix_stream_socket create_socket_perms;
+
+allow dpkg_t domain:dir r_dir_perms;
+allow dpkg_t domain:{ file lnk_file } r_file_perms;
+
+# for shared objects that are not yet labelled (upgrades)
+allow { apt_t dpkg_t } lib_t:file execute;
+
+# when dpkg runs postinst scripts run them in initrc_t domain so that the
+# daemons are started in the correct context
+domain_auto_trans(dpkg_t, initrc_exec_t, initrc_t)
+
+ifdef(`bootloader.te', `
+domain_auto_trans(dpkg_t, bootloader_exec_t, bootloader_t)
+# for mkinitrd
+can_exec(bootloader_t, dpkg_exec_t)
+# for lilo to run dpkg
+allow bootloader_t dpkg_etc_t:file { getattr read };
+')
+
+# for kernel-image postinst
+dontaudit dpkg_t fixed_disk_device_t:blk_file read;
+
+# for /usr/lib/dpkg/controllib.pl calling getpwnam(3)
+dontaudit dpkg_t shadow_t:file { getattr read };
+
+# allow user domains to execute dpkg
+allow userdomain dpkg_exec_t:dir r_dir_perms;
+can_exec(userdomain, { dpkg_exec_t apt_exec_t })
+
+# allow everyone to read dpkg database
+allow userdomain var_lib_t:dir search;
+r_dir_file({ apt_t userdomain }, { dpkg_var_lib_t apt_var_lib_t var_cache_apt_t })
+
+# for /var/lib/dpkg/lock
+rw_dir_create_file(apt_t, dpkg_var_lib_t)
+
+ifdef(`crond.te', `
+rw_dir_create_file(system_crond_t, dpkg_var_lib_t)
+allow system_crond_t dpkg_etc_t:file r_file_perms;
+
+# for Debian cron job
+create_dir_file(system_crond_t, tetex_data_t)
+can_exec(dpkg_t, tetex_data_t)
+')
+
+r_dir_file(install_menu_t, { var_lib_t dpkg_var_lib_t lib_t })
+allow install_menu_t initrc_t:fifo_file { read write };
+allow { apt_t install_menu_t userdomain } dpkg_etc_t:file r_file_perms;
+can_exec(sysadm_t, dpkg_etc_t)
+
+# Inherit and use descriptors from open_init_pty
+allow { apt_t dpkg_t install_menu_t } initrc_t:fd use;
+dontaudit dpkg_t privfd:fd use;
+allow { apt_t dpkg_t install_menu_t } devpts_t:dir search;
+allow { apt_t dpkg_t install_menu_t } initrc_devpts_t:chr_file rw_file_perms;
+
+allow ifconfig_t dpkg_t:fd use;
+allow ifconfig_t dpkg_t:fifo_file { read write };
+
+uses_shlib({ dpkg_t apt_t })
+allow dpkg_t proc_t:dir r_dir_perms;
+allow dpkg_t proc_t:{ file lnk_file } r_file_perms;
+allow dpkg_t fs_t:filesystem getattr;
+
+allow dpkg_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource mknod linux_immutable };
+
+# for fgconsole - need policy for it
+allow dpkg_t self:capability sys_tty_config;
+
+allow dpkg_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_t self:unix_stream_socket create_stream_socket_perms;
+can_unix_connect(dpkg_t, self)
+allow dpkg_t self:unix_dgram_socket sendto;
+allow dpkg_t self:unix_stream_socket connect;
+
+allow { dpkg_t apt_t } devtty_t:chr_file rw_file_perms;
+allow { dpkg_t apt_t } sysadm_tty_device_t:chr_file rw_file_perms;
+
+# dpkg really needs to be able to kill any process, unfortunate but true
+allow dpkg_t domain:process signal;
+allow dpkg_t sysadm_t:process sigchld;
+allow dpkg_t self:process { setpgid signal_perms fork getsched };
+
+# read/write/create any files in the system
+allow dpkg_t sysadmfile:dir create_dir_perms;
+allow dpkg_t sysadmfile:{ file fifo_file sock_file } create_file_perms;
+allow dpkg_t sysadmfile:lnk_file create_lnk_perms;
+allow dpkg_t device_type:{ chr_file blk_file } getattr;
+dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
+allow dpkg_t proc_kmsg_t:file getattr;
+allow dpkg_t fs_type:dir getattr;
+
+# allow compiling and loading new policy
+create_dir_file(dpkg_t, { policy_src_t policy_config_t })
+
+# change to the apt_t domain on exec from dpkg_t (dselect)
+domain_auto_trans(dpkg_t, apt_exec_t, apt_t)
+
+# allow apt to change /var/lib/apt files
+allow apt_t { apt_var_lib_t var_cache_apt_t }:dir rw_dir_perms;
+allow apt_t { apt_var_lib_t var_cache_apt_t }:file create_file_perms;
+
+# allow apt to create /usr/lib/site-python/DebianControlParser.pyc
+rw_dir_create_file(apt_t, lib_t)
+
+# for apt-listbugs
+allow apt_t usr_t:file { getattr read ioctl };
+allow apt_t usr_t:lnk_file read;
+
+# allow /var/cache/apt/archives to be owned by non-root
+allow apt_t self:capability { chown dac_override fowner fsetid };
+
+can_exec(apt_t, { apt_exec_t bin_t sbin_t shell_exec_t })
+allow apt_t { bin_t sbin_t }:dir search;
+allow apt_t self:process { signal sigchld fork };
+allow apt_t sysadm_t:process sigchld;
+can_network({ apt_t dpkg_t })
+can_ypbind({ apt_t dpkg_t })
+
+allow { apt_t dpkg_t } var_t:dir { search getattr };
+dontaudit apt_t { fs_type file_type }:dir getattr;
+allow { apt_t dpkg_t } { var_lib_t bin_t }:dir r_dir_perms;
+
+allow { apt_t dpkg_t } dpkg_lock_t:file { setattr rw_file_perms };
+
+# for /proc/meminfo and for "ps"
+allow apt_t { proc_t apt_t }:dir r_dir_perms;
+allow apt_t { proc_t apt_t }:{ file lnk_file } r_file_perms;
+allow apt_t self:fifo_file rw_file_perms;
+allow dpkg_t self:fifo_file rw_file_perms;
+
+allow apt_t etc_t:dir r_dir_perms;
+allow apt_t etc_t:file r_file_perms;
+allow apt_t etc_t:lnk_file read;
+read_locale(apt_t)
+r_dir_file(userdomain, apt_etc_t)
+
+# apt wants to check available disk space
+allow apt_t fs_t:filesystem getattr;
+allow apt_t etc_runtime_t:file r_file_perms;
+
+# auto transition from apt_t to dpkg_t because for 99% of Debian upgrades you
+# have apt run dpkg.
+# This means that getting apt_t access is almost as good as dpkg_t which has
+# as much power as sysadm_t...
+domain_auto_trans(apt_t, dpkg_exec_t, dpkg_t)
+
+# hack to allow update-menus/install-menu to manage menus
+type install_menu_t, domain, admin, etc_writer;
+type install_menu_exec_t, file_type, sysadmfile, exec_type;
+var_run_domain(install_menu)
+
+allow install_menu_t self:unix_stream_socket create_socket_perms;
+
+type debian_menu_t, file_type, sysadmfile;
+
+r_dir_file(userdomain, debian_menu_t)
+dontaudit install_menu_t sysadm_home_dir_t:dir search;
+create_dir_file(install_menu_t, debian_menu_t)
+allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms };
+allow install_menu_t self:process signal;
+allow install_menu_t proc_t:dir search;
+allow install_menu_t proc_t:file r_file_perms;
+can_getcon(install_menu_t)
+can_exec(install_menu_t, { bin_t sbin_t shell_exec_t install_menu_exec_t dpkg_exec_t })
+allow install_menu_t { bin_t sbin_t }:dir search;
+allow install_menu_t bin_t:lnk_file read;
+
+# for menus
+allow install_menu_t usr_t:file r_file_perms;
+
+# for /etc/kde3/debian/kde-update-menu.sh
+can_exec(install_menu_t, etc_t)
+
+allow install_menu_t var_t:dir search;
+tmp_domain(install_menu)
+
+create_dir_file(install_menu_t, var_lib_t)
+ifdef(`xdm.te', `
+create_dir_file(install_menu_t, xdm_var_lib_t)
+')
+allow install_menu_t { var_spool_t etc_t }:dir rw_dir_perms;
+allow install_menu_t { var_spool_t etc_t }:file create_file_perms;
+allow install_menu_t self:fifo_file rw_file_perms;
+allow install_menu_t etc_runtime_t:file r_file_perms;
+allow install_menu_t devtty_t:chr_file rw_file_perms;
+allow install_menu_t fs_t:filesystem getattr;
+
+domain_auto_trans(dpkg_t, install_menu_exec_t, install_menu_t)
+allow dpkg_t install_menu_t:process signal_perms;
+
+allow install_menu_t privfd:fd use;
+uses_shlib(install_menu_t)
+
+allow install_menu_t self:process { fork sigchld };
+
+role system_r types { dpkg_t apt_t install_menu_t };
+
+#################################
+#
+# Rules for the run_deb_t domain.
+#
+#run_program(sysadm_t, sysadm_r, deb, dpkg_exec_t, dpkg_t)
+#domain_trans(run_deb_t, apt_exec_t, apt_t)
+domain_auto_trans(initrc_t, dpkg_exec_t, dpkg_t)
+domain_auto_trans(initrc_t, apt_exec_t, apt_t)
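Review bot: The closing section header `# Rules for the run_deb_t domain.` describes a domain that is never declared — the run_program line that would create it is commented out — while the two live rules underneath are the initrc_t → dpkg_t/apt_t transitions; the header should say what they do, e.g. `# allow init scripts (initrc_t) to run dpkg and apt in their own domains`. `can_exec(dpkg_t, tetex_data_t)` sits inside `ifdef(`crond.te', ...)` although nothing about it involves cron; if tetex_data_t is declared somewhere other than crond.te the rule belongs under that file's guard, otherwise a comment naming the dependency would stop it looking misplaced. Given the existing note that apt_t is "almost as good as dpkg_t", it is also worth stating next to `can_exec(userdomain, { dpkg_exec_t apt_exec_t })` that no userdomain transition is defined in this file, so users run those binaries in their own domain rather than entering dpkg_t.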
diff --git a/strict/domains/program/unused/gatekeeper.te b/strict/domains/program/unused/gatekeeper.te
new file mode 100644
index 0000000..161f474
--- /dev/null
+++ b/strict/domains/program/unused/gatekeeper.te
@@ -0,0 +1,53 @@
+#DESC Gatekeeper - OpenH.323 voice over IP gate-keeper
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: opengate openh323gk
+#
+
+#################################
+#
+# Rules for the gatekeeper_t domain.
+#
+# gatekeeper_exec_t is the type of the gk executable.
+#
+daemon_domain(gatekeeper)
+
+# for SSP
+allow gatekeeper_t urandom_device_t:chr_file read;
+
+type gatekeeper_port_t, port_type;
+etc_domain(gatekeeper)
+typealias gatekeeper_etc_t alias etc_gatekeeper_t;
+allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
+logdir_domain(gatekeeper)
+
+# Use the network.
+can_network_server(gatekeeper_t)
+can_ypbind(gatekeeper_t)
+allow gatekeeper_t gatekeeper_port_t:{ udp_socket tcp_socket } name_bind;
+allow gatekeeper_t self:unix_stream_socket create_socket_perms;
+
+# for stupid symlinks
+tmp_domain(gatekeeper)
+
+# pthreads wants to know the kernel version
+read_sysctl(gatekeeper_t)
+
+allow gatekeeper_t etc_t:file { getattr read };
+
+allow gatekeeper_t etc_t:dir r_dir_perms;
+allow gatekeeper_t sbin_t:dir r_dir_perms;
+
+allow gatekeeper_t self:process setsched;
+allow gatekeeper_t self:fifo_file rw_file_perms;
+
+allow gatekeeper_t proc_t:file read;
+
+# for local users to run VOIP software
+can_udp_send(userdomain, gatekeeper_t)
+can_udp_send(gatekeeper_t, userdomain)
+can_tcp_connect(gatekeeper_t, userdomain)
+
+# this is crap, gk wants to create symlinks in /etc every time it starts and
+# remove them when it exits.
+#allow gatekeeper_t etc_t:dir rw_dir_perms;
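Review bot: The trailing comment says gk creates and removes symlinks in /etc on every start, yet the rule that would allow it is left commented out, so the daemon presumably hits a denial at that point; a note recording the tested outcome (`# gk gets an AVC denial on the /etc symlink and continues`) would save the next maintainer from re-deriving it, and since `etc_domain(gatekeeper)` already provides gatekeeper_etc_t, labelling those links with it would be the narrower fix than rw on all of etc_t. `can_tcp_connect(gatekeeper_t, userdomain)` under `# for local users to run VOIP software` is the reverse direction of the two UDP rules (the daemon initiating TCP to user domains) and deserves its own why-comment.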
diff --git a/strict/domains/program/unused/gift.te b/strict/domains/program/unused/gift.te
new file mode 100644
index 0000000..90e19ea
--- /dev/null
+++ b/strict/domains/program/unused/gift.te
@@ -0,0 +1,9 @@
+# DESC - giFT file sharing tool
+#
+# Author: Ivan Gyurdiev <ivg2 at cornell.edu>
+#
+
+type gift_exec_t, file_type, exec_type, sysadmfile;
+type giftd_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/gift_macros.te
diff --git a/strict/domains/program/unused/imazesrv.te b/strict/domains/program/unused/imazesrv.te
new file mode 100644
index 0000000..af18409
--- /dev/null
+++ b/strict/domains/program/unused/imazesrv.te
@@ -0,0 +1,30 @@
+#DESC Imazesrv - Imaze Server
+#
+# Author:  Torsten Knodt <tk-selinux at datas-world.de>
+# based on games.te by Russell Coker <russell at coker.com.au>
+#
+
+# type for shared data from imazesrv
+type imazesrv_data_t, file_type, sysadmfile;
+type imazesrv_data_labs_t, file_type, sysadmfile;
+
+# domain imazesrv_t is for system operation of imazesrv
+# also defines imazesrv_exec_t
+daemon_domain(imazesrv)
+log_domain(imazesrv);
+
+r_dir_file(imazesrv_t, imazesrv_data_t)
+
+type imaze_port_t, port_type;
+allow imazesrv_t imaze_port_t:tcp_socket name_bind;
+allow imazesrv_t imaze_port_t:udp_socket name_bind;
+
+create_append_log_file(imazesrv_t,imazesrv_log_t)
+
+can_network_server(imazesrv_t)
+
+allow imazesrv_t self:capability net_bind_service;
+
+r_dir_file(imazesrv_t, etc_t)
+
+general_domain_access(imazesrv_t)
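Review bot: `type imazesrv_data_labs_t, file_type, sysadmfile;` is declared but no rule in this file references it, so either an `r_dir_file(imazesrv_t, imazesrv_data_labs_t)` is missing or the type is dead; either way a comment stating what it labels is needed. `general_domain_access(imazesrv_t)` at the end is the widest of the self-access macros and is unexplained; the other daemons in this commit get by with explicit socket and fifo_file rules, so narrowing it, or commenting why a game server needs it, would keep the domain tight. `log_domain(imazesrv);` carries a trailing `;` unlike the other macro calls; dropping it is harmless.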
diff --git a/strict/domains/program/unused/ircd.te b/strict/domains/program/unused/ircd.te
new file mode 100644
index 0000000..1b9c5fd
--- /dev/null
+++ b/strict/domains/program/unused/ircd.te
@@ -0,0 +1,45 @@
+#DESC Ircd - IRC server
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: ircd dancer-ircd ircd-hybrid ircd-irc2 ircd-ircu
+#
+
+#################################
+#
+# Rules for the ircd_t domain.
+#
+# ircd_exec_t is the type of the slapd executable.
+#
+daemon_domain(ircd)
+
+type ircd_port_t, port_type;
+allow ircd_t ircd_port_t:tcp_socket name_bind;
+
+etcdir_domain(ircd)
+typealias ircd_etc_t alias etc_ircd_t;
+
+logdir_domain(ircd)
+
+var_lib_domain(ircd)
+
+# Use the network.
+can_network_server(ircd_t)
+can_ypbind(ircd_t)
+#allow ircd_t self:fifo_file { read write };
+allow ircd_t self:unix_stream_socket create_socket_perms;
+allow ircd_t self:unix_dgram_socket create_socket_perms;
+
+allow ircd_t devtty_t:chr_file rw_file_perms;
+
+allow ircd_t sbin_t:dir search;
+
+allow ircd_t proc_t:file { getattr read };
+
+# read config files
+allow ircd_t { etc_t etc_runtime_t }:file { getattr read };
+allow ircd_t etc_t:lnk_file read;
+
+ifdef(`logrotate.te', `
+allow logrotate_t ircd_var_run_t:dir search;
+allow logrotate_t ircd_var_run_t:file { getattr read };
+')
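Review bot: The header comment `# ircd_exec_t is the type of the slapd executable.` is a copy-paste leftover and should read `# ircd_exec_t is the type of the ircd executable.`. The logrotate block grants search and read on ircd_var_run_t (presumably declared by daemon_domain) rather than on anything under `logdir_domain(ircd)`; if the intent is for logrotate to read the pid file for a reload signal, a one-line comment saying so would explain the choice.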
diff --git a/strict/domains/program/unused/jabberd.te b/strict/domains/program/unused/jabberd.te
new file mode 100644
index 0000000..55f0819
--- /dev/null
+++ b/strict/domains/program/unused/jabberd.te
@@ -0,0 +1,32 @@
+#DESC jabberd - Jabber daemon
+#
+# Author: Colin Walters <walters at verbum.org>
+# X-Debian-Packages: jabber
+
+daemon_domain(jabberd)
+logdir_domain(jabberd)
+var_lib_domain(jabberd)
+
+type jabber_client_port_t, port_type;
+type jabber_interserver_port_t, port_type;
+
+allow jabberd_t jabber_client_port_t:tcp_socket name_bind;
+allow jabberd_t jabber_interserver_port_t:tcp_socket name_bind;
+
+allow jabberd_t etc_t:lnk_file read;
+allow jabberd_t { etc_t etc_runtime_t }:file { read getattr };
+
+# For SSL
+allow jabberd_t random_device_t:file r_file_perms;
+
+can_network_server(jabberd_t)
+can_ypbind(jabberd_t)
+
+allow jabberd_t self:unix_dgram_socket create_socket_perms;
+allow jabberd_t self:unix_stream_socket create_socket_perms;
+allow jabberd_t self:fifo_file { read write getattr };
+
+allow jabberd_t self:capability dac_override;
+
+# allow any user domain to connect to jabber
+can_tcp_connect(userdomain, jabberd_t)
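Review bot: `allow jabberd_t random_device_t:file r_file_perms;` uses class `file` for /dev/random, whereas the other new files in this commit (dnsmasq, lrrd, nessusd) access the random devices as `chr_file`; as written the rule most likely never matches and the SSL setup it is meant to support would be denied, so it should be `allow jabberd_t random_device_t:chr_file r_file_perms;`. `allow jabberd_t self:capability dac_override;` has no why-comment; overriding DAC is a strong grant for a network-facing server, so the reason (config or key files owned by another user?) should be recorded, or the file ownership fixed so the capability can go.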
diff --git a/strict/domains/program/unused/lcd.te b/strict/domains/program/unused/lcd.te
new file mode 100644
index 0000000..2e2eddf
--- /dev/null
+++ b/strict/domains/program/unused/lcd.te
@@ -0,0 +1,35 @@
+#DESC lcd - program for Cobalt LCD device
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+
+#################################
+#
+# Rules for the lcd_t domain.
+#
+# lcd_t is the domain for the lcd program.
+# lcd_exec_t is the type of the corresponding program.
+#
+type lcd_t, domain, privlog;
+role sysadm_r types lcd_t;
+role system_r types lcd_t;
+uses_shlib(lcd_t)
+type lcd_exec_t, file_type, sysadmfile, exec_type;
+type lcd_device_t, file_type;
+
+# Transition into this domain when you run this program.
+domain_auto_trans(initrc_t, lcd_exec_t, lcd_t)
+domain_auto_trans(sysadm_t, lcd_exec_t, lcd_t)
+
+allow lcd_t lcd_device_t:chr_file rw_file_perms;
+
+# for /etc/locks/.lcd_lock
+lock_domain(lcd)
+allow lcd_t etc_t:lnk_file read;
+allow lcd_t var_t:dir search;
+
+# Access the terminal.
+allow lcd_t admin_tty_type:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow lcd_t sysadm_gph_t:fd use;')
+allow lcd_t privfd:fd use;
+
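Review bot: `type lcd_device_t, file_type;` declares the Cobalt LCD device node with only the file_type attribute, whereas the device-node rules elsewhere in this commit key on `device_type` (devfsd's relabel rules, dpkg's `device_type:{ chr_file blk_file } getattr`); if lcd_device_t is meant to be a device node it should carry `device_type` as well or those generic rules will not cover it — worth confirming against how the other device types in this tree are declared. The file also lacks the `# X-Debian-Packages:` header its siblings use, and the `ifdef(`gnome-pty-helper.te', ...)` grant of `sysadm_gph_t:fd use` would read better with a short note on why an LCD tool inherits descriptors from the pty helper.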
diff --git a/strict/domains/program/unused/lrrd.te b/strict/domains/program/unused/lrrd.te
new file mode 100644
index 0000000..3059c03
--- /dev/null
+++ b/strict/domains/program/unused/lrrd.te
@@ -0,0 +1,70 @@
+#DESC LRRD - network-wide load graphing
+#
+# Author:  Erich Schubert <erich at debian.org>
+# X-Debian-Packages: lrrd-client, lrrd-server
+#
+
+#################################
+#
+# Rules for the lrrd_t domain.
+#
+# lrrd_exec_t is the type of the lrrd executable.
+#
+daemon_domain(lrrd)
+
+allow lrrd_t lrrd_var_run_t:sock_file create_file_perms;
+
+etcdir_domain(lrrd)
+typealias lrrd_etc_t alias etc_lrrd_t;
+type lrrd_var_lib_t, file_type, sysadmfile;
+type lrrd_port_t, port_type;
+
+log_domain(lrrd)
+tmp_domain(lrrd)
+
+# has cron jobs
+system_crond_entry(lrrd_exec_t, lrrd_t)
+allow crond_t lrrd_var_lib_t:dir search;
+
+# init script
+allow initrc_t lrrd_log_t:file { write append setattr ioctl };
+
+# allow to drop privileges and renice
+allow lrrd_t self:capability { setgid setuid };
+allow lrrd_t self:process { getsched setsched };
+
+allow lrrd_t urandom_device_t:chr_file { getattr read };
+allow lrrd_t proc_t:file { getattr read };
+allow lrrd_t usr_t:file { read ioctl };
+
+can_exec(lrrd_t, bin_t)
+allow lrrd_t bin_t:dir search;
+allow lrrd_t usr_t:lnk_file read;
+
+# Allow access to the lrrd databases
+create_dir_file(lrrd_t, lrrd_var_lib_t)
+allow lrrd_t var_lib_t:dir search;
+
+# read config files
+r_dir_file(initrc_t, lrrd_etc_t)
+allow lrrd_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
+# for accessing the output directory
+ifdef(`apache.te', `
+allow lrrd_t httpd_sys_content_t:dir search;
+')
+
+allow lrrd_t etc_t:dir search;
+
+can_unix_connect(sysadm_t, lrrd_t)
+can_unix_connect(lrrd_t, lrrd_t)
+can_unix_send(lrrd_t, lrrd_t)
+can_network_server(lrrd_t)
+can_ypbind(lrrd_t)
+
+ifdef(`logrotate.te', `
+r_dir_file(logrotate_t, lrrd_etc_t)
+allow logrotate_t lrrd_var_lib_t:dir search;
+allow logrotate_t lrrd_var_run_t:dir search;
+allow logrotate_t lrrd_var_run_t:sock_file write;
+can_unix_connect(logrotate_t, lrrd_t)
+')
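Review bot: `type lrrd_port_t, port_type;` is declared and the domain gets `can_network_server(lrrd_t)`, but no rule grants `name_bind` on that port — compare `allow distccd_t distccd_port_t:tcp_socket name_bind;` in distcc.te in this same commit — so the server side of lrrd would be unable to bind its listening port; add `allow lrrd_t lrrd_port_t:tcp_socket name_bind;` or drop the unused type. The logrotate block gives logrotate_t a write-capable path into the daemon (`lrrd_var_run_t:sock_file write` plus `can_unix_connect(logrotate_t, lrrd_t)`); a comment stating what logrotate asks over that socket would justify it.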
diff --git a/strict/domains/program/unused/monopd.te b/strict/domains/program/unused/monopd.te
new file mode 100644
index 0000000..56ced81
--- /dev/null
+++ b/strict/domains/program/unused/monopd.te
@@ -0,0 +1,30 @@
+#DESC MonopD - Monopoly Daemon
+#
+# Author: Torsten Knodt <tk-selinux at datas-world.de>
+# based on the dhcpd_t policy from:
+#          Russell Coker <russell at coker.com.au>
+#
+
+#################################
+#
+# Rules for the monopd_t domain.
+#
+daemon_domain(monopd)
+
+type etc_monopd_t, file_type, sysadmfile;
+type share_monopd_t, file_type, sysadmfile;
+
+# Use the network.
+can_network_server(monopd_t)
+can_ypbind(monopd_t)
+
+type monopd_port_t, port_type;
+allow monopd_t monopd_port_t:tcp_socket name_bind;
+
+r_dir_file(monopd_t,etc_monopd_t)
+r_dir_file(monopd_t,share_monopd_t)
+
+allow monopd_t self:unix_dgram_socket create_socket_perms;
+allow monopd_t self:unix_stream_socket create_socket_perms;
+
+r_dir_file(monopd_t, etc_t)
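Review bot: The types are named `etc_monopd_t` and `share_monopd_t`, while the rest of this commit uses the `<domain>_etc_t` form and keeps `etc_<domain>_t` only as a compatibility alias (see `typealias devfsd_etc_t alias etc_devfsd_t;`); naming them `monopd_etc_t`/`monopd_share_t` with the aliases would keep the convention uniform, and `etc_domain(monopd)` would declare the first one for you. A comment on what `share_monopd_t` labels is missing; the header only says the policy was derived from dhcpd_t.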
diff --git a/strict/domains/program/unused/nagios.te b/strict/domains/program/unused/nagios.te
new file mode 100644
index 0000000..fb5fd14
--- /dev/null
+++ b/strict/domains/program/unused/nagios.te
@@ -0,0 +1,91 @@
+#DESC Net Saint / NAGIOS - network monitoring server
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: netsaint, nagios
+# Depends: mta.te
+#
+
+#################################
+#
+# Rules for the nagios_t domain.
+#
+# nagios_exec_t is the type of the netsaint/nagios executable.
+#
+daemon_domain(nagios, `, privmail')
+
+etcdir_domain(nagios)
+typealias nagios_etc_t alias etc_nagios_t;
+
+logdir_domain(nagios)
+allow nagios_t nagios_log_t:fifo_file create_file_perms;
+allow initrc_t nagios_log_t:dir rw_dir_perms;
+
+tmp_domain(nagios)
+allow system_mail_t nagios_tmp_t:file { getattr read };
+# for open file handles
+dontaudit system_mail_t nagios_etc_t:file read;
+dontaudit system_mail_t nagios_log_t:fifo_file read;
+
+# Use the network.
+allow nagios_t self:fifo_file rw_file_perms;
+allow nagios_t self:unix_stream_socket create_socket_perms;
+allow nagios_t self:unix_dgram_socket create_socket_perms;
+
+# Use capabilities
+allow nagios_t self:capability { dac_override setgid setuid };
+allow nagios_t self:process setpgid;
+
+allow nagios_t { bin_t sbin_t }:dir search;
+allow nagios_t bin_t:lnk_file read;
+can_exec(nagios_t, { shell_exec_t bin_t })
+
+allow nagios_t proc_t:file { getattr read };
+
+can_network_server(nagios_t)
+can_ypbind(nagios_t)
+
+# read config files
+allow nagios_t { etc_t etc_runtime_t }:file { getattr read };
+allow nagios_t etc_t:lnk_file read;
+
+allow nagios_t etc_t:dir r_dir_perms;
+
+# for ps
+r_dir_file(nagios_t, domain)
+allow nagios_t boot_t:dir search;
+allow nagios_t system_map_t:file { getattr read };
+
+# for who
+allow nagios_t initrc_var_run_t:file { getattr read lock };
+
+system_domain(nagios_cgi)
+allow nagios_cgi_t device_t:dir search;
+r_dir_file(nagios_cgi_t, nagios_etc_t)
+allow nagios_cgi_t var_log_t:dir search;
+r_dir_file(nagios_cgi_t, nagios_log_t)
+allow nagios_cgi_t self:process { fork signal_perms };
+allow nagios_cgi_t self:fifo_file rw_file_perms;
+allow nagios_cgi_t bin_t:dir search;
+can_exec(nagios_cgi_t, bin_t)
+read_locale(nagios_cgi_t)
+
+# for ps
+allow nagios_cgi_t { etc_runtime_t etc_t }:file { getattr read };
+r_dir_file(nagios_cgi_t, { proc_t self nagios_t })
+allow nagios_cgi_t boot_t:dir search;
+allow nagios_cgi_t system_map_t:file { getattr read };
+dontaudit nagios_cgi_t domain:dir getattr;
+allow nagios_cgi_t self:unix_stream_socket create_socket_perms;
+
+ifdef(`apache.te', `
+r_dir_file(httpd_t, nagios_etc_t)
+domain_auto_trans({ httpd_t httpd_suexec_t }, nagios_cgi_exec_t, nagios_cgi_t)
+allow nagios_cgi_t httpd_log_t:file append;
+')
+
+ifdef(`ping.te', `
+domain_auto_trans(nagios_t, ping_exec_t, ping_t)
+allow nagios_t ping_t:process { sigkill signal };
+dontaudit ping_t nagios_etc_t:file read;
+dontaudit ping_t nagios_log_t:fifo_file read;
+')
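Review bot: `r_dir_file(nagios_t, domain)` under `# for ps` gives the monitoring daemon read access to every domain's /proc entries, presumably including environment and mapping files of unrelated processes, which is far more than a process listing needs; a comment acknowledging the width (or narrowing to the dir search/getattr that ps uses) is warranted, and the same applies to `r_dir_file(nagios_cgi_t, { proc_t self nagios_t })`, which is reachable from httpd_t through the apache ifdef. Both domains also read `system_map_t`; the reason is not stated, so it should go in the comment rather than be left under `# for ps`. The header says `# Depends: mta.te` while the system_mail_t rules are unconditional and apache/ping are ifdef-guarded — consistent with a hard dependency, but a line noting that the file will not build without mta.te enabled would help.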
diff --git a/strict/domains/program/unused/nessusd.te b/strict/domains/program/unused/nessusd.te
new file mode 100644
index 0000000..e0f71fd
--- /dev/null
+++ b/strict/domains/program/unused/nessusd.te
@@ -0,0 +1,55 @@
+#DESC Nessus network scanning daemon
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: nessus
+#
+
+#################################
+#
+# Rules for the nessusd_t domain.
+#
+# nessusd_exec_t is the type of the nessusd executable.
+#
+daemon_domain(nessusd)
+
+etc_domain(nessusd)
+typealias nessusd_etc_t alias etc_nessusd_t;
+type nessusd_db_t, file_type, sysadmfile;
+
+type nessus_port_t, port_type;
+allow nessusd_t nessus_port_t:tcp_socket name_bind;
+
+#tmp_domain(nessusd)
+
+# Use the network.
+can_network(nessusd_t)
+can_ypbind(nessusd_t)
+allow nessusd_t self:unix_stream_socket create_socket_perms;
+#allow nessusd_t self:unix_dgram_socket create_socket_perms;
+
+# why ioctl on /dev/urandom?
+allow nessusd_t random_device_t:chr_file { getattr read ioctl };
+allow nessusd_t self:{ rawip_socket packet_socket } create_socket_perms;
+allow nessusd_t self:capability net_raw;
+
+# for nmap etc
+allow nessusd_t { bin_t sbin_t }:dir search;
+allow nessusd_t bin_t:lnk_file read;
+can_exec(nessusd_t, bin_t)
+allow nessusd_t self:fifo_file { getattr read write };
+
+# allow user domains to connect to nessusd
+can_tcp_connect(userdomain, nessusd_t)
+
+allow nessusd_t self:process setsched;
+
+allow nessusd_t proc_t:file { getattr read };
+
+# Allow access to the nessusd authentication database
+create_dir_file(nessusd_t, nessusd_db_t)
+allow nessusd_t var_lib_t:dir r_dir_perms;
+
+# read config files
+allow nessusd_t { etc_t etc_runtime_t }:file r_file_perms;
+
+logdir_domain(nessusd)
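Review bot: The question left in the comment at L15800 (`# why ioctl on /dev/urandom?`) is still open while the rule below it grants ioctl on random_device_t; either the comment should record the reason or ioctl should be dropped and, if it only produces noise, handled as `dontaudit nessusd_t random_device_t:chr_file ioctl;`. The rawip/packet socket and net_raw rules at L15802-15803 carry no why-comment, although the `# for nmap etc` comment two lines later appears to be the explanation; moving that comment above L15802 would make the grant reviewable on its own. The commented-out `#tmp_domain(nessusd)` at L15792 should say whether it is obsolete or pending.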
diff --git a/strict/domains/program/unused/nrpe.te b/strict/domains/program/unused/nrpe.te
new file mode 100644
index 0000000..87d1a02
--- /dev/null
+++ b/strict/domains/program/unused/nrpe.te
@@ -0,0 +1,40 @@
+# DESC nrpe - Nagios Remote Plugin Execution
+#
+# Author: Thomas Bleher <ThomasBleher at gmx.de>
+#
+# Depends: tcpd.te
+# X-Debian-Packages: nagios-nrpe-server
+#
+# This policy assumes that nrpe is called from inetd
+
+daemon_base_domain(nrpe)
+ifdef(`tcpd.te', `
+domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t)
+')
+domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t)
+
+allow nrpe_t urandom_device_t:chr_file { getattr ioctl read };
+
+allow nrpe_t self:fifo_file rw_file_perms;
+allow nrpe_t self:unix_dgram_socket create_socket_perms;
+# use sockets inherited from inetd
+allow nrpe_t inetd_t:tcp_socket { ioctl read write };
+allow nrpe_t devtty_t:chr_file { read write };
+
+allow nrpe_t self:process setpgid;
+
+etc_domain(nrpe)
+read_locale(nrpe_t)
+
+# permissions for the scripts executed by nrpe
+#
+# call shell programs
+can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })
+allow nrpe_t { bin_t sbin_t }:dir search;
+# for /bin/sh
+allow nrpe_t bin_t:lnk_file read;
+
+# read /proc/meminfo, /proc/self/mounts and /etc/mtab
+allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read };
+
+# you will have to add more permissions here, depending on the scripts you call!
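Review bot: The header at L15836 declares `# Depends: tcpd.te`, but the only use of tcpd_t at L15842-15844 is wrapped in `ifdef(`tcpd.te', ...)`, so the dependency is optional rather than required and the header should say so (portslave.te, by contrast, lists `Depends: pppd.te` and references pppd_* types unconditionally). Because every plugin runs inside nrpe_t itself via `can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })`, each permission added for a plugin widens the domain that the remote check connection reaches; the closing comment at L15871 would be more useful if it said that and suggested keeping plugin-specific rules in a separate, clearly marked block.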
diff --git a/strict/domains/program/unused/nsd.te b/strict/domains/program/unused/nsd.te
new file mode 100644
index 0000000..2711cdd
--- /dev/null
+++ b/strict/domains/program/unused/nsd.te
@@ -0,0 +1,101 @@
+#DESC Authoritative only name server
+#
+# Author: Russell Coker
+# X-Debian-Packages: nsd
+# 
+#
+
+#################################
+#
+# Rules for the nsd_t domain.
+#
+
+daemon_domain(nsd)
+
+# a type for nsd.db
+type nsd_db_t, file_type, sysadmfile;
+
+# for zone update cron job
+type nsd_crond_t, domain, privlog;
+role system_r types nsd_crond_t;
+uses_shlib(nsd_crond_t)
+can_network_client(nsd_crond_t)
+can_ypbind(nsd_crond_t)
+allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
+allow nsd_crond_t self:process { fork signal_perms };
+system_crond_entry(nsd_exec_t, nsd_crond_t)
+allow nsd_crond_t { proc_t etc_runtime_t }:file { getattr read };
+allow nsd_crond_t proc_t:lnk_file { getattr read };
+allow nsd_crond_t { bin_t sbin_t }:dir search;
+can_exec(nsd_crond_t, { nsd_exec_t bin_t sbin_t shell_exec_t })
+allow nsd_crond_t { bin_t sbin_t shell_exec_t }:file getattr;
+allow nsd_crond_t bin_t:lnk_file read;
+read_locale(nsd_crond_t)
+allow nsd_crond_t self:fifo_file rw_file_perms;
+# kill capability for root cron job and non-root daemon
+allow nsd_crond_t self:capability { dac_override kill };
+allow nsd_crond_t nsd_t:process signal;
+dontaudit nsd_crond_t sysadm_home_dir_t:dir { search getattr };
+dontaudit nsd_crond_t self:capability sys_nice;
+dontaudit nsd_crond_t domain:dir search;
+allow nsd_crond_t self:process setsched;
+can_ps(nsd_crond_t, nsd_t)
+
+file_type_auto_trans(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
+file_type_auto_trans({ nsd_t nsd_crond_t }, nsd_zone_t, nsd_db_t, file)
+allow nsd_crond_t var_lib_t:dir search;
+
+allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
+allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
+allow nsd_crond_t proc_t:dir r_dir_perms;
+allow nsd_crond_t device_t:dir search;
+allow nsd_crond_t devtty_t:chr_file rw_file_perms;
+allow nsd_crond_t etc_t:file { getattr read };
+allow nsd_crond_t etc_t:lnk_file read;
+allow nsd_crond_t { var_t var_run_t }:dir search;
+allow nsd_crond_t nsd_var_run_t:file { getattr read };
+
+# for SSP
+allow nsd_crond_t urandom_device_t:chr_file read;
+
+# A type for configuration files of nsd
+type nsd_conf_t, file_type, sysadmfile;
+# A type for zone files
+type nsd_zone_t, file_type, sysadmfile;
+
+r_dir_file(nsd_t, { nsd_conf_t nsd_zone_t })
+# zone files may be in /var/lib/nsd
+allow nsd_t var_lib_t:dir search;
+r_dir_file(initrc_t, nsd_conf_t)
+allow nsd_t etc_runtime_t:file { getattr read };
+allow nsd_t proc_t:file { getattr read };
+allow nsd_t { sbin_t bin_t }:dir search;
+can_exec(nsd_t, { nsd_exec_t bin_t })
+
+# Use capabilities.  chown is for chowning /var/run/nsd.pid
+allow nsd_t self:capability { dac_override chown setuid setgid net_bind_service };
+
+allow nsd_t etc_t:{ file lnk_file } { getattr read };
+
+# nsd can use network
+can_network_server(nsd_t)
+can_ypbind(nsd_t)
+# allow client access from caching BIND
+ifdef(`named.te', `
+can_udp_send(named_t, nsd_t)
+can_udp_send(nsd_t, named_t)
+can_tcp_connect(named_t, nsd_t)
+')
+
+# if you want to allow all programs to contact the primary name server
+#can_udp_send(domain, nsd_t)
+#can_udp_send(nsd_t, domain)
+#can_tcp_connect(domain, nsd_t)
+
+# Bind to the named port.
+allow nsd_t dns_port_t:udp_socket name_bind;
+allow nsd_t dns_port_t:tcp_socket name_bind;
+
+allow nsd_t self:unix_stream_socket create_stream_socket_perms;
+allow nsd_t self:unix_dgram_socket create_socket_perms;
+
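Review bot: The types nsd_conf_t and nsd_zone_t are declared at L15939-15941 but already used at L15921-15926 in the middle of the nsd_crond_t rules; as far as I know checkpolicy resolves type names in an earlier pass so this compiles, but the declarations belong next to `type nsd_db_t` at L15893 so all nsd types are visible in one place. `file_type_auto_trans({ nsd_t nsd_crond_t }, nsd_zone_t, nsd_db_t, file)` at L15922 gives the daemon itself create/write access under zone directories, which the `# for zone update cron job` description does not obviously require; if only the cron job rebuilds the database, the domain set could be reduced to nsd_crond_t, otherwise a comment saying why nsd_t writes there would help.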
diff --git a/strict/domains/program/unused/oav-update.te b/strict/domains/program/unused/oav-update.te
new file mode 100644
index 0000000..a9843c6
--- /dev/null
+++ b/strict/domains/program/unused/oav-update.te
@@ -0,0 +1,38 @@
+#DESC Oav - Anti-virus update program
+#
+# Author:  Brian May <bam at snoopy.apana.org.au>
+# X-Debian-Packages:
+#
+
+type oav_update_var_lib_t, file_type, sysadmfile;
+type oav_update_exec_t, file_type, sysadmfile, exec_type;
+type oav_update_etc_t, file_type, sysadmfile;
+
+# Derived domain based on the calling user domain and the program.
+type oav_update_t, domain, privlog;
+
+# Transition from the sysadm domain to the derived domain.
+role sysadm_r types oav_update_t;
+domain_auto_trans(sysadm_t, oav_update_exec_t, oav_update_t)
+
+# Transition from the sysadm domain to the derived domain.
+role system_r types oav_update_t;
+system_crond_entry(oav_update_exec_t, oav_update_t)
+
+# Uses shared librarys
+uses_shlib(oav_update_t)
+
+# Run helper programs.
+can_exec_any(oav_update_t,bin_t)
+
+# Can read /etc/oav-update/* files
+allow oav_update_t oav_update_etc_t:dir r_dir_perms;
+allow oav_update_t oav_update_etc_t:file r_file_perms;
+
+# Can read /var/lib/oav-update/current
+allow oav_update_t oav_update_var_lib_t:dir create_dir_perms;
+allow oav_update_t oav_update_var_lib_t:file create_file_perms;
+allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms;
+
+# Can download via network
+can_network_server(oav_update_t)
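Review bot: `can_network_server(oav_update_t)` at L16022 is commented as `# Can download via network`, but for a downloader the client-side macro used for nsd_crond_t (`can_network_client`) is the narrower fit; the server macro also permits listening, which an update fetcher does not need. The comment at L16002 repeats L15998 (`# Transition from the sysadm domain to the derived domain.`) although the rule under it is the cron entry; it should read `# Run from the system cron job.`. `can_exec_any(oav_update_t,bin_t)` at L16010 passes a second argument while scannerdaemon.te calls `can_exec_any(scannerdaemon_t)` with one; confirm the macro's arity, since m4 silently ignores extra arguments.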
diff --git a/strict/domains/program/unused/openca-ca.te b/strict/domains/program/unused/openca-ca.te
new file mode 100644
index 0000000..411c61d
--- /dev/null
+++ b/strict/domains/program/unused/openca-ca.te
@@ -0,0 +1,134 @@
+#DESC OpenCA - Open Certificate Authority
+#
+# Author:  Brian May <bam at snoopy.apana.org.au>
+# X-Debian-Packages:
+# Depends: apache.te
+#
+
+#################################
+#
+# domain for openCA cgi-bin scripts.
+#
+# Type that system CGI scripts run as
+#
+type openca_ca_t, domain;
+role system_r types openca_ca_t;
+uses_shlib(openca_ca_t)
+
+# Types that system CGI scripts on the disk are 
+# labeled with
+#
+type openca_ca_exec_t, file_type, sysadmfile;
+
+# When the server starts the script it needs to get the proper context
+#
+domain_auto_trans(httpd_t, openca_ca_exec_t, openca_ca_t)
+
+#
+# Allow httpd daemon to search /usr/share/openca
+#
+allow httpd_t openca_usr_share_t:dir { getattr search };
+
+################################################################
+# Allow the web server to run scripts and serve pages
+##############################################################
+allow httpd_t bin_t:file { read execute }; # execute perl
+
+allow httpd_t openca_ca_exec_t:file {execute getattr read};
+allow httpd_t openca_ca_t:process {signal sigkill sigstop};
+allow httpd_t openca_ca_t:process transition;
+allow httpd_t openca_ca_exec_t:dir r_dir_perms;
+
+##################################################################
+# Allow the script to get the file descriptor from the http deamon
+# and send sigchild to http deamon
+#################################################################
+allow openca_ca_t httpd_t:process sigchld;
+allow openca_ca_t httpd_t:fd use;
+allow openca_ca_t httpd_t:fifo_file {getattr write};
+
+############################################
+# Allow scripts to append to http logs
+#########################################
+allow openca_ca_t httpd_log_t:file { append getattr };
+
+#############################################################
+# Allow the script access to the library files so it can run
+#############################################################
+can_exec(openca_ca_t, lib_t)
+
+########################################################################
+# The script needs to inherit the file descriptor and find the script it
+# needs to run
+########################################################################
+allow openca_ca_t initrc_t:fd use;
+allow openca_ca_t init_t:fd use;
+allow openca_ca_t default_t:dir r_dir_perms;
+allow openca_ca_t random_device_t:chr_file r_file_perms;
+
+#######################################################################
+# Allow the script to return its output
+######################################################################
+#allow openca_ca_t httpd_var_run_t: file rw_file_perms;
+allow openca_ca_t null_device_t: chr_file rw_file_perms;
+allow openca_ca_t httpd_cache_t: file rw_file_perms;
+
+###########################################################################
+# Allow the script interpreters to run the scripts.  So
+# the perl executable will be able to run a perl script
+#########################################################################
+can_exec(openca_ca_t, bin_t)
+
+############################################################################
+# Allow the script process to search the cgi directory, and users directory
+##############################################################################
+allow openca_ca_t openca_ca_exec_t:dir search;
+
+#
+# Allow access to writeable files under /etc/openca
+#
+allow openca_ca_t openca_etc_writeable_t:file create_file_perms;
+allow openca_ca_t openca_etc_writeable_t:dir create_dir_perms;
+
+#
+# Allow access to other files under /etc/openca
+#
+allow openca_ca_t openca_etc_t:file r_file_perms;
+allow openca_ca_t openca_etc_t:dir r_dir_perms;
+
+#
+# Allow access to private CA key
+#
+allow openca_ca_t openca_var_lib_keys_t:file create_file_perms;
+allow openca_ca_t openca_var_lib_keys_t:dir create_dir_perms;
+
+#
+# Allow access to other /var/lib/openca files
+#
+allow openca_ca_t openca_var_lib_t:file create_file_perms;
+allow openca_ca_t openca_var_lib_t:dir create_dir_perms;
+
+#
+# Allow access to other /usr/share/openca files
+#
+allow openca_ca_t openca_usr_share_t:file r_file_perms;
+allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
+allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
+
+# /etc/openca standard files
+type openca_etc_t, file_type, sysadmfile;
+
+# /etc/openca template files
+type openca_etc_in_t, file_type, sysadmfile;
+
+# /etc/openca writeable (from CGI script) files
+type openca_etc_writeable_t, file_type, sysadmfile;
+
+# /var/lib/openca
+type openca_var_lib_t, file_type, sysadmfile;
+
+# /var/lib/openca/crypto/keys
+type openca_var_lib_keys_t, file_type, sysadmfile;
+
+# /usr/share/openca/crypto/keys
+type openca_usr_share_t, file_type, sysadmfile;
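Review bot: `allow httpd_t bin_t:file { read execute }; # execute perl` at L16063 grants the web server domain itself, not the CGI domain, execute on every bin_t file, and `allow httpd_t openca_ca_t:process transition;` at L16067 duplicates what `domain_auto_trans` at L16053 already provides. If httpd_t needs perl, that rule belongs in apache.te where it can be reviewed with the rest of httpd_t, and L16067 can be dropped. `create_file_perms` on openca_var_lib_keys_t at L16130 lets a web-reachable CGI domain write the private CA key; unless key generation really runs through the CGI, `r_file_perms` is the safer default, and the comment `# Allow access to private CA key` should say which operations are expected. openca_etc_in_t at L16150 is declared but unused in this file.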
diff --git a/strict/domains/program/unused/openvpn.te b/strict/domains/program/unused/openvpn.te
new file mode 100644
index 0000000..241c8f2
--- /dev/null
+++ b/strict/domains/program/unused/openvpn.te
@@ -0,0 +1,41 @@
+#DESC OpenVPN - Firewall-friendly SSL-based VPN
+#
+# Author: Colin Walters <walters at verbum.org>
+#
+########################################
+#
+
+daemon_domain(openvpn)
+etcdir_domain(openvpn)
+
+type openvpn_port_t, port_type;
+
+allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
+
+allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
+allow openvpn_t devpts_t:dir { search getattr };
+allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;
+allow openvpn_t proc_t:file { getattr read };
+
+allow openvpn_t self:unix_dgram_socket create_socket_perms;
+allow openvpn_t self:unix_stream_socket create_stream_socket_perms;
+allow openvpn_t self:unix_dgram_socket sendto;
+allow openvpn_t self:unix_stream_socket connectto;
+allow openvpn_t self:capability { net_admin setgid setuid };
+r_dir_file(openvpn_t, sysctl_net_t)
+
+can_network_server(openvpn_t)
+allow openvpn_t openvpn_port_t:udp_socket name_bind;
+
+# OpenVPN executes a lot of helper programs and scripts
+allow openvpn_t { bin_t sbin_t }:dir { search getattr };
+allow openvpn_t bin_t:lnk_file { getattr read };
+can_exec(openvpn_t, { bin_t sbin_t shell_exec_t })
+# Do not transition to ifconfig_t, since then it needs
+# permission to access openvpn_t:udp_socket, which seems
+# worse.
+can_exec(openvpn_t, ifconfig_exec_t)
+
+# The Fedora init script iterates over /etc/openvpn/*.conf, and
+# starts a daemon for each file.
+r_dir_file(initrc_t, openvpn_etc_t)
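Review bot: The unix-socket rules at L16188-16191 split one grant per class across two lines each (`create_socket_perms` then `sendto`, `create_stream_socket_perms` then `connectto`); merging them, e.g. `allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };`, keeps the set readable. `r_dir_file(openvpn_t, sysctl_net_t)` at L16193 and the net_admin capability at L16192 have no why-comment, while the ifconfig decision at L16202-16204 is well explained; a note of the same kind (presumably tun/route setup, to be confirmed) would give both the same treatment.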
diff --git a/strict/domains/program/unused/perdition.te b/strict/domains/program/unused/perdition.te
new file mode 100644
index 0000000..c75a8e9
--- /dev/null
+++ b/strict/domains/program/unused/perdition.te
@@ -0,0 +1,30 @@
+#DESC Perdition POP and IMAP proxy
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: perdition
+#
+
+#################################
+#
+# Rules for the perdition_t domain.
+#
+daemon_domain(perdition)
+
+allow perdition_t pop_port_t:tcp_socket name_bind;
+
+etc_domain(perdition)
+typealias perdition_etc_t alias etc_perdition_t;
+
+# Use the network.
+can_network_server(perdition_t)
+allow perdition_t self:unix_stream_socket create_socket_perms;
+allow perdition_t self:unix_dgram_socket create_socket_perms;
+
+# allow any domain to connect to the proxy
+can_tcp_connect(userdomain, perdition_t)
+
+# Use capabilities
+allow perdition_t self:capability { setgid setuid net_bind_service };
+
+allow perdition_t etc_t:file { getattr read };
+allow perdition_t etc_t:lnk_file read;
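Review bot: The comment at L16238, `# allow any domain to connect to the proxy`, does not match the rule under it, which restricts connections to userdomain; nessusd.te uses the accurate wording `# allow user domains to connect to nessusd` for the same macro, so this should read `# allow user domains to connect to the proxy`. The header describes a POP and IMAP proxy but the only name_bind at L16228 is on pop_port_t; if the IMAP side is deployed, the matching bind rule is missing, and either the header or the rules should be reconciled.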
diff --git a/strict/domains/program/unused/portslave.te b/strict/domains/program/unused/portslave.te
new file mode 100644
index 0000000..a70597f
--- /dev/null
+++ b/strict/domains/program/unused/portslave.te
@@ -0,0 +1,85 @@
+#DESC Portslave - Terminal server software
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: portslave
+# Depends: pppd.te
+#
+
+#################################
+#
+# Rules for the portslave_t domain.
+#
+daemon_base_domain(portslave, `, privmail, auth_chkpwd')
+
+type portslave_etc_t, file_type, sysadmfile;
+
+general_domain_access(portslave_t)
+domain_auto_trans(init_t, portslave_exec_t, portslave_t)
+ifdef(`rlogind.te', `
+domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t)
+')
+ifdef(`inetd.te', `
+domain_auto_trans(inetd_t, portslave_exec_t, portslave_t)
+allow portslave_t inetd_t:tcp_socket { getattr read write };
+')
+
+allow portslave_t { etc_t etc_runtime_t }:file { read getattr };
+read_locale(portslave_t)
+r_dir_file(portslave_t, portslave_etc_t)
+
+allow portslave_t pppd_etc_t:dir r_dir_perms;
+allow portslave_t pppd_etc_rw_t:file { getattr read };
+
+allow portslave_t proc_t:file { getattr read };
+
+allow portslave_t { var_t var_log_t devpts_t }:dir search;
+
+allow portslave_t devtty_t:chr_file { setattr rw_file_perms };
+
+allow portslave_t pppd_secret_t:file r_file_perms;
+
+can_network_server(portslave_t)
+allow portslave_t fs_t:filesystem getattr;
+ifdef(`radius.te', `
+can_udp_send(portslave_t, radiusd_t)
+can_udp_send(radiusd_t, portslave_t)
+')
+# for rlogin etc
+can_exec(portslave_t, { bin_t ssh_exec_t })
+# net_bind_service for rlogin
+allow portslave_t self:capability { net_bind_service sys_tty_config };
+# for ssh
+allow portslave_t urandom_device_t:chr_file read;
+ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)')
+
+# for pppd
+allow portslave_t self:capability { setuid setgid net_admin fsetid };
+allow portslave_t ppp_device_t:chr_file rw_file_perms;
+
+# for ~/.ppprc - if it actually exists then you need some policy to read it
+allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
+
+# for ctlportslave
+dontaudit portslave_t self:capability sys_admin;
+
+file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file)
+can_exec(portslave_t, { etc_t shell_exec_t })
+
+# Run login in local_login_t domain.
+#domain_auto_trans(portslave_t, login_exec_t, local_login_t)
+
+# Write to /var/run/utmp.
+allow portslave_t initrc_var_run_t:file rw_file_perms;
+
+# Write to /var/log/wtmp.
+allow portslave_t wtmp_t:file rw_file_perms;
+
+# Read and write ttys.
+allow portslave_t tty_device_t:chr_file { setattr rw_file_perms };
+allow portslave_t ttyfile:chr_file rw_file_perms;
+
+
+rw_dir_create_file(portslave_t, var_lock_t)
+can_exec(portslave_t, pppd_exec_t)
+allow portslave_t { bin_t sbin_t }:dir search;
+allow portslave_t bin_t:lnk_file read;
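Review bot: `can_exec(portslave_t, { etc_t shell_exec_t })` at L16317 allows executing files labeled etc_t, which is unusual enough to need a why-comment or a narrower type (the file already declares portslave_etc_t for its own configuration); nothing in the hunk says which script under /etc is run. The comment at L16310 admits that reading ~/.ppprc is unhandled while the rule still grants directory search on sysadm_home_dir_t, home_root_t and user_home_dir_type; a `# FIX:` marker, as seuser.te uses, would make the gap visible. L16331-16332 is a doubled blank line.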
diff --git a/strict/domains/program/unused/postgrey.te b/strict/domains/program/unused/postgrey.te
new file mode 100644
index 0000000..5176665
--- /dev/null
+++ b/strict/domains/program/unused/postgrey.te
@@ -0,0 +1,32 @@
+#DESC postgrey - Postfix Grey-listing server
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: postgrey
+
+type postgrey_port_t, port_type;
+
+daemon_domain(postgrey)
+
+allow postgrey_t urandom_device_t:chr_file { getattr read };
+
+# for perl
+allow postgrey_t sbin_t:dir search;
+allow postgrey_t usr_t:{ file lnk_file } { getattr read };
+dontaudit postgrey_t usr_t:file ioctl;
+
+allow postgrey_t { etc_t etc_runtime_t }:file { getattr read };
+etcdir_domain(postgrey)
+
+can_network_server_tcp(postgrey_t)
+can_ypbind(postgrey_t)
+allow postgrey_t postgrey_port_t:tcp_socket name_bind;
+allow postgrey_t self:unix_dgram_socket create_socket_perms;
+allow postgrey_t self:unix_stream_socket create_stream_socket_perms;
+allow postgrey_t proc_t:file { getattr read };
+
+allow postgrey_t self:capability { chown setgid setuid };
+dontaudit postgrey_t self:capability sys_tty_config;
+
+var_lib_domain(postgrey)
+
+allow postgrey_t tmp_t:dir getattr;
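Review bot: The `chown` capability at L16369 has no explanation, whereas nsd.te documents its equivalent (`# chown is for chowning /var/run/nsd.pid`); a matching comment such as `# chown for the pid file`, if that is the reason, keeps the capability reviewable. `allow postgrey_t tmp_t:dir getattr;` at L16374 is likewise unexplained; if it is only a startup probe, the comment should say so.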
diff --git a/strict/domains/program/unused/pump.te b/strict/domains/program/unused/pump.te
new file mode 100644
index 0000000..e69de29
diff --git a/strict/domains/program/unused/pxe.te b/strict/domains/program/unused/pxe.te
new file mode 100644
index 0000000..27d39d2
--- /dev/null
+++ b/strict/domains/program/unused/pxe.te
@@ -0,0 +1,22 @@
+#DESC PXE - a server for the PXE network boot protocol
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: pxe
+#
+
+#################################
+#
+# Rules for the pxe_t domain.
+#
+daemon_domain(pxe)
+
+type pxe_port_t, port_type;
+allow pxe_t pxe_port_t:udp_socket name_bind;
+
+allow pxe_t etc_t:file { getattr read };
+
+allow pxe_t self:capability { chown setgid setuid };
+
+allow pxe_t zero_device_t:chr_file rw_file_perms;
+
+log_domain(pxe)
diff --git a/strict/domains/program/unused/qmail.te b/strict/domains/program/unused/qmail.te
new file mode 100644
index 0000000..b93321b
--- /dev/null
+++ b/strict/domains/program/unused/qmail.te
@@ -0,0 +1,198 @@
+#DESC Qmail - Mail server
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: qmail-src qmail
+# Depends: inetd.te mta.te
+#
+
+
+# Type for files created during execution of qmail.
+type qmail_var_run_t, file_type, sysadmfile, pidfile;
+
+type qmail_etc_t, file_type, sysadmfile;
+typealias qmail_etc_t alias etc_qmail_t;
+
+allow inetd_t smtp_port_t:tcp_socket name_bind;
+
+type qmail_exec_t, file_type, sysadmfile, exec_type;
+type qmail_spool_t, file_type, sysadmfile;
+type var_qmail_t, file_type, sysadmfile;
+
+define(`qmaild_sub_domain', `
+daemon_sub_domain($1, $2, `$3')
+allow $2_t qmail_etc_t:dir { getattr search };
+allow $2_t qmail_etc_t:{ lnk_file file } { getattr read };
+allow $2_t { var_t var_spool_t }:dir search;
+allow $2_t console_device_t:chr_file rw_file_perms;
+allow $2_t fs_t:filesystem getattr;
+')
+
+#################################
+#
+# Rules for the qmail_$1_t domain.
+#
+# qmail_$1_exec_t is the type of the qmail_$1 executables.
+#
+define(`qmail_daemon_domain', `
+qmaild_sub_domain(qmail_start_t, qmail_$1, `$2')
+allow qmail_$1_t qmail_start_t:fifo_file { read write };
+')dnl
+
+
+daemon_base_domain(qmail_start)
+
+allow qmail_start_t self:capability { setgid setuid };
+allow qmail_start_t { bin_t sbin_t }:dir search;
+allow qmail_start_t qmail_etc_t:dir search;
+allow qmail_start_t qmail_etc_t:file { getattr read };
+can_exec(qmail_start_t, qmail_start_exec_t)
+allow qmail_start_t self:fifo_file { getattr read write };
+
+qmail_daemon_domain(lspawn, `, mta_delivery_agent')
+allow qmail_lspawn_t self:fifo_file { read write };
+allow qmail_lspawn_t self:capability { setuid setgid };
+allow qmail_lspawn_t self:process { fork signal_perms };
+allow qmail_lspawn_t sbin_t:dir search;
+can_exec(qmail_lspawn_t, qmail_exec_t)
+allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
+allow qmail_lspawn_t qmail_spool_t:dir search;
+allow qmail_lspawn_t qmail_spool_t:file { read getattr };
+allow qmail_lspawn_t etc_t:file { getattr read };
+allow qmail_lspawn_t tmp_t:dir getattr;
+dontaudit qmail_lspawn_t user_home_dir_type:dir { getattr search };
+
+qmail_daemon_domain(send, `, mail_server_sender')
+rw_dir_create_file(qmail_send_t, qmail_spool_t)
+allow qmail_send_t qmail_spool_t:fifo_file read;
+allow qmail_send_t self:process { fork signal_perms };
+allow qmail_send_t self:fifo_file write;
+domain_auto_trans(qmail_send_t, qmail_queue_exec_t, qmail_queue_t)
+allow qmail_send_t sbin_t:dir search;
+
+qmail_daemon_domain(splogger)
+allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
+allow qmail_splogger_t etc_t:lnk_file read;
+dontaudit qmail_splogger_t initrc_t:fd use;
+read_locale(qmail_splogger_t)
+
+qmail_daemon_domain(rspawn)
+allow qmail_rspawn_t qmail_spool_t:dir search;
+allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
+allow qmail_rspawn_t self:process { fork signal_perms };
+allow qmail_rspawn_t self:fifo_file read;
+allow qmail_rspawn_t { bin_t sbin_t }:dir search;
+
+qmaild_sub_domain(qmail_rspawn_t, qmail_remote)
+allow qmail_rspawn_t qmail_remote_exec_t:file read;
+can_network_server(qmail_remote_t)
+can_ypbind(qmail_remote_t)
+allow qmail_remote_t qmail_spool_t:dir search;
+allow qmail_remote_t qmail_spool_t:file rw_file_perms;
+allow qmail_remote_t self:tcp_socket create_socket_perms;
+allow qmail_remote_t self:udp_socket create_socket_perms;
+
+qmail_daemon_domain(clean)
+allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
+allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
+
+# privhome will do until we get a separate maildir type
+qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent')
+allow qmail_lspawn_t qmail_local_exec_t:file read;
+allow qmail_local_t self:process { fork signal_perms };
+domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t)
+allow qmail_local_t qmail_queue_exec_t:file read;
+allow qmail_local_t qmail_spool_t:file { ioctl read };
+allow qmail_local_t self:fifo_file write;
+allow qmail_local_t sbin_t:dir search;
+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
+allow qmail_local_t etc_t:file { getattr read };
+
+# for piping mail to a command
+can_exec(qmail_local_t, shell_exec_t)
+allow qmail_local_t bin_t:dir search;
+allow qmail_local_t bin_t:lnk_file read;
+allow qmail_local_t devtty_t:chr_file rw_file_perms;
+allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read };
+
+ifdef(`tcpd.te', `
+qmaild_sub_domain(tcpd_t, qmail_tcp_env)
+# bug
+can_exec(tcpd_t, tcpd_exec_t)
+', `
+qmaild_sub_domain(inetd_t, qmail_tcp_env)
+')
+allow qmail_tcp_env_t inetd_t:fd use;
+allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr };
+allow qmail_tcp_env_t inetd_t:process sigchld;
+allow qmail_tcp_env_t sbin_t:dir search;
+can_network_server(qmail_tcp_env_t)
+can_ypbind(qmail_tcp_env_t)
+
+qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
+allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
+can_network_server(qmail_smtpd_t)
+can_ypbind(qmail_smtpd_t)
+allow qmail_smtpd_t inetd_t:fd use;
+allow qmail_smtpd_t inetd_t:tcp_socket { read write };
+allow qmail_smtpd_t inetd_t:process sigchld;
+allow qmail_smtpd_t self:process { fork signal_perms };
+allow qmail_smtpd_t self:fifo_file write;
+allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+allow qmail_smtpd_t sbin_t:dir search;
+domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t)
+allow qmail_smtpd_t qmail_queue_exec_t:file read;
+
+qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent')
+allow qmail_inject_t self:process { fork signal_perms };
+allow qmail_inject_t self:fifo_file write;
+allow qmail_inject_t sbin_t:dir search;
+role sysadm_r types qmail_inject_t;
+in_user_role(qmail_inject_t)
+
+qmaild_sub_domain(userdomain, qmail_qread, `, mta_user_agent')
+in_user_role(qmail_qread_t)
+role sysadm_r types qmail_qread_t;
+r_dir_file(qmail_qread_t, qmail_spool_t)
+allow qmail_qread_t self:capability dac_override;
+allow qmail_qread_t privfd:fd use;
+
+qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent')
+role sysadm_r types qmail_queue_t;
+in_user_role(qmail_queue_t)
+allow qmail_inject_t qmail_queue_exec_t:file read;
+rw_dir_create_file(qmail_queue_t, qmail_spool_t)
+allow qmail_queue_t qmail_spool_t:fifo_file { read write };
+allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use;
+allow qmail_queue_t qmail_lspawn_t:fifo_file write;
+allow qmail_queue_t qmail_start_t:fifo_file { read write };
+allow qmail_queue_t privfd:fd use;
+allow qmail_queue_t crond_t:fifo_file { read write };
+allow qmail_queue_t inetd_t:fd use;
+allow qmail_queue_t inetd_t:tcp_socket { read write };
+allow qmail_queue_t sysadm_t:fd use;
+allow qmail_queue_t sysadm_t:fifo_file write;
+
+allow user_crond_t qmail_etc_t:dir search;
+allow user_crond_t qmail_etc_t:file read;
+
+qmaild_sub_domain(user_crond_t, qmail_serialmail)
+in_user_role(qmail_serialmail_t)
+can_network_server(qmail_serialmail_t)
+can_ypbind(qmail_serialmail_t)
+can_exec(qmail_serialmail_t, qmail_serialmail_exec_t)
+allow qmail_serialmail_t self:process { fork signal_perms };
+allow qmail_serialmail_t proc_t:file { getattr read };
+allow qmail_serialmail_t etc_runtime_t:file { getattr read };
+allow qmail_serialmail_t home_root_t:dir search;
+allow qmail_serialmail_t user_home_dir_type:dir { search read getattr };
+rw_dir_create_file(qmail_serialmail_t, user_home_type)
+allow qmail_serialmail_t self:fifo_file { read write };
+allow qmail_serialmail_t self:udp_socket create_socket_perms;
+allow qmail_serialmail_t self:tcp_socket create_socket_perms;
+allow qmail_serialmail_t privfd:fd use;
+allow qmail_serialmail_t crond_t:fifo_file { read write ioctl };
+allow qmail_serialmail_t devtty_t:chr_file { read write };
+
+# for tcpclient
+can_exec(qmail_serialmail_t, bin_t)
+allow qmail_serialmail_t bin_t:dir search;
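Review bot: The `# bug` comment at L16530 above `can_exec(tcpd_t, tcpd_exec_t)` does not say what is broken or why tcpd must re-execute its own binary, so a later reader cannot tell whether the rule is still needed; replace it with a comment naming the problem it works around. `qmaild_sub_domain(userdomain, qmail_qread, ...)` at L16563 together with `allow qmail_qread_t self:capability dac_override;` at L16567 lets any user domain enter a domain that bypasses file permissions on the spool; if qmail-qread is meant for administrators only, limiting the entry domain to sysadm_t would avoid that, otherwise a comment should state that queue inspection by all users is intended. The doubled blank lines at L16418-16419 and L16451-16452 can be collapsed.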
diff --git a/strict/domains/program/unused/resmgrd.te b/strict/domains/program/unused/resmgrd.te
new file mode 100644
index 0000000..9224ad3
--- /dev/null
+++ b/strict/domains/program/unused/resmgrd.te
@@ -0,0 +1,25 @@
+# DESC resmgrd - resource manager daemon
+#
+# Author: Thomas Bleher <ThomasBleher at gmx.de>
+ 
+daemon_base_domain(resmgrd)
+var_run_domain(resmgrd, { file sock_file })
+etc_domain(resmgrd)
+read_locale(resmgrd_t)
+allow resmgrd_t self:capability { dac_override dac_read_search sys_admin sys_rawio };
+
+allow resmgrd_t etc_t:file { getattr read };
+allow resmgrd_t self:unix_stream_socket create_stream_socket_perms; 
+allow resmgrd_t self:unix_dgram_socket create_socket_perms;
+
+# hardware access
+allow resmgrd_t device_t:lnk_file { getattr read };
+# not sure if it needs write access, needs to be investigated further...
+allow resmgrd_t removable_device_t:blk_file { getattr ioctl read write };
+allow resmgrd_t scsi_generic_device_t:chr_file { getattr ioctl read write };
+allow resmgrd_t scanner_device_t:chr_file { getattr };
+# I think a dontaudit should be enough there
+dontaudit resmgrd_t fixed_disk_device_t:blk_file { getattr ioctl read };
+
+# there is a macro can_resmgrd_connect() in macros/program/resmgrd_macros.te
+
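Review bot: The comment at L16632 says write access on removable_device_t and scsi_generic_device_t is unverified, yet L16633-16634 grant `write` anyway; the least-privilege way to settle it is to grant `{ getattr ioctl read }` now and add `write` once a denial shows it is needed. L16619 and L16627 carry trailing whitespace, and `{ getattr }` at L16635 does not need braces. The comment above L16637 (`# I think a dontaudit should be enough there`) should state the conclusion rather than the doubt.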
diff --git a/strict/domains/program/unused/rssh.te b/strict/domains/program/unused/rssh.te
new file mode 100644
index 0000000..73bab4a
--- /dev/null
+++ b/strict/domains/program/unused/rssh.te
@@ -0,0 +1,13 @@
+#DESC Rssh - Restricted (scp/sftp) only shell
+#
+# Authors: Colin Walters <walters at verbum.org>
+# X-Debian-Package: rssh
+#
+
+type rssh_exec_t, file_type, sysadmfile, exec_type;
+
+ifdef(`ssh.te',`
+allow sshd_t rssh_exec_t:file r_file_perms;
+')
+
+# See rssh_macros.te for the rest.
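Review bot: The header key at L16650 is `# X-Debian-Package: rssh`, while every other file in this commit uses `X-Debian-Packages:` (nessusd.te L15774, perdition.te L16219); if anything parses these headers the singular form will be missed, so it should be `# X-Debian-Packages: rssh`.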
diff --git a/strict/domains/program/unused/scannerdaemon.te b/strict/domains/program/unused/scannerdaemon.te
new file mode 100644
index 0000000..6245e8b
--- /dev/null
+++ b/strict/domains/program/unused/scannerdaemon.te
@@ -0,0 +1,58 @@
+#DESC Scannerdaemon - Virus scanner daemon
+#
+# Author:  Brian May <bam at snoopy.apana.org.au>
+# X-Debian-Packages:
+#
+
+#################################
+#
+# Rules for the scannerdaemon_t domain.
+#
+type scannerdaemon_etc_t, file_type, sysadmfile;
+
+#networking
+daemon_domain(scannerdaemon)
+can_network_server(scannerdaemon_t)
+ifdef(`postfix.te',
+`can_tcp_connect(postfix_bounce_t,scannerdaemon_t);')
+
+# for testing
+can_tcp_connect(sysadm_t,scannerdaemon_t)
+
+# Can create unix sockets
+allow scannerdaemon_t self:unix_stream_socket create_stream_socket_perms;
+
+# Access config files (libc6).
+allow scannerdaemon_t etc_t:file r_file_perms;
+allow scannerdaemon_t etc_t:lnk_file r_file_perms;
+allow scannerdaemon_t proc_t:file r_file_perms;
+allow scannerdaemon_t etc_runtime_t:file r_file_perms;
+
+# Access config files (scannerdaemon).
+allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms;
+
+# Access signature files.
+ifdef(`oav-update.te',`
+allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms;
+allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms;
+')
+
+log_domain(scannerdaemon)
+ifdef(`logrotate.te', `
+allow logrotate_t scannerdaemon_log_t:file create_file_perms;
+')
+
+# Can run kaffe
+# Run helper programs.
+can_exec_any(scannerdaemon_t)
+allow scannerdaemon_t var_lib_t:dir search;
+allow scannerdaemon_t { sbin_t bin_t }:dir search;
+allow scannerdaemon_t bin_t:lnk_file read;
+
+# unknown stuff
+allow scannerdaemon_t self:fifo_file { read write };
+
+# broken stuff
+dontaudit scannerdaemon_t sysadm_home_dir_t:dir search;
+dontaudit scannerdaemon_t devtty_t:chr_file { read write };
+dontaudit scannerdaemon_t shadow_t:file { read getattr };
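Review bot: `can_tcp_connect(postfix_bounce_t,scannerdaemon_t);` at L16682 ends with a `;` that no other macro call in these files carries (compare L16685); the macro already expands to complete rules, so the trailing `;` is at best an empty statement and may not be accepted by checkpolicy, and it should be removed. `dontaudit scannerdaemon_t shadow_t:file { read getattr };` at L16723 silences attempts by a network-serving daemon (L16680) to read shadow_t; that is exactly the kind of denial an auditor wants to see, so unless the cause is understood (the `# broken stuff` heading suggests it is not) it is better left audited. `can_exec_any(scannerdaemon_t)` at L16712 under `# Can run kaffe` is far broader than the comment; if only the JVM is needed, `can_exec(scannerdaemon_t, bin_t)` is the narrower rule.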
diff --git a/strict/domains/program/unused/seuser.te b/strict/domains/program/unused/seuser.te
new file mode 100644
index 0000000..dc87742
--- /dev/null
+++ b/strict/domains/program/unused/seuser.te
@@ -0,0 +1,148 @@
+#DESC SE Linux User Manager (seuser)
+#DEPENDS checkpolicy.te load_policy.te
+#
+# Authors:   don.patterson at tresys.com, mayerf at tresys.com
+# Additions: wsalamon at tislabs.com, dac at tresys.com
+
+#
+
+#################################
+#
+# Rules for the seuser_t domain.
+#
+# seuser_t is the domain of the seuser application when it is executed.
+# seuser_conf_t is the type of the seuser configuration file.
+# seuser_exec_t is the type of the seuser executable.
+# seuser_tmp_t is the type of the temporary file(s) created by seuser.
+# 
+##############################################
+# Define types, and typical rules including
+# access to execute and transition
+##############################################
+
+# Defined seuser types
+type seuser_t, domain, privhome  ;
+type seuser_conf_t, file_type, sysadmfile ;
+type seuser_exec_t, file_type, sysadmfile, exec_type ;
+tmp_domain(seuser)
+
+# Authorize roles
+role sysadm_r types seuser_t ;
+
+# Allow sysadm_t to run with privilege
+domain_auto_trans(sysadm_t, seuser_exec_t, seuser_t)
+
+# Grant the new domain permissions to many common operations
+# FIX: Should be more resticted than this.
+#every_domain(seuser_t)
+allow seuser_t self:process { fork sigchld };
+allow seuser_t self:fifo_file read;
+allow seuser_t self:unix_stream_socket {create connect};
+allow seuser_t self:dir search;
+allow seuser_t self:file { read getattr };
+
+allow seuser_t etc_t:dir search;
+allow seuser_t etc_t:{lnk_file file} { read getattr};
+read_locale(seuser_t)
+allow seuser_t { var_run_t var_t}:dir search;
+
+uses_shlib(seuser_t)
+
+allow seuser_t devtty_t:chr_file {read write };
+allow seuser_t proc_t:dir search;
+allow seuser_t proc_t:{lnk_file file} { getattr read };
+
+allow seuser_t root_t:dir search;
+allow seuser_t staff_home_dir_t:dir search;
+allow seuser_t home_root_t:dir { getattr search };
+allow seuser_t staff_home_dir_t:dir getattr;
+allow seuser_t default_t:file {read getattr};
+
+allow seuser_t bin_t:dir { getattr search read} ;
+allow seuser_t bin_t:lnk_file { read getattr };
+allow seuser_t sbin_t:dir search;
+
+# Inherit and use descriptors from login.
+allow seuser_t privfd:fd use;
+
+###############################################
+
+# Use capabilities to self
+allow seuser_t self:capability { dac_override setuid setgid } ;
+
+# Grant the seuser domain ability to change passwords for a user.
+allow seuser_t self:passwd { passwd chfn chsh } ;
+
+# Read permissions for seuser.conf file
+allow seuser_t seuser_conf_t:file r_file_perms ;
+
+
+###################################################################
+# Policy section: Define the ability to change and load policies
+###################################################################
+
+# seuser_t domain needs to transition to the checkpolicy and loadpolicy 
+# domains in order to install and load new policies.
+domain_auto_trans(seuser_t, checkpolicy_exec_t, checkpolicy_t)
+domain_auto_trans(seuser_t, load_policy_exec_t, load_policy_t)
+
+# allow load_policy and checkpolicy domains access to seuser_tmp_t
+# files in order for their stdout/stderr able to be put into
+# seuser's tmp files.
+#
+# Since both these domains carefully try to limit where the
+# assoicated program can read from, we won't use the standard
+# rw_file_perm macro, but instead only grant the minimum needed
+# to redirect output, write and getattr.
+allow checkpolicy_t seuser_tmp_t:file { getattr write } ;
+allow load_policy_t seuser_tmp_t:file { getattr write } ;
+allow useradd_t seuser_tmp_t:file { getattr write } ;
+
+
+# FIX:  Temporarily allow seuser_t permissions for executing programs with a 
+# bint_t type without changing domains. We have to give seuser_t the following 
+# access because we use the policy make process to build new plicy.conf files. 
+# At some point, a new policy management infrastructure should remove the ability 
+# to modify policy source files with arbitrary progams
+#
+can_exec(seuser_t, bin_t)
+can_exec(seuser_t, shell_exec_t)
+
+
+# Read/write permission to the login context files in /etc/security
+allow seuser_t login_contexts:file create_file_perms ;
+
+# Read/write permission to the policy source and its' directory
+allow seuser_t policy_src_t:dir create_dir_perms ;
+allow seuser_t policy_src_t:file create_file_perms ;
+
+# Allow search and stat for policy_config_t
+allow seuser_t policy_config_t:dir { search getattr } ;
+allow seuser_t policy_config_t:file stat_file_perms;
+
+
+#ifdef(`xserver.te', `
+############################################################
+# Xserver section - To support our GUI interface, 
+############################################################
+# Permission to create files in /tmp/.X11-Unix
+#allow seuser_t sysadm_xserver_tmp_t:dir search ;
+#allow seuser_t sysadm_xserver_tmp_t:sock_file write ;
+#allow seuser_t user_xserver_tmp_t:dir search ;
+#allow seuser_t user_xserver_tmp_t:sock_file write ;
+
+# Permission to establish a Unix stream connection to X server
+#can_unix_connect(seuser_t, user_xserver_t)
+#can_unix_connect(seuser_t, sysadm_xserver_t)
+#')
+ifdef(`xdm.te', `
+can_unix_connect(seuser_t, xdm_xserver_t)
+')
+
+# seuser_t domain needs execute access to the library files so that it can run.
+can_exec(seuser_t, lib_t)
+
+# Access ttys
+allow seuser_t sysadm_tty_device_t:chr_file rw_file_perms ;
+allow seuser_t sysadm_devpts_t:chr_file rw_file_perms ;
+
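Review bot: The FIX comment above `can_exec(seuser_t, bin_t)` and `can_exec(seuser_t, shell_exec_t)` concedes these are temporary, yet together with `create_dir_perms`/`create_file_perms` on policy_src_t and `create_file_perms` on login_contexts they let a policy-management domain run arbitrary bin_t programs that can rewrite policy sources and login contexts. If it must stay, the comment should record what would allow its removal rather than "at some point"; a tracking TODO with the planned replacement would make the debt visible. The commented-out xserver block between `#ifdef(`xserver.te', `` and `#')` is dead text while a live `ifdef(`xdm.te', `` exists just below; either delete it or turn it into a real ifdef with a note on why it is disabled.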
diff --git a/strict/domains/program/unused/snort.te b/strict/domains/program/unused/snort.te
new file mode 100644
index 0000000..d0ddd69
--- /dev/null
+++ b/strict/domains/program/unused/snort.te
@@ -0,0 +1,33 @@
+#DESC Snort - Network sniffer
+#
+# Author: Shaun Savage <savages at pcez.com> 
+# Modified by Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: snort-common
+#
+
+daemon_domain(snort)
+
+logdir_domain(snort)
+allow snort_t snort_log_t:dir create;
+can_network_server(snort_t)
+type snort_etc_t, file_type, sysadmfile;
+
+# Create temporary files.
+tmp_domain(snort)
+
+# use iptable netlink
+allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow snort_t self:packet_socket create_socket_perms;
+allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+
+r_dir_file(snort_t, snort_etc_t)
+allow snort_t etc_t:file { getattr read };
+allow snort_t etc_t:lnk_file read;
+
+allow snort_t self:unix_dgram_socket create_socket_perms;
+allow snort_t self:unix_stream_socket create_socket_perms;
+
+# for start script
+allow initrc_t snort_etc_t:file read;
+
+dontaudit snort_t { etc_runtime_t proc_t }:file read;
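Review bot: `allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };` includes dac_override with no comment, and nothing else in the hunk shows a file access that would need it, since the daemon's own types (snort_etc_t, snort_log_t, snort_tmp_t) are granted directly. If it is there for a specific path, a comment naming it would let a later reader check whether relabeling would remove the need; otherwise it is a candidate to drop. The `# use iptable netlink` comment above the netlink_route_socket rule reads oddly, since netlink_route_socket is the routing socket rather than iptables; `# read routing table via netlink` would match the permissions granted.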
diff --git a/strict/domains/program/unused/sound-server.te b/strict/domains/program/unused/sound-server.te
new file mode 100644
index 0000000..09894f0
--- /dev/null
+++ b/strict/domains/program/unused/sound-server.te
@@ -0,0 +1,43 @@
+#DESC sound server - for network audio server programs, nasd, yiff, etc
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+
+#################################
+#
+# Rules for the soundd_t domain.
+#
+# soundd_exec_t is the type of the soundd executable.
+#
+daemon_domain(soundd)
+
+type soundd_port_t, port_type;
+allow soundd_t soundd_port_t:tcp_socket name_bind;
+
+type etc_soundd_t, file_type, sysadmfile;
+type soundd_state_t, file_type, sysadmfile;
+
+tmp_domain(soundd)
+rw_dir_create_file(soundd_t, soundd_state_t)
+
+allow soundd_t sound_device_t:chr_file rw_file_perms;
+allow soundd_t device_t:lnk_file read;
+
+# Use the network.
+can_network_server(soundd_t)
+allow soundd_t self:unix_stream_socket create_stream_socket_perms;
+allow soundd_t self:unix_dgram_socket create_socket_perms;
+# allow any domain to connect to the sound server
+can_tcp_connect(userdomain, soundd_t)
+
+allow soundd_t self:process setpgid;
+
+# read config files
+allow soundd_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
+
+allow soundd_t etc_t:dir r_dir_perms;
+r_dir_file(soundd_t, etc_soundd_t)
+
+# for yiff - probably need some rules for the client support too
+allow soundd_t self:shm create_shm_perms;
+tmpfs_domain(soundd)
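Review bot: The comment `# allow any domain to connect to the sound server` does not match the rule below it, `can_tcp_connect(userdomain, soundd_t)`, which grants only the userdomain attribute. Either the comment should say `# allow user domains to connect to the sound server` or, if any domain really was intended, the rule should say so; as written a reader cannot tell which is the mistake.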
diff --git a/strict/domains/program/unused/speedmgmt.te b/strict/domains/program/unused/speedmgmt.te
new file mode 100644
index 0000000..6d399fb
--- /dev/null
+++ b/strict/domains/program/unused/speedmgmt.te
@@ -0,0 +1,26 @@
+#DESC Speedmgmt - Alcatel speedtouch USB ADSL modem
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+
+#################################
+#
+# Rules for the speedmgmt_t domain.
+#
+# speedmgmt_exec_t is the type of the speedmgmt executable.
+#
+daemon_domain(speedmgmt)
+tmp_domain(speedmgmt)
+
+# for accessing USB
+allow speedmgmt_t proc_t:dir r_dir_perms;
+allow speedmgmt_t usbdevfs_t:file rw_file_perms;
+allow speedmgmt_t usbdevfs_t:dir r_dir_perms;
+
+allow speedmgmt_t usr_t:file r_file_perms;
+
+allow speedmgmt_t self:unix_dgram_socket create_socket_perms;
+
+# allow time
+allow speedmgmt_t etc_t:dir r_dir_perms;
+allow speedmgmt_t etc_t:lnk_file r_file_perms;
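Review bot: The comment `# allow time` above the etc_t dir and lnk_file rules does not say what is being accessed; presumably a timezone lookup under /etc, but the reader has to guess. Something like `# read /etc directory and symlinks (timezone lookup) -- confirm which file` would make the intent checkable.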
diff --git a/strict/domains/program/unused/sxid.te b/strict/domains/program/unused/sxid.te
new file mode 100644
index 0000000..c827eae
--- /dev/null
+++ b/strict/domains/program/unused/sxid.te
@@ -0,0 +1,61 @@
+#DESC Sxid - SUID/SGID program monitoring
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: sxid
+#
+
+#################################
+#
+# Rules for the sxid_t domain.
+#
+# sxid_exec_t is the type of the sxid executable.
+#
+daemon_base_domain(sxid, `, privmail')
+tmp_domain(sxid)
+
+allow sxid_t fs_t:filesystem getattr;
+
+ifdef(`crond.te', `
+system_crond_entry(sxid_exec_t, sxid_t)
+')
+#allow system_crond_t sxid_log_t:file create_file_perms;
+
+read_locale(sxid_t)
+
+can_exec(sxid_t, { shell_exec_t bin_t sbin_t mount_exec_t })
+allow sxid_t bin_t:lnk_file read;
+
+log_domain(sxid)
+
+allow sxid_t file_type:notdevfile_class_set getattr;
+allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
+allow sxid_t ttyfile:chr_file getattr;
+allow sxid_t file_type:dir { getattr read search };
+allow sxid_t sysadmfile:file read;
+allow sxid_t fs_type:dir { getattr read search };
+
+# Use the network.
+can_network_server(sxid_t)
+allow sxid_t self:fifo_file rw_file_perms;
+allow sxid_t self:unix_stream_socket create_socket_perms;
+
+allow sxid_t { proc_t self }:{ file lnk_file } { read getattr };
+read_sysctl(sxid_t)
+allow sxid_t devtty_t:chr_file rw_file_perms;
+
+allow sxid_t self:capability { dac_override dac_read_search fsetid };
+dontaudit sxid_t self:capability { setuid setgid };
+
+ifdef(`mta.te', `
+# sxid leaves an open file handle to /proc/mounts
+dontaudit { system_mail_t mta_user_agent } sxid_t:file { read getattr };
+
+# allow mta to read the log files
+allow { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file { getattr read };
+# stop warnings if mailx is passed a read/write file handle
+dontaudit { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file write;
+')
+
+allow logrotate_t sxid_t:file { getattr write };
+
+dontaudit sxid_t security_t:dir { getattr read search };
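Review bot: `allow logrotate_t sxid_t:file { getattr write };` references logrotate_t unconditionally, whereas the mta rules just above are wrapped in `ifdef(`mta.te', `` and other files in this commit (for example scannerdaemon.te) guard logrotate_t with `ifdef(`logrotate.te', ``. If logrotate.te is not part of the build this line fails to compile, so it should be wrapped the same way. The rule itself is also unusual: it grants logrotate_t write on sxid_t, a process type, and a comment explaining the file-handle inheritance it is meant to cover would help.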
diff --git a/strict/domains/program/unused/tinydns.te b/strict/domains/program/unused/tinydns.te
new file mode 100644
index 0000000..a8c101a
--- /dev/null
+++ b/strict/domains/program/unused/tinydns.te
@@ -0,0 +1,58 @@
+#DESC TINYDNS - Name server for djbdns
+#
+# Authors:  Matthew J. Fanto <mattjf at uncompiled.com>
+# 
+# Based off Named policy file written by
+# 	Yuichi Nakamura <ynakam at ori.hitachi-sk.co.jp>,
+# 	Russell Coker
+# X-Debian-Packages: djbdns-installer djbdns
+# 
+#
+
+#################################
+#
+# Rules for the tinydns_t domain.
+#
+daemon_domain(tinydns)
+
+can_exec(tinydns_t, tinydns_exec_t)
+allow tinydns_t sbin_t:dir search;
+
+allow tinydns_t self:process setsched;
+
+# A type for configuration files of tinydns.
+type tinydns_conf_t, file_type, sysadmfile;
+
+# for primary zone files - the data file
+type tinydns_zone_t, file_type, sysadmfile;
+
+allow tinydns_t etc_t:file { getattr read };
+allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read };
+
+#tinydns can use network
+can_network_server(tinydns_t)
+allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind;
+# allow UDP transfer to/from any program
+can_udp_send(domain, tinydns_t)
+can_udp_send(tinydns_t, domain)
+# tinydns itself doesn't do zone transfers
+# so we don't need to have it tcp_connect
+
+#read configuration files
+r_dir_file(tinydns_t, tinydns_conf_t)
+
+r_dir_file(tinydns_t, tinydns_zone_t)
+
+# allow tinydns to create datagram sockets (udp)
+# allow tinydns_t self:unix_stream_socket create_stream_socket_perms;
+allow tinydns_t self:unix_dgram_socket create_socket_perms;
+
+# Read /dev/random.
+allow tinydns_t device_t:dir r_dir_perms;
+allow tinydns_t random_device_t:chr_file r_file_perms;
+
+# Set own capabilities.
+allow tinydns_t self:process setcap;
+
+# for chmod in start script
+dontaudit initrc_t tinydns_var_run_t:dir setattr;
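Review bot: `allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind;` grants a TCP bind while the comment a few lines later says tinydns does not do zone transfers; in djbdns the TCP side is served by a separate program (axfrdns), so the tcp_socket bind here looks broader than the daemon needs. Unless a TCP listener is known to be required, `allow tinydns_t dns_port_t:udp_socket name_bind;` would match the comment; otherwise the comment should say why TCP is bound. The pair `can_udp_send(domain, tinydns_t)` / `can_udp_send(tinydns_t, domain)` is appropriate for a resolver-facing name server, but the comment could say that explicitly rather than "any program".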
diff --git a/strict/domains/program/unused/transproxy.te b/strict/domains/program/unused/transproxy.te
new file mode 100644
index 0000000..fb0710f
--- /dev/null
+++ b/strict/domains/program/unused/transproxy.te
@@ -0,0 +1,38 @@
+#DESC Transproxy - Transparent proxy for web access
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: transproxy
+#
+
+#################################
+#
+# Rules for the transproxy_t domain.
+#
+# transproxy_exec_t is the type of the transproxy executable.
+#
+daemon_domain(transproxy)
+
+type transproxy_port_t, port_type;
+
+# Use the network.
+can_network_server_tcp(transproxy_t)
+allow transproxy_t transproxy_port_t:tcp_socket name_bind;
+
+#allow transproxy_t self:fifo_file { read write };
+allow transproxy_t self:unix_stream_socket create_socket_perms;
+allow transproxy_t self:unix_dgram_socket create_socket_perms;
+
+# Use capabilities
+allow transproxy_t self:capability { setgid setuid };
+#allow transproxy_t self:process setsched;
+
+#allow transproxy_t proc_t:file r_file_perms;
+
+# read config files
+allow transproxy_t etc_t:lnk_file read;
+allow transproxy_t etc_t:file { read getattr };
+
+#allow transproxy_t etc_t:dir r_dir_perms;
+
+#read_sysctl(transproxy_t)
+
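Review bot: Six of the rules in this file are commented out (`#allow transproxy_t self:fifo_file ...`, `#allow transproxy_t self:process setsched;`, `#allow transproxy_t proc_t:file r_file_perms;`, `#allow transproxy_t etc_t:dir r_dir_perms;`, `#read_sysctl(transproxy_t)`) with no note on whether they were found unnecessary or are pending. A one-line comment such as `# the rules below were not needed in testing; kept for reference` or deleting them would stop a later maintainer from re-enabling them blindly.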
diff --git a/strict/domains/program/unused/uml_net.te b/strict/domains/program/unused/uml_net.te
new file mode 100644
index 0000000..63ae6b7
--- /dev/null
+++ b/strict/domains/program/unused/uml_net.te
@@ -0,0 +1,30 @@
+#DESC uml_net helper program for user-mode Linux
+#
+# Author: Russell Coker <russell at coker.com.au>
+#
+# WARNING: Do not install this file on any machine that has hostile users.
+
+type uml_net_t, domain, privlog;
+type uml_net_exec_t, file_type, sysadmfile, exec_type;
+in_user_role(uml_net_t)
+allow uml_net_t self:process { fork signal_perms };
+allow uml_net_t { bin_t sbin_t }:dir search;
+allow uml_net_t self:fifo_file { read write };
+allow uml_net_t device_t:dir search;
+allow uml_net_t self:udp_socket { create ioctl };
+uses_shlib(uml_net_t)
+allow uml_net_t devtty_t:chr_file { read write };
+allow uml_net_t etc_runtime_t:file { getattr read };
+allow uml_net_t etc_t:file read;
+allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search;
+allow uml_net_t proc_t:file { getattr read };
+
+# if you want ip_forward to be set then you should set it yourself
+dontaudit uml_net_t { sysctl_t sysctl_net_t }:dir search;
+dontaudit uml_net_t sysctl_net_t:file write;
+
+dontaudit ifconfig_t uml_net_t:udp_socket { read write };
+dontaudit uml_net_t self:capability sys_module;
+
+allow uml_net_t tun_tap_device_t:chr_file { read write getattr ioctl };
+can_exec(uml_net_t, { shell_exec_t sbin_t })
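Review bot: The file declares `uml_net_exec_t` and puts uml_net_t in the user roles via `in_user_role(uml_net_t)`, but no `domain_auto_trans` or `can_exec` into uml_net_exec_t appears in the hunk, so how a user reaches the domain is not visible here and may be defined elsewhere. Given the WARNING at the top about hostile users, a comment stating where the entry transition lives (or adding it here) would let a reader judge the exposure. The reason for the warning itself is also unstated; `# uml_net is a setuid helper that configures tun/tap networking -- confirm` style of note above `allow uml_net_t tun_tap_device_t:chr_file ...` would document what the rw/ioctl access is for.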
diff --git a/strict/domains/program/unused/uptimed.te b/strict/domains/program/unused/uptimed.te
new file mode 100644
index 0000000..c4bd79e
--- /dev/null
+++ b/strict/domains/program/unused/uptimed.te
@@ -0,0 +1,36 @@
+#DESC uptimed - a uptime daemon
+#
+# Author:  Carsten Grohmann <carsten at securityenhancedlinux.de>
+#
+# Date:  19. June 2003 
+#
+
+#################################
+#
+# General Types
+#
+
+type etc_uptimed_t, file_type, sysadmfile;
+type uptimed_spool_t, file_type, sysadmfile;
+
+#################################
+#
+# Rules for the uptimed_t domain.
+#
+daemon_domain(uptimed, `,privmail')
+file_type_auto_trans(uptimed_t, var_spool_t, uptimed_spool_t)
+allow uptimed_t { etc_uptimed_t proc_t }:file { getattr read };
+read_locale(uptimed_t)
+allow uptimed_t uptimed_spool_t:file create_file_perms;
+allow uptimed_t self:unix_dgram_socket create_socket_perms;
+
+# to send mail
+can_exec(uptimed_t, shell_exec_t)
+allow uptimed_t { bin_t sbin_t }:dir search;
+allow uptimed_t bin_t:lnk_file read;
+allow uptimed_t etc_runtime_t:file { getattr read };
+allow uptimed_t self:fifo_file { getattr write };
+
+# rules for uprecords - it runs in the user context
+allow userdomain uptimed_spool_t:dir search;
+allow userdomain uptimed_spool_t:file { getattr read };
diff --git a/strict/domains/program/unused/uwimapd.te b/strict/domains/program/unused/uwimapd.te
new file mode 100644
index 0000000..7274d38
--- /dev/null
+++ b/strict/domains/program/unused/uwimapd.te
@@ -0,0 +1,46 @@
+#DESC uw-imapd-ssl server
+#
+# Author:  Ed Street <edstreet at street-tek.com>
+# X-Debian-Packages: uw-imapd (was uw-imapd-ssl)
+# Depends: inetd.te
+#
+
+daemon_domain(imapd, `, auth_chkpwd, privhome')
+tmp_domain(imapd)
+
+can_network_server_tcp(imapd_t)
+
+#declare our own services
+allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+allow imapd_t pop_port_t:tcp_socket name_bind;
+
+#declare this a socket from inetd
+allow imapd_t self:unix_dgram_socket { sendto create_socket_perms };
+allow imapd_t self:unix_stream_socket create_socket_perms;
+domain_auto_trans(inetd_t, imapd_exec_t, imapd_t)
+ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, imapd_exec_t, imapd_t)')
+
+#friendly stuff we dont want to see :)
+dontaudit imapd_t bin_t:dir search;
+
+#read /etc/ for hostname nsswitch.conf
+allow imapd_t etc_t:file { getattr read };
+
+#socket i/o stuff
+allow imapd_t inetd_t:tcp_socket { read write ioctl getattr };
+
+#read resolv.conf
+allow imapd_t net_conf_t:file { getattr read };
+
+#urandom, for ssl
+allow imapd_t random_device_t:chr_file read;
+allow imapd_t urandom_device_t:chr_file { read getattr };
+
+allow imapd_t self:fifo_file rw_file_perms;
+
+#mail directory
+rw_dir_file(imapd_t, mail_spool_t)
+
+#home directory
+allow imapd_t home_root_t:dir search;
+allow imapd_t self:file { read getattr };
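Review bot: `allow imapd_t pop_port_t:tcp_socket name_bind;` binds an IMAP daemon to pop_port_t under the comment "declare our own services", which does not explain why the POP port type is the right one; if pop_port_t also covers the IMAP ports in this policy's port labelling, the comment should say so, and if not a dedicated port type is needed. The capability set on the line above includes `sys_resource` with no comment; a note on which limit the daemon raises would help. The `Depends: inetd.te` header line is the only thing recording that `domain_auto_trans(inetd_t, imapd_exec_t, imapd_t)` and `allow imapd_t inetd_t:tcp_socket ...` require inetd.te, while the tcpd rule is guarded by `ifdef(`tcpd.te', ...)`; consider guarding the inetd rules the same way or stating the hard dependency in a comment next to them.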
diff --git a/strict/domains/program/unused/watchdog.te b/strict/domains/program/unused/watchdog.te
new file mode 100644
index 0000000..2693382
--- /dev/null
+++ b/strict/domains/program/unused/watchdog.te
@@ -0,0 +1,52 @@
+#DESC Watchdog - Software watchdog daemon
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: watchdog
+#
+
+#################################
+#
+# Rules for the watchdog_t domain.
+#
+
+daemon_domain(watchdog, `, privmail')
+type watchdog_device_t, device_type, dev_fs;
+
+log_domain(watchdog)
+
+allow watchdog_t etc_t:file r_file_perms;
+allow watchdog_t etc_t:lnk_file read;
+allow watchdog_t self:unix_dgram_socket create_socket_perms;
+
+allow watchdog_t proc_t:file r_file_perms;
+
+allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };
+allow watchdog_t self:fifo_file rw_file_perms;
+allow watchdog_t self:unix_stream_socket create_socket_perms;
+can_network(watchdog_t)
+can_ypbind(watchdog_t)
+allow watchdog_t bin_t:dir search;
+allow watchdog_t bin_t:lnk_file read;
+allow watchdog_t init_t:process signal;
+allow watchdog_t kernel_t:process sigstop;
+
+allow watchdog_t watchdog_device_t:chr_file { getattr write };
+
+# for orderly shutdown
+can_exec(watchdog_t, shell_exec_t)
+allow watchdog_t domain:process { signal_perms getsession };
+allow watchdog_t self:capability kill;
+allow watchdog_t sbin_t:dir search;
+
+# for updating mtab on umount
+file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file)
+
+allow watchdog_t self:capability { sys_admin net_admin sys_boot };
+allow watchdog_t fixed_disk_device_t:blk_file swapon;
+allow watchdog_t { proc_t fs_t }:filesystem unmount;
+
+# record the fact that we are going down
+allow watchdog_t wtmp_t:file append;
+
+# do not care about saving the random seed
+dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read;
diff --git a/strict/domains/program/unused/xprint.te b/strict/domains/program/unused/xprint.te
new file mode 100644
index 0000000..e1af323
--- /dev/null
+++ b/strict/domains/program/unused/xprint.te
@@ -0,0 +1,50 @@
+#DESC X print server
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: xprt-xprintorg
+#
+
+#################################
+#
+# Rules for the xprint_t domain.
+#
+# xprint_exec_t is the type of the xprint executable.
+#
+daemon_domain(xprint)
+
+allow initrc_t readable_t:dir r_dir_perms;
+allow initrc_t fonts_t:dir r_dir_perms;
+
+allow xprint_t var_lib_t:dir search;
+allow xprint_t fonts_t:dir r_dir_perms;
+allow xprint_t fonts_t:file { getattr read };
+
+allow xprint_t { bin_t sbin_t }:dir search;
+can_exec(xprint_t, { bin_t sbin_t ls_exec_t shell_exec_t })
+allow xprint_t bin_t:lnk_file { getattr read };
+
+allow xprint_t tmp_t:dir { getattr search };
+ifdef(`xdm.te', `
+allow xprint_t xdm_xserver_tmp_t:dir rw_dir_perms;
+allow xprint_t xdm_xserver_tmp_t:sock_file create_file_perms;
+')
+
+# Use the network.
+can_network_server(xprint_t)
+can_ypbind(xprint_t)
+allow xprint_t self:fifo_file rw_file_perms;
+allow xprint_t self:unix_stream_socket create_stream_socket_perms;
+
+allow xprint_t proc_t:file { getattr read };
+allow xprint_t self:file { getattr read };
+
+# read config files
+allow xprint_t { etc_t etc_runtime_t }:file { getattr read };
+ifdef(`cups.te', `
+allow xprint_t cupsd_etc_t:dir search;
+allow xprint_t cupsd_etc_t:file { getattr read };
+')
+
+r_dir_file(xprint_t, usr_t)
+
+allow xprint_t urandom_device_t:chr_file { getattr read };
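Review bot: `allow initrc_t readable_t:dir r_dir_perms;` and `allow initrc_t fonts_t:dir r_dir_perms;` widen initrc_t, not xprint_t, and carry no comment, so a reader of the initrc policy would not find the reason here. Other files in this commit label such rules (snort.te uses `# for start script`); a comment such as `# for the xprint init script, which lists font directories` above them would make the grant traceable. `can_exec(xprint_t, { bin_t sbin_t ls_exec_t shell_exec_t })` is also uncommented; naming what the print server runs would help justify the breadth.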
diff --git a/strict/domains/program/updfstab.te b/strict/domains/program/updfstab.te
new file mode 100644
index 0000000..5c5c452
--- /dev/null
+++ b/strict/domains/program/updfstab.te
@@ -0,0 +1,74 @@
+#DESC updfstab - Red Hat utility to change /etc/fstab
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+
+daemon_base_domain(updfstab, `, fs_domain, etc_writer')
+
+rw_dir_create_file(updfstab_t, etc_t)
+create_dir_file(updfstab_t, mnt_t)
+
+# Read /dev directories and modify sym-links
+allow updfstab_t device_t:dir rw_dir_perms;
+allow updfstab_t device_t:lnk_file create_file_perms;
+
+# Access disk devices.
+allow updfstab_t fixed_disk_device_t:blk_file rw_file_perms;
+allow updfstab_t removable_device_t:blk_file rw_file_perms;
+allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms;
+
+# for /proc/partitions
+allow updfstab_t proc_t:file { getattr read };
+
+# for /proc/self/mounts
+r_dir_file(updfstab_t, self)
+
+# for /etc/mtab
+allow updfstab_t etc_runtime_t:file { getattr read };
+
+read_locale(updfstab_t)
+
+ifdef(`dbusd.te', `
+dbusd_client(system, updfstab)
+allow updfstab_t system_dbusd_t:dbus { send_msg };
+')
+
+# not sure what the sysctl_kernel_t file is, or why it wants to write it, so
+# I will not allow it
+read_sysctl(updfstab_t)
+dontaudit updfstab_t sysctl_kernel_t:file write;
+allow updfstab_t modules_conf_t:file { getattr read };
+allow updfstab_t sbin_t:dir search;
+allow updfstab_t sbin_t:lnk_file read;
+allow updfstab_t { var_t var_log_t }:dir search;
+
+allow updfstab_t kernel_t:fd use;
+
+allow updfstab_t self:unix_stream_socket create_stream_socket_perms;
+allow updfstab_t self:unix_dgram_socket create_socket_perms;
+
+ifdef(`modutil.te', `
+dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)
+can_exec(updfstab_t, insmod_exec_t)
+allow updfstab_t modules_object_t:dir search;
+allow updfstab_t modules_dep_t:file { getattr read };
+')
+
+ifdef(`pamconsole.te', `
+domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t)
+')
+allow updfstab_t kernel_t:system syslog_console;
+allow updfstab_t sysadm_tty_device_t:chr_file { read write };
+allow updfstab_t self:capability dac_override;
+dontaudit updfstab_t self:capability sys_admin;
+
+r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
+can_getsecurity(updfstab_t)
+
+allow updfstab_t { sbin_t bin_t }:dir { search getattr };
+dontaudit updfstab_t devtty_t:chr_file { read write };
+allow updfstab_t self:fifo_file { getattr read write ioctl };
+can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
+dontaudit updfstab_t home_root_t:dir { getattr search };
+dontaudit updfstab_t { home_dir_type home_type }:dir search;
+allow updfstab_t fs_t:filesystem { getattr };
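Review bot: The comment `# not sure what the sysctl_kernel_t file is, or why it wants to write it` leaves uncertainty in the policy text; sysctl_kernel_t is the type for /proc/sys/kernel, so the comment can state that and keep only the open question, e.g. `# updfstab tries to write under /proc/sys/kernel (sysctl_kernel_t); denied, works without it`. The `dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)` line inside the modutil ifdef disables a transition and instead allows `can_exec(updfstab_t, insmod_exec_t)`, which runs insmod in updfstab_t; a comment on why the transition was rejected would be useful since it is a deliberate choice.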
diff --git a/strict/domains/program/usbmodules.te b/strict/domains/program/usbmodules.te
new file mode 100644
index 0000000..f76f56b
--- /dev/null
+++ b/strict/domains/program/usbmodules.te
@@ -0,0 +1,35 @@
+#DESC USBModules - List kernel modules for USB devices
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages:
+#
+
+#################################
+#
+# Rules for the usbmodules_t domain.
+#
+type usbmodules_t, domain, privlog;
+type usbmodules_exec_t, file_type, sysadmfile, exec_type;
+
+in_user_role(usbmodules_t)
+role sysadm_r types usbmodules_t;
+role system_r types usbmodules_t;
+
+domain_auto_trans(initrc_t, usbmodules_exec_t, usbmodules_t)
+ifdef(`hotplug.te',`
+domain_auto_trans(hotplug_t, usbmodules_exec_t, usbmodules_t)
+allow usbmodules_t hotplug_etc_t:file r_file_perms;
+allow usbmodules_t hotplug_etc_t:dir search;
+')
+allow usbmodules_t init_t:fd use;
+allow usbmodules_t console_device_t:chr_file { read write };
+
+uses_shlib(usbmodules_t)
+
+# allow usb device access
+allow usbmodules_t usbdevfs_t:file rw_file_perms;
+
+allow usbmodules_t { etc_t modules_object_t proc_t usbdevfs_t }:dir r_dir_perms;
+
+# needs etc_t read access for the hotplug config, maybe should have a new type
+allow usbmodules_t { etc_t modules_dep_t }:file r_file_perms;
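Review bot: `in_user_role(usbmodules_t)` adds the domain to the user roles, but the only entry points in the file are `domain_auto_trans(initrc_t, ...)` and, under ifdef, `domain_auto_trans(hotplug_t, ...)`, both of which run in system_r; unless a user-domain transition exists elsewhere the user-role authorization appears unused and could be dropped to keep the domain's reachable roles minimal. The comment above the last rule already flags that etc_t read access is a stand-in for a dedicated hotplug config type; a TODO marker there would make it easier to find later.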
diff --git a/strict/domains/program/useradd.te b/strict/domains/program/useradd.te
new file mode 100644
index 0000000..2b1118f
--- /dev/null
+++ b/strict/domains/program/useradd.te
@@ -0,0 +1,100 @@
+#DESC Useradd - Manage system user accounts
+#
+# Authors:  Chris Vance <cvance at tislabs.com>  David Caplan <dac at tresys.com>
+#           Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: passwd
+#
+
+#################################
+#
+# Rules for the useradd_t and groupadd_t domains.
+#
+# useradd_t is the domain of the useradd/userdel programs.
+# groupadd_t is for adding groups (can not create home dirs)
+#
+define(`user_group_add_program', `
+type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain;
+role sysadm_r types $1_t;
+role system_r types $1_t;
+
+general_domain_access($1_t)
+uses_shlib($1_t)
+
+type $1_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
+domain_auto_trans(initrc_t, $1_exec_t, $1_t)
+
+# Use capabilities.
+allow $1_t self:capability { dac_override chown kill };
+
+# Allow access to context for shadow file
+can_getsecurity($1_t)
+
+# Inherit and use descriptors from login.
+allow $1_t { init_t privfd }:fd use;
+
+# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
+allow $1_t { bin_t sbin_t }:dir r_dir_perms;
+can_exec($1_t, { bin_t sbin_t })
+
+# Update /etc/shadow and /etc/passwd
+file_type_auto_trans($1_t, etc_t, shadow_t, file)
+allow $1_t etc_t:file create_file_perms;
+
+# some apps ask for these accesses, but seems to work regardless
+dontaudit $1_t var_run_t:dir search;
+r_dir_file($1_t,  selinux_config_t)
+
+# Set fscreate context.
+can_setfscreate($1_t)
+
+allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
+
+read_locale($1_t)
+
+# useradd/userdel request read/write for /var/log/lastlog, and read of /dev, 
+# but will operate without them.
+dontaudit $1_t { device_t var_t var_log_t }:dir search;
+allow useradd_t lastlog_t:file { read write };
+
+# For userdel and groupadd
+allow $1_t fs_t:filesystem getattr;
+
+# Access terminals.
+allow $1_t ttyfile:chr_file rw_file_perms;
+allow $1_t ptyfile:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
+
+# for when /root is the cwd
+dontaudit $1_t sysadm_home_dir_t:dir search;
+')
+user_group_add_program(useradd)
+
+# for getting the number of groups
+read_sysctl(useradd_t)
+
+# Add/remove user home directories
+file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
+file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
+
+# create/delete mail spool file in /var/mail
+allow useradd_t var_spool_t:dir search;
+allow useradd_t mail_spool_t:dir { search write add_name remove_name };
+allow useradd_t mail_spool_t:file create_file_perms;
+# /var/mail is a link to /var/spool/mail
+allow useradd_t mail_spool_t:lnk_file read;
+
+allow useradd_t self:capability { fowner fsetid setuid sys_resource };
+can_exec(useradd_t, shell_exec_t)
+
+# /usr/bin/userdel locks the user being deleted, allow write access to utmp
+allow useradd_t initrc_var_run_t:file { read write lock };
+
+user_group_add_program(groupadd)
+
+dontaudit groupadd_t self:capability fsetid;
+
+allow groupadd_t self:capability { setuid sys_resource };
+allow groupadd_t self:process setrlimit;
+allow groupadd_t initrc_var_run_t:file r_file_perms;
+dontaudit groupadd_t initrc_var_run_t:file write;
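Review bot: Inside the `user_group_add_program` macro, `allow useradd_t lastlog_t:file { read write };` names useradd_t literally rather than `$1_t`, so the groupadd expansion re-emits the useradd rule instead of one for groupadd_t; the comment above it says it is for useradd/userdel, so the rule belongs outside the macro, after `user_group_add_program(useradd)`, alongside the other useradd-only rules. The `file_type_auto_trans($1_t, etc_t, shadow_t, file)` plus `allow $1_t etc_t:file create_file_perms;` pair gives both domains the ability to create and rewrite files under /etc, which is necessary for passwd/shadow but worth a comment that it is not limited to those two files. The macro is also given both `privowner` and `auth_write`; a brief note on which operation needs privowner would document the grant.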
diff --git a/strict/domains/program/userhelper.te b/strict/domains/program/userhelper.te
new file mode 100644
index 0000000..cab6c70
--- /dev/null
+++ b/strict/domains/program/userhelper.te
@@ -0,0 +1,22 @@
+#DESC Userhelper - SELinux utility to run a shell with a new role
+#
+# Authors:  Dan Walsh (Red Hat)
+# Maintained by Dan Walsh <dwalsh at redhat.com>
+#
+
+#################################
+#
+# Rules for the userhelper_t domain.
+#
+# userhelper_exec_t is the type of the userhelper executable.
+# userhelper_conf_t is the type of the userhelper configuration files.
+#
+type userhelper_exec_t, file_type, exec_type, sysadmfile;
+type userhelper_conf_t, file_type, sysadmfile;
+
+# Everything else is in the userhelper_domain macro in
+# macros/program/userhelper_macros.te.
+
+ifdef(`xdm.te', `
+dontaudit xdm_t userhelper_conf_t:dir search;
+')
diff --git a/strict/domains/program/usernetctl.te b/strict/domains/program/usernetctl.te
new file mode 100644
index 0000000..6a2c64f
--- /dev/null
+++ b/strict/domains/program/usernetctl.te
@@ -0,0 +1,64 @@
+#DESC usernetctl - User network interface configuration helper 
+#
+# Author: Colin Walters <walters at redhat.com>
+
+type usernetctl_exec_t, file_type, sysadmfile, exec_type;
+
+type usernetctl_t, domain, privfd;
+
+if (user_net_control) {
+domain_auto_trans(userdomain, usernetctl_exec_t, usernetctl_t)
+} else {
+can_exec(userdomain, usernetctl_exec_t)
+}
+in_user_role(usernetctl_t)
+role sysadm_r types usernetctl_t;
+
+define(`usernetctl_transition',`
+domain_auto_trans(usernetctl_t, $1_exec_t, $1_t)
+in_user_role($1_t)
+allow $1_t userpty_type:chr_file { getattr read write };
+')
+
+ifdef(`ifconfig.te',`
+usernetctl_transition(ifconfig)
+')
+ifdef(`iptables.te',`
+usernetctl_transition(iptables)
+')
+ifdef(`dhcpc.te',`
+usernetctl_transition(dhcpc)
+allow usernetctl_t dhcp_etc_t:file ra_file_perms;
+')
+ifdef(`modutil.te',`
+usernetctl_transition(insmod)
+')
+ifdef(`consoletype.te',`
+usernetctl_transition(consoletype)
+')
+ifdef(`hostname.te',`
+usernetctl_transition(hostname)
+')
+
+allow usernetctl_t self:capability { setuid setgid dac_override };
+
+base_file_read_access(usernetctl_t)
+base_pty_perms(usernetctl)
+allow usernetctl_t devtty_t:chr_file rw_file_perms;
+uses_shlib(usernetctl_t)
+read_locale(usernetctl_t)
+general_domain_access(usernetctl_t)
+
+r_dir_file(usernetctl_t, proc_t)
+dontaudit usernetctl_t { domain - usernetctl_t }:dir search;
+
+allow usernetctl_t userpty_type:chr_file rw_file_perms;
+
+can_exec(usernetctl_t, { bin_t sbin_t shell_exec_t usernetctl_exec_t})
+can_exec(usernetctl_t, etc_t)
+
+r_dir_file(usernetctl_t, etc_t)
+allow usernetctl_t { var_t var_run_t }:dir { getattr read search };
+allow usernetctl_t etc_runtime_t:file r_file_perms;
+allow usernetctl_t net_conf_t:file r_file_perms;
+
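Review bot: `can_exec(usernetctl_t, etc_t)` lets the domain execute any file labelled etc_t and has no comment; presumably it is for the network scripts under /etc, in which case `# execute /etc/sysconfig network scripts (labelled etc_t) -- confirm` would record the intent and a dedicated type could be considered later. The `usernetctl_transition` macro grants every transitioned domain `allow $1_t userpty_type:chr_file { getattr read write };`, so ifconfig_t, iptables_t, dhcpc_t, insmod_t, consoletype_t and hostname_t all gain read/write on user ptys whenever this file is built; a comment on the macro saying that this is for passing the invoking terminal would make the breadth deliberate rather than incidental.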
diff --git a/strict/domains/program/utempter.te b/strict/domains/program/utempter.te
new file mode 100644
index 0000000..eb1af02
--- /dev/null
+++ b/strict/domains/program/utempter.te
@@ -0,0 +1,52 @@
+#DESC Utempter - Privileged helper for utmp/wtmp updates
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+# X-Debian-Packages:
+#
+
+#################################
+#
+# Rules for the utempter_t domain.
+#
+# This is the domain for the utempter program.  utempter is
+# executed by xterm to update utmp and wtmp.
+# utempter_exec_t is the type of the utempter binary.
+#
+type utempter_t, domain, nscd_client_domain;
+in_user_role(utempter_t)
+role sysadm_r types utempter_t;
+uses_shlib(utempter_t)
+type utempter_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
+
+# Use capabilities.
+allow utempter_t self:capability setgid;
+
+allow utempter_t etc_t:file { getattr read };
+
+# Update /var/run/utmp and /var/log/wtmp.
+allow utempter_t initrc_var_run_t:file rw_file_perms;
+allow utempter_t var_log_t:dir search;
+allow utempter_t wtmp_t:file rw_file_perms;
+
+# dontaudit access to /dev/ptmx.
+dontaudit utempter_t ptmx_t:chr_file rw_file_perms;
+dontaudit utempter_t sysadm_devpts_t:chr_file { read write };
+
+# Allow utemper to write to /tmp/.xses-*
+allow utempter_t user_tmpfile:file { getattr write append };
+
+# Inherit and use descriptors from login.
+allow utempter_t privfd:fd use;
+ifdef(`xdm.te', `
+allow utempter_t xdm_t:fd use;
+allow utempter_t xdm_t:fifo_file { write getattr };
+')
+
+allow utempter_t self:unix_stream_socket create_stream_socket_perms;
+
+# Access terminals.
+allow utempter_t ttyfile:chr_file getattr;
+allow utempter_t ptyfile:chr_file getattr;
+allow utempter_t devpts_t:dir search;
+dontaudit utempter_t {ttyfile ptyfile}:chr_file { read write };
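Review bot: `allow utempter_t initrc_var_run_t:file rw_file_perms;` grants the setgid helper read/write on every file initrc leaves under /var/run, not only utmp, because utmp shares the generic initrc_var_run_t type here (xdm.te in the same commit updates utmp under that type too); a domain reachable from any userdomain via `domain_auto_trans(userdomain, utempter_exec_t, utempter_t)` can therefore truncate or rewrite other services' runtime files. A dedicated utmp type, the way wtmp already has wtmp_t, would confine the write to the one file utempter needs. Similarly `allow utempter_t user_tmpfile:file { getattr write append };` is broader than the inherited `.xses-*` descriptor the comment describes, since nothing in this policy distinguishes writing an inherited fd from opening any user tmp file for write; at minimum the comment should say `# write is needed for the inherited stderr fd; this also permits opening any user_tmpfile for write`.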
diff --git a/strict/domains/program/vmware.te b/strict/domains/program/vmware.te
new file mode 100644
index 0000000..fcda9b8
--- /dev/null
+++ b/strict/domains/program/vmware.te
@@ -0,0 +1,52 @@
+#DESC VMWare - Virtual machine
+#
+# Domains,types and permissions for running VMWare (the program) and for
+# running a SELinux system in a VMWare session (the VMWare-tools).
+#
+# Based on work contributed by Mark Westerman (mark.westerman at westcam.com), 
+# modifications by NAI Labs.
+#
+# Domain is for the VMWare admin programs and daemons.
+# X-Debian-Packages:
+#
+# NOTE: The user vmware domain is provided separately in 
+# macros/program/vmware_macros.te
+# 
+# Next two domains are create by the daemon_domain() macro.
+# The vmware_t domain is for running VMWare daemons
+# The vmware_exec_t type is for the VMWare daemon and admin programs.
+#
+# quick hack making it privhome, should have a domain for each user in a macro
+daemon_domain(vmware, `, privhome')
+
+#
+# The vmware_user_exec_t type is for the user programs.
+#
+type vmware_user_exec_t, file_type, sysadmfile, exec_type;
+
+# Type for vmware devices.
+type vmware_device_t, device_type, dev_fs;
+
+# The sys configuration used for the /etc/vmware configuration files
+type vmware_sys_conf_t, file_type, sysadmfile;
+
+#########################################################################
+# Additional rules to start/stop VMWare
+#
+
+# Give init access to VMWare configuration files
+allow initrc_t vmware_sys_conf_t:file { ioctl read append };
+
+#
+# Rules added to kernel_t domain for VMWare to start up
+#
+# VMWare need access to pcmcia devices for network
+ifdef(`cardmgr.te', `
+allow kernel_t cardmgr_var_lib_t:dir { getattr search };
+allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
+')
+
+# Vmware create network devices
+allow kernel_t self:capability net_admin;
+allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow kernel_t self:socket create;
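Review bot: The last three rules (`allow kernel_t self:capability net_admin;`, the netlink_route_socket rule and `allow kernel_t self:socket create;`) widen kernel_t unconditionally on every system that builds this file, while the cardmgr rules just above are at least gated by the ifdef(cardmgr.te) guard; the comment says they exist only so VMWare can create network devices at startup. kernel_t is the domain of kernel threads and of early boot before the transition to init, so net_admin plus netlink route write there reaches far beyond VMWare. Consider doing the device creation from vmware_t (the daemon_domain this file defines is the natural owner) or at least wrapping these lines in a tunable, with a comment such as `# vmware's init script creates vmnet devices before the vmware_t transition; needed only on VMWare hosts`. The privhome hack on the vmware daemon_domain line is already flagged by its own comment, but note that in this policy it gives a system daemon reach into every user's home directory.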
diff --git a/strict/domains/program/vpnc.te b/strict/domains/program/vpnc.te
new file mode 100644
index 0000000..4ba342e
--- /dev/null
+++ b/strict/domains/program/vpnc.te
@@ -0,0 +1,41 @@
+#DESC vpnc
+#
+# Author:  Dan Walsh <dwalsh at redhat.com>
+#
+
+#################################
+#
+# Rules for the vpnc_t domain, et al.
+#
+# vpnc_t is the domain for the vpnc program.
+# vpnc_exec_t is the type of the vpnc executable.
+#
+daemon_domain(vpnc)
+
+allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
+
+# Use the network.
+can_network(vpnc_t)
+can_ypbind(vpnc_t)
+allow vpnc_t self:socket create_socket_perms;
+
+# Use capabilities.
+allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
+
+allow vpnc_t devpts_t:dir search;
+allow vpnc_t etc_t:file { getattr read };
+allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
+allow vpnc_t self:rawip_socket create_socket_perms;
+allow vpnc_t self:unix_dgram_socket create_socket_perms;
+allow vpnc_t self:unix_stream_socket create_socket_perms;
+allow vpnc_t admin_tty_type:chr_file rw_file_perms;
+allow vpnc_t port_t:udp_socket name_bind;
+allow vpnc_t etc_runtime_t:file { getattr read };
+allow vpnc_t proc_t:file { getattr read };
+dontaudit vpnc_t selinux_config_t:dir search;
+can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
+allow vpnc_t sysctl_net_t:dir search;
+allow vpnc_t sbin_t:dir search;
+allow vpnc_t bin_t:dir search;
+allow vpnc_t bin_t:lnk_file read;
+r_dir_file(vpnc_t, proc_net_t)
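Review bot: vpnc's configuration is read only through `allow vpnc_t etc_t:file { getattr read };`, so /etc/vpnc — which in a typical deployment holds the gateway group secret and user password — stays generic etc_t and is readable by every domain that can read etc_t, i.e. almost all of them. A dedicated type (`type vpnc_etc_t, file_type, sysadmfile;` with `allow vpnc_t vpnc_etc_t:file r_file_perms;` and a file context for the /etc/vpnc directory) would keep those credentials out of reach of unrelated domains. Also note that `can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })` runs ifconfig inside vpnc_t instead of transitioning to ifconfig_t; that works because vpnc_t already holds net_admin, but a comment saying so would save the next reader from wondering why the transition was skipped.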
diff --git a/strict/domains/program/webalizer.te b/strict/domains/program/webalizer.te
new file mode 100644
index 0000000..73b1902
--- /dev/null
+++ b/strict/domains/program/webalizer.te
@@ -0,0 +1,48 @@
+# DESC webalizer - webalizer
+#
+# Author: Yuichi Nakamura (ynakam @ selinux.gr.jp)
+#
+# Depends: apache.te
+
+application_domain(webalizer)
+# to use from cron
+system_crond_entry(webalizer_exec_t,webalizer_t)
+role system_r types webalizer_t;
+
+##type definision
+# type for usage file
+type webalizer_usage_t,file_type,sysadmfile;
+# type for /var/lib/webalizer
+type webalizer_write_t,file_type,sysadmfile;
+# type for webalizer.conf
+etc_domain(webalizer)
+
+#read apache log
+allow webalizer_t var_log_t:dir r_dir_perms;
+r_dir_file(webalizer_t, httpd_log_t)
+
+#r/w /var/lib/webalizer
+var_lib_domain(webalizer)
+
+#read /var/www/usage
+create_dir_file(webalizer_t, httpd_sys_content_t)
+
+#read system files under /etc
+allow webalizer_t { etc_t etc_runtime_t }:file { getattr read };
+read_locale(webalizer_t)
+
+# can use tmp file
+tmp_domain(webalizer)
+
+# can read /proc
+read_sysctl(webalizer_t)
+allow webalizer_t proc_t:dir search;
+allow webalizer_t proc_t:file r_file_perms;
+
+# network
+can_network_server(webalizer_t)
+
+#process communication inside webalizer itself
+general_domain_access(webalizer_t)
+
+allow webalizer_t self:capability dac_override;
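Review bot: `create_dir_file(webalizer_t, httpd_sys_content_t)` under the comment `#read /var/www/usage` grants create/write/unlink over the entire httpd_sys_content_t tree — every static document the web server serves — to a cron-driven analyzer whose input is attacker-influenced log lines, while the `webalizer_usage_t` type declared a few lines earlier for the usage directory is never used in this file. Label /var/www/usage as webalizer_usage_t and change the rule to `create_dir_file(webalizer_t, webalizer_usage_t)` so the report directory is the only writable web content. `can_network_server(webalizer_t)` also looks wider than needed: reverse-DNS lookups only require client-side networking, so if this policy's macros offer `can_network_client` that is the better fit (assuming the lookups are the only network use).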
diff --git a/strict/domains/program/winbind.te b/strict/domains/program/winbind.te
new file mode 100644
index 0000000..36cef3e
--- /dev/null
+++ b/strict/domains/program/winbind.te
@@ -0,0 +1,33 @@
+#DESC winbind - Name  Service  Switch  daemon for resolving names from NT servers
+#
+# Author: Dan Walsh (dwalsh at redhat.com)
+#
+
+#################################
+#
+# Declarations for winbind
+#
+
+daemon_domain(winbind, `, privhome, auth_chkpwd')
+log_domain(winbind)
+allow winbind_t etc_t:file r_file_perms;
+allow winbind_t etc_t:lnk_file read;
+can_network(winbind_t)
+ifdef(`samba.te', `', `
+type samba_etc_t, file_type, sysadmfile, usercanread;
+type samba_log_t, file_type, sysadmfile, logfile;
+type samba_var_t, file_type, sysadmfile;
+type samba_secrets_t, file_type, sysadmfile;
+')
+rw_dir_file(winbind_t, samba_etc_t)
+rw_dir_create_file(winbind_t, samba_log_t)
+allow winbind_t samba_secrets_t:file rw_file_perms;
+allow winbind_t self:unix_dgram_socket create_socket_perms;
+allow winbind_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_t urandom_device_t:chr_file { getattr read };
+allow winbind_t self:fifo_file { read write };
+rw_dir_create_file(winbind_t, samba_var_t)
+allow winbind_t krb5_conf_t:file { getattr read };
+dontaudit winbind_t krb5_conf_t:file { write };
+allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow winbind_t winbind_var_run_t:sock_file create_file_perms;
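Review bot: The daemon_domain(winbind, ...) line gives winbindd the privhome attribute, which in this policy lets a system daemon reach every user's home directory, yet nothing else in the file touches a home type and an NSS/authentication daemon has no evident reason to. If the grant exists for a specific case (home-directory creation on first login, for example) say so in a comment; otherwise drop privhome and keep only auth_chkpwd. The samba_* stub declarations in the ifdef(samba.te) fallback presumably mirror samba.te; a one-line comment such as `# stubs so this file compiles without samba.te; keep in sync with samba.te` would help keep the two in step.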
diff --git a/strict/domains/program/xauth.te b/strict/domains/program/xauth.te
new file mode 100644
index 0000000..020aa8d
--- /dev/null
+++ b/strict/domains/program/xauth.te
@@ -0,0 +1,15 @@
+#DESC Xauth - X authority file utility
+#
+# Domains for the xauth program.
+# X-Debian-Packages: xbase-clients
+
+# Author: Russell Coker <russell at coker.com.au>
+#
+# xauth_exec_t is the type of the xauth executable.
+#
+type xauth_exec_t, file_type, sysadmfile, exec_type;
+
+file_type_auto_trans(sysadm_xauth_t, staff_home_dir_t, staff_home_xauth_t)
+
+# Everything else is in the xauth_domain macro in
+# macros/program/xauth_macros.te.
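Review bot: `file_type_auto_trans(sysadm_xauth_t, staff_home_dir_t, staff_home_xauth_t)` is a cross-role rule — the sysadm's xauth domain creating files in a staff user's home directory — and carries no comment explaining when that happens or why the file receives the staff type rather than a sysadm one. Presumably it covers an administrator who reached sysadm_r via su from a staff login and whose XAUTHORITY still points into the staff home; a comment such as `# sysadm_r reached via su from staff_r keeps XAUTHORITY in the staff home; label the file as staff's so the staff session can still read it` would make the intent reviewable. If that guess is wrong the rule should be re-examined, since it is the only rule in this file letting sysadm_xauth_t write outside sysadm home types.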
diff --git a/strict/domains/program/xdm.te b/strict/domains/program/xdm.te
new file mode 100644
index 0000000..4b116e4
--- /dev/null
+++ b/strict/domains/program/xdm.te
@@ -0,0 +1,344 @@
+#DESC XDM - X Display Manager
+#
+# Authors:  Mark Westerman mark.westerman at westcam.com
+#           Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: gdm xdm wdm kdm
+# Depends: xserver.te
+#
+# Some wdm-specific changes by Tom Vogt <tom at lemuria.org>
+# 
+# Some alterations and documentation by Stephen Smalley <sds at epoch.ncsc.mil>
+#
+
+#################################
+# 
+# Rules for the xdm_t domain.
+#
+# xdm_t is the domain of a X Display Manager process 
+# spawned by getty.
+# xdm_exec_t is the type of the [xgkw]dm program
+#
+daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
+
+# for running xdm from init
+domain_auto_trans(init_t, xdm_exec_t, xdm_t)
+
+allow xdm_t xdm_var_run_t:dir setattr;
+
+# for xdmctl
+allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
+allow initrc_t xdm_var_run_t:fifo_file unlink;
+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
+
+tmp_domain(xdm, `', `{ file dir sock_file }')
+var_lib_domain(xdm)
+# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+# handle of a file inside the dir!!!
+allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
+allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+type xsession_exec_t, file_type, sysadmfile, exec_type;
+type xdm_rw_etc_t, file_type, sysadmfile;
+typealias xdm_rw_etc_t alias etc_xdm_t;
+
+allow xdm_t default_context_t:dir search;
+allow xdm_t default_context_t:{ file lnk_file } { read getattr };
+
+can_network(xdm_t)
+allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:fifo_file rw_file_perms;
+
+allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
+allow xdm_t xdm_xserver_t:process signal;
+can_unix_connect(xdm_t, xdm_xserver_t)
+allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
+allow xdm_xserver_t xdm_t:process signal;
+# for reboot
+allow xdm_t initctl_t:fifo_file write;
+
+# init script wants to check if it needs to update windowmanagerlist
+allow initrc_t xdm_rw_etc_t:file { getattr read };
+ifdef(`distro_suse', `
+# set permissions on /tmp/.X11-unix
+allow initrc_t xdm_tmp_t:dir setattr;
+')
+
+#
+# Use capabilities.
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner };
+
+allow xdm_t { urandom_device_t random_device_t }:chr_file { getattr read ioctl };
+
+# Transition to user domains for user sessions.
+domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
+allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
+allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
+allow unpriv_userdomain xdm_xserver_t:fd use;
+allow unpriv_userdomain xdm_xserver_tmpfs_t:file read;
+allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
+allow xdm_xserver_t unpriv_userdomain:fd use;
+
+# Do not audit user access to the X log files due to file handle inheritance
+dontaudit unpriv_userdomain xserver_log_t:file { write append };
+
+# gnome-session creates socket under /tmp/.ICE-unix/
+allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms;
+allow unpriv_userdomain xdm_tmp_t:sock_file create;
+
+# Allow xdm logins as sysadm_r:sysadm_t
+bool xdm_sysadm_login false;
+if (xdm_sysadm_login) {
+domain_trans(xdm_t, xsession_exec_t, sysadm_t)
+allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
+allow sysadm_t xdm_xserver_t:shm r_shm_perms;
+allow sysadm_t xdm_xserver_t:fd use;
+allow sysadm_t xdm_xserver_tmpfs_t:file read;
+allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
+allow xdm_xserver_t sysadm_t:fd use;
+}
+can_setexec(xdm_t)
+
+# Label pid and temporary files with derived types.
+rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
+allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
+
+# Run helper programs.
+allow xdm_t etc_t:file { getattr read };
+allow xdm_t bin_t:dir { getattr search };
+# lib_t is for running cpp
+can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })
+allow xdm_t { bin_t sbin_t }:lnk_file read;
+ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)')
+ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)')
+allow xdm_t xdm_xserver_t:process sigkill;
+allow xdm_t xdm_xserver_tmp_t:file unlink;
+
+# Access devices.
+allow xdm_t device_t:dir { read search };
+allow xdm_t console_device_t:chr_file setattr;
+allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t framebuf_device_t:chr_file { getattr setattr };
+allow xdm_t mouse_device_t:chr_file { getattr setattr };
+allow xdm_t apm_bios_t:chr_file { setattr getattr read write };
+allow xdm_t dri_device_t:chr_file rw_file_perms;
+allow xdm_t device_t:dir rw_dir_perms;
+allow xdm_t agp_device_t:chr_file rw_file_perms;
+allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr };
+allow xdm_t v4l_device_t:chr_file { setattr getattr };
+allow xdm_t scanner_device_t:chr_file { setattr getattr };
+allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
+allow xdm_t device_t:lnk_file read;
+can_resmgrd_connect(xdm_t)
+
+# Access xdm log files.
+file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
+allow xdm_t xserver_log_t:dir rw_dir_perms;
+allow xdm_t xserver_log_t:dir setattr;
+# Access /var/gdm/.gdmfifo.
+allow xdm_t xserver_log_t:fifo_file create_file_perms;
+
+allow xdm_t self:shm create_shm_perms;
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
+allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
+allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file read;
+allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
+allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
+
+# Remove /tmp/.X11-unix/X0.
+allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
+allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
+
+ifdef(`gpm.te', `
+# Talk to the console mouse server.
+allow xdm_t gpmctl_t:sock_file { getattr setattr write };
+allow xdm_t gpm_t:unix_stream_socket connectto;
+')
+
+allow xdm_t sysfs_t:dir search;
+
+# Update utmp and wtmp.
+allow xdm_t initrc_var_run_t: file { read write lock };
+allow xdm_t wtmp_t:file append;
+
+# Update lastlog.
+allow xdm_t lastlog_t:file rw_file_perms;
+
+# Ask the security server for SIDs for user sessions.
+can_getsecurity(xdm_t)
+
+tmpfs_domain(xdm)
+
+# Need to further investigate these permissions and
+# perhaps define derived types.
+allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
+allow xdm_t var_lib_t:file { create write unlink };
+allow xdm_t var_lock_t:dir { write search add_name remove_name };
+allow xdm_t var_lock_t:file { create write unlink };
+
+# Connect to xfs.
+ifdef(`xfs.te', `
+allow xdm_t xfs_tmp_t:dir search;
+allow xdm_t xfs_tmp_t:sock_file write;
+can_unix_connect(xdm_t, xfs_t)
+')
+
+allow xdm_t self:process { setpgid setsched };
+allow xdm_t etc_t:lnk_file read;
+allow xdm_t etc_runtime_t:file { getattr read };
+
+# wdm has its own config dir /etc/X11/wdm
+# this is ugly, daemons should not create files under /etc!
+allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
+allow xdm_t xdm_rw_etc_t:file create_file_perms;
+
+# Signal any user domain.
+allow xdm_t userdomain:process signal_perms;
+
+allow xdm_t proc_t:file { getattr read };
+
+read_sysctl(xdm_t)
+
+# Search /proc for any user domain processes.
+allow xdm_t userdomain:dir r_dir_perms;
+allow xdm_t userdomain:{ file lnk_file } r_file_perms;
+
+# Allow xdm access to the user domains
+allow xdm_t home_root_t:dir search;
+allow xdm_xserver_t home_root_t:dir search;
+
+# Do not audit denied attempts to access devices.
+dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms};
+dontaudit xdm_t device_t:file_class_set rw_file_perms;
+dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t devpts_t:dir search;
+
+# Do not audit denied probes of /proc.
+dontaudit xdm_t domain:dir r_dir_perms;
+dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
+
+# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
+allow xdm_t usr_t:{ lnk_file file } { getattr read };
+r_dir_file(xdm_t, fonts_t)
+
+# Do not audit attempts to write to index files under /usr
+dontaudit xdm_t usr_t:file write;
+
+# Do not audit access to /root
+dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
+
+# Do not audit user access to the X log files due to file handle inheritance
+dontaudit unpriv_userdomain xserver_log_t:file { write append };
+
+# Do not audit attempts to check whether user root has email
+dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
+dontaudit xdm_t mail_spool_t:file getattr;
+
+# Access sound device.
+allow xdm_t sound_device_t:chr_file { setattr getattr };
+
+# Allow setting of attributes on power management devices.
+allow xdm_t power_device_t:chr_file { getattr setattr };
+
+# Run the X server in a derived domain.
+xserver_domain(xdm)
+
+ifdef(`rhgb.te', `
+allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
+allow xdm_xserver_t ramfs_t:file create_file_perms;
+allow rhgb_t xdm_xserver_t:process signal;
+')
+
+# Unrestricted inheritance.
+allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
+
+# Run xkbcomp.
+allow xdm_xserver_t var_lib_t:dir search;
+allow xdm_xserver_t var_lib_xkb_t:lnk_file read;
+can_exec(xdm_xserver_t, var_lib_xkb_t)
+
+# Insert video drivers.  
+allow xdm_xserver_t self:capability mknod;
+allow xdm_xserver_t sysctl_modprobe_t:file read;
+domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
+allow insmod_t xdm_t:fd use;
+allow insmod_t xserver_log_t:file write;
+allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
+
+# Read /proc/dri/.*
+allow xdm_xserver_t proc_t:dir { search read };
+
+# Search /var/run.
+allow xdm_xserver_t var_run_t:dir search;
+
+# Search home directories.
+allow xdm_xserver_t user_home_type:dir search;
+allow xdm_xserver_t user_home_type:file { getattr read };
+
+if (use_nfs_home_dirs) {
+allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
+allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, nfs_t)
+}
+
+if (use_samba_home_dirs) {
+allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, cifs_t)
+}
+
+# for .dmrc
+allow xdm_t user_home_dir_type:dir { getattr search };
+allow xdm_t user_home_type:file { getattr read };
+
+allow xdm_t mnt_t:dir { getattr read search };
+#
+# Wants to delete .xsession-errors file
+#
+allow xdm_t user_home_type:file unlink;
+#
+# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+#
+ifdef(`pam.te', `
+dontaudit pam_t xdm_t:fd use;
+allow xdm_t pam_var_run_t:dir create_dir_perms;
+allow xdm_t pam_var_run_t:file create_file_perms;
+allow pam_t xdm_t:fifo_file { getattr ioctl write };
+can_exec(xdm_t, pam_exec_t)
+# For pam_console
+rw_dir_create_file(xdm_t, pam_var_console_t)
+')
+
+allow xdm_t var_log_t:file read;
+allow xdm_t self:capability { sys_nice sys_rawio net_bind_service };
+allow xdm_t self:process setrlimit;
+allow xdm_t wtmp_t:file { getattr read };
+
+domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
+#
+# Poweroff wants to create the /root/poweroff directory when run from xdm
+# Seems to work without it.
+#
+dontaudit xdm_t root_t:dir { add_name write };
+dontaudit xdm_t root_t:file create;
+#
+# xdm tries to bind to biff_port_t
+#
+dontaudit xdm_t port_type:tcp_socket name_bind;
+
+# VNC v4 module in X server
+type vnc_port_t, port_type;
+allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; 
+ifdef(`crack.te', `
+allow xdm_t crack_db_t:file r_file_perms;
+')
+r_dir_file(xdm_t, selinux_config_t)
+
+# Run telinit->init to shutdown.
+can_exec(xdm_t, init_exec_t)
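Review bot: `allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };` and `allow xdm_t var_lib_t:file { create write unlink };` let the display manager create and delete arbitrary files under generic /var/lib — other services' state — even though `var_lib_domain(xdm)` earlier in the file already provides a derived xdm_var_lib_t for exactly this, and the var_lock_t pair right below has the same problem. Label the directories xdm actually writes as xdm_var_lib_t (and add a derived lock type) and drop the generic rules; the adjacent `# Need to further investigate these permissions` comment already admits they are placeholders. Two stretches are also pure duplicates: the unpriv_userdomain/xdm_xserver_t block after `# Transition to user domains for user sessions.` is repeated after `allow xdm_t self:shm create_shm_perms;` with rw_shm_perms in place of r_shm_perms (so the wider grant wins), and `dontaudit unpriv_userdomain xserver_log_t:file { write append };` appears twice; keep one copy of each so the intended shm permission is unambiguous. `allow xdm_t user_home_type:file unlink;` is likewise broader than the `.xsession-errors` it is commented for, since user_home_type covers every file type in a user's home.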
diff --git a/strict/domains/program/xfs.te b/strict/domains/program/xfs.te
new file mode 100644
index 0000000..0c9e93f
--- /dev/null
+++ b/strict/domains/program/xfs.te
@@ -0,0 +1,50 @@
+#DESC XFS - X Font Server
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: xfs
+#
+
+#################################
+#
+# Rules for the xfs_t domain.
+#
+# xfs_t is the domain of the X font server.
+# xfs_exec_t is the type of the xfs executable.
+#
+daemon_domain(xfs)
+
+# for /tmp/.font-unix/fs7100
+ifdef(`distro_debian', `
+type xfs_tmp_t, file_type, sysadmfile, tmpfile;
+allow xfs_t tmp_t:dir search;
+file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file)
+', `
+tmp_domain(xfs, `', `{dir sock_file}')
+')
+
+allow xfs_t { etc_t etc_runtime_t }:file { getattr read };
+allow xfs_t proc_t:file { getattr read };
+
+allow xfs_t self:process setpgid;
+can_ypbind(xfs_t)
+
+# Use capabilities.
+allow xfs_t self:capability { setgid setuid };
+
+# Bind to /tmp/.font-unix/fs-1.
+allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
+allow xfs_t self:unix_stream_socket create_stream_socket_perms;
+allow xfs_t self:unix_dgram_socket create_socket_perms;
+
+# Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
+allow xfs_t fonts_t:dir search;
+allow xfs_t fonts_t:file { getattr read };
+
+# Unlink the xfs socket.
+allow initrc_t xfs_tmp_t:dir rw_dir_perms;
+allow initrc_t xfs_tmp_t:dir rmdir;
+allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
+allow initrc_t fonts_t:dir create_dir_perms;
+allow initrc_t fonts_t:file create_file_perms;
+
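Review bot: `allow initrc_t fonts_t:dir create_dir_perms;` and `allow initrc_t fonts_t:file create_file_perms;` give the init scripts create/write/unlink over the whole system font tree, but the only comment above them is `# Unlink the xfs socket.`, which covers the xfs_tmp_t rules and not these. If they exist for a boot-time font index rebuild, say so — `# xfs init script regenerates fonts.dir / fonts.cache under fonts_t` — and consider a narrower rule on the index files' own type; an init script that can rewrite every font file is a broad grant for a daemon whose own domain needs only `allow xfs_t fonts_t:file { getattr read };`.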
diff --git a/strict/domains/program/xserver.te b/strict/domains/program/xserver.te
new file mode 100644
index 0000000..7cfce4c
--- /dev/null
+++ b/strict/domains/program/xserver.te
@@ -0,0 +1,21 @@
+#DESC XServer - X Server
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser 
+# X-Debian-Packages: xserver-common xserver-xfree86
+#
+
+# Type for the executable used to start the X server, e.g. Xwrapper.
+type xserver_exec_t, file_type, sysadmfile, exec_type;
+
+# Type for the X server log file.
+type xserver_log_t, file_type, sysadmfile, logfile;
+
+# type for /var/lib/xkb
+type var_lib_xkb_t, file_type, sysadmfile, usercanread;
+
+# Allow the xserver to check for fonts in ~/.gnome or ~/.kde
+bool allow_xserver_home_fonts false;
+
+# Everything else is in the xserver_domain macro in
+# macros/program/xserver_macros.te.
+
diff --git a/strict/domains/program/ypbind.te b/strict/domains/program/ypbind.te
new file mode 100644
index 0000000..605afd1
--- /dev/null
+++ b/strict/domains/program/ypbind.te
@@ -0,0 +1,43 @@
+#DESC Ypbind - NIS/YP
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: nis
+# Depends: portmap.te named.te
+#
+
+#################################
+#
+# Rules for the ypbind_t domain.
+#
+daemon_domain(ypbind)
+
+tmp_domain(ypbind)
+
+# Use capabilities.
+allow ypbind_t self:capability { net_bind_service };
+dontaudit ypbind_t self:capability net_admin;
+
+# Use the network.
+can_network(ypbind_t)
+allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
+
+allow ypbind_t self:fifo_file rw_file_perms;
+
+read_sysctl(ypbind_t)
+
+# Send to portmap and initrc.
+can_udp_send(ypbind_t, portmap_t)
+can_udp_send(ypbind_t, initrc_t)
+
+# Read and write /var/yp.
+allow ypbind_t var_yp_t:dir rw_dir_perms;
+allow ypbind_t var_yp_t:file create_file_perms;
+allow initrc_t var_yp_t:dir { getattr read };
+allow ypbind_t etc_t:file { getattr read };
+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
+dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+can_udp_send(initrc_t, ypbind_t)
+
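Review bot: `allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;` together with `allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;` lets ypbind bind any port that has no specific type, privileged or not, and the following `dontaudit ypbind_t reserved_port_type` line hides attempts on the typed ones. That is inherent to SunRPC's dynamic port selection, but it should be stated so nobody later tightens it blindly, e.g. `# SunRPC picks an arbitrary (often reserved) port; generic port_t/reserved_port_t bind is required`. The header's `# Depends: portmap.te named.te` also lists named.te although nothing in this file references a named_* type, so that dependency looks stale.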
diff --git a/strict/domains/program/ypserv.te b/strict/domains/program/ypserv.te
new file mode 100644
index 0000000..656c15d
--- /dev/null
+++ b/strict/domains/program/ypserv.te
@@ -0,0 +1,41 @@
+#DESC Ypserv - NIS/YP
+#
+# Authors:  Dan Walsh <dwalsh at redhat.com>
+# Depends: portmap.te
+#
+
+#################################
+#
+# Rules for the ypserv_t domain.
+#
+daemon_domain(ypserv)
+
+tmp_domain(ypserv)
+
+# Use capabilities.
+allow ypserv_t self:capability { net_bind_service };
+
+# Use the network.
+can_network_server(ypserv_t)
+
+allow ypserv_t self:fifo_file rw_file_perms;
+
+read_sysctl(ypserv_t)
+
+# Send to portmap and initrc.
+can_udp_send(ypserv_t, portmap_t)
+can_udp_send(ypserv_t, initrc_t)
+
+type ypserv_conf_t, file_type, sysadmfile;
+
+# Read and write /var/yp.
+allow ypserv_t var_yp_t:dir rw_dir_perms;
+allow ypserv_t var_yp_t:file create_file_perms;
+allow ypserv_t ypserv_conf_t:file { getattr read };
+allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
+ifdef(`rpcd.te', `
+allow rpcd_t ypserv_conf_t:file { getattr read };
+')
+allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
+dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
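Review bot: `allow ypserv_t var_yp_t:file create_file_perms;` lets the map server rewrite the NIS maps it serves, including the passwd-derived ones, although ypserv itself only answers lookups and map building is normally done by the make/yppush tooling in the administrator's domain. If write access is really needed by something ypserv spawns (nothing in this file shows it), document that under the `# Read and write /var/yp.` comment; otherwise reduce the rule to `r_dir_file(ypserv_t, var_yp_t)` so a compromised ypserv cannot alter the authentication data handed to every client.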
diff --git a/strict/domains/program/zebra.te b/strict/domains/program/zebra.te
new file mode 100644
index 0000000..12ef473
--- /dev/null
+++ b/strict/domains/program/zebra.te
@@ -0,0 +1,33 @@
+#DESC Zebra - BGP server
+#
+# Author:  Russell Coker <russell at coker.com.au>
+# X-Debian-Packages: zebra
+#
+type zebra_port_t, port_type;
+
+daemon_domain(zebra, `, sysctl_net_writer')
+type zebra_conf_t, file_type, sysadmfile;
+r_dir_file({ initrc_t zebra_t }, zebra_conf_t)
+
+can_network_server(zebra_t)
+can_ypbind(zebra_t)
+allow zebra_t { etc_t etc_runtime_t }:file { getattr read };
+
+allow zebra_t self:process setcap;
+allow zebra_t self:capability { setgid setuid net_bind_service net_admin net_raw };
+file_type_auto_trans(zebra_t, var_run_t, zebra_var_run_t, sock_file)
+
+logdir_domain(zebra)
+
+# /tmp/.bgpd is such a bad idea!
+tmp_domain(zebra, `', sock_file)
+
+allow zebra_t self:unix_dgram_socket create_socket_perms;
+allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow zebra_t self:rawip_socket create_socket_perms;
+allow zebra_t self:netlink_route_socket r_netlink_socket_perms;
+allow zebra_t zebra_port_t:tcp_socket name_bind;
+
+allow zebra_t proc_t:file { getattr read };
+allow zebra_t { sysctl_t sysctl_net_t }:dir search;
+allow zebra_t sysctl_net_t:file rw_file_perms;
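Review bot: The tmp_domain(zebra, ..., sock_file) rule under `# /tmp/.bgpd is such a bad idea!` blesses a control socket in a world-writable directory even though the file already labels the proper location with `file_type_auto_trans(zebra_t, var_run_t, zebra_var_run_t, sock_file)`; a daemon holding `net_admin net_raw` and write access to sysctl_net_t should not have its vty socket anywhere a local user can pre-create the name. Either drop the tmp rule and note that the vty socket path must be configured under /var/run, or make it conditional on a tunable with a comment such as `# only for distributions whose zebra still defaults to /tmp/.bgpd; configure the vtysh socket under /var/run instead`. The DESC line `Zebra - BGP server` is also slightly misleading, since zebra is the routing manager and bgpd is one of its protocol daemons.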
diff --git a/strict/domains/user.te b/strict/domains/user.te
new file mode 100644
index 0000000..02f6be9
--- /dev/null
+++ b/strict/domains/user.te
@@ -0,0 +1,132 @@
+#DESC User - Domains for ordinary users.
+#
+#################################
+
+# Booleans for user domains.
+
+# Allow users to read system messages.
+bool user_dmesg false;
+
+# Support NFS home directories
+bool use_nfs_home_dirs false;
+
+# Allow execution of anonymous mappings, e.g. executable stack.
+bool allow_execmem false;
+
+# Support Share libraries with Text Relocation
+bool allow_execmod false;
+
+# Support SAMBA home directories
+bool use_samba_home_dirs false;
+
+# Allow users to run TCP servers (bind to ports and accept connection from
+# the same domain and outside users)  disabling this forces FTP passive mode
+# and may change other protocols 
+bool user_tcp_server false;
+
+# Allow system to run with NIS
+bool allow_ypbind false;
+
+# Allow system to run with kerberos
+bool allow_kerberos false;
+
+# Allow users to rw usb devices
+bool user_rw_usb false;
+
+# Allow users to control network interfaces (also needs USERCTL=true)
+bool user_net_control false;
+
+# Allow regular users direct mouse access 
+bool user_direct_mouse false;
+
+# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
+bool user_rw_noexattrfile false;
+
+# Allow reading of default_t files.
+bool read_default_t false;
+
+# Allow staff_r users to search the sysadm home dir and read
+# files (such as ~/.bashrc)
+bool staff_read_sysadm_file false;
+
+# change from role $1_r to $2_r and relabel tty appropriately
+define(`role_tty_type_change', `
+allow $1_r $2_r;
+type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+# avoid annoying messages on terminal hangup
+dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
+# Reach sysadm_t via programs like userhelper/sudo/su
+undefine(`reach_sysadm')
+define(`reach_sysadm', `
+ifdef(`userhelper.te', `userhelper_domain($1)')
+ifdef(`sudo.te', `sudo_domain($1)')
+ifdef(`su.te', `
+su_domain($1)
+# When an ordinary user domain runs su, su may try to
+# update the /root/.Xauthority file, and the user shell may
+# try to update the shell history. This is not allowed, but 
+# we dont need to audit it.
+dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
+dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
+dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
+') dnl ifdef su.te
+')
+
+# Privileged user domain
+undefine(`priv_user')
+define(`priv_user', `
+# Reach sysadm_t
+reach_sysadm($1)
+
+# Read file_contexts for rpm and get security decisions. 
+r_dir_file($1_t, file_context_t)
+can_getsecurity($1_t)
+
+# Signal and see information about unprivileged user domains.
+allow $1_t unpriv_userdomain:process signal_perms;
+can_ps($1_t, unpriv_userdomain)
+allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
+
+# Read /root files if boolean is enabled.
+if (staff_read_sysadm_file) {
+allow $1_t sysadm_home_dir_t:dir { getattr search };
+allow $1_t sysadm_home_t:file { getattr read };
+}
+
+') dnl priv_user
+
+full_user_role(user)
+
+ifdef(`user_canbe_sysadm', `
+reach_sysadm(user)
+role_tty_type_change(user, sysadm)
+')
+
+#  Do not add any rules referring to user_t to this file!  That will break
+#  support for multiple user roles.
+
+# a role for staff that allows seeing all domains and control over the user_t
+# domain
+full_user_role(staff)
+
+priv_user(staff)
+# if adding new user roles make sure you edit the in_user_role macro in
+# macros/user_macros.te to match
+
+# lots of user programs accidentally search /root, and also the admin often
+# logs in as UID=0 domain=user_t...
+dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
+
+#
+# Allow the user roles to transition
+# into each other.
+role_tty_type_change(sysadm, user)
+role_tty_type_change(staff, sysadm)
+role_tty_type_change(sysadm, staff)
+
+# "ps aux" and "ls -l /dev/pts" make too much noise without this
+dontaudit unpriv_userdomain ptyfile:chr_file getattr;
+
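Review bot: In `reach_sysadm`, `dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;` and `dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;` silence far more than the `.Xauthority` and shell-history updates the comment describes: create_file_perms includes unlink and rename, so an ordinary user's su domain probing or trying to delete files in /root never reaches the audit log. Narrow the dontaudit to what the comment claims, e.g. `dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir { search write add_name };` and `dontaudit $1_su_t { sysadm_home_t staff_home_t }:file { create write append };`, so other denied operations stay visible. The closing comment `# Allow the user roles to transition into each other.` is also inaccurate: only the sysadm/user and sysadm/staff pairs are declared, and user/staff is not.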
diff --git a/strict/file_contexts/distros.fc b/strict/file_contexts/distros.fc
new file mode 100644
index 0000000..2de04ab
--- /dev/null
+++ b/strict/file_contexts/distros.fc
@@ -0,0 +1,153 @@
+ifdef(`distro_redhat', `
+/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t
+/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t
+/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t
+/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t
+/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t
+/usr/share/rhn/rhn_applet/needed-packages\.py	--	system_u:object_r:bin_t
+/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t
+/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
+/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
+/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
+/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t
+/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t
+/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t
+/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
+/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
+/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
+/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t
+/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t
+/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t
+/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t
+/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t
+/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t
+/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
+/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
+/usr/share/switchdesk/switchdesk-gui\.py	--	system_u:object_r:bin_t
+/usr/share/system-config-network/neat-control\.py	--	system_u:object_r:bin_t
+/usr/share/system-config-nfs/nfs-export\.py	--	system_u:object_r:bin_t
+/usr/share/pydict/pydict\.py	--	system_u:object_r:bin_t
+/usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t
+/usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
+/usr/share/ssl/certs(/.*)?		system_u:object_r:cert_t
+/usr/share/ssl/private(/.*)?		system_u:object_r:cert_t
+/usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t
+#
+# /emul/ia32-linux/usr
+#
+/emul(/.*)?				system_u:object_r:usr_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?		system_u:object_r:lib_t
+/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
+/emul/ia32-linux/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t
+/emul/ia32-linux/usr/libexec(/.*)?		system_u:object_r:bin_t
+# /emul/ia32-linux/lib
+/emul/ia32-linux/lib(/.*)?					system_u:object_r:lib_t
+/emul/ia32-linux/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
+# /emul/ia32-linux/bin
+/emul/ia32-linux/bin(/.*)?			system_u:object_r:bin_t
+# /emul/ia32-linux/sbin
+/emul/ia32-linux/sbin(/.*)?			system_u:object_r:sbin_t
+
+ifdef(`dbusd.te', `', `
+/var/run/dbus(/.*)?            system_u:object_r:system_dbusd_var_run_t
+')
+
+# The following are libraries with text relocations in need of execmod permissions
+# Some of them should be fixed and removed from this list
+
+# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
+# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs
+/usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t
+/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 		-- system_u:object_r:texrel_shlib_t
+/usr/lib/libg\+\+\.so\.2\.7\.2\.8		-- system_u:object_r:texrel_shlib_t
+/usr/lib/libglide3\.so.* 			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libdv\.so.* 				-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/oggfformat\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/theorarend\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/vorbisrend\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/codecs/colorcvt\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/codecs/cvt1\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libSDL-.*\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/modules/dri/.*\.so		-- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libOSMesa\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libHermes\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/libpthread\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgpreload_addrcheck\.so	-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgpreload_memcheck\.so	-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_addrcheck\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_cachegrind\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_callgrind\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_corecheck\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_helgrind\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_lackey\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_massif\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_memcheck\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_none\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ooo-.*/program/libicudata\.so.*	-- system_u:object_r:texrel_shlib_t
+/usr/lib/ooo-.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ooo-.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t
+/usr/lib/ooo-.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t
+# Fedora Extras packages: ladspa, imlib2, ocaml
+/usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/bandpass_a_iir_1893\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/bandpass_iir_1892\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/butterworth_1902\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/fm_osc_1415\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/gsm_1215\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/gverb_1216\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/hermes_filter_1200\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/highpass_iir_1890\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/lowpass_iir_1891\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/notch_iir_1894\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/pitch_scale_1193\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/pitch_scale_1194\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc1_1425\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc2_1426\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc3_1427\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc4_1882\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t
+
+# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
+/usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/libpostproc\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libavformat-.*\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libavcodec-.*\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libxvidcore\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/lib/xine/plugins/.*\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libgsm\.so.*				-- system_u:object_r:texrel_shlib_t
+/usr/lib/libmp3lame\.so.*			-- system_u:object_r:texrel_shlib_t
+
+# Flash plugin, Macromedia
+HOME_DIR/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t
+
+# Jai, Sun Microsystems (Jpackage SPRM)
+/usr/lib/libmlib_jai\.so			-- system_u:object_r:texrel_shlib_t
+
+')
+
+ifdef(`distro_suse', `
+/var/lib/samba/bin/.+					system_u:object_r:bin_t
+/var/lib/samba/bin/.*\.so(\.[^/]*)*		-l	system_u:object_r:lib_t
+/usr/lib/samba/classic/.*			--	system_u:object_r:bin_t
+/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/success					--	system_u:object_r:etc_runtime_t
+/etc/defkeymap\.map				--	system_u:object_r:etc_runtime_t
+')
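Review bot: The entry `/usr/share/system-config-lvm/system-config-lvm.py` leaves the dot before `py` unescaped, unlike every neighbouring entry, so it is a regex wildcard rather than a literal dot; change it to `/usr/share/system-config-lvm/system-config-lvm\.py -- system_u:object_r:bin_t`. The flash-plugin line `HOME_DIR/.*/plugins/libflashplayer\.so.*` also appears verbatim in the homedir_template hunk of this commit, so one of the two copies should go to avoid later divergence; whether HOME_DIR is expanded for distros.fc at all is not visible here and is worth confirming. Separately, `/usr/share/ssl/private(/.*)?` receives the same cert_t label as the public `certs` directory; if private keys live under `private`, a distinct type would let policy distinguish reading keys from reading certificates, and if the shared type is intentional a short comment saying so would help the next reader.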
diff --git a/strict/file_contexts/homedir_template b/strict/file_contexts/homedir_template
new file mode 100644
index 0000000..1206f76
--- /dev/null
+++ b/strict/file_contexts/homedir_template
@@ -0,0 +1,32 @@
+# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
+# HOME_DIR expands to each user's home directory,
+#                  and to HOME_ROOT/[^/]+ for each HOME_ROOT.
+# ROLE expands to each user's role when role != user_r, and to "user" otherwise.
+HOME_ROOT		-d	system_u:object_r:home_root_t
+HOME_DIR		-d	system_u:object_r:ROLE_home_dir_t
+HOME_DIR/.+			system_u:object_r:ROLE_home_t
+HOME_ROOT/\.journal		<<none>>
+HOME_ROOT/lost\+found(/.*)?	system_u:object_r:lost_found_t
+HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t
+HOME_DIR/\.gnupg(/.+)?	system_u:object_r:ROLE_gpg_secret_t
+HOME_DIR/\.ircmotd	--	system_u:object_r:ROLE_home_irc_t
+HOME_DIR/\.galeon(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.netscape(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.mozilla(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.phoenix(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.gconfd(/.*)?		system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/My.Downloads(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.java(/.*)?		system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.mplayer(/.*)?        system_u:object_r:ROLE_mplayer_home_t
+HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t
+HOME_DIR/\.screenrc	--	system_u:object_r:ROLE_screen_ro_home_t
+HOME_DIR/\.spamassassin(/.*)?	system_u:object_r:ROLE_spamassassin_home_t
+HOME_DIR/\.ssh(/.*)?		system_u:object_r:ROLE_home_ssh_t
+HOME_DIR/\.uml(/.*)?		system_u:object_r:ROLE_uml_rw_t
+HOME_DIR/\.vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
+HOME_DIR/vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
+HOME_DIR/\.vmware[^/]*/.*\.cfg	--	system_u:object_r:ROLE_vmware_conf_t
+HOME_DIR/\.Xauthority.* --	system_u:object_r:ROLE_xauth_home_t
+HOME_DIR/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t
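Review bot: The last entry labels any file matching `HOME_DIR/.*/plugins/libflashplayer\.so.*` as texrel_shlib_t, a system library type that the distros.fc hunk in this commit describes as the type for libraries needing execmod, and it sits inside the user's home directory where the file is user-writable. A comment explaining why a non-ROLE home type is deliberate here would help, e.g. `# per-user flash plugin needs execmod; intentionally not a ROLE_*_home_t type`. The same line is duplicated in distros.fc in this commit, so keep it in only one place. Also `HOME_DIR/My.Downloads(/.*)?` has an unescaped dot, presumably standing in for a space because whitespace separates the fields; a comment saying so would stop someone "fixing" it to `\.`.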
diff --git a/strict/file_contexts/program/acct.fc b/strict/file_contexts/program/acct.fc
new file mode 100644
index 0000000..7616d8b
--- /dev/null
+++ b/strict/file_contexts/program/acct.fc
@@ -0,0 +1,5 @@
+# berkeley process accounting
+/sbin/accton	--	system_u:object_r:acct_exec_t
+/usr/sbin/accton	--	system_u:object_r:acct_exec_t
+/var/account(/.*)?		system_u:object_r:acct_data_t
+/etc/cron\.(daily|monthly)/acct -- system_u:object_r:acct_exec_t
diff --git a/strict/file_contexts/program/amanda.fc b/strict/file_contexts/program/amanda.fc
new file mode 100644
index 0000000..09dd2fe
--- /dev/null
+++ b/strict/file_contexts/program/amanda.fc
@@ -0,0 +1,70 @@
+#
+# Author:  Carsten Grohmann <carstengrohmann at gmx.de>
+#
+
+# amanda
+/etc/amanda(/.*)?			system_u:object_r:amanda_config_t
+/etc/amanda/.*/tapelist(/.*)?		system_u:object_r:amanda_data_t
+/etc/amandates				system_u:object_r:amanda_amandates_t
+/etc/dumpdates				system_u:object_r:amanda_dumpdates_t
+/root/restore			-d	system_u:object_r:amanda_recover_dir_t
+/tmp/amanda(/.*)?			system_u:object_r:amanda_tmp_t
+/usr/lib(64)?/amanda			-d	system_u:object_r:amanda_usr_lib_t
+/usr/lib(64)?/amanda/amandad		--	system_u:object_r:amanda_inetd_exec_t
+/usr/lib(64)?/amanda/amcat\.awk	--	system_u:object_r:amanda_script_exec_t
+/usr/lib(64)?/amanda/amcleanupdisk	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/amidxtaped	--	system_u:object_r:amanda_inetd_exec_t
+/usr/lib(64)?/amanda/amindexd	--	system_u:object_r:amanda_inetd_exec_t
+/usr/lib(64)?/amanda/amlogroll	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/amplot\.awk	--	system_u:object_r:amanda_script_exec_t
+/usr/lib(64)?/amanda/amplot\.g	--	system_u:object_r:amanda_script_exec_t
+/usr/lib(64)?/amanda/amplot\.gp	--	system_u:object_r:amanda_script_exec_t
+/usr/lib(64)?/amanda/amtrmidx	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/amtrmlog	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/calcsize	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/chg-chio	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/chg-chs		--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/chg-manual	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/chg-mtx		--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/chg-multi	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/chg-rth		--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/chg-scsi	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/chg-zd-mtx	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/driver		--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/dumper		--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/killpgrp	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/patch-system	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/planner		--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/rundump		--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/runtar		--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/selfcheck	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/sendbackup	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/sendsize	--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/taper		--	system_u:object_r:amanda_exec_t
+/usr/lib(64)?/amanda/versionsuffix	--	system_u:object_r:amanda_exec_t
+/usr/sbin/amadmin		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amcheck		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amcheckdb		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amcleanup		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amdump		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amflush		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amgetconf		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amlabel		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amoverview		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amplot		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amrecover		--	system_u:object_r:amanda_recover_exec_t
+/usr/sbin/amreport		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amrestore		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amrmtape		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amstatus		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amtape		--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amtoc			--	system_u:object_r:amanda_user_exec_t
+/usr/sbin/amverify		--	system_u:object_r:amanda_user_exec_t
+/var/lib/amanda			-d	system_u:object_r:amanda_var_lib_t
+/var/lib/amanda/\.amandahosts	--	system_u:object_r:amanda_config_t
+/var/lib/amanda/\.bashrc	--	system_u:object_r:amanda_shellconfig_t
+/var/lib/amanda/\.profile	--	system_u:object_r:amanda_shellconfig_t
+/var/lib/amanda/disklist	--	system_u:object_r:amanda_data_t
+/var/lib/amanda/gnutar-lists(/.*)?	system_u:object_r:amanda_gnutarlists_t
+/var/lib/amanda/index			system_u:object_r:amanda_data_t
+/var/log/amanda(/.*)?			system_u:object_r:amanda_log_t
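Review bot: `/var/lib/amanda/index` near the end of the hunk has neither a file-type flag nor the `(/.*)?` suffix that the `gnutar-lists` entry directly above it uses, so only the `index` entry itself matches and nothing beneath it does. Because `/var/lib/amanda` is declared with `-d` and there is no catch-all for the tree, files inside an index directory appear to get no context from this file at all. If index is a directory, `/var/lib/amanda/index(/.*)?	system_u:object_r:amanda_data_t` would cover its contents consistently with the neighbouring entries.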
diff --git a/strict/file_contexts/program/amavis.fc b/strict/file_contexts/program/amavis.fc
new file mode 100644
index 0000000..12a2064
--- /dev/null
+++ b/strict/file_contexts/program/amavis.fc
@@ -0,0 +1,6 @@
+# amavis
+/usr/sbin/amavisd.*		--	system_u:object_r:amavisd_exec_t
+/etc/amavisd\.conf		--	system_u:object_r:amavisd_etc_t
+/var/log/amavisd\.log 		--	system_u:object_r:amavisd_log_t
+/var/lib/amavis(/.*)?	 		system_u:object_r:amavisd_lib_t
+/var/run/amavis(/.*)?	 		system_u:object_r:amavisd_var_run_t
diff --git a/strict/file_contexts/program/anaconda.fc b/strict/file_contexts/program/anaconda.fc
new file mode 100644
index 0000000..a0cbc0e
--- /dev/null
+++ b/strict/file_contexts/program/anaconda.fc
@@ -0,0 +1,5 @@
+#
+# Anaconda file context
+# currently anaconda does not have any file context since it is started during install
+# This is a placeholder to stop makefile from complaining
+#
diff --git a/strict/file_contexts/program/apache.fc b/strict/file_contexts/program/apache.fc
new file mode 100644
index 0000000..4fe5dac
--- /dev/null
+++ b/strict/file_contexts/program/apache.fc
@@ -0,0 +1,46 @@
+# apache
+HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t
+/var/www(/.*)?			system_u:object_r:httpd_sys_content_t
+/var/www/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t
+/usr/lib/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t
+/var/www/perl(/.*)?		system_u:object_r:httpd_sys_script_exec_t
+/var/www/icons(/.*)?		system_u:object_r:httpd_sys_content_t
+/var/cache/httpd(/.*)?		system_u:object_r:httpd_cache_t
+/etc/httpd		-d	system_u:object_r:httpd_config_t
+/etc/httpd/conf.*		system_u:object_r:httpd_config_t
+/etc/httpd/logs			system_u:object_r:httpd_log_t
+/etc/httpd/modules		system_u:object_r:httpd_modules_t
+/etc/apache(2)?(/.*)?		system_u:object_r:httpd_config_t
+/etc/vhosts		--	system_u:object_r:httpd_config_t
+/usr/lib(64)?/apache(/.*)?		system_u:object_r:httpd_modules_t
+/usr/lib(64)?/apache2/modules(/.*)?	system_u:object_r:httpd_modules_t
+/usr/lib(64)?/httpd(/.*)?		system_u:object_r:httpd_modules_t
+/usr/sbin/httpd		--	system_u:object_r:httpd_exec_t
+/usr/sbin/apache(2)?	--	system_u:object_r:httpd_exec_t
+/usr/sbin/suexec	--	system_u:object_r:httpd_suexec_exec_t
+/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t
+/usr/lib(64)?/apache(2)?/suexec(2)? -- system_u:object_r:httpd_suexec_exec_t
+/var/log/httpd(/.*)?		system_u:object_r:httpd_log_t
+/var/log/apache(2)?(/.*)?	system_u:object_r:httpd_log_t
+/var/log/cgiwrap\.log.*	--	system_u:object_r:httpd_log_t
+/var/cache/ssl.*\.sem	--	system_u:object_r:httpd_cache_t
+/var/cache/mod_ssl(/.*)?	system_u:object_r:httpd_cache_t
+/var/run/apache(2)?\.pid.* --	system_u:object_r:httpd_var_run_t
+/var/lib/httpd(/.*)?		system_u:object_r:httpd_var_lib_t
+/var/lib/php/session(/.*)?	system_u:object_r:httpd_var_run_t
+/etc/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_config_t
+/usr/lib/apache-ssl/.+	 --	system_u:object_r:httpd_exec_t
+/usr/sbin/apache-ssl(2)? --	system_u:object_r:httpd_exec_t
+/var/log/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_log_t
+/var/run/apache-ssl(2)?\.pid.* -- system_u:object_r:httpd_var_run_t
+/var/run/gcache_port	-s	system_u:object_r:httpd_var_run_t
+ifdef(`distro_suse', `
+# suse puts shell scripts there :-(
+/usr/share/apache2/[^/]*       --      system_u:object_r:bin_t
+')
+/var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t
+/var/spool/squirrelmail(/.*)?	system_u:object_r:squirrelmail_spool_t
+/usr/bin/htsslpass --	system_u:object_r:httpd_helper_exec_t
+/usr/share/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
+/var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
+/etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
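Review bot: The first entry `HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t` is the same line the homedir_template hunk of this commit already carries, so it should live in only one of the two files. `/usr/lib/apache-ssl/.+ -- system_u:object_r:httpd_exec_t` labels every regular file under that directory as the daemon entry point, whereas the non-SSL tree uses httpd_modules_t for `/usr/lib(64)?/apache(/.*)?`; if only the server binary is meant, the pattern should be narrowed, otherwise a comment explaining why the whole directory is an entrypoint would help. `/var/lib/php/session(/.*)?` is given httpd_var_run_t rather than a content or lib type; PHP session files hold per-user state, so a comment on why the run-time type was chosen would make the access implications reviewable.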
diff --git a/strict/file_contexts/program/apmd.fc b/strict/file_contexts/program/apmd.fc
new file mode 100644
index 0000000..da3c93a
--- /dev/null
+++ b/strict/file_contexts/program/apmd.fc
@@ -0,0 +1,11 @@
+# apmd
+/usr/sbin/apmd		--	system_u:object_r:apmd_exec_t
+/usr/sbin/acpid		--	system_u:object_r:apmd_exec_t
+/usr/bin/apm		--	system_u:object_r:apm_exec_t
+/var/run/apmd\.pid	--	system_u:object_r:apmd_var_run_t
+/var/run/\.?acpid\.socket	-s	system_u:object_r:apmd_var_run_t
+/var/log/acpid		--	system_u:object_r:apmd_log_t
+ifdef(`distro_suse', `
+/var/lib/acpi(/.*)?		system_u:object_r:apmd_var_lib_t
+')
+
diff --git a/strict/file_contexts/program/arpwatch.fc b/strict/file_contexts/program/arpwatch.fc
new file mode 100644
index 0000000..5b2aa5a
--- /dev/null
+++ b/strict/file_contexts/program/arpwatch.fc
@@ -0,0 +1,4 @@
+# arpwatch - keep track of ethernet/ip address pairings
+/usr/sbin/arpwatch	--	system_u:object_r:arpwatch_exec_t
+/var/arpwatch(/.*)?		system_u:object_r:arpwatch_data_t
+/var/lib/arpwatch(/.*)?		system_u:object_r:arpwatch_data_t
diff --git a/strict/file_contexts/program/asterisk.fc b/strict/file_contexts/program/asterisk.fc
new file mode 100644
index 0000000..6f4eb4b
--- /dev/null
+++ b/strict/file_contexts/program/asterisk.fc
@@ -0,0 +1,7 @@
+# asterisk
+/usr/sbin/asterisk	--	system_u:object_r:asterisk_exec_t
+/var/run/asterisk(/.*)?		system_u:object_r:asterisk_var_run_t
+/etc/asterisk(/.*)?		system_u:object_r:asterisk_etc_t
+/var/log/asterisk(/.*)?		system_u:object_r:asterisk_log_t
+/var/lib/asterisk(/.*)?		system_u:object_r:asterisk_var_lib_t
+/var/spool/asterisk(/.*)?	system_u:object_r:asterisk_spool_t
diff --git a/strict/file_contexts/program/audio-entropyd.fc b/strict/file_contexts/program/audio-entropyd.fc
new file mode 100644
index 0000000..a8f616a
--- /dev/null
+++ b/strict/file_contexts/program/audio-entropyd.fc
@@ -0,0 +1 @@
+/usr/sbin/audio-entropyd	--	system_u:object_r:entropyd_exec_t
diff --git a/strict/file_contexts/program/auditd.fc b/strict/file_contexts/program/auditd.fc
new file mode 100644
index 0000000..32401bb
--- /dev/null
+++ b/strict/file_contexts/program/auditd.fc
@@ -0,0 +1,3 @@
+# auditd
+/sbin/auditd		--	system_u:object_r:auditd_exec_t
+/var/log/audit.log 	-- 	system_u:object_r:auditd_log_t
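Review bot: `/var/log/audit.log` leaves the dot unescaped, unlike `/var/log/amavisd\.log` and `/var/log/clam-update\.log` in this commit, and it matches only the live file, so rotated copies would not be labeled auditd_log_t. `/var/log/audit\.log.* -- system_u:object_r:auditd_log_t` follows the convention already used by `/var/log/clamav-freshclam\.log.*`. Since the audit trail is what incident response relies on, leaving rotated logs with a default label would put them outside the auditd-specific access rules.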
diff --git a/strict/file_contexts/program/authbind.fc b/strict/file_contexts/program/authbind.fc
new file mode 100644
index 0000000..9fed63e
--- /dev/null
+++ b/strict/file_contexts/program/authbind.fc
@@ -0,0 +1,3 @@
+# authbind
+/etc/authbind(/.*)?		system_u:object_r:authbind_etc_t
+/usr/lib(64)?/authbind/helper --	system_u:object_r:authbind_exec_t
diff --git a/strict/file_contexts/program/automount.fc b/strict/file_contexts/program/automount.fc
new file mode 100644
index 0000000..f7b56f7
--- /dev/null
+++ b/strict/file_contexts/program/automount.fc
@@ -0,0 +1,5 @@
+# automount
+/usr/sbin/automount	--	system_u:object_r:automount_exec_t
+/etc/apm/event\.d/autofs --	system_u:object_r:automount_exec_t
+/var/run/autofs(/.*)?		system_u:object_r:automount_var_run_t
+/etc/auto\..+		--	system_u:object_r:automount_etc_t
diff --git a/strict/file_contexts/program/backup.fc b/strict/file_contexts/program/backup.fc
new file mode 100644
index 0000000..ed82809
--- /dev/null
+++ b/strict/file_contexts/program/backup.fc
@@ -0,0 +1,6 @@
+# backup
+# label programs that do backups to other files on disk (IE a cron job that
+# calls tar) in backup_exec_t and label the directory for storing them as
+# backup_store_t, Debian uses /var/backups
+#/usr/local/bin/backup-script -- system_u:object_r:backup_exec_t
+/var/backups(/.*)?		system_u:object_r:backup_store_t
diff --git a/strict/file_contexts/program/bluetooth.fc b/strict/file_contexts/program/bluetooth.fc
new file mode 100644
index 0000000..258ff2b
--- /dev/null
+++ b/strict/file_contexts/program/bluetooth.fc
@@ -0,0 +1,7 @@
+# bluetooth
+/etc/bluetooth(/.*)?		system_u:object_r:bluetooth_conf_t
+/usr/bin/rfcomm		--	system_u:object_r:bluetooth_exec_t
+/usr/sbin/hcid		--	system_u:object_r:bluetooth_exec_t
+/usr/sbin/sdpd		--	system_u:object_r:bluetooth_exec_t
+/usr/sbin/hciattach	--	system_u:object_r:bluetooth_exec_t
+/var/run/sdp		--	system_u:object_r:bluetooth_var_run_t
diff --git a/strict/file_contexts/program/bootloader.fc b/strict/file_contexts/program/bootloader.fc
new file mode 100644
index 0000000..90f8e85
--- /dev/null
+++ b/strict/file_contexts/program/bootloader.fc
@@ -0,0 +1,11 @@
+# bootloader
+/etc/lilo\.conf.*	--	system_u:object_r:bootloader_etc_t
+/initrd\.img.*		-l	system_u:object_r:boot_t
+/sbin/lilo.*		--	system_u:object_r:bootloader_exec_t
+/sbin/grub.*		--	system_u:object_r:bootloader_exec_t
+/vmlinuz.*		-l	system_u:object_r:boot_t
+/usr/sbin/mkinitrd	--	system_u:object_r:bootloader_exec_t
+/sbin/mkinitrd		--	system_u:object_r:bootloader_exec_t
+/etc/mkinitrd/scripts/.* --	system_u:object_r:bootloader_exec_t
+/sbin/ybin.*		--	system_u:object_r:bootloader_exec_t
+/etc/yaboot\.conf.*	--	system_u:object_r:bootloader_etc_t
diff --git a/strict/file_contexts/program/calamaris.fc b/strict/file_contexts/program/calamaris.fc
new file mode 100644
index 0000000..36d8c87
--- /dev/null
+++ b/strict/file_contexts/program/calamaris.fc
@@ -0,0 +1,4 @@
+# squid
+/etc/cron\.daily/calamaris --	system_u:object_r:calamaris_exec_t
+/var/www/calamaris(/.*)?	system_u:object_r:calamaris_www_t
+/var/log/calamaris(/.*)?	system_u:object_r:calamaris_log_t
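Review bot: The header comment `# squid` does not match the file, which labels only calamaris paths; change it to `# calamaris`. Every other .fc in this commit opens with the program's own name, so the mismatch reads as a copy-paste leftover and will mislead anyone grepping for the squid contexts.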
diff --git a/strict/file_contexts/program/canna.fc b/strict/file_contexts/program/canna.fc
new file mode 100644
index 0000000..4b207a8
--- /dev/null
+++ b/strict/file_contexts/program/canna.fc
@@ -0,0 +1,12 @@
+# canna.fc
+/usr/sbin/cannaserver	--	system_u:object_r:canna_exec_t
+/usr/sbin/jserver	--	system_u:object_r:canna_exec_t
+/usr/bin/cannaping	--	system_u:object_r:canna_exec_t
+/usr/bin/catdic		--	system_u:object_r:canna_exec_t
+/var/log/canna(/.*)?		system_u:object_r:canna_log_t
+/var/log/wnn(/.*)?		system_u:object_r:canna_log_t
+/var/lib/canna/dic(/.*)?	system_u:object_r:canna_var_lib_t
+/var/lib/wnn/dic(/.*)?	system_u:object_r:canna_var_lib_t
+/var/run/\.iroha_unix	-d	system_u:object_r:canna_var_run_t
+/var/run/\.iroha_unix/.* -s	system_u:object_r:canna_var_run_t
+/var/run/wnn-unix(/.*)		system_u:object_r:canna_var_run_t
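Review bot: `/var/run/wnn-unix(/.*)` is missing the trailing `?` that every other directory pattern in this commit uses, so the directory itself is never matched and only its contents are; `/var/run/wnn-unix(/.*)?		system_u:object_r:canna_var_run_t` fixes it. The header comment `# canna.fc` could also mention that the wnn entries are intentionally grouped under the canna types, since the file mixes the two.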
diff --git a/strict/file_contexts/program/cardmgr.fc b/strict/file_contexts/program/cardmgr.fc
new file mode 100644
index 0000000..2e4b109
--- /dev/null
+++ b/strict/file_contexts/program/cardmgr.fc
@@ -0,0 +1,7 @@
+# cardmgr
+/sbin/cardmgr		--	system_u:object_r:cardmgr_exec_t
+/sbin/cardctl		--	system_u:object_r:cardctl_exec_t
+/var/run/stab		--	system_u:object_r:cardmgr_var_run_t
+/var/run/cardmgr\.pid	--	system_u:object_r:cardmgr_var_run_t
+/etc/apm/event\.d/pcmcia --	system_u:object_r:cardmgr_exec_t
+/var/lib/pcmcia(/.*)?		system_u:object_r:cardmgr_var_run_t
diff --git a/strict/file_contexts/program/cdrecord.fc b/strict/file_contexts/program/cdrecord.fc
new file mode 100644
index 0000000..d03d3bc
--- /dev/null
+++ b/strict/file_contexts/program/cdrecord.fc
@@ -0,0 +1,3 @@
+# cdrecord
+/usr/bin/cdrecord	--	system_u:object_r:cdrecord_exec_t
+
diff --git a/strict/file_contexts/program/checkpolicy.fc b/strict/file_contexts/program/checkpolicy.fc
new file mode 100644
index 0000000..8c0c732
--- /dev/null
+++ b/strict/file_contexts/program/checkpolicy.fc
@@ -0,0 +1,2 @@
+# checkpolicy
+/usr/bin/checkpolicy		--	system_u:object_r:checkpolicy_exec_t
diff --git a/strict/file_contexts/program/chkpwd.fc b/strict/file_contexts/program/chkpwd.fc
new file mode 100644
index 0000000..444e3e5
--- /dev/null
+++ b/strict/file_contexts/program/chkpwd.fc
@@ -0,0 +1,6 @@
+# chkpwd
+/sbin/unix_chkpwd	--	system_u:object_r:chkpwd_exec_t
+/sbin/unix_verify	--	system_u:object_r:chkpwd_exec_t
+ifdef(`distro_suse', `
+/sbin/unix2_chkpwd	--	system_u:object_r:chkpwd_exec_t
+')
diff --git a/strict/file_contexts/program/chroot.fc b/strict/file_contexts/program/chroot.fc
new file mode 100644
index 0000000..aa61acc
--- /dev/null
+++ b/strict/file_contexts/program/chroot.fc
@@ -0,0 +1 @@
+/usr/sbin/chroot	--	system_u:object_r:chroot_exec_t
diff --git a/strict/file_contexts/program/ciped.fc b/strict/file_contexts/program/ciped.fc
new file mode 100644
index 0000000..e3a12a1
--- /dev/null
+++ b/strict/file_contexts/program/ciped.fc
@@ -0,0 +1,3 @@
+/usr/sbin/ciped.*	--	system_u:object_r:ciped_exec_t
+/etc/cipe/ip-up.*	--	system_u:object_r:bin_t
+/etc/cipe/ip-down.*	--	system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/clamav.fc b/strict/file_contexts/program/clamav.fc
new file mode 100644
index 0000000..f08b276
--- /dev/null
+++ b/strict/file_contexts/program/clamav.fc
@@ -0,0 +1,12 @@
+# clamscan
+/usr/bin/clamscan	--	system_u:object_r:clamscan_exec_t
+/usr/bin/freshclam	--	system_u:object_r:freshclam_exec_t
+/usr/sbin/clamav-freshclam-handledaemon	-- system_u:object_r:freshclam_exec_t
+/usr/sbin/clamd		--	system_u:object_r:clamd_exec_t
+/var/lib/clamav(/.*)?		system_u:object_r:clamav_var_lib_t
+/var/log/clam-update\.log --	system_u:object_r:freshclam_log_t
+/var/log/clamav-freshclam\.log.* -- system_u:object_r:freshclam_log_t
+/var/run/clamd\.ctl	-s	system_u:object_r:clamd_var_run_t
+/var/run/clamd\.pid	--	system_u:object_r:clamd_var_run_t
+/var/log/clamav(/.*)?		system_u:object_r:freshclam_log_t
+/var/run/clamav(/.*)?		system_u:object_r:clamd_var_run_t
diff --git a/strict/file_contexts/program/comsat.fc b/strict/file_contexts/program/comsat.fc
new file mode 100644
index 0000000..7026d56
--- /dev/null
+++ b/strict/file_contexts/program/comsat.fc
@@ -0,0 +1,2 @@
+# biff server
+/usr/sbin/in\.comsat	--	system_u:object_r:comsat_exec_t
diff --git a/strict/file_contexts/program/consoletype.fc b/strict/file_contexts/program/consoletype.fc
new file mode 100644
index 0000000..f310f37
--- /dev/null
+++ b/strict/file_contexts/program/consoletype.fc
@@ -0,0 +1,2 @@
+# consoletype
+/sbin/consoletype	--	system_u:object_r:consoletype_exec_t
diff --git a/strict/file_contexts/program/courier.fc b/strict/file_contexts/program/courier.fc
new file mode 100644
index 0000000..16f6adb
--- /dev/null
+++ b/strict/file_contexts/program/courier.fc
@@ -0,0 +1,18 @@
+# courier pop, imap, and webmail
+/usr/lib(64)?/courier(/.*)?			system_u:object_r:bin_t
+/usr/lib(64)?/courier/rootcerts(/.*)?	system_u:object_r:courier_etc_t
+/usr/lib(64)?/courier/authlib/.*	--	system_u:object_r:courier_authdaemon_exec_t
+/usr/lib(64)?/courier/courier/.*	--	system_u:object_r:courier_exec_t
+/usr/lib(64)?/courier/courier/courierpop.* -- system_u:object_r:courier_pop_exec_t
+/usr/lib(64)?/courier/courier/imaplogin --	system_u:object_r:courier_pop_exec_t
+/usr/lib(64)?/courier/courier/pcpd	--	system_u:object_r:courier_pcp_exec_t
+/usr/lib(64)?/courier/imapd		--	system_u:object_r:courier_pop_exec_t
+/usr/lib(64)?/courier/pop3d		--	system_u:object_r:courier_pop_exec_t
+/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- system_u:object_r:sqwebmail_cron_exec_t
+/var/lib/courier(/.*)?			system_u:object_r:courier_var_lib_t
+/usr/bin/imapd			--	system_u:object_r:courier_pop_exec_t
+/usr/sbin/courierlogger		--	system_u:object_r:courier_exec_t
+/usr/sbin/courierldapaliasd	--	system_u:object_r:courier_exec_t
+/usr/sbin/couriertcpd		--	system_u:object_r:courier_tcpd_exec_t
+/var/run/courier(/.*)?			system_u:object_r:courier_var_run_t
+/etc/courier(/.*)?			system_u:object_r:courier_etc_t
diff --git a/strict/file_contexts/program/cpucontrol.fc b/strict/file_contexts/program/cpucontrol.fc
new file mode 100644
index 0000000..e2275c6
--- /dev/null
+++ b/strict/file_contexts/program/cpucontrol.fc
@@ -0,0 +1,3 @@
+# cpucontrol
+/sbin/microcode_ctl	--	system_u:object_r:cpucontrol_exec_t
+/etc/firmware/.*	--	system_u:object_r:cpucontrol_conf_t
diff --git a/strict/file_contexts/program/cpuspeed.fc b/strict/file_contexts/program/cpuspeed.fc
new file mode 100644
index 0000000..60d8465
--- /dev/null
+++ b/strict/file_contexts/program/cpuspeed.fc
@@ -0,0 +1,3 @@
+# cpuspeed
+/usr/sbin/cpuspeed	--	system_u:object_r:cpuspeed_exec_t
+/usr/sbin/powernowd	--	system_u:object_r:cpuspeed_exec_t
diff --git a/strict/file_contexts/program/crack.fc b/strict/file_contexts/program/crack.fc
new file mode 100644
index 0000000..fac9bd6
--- /dev/null
+++ b/strict/file_contexts/program/crack.fc
@@ -0,0 +1,4 @@
+# crack - for password checking
+/usr/sbin/crack_[a-z]*	--	system_u:object_r:crack_exec_t
+/var/cache/cracklib(/.*)?	system_u:object_r:crack_db_t
+/usr/lib(64)?/cracklib_dict.* --	system_u:object_r:crack_db_t
diff --git a/strict/file_contexts/program/crond.fc b/strict/file_contexts/program/crond.fc
new file mode 100644
index 0000000..90869cf
--- /dev/null
+++ b/strict/file_contexts/program/crond.fc
@@ -0,0 +1,29 @@
+# crond
+/etc/crontab		--	system_u:object_r:system_cron_spool_t
+/etc/cron\.d(/.*)?		system_u:object_r:system_cron_spool_t
+/usr/sbin/cron(d)?	--	system_u:object_r:crond_exec_t
+/usr/sbin/anacron	--	system_u:object_r:anacron_exec_t
+/var/spool/cron		-d	system_u:object_r:cron_spool_t
+/var/spool/cron/crontabs -d	system_u:object_r:cron_spool_t
+/var/spool/cron/crontabs/.* -- <<none>>
+/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t
+/var/spool/cron/root	--	system_u:object_r:sysadm_cron_spool_t
+/var/spool/cron/[^/]*	--	<<none>>
+/var/log/cron.*		--	system_u:object_r:crond_log_t
+/var/run/crond\.reboot	--	system_u:object_r:crond_var_run_t
+/var/run/crond?\.pid	--	system_u:object_r:crond_var_run_t
+# fcron
+/usr/sbin/fcron		--	system_u:object_r:crond_exec_t
+/var/spool/fcron	-d	system_u:object_r:cron_spool_t
+/var/spool/fcron/.*		<<none>>
+/var/spool/fcron/systab\.orig --	system_u:object_r:system_cron_spool_t
+/var/spool/fcron/systab	 --	system_u:object_r:system_cron_spool_t
+/var/spool/fcron/new\.systab --	system_u:object_r:system_cron_spool_t
+/var/run/fcron\.fifo	-s	system_u:object_r:crond_var_run_t
+/var/run/fcron\.pid	--	system_u:object_r:crond_var_run_t
+# atd
+/usr/sbin/atd		--	system_u:object_r:crond_exec_t
+/var/spool/at		-d	system_u:object_r:cron_spool_t
+/var/spool/at/spool	-d	system_u:object_r:cron_spool_t
+/var/spool/at/[^/]*	--	<<none>>
+/var/run/atd\.pid	--	system_u:object_r:crond_var_run_t
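Review bot: `/var/spool/cron/root -- system_u:object_r:sysadm_cron_spool_t` is listed immediately before the catch-all `/var/spool/cron/[^/]* -- <<none>>`, so if the later entry takes precedence, root's crontab is excluded from relabeling instead of receiving sysadm_cron_spool_t. The crontabs block earlier in the same hunk places its root entry after the `<<none>>` line, which is the ordering that works when the last matching entry wins. Swapping the two `/var/spool/cron/...` lines would make the two blocks consistent, assuming the last-match rule applies here as it does elsewhere in these files.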
diff --git a/strict/file_contexts/program/crontab.fc b/strict/file_contexts/program/crontab.fc
new file mode 100644
index 0000000..5c18699
--- /dev/null
+++ b/strict/file_contexts/program/crontab.fc
@@ -0,0 +1,3 @@
+# crontab
+/usr/bin/(f)?crontab	--	system_u:object_r:crontab_exec_t
+/usr/bin/at		--	system_u:object_r:crontab_exec_t
diff --git a/strict/file_contexts/program/cups.fc b/strict/file_contexts/program/cups.fc
new file mode 100644
index 0000000..2395746
--- /dev/null
+++ b/strict/file_contexts/program/cups.fc
@@ -0,0 +1,36 @@
+# cups printing
+/etc/cups(/.*)?			system_u:object_r:cupsd_etc_t
+/usr/share/cups(/.*)?		system_u:object_r:cupsd_etc_t
+/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t
+/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
+/etc/cups/client\.conf	--	system_u:object_r:etc_t
+/etc/cups/cupsd\.conf.* --	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/lpoptions	--	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/printers\.conf.* --	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/ppd/.*	--	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/certs		-d	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t
+/var/lib/cups/certs	-d	system_u:object_r:cupsd_rw_etc_t
+/var/lib/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/ppds\.dat	--	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/lpoptions.* 	--	system_u:object_r:cupsd_rw_etc_t
+/etc/printcap.* 	--	system_u:object_r:cupsd_rw_etc_t
+/usr/lib(64)?/cups/backend/.* --	system_u:object_r:cupsd_exec_t
+/usr/lib(64)?/cups/daemon/.*	 --	system_u:object_r:cupsd_exec_t
+/usr/sbin/cupsd		--	system_u:object_r:cupsd_exec_t
+ifdef(`hald.te', `
+# cupsd_config depends on hald
+/usr/bin/cups-config-daemon --	system_u:object_r:cupsd_config_exec_t
+/usr/sbin/hal_lpadmin --	system_u:object_r:cupsd_config_exec_t
+/usr/sbin/printconf-backend --	system_u:object_r:cupsd_config_exec_t
+')
+/var/log/cups(/.*)?		system_u:object_r:cupsd_log_t
+/var/spool/cups(/.*)?		system_u:object_r:print_spool_t
+/var/run/cups/printcap	--	system_u:object_r:cupsd_var_run_t
+/usr/lib(64)?/cups/filter/.*	--	system_u:object_r:bin_t
+/usr/lib(64)?/cups/cgi-bin/.* --	system_u:object_r:bin_t
+/usr/sbin/ptal-printd	--	system_u:object_r:ptal_exec_t
+/usr/sbin/ptal-mlcd	--	system_u:object_r:ptal_exec_t
+/var/run/ptal-printd(/.*)?	system_u:object_r:ptal_var_run_t
+/var/run/ptal-mlcd(/.*)?	system_u:object_r:ptal_var_run_t
+/usr/share/foomatic/db/oldprinterids 	--	system_u:object_r:cupsd_rw_etc_t
diff --git a/strict/file_contexts/program/cyrus.fc b/strict/file_contexts/program/cyrus.fc
new file mode 100644
index 0000000..6129446
--- /dev/null
+++ b/strict/file_contexts/program/cyrus.fc
@@ -0,0 +1,4 @@
+# cyrus
+/var/lib/imap(/.*)?				system_u:object_r:cyrus_var_lib_t
+/usr/lib(64)?/cyrus-imapd/.*		 	--	system_u:object_r:bin_t
+/usr/lib(64)?/cyrus-imapd/cyrus-master 		--	system_u:object_r:cyrus_exec_t	
diff --git a/strict/file_contexts/program/dante.fc b/strict/file_contexts/program/dante.fc
new file mode 100644
index 0000000..ce7f335
--- /dev/null
+++ b/strict/file_contexts/program/dante.fc
@@ -0,0 +1,4 @@
+# dante
+/usr/sbin/sockd		--	system_u:object_r:dante_exec_t
+/etc/socks(/.*)?		system_u:object_r:dante_conf_t
+/var/run/sockd.pid	--	system_u:object_r:dante_var_run_t
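Review bot: `/var/run/sockd.pid -- system_u:object_r:dante_var_run_t` leaves the dot unescaped, so it matches any character in that position rather than a literal period, while the surrounding files consistently write `\.pid`. Changing the line to `/var/run/sockd\.pid -- system_u:object_r:dante_var_run_t` makes the pattern exact. The same unescaped dot appears in hotplug.fc's `/etc/hotplug/firmware.agent` entry later in this commit.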
diff --git a/strict/file_contexts/program/dbskkd.fc b/strict/file_contexts/program/dbskkd.fc
new file mode 100644
index 0000000..77ff4f1
--- /dev/null
+++ b/strict/file_contexts/program/dbskkd.fc
@@ -0,0 +1,2 @@
+# A dictionary server for the SKK Japanese input method system.
+/usr/sbin/dbskkd-cdb	--	system_u:object_r:dbskkd_exec_t
diff --git a/strict/file_contexts/program/dbusd.fc b/strict/file_contexts/program/dbusd.fc
new file mode 100644
index 0000000..9f56c33
--- /dev/null
+++ b/strict/file_contexts/program/dbusd.fc
@@ -0,0 +1,3 @@
+/usr/bin/dbus-daemon(-1)?	--	system_u:object_r:system_dbusd_exec_t
+/etc/dbus-1(/.*)?		system_u:object_r:etc_dbusd_t
+/var/run/dbus(/.*)?		system_u:object_r:system_dbusd_var_run_t
diff --git a/strict/file_contexts/program/ddclient.fc b/strict/file_contexts/program/ddclient.fc
new file mode 100644
index 0000000..ba003c9
--- /dev/null
+++ b/strict/file_contexts/program/ddclient.fc
@@ -0,0 +1,11 @@
+# ddclient
+/etc/ddclient\.conf		--	system_u:object_r:ddclient_etc_t
+/usr/sbin/ddclient		--	system_u:object_r:ddclient_exec_t
+/var/cache/ddclient(/.*)?		system_u:object_r:ddclient_var_t
+/var/run/ddclient\.pid		--	system_u:object_r:ddclient_var_run_t
+# ddt - Dynamic DNS client
+/usr/sbin/ddtcd		--	system_u:object_r:ddclient_exec_t
+/var/run/ddtcd\.pid	--	system_u:object_r:ddclient_var_run_t
+/etc/ddtcd\.conf	--	system_u:object_r:ddclient_etc_t
+/var/lib/ddt-client(/.*)?	system_u:object_r:var_lib_ddclient_t
+/var/log/ddtcd\.log.*	--	system_u:object_r:ddclient_log_t
diff --git a/strict/file_contexts/program/devfsd.fc b/strict/file_contexts/program/devfsd.fc
new file mode 100644
index 0000000..7587e2e
--- /dev/null
+++ b/strict/file_contexts/program/devfsd.fc
@@ -0,0 +1,4 @@
+# devfsd
+/etc/devfs(/.*)?		system_u:object_r:devfsd_etc_t
+/sbin/devfsd.*		--	system_u:object_r:devfsd_exec_t
+/etc/init\.d/makedev	--	system_u:object_r:devfsd_exec_t
diff --git a/strict/file_contexts/program/dhcpc.fc b/strict/file_contexts/program/dhcpc.fc
new file mode 100644
index 0000000..4085e1d
--- /dev/null
+++ b/strict/file_contexts/program/dhcpc.fc
@@ -0,0 +1,16 @@
+# dhcpcd 
+/etc/dhcpc.*			system_u:object_r:dhcp_etc_t
+/etc/dhcp3?/dhclient.*		system_u:object_r:dhcp_etc_t
+/etc/dhclient.*conf	--	system_u:object_r:dhcp_etc_t
+/etc/dhclient-script	--	system_u:object_r:dhcp_etc_t
+/sbin/dhcpcd		--	system_u:object_r:dhcpc_exec_t
+/sbin/dhclient.*	--	system_u:object_r:dhcpc_exec_t
+/var/lib/dhcp(3)?/dhclient.*	system_u:object_r:dhcpc_state_t
+/var/run/dhclient.*\.pid --	system_u:object_r:dhcpc_var_run_t
+/var/run/dhclient.*\.leases --	system_u:object_r:dhcpc_var_run_t
+# pump
+/sbin/pump		--	system_u:object_r:dhcpc_exec_t
+ifdef(`dhcp_defined', `', `
+/var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t
+define(`dhcp_defined')
+')
diff --git a/strict/file_contexts/program/dhcpd.fc b/strict/file_contexts/program/dhcpd.fc
new file mode 100644
index 0000000..4e612cf
--- /dev/null
+++ b/strict/file_contexts/program/dhcpd.fc
@@ -0,0 +1,33 @@
+# dhcpd
+/etc/dhcpd\.conf	--	system_u:object_r:dhcp_etc_t
+/etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t
+/usr/sbin/dhcpd.*	--	system_u:object_r:dhcpd_exec_t
+/var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
+/var/run/dhcpd\.pid	-d	system_u:object_r:dhcpd_var_run_t
+ifdef(`dhcp_defined', `', `
+/var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t
+define(`dhcp_defined')
+')
+
+ifdef(`distro_gentoo', `
+/etc/dhcp			-d	system_u:object_r:dhcp_etc_t
+/etc/dhcp(/.*)?			--	system_u:object_r:dhcp_etc_t
+/var/lib/dhcp			-d 	system_u:object_r:dhcp_state_t
+/var/lib/dhcp/dhcpd\.leases.* 	--	system_u:object_r:dhcpd_state_t
+/var/run/dhcp/dhcpd\.pid     	--	system_u:object_r:dhcpd_var_run_t
+
+# for the chroot setup
+/chroot/dhcp					-d	system_u:object_r:root_t
+/chroot/dhcp/dev				-d	system_u:object_r:device_t
+/chroot/dhcp/etc				-d	system_u:object_r:etc_t
+/chroot/dhcp/etc/dhcp               -d  system_u:object_r:dhcp_etc_t
+/chroot/dhcp/etc/dhcp(/.*)?         --  system_u:object_r:dhcp_etc_t
+/chroot/dhcp/usr/sbin/dhcpd         --  system_u:object_r:dhcpd_exec_t
+/chroot/dhcp/var				-d	system_u:object_r:var_t
+/chroot/dhcp/var/run				-d	system_u:object_r:var_run_t
+/chroot/dhcp/var/lib				-d	system_u:object_r:var_lib_t
+/chroot/dhcp/var/lib/dhcp			-d	system_u:object_r:dhcp_state_t
+/chroot/dhcp/var/lib/dhcp/dhcpd\.leases.*	--	system_u:object_r:dhcpd_state_t
+/chroot/dhcp/var/run/dhcp/dhcpd\.pid     	--	system_u:object_r:dhcpd_state_t
+')
+
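Review bot: `/var/run/dhcpd\.pid -d system_u:object_r:dhcpd_var_run_t` uses the directory specifier `-d` for a pid file, so a regular file at that path does not match the entry; every other pid file in this hunk uses `--`, and `/var/run/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t` looks like what was intended. Separately, in the gentoo chroot block `/chroot/dhcp/var/run/dhcp/dhcpd\.pid` is labeled dhcpd_state_t rather than dhcpd_var_run_t, unlike the non-chroot `/var/run/dhcp/dhcpd\.pid` entry a few lines above; if that is a typo, the chroot's pid file is treated like lease data. The two fixes are independent one-line changes.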
diff --git a/strict/file_contexts/program/dictd.fc b/strict/file_contexts/program/dictd.fc
new file mode 100644
index 0000000..75e4493
--- /dev/null
+++ b/strict/file_contexts/program/dictd.fc
@@ -0,0 +1,4 @@
+# dictd
+/etc/dictd\.conf		--	system_u:object_r:dictd_etc_t
+/usr/sbin/dictd		--	system_u:object_r:dictd_exec_t
+/var/lib/dictd(/.*)?		system_u:object_r:var_lib_dictd_t
diff --git a/strict/file_contexts/program/distcc.fc b/strict/file_contexts/program/distcc.fc
new file mode 100644
index 0000000..3ab9797
--- /dev/null
+++ b/strict/file_contexts/program/distcc.fc
@@ -0,0 +1,2 @@
+# distcc
+/usr/bin/distccd	--	system_u:object_r:distccd_exec_t
diff --git a/strict/file_contexts/program/dmesg.fc b/strict/file_contexts/program/dmesg.fc
new file mode 100644
index 0000000..2df5752
--- /dev/null
+++ b/strict/file_contexts/program/dmesg.fc
@@ -0,0 +1,2 @@
+# dmesg
+/bin/dmesg	--	system_u:object_r:dmesg_exec_t
diff --git a/strict/file_contexts/program/dnsmasq.fc b/strict/file_contexts/program/dnsmasq.fc
new file mode 100644
index 0000000..e1b1c35
--- /dev/null
+++ b/strict/file_contexts/program/dnsmasq.fc
@@ -0,0 +1,4 @@
+# dnsmasq
+/usr/sbin/dnsmasq		--	system_u:object_r:dnsmasq_exec_t
+/var/lib/misc/dnsmasq\.leases	--	system_u:object_r:dnsmasq_lease_t
+/var/run/dnsmasq\.pid		--	system_u:object_r:dnsmasq_var_run_t
diff --git a/strict/file_contexts/program/dovecot.fc b/strict/file_contexts/program/dovecot.fc
new file mode 100644
index 0000000..83fc652
--- /dev/null
+++ b/strict/file_contexts/program/dovecot.fc
@@ -0,0 +1,12 @@
+# for Dovecot POP and IMAP server
+/usr/sbin/dovecot		--	system_u:object_r:dovecot_exec_t
+ifdef(`distro_redhat', `
+/usr/libexec/dovecot/dovecot-auth --	system_u:object_r:dovecot_auth_exec_t
+')
+ifdef(`distro_debian', `
+/usr/lib/dovecot/dovecot-auth	--	system_u:object_r:dovecot_auth_exec_t
+')
+/usr/share/ssl/certs/dovecot\.pem --	system_u:object_r:dovecot_cert_t
+/usr/share/ssl/private/dovecot\.pem --	system_u:object_r:dovecot_cert_t
+/var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t
+/usr/lib(64)?/dovecot/.+	--		system_u:object_r:bin_t
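Review bot: `/usr/share/ssl/private/dovecot\.pem` and `/usr/share/ssl/certs/dovecot\.pem` receive the same dovecot_cert_t type, so any domain granted read access to the public certificate can read the private key as well. Whether dovecot.te distinguishes the two is not visible from this hunk, but a comment above these lines such as `# dovecot_cert_t covers the private key under ssl/private as well as the public cert` would make later read grants on that type deliberate rather than accidental.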
diff --git a/strict/file_contexts/program/dpkg.fc b/strict/file_contexts/program/dpkg.fc
new file mode 100644
index 0000000..44f0f2c
--- /dev/null
+++ b/strict/file_contexts/program/dpkg.fc
@@ -0,0 +1,50 @@
+# dpkg/dselect/apt
+/etc/apt(/.*)?			system_u:object_r:apt_etc_t
+/etc/apt/listbugs(/.*)?		system_u:object_r:apt_rw_etc_t
+/usr/bin/apt-cache	--	system_u:object_r:apt_exec_t
+/usr/bin/apt-config	--	system_u:object_r:apt_exec_t
+/usr/bin/apt-get	--	system_u:object_r:apt_exec_t
+/usr/bin/dpkg		--	system_u:object_r:dpkg_exec_t
+/usr/sbin/dpkg-reconfigure --	system_u:object_r:dpkg_exec_t
+/usr/bin/dselect	--	system_u:object_r:dpkg_exec_t
+/usr/bin/aptitude	--	system_u:object_r:dpkg_exec_t
+/usr/bin/update-menus	--	system_u:object_r:install_menu_exec_t
+/usr/lib(64)?/apt/methods/.+	--	system_u:object_r:apt_exec_t
+/usr/lib(64)?/man-db(/.*)?		system_u:object_r:bin_t
+/usr/lib(64)?/dpkg/.+	--	system_u:object_r:dpkg_exec_t
+/usr/sbin/dpkg-preconfigure --	system_u:object_r:dpkg_exec_t
+/usr/sbin/install-menu	--	system_u:object_r:install_menu_exec_t
+/usr/share/applnk(/.*)?		system_u:object_r:debian_menu_t
+/usr/share/debconf/.+	--	system_u:object_r:dpkg_exec_t
+/usr/share/debiandoc-sgml/saspconvert -- system_u:object_r:bin_t
+/usr/share/lintian/.+	--	system_u:object_r:bin_t
+/usr/share/kernel-package/.+ -- system_u:object_r:bin_t
+/usr/share/smartmontools/selftests -- system_u:object_r:bin_t
+/usr/share/bug/[^/]+	--	system_u:object_r:bin_t
+/var/cache/apt(/.*)?		system_u:object_r:var_cache_apt_t
+/var/cache/apt-listbugs(/.*)?	system_u:object_r:var_cache_apt_t
+/var/lib/apt(/.*)?		system_u:object_r:apt_var_lib_t
+/var/state/apt(/.*)?		system_u:object_r:apt_var_lib_t
+/var/lib/dpkg(/.*)?		system_u:object_r:dpkg_var_lib_t
+/var/lib/dpkg/(meth)?lock --	system_u:object_r:dpkg_lock_t
+/var/lib/kde(/.*)?		system_u:object_r:debian_menu_t
+/var/spool/kdeapplnk(/.*)?	system_u:object_r:debian_menu_t
+/var/cache/debconf(/.*)?	system_u:object_r:debconf_cache_t
+/etc/dpkg/.+		--	system_u:object_r:dpkg_etc_t
+/etc/menu-methods/.*	--	system_u:object_r:install_menu_exec_t
+/etc/kde2/.+\.sh	--	system_u:object_r:install_menu_exec_t
+/usr/share/console/getkmapchoice\.pl -- system_u:object_r:bin_t
+/var/run/update-menus\.pid --	system_u:object_r:install_menu_var_run_t
+/usr/share/dlint/digparse --	system_u:object_r:bin_t
+/usr/share/gimp/1\.2/user_install -- system_u:object_r:bin_t
+/usr/share/openoffice\.org-debian-files/install-hook -- system_u:object_r:bin_t
+/var/lib/defoma(/.*)?		system_u:object_r:fonts_t
+/usr/lib(64)?/doc-rfc/register-doc-rfc-docs -- system_u:object_r:bin_t
+/usr/share/intltool-debian/.* -- system_u:object_r:bin_t
+/usr/share/po-debconf/intltool-merge -- system_u:object_r:bin_t
+/usr/share/linuxdoc-tools/sgmlswhich -- system_u:object_r:bin_t
+/usr/share/shorewall/.*	--	system_u:object_r:bin_t
+/usr/share/reportbug/.*	--	system_u:object_r:bin_t
+/etc/network/ifstate.*	--	system_u:object_r:etc_runtime_t
+/usr/lib(64)?/gconf2/gconfd-2 --	system_u:object_r:bin_t
+/bin/mountpoint		--	system_u:object_r:fsadm_exec_t
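Review bot: `/bin/mountpoint -- system_u:object_r:fsadm_exec_t` and `/etc/network/ifstate.* -- system_u:object_r:etc_runtime_t` at the tail of dpkg.fc label paths unrelated to dpkg/apt, so a reader looking for the mountpoint entry will check fsadm.fc (also added by this commit) and not find it. Moving the mountpoint line into fsadm.fc, or adding a comment like `# misc Debian paths not covered by other .fc files` above this tail section, would make the grouping clear.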
diff --git a/strict/file_contexts/program/fetchmail.fc b/strict/file_contexts/program/fetchmail.fc
new file mode 100644
index 0000000..fe0fd08
--- /dev/null
+++ b/strict/file_contexts/program/fetchmail.fc
@@ -0,0 +1,5 @@
+# fetchmail
+/etc/fetchmailrc		--	system_u:object_r:fetchmail_etc_t
+/usr/bin/fetchmail		--	system_u:object_r:fetchmail_exec_t
+/var/run/fetchmail(/.*)?	--	system_u:object_r:fetchmail_var_run_t
+/var/mail/\.fetchmail-UIDL-cache --	system_u:object_r:fetchmail_uidl_cache_t
diff --git a/strict/file_contexts/program/fingerd.fc b/strict/file_contexts/program/fingerd.fc
new file mode 100644
index 0000000..59cc062
--- /dev/null
+++ b/strict/file_contexts/program/fingerd.fc
@@ -0,0 +1,6 @@
+# fingerd
+/usr/sbin/in\.fingerd	--	system_u:object_r:fingerd_exec_t
+/usr/sbin/[cef]fingerd	--	system_u:object_r:fingerd_exec_t
+/etc/cron\.weekly/(c)?fingerd -- system_u:object_r:fingerd_exec_t
+/etc/cfingerd(/.*)?		system_u:object_r:fingerd_etc_t
+/var/log/cfingerd\.log.* --	system_u:object_r:fingerd_log_t
diff --git a/strict/file_contexts/program/firstboot.fc b/strict/file_contexts/program/firstboot.fc
new file mode 100644
index 0000000..ae3179d
--- /dev/null
+++ b/strict/file_contexts/program/firstboot.fc
@@ -0,0 +1,4 @@
+# firstboot
+/usr/sbin/firstboot	-- system_u:object_r:firstboot_exec_t
+/usr/share/firstboot	system_u:object_r:firstboot_rw_t
+/usr/share/firstboot/firstboot\.py --	system_u:object_r:firstboot_exec_t
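Review bot: `/usr/share/firstboot system_u:object_r:firstboot_rw_t` has no `(/.*)?` suffix, so it matches only the directory itself and everything beneath it except `firstboot\.py` keeps the default label for /usr/share. If the contents are meant to be writable by firstboot, `/usr/share/firstboot(/.*)? system_u:object_r:firstboot_rw_t` is the usual form, with the `firstboot\.py` entry kept after it so the executable label still wins. If only the directory is intended, a short comment saying so would stop the next reader from "fixing" it.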
diff --git a/strict/file_contexts/program/fs_daemon.fc b/strict/file_contexts/program/fs_daemon.fc
new file mode 100644
index 0000000..19ac531
--- /dev/null
+++ b/strict/file_contexts/program/fs_daemon.fc
@@ -0,0 +1,4 @@
+# fs admin daemons
+/usr/sbin/smartd	--	system_u:object_r:fsdaemon_exec_t
+/var/run/smartd\.pid	--	system_u:object_r:fsdaemon_var_run_t
+/etc/smartd\.conf	--	system_u:object_r:etc_runtime_t
diff --git a/strict/file_contexts/program/fsadm.fc b/strict/file_contexts/program/fsadm.fc
new file mode 100644
index 0000000..f755f4a
--- /dev/null
+++ b/strict/file_contexts/program/fsadm.fc
@@ -0,0 +1,36 @@
+# fs admin utilities
+/sbin/fsck.*		--	system_u:object_r:fsadm_exec_t
+/sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t
+/sbin/e2fsck		--	system_u:object_r:fsadm_exec_t
+/sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t
+/sbin/dosfsck		--	system_u:object_r:fsadm_exec_t
+/sbin/reiserfs(ck|tune)	--	system_u:object_r:fsadm_exec_t
+/sbin/mkreiserfs	--	system_u:object_r:fsadm_exec_t
+/sbin/resize.*fs	--	system_u:object_r:fsadm_exec_t
+/sbin/e2label		--	system_u:object_r:fsadm_exec_t
+/sbin/findfs		--	system_u:object_r:fsadm_exec_t
+/sbin/mkfs		--	system_u:object_r:fsadm_exec_t
+/sbin/mke2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/mkswap		--	system_u:object_r:fsadm_exec_t
+/sbin/scsi_info		--	system_u:object_r:fsadm_exec_t
+/sbin/sfdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/cfdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/fdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/parted		--	system_u:object_r:fsadm_exec_t
+/sbin/tune2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/swapon.*		--	system_u:object_r:fsadm_exec_t
+/sbin/hdparm		--	system_u:object_r:fsadm_exec_t
+/sbin/raidstart		--	system_u:object_r:fsadm_exec_t
+/sbin/mkraid		--	system_u:object_r:fsadm_exec_t
+/sbin/blockdev		--	system_u:object_r:fsadm_exec_t
+/sbin/losetup.*		--	system_u:object_r:fsadm_exec_t
+/sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t
+/sbin/lsraid		--	system_u:object_r:fsadm_exec_t
+/usr/sbin/smartctl	--	system_u:object_r:fsadm_exec_t
+/sbin/install-mbr	--	system_u:object_r:fsadm_exec_t
+/usr/bin/scsi_unique_id	--	system_u:object_r:fsadm_exec_t
+/usr/bin/raw		--	system_u:object_r:fsadm_exec_t
+/sbin/partx		--	system_u:object_r:fsadm_exec_t
+/usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t
+/sbin/partprobe		--	system_u:object_r:fsadm_exec_t
diff --git a/strict/file_contexts/program/ftpd.fc b/strict/file_contexts/program/ftpd.fc
new file mode 100644
index 0000000..0260197
--- /dev/null
+++ b/strict/file_contexts/program/ftpd.fc
@@ -0,0 +1,15 @@
+# ftpd
+/usr/sbin/in\.ftpd	--	system_u:object_r:ftpd_exec_t
+/usr/sbin/proftpd	--	system_u:object_r:ftpd_exec_t
+/usr/sbin/muddleftpd	--	system_u:object_r:ftpd_exec_t
+/usr/sbin/ftpwho	--	system_u:object_r:ftpd_exec_t
+/usr/kerberos/sbin/ftpd	--	system_u:object_r:ftpd_exec_t
+/usr/sbin/vsftpd	--	system_u:object_r:ftpd_exec_t
+/etc/proftpd\.conf	--	system_u:object_r:ftpd_etc_t
+/var/run/proftpd/proftpd-inetd -- system_u:object_r:ftpd_var_run_t
+/var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t
+/var/log/muddleftpd\.log.* --	system_u:object_r:xferlog_t
+/var/log/xferlog.*	--	system_u:object_r:xferlog_t
+/var/log/xferreport.*	--	system_u:object_r:xferlog_t
+/etc/cron\.monthly/proftpd --	system_u:object_r:ftpd_exec_t
+/var/ftp(/.*)?			system_u:object_r:ftpd_anon_t
diff --git a/strict/file_contexts/program/games.fc b/strict/file_contexts/program/games.fc
new file mode 100644
index 0000000..a4ab933
--- /dev/null
+++ b/strict/file_contexts/program/games.fc
@@ -0,0 +1,56 @@
+#  games
+/usr/lib(64)?/games/.* 	--	system_u:object_r:games_exec_t
+/var/games(/.*)?		system_u:object_r:games_data_t
+/usr/games/.*		--	system_u:object_r:games_exec_t
+/var/lib/games(/.*)? 		system_u:object_r:games_data_t
+/usr/bin/micq		--	system_u:object_r:games_exec_t
+/usr/bin/blackjack	--	system_u:object_r:games_exec_t
+/usr/bin/gataxx		--	system_u:object_r:games_exec_t
+/usr/bin/glines		--	system_u:object_r:games_exec_t
+/usr/bin/gnect		--	system_u:object_r:games_exec_t
+/usr/bin/gnibbles	--	system_u:object_r:games_exec_t
+/usr/bin/gnobots2	--	system_u:object_r:games_exec_t
+/usr/bin/gnome-stones	--	system_u:object_r:games_exec_t
+/usr/bin/gnomine	--	system_u:object_r:games_exec_t
+/usr/bin/gnotravex	--	system_u:object_r:games_exec_t
+/usr/bin/gnotski	--	system_u:object_r:games_exec_t
+/usr/bin/gtali		--	system_u:object_r:games_exec_t
+/usr/bin/iagno		--	system_u:object_r:games_exec_t
+/usr/bin/mahjongg	--	system_u:object_r:games_exec_t
+/usr/bin/same-gnome	--	system_u:object_r:games_exec_t
+/usr/bin/sol		--	system_u:object_r:games_exec_t
+/usr/bin/atlantik	--	system_u:object_r:games_exec_t
+/usr/bin/kasteroids	--	system_u:object_r:games_exec_t
+/usr/bin/katomic	--	system_u:object_r:games_exec_t
+/usr/bin/kbackgammon	--	system_u:object_r:games_exec_t
+/usr/bin/kbattleship	--	system_u:object_r:games_exec_t
+/usr/bin/kblackbox	--	system_u:object_r:games_exec_t
+/usr/bin/kbounce	--	system_u:object_r:games_exec_t
+/usr/bin/kenolaba	--	system_u:object_r:games_exec_t
+/usr/bin/kfouleggs	--	system_u:object_r:games_exec_t
+/usr/bin/kgoldrunner	--	system_u:object_r:games_exec_t
+/usr/bin/kjumpingcube	--	system_u:object_r:games_exec_t
+/usr/bin/klickety	--	system_u:object_r:games_exec_t
+/usr/bin/klines		--	system_u:object_r:games_exec_t
+/usr/bin/kmahjongg	--	system_u:object_r:games_exec_t
+/usr/bin/kmines		--	system_u:object_r:games_exec_t
+/usr/bin/kolf		--	system_u:object_r:games_exec_t
+/usr/bin/konquest	--	system_u:object_r:games_exec_t
+/usr/bin/kpat		--	system_u:object_r:games_exec_t
+/usr/bin/kpoker		--	system_u:object_r:games_exec_t
+/usr/bin/kreversi	--	system_u:object_r:games_exec_t
+/usr/bin/ksame		--	system_u:object_r:games_exec_t
+/usr/bin/kshisen	--	system_u:object_r:games_exec_t
+/usr/bin/ksirtet	--	system_u:object_r:games_exec_t
+/usr/bin/ksmiletris	--	system_u:object_r:games_exec_t
+/usr/bin/ksnake		--	system_u:object_r:games_exec_t
+/usr/bin/ksokoban	--	system_u:object_r:games_exec_t
+/usr/bin/kspaceduel	--	system_u:object_r:games_exec_t
+/usr/bin/ktron		--	system_u:object_r:games_exec_t
+/usr/bin/ktuberling	--	system_u:object_r:games_exec_t
+/usr/bin/kwin4		--	system_u:object_r:games_exec_t
+/usr/bin/kwin4proc	--	system_u:object_r:games_exec_t
+/usr/bin/lskat		--	system_u:object_r:games_exec_t
+/usr/bin/lskatproc	--	system_u:object_r:games_exec_t
+/usr/bin/Maelstrom	--	system_u:object_r:games_exec_t
+
diff --git a/strict/file_contexts/program/gatekeeper.fc b/strict/file_contexts/program/gatekeeper.fc
new file mode 100644
index 0000000..e51491a
--- /dev/null
+++ b/strict/file_contexts/program/gatekeeper.fc
@@ -0,0 +1,7 @@
+# gatekeeper
+/etc/gatekeeper\.ini	--	system_u:object_r:gatekeeper_etc_t
+/usr/sbin/gk		--	system_u:object_r:gatekeeper_exec_t
+/usr/sbin/gnugk		--	system_u:object_r:gatekeeper_exec_t
+/var/run/gk\.pid	--	system_u:object_r:gatekeeper_var_run_t
+/var/run/gnugk(/.*)?		system_u:object_r:gatekeeper_var_run_t
+/var/log/gnugk(/.*)?		system_u:object_r:gatekeeper_log_t
diff --git a/strict/file_contexts/program/getty.fc b/strict/file_contexts/program/getty.fc
new file mode 100644
index 0000000..f908221
--- /dev/null
+++ b/strict/file_contexts/program/getty.fc
@@ -0,0 +1,3 @@
+# getty
+/sbin/.*getty		--	system_u:object_r:getty_exec_t
+/etc/mgetty(/.*)?		system_u:object_r:getty_etc_t
diff --git a/strict/file_contexts/program/gift.fc b/strict/file_contexts/program/gift.fc
new file mode 100644
index 0000000..88ed5f2
--- /dev/null
+++ b/strict/file_contexts/program/gift.fc
@@ -0,0 +1,5 @@
+/usr/(local/)?bin/giftd	--	system_u:object_r:giftd_exec_t
+/usr/(local/)?bin/giftui	-- 	system_u:object_r:gift_exec_t
+/usr/(local/)?bin/giFToxic	--	system_u:object_r:gift_exec_t
+/usr/(local/)?bin/apollon	-- 	system_u:object_r:gift_exec_t
+HOME_DIR/\.giFT(/.*)?		system_u:object_r:ROLE_gift_home_t
diff --git a/strict/file_contexts/program/gnome-pty-helper.fc b/strict/file_contexts/program/gnome-pty-helper.fc
new file mode 100644
index 0000000..24a0b1b
--- /dev/null
+++ b/strict/file_contexts/program/gnome-pty-helper.fc
@@ -0,0 +1,3 @@
+# gnome-pty-helper
+/usr/sbin/gnome-pty-helper --	system_u:object_r:gph_exec_t
+/usr/lib(64)?/vte/gnome-pty-helper --	system_u:object_r:gph_exec_t
diff --git a/strict/file_contexts/program/gpg-agent.fc b/strict/file_contexts/program/gpg-agent.fc
new file mode 100644
index 0000000..bb25b63
--- /dev/null
+++ b/strict/file_contexts/program/gpg-agent.fc
@@ -0,0 +1,3 @@
+# gpg-agent
+/usr/bin/gpg-agent	--	system_u:object_r:gpg_agent_exec_t
+/usr/bin/pinentry.*	--	system_u:object_r:pinentry_exec_t
diff --git a/strict/file_contexts/program/gpg.fc b/strict/file_contexts/program/gpg.fc
new file mode 100644
index 0000000..1cc9508
--- /dev/null
+++ b/strict/file_contexts/program/gpg.fc
@@ -0,0 +1,5 @@
+# gpg
+HOME_DIR/\.gnupg(/.+)?	system_u:object_r:ROLE_gpg_secret_t
+/usr/bin/gpg		--	system_u:object_r:gpg_exec_t
+/usr/bin/kgpg		--	system_u:object_r:gpg_exec_t
+/usr/lib/gnupg/gpgkeys.*	--	system_u:object_r:gpg_helper_exec_t
diff --git a/strict/file_contexts/program/gpm.fc b/strict/file_contexts/program/gpm.fc
new file mode 100644
index 0000000..b681881
--- /dev/null
+++ b/strict/file_contexts/program/gpm.fc
@@ -0,0 +1,5 @@
+# gpm
+/dev/gpmctl		-s	system_u:object_r:gpmctl_t
+/dev/gpmdata		-p	system_u:object_r:gpmctl_t
+/usr/sbin/gpm		--	system_u:object_r:gpm_exec_t
+/etc/gpm(/.*)?			system_u:object_r:gpm_conf_t
diff --git a/strict/file_contexts/program/groupadd.fc b/strict/file_contexts/program/groupadd.fc
new file mode 100644
index 0000000..e69de29
diff --git a/strict/file_contexts/program/hald.fc b/strict/file_contexts/program/hald.fc
new file mode 100644
index 0000000..ca142cf
--- /dev/null
+++ b/strict/file_contexts/program/hald.fc
@@ -0,0 +1,6 @@
+# hald - hardware information daemon
+/usr/sbin/hald		--	system_u:object_r:hald_exec_t
+/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t
+/etc/hal/device\.d/printer_remove\.hal -- system_u:object_r:hald_exec_t
+/etc/hal/capability\.d/printer_update\.hal -- system_u:object_r:hald_exec_t
+/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/hostname.fc b/strict/file_contexts/program/hostname.fc
new file mode 100644
index 0000000..685e74e
--- /dev/null
+++ b/strict/file_contexts/program/hostname.fc
@@ -0,0 +1 @@
+/bin/hostname		--	system_u:object_r:hostname_exec_t
diff --git a/strict/file_contexts/program/hotplug.fc b/strict/file_contexts/program/hotplug.fc
new file mode 100644
index 0000000..78f844b
--- /dev/null
+++ b/strict/file_contexts/program/hotplug.fc
@@ -0,0 +1,13 @@
+# hotplug
+/etc/hotplug(/.*)?		system_u:object_r:hotplug_etc_t
+/sbin/hotplug		--	system_u:object_r:hotplug_exec_t
+/sbin/netplugd		--	system_u:object_r:hotplug_exec_t
+/etc/hotplug\.d/.*	--	system_u:object_r:hotplug_exec_t
+/etc/hotplug\.d/default/default.* system_u:object_r:sbin_t
+/etc/netplug\.d(/.*)? 	 	system_u:object_r:sbin_t
+/etc/hotplug/.*agent	--	system_u:object_r:sbin_t
+/etc/hotplug/.*rc	-- 	system_u:object_r:sbin_t
+/etc/hotplug/hotplug\.functions --	system_u:object_r:sbin_t
+/var/run/usb(/.*)?		system_u:object_r:hotplug_var_run_t
+/var/run/hotplug(/.*)?		system_u:object_r:hotplug_var_run_t
+/etc/hotplug/firmware.agent	--	system_u:object_r:hotplug_exec_t
diff --git a/strict/file_contexts/program/howl.fc b/strict/file_contexts/program/howl.fc
new file mode 100644
index 0000000..bbdb03f
--- /dev/null
+++ b/strict/file_contexts/program/howl.fc
@@ -0,0 +1,3 @@
+/usr/bin/nifd	--	system_u:object_r:howl_exec_t
+/usr/bin/mDNSResponder	--	system_u:object_r:howl_exec_t
+/var/run/nifd\.pid --	system_u:object_r:howl_var_run_t
diff --git a/strict/file_contexts/program/hwclock.fc b/strict/file_contexts/program/hwclock.fc
new file mode 100644
index 0000000..2193e15
--- /dev/null
+++ b/strict/file_contexts/program/hwclock.fc
@@ -0,0 +1,3 @@
+# hwclock
+/sbin/hwclock		--	system_u:object_r:hwclock_exec_t
+/etc/adjtime		--	system_u:object_r:adjtime_t
diff --git a/strict/file_contexts/program/i18n_input.fc b/strict/file_contexts/program/i18n_input.fc
new file mode 100644
index 0000000..41379d0
--- /dev/null
+++ b/strict/file_contexts/program/i18n_input.fc
@@ -0,0 +1,7 @@
+# i18n_input.fc
+/usr/sbin/htt                   --     system_u:object_r:i18n_input_exec_t
+/usr/sbin/htt_server            --     system_u:object_r:i18n_input_exec_t
+/usr/bin/httx                   --     system_u:object_r:i18n_input_exec_t
+/usr/bin/htt_xbe                --     system_u:object_r:i18n_input_exec_t
+/usr/lib(64)?/im/.*\.so.*       --     system_u:object_r:shlib_t
+/var/run/iiim(/.*)?		       system_u:object_r:i18n_input_var_run_t
diff --git a/strict/file_contexts/program/ifconfig.fc b/strict/file_contexts/program/ifconfig.fc
new file mode 100644
index 0000000..547558e
--- /dev/null
+++ b/strict/file_contexts/program/ifconfig.fc
@@ -0,0 +1,12 @@
+# ifconfig
+/sbin/ifconfig		--	system_u:object_r:ifconfig_exec_t
+/sbin/iwconfig		--	system_u:object_r:ifconfig_exec_t
+/sbin/ip		--	system_u:object_r:ifconfig_exec_t
+/sbin/tc		--	system_u:object_r:ifconfig_exec_t
+/usr/sbin/tc		--	system_u:object_r:ifconfig_exec_t
+/bin/ip			--	system_u:object_r:ifconfig_exec_t
+/sbin/ethtool		--	system_u:object_r:ifconfig_exec_t
+/sbin/mii-tool		--	system_u:object_r:ifconfig_exec_t
+/sbin/ipx_interface	--	system_u:object_r:ifconfig_exec_t
+/sbin/ipx_configure	--	system_u:object_r:ifconfig_exec_t
+/sbin/ipx_internal_net	--	system_u:object_r:ifconfig_exec_t
diff --git a/strict/file_contexts/program/imazesrv.fc b/strict/file_contexts/program/imazesrv.fc
new file mode 100644
index 0000000..dae194e
--- /dev/null
+++ b/strict/file_contexts/program/imazesrv.fc
@@ -0,0 +1,4 @@
+#  imazesrv
+/usr/share/games/imaze(/.*)?	system_u:object_r:imazesrv_data_t
+/usr/games/imazesrv --	system_u:object_r:imazesrv_exec_t
+/var/log/imaze\.log --	system_u:object_r:imazesrv_log_t
diff --git a/strict/file_contexts/program/inetd.fc b/strict/file_contexts/program/inetd.fc
new file mode 100644
index 0000000..64b8c6c
--- /dev/null
+++ b/strict/file_contexts/program/inetd.fc
@@ -0,0 +1,8 @@
+# inetd
+/usr/sbin/inetd		--	system_u:object_r:inetd_exec_t
+/usr/sbin/xinetd	--	system_u:object_r:inetd_exec_t
+/usr/sbin/rlinetd	--	system_u:object_r:inetd_exec_t
+/usr/sbin/identd	--	system_u:object_r:inetd_child_exec_t
+/usr/sbin/in\..*d	--	system_u:object_r:inetd_child_exec_t
+/var/log/(x)?inetd\.log	--	system_u:object_r:inetd_log_t
+/var/run/inetd\.pid	--	system_u:object_r:inetd_var_run_t
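Review bot: `/usr/sbin/in\..*d -- system_u:object_r:inetd_child_exec_t` also matches `/usr/sbin/in\.ftpd` and `/usr/sbin/in\.fingerd`, which ftpd.fc and fingerd.fc in this same commit label ftpd_exec_t and fingerd_exec_t. Which label wins depends on the order the build concatenates the per-program files and on the last-match rule, neither of which is visible here; if inetd.fc sorts after those files, the specific entries are shadowed and those daemons run in the generic inetd child domain. A comment on this line noting that more specific `in.*d` entries must come after it, or narrowing the pattern to the daemons it is meant to cover, would make the dependency explicit.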
diff --git a/strict/file_contexts/program/init.fc b/strict/file_contexts/program/init.fc
new file mode 100644
index 0000000..6342ad4
--- /dev/null
+++ b/strict/file_contexts/program/init.fc
@@ -0,0 +1,3 @@
+# init
+/dev/initctl		-p	system_u:object_r:initctl_t
+/sbin/init		--	system_u:object_r:init_exec_t
diff --git a/strict/file_contexts/program/initrc.fc b/strict/file_contexts/program/initrc.fc
new file mode 100644
index 0000000..b23d55e
--- /dev/null
+++ b/strict/file_contexts/program/initrc.fc
@@ -0,0 +1,39 @@
+# init rc scripts
+ifdef(`targeted_policy', `
+/etc/X11/prefdm              --      system_u:object_r:bin_t
+', `
+/etc/X11/prefdm              --      system_u:object_r:initrc_exec_t
+')
+/etc/rc\.d/rc		--	system_u:object_r:initrc_exec_t
+/etc/rc\.d/rc\.sysinit	--	system_u:object_r:initrc_exec_t
+/etc/rc\.d/rc\.local	--	system_u:object_r:initrc_exec_t
+/etc/rc\.d/init\.d/.*	--	system_u:object_r:initrc_exec_t
+/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t
+/etc/init\.d/.*		--	system_u:object_r:initrc_exec_t
+/etc/init\.d/functions	--	system_u:object_r:etc_t
+/var/run/utmp		--	system_u:object_r:initrc_var_run_t
+/var/run/runlevel\.dir		system_u:object_r:initrc_var_run_t
+/var/run/random-seed	--	system_u:object_r:initrc_var_run_t
+/var/run/setmixer_flag	--	system_u:object_r:initrc_var_run_t
+ifdef(`distro_suse', `
+/var/run/sysconfig(/.*)?	system_u:object_r:initrc_var_run_t
+/var/run/keymap		--	system_u:object_r:initrc_var_run_t
+/var/run/numlock-on	--	system_u:object_r:initrc_var_run_t
+')
+
+ifdef(`distro_gentoo', `
+/sbin/rc		--	system_u:object_r:initrc_exec_t
+/sbin/runscript		--      system_u:object_r:initrc_exec_t
+/sbin/runscript\.sh	--	system_u:object_r:initrc_exec_t
+/var/lib/init\.d(/.*)?		system_u:object_r:initrc_state_t
+')
+
+# run_init
+/usr/sbin/run_init	--	system_u:object_r:run_init_exec_t
+/usr/sbin/open_init_pty	--	system_u:object_r:initrc_exec_t
+/etc/nologin.*		--	system_u:object_r:etc_runtime_t
+/etc/nohotplug		--	system_u:object_r:etc_runtime_t
+ifdef(`distro_redhat', `
+/halt			--	system_u:object_r:etc_runtime_t
+/\.autofsck		--	system_u:object_r:etc_runtime_t
+')
diff --git a/strict/file_contexts/program/innd.fc b/strict/file_contexts/program/innd.fc
new file mode 100644
index 0000000..f0413f9
--- /dev/null
+++ b/strict/file_contexts/program/innd.fc
@@ -0,0 +1,49 @@
+# innd
+/usr/sbin/innd.*	--	system_u:object_r:innd_exec_t
+/usr/bin/rpost          --      system_u:object_r:innd_exec_t
+/usr/bin/suck           --      system_u:object_r:innd_exec_t
+/var/run/innd(/.*)?		system_u:object_r:innd_var_run_t
+/etc/news(/.*)?			system_u:object_r:innd_etc_t
+/etc/news/boot		--	system_u:object_r:innd_exec_t
+/var/spool/news(/.*)?		system_u:object_r:news_spool_t
+/var/log/news(/.*)?		system_u:object_r:innd_log_t
+/var/lib/news(/.*)?		system_u:object_r:innd_var_lib_t
+/var/run/news(/.*)?	 	system_u:object_r:innd_var_run_t
+/usr/sbin/in\.nnrpd	--	system_u:object_r:innd_exec_t
+/usr/bin/inews		--	system_u:object_r:innd_exec_t
+/usr/bin/rnews		--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin(/.*)?		system_u:object_r:bin_t
+/usr/lib(64)?/news/bin/innd 	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/actsync	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/archive	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/batcher	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/buffchan	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/convdate	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/ctlinnd	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/cvtbatch	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/expire	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/expireover	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/fastrm	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/filechan	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/getlist	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/grephistory	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/inews	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/innconfval	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/inndf	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/inndstart	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/innfeed	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/innxbatch	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/innxmit	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/makedbz	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/makehistory	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/newsrequeue	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/nnrpd	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/nntpget	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/ovdb_recover	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/overchan	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/prunehistory	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/rnews	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/shlock	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/shrinkfile	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/sm	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/startinnfeed	--	system_u:object_r:innd_exec_t
diff --git a/strict/file_contexts/program/ipsec.fc b/strict/file_contexts/program/ipsec.fc
new file mode 100644
index 0000000..7df06bb
--- /dev/null
+++ b/strict/file_contexts/program/ipsec.fc
@@ -0,0 +1,31 @@
+# IPSEC utilities and daemon.
+
+/etc/ipsec\.secrets	--	system_u:object_r:ipsec_key_file_t
+/etc/ipsec\.conf	--	system_u:object_r:ipsec_conf_file_t
+/etc/ipsec\.d(/.*)?		system_u:object_r:ipsec_key_file_t
+/etc/ipsec\.d/examples(/.*)?		system_u:object_r:etc_t
+/usr/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t
+/usr/lib(64)?/ipsec/_plutoload -- 	system_u:object_r:ipsec_mgmt_exec_t
+/usr/lib(64)?/ipsec/_plutorun  --	system_u:object_r:ipsec_mgmt_exec_t
+/usr/local/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t
+/usr/libexec/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
+/usr/lib(64)?/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
+/usr/local/lib(64)?/ipsec/eroute --	system_u:object_r:ipsec_exec_t
+/usr/libexec/ipsec/klipsdebug	--	system_u:object_r:ipsec_exec_t
+/usr/lib(64)?/ipsec/klipsdebug --	system_u:object_r:ipsec_exec_t
+/usr/local/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t
+/usr/libexec/ipsec/pluto	--	system_u:object_r:ipsec_exec_t
+/usr/lib(64)?/ipsec/pluto	--	system_u:object_r:ipsec_exec_t
+/usr/local/lib(64)?/ipsec/pluto --	system_u:object_r:ipsec_exec_t
+/usr/libexec/ipsec/spi	--	system_u:object_r:ipsec_exec_t
+/usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t
+/usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t
+/var/run/pluto(/.*)?		system_u:object_r:ipsec_var_run_t
+
+# Kame
+/usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t
+/usr/sbin/setkey	--	system_u:object_r:ipsec_exec_t
+/sbin/setkey		--	system_u:object_r:ipsec_exec_t
+/etc/racoon(/.*)?		system_u:object_r:ipsec_conf_file_t
+/etc/racoon/certs(/.*)?	system_u:object_r:ipsec_key_file_t
+/etc/racoon/psk\.txt	--	system_u:object_r:ipsec_key_file_t
diff --git a/strict/file_contexts/program/iptables.fc b/strict/file_contexts/program/iptables.fc
new file mode 100644
index 0000000..3dcde2e
--- /dev/null
+++ b/strict/file_contexts/program/iptables.fc
@@ -0,0 +1,8 @@
+# iptables
+/sbin/ipchains.*	--	system_u:object_r:iptables_exec_t
+/sbin/iptables.* 	--	system_u:object_r:iptables_exec_t
+/sbin/ip6tables.*	--	system_u:object_r:iptables_exec_t
+/usr/sbin/ipchains.*	--	system_u:object_r:iptables_exec_t
+/usr/sbin/iptables.* 	--	system_u:object_r:iptables_exec_t
+/usr/sbin/ip6tables.*	--	system_u:object_r:iptables_exec_t
+
diff --git a/strict/file_contexts/program/irc.fc b/strict/file_contexts/program/irc.fc
new file mode 100644
index 0000000..5086de7
--- /dev/null
+++ b/strict/file_contexts/program/irc.fc
@@ -0,0 +1,5 @@
+# irc clients
+/usr/bin/[st]irc	--	system_u:object_r:irc_exec_t
+/usr/bin/ircII		--	system_u:object_r:irc_exec_t
+/usr/bin/tinyirc	--	system_u:object_r:irc_exec_t
+HOME_DIR/\.ircmotd	--	system_u:object_r:ROLE_home_irc_t
diff --git a/strict/file_contexts/program/ircd.fc b/strict/file_contexts/program/ircd.fc
new file mode 100644
index 0000000..2ef668c
--- /dev/null
+++ b/strict/file_contexts/program/ircd.fc
@@ -0,0 +1,6 @@
+# ircd - irc server
+/usr/sbin/(dancer-)?ircd --	system_u:object_r:ircd_exec_t
+/etc/(dancer-)?ircd(/.*)?	system_u:object_r:ircd_etc_t
+/var/log/(dancer-)?ircd(/.*)?	system_u:object_r:ircd_log_t
+/var/lib/dancer-ircd(/.*)?	system_u:object_r:ircd_var_lib_t
+/var/run/dancer-ircd(/.*)?	system_u:object_r:ircd_var_run_t
diff --git a/strict/file_contexts/program/irqbalance.fc b/strict/file_contexts/program/irqbalance.fc
new file mode 100644
index 0000000..c849491
--- /dev/null
+++ b/strict/file_contexts/program/irqbalance.fc
@@ -0,0 +1,2 @@
+# irqbalance
+/usr/sbin/irqbalance	-- system_u:object_r:irqbalance_exec_t
diff --git a/strict/file_contexts/program/jabberd.fc b/strict/file_contexts/program/jabberd.fc
new file mode 100644
index 0000000..c614cb8
--- /dev/null
+++ b/strict/file_contexts/program/jabberd.fc
@@ -0,0 +1,4 @@
+# jabberd
+/usr/sbin/jabberd	--	system_u:object_r:jabberd_exec_t
+/var/lib/jabber(/.*)?		system_u:object_r:jabberd_var_lib_t
+/var/log/jabber(/.*)?		system_u:object_r:jabberd_log_t
diff --git a/strict/file_contexts/program/java.fc b/strict/file_contexts/program/java.fc
new file mode 100644
index 0000000..8edf85b
--- /dev/null
+++ b/strict/file_contexts/program/java.fc
@@ -0,0 +1,2 @@
+#  java
+/usr(/.*)?/bin/java.* --	system_u:object_r:java_exec_t
diff --git a/strict/file_contexts/program/kerberos.fc b/strict/file_contexts/program/kerberos.fc
new file mode 100644
index 0000000..06adff4
--- /dev/null
+++ b/strict/file_contexts/program/kerberos.fc
@@ -0,0 +1,11 @@
+# MIT Kerberos krbkdc, kadmind
+/etc/krb5\.keytab       		system_u:object_r:krb5_keytab_t
+/usr(/local)?(/kerberos)?/sbin/krb5kdc --	system_u:object_r:krb5kdc_exec_t
+/usr(/local)?(/kerberos)?/sbin/kadmind --	system_u:object_r:kadmind_exec_t
+/var/kerberos/krb5kdc(/.*)?		system_u:object_r:krb5kdc_conf_t
+/usr/local/var/krb5kdc(/.*)?		system_u:object_r:krb5kdc_conf_t
+/var/kerberos/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t
+/usr/local/var/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t
+/var/log/krb5kdc\.log			system_u:object_r:krb5kdc_log_t
+/var/log/kadmind\.log			system_u:object_r:kadmind_log_t
+/usr(/local)?/bin/ksu		--	system_u:object_r:su_exec_t
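Review bot: `/usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t` folds the Kerberized su into the plain su program type, which is the only entry in this file that does not get a kerberos-specific type, and nothing here says that is deliberate. A one-line comment above it, `# ksu is deliberately labeled as su; it presumably shares su's domain transition and permissions`, would stop a later reader from "fixing" it into a kadmind/krb5kdc type. Separately, everything under `/var/kerberos/krb5kdc(/.*)?` that does not match `principal.*` is left at the generic `krb5kdc_conf_t`, so any KDC secret stored beside the principal database (a master-key stash, if one is used) carries the same label as ordinary KDC configuration; if that is intended, a comment saying so would help.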
diff --git a/strict/file_contexts/program/klogd.fc b/strict/file_contexts/program/klogd.fc
new file mode 100644
index 0000000..c06679d
--- /dev/null
+++ b/strict/file_contexts/program/klogd.fc
@@ -0,0 +1,4 @@
+# klogd
+/sbin/klogd		--	system_u:object_r:klogd_exec_t
+/usr/sbin/klogd		--	system_u:object_r:klogd_exec_t
+/var/run/klogd\.pid	--	system_u:object_r:klogd_var_run_t
diff --git a/strict/file_contexts/program/ktalkd.fc b/strict/file_contexts/program/ktalkd.fc
new file mode 100644
index 0000000..525c7a2
--- /dev/null
+++ b/strict/file_contexts/program/ktalkd.fc
@@ -0,0 +1,2 @@
+# kde talk daemon 
+/usr/bin/ktalkd	--	system_u:object_r:ktalkd_exec_t
diff --git a/strict/file_contexts/program/kudzu.fc b/strict/file_contexts/program/kudzu.fc
new file mode 100644
index 0000000..eed8191
--- /dev/null
+++ b/strict/file_contexts/program/kudzu.fc
@@ -0,0 +1,3 @@
+# kudzu
+/usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
+/sbin/kmodule	--	system_u:object_r:kudzu_exec_t
diff --git a/strict/file_contexts/program/lcd.fc b/strict/file_contexts/program/lcd.fc
new file mode 100644
index 0000000..4294d44
--- /dev/null
+++ b/strict/file_contexts/program/lcd.fc
@@ -0,0 +1,2 @@
+# lcd
+/usr/sbin/lcd.*		--	system_u:object_r:lcd_exec_t
diff --git a/strict/file_contexts/program/ldconfig.fc b/strict/file_contexts/program/ldconfig.fc
new file mode 100644
index 0000000..040a60a
--- /dev/null
+++ b/strict/file_contexts/program/ldconfig.fc
@@ -0,0 +1 @@
+/sbin/ldconfig		--	system_u:object_r:ldconfig_exec_t
diff --git a/strict/file_contexts/program/load_policy.fc b/strict/file_contexts/program/load_policy.fc
new file mode 100644
index 0000000..5a8981c
--- /dev/null
+++ b/strict/file_contexts/program/load_policy.fc
@@ -0,0 +1,3 @@
+# load_policy
+/usr/sbin/load_policy		--	system_u:object_r:load_policy_exec_t
+/sbin/load_policy		--	system_u:object_r:load_policy_exec_t
diff --git a/strict/file_contexts/program/loadkeys.fc b/strict/file_contexts/program/loadkeys.fc
new file mode 100644
index 0000000..f440f3c
--- /dev/null
+++ b/strict/file_contexts/program/loadkeys.fc
@@ -0,0 +1,3 @@
+# loadkeys
+/bin/unikeys		--	system_u:object_r:loadkeys_exec_t
+/bin/loadkeys		--	system_u:object_r:loadkeys_exec_t
diff --git a/strict/file_contexts/program/lockdev.fc b/strict/file_contexts/program/lockdev.fc
new file mode 100644
index 0000000..9185bec
--- /dev/null
+++ b/strict/file_contexts/program/lockdev.fc
@@ -0,0 +1,2 @@
+# lockdev 
+/usr/sbin/lockdev	--	system_u:object_r:lockdev_exec_t
diff --git a/strict/file_contexts/program/login.fc b/strict/file_contexts/program/login.fc
new file mode 100644
index 0000000..2f0ea0c
--- /dev/null
+++ b/strict/file_contexts/program/login.fc
@@ -0,0 +1,3 @@
+# login
+/bin/login		--	system_u:object_r:login_exec_t
+/usr/kerberos/sbin/login\.krb5	--	system_u:object_r:login_exec_t
diff --git a/strict/file_contexts/program/logrotate.fc b/strict/file_contexts/program/logrotate.fc
new file mode 100644
index 0000000..a7c9ea3
--- /dev/null
+++ b/strict/file_contexts/program/logrotate.fc
@@ -0,0 +1,13 @@
+# logrotate
+/usr/sbin/logrotate	--	system_u:object_r:logrotate_exec_t
+/usr/sbin/logcheck	--	system_u:object_r:logrotate_exec_t
+ifdef(`distro_debian', `
+/usr/bin/savelog	--	system_u:object_r:logrotate_exec_t
+/var/lib/logrotate(/.*)?	system_u:object_r:logrotate_var_lib_t
+', `
+/var/lib/logrotate\.status --	system_u:object_r:logrotate_var_lib_t
+')
+/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t
+/var/lib/logcheck(/.*)?		system_u:object_r:logrotate_var_lib_t
+# using a hard-coded name under /var/tmp is a bug - new version fixes it
+/var/tmp/logcheck	-d	system_u:object_r:logrotate_tmp_t
diff --git a/strict/file_contexts/program/lpd.fc b/strict/file_contexts/program/lpd.fc
new file mode 100644
index 0000000..eb9f8d9
--- /dev/null
+++ b/strict/file_contexts/program/lpd.fc
@@ -0,0 +1,8 @@
+# lpd
+/dev/printer		-s	system_u:object_r:printer_t
+/usr/sbin/lpd		--	system_u:object_r:lpd_exec_t
+/usr/sbin/checkpc	--	system_u:object_r:checkpc_exec_t
+/var/spool/lpd(/.*)?		system_u:object_r:print_spool_t
+/usr/share/printconf/.* --	system_u:object_r:printconf_t
+/usr/share/printconf/util/print\.py -- system_u:object_r:bin_t
+/var/run/lprng(/.*)?		system_u:object_r:lpd_var_run_t
diff --git a/strict/file_contexts/program/lpr.fc b/strict/file_contexts/program/lpr.fc
new file mode 100644
index 0000000..618ddcc
--- /dev/null
+++ b/strict/file_contexts/program/lpr.fc
@@ -0,0 +1,4 @@
+# lp utilities.
+/usr/bin/lpr(\.cups)?	--	system_u:object_r:lpr_exec_t
+/usr/bin/lpq(\.cups)?	--	system_u:object_r:lpr_exec_t
+/usr/bin/lprm(\.cups)?	--	system_u:object_r:lpr_exec_t
diff --git a/strict/file_contexts/program/lrrd.fc b/strict/file_contexts/program/lrrd.fc
new file mode 100644
index 0000000..08494fc
--- /dev/null
+++ b/strict/file_contexts/program/lrrd.fc
@@ -0,0 +1,10 @@
+# lrrd
+/usr/bin/lrrd-.*		--	system_u:object_r:lrrd_exec_t
+/usr/sbin/lrrd-.*		--	system_u:object_r:lrrd_exec_t
+/usr/share/lrrd/lrrd-.*		--	system_u:object_r:lrrd_exec_t
+/usr/share/lrrd/plugins/.*	--	system_u:object_r:lrrd_exec_t
+/var/run/lrrd(/.*)?			system_u:object_r:lrrd_var_run_t
+/var/log/lrrd.*			--	system_u:object_r:lrrd_log_t
+/var/lib/lrrd(/.*)?			system_u:object_r:lrrd_var_lib_t
+/var/www/lrrd(/.*)?			system_u:object_r:lrrd_var_lib_t
+/etc/lrrd(/.*)?				system_u:object_r:lrrd_etc_t
diff --git a/strict/file_contexts/program/lvm.fc b/strict/file_contexts/program/lvm.fc
new file mode 100644
index 0000000..fc65c44
--- /dev/null
+++ b/strict/file_contexts/program/lvm.fc
@@ -0,0 +1,67 @@
+# lvm
+/sbin/lvmiopversion	--	system_u:object_r:lvm_exec_t
+/etc/lvm(/.*)?			system_u:object_r:lvm_etc_t
+/etc/lvm/\.cache	--	system_u:object_r:lvm_metadata_t
+/etc/lvm/archive(/.*)?		system_u:object_r:lvm_metadata_t
+/etc/lvm/backup(/.*)?		system_u:object_r:lvm_metadata_t
+/etc/lvmtab(/.*)?		system_u:object_r:lvm_metadata_t
+/etc/lvmtab\.d(/.*)?		system_u:object_r:lvm_metadata_t
+# LVM creates lock files in /var before /var is mounted
+# configure LVM to put lockfiles in /etc/lvm/lock instead
+# for this policy to work (unless you have no separate /var)
+/etc/lvm/lock(/.*)?		system_u:object_r:lvm_lock_t
+/var/lock/lvm(/.*)?		system_u:object_r:lvm_lock_t
+/dev/lvm		-c	system_u:object_r:fixed_disk_device_t
+/dev/mapper/.*		-b	system_u:object_r:fixed_disk_device_t
+/dev/mapper/control	-c	system_u:object_r:lvm_control_t
+/lib/lvm-10(/.*)	--	system_u:object_r:lvm_exec_t
+/lib/lvm-200(/.*)	--	system_u:object_r:lvm_exec_t
+/sbin/e2fsadm		--	system_u:object_r:lvm_exec_t
+/sbin/lvchange		--	system_u:object_r:lvm_exec_t
+/sbin/lvcreate		--	system_u:object_r:lvm_exec_t
+/sbin/lvdisplay		--	system_u:object_r:lvm_exec_t
+/sbin/lvextend		--	system_u:object_r:lvm_exec_t
+/sbin/lvmchange		--	system_u:object_r:lvm_exec_t
+/sbin/lvmdiskscan	--	system_u:object_r:lvm_exec_t
+/sbin/lvmsadc		--	system_u:object_r:lvm_exec_t
+/sbin/lvmsar		--	system_u:object_r:lvm_exec_t
+/sbin/lvreduce		--	system_u:object_r:lvm_exec_t
+/sbin/lvremove		--	system_u:object_r:lvm_exec_t
+/sbin/lvrename		--	system_u:object_r:lvm_exec_t
+/sbin/lvscan		--	system_u:object_r:lvm_exec_t
+/sbin/pvchange		--	system_u:object_r:lvm_exec_t
+/sbin/pvcreate		--	system_u:object_r:lvm_exec_t
+/sbin/pvdata		--	system_u:object_r:lvm_exec_t
+/sbin/pvdisplay		--	system_u:object_r:lvm_exec_t
+/sbin/pvmove		--	system_u:object_r:lvm_exec_t
+/sbin/pvscan		--	system_u:object_r:lvm_exec_t
+/sbin/vgcfgbackup	--	system_u:object_r:lvm_exec_t
+/sbin/vgcfgrestore	--	system_u:object_r:lvm_exec_t
+/sbin/vgchange		--	system_u:object_r:lvm_exec_t
+/sbin/vgchange\.static	--	system_u:object_r:lvm_exec_t
+/sbin/vgck		--	system_u:object_r:lvm_exec_t
+/sbin/vgcreate		--	system_u:object_r:lvm_exec_t
+/sbin/vgdisplay		--	system_u:object_r:lvm_exec_t
+/sbin/vgexport		--	system_u:object_r:lvm_exec_t
+/sbin/vgextend		--	system_u:object_r:lvm_exec_t
+/sbin/vgimport		--	system_u:object_r:lvm_exec_t
+/sbin/vgmerge		--	system_u:object_r:lvm_exec_t
+/sbin/vgmknodes		--	system_u:object_r:lvm_exec_t
+/sbin/vgreduce		--	system_u:object_r:lvm_exec_t
+/sbin/vgremove		--	system_u:object_r:lvm_exec_t
+/sbin/vgrename		--	system_u:object_r:lvm_exec_t
+/sbin/vgscan		--	system_u:object_r:lvm_exec_t
+/sbin/vgscan\.static	--	system_u:object_r:lvm_exec_t
+/sbin/vgsplit		--	system_u:object_r:lvm_exec_t
+/sbin/vgwrapper		--	system_u:object_r:lvm_exec_t
+/sbin/cryptsetup	--	system_u:object_r:lvm_exec_t
+/sbin/dmsetup      --      system_u:object_r:lvm_exec_t
+/sbin/dmsetup\.static --    system_u:object_r:lvm_exec_t
+/sbin/lvm          --      system_u:object_r:lvm_exec_t
+/sbin/lvm\.static   --      system_u:object_r:lvm_exec_t
+/usr/sbin/lvm		--	system_u:object_r:lvm_exec_t
+/sbin/lvresize     --      system_u:object_r:lvm_exec_t
+/sbin/lvs          --      system_u:object_r:lvm_exec_t
+/sbin/pvremove     --      system_u:object_r:lvm_exec_t
+/sbin/pvs          --      system_u:object_r:lvm_exec_t
+/sbin/vgs          --      system_u:object_r:lvm_exec_t
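Review bot: `/sbin/cryptsetup -- system_u:object_r:lvm_exec_t` puts the disk-encryption tool, which reads passphrases and key files, in the same exec type as every LVM volume-management utility, so whatever the lvm domain is allowed to read or write is also granted to cryptsetup and vice versa. That may be a conscious trade-off against adding another domain, but the file's only explanatory comment is about lock-file placement, so it reads like an accident. A comment such as `# cryptsetup deliberately shares lvm_exec_t; its key-file and passphrase handling inherits the lvm domain's full permission set` would make the choice reviewable. Minor consistency nit in the same hunk: `/lib/lvm-10(/.*)` and `/lib/lvm-200(/.*)` omit the `?` that every other `(/.*)?` entry uses; it is harmless with `--` but differs from the file's own idiom.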
diff --git a/strict/file_contexts/program/mailman.fc b/strict/file_contexts/program/mailman.fc
new file mode 100644
index 0000000..68fa8dd
--- /dev/null
+++ b/strict/file_contexts/program/mailman.fc
@@ -0,0 +1,24 @@
+# mailman list server
+/var/lib/mailman(/.*)?		   system_u:object_r:mailman_data_t
+/var/log/mailman(/.*)?		   system_u:object_r:mailman_log_t
+/usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t
+/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
+/var/run/mailman(/.*)?		   system_u:object_r:mailman_lock_t
+/var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
+
+ifdef(`distro_debian', `
+/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
+/usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
+/usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
+/etc/cron\.daily/mailman 	-- system_u:object_r:mailman_queue_exec_t
+/etc/cron\.monthly/mailman 	-- system_u:object_r:mailman_queue_exec_t
+')
+
+ifdef(`distro_redhat', `
+/usr/lib/mailman/cgi-bin/.*	 -- system_u:object_r:mailman_cgi_exec_t
+/var/lock/mailman(/.*)?		    system_u:object_r:mailman_lock_t
+/usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t
+/usr/lib/mailman/bin/qrunner  	 -- system_u:object_r:mailman_queue_exec_t
+/etc/mailman(/.*)?		   system_u:object_r:mailman_data_t
+/var/spool/mailman(/.*)?	   system_u:object_r:mailman_data_t
+')
diff --git a/strict/file_contexts/program/mdadm.fc b/strict/file_contexts/program/mdadm.fc
new file mode 100644
index 0000000..7ca9f0d
--- /dev/null
+++ b/strict/file_contexts/program/mdadm.fc
@@ -0,0 +1,4 @@
+# mdadm - manage MD devices aka Linux Software Raid.
+/sbin/mdmpd		--	system_u:object_r:mdadm_exec_t
+/sbin/mdadm		--	system_u:object_r:mdadm_exec_t
+/var/run/mdadm(/.*)?            system_u:object_r:mdadm_var_run_t 
diff --git a/strict/file_contexts/program/modutil.fc b/strict/file_contexts/program/modutil.fc
new file mode 100644
index 0000000..8fd81e1
--- /dev/null
+++ b/strict/file_contexts/program/modutil.fc
@@ -0,0 +1,14 @@
+# module utilities
+/etc/modules\.conf.*	--	system_u:object_r:modules_conf_t
+/etc/modprobe\.conf.*	--	system_u:object_r:modules_conf_t
+/lib(64)?/modules/modprobe\.conf --	system_u:object_r:modules_conf_t
+/lib(64)?/modules(/.*)?		system_u:object_r:modules_object_t
+/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t
+/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t
+/sbin/depmod.*		--	system_u:object_r:depmod_exec_t
+/sbin/modprobe.*	--	system_u:object_r:insmod_exec_t
+/sbin/insmod.*		--	system_u:object_r:insmod_exec_t
+/sbin/insmod_ksymoops_clean --	system_u:object_r:sbin_t
+/sbin/rmmod.*		--	system_u:object_r:insmod_exec_t
+/sbin/update-modules	--	system_u:object_r:update_modules_exec_t
+/sbin/generate-modprobe\.conf -- system_u:object_r:update_modules_exec_t
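Review bot: `/lib(64)?/modules/modprobe\.conf --	system_u:object_r:modules_conf_t` is entirely subsumed by the later `/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t`, because `.*` also matches the empty string, so one of the two lines is dead. Dropping the shorter one keeps the file from diverging if only one of them is edited later. The two `/etc/...conf.*` patterns have the same trailing `.*`; since `.*` also matches `/`, they cover regular files in any subdirectory whose name starts with the conf name, which is presumably intended but worth a comment, e.g. `# trailing .* is deliberate: also matches per-module files under modprobe.conf.d-style directories`.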
diff --git a/strict/file_contexts/program/monopd.fc b/strict/file_contexts/program/monopd.fc
new file mode 100644
index 0000000..0c00ab6
--- /dev/null
+++ b/strict/file_contexts/program/monopd.fc
@@ -0,0 +1,4 @@
+# monopd
+/etc/monopd\.conf	--	system_u:object_r:etc_monopd_t
+/usr/sbin/monopd	--	system_u:object_r:monopd_exec_t
+/usr/share/monopd/games(/.*)?	system_u:object_r:share_monopd_t
diff --git a/strict/file_contexts/program/mount.fc b/strict/file_contexts/program/mount.fc
new file mode 100644
index 0000000..7b1ca14
--- /dev/null
+++ b/strict/file_contexts/program/mount.fc
@@ -0,0 +1,3 @@
+# mount
+/bin/mount.*			--	system_u:object_r:mount_exec_t
+/bin/umount.*			--	system_u:object_r:mount_exec_t
diff --git a/strict/file_contexts/program/mozilla.fc b/strict/file_contexts/program/mozilla.fc
new file mode 100644
index 0000000..7a8c13c
--- /dev/null
+++ b/strict/file_contexts/program/mozilla.fc
@@ -0,0 +1,25 @@
+#  netscape/mozilla
+HOME_DIR/\.galeon(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.netscape(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.mozilla(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.phoenix(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.gconfd(/.*)?		system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/My.Downloads(/.*)?	system_u:object_r:ROLE_mozilla_home_t
+HOME_DIR/\.java(/.*)?		system_u:object_r:ROLE_mozilla_home_t
+/usr/bin/netscape	--	system_u:object_r:mozilla_exec_t
+/usr/bin/mozilla	--	system_u:object_r:mozilla_exec_t
+/usr/bin/mozilla-snapshot --	system_u:object_r:mozilla_exec_t
+/usr/bin/epiphany-bin   --	system_u:object_r:mozilla_exec_t
+/usr/bin/mozilla-[0-9].* --	system_u:object_r:mozilla_exec_t
+/usr/bin/mozilla-bin-[0-9].* --	system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/galeon/galeon -- system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/netscape/base-4/wrapper -- system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/mozilla[^/]*/reg.+	--	system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/mozilla[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/firefox[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin --	system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/[^/]*firefox[^/]*/firefox --	system_u:object_r:bin_t
+/etc/mozpluggerrc system_u:object_r:mozilla_conf_t
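Review bot: `HOME_DIR/\.gconfd(/.*)?` and `HOME_DIR/\.gconf(/.*)?` label the per-user GNOME configuration store as `ROLE_mozilla_home_t`, but those directories are shared by every GNOME application, not just the browsers listed in this file; the same applies to `HOME_DIR/\.java(/.*)?`. Access by other desktop programs to their own settings then depends on whatever the mozilla home type allows, which is not obvious from a file headed "netscape/mozilla". If this is a deliberate workaround, a comment such as `# .gconf/.gconfd/.java are shared user state; labeled here so the browser domain can reach them` would record that; otherwise a more general home type seems the better fit. `HOME_DIR/My.Downloads(/.*)?` also leaves the dot unescaped, which looks intentional (it matches a space) but could use `# unescaped dot matches "My Downloads"`.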
diff --git a/strict/file_contexts/program/mplayer.fc b/strict/file_contexts/program/mplayer.fc
new file mode 100644
index 0000000..10465aa
--- /dev/null
+++ b/strict/file_contexts/program/mplayer.fc
@@ -0,0 +1,6 @@
+# mplayer
+/usr/bin/mplayer	--	   	system_u:object_r:mplayer_exec_t
+/usr/bin/mencoder	--	   	system_u:object_r:mencoder_exec_t
+
+/etc/mplayer(/.*)?		system_u:object_r:mplayer_etc_t
+HOME_DIR/\.mplayer(/.*)?        system_u:object_r:ROLE_mplayer_home_t
diff --git a/strict/file_contexts/program/mrtg.fc b/strict/file_contexts/program/mrtg.fc
new file mode 100644
index 0000000..9d00476
--- /dev/null
+++ b/strict/file_contexts/program/mrtg.fc
@@ -0,0 +1,7 @@
+# mrtg - traffic grapher
+/usr/bin/mrtg		--	system_u:object_r:mrtg_exec_t
+/var/lib/mrtg(/.*)?		system_u:object_r:var_lib_mrtg_t
+/var/lock/mrtg(/.*)?		system_u:object_r:mrtg_lock_t
+/etc/mrtg.*			system_u:object_r:mrtg_etc_t
+/etc/mrtg/mrtg\.ok	--	system_u:object_r:mrtg_lock_t
+/var/log/mrtg(/.*)?		system_u:object_r:mrtg_log_t
diff --git a/strict/file_contexts/program/mta.fc b/strict/file_contexts/program/mta.fc
new file mode 100644
index 0000000..88aa3f6
--- /dev/null
+++ b/strict/file_contexts/program/mta.fc
@@ -0,0 +1,12 @@
+# types for general mail servers
+/usr/sbin/sendmail(.sendmail)?	-- system_u:object_r:sendmail_exec_t
+/usr/lib(64)?/sendmail		-- system_u:object_r:sendmail_exec_t
+/etc/aliases		--	system_u:object_r:etc_aliases_t
+/etc/aliases\.db	--	system_u:object_r:etc_aliases_t
+/var/spool/mail(/.*)?		system_u:object_r:mail_spool_t
+/var/mail(/.*)?			system_u:object_r:mail_spool_t
+ifdef(`postfix.te', `', `
+/usr/sbin/sendmail.postfix --	system_u:object_r:sendmail_exec_t
+/var/spool/postfix(/.*)?		system_u:object_r:mail_spool_t
+')
+
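Review bot: The dot in `/usr/sbin/sendmail(.sendmail)?` and in `/usr/sbin/sendmail.postfix` is unescaped, unlike `/etc/aliases\.db` two lines later, so `.` matches any character rather than a literal period. The effect is a slightly wider match than intended rather than a mislabel, but it is inconsistent with the rest of the file-contexts tree; I would write `/usr/sbin/sendmail(\.sendmail)?	-- system_u:object_r:sendmail_exec_t` and `/usr/sbin/sendmail\.postfix --	system_u:object_r:sendmail_exec_t`.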
diff --git a/strict/file_contexts/program/mysqld.fc b/strict/file_contexts/program/mysqld.fc
new file mode 100644
index 0000000..0ad8746
--- /dev/null
+++ b/strict/file_contexts/program/mysqld.fc
@@ -0,0 +1,12 @@
+# mysql database server
+/usr/sbin/mysqld(-max)?	--	system_u:object_r:mysqld_exec_t
+/usr/libexec/mysqld	--	system_u:object_r:mysqld_exec_t
+/var/run/mysqld(/.*)?		system_u:object_r:mysqld_var_run_t
+/var/log/mysql.*	--	system_u:object_r:mysqld_log_t
+/var/lib/mysql(/.*)?		system_u:object_r:mysqld_db_t
+/var/lib/mysql/mysql\.sock -s	system_u:object_r:mysqld_var_run_t
+/etc/my\.cnf		--	system_u:object_r:mysqld_etc_t
+/etc/mysql(/.*)?		system_u:object_r:mysqld_etc_t
+ifdef(`distro_debian', `
+/etc/mysql/debian-start	--	system_u:object_r:bin_t
+')
diff --git a/strict/file_contexts/program/nagios.fc b/strict/file_contexts/program/nagios.fc
new file mode 100644
index 0000000..6a8a22d
--- /dev/null
+++ b/strict/file_contexts/program/nagios.fc
@@ -0,0 +1,15 @@
+# nagios - network monitoring server
+/var/log/netsaint(/.*)?			system_u:object_r:nagios_log_t
+/usr/lib(64)?/netsaint/plugins(/.*)?		system_u:object_r:bin_t
+/usr/lib(64)?/cgi-bin/netsaint/.+	--	system_u:object_r:nagios_cgi_exec_t
+# nagios
+ifdef(`distro_debian', `
+/usr/sbin/nagios		--	system_u:object_r:nagios_exec_t
+/usr/lib/cgi-bin/nagios/.+	--	system_u:object_r:nagios_cgi_exec_t
+', `
+/usr/bin/nagios			--	system_u:object_r:nagios_exec_t
+/usr/lib(64)?/nagios/cgi/.+	--	system_u:object_r:nagios_cgi_exec_t
+')
+/etc/nagios(/.*)?			system_u:object_r:nagios_etc_t
+/var/log/nagios(/.*)?			system_u:object_r:nagios_log_t
+/usr/lib(64)?/nagios/plugins(/.*)?	system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/named.fc b/strict/file_contexts/program/named.fc
new file mode 100644
index 0000000..b39ec8f
--- /dev/null
+++ b/strict/file_contexts/program/named.fc
@@ -0,0 +1,46 @@
+# named
+ifdef(`distro_redhat', `
+/var/named(/.*)?		system_u:object_r:named_zone_t
+/var/named/slaves(/.*)?		system_u:object_r:named_cache_t
+/var/named/data(/.*)?		system_u:object_r:named_cache_t
+/etc/named\.conf	--	system_u:object_r:named_conf_t
+') dnl end distro_redhat
+
+ifdef(`distro_debian', `
+/etc/bind(/.*)?			system_u:object_r:named_zone_t
+/etc/bind/named\.conf	--	system_u:object_r:named_conf_t
+/etc/bind/rndc\.key	--	system_u:object_r:named_conf_t
+/var/cache/bind(/.*)?		system_u:object_r:named_cache_t
+') dnl distro_debian
+
+/etc/rndc.*		--	system_u:object_r:named_conf_t
+/etc/rndc.key  		-- 	system_u:object_r:dnssec_t
+/usr/sbin/named      	--	system_u:object_r:named_exec_t
+/usr/sbin/r?ndc		--	system_u:object_r:ndc_exec_t
+/var/run/ndc		-s	system_u:object_r:named_var_run_t
+/var/run/bind(/.*)?		system_u:object_r:named_var_run_t
+/var/run/named(/.*)?		system_u:object_r:named_var_run_t
+/usr/sbin/lwresd	--	system_u:object_r:named_exec_t
+ifdef(`distro_redhat', `
+/var/named/named\.ca	--	system_u:object_r:named_conf_t
+/var/named/chroot(/.*)?		system_u:object_r:named_conf_t
+/var/named/chroot/dev/null   -c	system_u:object_r:null_device_t
+/var/named/chroot/dev/random -c	system_u:object_r:random_device_t
+/var/named/chroot/dev/zero -c	system_u:object_r:zero_device_t
+/var/named/chroot/etc(/.*)? 	system_u:object_r:named_conf_t
+/var/named/chroot/etc/rndc.key  -- system_u:object_r:dnssec_t
+/var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t
+/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t
+/var/named/chroot/var/named(/.*)?	system_u:object_r:named_zone_t
+/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t
+/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t
+/var/named/chroot/var/named/named\.ca	--	system_u:object_r:named_conf_t
+') dnl distro_redhat
+
+ifdef(`distro_gentoo', `
+/etc/bind(/.*)?         system_u:object_r:named_zone_t
+/etc/bind/named\.conf   --  system_u:object_r:named_conf_t
+/etc/bind/rndc\.key    --  system_u:object_r:named_conf_t
+/var/bind(/.*)?             system_u:object_r:named_cache_t
+/var/bind/pri(/.*)?         system_u:object_r:named_zone_t
+') dnl distro_gentoo
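Review bot: `/etc/rndc.key -- system_u:object_r:dnssec_t` gives the rndc control-channel secret its own type on the default layout, but the distro_debian and distro_gentoo blocks label `/etc/bind/rndc\.key` as `named_conf_t`, the same type as named.conf, so on those distributions the key is indistinguishable from ordinary configuration. Unless that difference is intended, both blocks should read `/etc/bind/rndc\.key	--	system_u:object_r:dnssec_t`. In the same hunk `/etc/rndc.key`, `/var/named/chroot/etc/rndc.key` and `/var/named/chroot/var/run/named.*` leave the dot unescaped while the `/etc/bind/rndc\.key` entries escape it; the unescaped form still matches the real file but also matches any single character, and the file should pick one convention.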
diff --git a/strict/file_contexts/program/nessusd.fc b/strict/file_contexts/program/nessusd.fc
new file mode 100644
index 0000000..adec00b
--- /dev/null
+++ b/strict/file_contexts/program/nessusd.fc
@@ -0,0 +1,6 @@
+# nessusd - network scanning server
+/usr/sbin/nessusd	--	system_u:object_r:nessusd_exec_t
+/usr/lib(64)?/nessus/plugins/.* --	system_u:object_r:nessusd_exec_t
+/var/lib/nessus(/.*)?	 	system_u:object_r:nessusd_db_t
+/var/log/nessus(/.*)?		system_u:object_r:nessusd_log_t
+/etc/nessus/nessusd\.conf --	system_u:object_r:nessusd_etc_t
diff --git a/strict/file_contexts/program/netutils.fc b/strict/file_contexts/program/netutils.fc
new file mode 100644
index 0000000..7aa0694
--- /dev/null
+++ b/strict/file_contexts/program/netutils.fc
@@ -0,0 +1,4 @@
+# network utilities
+/sbin/arping		--	system_u:object_r:netutils_exec_t
+/usr/sbin/tcpdump	--	system_u:object_r:netutils_exec_t
+/etc/network/ifstate	--	system_u:object_r:etc_runtime_t
diff --git a/strict/file_contexts/program/newrole.fc b/strict/file_contexts/program/newrole.fc
new file mode 100644
index 0000000..5535bde
--- /dev/null
+++ b/strict/file_contexts/program/newrole.fc
@@ -0,0 +1,2 @@
+# newrole
+/usr/bin/newrole	--		system_u:object_r:newrole_exec_t
diff --git a/strict/file_contexts/program/nrpe.fc b/strict/file_contexts/program/nrpe.fc
new file mode 100644
index 0000000..be74d33
--- /dev/null
+++ b/strict/file_contexts/program/nrpe.fc
@@ -0,0 +1,7 @@
+# nrpe
+/usr/bin/nrpe		--	system_u:object_r:nrpe_exec_t
+/etc/nagios/nrpe\.cfg	--	system_u:object_r:nrpe_etc_t
+ifdef(`nagios.te', `', `
+/usr/lib(64)?/netsaint/plugins(/.*)?	--	system_u:object_r:bin_t
+/usr/lib(64)?/nagios/plugins(/.*)?	--	system_u:object_r:bin_t
+')
diff --git a/strict/file_contexts/program/nscd.fc b/strict/file_contexts/program/nscd.fc
new file mode 100644
index 0000000..aa24987
--- /dev/null
+++ b/strict/file_contexts/program/nscd.fc
@@ -0,0 +1,6 @@
+# nscd
+/usr/sbin/nscd		--	system_u:object_r:nscd_exec_t
+/var/run/\.nscd_socket	-s	system_u:object_r:nscd_var_run_t
+/var/run/nscd\.pid	--	system_u:object_r:nscd_var_run_t
+/var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t
+/var/run/nscd(/.*)?		system_u:object_r:nscd_var_run_t
diff --git a/strict/file_contexts/program/nsd.fc b/strict/file_contexts/program/nsd.fc
new file mode 100644
index 0000000..43b49fe
--- /dev/null
+++ b/strict/file_contexts/program/nsd.fc
@@ -0,0 +1,12 @@
+# nsd
+/etc/nsd(/.*)?       		system_u:object_r:nsd_conf_t
+/etc/nsd/primary(/.*)?		system_u:object_r:nsd_zone_t
+/etc/nsd/secondary(/.*)?	system_u:object_r:nsd_zone_t
+/etc/nsd/nsd\.db		--	system_u:object_r:nsd_db_t
+/var/lib/nsd(/.*)?		system_u:object_r:nsd_zone_t
+/var/lib/nsd/nsd\.db	--	system_u:object_r:nsd_db_t
+/usr/sbin/nsd      	--	system_u:object_r:nsd_exec_t
+/usr/sbin/nsdc      	--	system_u:object_r:nsd_exec_t
+/usr/sbin/nsd-notify	--	system_u:object_r:nsd_exec_t
+/usr/sbin/zonec		--	system_u:object_r:nsd_exec_t
+/var/run/nsd\.pid	--	system_u:object_r:nsd_var_run_t
diff --git a/strict/file_contexts/program/ntpd.fc b/strict/file_contexts/program/ntpd.fc
new file mode 100644
index 0000000..3b178b4
--- /dev/null
+++ b/strict/file_contexts/program/ntpd.fc
@@ -0,0 +1,12 @@
+/var/lib/ntp(/.*)?			system_u:object_r:ntp_drift_t
+/etc/ntp/data(/.*)?			system_u:object_r:ntp_drift_t
+/etc/ntp(d)?\.conf(.sv)?	--	system_u:object_r:net_conf_t
+/etc/ntp/step-tickers		--	system_u:object_r:net_conf_t
+/usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t
+/usr/sbin/ntpdate		--	system_u:object_r:ntpdate_exec_t
+/var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t
+/var/log/ntp.*			--	system_u:object_r:ntpd_log_t
+/var/log/xntpd.*		--	system_u:object_r:ntpd_log_t
+/var/run/ntpd\.pid		--	system_u:object_r:ntpd_var_run_t
+/etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t
+/etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t
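Review bot: The dot in the `(.sv)?` suffix of the ntp.conf entry is unescaped, so it is a wildcard rather than a literal and the rule also matches names like `/etc/ntp.confXsv`; the intended form is `/etc/ntp(d)?\.conf(\.sv)?	--	system_u:object_r:net_conf_t`. Note that ntp.conf is given the generic `net_conf_t` rather than an ntpd-specific config type, so whatever else can write `net_conf_t` can alter the `restrict`/`server` lines; that may be intentional but is worth a comment. The cron scripts `ntp-simple`/`ntp-server` are labeled with the daemon's `ntpd_exec_t`, which is fine only if ntpd_t is allowed to run the shell those scripts need — that is decided in ntpd.te, outside this hunk.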
diff --git a/strict/file_contexts/program/oav-update.fc b/strict/file_contexts/program/oav-update.fc
new file mode 100644
index 0000000..5e88a02
--- /dev/null
+++ b/strict/file_contexts/program/oav-update.fc
@@ -0,0 +1,4 @@
+/var/lib/oav-virussignatures -- system_u:object_r:oav_update_var_lib_t
+/var/lib/oav-update(/.*)?	system_u:object_r:oav_update_var_lib_t
+/usr/sbin/oav-update	--	system_u:object_r:oav_update_exec_t
+/etc/oav-update(/.*)?		system_u:object_r:oav_update_etc_t
diff --git a/strict/file_contexts/program/openca-ca.fc b/strict/file_contexts/program/openca-ca.fc
new file mode 100644
index 0000000..99ddefe
--- /dev/null
+++ b/strict/file_contexts/program/openca-ca.fc
@@ -0,0 +1,8 @@
+/etc/openca(/.*)?		system_u:object_r:openca_etc_t
+/etc/openca/rbac(/.*)?		system_u:object_r:openca_etc_writeable_t
+/etc/openca/*.\.in(/.*)?	system_u:object_r:openca_etc_in_t
+/var/lib/openca(/.*)?		system_u:object_r:openca_var_lib_t
+/var/lib/openca/crypto/keys(/.*)?	system_u:object_r:openca_var_lib_keys_t
+/usr/share/openca(/.*)?		system_u:object_r:openca_usr_share_t
+/usr/share/openca/htdocs(/.*)?	system_u:object_r:httpd_sys_content_t
+/usr/share/openca/cgi-bin/ca/.+ --	system_u:object_r:openca_ca_exec_t
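Review bot: The template rule `/etc/openca/*.\.in(/.*)?` is a broken regex: `/*` quantifies the slash, and the following `.` matches exactly one character, so it only ever matches one-character names such as `/etc/openca/x.in` (or `/etc/opencaX.in`) and never the usual `foo.conf.in` templates, which therefore stay `openca_etc_t`. The intended pattern is almost certainly `/etc/openca/.*\.in(/.*)?	system_u:object_r:openca_etc_in_t`. The private-key tree does get its own `openca_var_lib_keys_t`, which is the right separation for CA key material; a short comment on that line stating that this type must never be granted to the web-facing domain would document the design choice.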
diff --git a/strict/file_contexts/program/openca-common.fc b/strict/file_contexts/program/openca-common.fc
new file mode 100644
index 0000000..b75952f
--- /dev/null
+++ b/strict/file_contexts/program/openca-common.fc
@@ -0,0 +1,7 @@
+/etc/openca(/.*)?			system_u:object_r:openca_etc_t
+/etc/openca/rbac(/.*)?			system_u:object_r:openca_etc_writeable_t
+/etc/openca/*.\.in(/.*)?		system_u:object_r:openca_etc_in_t
+/var/lib/openca(/.*)?			system_u:object_r:openca_var_lib_t
+/var/lib/openca/crypto/keys(/.*)?	system_u:object_r:openca_var_lib_keys_t
+/usr/share/openca(/.*)?			system_u:object_r:openca_usr_share_t
+/usr/share/openca/htdocs(/.*)?		system_u:object_r:httpd_sys_content_t
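Review bot: These seven entries are a byte-for-byte copy of the first seven lines of openca-ca.fc in this same commit, including the same defective template regex `/etc/openca/*.\.in(/.*)?`, which should read `/etc/openca/.*\.in(/.*)?`. If both files are ever assembled into one file_contexts, setfiles reports identical duplicates as "multiple same specifications" and any later divergence between the two copies becomes a conflicting-specification error, so the shared entries belong in one place (this file, given its name) with openca-ca.fc keeping only the `cgi-bin/ca` rule. The fix needs to be applied in both files since each is a separate hunk.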
diff --git a/strict/file_contexts/program/openvpn.fc b/strict/file_contexts/program/openvpn.fc
new file mode 100644
index 0000000..ba84de2
--- /dev/null
+++ b/strict/file_contexts/program/openvpn.fc
@@ -0,0 +1,4 @@
+# OpenVPN
+
+/etc/openvpn(/.*)?	--	system_u:object_r:openvpn_etc_t
+/usr/sbin/openvpn	--	system_u:object_r:openvpn_exec_t
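Review bot: `/etc/openvpn(/.*)?` carries the `--` flag, so only regular files become `openvpn_etc_t`; the `/etc/openvpn` directory itself and any subdirectory fall back to the generic `/etc` label, which defeats the `(/.*)?` alternative and can leave the daemon unable to search its own config tree depending on what openvpn.te allows. Drop the flag: `/etc/openvpn(/.*)?		system_u:object_r:openvpn_etc_t`. Unlike pppd.fc in this commit, which splits `pppd_secret_t` out of `pppd_etc_t`, this file gives OpenVPN's keys and certificates the same type as the plain config; if that is deliberate, a comment saying so would help, otherwise a dedicated secret type is the better model.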
diff --git a/strict/file_contexts/program/pam.fc b/strict/file_contexts/program/pam.fc
new file mode 100644
index 0000000..7209276
--- /dev/null
+++ b/strict/file_contexts/program/pam.fc
@@ -0,0 +1,3 @@
+/var/run/sudo(/.*)?			system_u:object_r:pam_var_run_t
+/sbin/pam_timestamp_check	 --	system_u:object_r:pam_exec_t
+/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- system_u:object_r:pam_exec_t
diff --git a/strict/file_contexts/program/pamconsole.fc b/strict/file_contexts/program/pamconsole.fc
new file mode 100644
index 0000000..75c8c55
--- /dev/null
+++ b/strict/file_contexts/program/pamconsole.fc
@@ -0,0 +1,3 @@
+# pam_console_apply
+/sbin/pam_console_apply	 --	system_u:object_r:pam_console_exec_t
+/var/run/console(/.*)?	 	system_u:object_r:pam_var_console_t
diff --git a/strict/file_contexts/program/passwd.fc b/strict/file_contexts/program/passwd.fc
new file mode 100644
index 0000000..e8d3d06
--- /dev/null
+++ b/strict/file_contexts/program/passwd.fc
@@ -0,0 +1,13 @@
+# spasswd
+/usr/bin/passwd		--	system_u:object_r:passwd_exec_t
+/usr/bin/chage		--	system_u:object_r:passwd_exec_t
+/usr/bin/chsh		--	system_u:object_r:chfn_exec_t
+/usr/bin/chfn		--	system_u:object_r:chfn_exec_t
+/usr/sbin/vipw		--	system_u:object_r:admin_passwd_exec_t
+/usr/sbin/vigr		--	system_u:object_r:admin_passwd_exec_t
+/usr/bin/vipw		--	system_u:object_r:admin_passwd_exec_t
+/usr/bin/vigr		--	system_u:object_r:admin_passwd_exec_t
+/usr/sbin/pwconv	--	system_u:object_r:admin_passwd_exec_t
+/usr/sbin/pwunconv	--	system_u:object_r:admin_passwd_exec_t
+/usr/sbin/grpconv	--	system_u:object_r:admin_passwd_exec_t
+/usr/sbin/grpunconv	--	system_u:object_r:admin_passwd_exec_t
diff --git a/strict/file_contexts/program/perdition.fc b/strict/file_contexts/program/perdition.fc
new file mode 100644
index 0000000..a2d2adb
--- /dev/null
+++ b/strict/file_contexts/program/perdition.fc
@@ -0,0 +1,3 @@
+# perdition POP and IMAP proxy
+/usr/sbin/perdition	--	system_u:object_r:perdition_exec_t
+/etc/perdition(/.*)?		system_u:object_r:perdition_etc_t
diff --git a/strict/file_contexts/program/ping.fc b/strict/file_contexts/program/ping.fc
new file mode 100644
index 0000000..f37874f
--- /dev/null
+++ b/strict/file_contexts/program/ping.fc
@@ -0,0 +1,3 @@
+# ping
+/bin/ping.* 		--	system_u:object_r:ping_exec_t
+/usr/sbin/hping2	--	system_u:object_r:ping_exec_t
diff --git a/strict/file_contexts/program/portmap.fc b/strict/file_contexts/program/portmap.fc
new file mode 100644
index 0000000..08802d5
--- /dev/null
+++ b/strict/file_contexts/program/portmap.fc
@@ -0,0 +1,9 @@
+# portmap
+/sbin/portmap		--	system_u:object_r:portmap_exec_t
+ifdef(`distro_debian', `
+/sbin/pmap_dump		--	system_u:object_r:portmap_helper_exec_t
+/sbin/pmap_set		--	system_u:object_r:portmap_helper_exec_t
+', `
+/usr/sbin/pmap_dump	--	system_u:object_r:portmap_helper_exec_t
+/usr/sbin/pmap_set	--	system_u:object_r:portmap_helper_exec_t
+')
diff --git a/strict/file_contexts/program/portslave.fc b/strict/file_contexts/program/portslave.fc
new file mode 100644
index 0000000..873334d
--- /dev/null
+++ b/strict/file_contexts/program/portslave.fc
@@ -0,0 +1,5 @@
+# portslave
+/usr/sbin/portslave	--	system_u:object_r:portslave_exec_t
+/usr/sbin/ctlportslave	--	system_u:object_r:portslave_exec_t
+/etc/portslave(/.*)?		system_u:object_r:portslave_etc_t
+/var/run/radius\.(id|seq) -- system_u:object_r:pppd_var_run_t
diff --git a/strict/file_contexts/program/postfix.fc b/strict/file_contexts/program/postfix.fc
new file mode 100644
index 0000000..08b3c69
--- /dev/null
+++ b/strict/file_contexts/program/postfix.fc
@@ -0,0 +1,45 @@
+# postfix
+/etc/postfix(/.*)?		system_u:object_r:postfix_etc_t
+ifdef(`distro_redhat', `
+/etc/postfix/aliases.*		system_u:object_r:etc_aliases_t
+')
+/etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t
+/etc/postfix/prng_exch	--	system_u:object_r:postfix_prng_t
+/usr/lib(exec)?/postfix/.*	--	system_u:object_r:postfix_exec_t
+/usr/lib(exec)?/postfix/cleanup --	system_u:object_r:postfix_cleanup_exec_t
+/usr/lib(exec)?/postfix/local	--	system_u:object_r:postfix_local_exec_t
+/usr/lib(exec)?/postfix/master	--	system_u:object_r:postfix_master_exec_t
+/usr/lib(exec)?/postfix/pickup	--	system_u:object_r:postfix_pickup_exec_t
+/usr/lib(exec)?/postfix/(n)?qmgr --	system_u:object_r:postfix_qmgr_exec_t
+/usr/lib(exec)?/postfix/showq	--	system_u:object_r:postfix_showq_exec_t
+/usr/lib(exec)?/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t
+/usr/lib(exec)?/postfix/smtpd	--	system_u:object_r:postfix_smtpd_exec_t
+/usr/lib(exec)?/postfix/bounce	--	system_u:object_r:postfix_bounce_exec_t
+/usr/lib(exec)?/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t
+/usr/sbin/postalias	--	system_u:object_r:postfix_master_exec_t
+/usr/sbin/postcat	--	system_u:object_r:postfix_master_exec_t
+/usr/sbin/postdrop	--	system_u:object_r:postfix_postdrop_exec_t
+/usr/sbin/postfix	--	system_u:object_r:postfix_master_exec_t
+/usr/sbin/postkick	--	system_u:object_r:postfix_master_exec_t
+/usr/sbin/postlock	--	system_u:object_r:postfix_master_exec_t
+/usr/sbin/postlog	--	system_u:object_r:postfix_master_exec_t
+/usr/sbin/postmap	--	system_u:object_r:postfix_map_exec_t
+/usr/sbin/postqueue	--	system_u:object_r:postfix_postqueue_exec_t
+/usr/sbin/postsuper	--	system_u:object_r:postfix_master_exec_t
+/usr/sbin/rmail		--	system_u:object_r:sendmail_exec_t
+/usr/sbin/sendmail.postfix --	system_u:object_r:sendmail_exec_t
+/var/spool/postfix(/.*)?	system_u:object_r:postfix_spool_t
+/var/spool/postfix/maildrop(/.*)? system_u:object_r:postfix_spool_maildrop_t
+/var/spool/postfix/pid	-d	system_u:object_r:var_run_t
+/var/spool/postfix/pid/.*	system_u:object_r:postfix_var_run_t
+/var/spool/postfix/private(/.*)? system_u:object_r:postfix_private_t
+/var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t
+/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t
+/var/spool/postfix/flush(/.*)?	system_u:object_r:postfix_spool_flush_t
+/var/spool/postfix/etc(/.*)?	system_u:object_r:etc_t
+/var/spool/postfix/lib(64)?(/.*)?	system_u:object_r:lib_t
+/var/spool/postfix/usr(/.*)?	system_u:object_r:lib_t
+/var/spool/postfix/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t
+/var/spool/postfix/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t
+/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t
+/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t
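Review bot: The last four entries label files under the spool tree as `ld_so_t` and `shlib_t`, which means that on any relabel a regular file placed under `/var/spool/postfix/lib` (or `usr`, `etc`) whose name matches `lib.*\.so.*` is handed the trusted loader/library types. That is presumably for a chrooted Postfix, but nothing in the hunk says so or states the assumption that only root ever writes those copies; a comment such as `# copies of the loader, libraries and /etc used by a chrooted postfix; this tree must stay root-writable only` would make the trust boundary explicit. Also note that `/var/spool/postfix/pid` is given the generic `var_run_t` while its contents are `postfix_var_run_t`; if that is intentional (so non-postfix tooling can traverse it) a one-line comment would prevent a later "fix".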
diff --git a/strict/file_contexts/program/postgresql.fc b/strict/file_contexts/program/postgresql.fc
new file mode 100644
index 0000000..1feef35
--- /dev/null
+++ b/strict/file_contexts/program/postgresql.fc
@@ -0,0 +1,16 @@
+# postgresql - database server
+/usr/lib(64)?/postgresql/bin/.* --	system_u:object_r:postgresql_exec_t
+/usr/bin/postgres	--	system_u:object_r:postgresql_exec_t
+/usr/bin/initdb		--	system_u:object_r:postgresql_exec_t
+
+/var/lib/postgres(ql)?(/.*)? 	system_u:object_r:postgresql_db_t
+/var/lib/pgsql/data(/.*)?	system_u:object_r:postgresql_db_t
+/var/run/postgresql(/.*)?	system_u:object_r:postgresql_var_run_t
+/etc/postgresql(/.*)?		system_u:object_r:postgresql_etc_t
+/var/log/postgres\.log.* --	system_u:object_r:postgresql_log_t
+/var/log/postgresql(/.*)?	system_u:object_r:postgresql_log_t
+/var/lib/pgsql/pgstartup.log	system_u:object_r:postgresql_log_t
+/usr/lib/pgsql/test/regres(/.*)?	system_u:object_r:postgresql_db_t
+/usr/lib/pgsql/test/regress/.*\.so	-- system_u:object_r:shlib_t
+/usr/lib/pgsql/test/regress/.*\.sh	-- system_u:object_r:bin_t
+/usr/lib/pgsql/test/regress/pg_regress	-- system_u:object_r:postgresql_exec_t
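Review bot: The directory rule `/usr/lib/pgsql/test/regres(/.*)?` is misspelled relative to the three lines that follow it (`regress`): `regres(/.*)?` matches only a path literally named `regres` or its children, never `/usr/lib/pgsql/test/regress`, so the regression tree is not labeled `postgresql_db_t` and only the three explicit file rules apply. Change it to `/usr/lib/pgsql/test/regress(/.*)?	system_u:object_r:postgresql_db_t`, and consider adding `(64)?` after `lib` on these four lines as the first entry in the file already does. The dot in `/var/lib/pgsql/pgstartup.log` should also be escaped for consistency with the other log entries.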
diff --git a/strict/file_contexts/program/postgrey.fc b/strict/file_contexts/program/postgrey.fc
new file mode 100644
index 0000000..89e43fd
--- /dev/null
+++ b/strict/file_contexts/program/postgrey.fc
@@ -0,0 +1,5 @@
+# postgrey - postfix grey-listing server
+/usr/sbin/postgrey	--	system_u:object_r:postgrey_exec_t
+/var/run/postgrey\.pid	--	system_u:object_r:postgrey_var_run_t
+/etc/postgrey(/.*)?		system_u:object_r:postgrey_etc_t
+/var/lib/postgrey(/.*)?		system_u:object_r:postgrey_var_lib_t
diff --git a/strict/file_contexts/program/pppd.fc b/strict/file_contexts/program/pppd.fc
new file mode 100644
index 0000000..48e5b68
--- /dev/null
+++ b/strict/file_contexts/program/pppd.fc
@@ -0,0 +1,20 @@
+# pppd
+/usr/sbin/pppd		--	system_u:object_r:pppd_exec_t
+/usr/sbin/ipppd		--	system_u:object_r:pppd_exec_t
+/dev/ppp		-c	system_u:object_r:ppp_device_t
+/dev/pppox.*		-c	system_u:object_r:ppp_device_t
+/dev/ippp.*		-c	system_u:object_r:ppp_device_t
+/var/run/pppd\.tdb	--	system_u:object_r:pppd_var_run_t
+/var/run/ppp(/.*)?		system_u:object_r:pppd_var_run_t
+/etc/ppp		-d	system_u:object_r:pppd_etc_t
+/etc/ppp/.*		--	system_u:object_r:pppd_etc_rw_t
+/etc/ppp/.*secrets	--	system_u:object_r:pppd_secret_t
+/var/run/(i)?ppp.*pid	--	system_u:object_r:pppd_var_run_t
+/var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t
+/var/log/ppp(/.*)?	--	system_u:object_r:pppd_log_t
+/etc/ppp/ip-down.*	--	system_u:object_r:bin_t
+/etc/ppp/ip-up.*	--	system_u:object_r:bin_t
+/etc/ppp/ipv6-up	--	system_u:object_r:bin_t
+/etc/ppp/ipv6-down	--	system_u:object_r:bin_t
+/etc/ppp/plugins/rp-pppoe\.so 	--	system_u:object_r:shlib_t
+/etc/ppp/resolv\.conf 	--   system_u:object_r:pppd_etc_rw_t
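Review bot: Subdirectories of `/etc/ppp` are not covered: the `-d` rule matches `/etc/ppp` exactly and `/etc/ppp/.*` carries `--`, so a directory such as `/etc/ppp/peers` (if the installation has one) matches neither and keeps the generic `/etc` label, and likewise `/var/log/ppp(/.*)? --` never labels the `/var/log/ppp` directory itself. The log entry should lose the `--`; for `/etc/ppp` either add a `/etc/ppp/.*	-d	system_u:object_r:pppd_etc_t` line or document that no subdirectories are expected. The `.*secrets` → `pppd_secret_t` rule is a good separation, but because `/etc/ppp/.*` makes everything else `pppd_etc_rw_t`, a comment noting that the secrets rule must stay after the catch-all so it takes precedence would protect it from reordering.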
diff --git a/strict/file_contexts/program/prelink.fc b/strict/file_contexts/program/prelink.fc
new file mode 100644
index 0000000..331e315
--- /dev/null
+++ b/strict/file_contexts/program/prelink.fc
@@ -0,0 +1,8 @@
+# prelink - prelink ELF shared libraries and binaries to speed up startup time
+/usr/sbin/prelink		--	system_u:object_r:prelink_exec_t
+ifdef(`distro_debian', `
+/usr/sbin/prelink\.bin		--	system_u:object_r:prelink_exec_t
+')
+/etc/prelink\.conf		--	system_u:object_r:etc_prelink_t
+/var/log/prelink\.log		--	system_u:object_r:prelink_log_t
+/etc/prelink\.cache		--	system_u:object_r:prelink_cache_t
diff --git a/strict/file_contexts/program/privoxy.fc b/strict/file_contexts/program/privoxy.fc
new file mode 100644
index 0000000..84427ab
--- /dev/null
+++ b/strict/file_contexts/program/privoxy.fc
@@ -0,0 +1,3 @@
+# privoxy
+/usr/sbin/privoxy	--	system_u:object_r:privoxy_exec_t
+/var/log/privoxy(/.*)?		system_u:object_r:privoxy_log_t
diff --git a/strict/file_contexts/program/procmail.fc b/strict/file_contexts/program/procmail.fc
new file mode 100644
index 0000000..543602d
--- /dev/null
+++ b/strict/file_contexts/program/procmail.fc
@@ -0,0 +1,2 @@
+# procmail
+/usr/bin/procmail	--	system_u:object_r:procmail_exec_t
diff --git a/strict/file_contexts/program/pump.fc b/strict/file_contexts/program/pump.fc
new file mode 100644
index 0000000..e69de29
diff --git a/strict/file_contexts/program/pxe.fc b/strict/file_contexts/program/pxe.fc
new file mode 100644
index 0000000..165076a
--- /dev/null
+++ b/strict/file_contexts/program/pxe.fc
@@ -0,0 +1,5 @@
+# pxe network boot server
+/usr/sbin/pxe		--	system_u:object_r:pxe_exec_t
+/var/log/pxe\.log	--	system_u:object_r:pxe_log_t
+/var/run/pxe\.pid	--	system_u:object_r:pxe_var_run_t
+
diff --git a/strict/file_contexts/program/qmail.fc b/strict/file_contexts/program/qmail.fc
new file mode 100644
index 0000000..510f077
--- /dev/null
+++ b/strict/file_contexts/program/qmail.fc
@@ -0,0 +1,38 @@
+# qmail - Debian locations
+/etc/qmail(/.*)?		system_u:object_r:qmail_etc_t
+/var/qmail(/.*)?		system_u:object_r:qmail_etc_t
+/var/spool/qmail(/.*)?		system_u:object_r:qmail_spool_t
+/usr/sbin/qmail-start	--	system_u:object_r:qmail_start_exec_t
+/usr/sbin/qmail-lspawn	--	system_u:object_r:qmail_lspawn_exec_t
+/usr/bin/tcp-env	--	system_u:object_r:qmail_tcp_env_exec_t
+/usr/sbin/qmail-inject	--	system_u:object_r:qmail_inject_exec_t
+/usr/sbin/qmail-smtpd	--	system_u:object_r:qmail_smtpd_exec_t
+/usr/sbin/qmail-queue	--	system_u:object_r:qmail_queue_exec_t
+/usr/sbin/qmail-local	--	system_u:object_r:qmail_local_exec_t
+/usr/sbin/qmail-clean	--	system_u:object_r:qmail_clean_exec_t
+/usr/sbin/qmail-send	--	system_u:object_r:qmail_send_exec_t
+/usr/sbin/qmail-rspawn	--	system_u:object_r:qmail_rspawn_exec_t
+/usr/sbin/qmail-remote	--	system_u:object_r:qmail_remote_exec_t
+/usr/sbin/qmail-qread	--	system_u:object_r:qmail_qread_exec_t
+/usr/sbin/splogger	--	system_u:object_r:qmail_splogger_exec_t
+/usr/sbin/qmail-getpw	--	system_u:object_r:qmail_exec_t
+/usr/local/bin/serialmail/.* -- system_u:object_r:qmail_serialmail_exec_t
+# qmail - djb's locations
+/var/qmail/control(/.*)?	system_u:object_r:qmail_etc_t
+/var/qmail/bin		-d	system_u:object_r:bin_t
+/var/qmail/queue(/.*)?		system_u:object_r:qmail_spool_t
+/var/qmail/bin/qmail-lspawn --	system_u:object_r:qmail_lspawn_exec_t
+/var/qmail/bin/tcp-env	--	system_u:object_r:qmail_tcp_env_exec_t
+/var/qmail/bin/qmail-inject --	system_u:object_r:qmail_inject_exec_t
+/var/qmail/bin/qmail-smtpd --	system_u:object_r:qmail_smtpd_exec_t
+/var/qmail/bin/qmail-queue --	system_u:object_r:qmail_queue_exec_t
+/var/qmail/bin/qmail-local --	system_u:object_r:qmail_local_exec_t
+/var/qmail/bin/qmail-clean --	system_u:object_r:qmail_clean_exec_t
+/var/qmail/bin/qmail-send --	system_u:object_r:qmail_send_exec_t
+/var/qmail/bin/qmail-rspawn --	system_u:object_r:qmail_rspawn_exec_t
+/var/qmail/bin/qmail-remote --	system_u:object_r:qmail_remote_exec_t
+/var/qmail/bin/qmail-qread --	system_u:object_r:qmail_qread_exec_t
+/var/qmail/bin/qmail-start --	system_u:object_r:qmail_start_exec_t
+/var/qmail/rc		--	system_u:object_r:bin_t
+/var/qmail/bin/splogger --	system_u:object_r:qmail_splogger_exec_t
+/var/qmail/bin/qmail-getpw --	system_u:object_r:qmail_exec_t
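Review bot: In the djb layout the catch-all `/var/qmail(/.*)?` gives everything `qmail_etc_t`, and the only override for the binary directory is `/var/qmail/bin -d bin_t`, which labels the directory alone; any executable in `/var/qmail/bin` that is not listed individually (e.g. the qmail-pop3d/qmail-qstat style helpers, if installed) ends up as a config type and will not be executable by the qmail domains. Add a file rule for the directory contents, `/var/qmail/bin/.*	--	system_u:object_r:bin_t`, after the `-d` line and before the per-program `*_exec_t` entries so those still win. The `/var/qmail/control(/.*)?` line duplicates what the catch-all already assigns and can be dropped or kept as documentation.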
diff --git a/strict/file_contexts/program/quota.fc b/strict/file_contexts/program/quota.fc
new file mode 100644
index 0000000..f91f1a4
--- /dev/null
+++ b/strict/file_contexts/program/quota.fc
@@ -0,0 +1,10 @@
+# quota system
+/var/lib/quota(/.*)?		system_u:object_r:quota_flag_t
+/sbin/quota(check|on)	--	system_u:object_r:quota_exec_t
+ifdef(`distro_redhat', `
+/usr/sbin/convertquota	--	system_u:object_r:quota_exec_t
+', `
+/sbin/convertquota	--	system_u:object_r:quota_exec_t
+')
+HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t
+/var/a?quota\.(user|group) -- system_u:object_r:quota_db_t
diff --git a/strict/file_contexts/program/radius.fc b/strict/file_contexts/program/radius.fc
new file mode 100644
index 0000000..bd25d6d
--- /dev/null
+++ b/strict/file_contexts/program/radius.fc
@@ -0,0 +1,15 @@
+# radius
+/etc/raddb(/.*)?                system_u:object_r:radiusd_etc_t
+/usr/sbin/radiusd	--	system_u:object_r:radiusd_exec_t
+/usr/sbin/freeradius	--	system_u:object_r:radiusd_exec_t
+/var/log/radiusd-freeradius(/.*)?       system_u:object_r:radiusd_log_t
+/var/log/radius\.log.*	--	system_u:object_r:radiusd_log_t
+/var/log/radius(/.*)?		system_u:object_r:radiusd_log_t
+/var/log/freeradius(/.*)?	system_u:object_r:radiusd_log_t
+/var/log/radacct(/.*)?		system_u:object_r:radiusd_log_t
+/var/log/radutmp	--	system_u:object_r:radiusd_log_t
+/var/log/radwtmp.*	--	system_u:object_r:radiusd_log_t
+/etc/cron\.(daily|monthly)/radiusd -- system_u:object_r:radiusd_exec_t
+/etc/cron\.(daily|weekly|monthly)/freeradius -- system_u:object_r:radiusd_exec_t
+/var/run/radiusd\.pid	--	system_u:object_r:radiusd_var_run_t
+/var/run/radiusd(/.*)?		system_u:object_r:radiusd_var_run_t
diff --git a/strict/file_contexts/program/radvd.fc b/strict/file_contexts/program/radvd.fc
new file mode 100644
index 0000000..fc8ddcf
--- /dev/null
+++ b/strict/file_contexts/program/radvd.fc
@@ -0,0 +1,4 @@
+# radvd
+/etc/radvd\.conf	--	system_u:object_r:radvd_etc_t
+/usr/sbin/radvd		--	system_u:object_r:radvd_exec_t
+/var/run/radvd\.pid	--	system_u:object_r:radvd_var_run_t
diff --git a/strict/file_contexts/program/resmgrd.fc b/strict/file_contexts/program/resmgrd.fc
new file mode 100644
index 0000000..bee4680
--- /dev/null
+++ b/strict/file_contexts/program/resmgrd.fc
@@ -0,0 +1,6 @@
+# resmgrd
+/sbin/resmgrd		--	system_u:object_r:resmgrd_exec_t
+/etc/resmgr\.conf	--	system_u:object_r:resmgrd_etc_t
+/var/run/resmgr\.pid	--	system_u:object_r:resmgrd_var_run_t
+/var/run/\.resmgr_socket	-s	system_u:object_r:resmgrd_var_run_t
+
diff --git a/strict/file_contexts/program/restorecon.fc b/strict/file_contexts/program/restorecon.fc
new file mode 100644
index 0000000..6509a11
--- /dev/null
+++ b/strict/file_contexts/program/restorecon.fc
@@ -0,0 +1,2 @@
+# restorecon
+/sbin/restorecon	--	system_u:object_r:restorecon_exec_t
diff --git a/strict/file_contexts/program/rhgb.fc b/strict/file_contexts/program/rhgb.fc
new file mode 100644
index 0000000..5f7e63e
--- /dev/null
+++ b/strict/file_contexts/program/rhgb.fc
@@ -0,0 +1,2 @@
+/usr/bin/rhgb		--	system_u:object_r:rhgb_exec_t
+/etc/rhgb(/.*)?		-d	system_u:object_r:mnt_t
diff --git a/strict/file_contexts/program/rlogind.fc b/strict/file_contexts/program/rlogind.fc
new file mode 100644
index 0000000..bc73319
--- /dev/null
+++ b/strict/file_contexts/program/rlogind.fc
@@ -0,0 +1,4 @@
+# rlogind and telnetd
+/usr/sbin/in\.rlogind	--	system_u:object_r:rlogind_exec_t
+/usr/lib(64)?/telnetlogin	--	system_u:object_r:rlogind_exec_t
+/usr/kerberos/sbin/klogind --	system_u:object_r:rlogind_exec_t
diff --git a/strict/file_contexts/program/rpcd.fc b/strict/file_contexts/program/rpcd.fc
new file mode 100644
index 0000000..7608974
--- /dev/null
+++ b/strict/file_contexts/program/rpcd.fc
@@ -0,0 +1,11 @@
+# RPC daemons
+/sbin/rpc\..*		--	system_u:object_r:rpcd_exec_t
+/usr/sbin/rpc\..*	--	system_u:object_r:rpcd_exec_t
+/usr/sbin/rpc\.nfsd	--	system_u:object_r:nfsd_exec_t
+/usr/sbin/exportfs	--	system_u:object_r:nfsd_exec_t
+/usr/sbin/rpc\.gssd	--	system_u:object_r:gssd_exec_t
+/usr/sbin/rpc\.svcgssd	--	system_u:object_r:gssd_exec_t
+/usr/sbin/rpc\.mountd	--	system_u:object_r:nfsd_exec_t
+/var/run/rpc\.statd\.pid	--	system_u:object_r:rpcd_var_run_t
+/var/run/rpc\.statd(/.*)?	system_u:object_r:rpcd_var_run_t
+/etc/exports		--	system_u:object_r:exports_t
diff --git a/strict/file_contexts/program/rpm.fc b/strict/file_contexts/program/rpm.fc
new file mode 100644
index 0000000..7d60837
--- /dev/null
+++ b/strict/file_contexts/program/rpm.fc
@@ -0,0 +1,25 @@
+# rpm
+/var/lib/rpm(/.*)?		system_u:object_r:rpm_var_lib_t
+/var/lib/alternatives(/.*)?	system_u:object_r:rpm_var_lib_t
+/bin/rpm 		--	system_u:object_r:rpm_exec_t
+/usr/bin/yum 		--	system_u:object_r:rpm_exec_t
+/usr/bin/apt-get 	--	system_u:object_r:rpm_exec_t
+/usr/bin/apt-shell    	-- 	system_u:object_r:rpm_exec_t
+/usr/bin/synaptic   --    	system_u:object_r:rpm_exec_t 
+/usr/lib(64)?/rpm/rpmd	-- 	system_u:object_r:bin_t
+/usr/lib(64)?/rpm/rpmq	-- 	system_u:object_r:bin_t
+/usr/lib(64)?/rpm/rpmk	-- 	system_u:object_r:bin_t
+/usr/lib(64)?/rpm/rpmv	-- 	system_u:object_r:bin_t
+/var/log/rpmpkgs.*	--	system_u:object_r:rpm_log_t
+/var/log/yum\.log	--	system_u:object_r:rpm_log_t
+ifdef(`distro_redhat', `
+/usr/sbin/up2date	--	system_u:object_r:rpm_exec_t
+/usr/sbin/rhn_check	--	system_u:object_r:rpm_exec_t
+')
+# SuSE
+ifdef(`distro_suse', `
+/usr/bin/online_update		--	system_u:object_r:rpm_exec_t
+/sbin/yast2			--	system_u:object_r:rpm_exec_t
+/var/lib/YaST2(/.*)?			system_u:object_r:rpm_var_lib_t
+/var/log/YaST2(/.*)?			system_u:object_r:rpm_log_t
+')
diff --git a/strict/file_contexts/program/rshd.fc b/strict/file_contexts/program/rshd.fc
new file mode 100644
index 0000000..7f3be6d
--- /dev/null
+++ b/strict/file_contexts/program/rshd.fc
@@ -0,0 +1,3 @@
+# rshd.
+/usr/sbin/in\.rshd	--	system_u:object_r:rshd_exec_t
+/usr/kerberos/sbin/kshd	--	system_u:object_r:rshd_exec_t
diff --git a/strict/file_contexts/program/rssh.fc b/strict/file_contexts/program/rssh.fc
new file mode 100644
index 0000000..16ec3a3
--- /dev/null
+++ b/strict/file_contexts/program/rssh.fc
@@ -0,0 +1,2 @@
+# rssh
+/usr/bin/rssh		--	system_u:object_r:rssh_exec_t
diff --git a/strict/file_contexts/program/rsync.fc b/strict/file_contexts/program/rsync.fc
new file mode 100644
index 0000000..f4539f1
--- /dev/null
+++ b/strict/file_contexts/program/rsync.fc
@@ -0,0 +1,2 @@
+# rsync program
+/usr/bin/rsync	--	system_u:object_r:rsync_exec_t
diff --git a/strict/file_contexts/program/samba.fc b/strict/file_contexts/program/samba.fc
new file mode 100644
index 0000000..b8a9439
--- /dev/null
+++ b/strict/file_contexts/program/samba.fc
@@ -0,0 +1,25 @@
+# samba scripts
+/usr/sbin/smbd		--	system_u:object_r:smbd_exec_t
+/usr/sbin/nmbd		--	system_u:object_r:nmbd_exec_t
+/etc/samba(/.*)?		system_u:object_r:samba_etc_t
+/var/log/samba(/.*)?		system_u:object_r:samba_log_t
+/var/cache/samba(/.*)?		system_u:object_r:samba_var_t
+/var/lib/samba(/.*)?		system_u:object_r:samba_var_t
+/etc/samba/secrets\.tdb	--	system_u:object_r:samba_secrets_t
+/etc/samba/MACHINE\.SID	--	system_u:object_r:samba_secrets_t
+# samba really wants write access to smbpasswd
+/etc/samba/smbpasswd	--	system_u:object_r:samba_secrets_t
+/var/run/samba/locking\.tdb --	system_u:object_r:smbd_var_run_t
+/var/run/samba/connections\.tdb -- system_u:object_r:smbd_var_run_t
+/var/run/samba/sessionid\.tdb -- system_u:object_r:smbd_var_run_t
+/var/run/samba/brlock\.tdb --	system_u:object_r:smbd_var_run_t
+/var/run/samba/namelist\.debug -- system_u:object_r:nmbd_var_run_t
+/var/run/samba/messages\.tdb --	system_u:object_r:nmbd_var_run_t
+/var/run/samba/unexpected\.tdb -- system_u:object_r:nmbd_var_run_t
+/var/run/samba/smbd\.pid --	system_u:object_r:smbd_var_run_t
+/var/run/samba/nmbd\.pid --	system_u:object_r:nmbd_var_run_t
+/var/spool/samba(/.*)?		system_u:object_r:samba_var_t
+ifdef(`mount.te', `
+/usr/bin/smbmount	--	system_u:object_r:smbmount_exec_t
+/usr/bin/smbmnt		--	system_u:object_r:smbmount_exec_t
+')
diff --git a/strict/file_contexts/program/saslauthd.fc b/strict/file_contexts/program/saslauthd.fc
new file mode 100644
index 0000000..7b2460e
--- /dev/null
+++ b/strict/file_contexts/program/saslauthd.fc
@@ -0,0 +1,3 @@
+# saslauthd 
+/usr/sbin/saslauthd		--	system_u:object_r:saslauthd_exec_t
+/var/run/saslauthd(/.*)?		system_u:object_r:saslauthd_var_run_t
diff --git a/strict/file_contexts/program/scannerdaemon.fc b/strict/file_contexts/program/scannerdaemon.fc
new file mode 100644
index 0000000..a43bf87
--- /dev/null
+++ b/strict/file_contexts/program/scannerdaemon.fc
@@ -0,0 +1,4 @@
+# scannerdaemon
+/usr/sbin/scannerdaemon		--	system_u:object_r:scannerdaemon_exec_t
+/etc/scannerdaemon/scannerdaemon\.conf -- system_u:object_r:scannerdaemon_etc_t
+/var/log/scannerdaemon\.log 	--	system_u:object_r:scannerdaemon_log_t
diff --git a/strict/file_contexts/program/screen.fc b/strict/file_contexts/program/screen.fc
new file mode 100644
index 0000000..f1afcf0
--- /dev/null
+++ b/strict/file_contexts/program/screen.fc
@@ -0,0 +1,5 @@
+# screen
+/usr/bin/screen		--	system_u:object_r:screen_exec_t
+HOME_DIR/\.screenrc	--	system_u:object_r:ROLE_screen_ro_home_t
+/var/run/screen/S-[^/]+	-d	system_u:object_r:screen_dir_t
+/var/run/screen/S-[^/]+/.*	<<none>>
diff --git a/strict/file_contexts/program/sendmail.fc b/strict/file_contexts/program/sendmail.fc
new file mode 100644
index 0000000..0fce2ef
--- /dev/null
+++ b/strict/file_contexts/program/sendmail.fc
@@ -0,0 +1,6 @@
+# sendmail
+/etc/mail(/.*)?				system_u:object_r:etc_mail_t
+/var/log/sendmail\.st		--	system_u:object_r:sendmail_log_t
+/var/log/mail(/.*)?			system_u:object_r:sendmail_log_t
+/var/run/sendmail\.pid		--	system_u:object_r:sendmail_var_run_t
+/var/run/sm-client\.pid		--	system_u:object_r:sendmail_var_run_t
diff --git a/strict/file_contexts/program/setfiles.fc b/strict/file_contexts/program/setfiles.fc
new file mode 100644
index 0000000..c247763
--- /dev/null
+++ b/strict/file_contexts/program/setfiles.fc
@@ -0,0 +1,3 @@
+# setfiles
+/usr/sbin/setfiles.*	--	system_u:object_r:setfiles_exec_t
+
diff --git a/strict/file_contexts/program/seuser.fc b/strict/file_contexts/program/seuser.fc
new file mode 100644
index 0000000..0c7f71b
--- /dev/null
+++ b/strict/file_contexts/program/seuser.fc
@@ -0,0 +1,4 @@
+# seuser
+/usr/bin/seuser	--	system_u:object_r:seuser_exec_t
+/usr/apol/seuser\.conf system_u:object_r:seuser_conf_t
+
diff --git a/strict/file_contexts/program/slapd.fc b/strict/file_contexts/program/slapd.fc
new file mode 100644
index 0000000..956f441
--- /dev/null
+++ b/strict/file_contexts/program/slapd.fc
@@ -0,0 +1,7 @@
+# slapd - ldap server
+/usr/sbin/slapd		--	system_u:object_r:slapd_exec_t
+/var/lib/ldap(/.*)?		system_u:object_r:slapd_db_t
+/var/lib/ldap/replog(/.*)?	system_u:object_r:slapd_replog_t
+/var/run/slapd\.args	--	system_u:object_r:slapd_var_run_t
+/etc/ldap/slapd\.conf	--	system_u:object_r:slapd_etc_t
+/var/run/slapd\.pid	--	system_u:object_r:slapd_var_run_t
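Review bot: Only the Debian path `/etc/ldap/slapd.conf` is labeled `slapd_etc_t`; on Red Hat and SuSE derived systems the file lives under `/etc/openldap`, and this commit already distinguishes distributions with `ifdef(`distro_redhat', ...)` elsewhere, so the config stays plain `etc_t` there. Adding `/etc/openldap/slapd\.conf	--	system_u:object_r:slapd_etc_t` (conditionally or unconditionally, since the path is harmless when absent) closes that gap. Since slapd.conf typically carries the `rootpw` hash, a short comment that `slapd_etc_t` is meant to be readable by slapd_t only would document why it is not left as `etc_t`.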
diff --git a/strict/file_contexts/program/slocate.fc b/strict/file_contexts/program/slocate.fc
new file mode 100644
index 0000000..85ea5a4
--- /dev/null
+++ b/strict/file_contexts/program/slocate.fc
@@ -0,0 +1,4 @@
+# locate - file locater
+/usr/bin/slocate		--	system_u:object_r:locate_exec_t
+/var/lib/slocate(/.*)?			system_u:object_r:var_lib_locate_t
+/etc/updatedb\.conf		--	system_u:object_r:locate_etc_t
diff --git a/strict/file_contexts/program/slrnpull.fc b/strict/file_contexts/program/slrnpull.fc
new file mode 100644
index 0000000..4c0d36c
--- /dev/null
+++ b/strict/file_contexts/program/slrnpull.fc
@@ -0,0 +1,3 @@
+# slrnpull
+/usr/bin/slrnpull	--	system_u:object_r:slrnpull_exec_t
+/var/spool/slrnpull(/.*)?	system_u:object_r:slrnpull_spool_t
diff --git a/strict/file_contexts/program/snmpd.fc b/strict/file_contexts/program/snmpd.fc
new file mode 100644
index 0000000..fcad862
--- /dev/null
+++ b/strict/file_contexts/program/snmpd.fc
@@ -0,0 +1,10 @@
+# snmpd
+/usr/sbin/snmp(trap)?d	--	system_u:object_r:snmpd_exec_t
+/var/lib/snmp(/.*)?		system_u:object_r:snmpd_var_lib_t
+/var/lib/net-snmp(/.*)?	system_u:object_r:snmpd_var_lib_t
+/etc/snmp/snmp(trap)?d\.conf -- system_u:object_r:snmpd_etc_t
+/usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t
+/var/run/snmpd\.pid	--	system_u:object_r:snmpd_var_run_t
+/var/run/snmpd		-d	system_u:object_r:snmpd_var_run_t
+/var/net-snmp(/.*)		system_u:object_r:snmpd_var_lib_t
+/var/log/snmpd\.log	--	system_u:object_r:snmpd_log_t
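Review bot: `/var/net-snmp(/.*)` is missing the trailing `?`, so the directory `/var/net-snmp` itself never matches and only its children become `snmpd_var_lib_t`; every other tree entry in this file uses `(/.*)?`, so this reads as a typo: `/var/net-snmp(/.*)?		system_u:object_r:snmpd_var_lib_t`. The `/var/run/snmpd -d` entry labels only the directory; if snmpd creates files in it, their type will come from the domain's file transitions rather than from this file, which may be intended but is worth a comment.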
diff --git a/strict/file_contexts/program/snort.fc b/strict/file_contexts/program/snort.fc
new file mode 100644
index 0000000..a40670c
--- /dev/null
+++ b/strict/file_contexts/program/snort.fc
@@ -0,0 +1,4 @@
+# SNORT
+/usr/(s)?bin/snort --	system_u:object_r:snort_exec_t
+/etc/snort(/.*)?	system_u:object_r:snort_etc_t
+/var/log/snort(/.*)?	system_u:object_r:snort_log_t
diff --git a/strict/file_contexts/program/sound-server.fc b/strict/file_contexts/program/sound-server.fc
new file mode 100644
index 0000000..dfa8245
--- /dev/null
+++ b/strict/file_contexts/program/sound-server.fc
@@ -0,0 +1,8 @@
+# sound servers, nas, yiff, etc
+/usr/sbin/yiff		--	system_u:object_r:soundd_exec_t
+/usr/bin/nasd		--	system_u:object_r:soundd_exec_t
+/usr/bin/gpe-soundserver --	system_u:object_r:soundd_exec_t
+/etc/nas(/.*)?			system_u:object_r:etc_soundd_t
+/etc/yiff(/.*)?			system_u:object_r:etc_soundd_t
+/var/state/yiff(/.*)?		system_u:object_r:soundd_state_t
+/var/run/yiff-[0-9]+\.pid --	system_u:object_r:soundd_var_run_t
diff --git a/strict/file_contexts/program/sound.fc b/strict/file_contexts/program/sound.fc
new file mode 100644
index 0000000..5e6b0d1
--- /dev/null
+++ b/strict/file_contexts/program/sound.fc
@@ -0,0 +1,3 @@
+# sound
+/bin/aumix-minimal	--	system_u:object_r:sound_exec_t
+/etc/\.aumixrc		--	system_u:object_r:sound_file_t
diff --git a/strict/file_contexts/program/spamassassin.fc b/strict/file_contexts/program/spamassassin.fc
new file mode 100644
index 0000000..a85b8b1
--- /dev/null
+++ b/strict/file_contexts/program/spamassassin.fc
@@ -0,0 +1,3 @@
+# spamassasin
+/usr/bin/spamassassin	--	system_u:object_r:spamassassin_exec_t
+HOME_DIR/\.spamassassin(/.*)?	system_u:object_r:ROLE_spamassassin_home_t
diff --git a/strict/file_contexts/program/spamc.fc b/strict/file_contexts/program/spamc.fc
new file mode 100644
index 0000000..bf5d033
--- /dev/null
+++ b/strict/file_contexts/program/spamc.fc
@@ -0,0 +1 @@
+/usr/bin/spamc	--	system_u:object_r:spamc_exec_t
diff --git a/strict/file_contexts/program/spamd.fc b/strict/file_contexts/program/spamd.fc
new file mode 100644
index 0000000..c2f6ee6
--- /dev/null
+++ b/strict/file_contexts/program/spamd.fc
@@ -0,0 +1,3 @@
+/usr/sbin/spamd		--	system_u:object_r:spamd_exec_t
+/usr/bin/spamd		--	system_u:object_r:spamd_exec_t
+/usr/bin/sa-learn	--	system_u:object_r:spamd_exec_t
diff --git a/strict/file_contexts/program/speedmgmt.fc b/strict/file_contexts/program/speedmgmt.fc
new file mode 100644
index 0000000..486906e
--- /dev/null
+++ b/strict/file_contexts/program/speedmgmt.fc
@@ -0,0 +1,2 @@
+# speedmgmt
+/usr/sbin/speedmgmt	--	system_u:object_r:speedmgmt_exec_t
diff --git a/strict/file_contexts/program/squid.fc b/strict/file_contexts/program/squid.fc
new file mode 100644
index 0000000..36fb201
--- /dev/null
+++ b/strict/file_contexts/program/squid.fc
@@ -0,0 +1,8 @@
+# squid
+/usr/sbin/squid		--	system_u:object_r:squid_exec_t
+/var/cache/squid(/.*)?		system_u:object_r:squid_cache_t
+/var/spool/squid(/.*)?		system_u:object_r:squid_cache_t
+/var/log/squid(/.*)?		system_u:object_r:squid_log_t
+/etc/squid(/.*)?		system_u:object_r:squid_conf_t
+/var/run/squid\.pid	--	system_u:object_r:squid_var_run_t
+/usr/share/squid(/.*)?		system_u:object_r:squid_conf_t
diff --git a/strict/file_contexts/program/ssh-agent.fc b/strict/file_contexts/program/ssh-agent.fc
new file mode 100644
index 0000000..512eb47
--- /dev/null
+++ b/strict/file_contexts/program/ssh-agent.fc
@@ -0,0 +1,2 @@
+# ssh-agent
+/usr/bin/ssh-agent	--	system_u:object_r:ssh_agent_exec_t
diff --git a/strict/file_contexts/program/ssh.fc b/strict/file_contexts/program/ssh.fc
new file mode 100644
index 0000000..078f8ef
--- /dev/null
+++ b/strict/file_contexts/program/ssh.fc
@@ -0,0 +1,20 @@
+# ssh
+/usr/bin/ssh		--	system_u:object_r:ssh_exec_t
+/usr/bin/ssh-keygen	--	system_u:object_r:ssh_keygen_exec_t
+# sshd
+/etc/ssh/primes		--	system_u:object_r:sshd_key_t
+/etc/ssh/ssh_host_key 	--	system_u:object_r:sshd_key_t
+/etc/ssh/ssh_host_dsa_key --	system_u:object_r:sshd_key_t
+/etc/ssh/ssh_host_rsa_key --	system_u:object_r:sshd_key_t
+/usr/sbin/sshd	        --	system_u:object_r:sshd_exec_t
+/var/run/sshd\.init\.pid	--	system_u:object_r:sshd_var_run_t
+# subsystems
+/usr/lib(64)?/misc/sftp-server --	system_u:object_r:bin_t
+/usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t
+/usr/lib(64)?/sftp-server	--	system_u:object_r:bin_t
+ifdef(`distro_suse', `
+/usr/lib(64)?/ssh/.*	--	system_u:object_r:bin_t
+')
+ifdef(`targeted_policy', `', `
+HOME_DIR/\.ssh(/.*)?		system_u:object_r:ROLE_home_ssh_t
+')
diff --git a/strict/file_contexts/program/stunnel.fc b/strict/file_contexts/program/stunnel.fc
new file mode 100644
index 0000000..b48384a
--- /dev/null
+++ b/strict/file_contexts/program/stunnel.fc
@@ -0,0 +1,3 @@
+/usr/sbin/stunnel	--	system_u:object_r:stunnel_exec_t
+/etc/stunnel(/.*)?          	system_u:object_r:stunnel_etc_t
+/var/run/stunnel(/.*)?		system_u:object_r:stunnel_var_run_t
diff --git a/strict/file_contexts/program/su.fc b/strict/file_contexts/program/su.fc
new file mode 100644
index 0000000..1413dfe
--- /dev/null
+++ b/strict/file_contexts/program/su.fc
@@ -0,0 +1,2 @@
+# su
+/bin/su			--	system_u:object_r:su_exec_t
diff --git a/strict/file_contexts/program/sudo.fc b/strict/file_contexts/program/sudo.fc
new file mode 100644
index 0000000..3eed3ff
--- /dev/null
+++ b/strict/file_contexts/program/sudo.fc
@@ -0,0 +1,2 @@
+# sudo
+/usr/bin/sudo		--	system_u:object_r:sudo_exec_t
diff --git a/strict/file_contexts/program/sulogin.fc b/strict/file_contexts/program/sulogin.fc
new file mode 100644
index 0000000..eb719dc
--- /dev/null
+++ b/strict/file_contexts/program/sulogin.fc
@@ -0,0 +1,2 @@
+# sulogin
+/sbin/sulogin		--	system_u:object_r:sulogin_exec_t
diff --git a/strict/file_contexts/program/swat.fc b/strict/file_contexts/program/swat.fc
new file mode 100644
index 0000000..721c229
--- /dev/null
+++ b/strict/file_contexts/program/swat.fc
@@ -0,0 +1,2 @@
+# samba management tool
+/usr/sbin/swat	--	system_u:object_r:swat_exec_t
diff --git a/strict/file_contexts/program/sxid.fc b/strict/file_contexts/program/sxid.fc
new file mode 100644
index 0000000..e9126bc
--- /dev/null
+++ b/strict/file_contexts/program/sxid.fc
@@ -0,0 +1,6 @@
+# sxid - ldap server
+/usr/bin/sxid		--	system_u:object_r:sxid_exec_t
+/var/log/sxid\.log.*	--	system_u:object_r:sxid_log_t
+/var/log/setuid\.today.* --	system_u:object_r:sxid_log_t
+/usr/sbin/checksecurity\.se --	system_u:object_r:sxid_exec_t
+/var/log/setuid.*	--	system_u:object_r:sxid_log_t
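Review bot: The header comment `# sxid - ldap server` does not describe what the entries below label: `sxid.log` and `setuid.today` are the output of a setuid/setgid file scan, not an LDAP service, so a reader grepping for the LDAP policy will be misled; suggest `# sxid - suid/sgid file change monitor`. Separately, `/var/log/setuid.*` on the last line already matches everything `/var/log/setuid\.today.*` two lines above matches, so one of the two is redundant.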
diff --git a/strict/file_contexts/program/syslogd.fc b/strict/file_contexts/program/syslogd.fc
new file mode 100644
index 0000000..7a01720
--- /dev/null
+++ b/strict/file_contexts/program/syslogd.fc
@@ -0,0 +1,11 @@
+# syslogd
+/sbin/syslogd		--	system_u:object_r:syslogd_exec_t
+/sbin/minilogd		--	system_u:object_r:syslogd_exec_t
+/usr/sbin/syslogd	--	system_u:object_r:syslogd_exec_t
+/sbin/syslog-ng		--	system_u:object_r:syslogd_exec_t
+/dev/log		-s	system_u:object_r:devlog_t
+/var/run/log		-s	system_u:object_r:devlog_t
+ifdef(`distro_suse', `
+/var/lib/stunnel/dev/log	-s	system_u:object_r:devlog_t
+')
+/var/run/syslogd\.pid	--	system_u:object_r:syslogd_var_run_t
diff --git a/strict/file_contexts/program/sysstat.fc b/strict/file_contexts/program/sysstat.fc
new file mode 100644
index 0000000..2637b68
--- /dev/null
+++ b/strict/file_contexts/program/sysstat.fc
@@ -0,0 +1,7 @@
+# sysstat and other sar programs
+/usr/lib(64)?/atsar/atsa.*	--	system_u:object_r:sysstat_exec_t
+/usr/lib(64)?/sysstat/sa.*	--	system_u:object_r:sysstat_exec_t
+/usr/lib(64)?/sa/sadc	--	system_u:object_r:sysstat_exec_t
+/var/log/atsar(/.*)?		system_u:object_r:sysstat_log_t
+/var/log/sysstat(/.*)?		system_u:object_r:sysstat_log_t
+/var/log/sa(/.*)?		system_u:object_r:sysstat_log_t
diff --git a/strict/file_contexts/program/tcpd.fc b/strict/file_contexts/program/tcpd.fc
new file mode 100644
index 0000000..2e84aa8
--- /dev/null
+++ b/strict/file_contexts/program/tcpd.fc
@@ -0,0 +1,2 @@
+# tcpd
+/usr/sbin/tcpd		--	system_u:object_r:tcpd_exec_t
diff --git a/strict/file_contexts/program/telnetd.fc b/strict/file_contexts/program/telnetd.fc
new file mode 100644
index 0000000..6b998d1
--- /dev/null
+++ b/strict/file_contexts/program/telnetd.fc
@@ -0,0 +1,3 @@
+# telnetd
+/usr/sbin/in\.telnetd	--	system_u:object_r:telnetd_exec_t
+/usr/kerberos/sbin/telnetd --	system_u:object_r:telnetd_exec_t
diff --git a/strict/file_contexts/program/tftpd.fc b/strict/file_contexts/program/tftpd.fc
new file mode 100644
index 0000000..f8bf244
--- /dev/null
+++ b/strict/file_contexts/program/tftpd.fc
@@ -0,0 +1,4 @@
+# tftpd
+/usr/sbin/in\.tftpd	--	system_u:object_r:tftpd_exec_t
+/usr/sbin/atftpd	--	system_u:object_r:tftpd_exec_t
+/tftpboot(/.*)?			system_u:object_r:tftpdir_t
diff --git a/strict/file_contexts/program/timidity.fc b/strict/file_contexts/program/timidity.fc
new file mode 100644
index 0000000..2b44dce
--- /dev/null
+++ b/strict/file_contexts/program/timidity.fc
@@ -0,0 +1,2 @@
+# timidity
+/usr/bin/timidity	--	system_u:object_r:timidity_exec_t
diff --git a/strict/file_contexts/program/tinydns.fc b/strict/file_contexts/program/tinydns.fc
new file mode 100644
index 0000000..10ea1a3
--- /dev/null
+++ b/strict/file_contexts/program/tinydns.fc
@@ -0,0 +1,6 @@
+# tinydns
+/etc/tinydns(/.*)?		system_u:object_r:tinydns_conf_t
+/etc/tinydns/root/data* --      system_u:object_r:tinydns_zone_t
+/usr/bin/tinydns*	--	system_u:object_r:tinydns_exec_t
+#/var/log/dns/tinydns(/.*)	system_u:object_r:tinydns_log_t
+#/var/lib/svscan(/.*)		system_u:object_r:tinydns_svscan_t
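Review bot: The `*` in `/etc/tinydns/root/data*` and `/usr/bin/tinydns*` is a regex quantifier on the preceding character, not a shell glob, so with the implicit anchors `/usr/bin/tinydns*` matches only `tinydn`, `tinydns`, `tinydnss`, … and never helper programs such as `tinydns-data`, and `data*` never matches `data.cdb`. If a prefix match is intended the lines should be `/etc/tinydns/root/data.* --      system_u:object_r:tinydns_zone_t` and `/usr/bin/tinydns.*	--	system_u:object_r:tinydns_exec_t`.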
diff --git a/strict/file_contexts/program/tmpreaper.fc b/strict/file_contexts/program/tmpreaper.fc
new file mode 100644
index 0000000..d8ed96e
--- /dev/null
+++ b/strict/file_contexts/program/tmpreaper.fc
@@ -0,0 +1,3 @@
+# tmpreaper or tmpwatch
+/usr/sbin/tmpreaper	--	system_u:object_r:tmpreaper_exec_t
+/usr/sbin/tmpwatch	--	system_u:object_r:tmpreaper_exec_t
diff --git a/strict/file_contexts/program/traceroute.fc b/strict/file_contexts/program/traceroute.fc
new file mode 100644
index 0000000..6a8b259
--- /dev/null
+++ b/strict/file_contexts/program/traceroute.fc
@@ -0,0 +1,5 @@
+# traceroute
+/bin/traceroute.*	--	system_u:object_r:traceroute_exec_t
+/usr/(s)?bin/traceroute.* --	system_u:object_r:traceroute_exec_t
+/usr/bin/lft		--	system_u:object_r:traceroute_exec_t
+/usr/bin/nmap		--	system_u:object_r:traceroute_exec_t
diff --git a/strict/file_contexts/program/transproxy.fc b/strict/file_contexts/program/transproxy.fc
new file mode 100644
index 0000000..2027eea
--- /dev/null
+++ b/strict/file_contexts/program/transproxy.fc
@@ -0,0 +1,3 @@
+# transproxy - http transperant proxy
+/usr/sbin/tproxy	--	system_u:object_r:transproxy_exec_t
+/var/run/tproxy\.pid	--	system_u:object_r:transproxy_var_run_t
diff --git a/strict/file_contexts/program/tvtime.fc b/strict/file_contexts/program/tvtime.fc
new file mode 100644
index 0000000..0969e96
--- /dev/null
+++ b/strict/file_contexts/program/tvtime.fc
@@ -0,0 +1,3 @@
+# tvtime
+/usr/bin/tvtime		--	system_u:object_r:tvtime_exec_t
+
diff --git a/strict/file_contexts/program/udev.fc b/strict/file_contexts/program/udev.fc
new file mode 100644
index 0000000..40f1fd5
--- /dev/null
+++ b/strict/file_contexts/program/udev.fc
@@ -0,0 +1,13 @@
+# udev
+/sbin/udevsend	--	system_u:object_r:udev_exec_t
+/sbin/udev	--	system_u:object_r:udev_exec_t
+/sbin/udevd	--	system_u:object_r:udev_exec_t
+/sbin/start_udev --	system_u:object_r:udev_exec_t
+/usr/bin/udevinfo --	system_u:object_r:udev_exec_t
+/etc/dev\.d/.+	--	system_u:object_r:udev_helper_exec_t
+/etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
+/etc/udev/devices/.*    system_u:object_r:device_t
+/etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
+/dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
+/dev/\.udev\.tdb(/.*)?	--	system_u:object_r:udev_tdb_t
+/sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
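Review bot: `/dev/\.udev\.tdb(/.*)?	--` combines a directory-tree regex with the `--` regular-file restriction, so if `.udev.tdb` is a directory, as the `(/.*)?` suffix suggests, the directory itself is excluded from udev_tdb_t and only regular files beneath it are relabelled. Either drop the `--` or, if it is a single file, drop the `(/.*)?`; which layout udev uses here is not visible from the hunk.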
diff --git a/strict/file_contexts/program/uml.fc b/strict/file_contexts/program/uml.fc
new file mode 100644
index 0000000..dc1621d
--- /dev/null
+++ b/strict/file_contexts/program/uml.fc
@@ -0,0 +1,4 @@
+# User Mode Linux
+/usr/bin/uml_switch	--	system_u:object_r:uml_switch_exec_t
+/var/run/uml-utilities(/.*)?	system_u:object_r:uml_switch_var_run_t
+HOME_DIR/\.uml(/.*)?		system_u:object_r:ROLE_uml_rw_t
diff --git a/strict/file_contexts/program/uml_net.fc b/strict/file_contexts/program/uml_net.fc
new file mode 100644
index 0000000..67aa1f2
--- /dev/null
+++ b/strict/file_contexts/program/uml_net.fc
@@ -0,0 +1,3 @@
+# User Mode Linux
+# WARNING: Do not install this file on any machine that has hostile users.
+/usr/lib(64)?/uml/uml_net	--	system_u:object_r:uml_net_exec_t
diff --git a/strict/file_contexts/program/unconfined.fc b/strict/file_contexts/program/unconfined.fc
new file mode 100644
index 0000000..c3a6c12
--- /dev/null
+++ b/strict/file_contexts/program/unconfined.fc
@@ -0,0 +1,3 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv	--	system_u:object_r:unconfined_exec_t
diff --git a/strict/file_contexts/program/updfstab.fc b/strict/file_contexts/program/updfstab.fc
new file mode 100644
index 0000000..dec049f
--- /dev/null
+++ b/strict/file_contexts/program/updfstab.fc
@@ -0,0 +1,3 @@
+# updfstab
+/usr/sbin/updfstab	--	system_u:object_r:updfstab_exec_t
+/usr/sbin/fstab-sync	--	system_u:object_r:updfstab_exec_t
diff --git a/strict/file_contexts/program/uptimed.fc b/strict/file_contexts/program/uptimed.fc
new file mode 100644
index 0000000..e33489c
--- /dev/null
+++ b/strict/file_contexts/program/uptimed.fc
@@ -0,0 +1,4 @@
+# uptimed
+/etc/uptimed\.conf	--	system_u:object_r:etc_uptimed_t
+/usr/sbin/uptimed	--	system_u:object_r:uptimed_exec_t
+/var/spool/uptimed(/.*)?        system_u:object_r:uptimed_spool_t
diff --git a/strict/file_contexts/program/usbmodules.fc b/strict/file_contexts/program/usbmodules.fc
new file mode 100644
index 0000000..52e03a4
--- /dev/null
+++ b/strict/file_contexts/program/usbmodules.fc
@@ -0,0 +1,3 @@
+# usbmodules
+/usr/sbin/usbmodules	--	system_u:object_r:usbmodules_exec_t
+/sbin/usbmodules	--	system_u:object_r:usbmodules_exec_t
diff --git a/strict/file_contexts/program/useradd.fc b/strict/file_contexts/program/useradd.fc
new file mode 100644
index 0000000..b29351b
--- /dev/null
+++ b/strict/file_contexts/program/useradd.fc
@@ -0,0 +1,10 @@
+#useradd
+/usr/sbin/usermod	--	system_u:object_r:useradd_exec_t
+/usr/sbin/useradd	--	system_u:object_r:useradd_exec_t
+/usr/sbin/userdel	--	system_u:object_r:useradd_exec_t
+#groupadd
+/usr/sbin/groupmod	--	system_u:object_r:groupadd_exec_t
+/usr/sbin/groupadd	--	system_u:object_r:groupadd_exec_t
+/usr/sbin/groupdel	--	system_u:object_r:groupadd_exec_t
+/usr/bin/gpasswd	--	system_u:object_r:groupadd_exec_t
+/usr/sbin/gpasswd	--	system_u:object_r:groupadd_exec_t
diff --git a/strict/file_contexts/program/userhelper.fc b/strict/file_contexts/program/userhelper.fc
new file mode 100644
index 0000000..8623456
--- /dev/null
+++ b/strict/file_contexts/program/userhelper.fc
@@ -0,0 +1,2 @@
+/etc/security/console.apps(/.*)?	system_u:object_r:userhelper_conf_t
+/usr/sbin/userhelper		--	system_u:object_r:userhelper_exec_t
diff --git a/strict/file_contexts/program/usernetctl.fc b/strict/file_contexts/program/usernetctl.fc
new file mode 100644
index 0000000..b9ef00f
--- /dev/null
+++ b/strict/file_contexts/program/usernetctl.fc
@@ -0,0 +1,2 @@
+# usernetctl
+/usr/sbin/usernetctl --	system_u:object_r:usernetctl_exec_t
diff --git a/strict/file_contexts/program/utempter.fc b/strict/file_contexts/program/utempter.fc
new file mode 100644
index 0000000..4e6670a
--- /dev/null
+++ b/strict/file_contexts/program/utempter.fc
@@ -0,0 +1,2 @@
+# utempter
+/usr/sbin/utempter	--	system_u:object_r:utempter_exec_t
diff --git a/strict/file_contexts/program/uwimapd.fc b/strict/file_contexts/program/uwimapd.fc
new file mode 100644
index 0000000..00f9073
--- /dev/null
+++ b/strict/file_contexts/program/uwimapd.fc
@@ -0,0 +1,2 @@
+# uw-imapd and uw-imapd-ssl
+/usr/sbin/imapd		-- system_u:object_r:imapd_exec_t
diff --git a/strict/file_contexts/program/vmware.fc b/strict/file_contexts/program/vmware.fc
new file mode 100644
index 0000000..d015988
--- /dev/null
+++ b/strict/file_contexts/program/vmware.fc
@@ -0,0 +1,42 @@
+#
+# File contexts for VMWare.
+# Contributed by Mark Westerman (mark.westerman at westcam.com)
+# Changes made by NAI Labs.
+# Tested with VMWare 3.1
+#
+/usr/bin/vmnet-bridge	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmnet-dhcpd	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmnet-natd	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmnet-netifup	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmnet-sniffer	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmware-nmbd	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmware-ping	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmware-smbd	--	system_u:object_r:vmware_exec_t
+/usr/bin/vmware-smbpasswd --	system_u:object_r:vmware_exec_t
+/usr/bin/vmware-smbpasswd\.bin -- system_u:object_r:vmware_exec_t
+/usr/bin/vmware-wizard	--	system_u:object_r:vmware_user_exec_t
+/usr/bin/vmware		--	system_u:object_r:vmware_user_exec_t
+
+/dev/vmmon		-c	system_u:object_r:vmware_device_t
+/dev/vmnet.*		-c	system_u:object_r:vmware_device_t
+/dev/plex86		-c	system_u:object_r:vmware_device_t
+
+/etc/vmware.*(/.*)?		system_u:object_r:vmware_sys_conf_t
+/usr/lib(64)?/vmware/config	--	system_u:object_r:vmware_sys_conf_t
+
+/usr/lib(64)?/vmware/bin/vmware-mks -- system_u:object_r:vmware_user_exec_t
+/usr/lib(64)?/vmware/bin/vmware-ui -- system_u:object_r:vmware_user_exec_t
+
+#
+# This is only an example of how to protect vmware session configuration
+# files.  A general user can execute vmware and start a vmware session
+# but the user can not modify the session configuration information
+#/usr/local/vmware(/.*)?	system_u:object_r:vmware_user_file_t
+#/usr/local/vmware/[^/]*/.*\.cfg -- system_u:object_r:vmware_user_conf_t
+
+# The rules below assume that the user VMWare virtual disks are in the
+# ~/vmware, and the preferences and license files are in ~/.vmware.
+#
+HOME_DIR/\.vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
+HOME_DIR/vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
+HOME_DIR/\.vmware[^/]*/.*\.cfg	--	system_u:object_r:ROLE_vmware_conf_t
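Review bot: The last line, `HOME_DIR/\.vmware[^/]*/.*\.cfg`, only gives ROLE_vmware_conf_t to `.cfg` files under dot-prefixed `~/.vmware*` directories, yet the comment three lines above says the virtual disks and their session configuration live under `~/vmware`, which is covered only by the broader ROLE_vmware_file_t rule. If the session `.cfg` files are meant to get the conf type, the pattern presumably should be `HOME_DIR/vmware[^/]*/.*\.cfg	--	system_u:object_r:ROLE_vmware_conf_t`; this is inferred from the comment, so confirm against the vmware policy before changing it.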
diff --git a/strict/file_contexts/program/vpnc.fc b/strict/file_contexts/program/vpnc.fc
new file mode 100644
index 0000000..497bc20
--- /dev/null
+++ b/strict/file_contexts/program/vpnc.fc
@@ -0,0 +1,3 @@
+# vpnc
+/usr/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
+/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
diff --git a/strict/file_contexts/program/watchdog.fc b/strict/file_contexts/program/watchdog.fc
new file mode 100644
index 0000000..d7a8c7f
--- /dev/null
+++ b/strict/file_contexts/program/watchdog.fc
@@ -0,0 +1,5 @@
+# watchdog
+/usr/sbin/watchdog	--	system_u:object_r:watchdog_exec_t
+/dev/watchdog		-c	system_u:object_r:watchdog_device_t
+/var/log/watchdog(/.*)?		system_u:object_r:watchdog_log_t
+/var/run/watchdog\.pid	--	system_u:object_r:watchdog_var_run_t
diff --git a/strict/file_contexts/program/webalizer.fc b/strict/file_contexts/program/webalizer.fc
new file mode 100644
index 0000000..792d600
--- /dev/null
+++ b/strict/file_contexts/program/webalizer.fc
@@ -0,0 +1 @@
+#
diff --git a/strict/file_contexts/program/winbind.fc b/strict/file_contexts/program/winbind.fc
new file mode 100644
index 0000000..adfbe8e
--- /dev/null
+++ b/strict/file_contexts/program/winbind.fc
@@ -0,0 +1,10 @@
+/usr/sbin/winbindd	--	system_u:object_r:winbind_exec_t
+/var/run/winbindd(/.*)?		system_u:object_r:winbind_var_run_t
+ifdef(`samba.te', `', `
+/var/log/samba(/.*)?		system_u:object_r:samba_log_t
+/etc/samba(/.*)?		system_u:object_r:samba_etc_t
+/etc/samba/secrets\.tdb	--	system_u:object_r:samba_secrets_t
+/etc/samba/MACHINE\.SID	--	system_u:object_r:samba_secrets_t
+/var/cache/samba(/.*)?		system_u:object_r:samba_var_t
+')
+/var/cache/samba/winbindd_privileged(/.*)?	system_u:object_r:winbind_var_run_t
diff --git a/strict/file_contexts/program/xauth.fc b/strict/file_contexts/program/xauth.fc
new file mode 100644
index 0000000..935715e
--- /dev/null
+++ b/strict/file_contexts/program/xauth.fc
@@ -0,0 +1,3 @@
+# xauth
+/usr/X11R6/bin/xauth	--	system_u:object_r:xauth_exec_t
+HOME_DIR/\.Xauthority.* --	system_u:object_r:ROLE_xauth_home_t
diff --git a/strict/file_contexts/program/xdm.fc b/strict/file_contexts/program/xdm.fc
new file mode 100644
index 0000000..5026407
--- /dev/null
+++ b/strict/file_contexts/program/xdm.fc
@@ -0,0 +1,39 @@
+# X Display Manager
+/usr/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
+/usr/X11R6/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
+/opt/kde3/bin/kdm	--	system_u:object_r:xdm_exec_t
+/usr/bin/gpe-dm		--	system_u:object_r:xdm_exec_t
+/var/[xgk]dm(/.*)?		system_u:object_r:xserver_log_t
+/usr/var/[xgkw]dm(/.*)?		system_u:object_r:xserver_log_t
+/var/log/[kw]dm\.log	--	system_u:object_r:xserver_log_t
+/var/log/gdm(/.*)?		system_u:object_r:xserver_log_t
+/tmp/\.X0-lock		--	system_u:object_r:xdm_xserver_tmp_t
+/etc/X11/Xsession[^/]*	--	system_u:object_r:xsession_exec_t
+/etc/X11/wdm(/.*)?		system_u:object_r:xdm_rw_etc_t
+/etc/X11/wdm/Xsetup.*	--	system_u:object_r:xsession_exec_t
+/etc/X11/wdm/Xstartup.*	--	system_u:object_r:xsession_exec_t
+/etc/X11/[wx]dm/Xreset.*	--	system_u:object_r:xsession_exec_t
+/etc/X11/[wx]dm/Xsession	--	system_u:object_r:xsession_exec_t
+/etc/kde/kdm/Xsession	--	system_u:object_r:xsession_exec_t
+/var/run/xdmctl(/.*)?		system_u:object_r:xdm_var_run_t
+/var/run/xdm\.pid	--	system_u:object_r:xdm_var_run_t
+/var/lib/[xkw]dm(/.*)?		system_u:object_r:xdm_var_lib_t
+ifdef(`distro_suse', `
+/var/lib/pam_devperm/:0	--	system_u:object_r:xdm_var_lib_t
+')
+
+#
+# Additional Xsession scripts
+#
+/etc/X11/xdm/GiveConsole	--	system_u:object_r:bin_t
+/etc/X11/xdm/TakeConsole	--	system_u:object_r:bin_t
+/etc/X11/xdm/Xsetup_0		--	system_u:object_r:bin_t
+/etc/X11/xinit(/.*)?			system_u:object_r:bin_t
+#
+# Rules for kde login
+#
+/etc/kde3?/kdm/Xstartup   --		system_u:object_r:xsession_exec_t
+/etc/kde3?/kdm/Xreset     --		system_u:object_r:xsession_exec_t
+/etc/kde3?/kdm/Xsession		--	system_u:object_r:xsession_exec_t
+/etc/kde3?/kdm/backgroundrc	system_u:object_r:xdm_var_run_t
+/usr/lib(64)?/qt-.*/etc/settings(/.*)?	system_u:object_r:xdm_var_run_t
diff --git a/strict/file_contexts/program/xfs.fc b/strict/file_contexts/program/xfs.fc
new file mode 100644
index 0000000..9edae3f
--- /dev/null
+++ b/strict/file_contexts/program/xfs.fc
@@ -0,0 +1,5 @@
+# xfs
+/tmp/\.font-unix(/.*)?		system_u:object_r:xfs_tmp_t
+/usr/X11R6/bin/xfs	--	system_u:object_r:xfs_exec_t
+/usr/X11R6/bin/xfs-xtt	--	system_u:object_r:xfs_exec_t
+/usr/bin/xfstt		--	system_u:object_r:xfs_exec_t
diff --git a/strict/file_contexts/program/xprint.fc b/strict/file_contexts/program/xprint.fc
new file mode 100644
index 0000000..3c72a77
--- /dev/null
+++ b/strict/file_contexts/program/xprint.fc
@@ -0,0 +1 @@
+/usr/bin/Xprt	--	system_u:object_r:xprint_exec_t
diff --git a/strict/file_contexts/program/xserver.fc b/strict/file_contexts/program/xserver.fc
new file mode 100644
index 0000000..3ef0263
--- /dev/null
+++ b/strict/file_contexts/program/xserver.fc
@@ -0,0 +1,17 @@
+# X server
+/usr/X11R6/bin/Xwrapper	--	system_u:object_r:xserver_exec_t
+/usr/X11R6/bin/X	--	system_u:object_r:xserver_exec_t
+/usr/X11R6/bin/XFree86	--	system_u:object_r:xserver_exec_t
+/usr/X11R6/bin/Xorg	--	system_u:object_r:xserver_exec_t
+/usr/X11R6/bin/Xipaq	--	system_u:object_r:xserver_exec_t
+/var/lib/xkb(/.*)?		system_u:object_r:var_lib_xkb_t
+/usr/X11R6/lib/X11/xkb	-d	system_u:object_r:var_lib_xkb_t
+/usr/X11R6/lib/X11/xkb/.* --	system_u:object_r:var_lib_xkb_t
+/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t
+/var/log/XFree86.*	--	system_u:object_r:xserver_log_t
+/var/log/Xorg.*		--	system_u:object_r:xserver_log_t
+/etc/init\.d/xfree86-common --	system_u:object_r:xserver_exec_t
+/tmp/\.X11-unix		-d	system_u:object_r:xdm_tmp_t
+/tmp/\.X11-unix/.*	-s	<<none>>
+/tmp/\.ICE-unix		-d	system_u:object_r:xdm_xserver_tmp_t
+/tmp/\.ICE-unix/.*	-s	<<none>>
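Review bot: The xkb entries disagree about lib64: `/usr/X11R6/lib/X11/xkb	-d` and `/usr/X11R6/lib/X11/xkb/.* --` have no `(64)?`, while `/usr/X11R6/lib(64)?/X11/xkb/xkbcomp` right after them does, so on a lib64 layout xkbcomp gets bin_t but the xkb directory and its data files are never labelled var_lib_xkb_t. Adding `(64)?` to the two preceding lines, e.g. `/usr/X11R6/lib(64)?/X11/xkb	-d	system_u:object_r:var_lib_xkb_t`, makes the three consistent.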
diff --git a/strict/file_contexts/program/ypbind.fc b/strict/file_contexts/program/ypbind.fc
new file mode 100644
index 0000000..c700d92
--- /dev/null
+++ b/strict/file_contexts/program/ypbind.fc
@@ -0,0 +1,2 @@
+# ypbind
+/sbin/ypbind		--	system_u:object_r:ypbind_exec_t
diff --git a/strict/file_contexts/program/ypserv.fc b/strict/file_contexts/program/ypserv.fc
new file mode 100644
index 0000000..5622afb
--- /dev/null
+++ b/strict/file_contexts/program/ypserv.fc
@@ -0,0 +1,3 @@
+# ypserv
+/usr/sbin/ypserv		--	system_u:object_r:ypserv_exec_t
+/etc/ypserv\.conf		--	system_u:object_r:ypserv_conf_t
diff --git a/strict/file_contexts/program/zebra.fc b/strict/file_contexts/program/zebra.fc
new file mode 100644
index 0000000..e524355
--- /dev/null
+++ b/strict/file_contexts/program/zebra.fc
@@ -0,0 +1,13 @@
+# Zebra - BGP daemon
+/usr/sbin/zebra		--	system_u:object_r:zebra_exec_t
+/usr/sbin/bgpd		--	system_u:object_r:zebra_exec_t
+/var/log/zebra(/.*)?		system_u:object_r:zebra_log_t
+/etc/zebra(/.*)?		system_u:object_r:zebra_conf_t
+/var/run/\.zserv	-s	system_u:object_r:zebra_var_run_t
+/var/run/\.zebra	-s	system_u:object_r:zebra_var_run_t
+# Quagga
+/usr/sbin/rip.*  	--	system_u:object_r:zebra_exec_t
+/usr/sbin/ospf.*  	--	system_u:object_r:zebra_exec_t
+/etc/quagga(/.*)?		system_u:object_r:zebra_conf_t
+/var/log/quagga(/.*)?		system_u:object_r:zebra_log_t
+/var/run/quagga(/.*)?		system_u:object_r:zebra_var_run_t
diff --git a/strict/file_contexts/types.fc b/strict/file_contexts/types.fc
new file mode 100644
index 0000000..4708e08
--- /dev/null
+++ b/strict/file_contexts/types.fc
@@ -0,0 +1,480 @@
+#
+# This file describes the security contexts to be applied to files
+# when the security policy is installed.  The setfiles program
+# reads this file and labels files accordingly.
+#
+# Each specification has the form:
+#       regexp [ -type ] ( context | <<none>> )
+#
+# By default, the regexp is an anchored match on both ends (i.e. a 
+# caret (^) is prepended and a dollar sign ($) is appended automatically).
+# This default may be overridden by using .* at the beginning and/or
+# end of the regular expression.  
+#
+# The optional type field specifies the file type as shown in the mode
+# field by ls, e.g. use -d to match only directories or -- to match only
+# regular files.
+#
+# The value of <<none> may be used to indicate that matching files
+# should not be relabeled.
+#
+# The last matching specification is used.
+#
+# If there are multiple hard links to a file that match
+# different specifications and those specifications indicate
+# different security contexts, then a warning is displayed
+# but the file is still labeled based on the last matching
+# specification other than <<none>>.
+#
+# Some of the files listed here get re-created during boot and therefore
+# need type transition rules to retain the correct type. These files are
+# listed here anyway so that if the setfiles program is used on a running
+# system it does not relabel them to something we do not want. An example of
+# this is /var/run/utmp.
+#
+
+#
+# The security context for all files not otherwise specified.
+#
+/.*				system_u:object_r:default_t
+
+#
+# The root directory.
+#
+/			-d	system_u:object_r:root_t
+
+#
+# Ordinary user home directories.
+# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
+# HOME_DIR expands to each user's home directory,
+#                  and to HOME_ROOT/[^/]+ for each HOME_ROOT.
+# ROLE expands to each user's role when role != user_r, and to "user" otherwise.
+#
+HOME_ROOT		-d	system_u:object_r:home_root_t
+HOME_DIR		-d	system_u:object_r:ROLE_home_dir_t
+HOME_DIR/.+			system_u:object_r:ROLE_home_t
+
+/root/\.default_contexts	-- 	system_u:object_r:default_context_t
+
+#
+# Mount points; do not relabel subdirectories, since
+# we don't want to change any removable media by default.
+/mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
+/mnt/[^/]*/.*			<<none>>
+/media(/[^/]*)?		-d	system_u:object_r:mnt_t
+/media/[^/]*/.*			<<none>>
+
+#
+# /var
+#
+/var(/.*)?			system_u:object_r:var_t
+/var/catman(/.*)?		system_u:object_r:catman_t
+/var/cache/man(/.*)?		system_u:object_r:catman_t
+/var/yp(/.*)?			system_u:object_r:var_yp_t
+/var/lib(/.*)?			system_u:object_r:var_lib_t
+/var/lib/nfs(/.*)?		system_u:object_r:var_lib_nfs_t
+/var/lib/texmf(/.*)?		system_u:object_r:tetex_data_t
+/var/cache/fonts(/.*)?		system_u:object_r:tetex_data_t
+/var/lock(/.*)?			system_u:object_r:var_lock_t
+/var/tmp		-d	system_u:object_r:tmp_t
+/var/tmp/.*			<<none>>
+/var/tmp/vi\.recover	-d	system_u:object_r:tmp_t
+/var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
+/var/mailman/bin(/.*)?		system_u:object_r:bin_t
+/var/mailman/pythonlib(/.*)?/.*\.so(\..*)?	-- system_u:object_r:shlib_t
+
+#
+# /var/ftp
+#
+/var/ftp/bin(/.*)?		system_u:object_r:bin_t
+/var/ftp/bin/ls		--	system_u:object_r:ls_exec_t
+/var/ftp/lib(64)?(/.*)?		system_u:object_r:lib_t
+/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* --	system_u:object_r:ld_so_t
+/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
+/var/ftp/etc(/.*)?		system_u:object_r:etc_t
+
+#
+# /bin
+#
+/bin(/.*)?			system_u:object_r:bin_t
+/bin/tcsh		--	system_u:object_r:shell_exec_t
+/bin/bash		--	system_u:object_r:shell_exec_t
+/bin/bash2		--	system_u:object_r:shell_exec_t
+/bin/sash		--	system_u:object_r:shell_exec_t
+/bin/d?ash		--	system_u:object_r:shell_exec_t
+/bin/zsh.*		--	system_u:object_r:shell_exec_t
+/usr/sbin/sesh		--	system_u:object_r:shell_exec_t
+/bin/ls			--	system_u:object_r:ls_exec_t
+
+#
+# /boot
+#
+/boot(/.*)?			system_u:object_r:boot_t
+/boot/System\.map-.*	--	system_u:object_r:system_map_t
+
+#
+# /dev
+#
+/dev(/.*)?			system_u:object_r:device_t
+/dev/pts(/.*)?		<<none>>
+/dev/cpu/.*		-c	system_u:object_r:cpu_device_t
+/dev/microcode	-c	system_u:object_r:cpu_device_t
+/dev/MAKEDEV		--	system_u:object_r:sbin_t
+/dev/null		-c	system_u:object_r:null_device_t
+/dev/full		-c	system_u:object_r:null_device_t
+/dev/zero		-c	system_u:object_r:zero_device_t
+/dev/console		-c	system_u:object_r:console_device_t
+/dev/xconsole		-p	system_u:object_r:xconsole_device_t
+/dev/(kmem|mem|port)	-c	system_u:object_r:memory_device_t
+/dev/nvram		-c	system_u:object_r:memory_device_t
+/dev/random		-c	system_u:object_r:random_device_t
+/dev/urandom		-c	system_u:object_r:urandom_device_t
+/dev/capi.*		-c	system_u:object_r:tty_device_t
+/dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
+/dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
+/dev/ircomm[0-9]+	-c	system_u:object_r:tty_device_t
+/dev/isdn.*		-c	system_u:object_r:tty_device_t
+/dev/.*tty[^/]*	-c	system_u:object_r:tty_device_t
+/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c system_u:object_r:bsdpty_device_t
+/dev/cu.*		-c	system_u:object_r:tty_device_t
+/dev/vcs[^/]*		-c	system_u:object_r:tty_device_t
+/dev/ip2[^/]*		-c	system_u:object_r:tty_device_t
+/dev/hvc.*		-c	system_u:object_r:tty_device_t
+/dev/hvsi.*		-c	system_u:object_r:tty_device_t
+/dev/ttySG.*		-c	system_u:object_r:tty_device_t
+/dev/tty		-c	system_u:object_r:devtty_t
+/dev/lp.*		-c	system_u:object_r:printer_device_t
+/dev/par.*		-c	system_u:object_r:printer_device_t
+/dev/usb/lp.*		-c	system_u:object_r:printer_device_t
+/dev/usblp.*		-c	system_u:object_r:printer_device_t
+ifdef(`distro_redhat', `
+/dev/root		-b	system_u:object_r:fixed_disk_device_t
+')
+/dev/[shmx]d[^/]*	-b	system_u:object_r:fixed_disk_device_t
+/dev/dm-[0-9]+	-b	system_u:object_r:fixed_disk_device_t
+/dev/sg[0-9]+		-c	system_u:object_r:scsi_generic_device_t
+/dev/rd.*		-b	system_u:object_r:fixed_disk_device_t
+/dev/i2o/hd[^/]*	-b	system_u:object_r:fixed_disk_device_t
+/dev/ubd[^/]*		-b	system_u:object_r:fixed_disk_device_t
+/dev/cciss/[^/]*	-b	system_u:object_r:fixed_disk_device_t
+/dev/ida/[^/]*	-b	system_u:object_r:fixed_disk_device_t
+/dev/dasd[^/]*	-b	system_u:object_r:fixed_disk_device_t
+/dev/flash[^/]*	-b	system_u:object_r:fixed_disk_device_t
+/dev/nb[^/]+		-b	system_u:object_r:fixed_disk_device_t
+/dev/ataraid/.*	-b	system_u:object_r:fixed_disk_device_t
+/dev/loop.*		-b	system_u:object_r:fixed_disk_device_t
+/dev/net/.*		-c	system_u:object_r:tun_tap_device_t
+/dev/ram.*		-b	system_u:object_r:fixed_disk_device_t
+/dev/rawctl		-c	system_u:object_r:fixed_disk_device_t
+/dev/raw/raw[0-9]+	-c	system_u:object_r:fixed_disk_device_t
+/dev/scramdisk/.*	-b	system_u:object_r:fixed_disk_device_t
+/dev/initrd		-b	system_u:object_r:fixed_disk_device_t
+/dev/jsfd		-b	system_u:object_r:fixed_disk_device_t
+/dev/js.*		-c	system_u:object_r:mouse_device_t
+/dev/jsflash		-c	system_u:object_r:fixed_disk_device_t
+/dev/s(cd|r)[^/]*	-b	system_u:object_r:removable_device_t
+/dev/usb/rio500	-c	system_u:object_r:removable_device_t
+/dev/fd[^/]+		-b	system_u:object_r:removable_device_t
+# I think a parallel port disk is a removable device...
+/dev/pd[a-d][^/]*	-b	system_u:object_r:removable_device_t
+/dev/p[fg][0-3]	-b	system_u:object_r:removable_device_t
+/dev/aztcd		-b	system_u:object_r:removable_device_t
+/dev/bpcd		-b	system_u:object_r:removable_device_t
+/dev/gscd		-b	system_u:object_r:removable_device_t
+/dev/hitcd		-b	system_u:object_r:removable_device_t
+/dev/pcd[0-3]		-b	system_u:object_r:removable_device_t
+/dev/mcdx?		-b	system_u:object_r:removable_device_t
+/dev/cdu.*		-b	system_u:object_r:removable_device_t
+/dev/cm20.*		-b	system_u:object_r:removable_device_t
+/dev/optcd		-b	system_u:object_r:removable_device_t
+/dev/sbpcd.*		-b	system_u:object_r:removable_device_t
+/dev/sjcd		-b	system_u:object_r:removable_device_t
+/dev/sonycd		-b	system_u:object_r:removable_device_t
+# parallel port ATAPI generic device
+/dev/pg[0-3]		-c	system_u:object_r:removable_device_t
+/dev/rtc		-c	system_u:object_r:clock_device_t
+/dev/psaux		-c	system_u:object_r:mouse_device_t
+/dev/atibm		-c	system_u:object_r:mouse_device_t
+/dev/logibm		-c	system_u:object_r:mouse_device_t
+/dev/.*mouse.*	-c	system_u:object_r:mouse_device_t
+/dev/input/.*mouse.*	-c	system_u:object_r:mouse_device_t
+/dev/input/event.*	-c	system_u:object_r:event_device_t
+/dev/input/mice	-c	system_u:object_r:mouse_device_t
+/dev/input/js.*	-c	system_u:object_r:mouse_device_t
+/dev/ptmx		-c	system_u:object_r:ptmx_t
+/dev/sequencer	-c	system_u:object_r:misc_device_t
+/dev/fb[0-9]*		-c	system_u:object_r:framebuf_device_t
+/dev/apm_bios		-c	system_u:object_r:apm_bios_t
+/dev/cpu/mtrr		-c	system_u:object_r:mtrr_device_t
+/dev/pmu		-c	system_u:object_r:power_device_t
+/dev/(radio|video|vbi|vtx).* -c	system_u:object_r:v4l_device_t
+/dev/winradio.	-c	system_u:object_r:v4l_device_t
+/dev/vttuner		-c	system_u:object_r:v4l_device_t
+/dev/tlk[0-3]		-c	system_u:object_r:v4l_device_t
+/dev/adsp		-c	system_u:object_r:sound_device_t
+/dev/mixer.*		-c	system_u:object_r:sound_device_t
+/dev/dsp.*		-c	system_u:object_r:sound_device_t
+/dev/audio.*		-c	system_u:object_r:sound_device_t
+/dev/r?midi.*		-c	system_u:object_r:sound_device_t
+/dev/sequencer2	-c	system_u:object_r:sound_device_t
+/dev/smpte.*		-c	system_u:object_r:sound_device_t
+/dev/sndstat		-c	system_u:object_r:sound_device_t
+/dev/beep		-c	system_u:object_r:sound_device_t
+/dev/patmgr[01]	-c	system_u:object_r:sound_device_t
+/dev/mpu401.*		-c	system_u:object_r:sound_device_t
+/dev/srnd[0-7]	-c	system_u:object_r:sound_device_t
+/dev/aload.*		-c	system_u:object_r:sound_device_t
+/dev/amidi.*		-c	system_u:object_r:sound_device_t
+/dev/amixer.*		-c	system_u:object_r:sound_device_t
+/dev/snd/.*		-c	system_u:object_r:sound_device_t
+/dev/n?[hs]t[0-9].*	-c	system_u:object_r:tape_device_t
+/dev/n?(raw)?[qr]ft[0-3] -c	system_u:object_r:tape_device_t
+/dev/n?z?qft[0-3]	-c	system_u:object_r:tape_device_t
+/dev/n?tpqic[12].*	-c	system_u:object_r:tape_device_t
+/dev/ht[0-1]		-b	system_u:object_r:tape_device_t
+/dev/n?osst[0-3].*	-c	system_u:object_r:tape_device_t
+/dev/n?pt[0-9]+	-c	system_u:object_r:tape_device_t
+/dev/tape.*		-c	system_u:object_r:tape_device_t
+ifdef(`distro_suse', `
+/dev/usbscanner	-c	system_u:object_r:scanner_device_t
+')
+/dev/usb/scanner.*	-c	system_u:object_r:scanner_device_t
+/dev/usb/dc2xx.*	-c	system_u:object_r:scanner_device_t
+/dev/usb/mdc800.*	-c	system_u:object_r:scanner_device_t
+/dev/usb/tty.*	-c	system_u:object_r:usbtty_device_t
+/dev/mmetfgrab	-c	system_u:object_r:scanner_device_t
+/dev/nvidia.*		-c	system_u:object_r:xserver_misc_device_t
+/dev/dri/.+		-c	system_u:object_r:dri_device_t
+/dev/radeon		-c	system_u:object_r:dri_device_t
+/dev/agpgart		-c	system_u:object_r:agp_device_t
+
+#
+# Misc
+#
+/proc(/.*)?			<<none>>
+/sys(/.*)?			<<none>>
+/selinux(/.*)?			<<none>>
+
+#
+# /opt
+#
+/opt(/.*)?			system_u:object_r:usr_t
+/opt/.*/lib(64)?(/.*)?				system_u:object_r:lib_t
+/opt/.*/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/opt/.*/libexec(/.*)?	system_u:object_r:bin_t
+/opt/.*/bin(/.*)?		system_u:object_r:bin_t
+/opt/.*/sbin(/.*)?		system_u:object_r:sbin_t
+/opt/.*/man(/.*)?		system_u:object_r:man_t
+/opt/.*/var/lib(64)?(/.*)?		system_u:object_r:var_lib_t
+
+#
+# /etc
+#
+/etc(/.*)?			system_u:object_r:etc_t
+/var/db/.*\.db		--	system_u:object_r:etc_t
+/etc/\.pwd\.lock	--	system_u:object_r:shadow_t
+/etc/passwd\.lock	--	system_u:object_r:shadow_t
+/etc/group\.lock	--	system_u:object_r:shadow_t
+/etc/shadow.*		--	system_u:object_r:shadow_t
+/etc/gshadow.*		--	system_u:object_r:shadow_t
+/var/db/shadow.*	--	system_u:object_r:shadow_t
+/etc/blkid\.tab.*	--	system_u:object_r:etc_runtime_t
+/etc/fstab\.REVOKE	--	system_u:object_r:etc_runtime_t
+/etc/\.fstab\.hal\..+	--	system_u:object_r:etc_runtime_t
+/etc/HOSTNAME		--	system_u:object_r:etc_runtime_t
+/etc/ioctl\.save	--	system_u:object_r:etc_runtime_t
+/etc/mtab		--	system_u:object_r:etc_runtime_t
+/etc/motd		--	system_u:object_r:etc_runtime_t
+/etc/issue		--	system_u:object_r:etc_runtime_t
+/etc/issue\.net		--	system_u:object_r:etc_runtime_t
+/etc/sysconfig/hwconf	--	system_u:object_r:etc_runtime_t
+/etc/sysconfig/iptables\.save -- system_u:object_r:etc_runtime_t
+/etc/sysconfig/firstboot --	system_u:object_r:etc_runtime_t
+/etc/asound\.state	--	system_u:object_r:etc_runtime_t
+/etc/ptal/ptal-printd-like -- 	system_u:object_r:etc_runtime_t
+ifdef(`distro_gentoo', `
+/etc/profile\.env	--	system_u:object_r:etc_runtime_t
+/etc/csh\.env		--	system_u:object_r:etc_runtime_t
+/etc/env\.d/.*		--	system_u:object_r:etc_runtime_t
+')
+/etc/ld\.so\.cache	--	system_u:object_r:ld_so_cache_t
+/etc/ld\.so\.preload	--	system_u:object_r:ld_so_cache_t
+/etc/yp\.conf.*		--	system_u:object_r:net_conf_t
+/etc/resolv\.conf.*	--	system_u:object_r:net_conf_t
+
+/etc/selinux(/.*)?		system_u:object_r:selinux_config_t
+/etc/selinux/([^/]*/)?policy(/.*)?	system_u:object_r:policy_config_t
+/etc/selinux/([^/]*/)?src(/.*)?	system_u:object_r:policy_src_t
+/etc/selinux/([^/]*/)?contexts(/.*)?	system_u:object_r:default_context_t
+/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t
+
+
+#
+# /lib(64)?
+#
+/lib(64)?(/.*)?					system_u:object_r:lib_t
+/lib(64)?/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t
+/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
+
+#
+# /sbin
+#
+/sbin(/.*)?			system_u:object_r:sbin_t
+
+#
+# /tmp
+#
+/tmp			-d	system_u:object_r:tmp_t
+/tmp/.*				<<none>>
+
+#
+# /usr
+#
+/usr(/.*)?			system_u:object_r:usr_t
+/usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t
+/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/usr/lib/win32/.*	--	system_u:object_r:shlib_t
+/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
+/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
+/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
+/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
+/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
+/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
+/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
+/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t
+/usr/etc(/.*)?			system_u:object_r:etc_t
+/usr/inclu.e(/.*)?		system_u:object_r:usr_t
+/usr/libexec(/.*)?		system_u:object_r:bin_t
+/usr/src(/.*)?			system_u:object_r:src_t
+/usr/tmp		-d	system_u:object_r:tmp_t
+/usr/tmp/.*			<<none>>
+/usr/man(/.*)?			system_u:object_r:man_t
+/usr/share/man(/.*)?		system_u:object_r:man_t
+/usr/share/mc/extfs/.*	--	system_u:object_r:bin_t
+/usr/share(/.*)?/lib(64)?(/.*)?	system_u:object_r:usr_t
+
+# nvidia share libraries
+/usr(/.*)?/nvidia/.*\.so(\..*)?	-- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libXvMCNVIDIA\.so.* 	-- system_u:object_r:texrel_shlib_t
+
+# libGL
+/usr/X11R6/lib/libGL\.so.* 	-- system_u:object_r:texrel_shlib_t
+
+ifdef(`distro_debian', `
+/usr/share/selinux(/.*)?	system_u:object_r:policy_src_t
+')
+ifdef(`distro_gentoo', `
+/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	system_u:object_r:bin_t
+')
+
+#
+# /usr/lib(64)?
+#
+/usr/lib(64)?/perl5/man(/.*)?	system_u:object_r:man_t
+/usr/lib(64)?/selinux(/.*)?		system_u:object_r:policy_src_t
+/usr/lib(64)?/emacsen-common/.*	system_u:object_r:bin_t
+
+#
+# /usr/local
+#
+/usr/local/etc(/.*)?		system_u:object_r:etc_t
+/usr/local/src(/.*)?		system_u:object_r:src_t
+/usr/local/man(/.*)?		system_u:object_r:man_t
+
+#
+# /usr/X11R6/man
+#
+/usr/X11R6/man(/.*)?		system_u:object_r:man_t
+
+#
+# Fonts dir
+#
+/usr/X11R6/lib/X11/fonts(/.*)?		system_u:object_r:fonts_t
+ifdef(`distro_debian', `
+/var/lib/msttcorefonts(/.*)?		system_u:object_r:fonts_t
+')
+/usr/share/fonts(/.*)?			system_u:object_r:fonts_t
+/usr/share/ghostscript/fonts(/.*)?	system_u:object_r:fonts_t
+/usr/local/share/fonts(/.*)?		system_u:object_r:fonts_t
+
+#
+# /var/run
+#
+/var/run(/.*)?			system_u:object_r:var_run_t
+/var/run/.*\.*pid		<<none>>
+
+#
+# /var/spool
+#
+/var/spool(/.*)?		system_u:object_r:var_spool_t
+/var/spool/texmf(/.*)?		system_u:object_r:tetex_data_t
+/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t
+
+# 
+# /var/log
+#
+/var/log(/.*)?			system_u:object_r:var_log_t
+/var/log/wtmp.*		--	system_u:object_r:wtmp_t
+/var/log/btmp.*		--	system_u:object_r:faillog_t
+/var/log/faillog	--	system_u:object_r:faillog_t
+/var/log/ksyms.*	--	system_u:object_r:var_log_ksyms_t
+/var/log/dmesg		--	system_u:object_r:var_log_t
+/var/log/lastlog	--	system_u:object_r:lastlog_t
+/var/log/ksymoops(/.*)?		system_u:object_r:var_log_ksyms_t
+/var/log/syslog		--	system_u:object_r:var_log_t
+
+#
+# Journal files
+#
+/\.journal			<<none>>
+/usr/\.journal			<<none>>
+/boot/\.journal			<<none>>
+HOME_ROOT/\.journal		<<none>>
+/var/\.journal			<<none>>
+/tmp/\.journal			<<none>>
+/usr/local/\.journal		<<none>>
+
+#
+# Lost and found directories.
+#
+/lost\+found(/.*)?		system_u:object_r:lost_found_t
+/usr/lost\+found(/.*)?		system_u:object_r:lost_found_t
+/boot/lost\+found(/.*)?		system_u:object_r:lost_found_t
+HOME_ROOT/lost\+found(/.*)?	system_u:object_r:lost_found_t
+/var/lost\+found(/.*)?		system_u:object_r:lost_found_t
+/tmp/lost\+found(/.*)?		system_u:object_r:lost_found_t
+/usr/local/lost\+found(/.*)?	system_u:object_r:lost_found_t
+
+#
+# system localization
+#
+/usr/share/zoneinfo(/.*)?	system_u:object_r:locale_t
+/usr/share/locale(/.*)?		system_u:object_r:locale_t
+/usr/lib/locale(/.*)?		system_u:object_r:locale_t
+/etc/localtime		--	system_u:object_r:locale_t
+/etc/localtime		-l	system_u:object_r:etc_t
+
+#
+# Gnu Cash
+#
+/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t
+/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
+
+#
+# initrd mount point, only used during boot
+#
+/initrd			-d	system_u:object_r:root_t
+
+#
+#  The krb5.conf file is always being tested for writability, so
+#  we defined a type to dontaudit
+#
+/etc/krb5\.conf		--	system_u:object_r:krb5_conf_t
+
+#
+# Thunderbird
+#
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
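Review bot: The /var/run entry `/var/run/.*\.*pid` uses `\.*`, which is zero or more literal dots, so the spec reduces to `/var/run/.*pid` and exempts from relabeling any path under /var/run that simply ends in the letters pid, not only `.pid` files; `/var/run/.*\.pid <<none>>` is what the intent reads as. In the /dev section `/dev/winradio.` has a bare `.`, matching exactly one character, unlike the `.*` every neighbouring v4l entry uses; if only single-digit unit numbers are meant that works, but it should then say `[0-9]` so the next reader does not take it for a typo. The header comment describes the keyword as `<<none>` with one closing bracket while every spec below, and setfiles itself, spell it `<<none>>`.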
diff --git a/strict/flask/Makefile b/strict/flask/Makefile
new file mode 100644
index 0000000..970b9fe
--- /dev/null
+++ b/strict/flask/Makefile
@@ -0,0 +1,41 @@
+# flask needs to know where to export the libselinux headers.
+LIBSEL ?= ../../libselinux
+
+# flask needs to know where to export the kernel headers.
+LINUXDIR ?= ../../../linux-2.6
+
+AWK = awk
+
+CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
+          else if [ -x /bin/bash ]; then echo /bin/bash; \
+          else echo sh; fi ; fi)
+
+FLASK_H_DEPEND = security_classes initial_sids
+AV_H_DEPEND = access_vectors
+
+FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
+AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+
+all:  $(ALL_H_FILES)
+
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
+	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+
+$(AV_H_FILES): $(AV_H_DEPEND)
+	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+
+tolib: all
+	install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
+	install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
+
+tokern: all
+	install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
+
+install: all
+
+relabel:
+
+clean:  
+	rm -f $(FLASK_H_FILES)
+	rm -f $(AV_H_FILES)
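Review bot: The multi-target rules `$(FLASK_H_FILES): $(FLASK_H_DEPEND)` and `$(AV_H_FILES): $(AV_H_DEPEND)` tell make that each listed header has its own copy of the recipe, so a parallel build can launch mkflask.sh or mkaccess_vector.sh several times concurrently, each rewriting all of the headers while another instance is still producing them, and `tolib`/`tokern` may then install a half-written file. Routing each generator through a single stamp target serialises the run and keeps one invocation per input set. `all`, `install`, `relabel` and `clean` are also not declared `.PHONY`, so a stray file with one of those names in the directory satisfies the target without running anything.
```makefile
# one generator run per input set; every header depends on its stamp
$(FLASK_H_FILES): flask.stamp
flask.stamp: $(FLASK_H_DEPEND)
	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
	touch $@

$(AV_H_FILES): av.stamp
av.stamp: $(AV_H_DEPEND)
	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
	touch $@

.PHONY: all tolib tokern install relabel clean
# … unchanged: tolib, tokern, install, relabel …
clean:
	rm -f $(FLASK_H_FILES) $(AV_H_FILES) flask.stamp av.stamp
```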
diff --git a/strict/flask/access_vectors b/strict/flask/access_vectors
new file mode 100644
index 0000000..22e1358
--- /dev/null
+++ b/strict/flask/access_vectors
@@ -0,0 +1,599 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	unlink
+	link
+	rename
+	execute
+	swapon
+	quotaon
+	mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+# socket-specific
+	bind
+	connect
+	listen
+	accept
+	getopt
+	setopt
+	shutdown
+	recvfrom
+	sendto
+	recv_msg
+	send_msg
+	name_bind
+}	
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+	create
+	destroy
+	getattr
+	setattr
+	read
+	write
+	associate
+	unix_read
+	unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+	mount
+	remount
+	unmount
+	getattr
+	relabelfrom
+	relabelto
+	transition
+	associate
+	quotamod
+	quotaget
+}
+
+class dir
+inherits file
+{
+	add_name
+	remove_name
+	reparent
+	search
+	rmdir
+}
+
+class file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+}
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+	use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+	node_bind
+}
+
+class udp_socket
+inherits socket
+{
+	node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+	node_bind
+}
+
+class node 
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+	enforce_dest
+}
+
+class netif
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+	fork
+	transition
+	sigchld # commonly granted from child to parent
+	sigkill # cannot be caught or ignored
+	sigstop # cannot be caught or ignored
+	signull # for kill(pid, 0)
+	signal  # all other signals
+	ptrace
+	getsched
+	setsched
+	getsession
+	getpgid
+	setpgid
+	getcap
+	setcap
+	share
+	getattr
+	setexec
+	setfscreate
+	noatsecure
+	siginh
+	setrlimit
+	rlimitinh
+	dyntransition
+	setcurrent
+	execmem
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+	enqueue
+}
+
+class msg
+{
+	send
+	receive
+}
+
+class shm
+inherits ipc
+{
+	lock
+}
+
+
+#
+# Define the access vector interpretation for the security server. 
+#
+
+class security
+{
+	compute_av
+	compute_create
+	compute_member
+	check_context
+	load_policy
+	compute_relabel
+	compute_user
+	setenforce     # was avc_toggle in system class
+	setbool
+	setsecparam
+	setcheckreqprot
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+	ipc_info
+	syslog_read  
+	syslog_mod
+	syslog_console
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown           
+	dac_override    
+	dac_read_search 
+	fowner          
+	fsetid          
+	kill            
+	setgid           
+	setuid           
+	setpcap          
+	linux_immutable  
+	net_bind_service 
+	net_broadcast    
+	net_admin        
+	net_raw          
+	ipc_lock         
+	ipc_owner        
+	sys_module       
+	sys_rawio        
+	sys_chroot       
+	sys_ptrace       
+	sys_pacct        
+	sys_admin        
+	sys_boot         
+	sys_nice         
+	sys_resource     
+	sys_time         
+	sys_tty_config  
+	mknod
+	lease
+	audit_write
+	audit_control
+}
+
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+	passwd	# change another user passwd
+	chfn	# change another user finger info
+	chsh	# change another user shell
+	rootok  # pam_rootok check (skip auth)
+	crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class drawable
+{
+	create
+	destroy
+	draw
+	copy
+	getattr
+}
+
+class gc
+{
+	create
+	free
+	getattr
+	setattr
+}
+
+class window 
+{
+	addchild
+	create
+	destroy
+	map
+	unmap
+	chstack
+	chproplist
+	chprop	
+	listprop
+	getattr
+	setattr
+	setfocus
+	move
+	chselection
+	chparent
+	ctrllife
+	enumerate
+	transparent
+	mousemotion
+	clientcomevent
+	inputevent
+	drawevent
+	windowchangeevent
+	windowchangerequest
+	serverchangeevent
+	extensionevent
+}
+
+class font
+{
+	load
+	free
+	getattr
+	use
+}
+
+class colormap
+{
+	create
+	free
+	install
+	uninstall
+	list
+	read
+	store
+	getattr
+	setattr
+}
+
+class property
+{
+	create
+	free
+	read
+	write
+}
+
+class cursor
+{
+	create
+	createglyph
+	free
+	assign
+	setattr
+}
+
+class xclient
+{
+	kill
+}
+
+class xinput
+{
+	lookup
+	getattr
+	setattr
+	setfocus
+	warppointer
+	activegrab
+	passivegrab
+	ungrab
+	bell
+	mousemotion
+	relabelinput
+}
+
+class xserver
+{
+	screensaver
+	gethostlist
+	sethostlist
+	getfontpath
+	setfontpath
+	getattr
+	grab
+	ungrab
+}
+
+class xextension
+{
+	query
+	use
+}
+
+#
+# Define the access vector interpretation for controlling
+# PaX flags
+#
+class pax
+{
+        pageexec        # Paging based non-executable pages
+        emutramp        # Emulate trampolines
+        mprotect        # Restrict mprotect()
+        randmmap        # Randomize mmap() base
+        randexec        # Randomize ET_EXEC base
+        segmexec        # Segmentation based non-executable pages
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+	acquire_svc
+	send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+	getpwd
+	getgrp
+	gethost
+	getstat
+	admin
+       shmempwd
+       shmemgrp
+       shmemhost
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+       sendto
+       recvfrom
+}
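Review bot: The capability class comment says order matters but not what that means for a maintainer: mkaccess_vector.sh assigns each permission the next power of two in listing order, so inserting a capability anywhere but after `audit_control` renumbers every later bit and a policy built against the old header would then enforce the wrong capability. Suggest extending that comment with `# Append new capabilities at the end only; list position is the bit value.`, since this is the one class whose numbering must also track an external kernel header. Indentation drifts from tabs to runs of spaces inside the `pax`, `nscd` and `association` bodies; the generator's `/[a-z][a-z_]*/` match does not care, but the file is otherwise tab-indented throughout.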
diff --git a/strict/flask/initial_sids b/strict/flask/initial_sids
new file mode 100644
index 0000000..95894eb
--- /dev/null
+++ b/strict/flask/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers 
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
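Review bot: This list is position-sensitive and nothing in the file says so: mkflask.sh numbers each `sid` with `sid_value++` in file order, so a new entry placed among its logical neighbours rather than after `devnull` shifts every later SECINITSID_ value in the exported header. A one-line comment under the heading, `# Order matters: SECINITSID_ values are assigned by position; append only.`, makes the constraint visible to the next editor.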
diff --git a/strict/flask/mkaccess_vector.sh b/strict/flask/mkaccess_vector.sh
new file mode 100644
index 0000000..b5da734
--- /dev/null
+++ b/strict/flask/mkaccess_vector.sh
@@ -0,0 +1,227 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift
+
+# output files
+av_permissions="av_permissions.h"
+av_inherit="av_inherit.h"
+common_perm_to_string="common_perm_to_string.h"
+av_perm_to_string="av_perm_to_string.h"
+
+cat $* | $awk "
+BEGIN	{
+		outfile = \"$av_permissions\"
+		inheritfile = \"$av_inherit\"
+		cpermfile = \"$common_perm_to_string\"
+		avpermfile = \"$av_perm_to_string\"
+		"'
+		nextstate = "COMMON_OR_AV";
+		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > inheritfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > cpermfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > avpermfile;
+;
+	}
+/^[ \t]*#/	{ 
+			next;
+		}
+$1 == "common"	{ 
+			if (nextstate != "COMMON_OR_AV")
+			{
+				printf("Parse error:  Unexpected COMMON definition on line %d\n", NR);
+				next;	
+			}
+
+			if ($2 in common_defined)
+			{
+				printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			common_defined[$2] = 1;
+
+			tclass = $2;
+			common_name = $2; 
+			permission = 1;
+
+			printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
+
+			nextstate = "COMMON-OPENBRACKET";
+			next;
+		}
+$1 == "class"	{
+			if (nextstate != "COMMON_OR_AV" &&
+			    nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected class definition on line %d\n", NR);
+				next;	
+			}
+
+			tclass = $2;
+
+			if (tclass in av_defined)
+			{
+				printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
+				next;
+			} 
+			av_defined[tclass] = 1;
+
+			inherits = "";
+			permission = 1;
+
+			nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
+			next;
+		}
+$1 == "inherits" {			
+			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected INHERITS definition on line %d\n", NR);
+				next;	
+			}
+
+			if (!($2 in common_defined))
+			{
+				printf("COMMON %s is not defined (line %d).\n", $2, NR);
+				next;
+			}
+
+			inherits = $2;
+			permission = common_base[$2];
+
+			for (combined in common_perms)
+			{
+				split(combined,separate, SUBSEP);
+				if (separate[1] == inherits)
+				{
+					inherited_perms[common_perms[combined]] = separate[2];
+				}
+			}
+
+                        j = 1;
+                        for (i in inherited_perms) {
+                            ind[j] = i + 0;
+                            j++;
+                        }
+                        n = asort(ind);
+			for (i = 1; i <= n; i++) {
+				perm = inherited_perms[ind[i]];
+				printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; 
+				spaces = 40 - (length(perm) + length(tclass));
+				if (spaces < 1)
+				      spaces = 1;
+				for (j = 0; j < spaces; j++) 
+					printf(" ") > outfile; 
+				printf("0x%08xUL\n", ind[i]) > outfile; 
+			}
+			printf("\n") > outfile;
+                        for (i in ind) delete ind[i];
+                        for (i in inherited_perms) delete inherited_perms[i];
+
+			printf("   S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; 
+
+			nextstate = "CLASS_OR_CLASS-OPENBRACKET";
+			next;
+		}
+$1 == "{"	{ 
+			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
+			    nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
+			    nextstate != "COMMON-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected { on line %d\n", NR);
+				next;
+			}
+
+			if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
+				nextstate = "CLASS-CLOSEBRACKET";
+
+			if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
+				nextstate = "CLASS-CLOSEBRACKET";
+
+			if (nextstate == "COMMON-OPENBRACKET")
+				nextstate = "COMMON-CLOSEBRACKET";
+		}
+/[a-z][a-z_]*/	{
+			if (nextstate != "COMMON-CLOSEBRACKET" &&
+			    nextstate != "CLASS-CLOSEBRACKET")
+			{
+				printf("Parse error:  Unexpected symbol %s on line %d\n", $1, NR);		
+				next;
+			}
+
+			if (nextstate == "COMMON-CLOSEBRACKET")
+			{
+				if ((common_name,$1) in common_perms)
+				{
+					printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
+					next;
+				}
+
+				common_perms[common_name,$1] = permission;
+
+				printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; 
+
+				printf("    S_(\"%s\")\n", $1) > cpermfile;
+			}
+			else
+			{
+				if ((tclass,$1) in av_perms)
+				{
+					printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
+					next;
+				}
+
+				av_perms[tclass,$1] = permission;
+		
+				if (inherits != "")
+				{
+					if ((inherits,$1) in common_perms)
+					{
+						printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
+						next;
+					}
+				}
+
+				printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; 
+
+				printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
+			}
+
+			spaces = 40 - (length($1) + length(tclass));
+			if (spaces < 1)
+			      spaces = 1;
+
+			for (i = 0; i < spaces; i++) 
+				printf(" ") > outfile; 
+			printf("0x%08xUL\n", permission) > outfile; 
+			permission = permission * 2;
+		}
+$1 == "}"	{
+			if (nextstate != "CLASS-CLOSEBRACKET" && 
+			    nextstate != "COMMON-CLOSEBRACKET")
+			{
+				printf("Parse error:  Unexpected } on line %d\n", NR);
+				next;
+			}
+
+			if (nextstate == "COMMON-CLOSEBRACKET")
+			{
+				common_base[common_name] = permission;
+				printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; 
+			}
+
+			printf("\n") > outfile;
+
+			nextstate = "COMMON_OR_AV";
+		}
+END	{
+		if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+			printf("Parse error:  Unexpected end of file\n");
+
+	}'
+
+# FLASK
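Review bot: Every parse error in the awk program is a plain `printf` to stdout followed by `next`, so awk still exits 0, `set -e` never fires, and make proceeds with an av_permissions.h that silently lacks the offending class or permission; the messages should go to `"/dev/stderr"` and set a flag that the END block turns into `exit 1`. The inherited-permission conflict message passes four arguments to a three-conversion format (`$1, tclass, inherits, NR`), so `%d` receives `inherits` coerced to a number and the line number is never printed; `printf("Permission %s in %s on line %d conflicts with common %s.\n", $1, tclass, NR, inherits)` matches the intent. Nothing checks that a class stays within 32 permissions: `permission` keeps doubling past 0x80000000, and the `0x%08xUL` output for a 33rd entry would no longer fit the 32-bit access vector the header describes. `asort` is a gawk extension, so the `$awk` the Makefile passes has to be gawk, which is worth stating in the header comment and in the Makefile's `AWK = awk` default.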
diff --git a/strict/flask/mkflask.sh b/strict/flask/mkflask.sh
new file mode 100644
index 0000000..9c84754
--- /dev/null
+++ b/strict/flask/mkflask.sh
@@ -0,0 +1,95 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift 1
+
+# output file
+output_file="flask.h"
+debug_file="class_to_string.h"
+debug_file2="initial_sid_to_string.h"
+
+cat $* | $awk "
+BEGIN	{
+		outfile = \"$output_file\"
+		debugfile = \"$debug_file\"
+		debugfile2 = \"$debug_file2\"
+		"'
+		nextstate = "CLASS";
+
+		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
+
+		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+		printf("#define _SELINUX_FLASK_H_\n") > outfile;
+		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
+		printf("/*\n * Security object class definitions\n */\n") > debugfile;
+		printf("    S_(\"null\")\n") > debugfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile2;
+		printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
+		printf("    \"null\",\n") > debugfile2;
+	}
+/^[ \t]*#/	{ 
+			next;
+		}
+$1 == "class"	{ 
+			if (nextstate != "CLASS")
+			{
+				printf("Parse error:  Unexpected class definition on line %d\n", NR);
+				next;	
+			}
+
+			if ($2 in class_found)
+			{
+				printf("Duplicate class definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			class_found[$2] = 1;
+
+			class_value++;
+
+			printf("#define SECCLASS_%s", toupper($2)) > outfile;
+			for (i = 0; i < 40 - length($2); i++) 
+				printf(" ") > outfile; 
+			printf("%d\n", class_value) > outfile; 
+
+			printf("    S_(\"%s\")\n", $2) > debugfile;
+		}
+$1 == "sid"	{ 
+			if (nextstate == "CLASS")
+			{
+			    nextstate = "SID";
+			    printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;			    
+			}
+
+			if ($2 in sid_found)
+			{
+				printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			sid_found[$2] = 1;
+			sid_value++;
+
+			printf("#define SECINITSID_%s", toupper($2)) > outfile;
+			for (i = 0; i < 37 - length($2); i++) 
+				printf(" ") > outfile; 
+			printf("%d\n", sid_value) > outfile; 
+			printf("    \"%s\",\n", $2) > debugfile2;
+		}
+END	{
+		if (nextstate != "SID")
+			printf("Parse error:  Unexpected end of file\n");
+
+		printf("\n#define SECINITSID_NUM") > outfile;
+		for (i = 0; i < 34; i++) 
+			printf(" ") > outfile; 
+		printf("%d\n", sid_value) > outfile; 
+		printf("\n#endif\n") > outfile;
+		printf("};\n\n") > debugfile2;
+	}'
+
+# FLASK
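Review bot: The awk program reports problems with plain printf in the `Parse error` branches of the `class` and `sid` rules, in both `Duplicate ... definition` branches and in END, but never exits non-zero, so the `set -e` at the top cannot stop the build and a partial or mis-numbered flask.h is written and consumed by the kernel build; count the errors and `exit 1` in END so the `cat | awk` pipeline fails. The same pattern is visible in the access-vector generator of the preceding hunk (its start is outside this view), so the fix belongs in both scripts. The diagnostics also go to stdout rather than stderr, which hides them when output is captured. Separately, `cat $* | $awk "` should be `cat "$@" | "$awk" "` so an input path containing whitespace is not split.
```awk
$1 == "class"	{ 
			if (nextstate != "CLASS")
			{
				printf("Parse error:  Unexpected class definition on line %d\n", NR);
				errors++;
				next;
			}
			# … unchanged: duplicate-class check (add errors++ beside its printf), SECCLASS output …
		}
# … unchanged: sid rule, with errors++ beside its "Duplicate SID" printf …
END	{
		if (nextstate != "SID")
		{
			printf("Parse error:  Unexpected end of file\n");
			errors++;
		}
		# … unchanged: SECINITSID_NUM / #endif / debugfile2 output …
		if (errors)
			exit 1;
	}
```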
diff --git a/strict/flask/security_classes b/strict/flask/security_classes
new file mode 100644
index 0000000..b370522
--- /dev/null
+++ b/strict/flask/security_classes
@@ -0,0 +1,83 @@
+# FLASK
+
+#
+# Define the security object classes 
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+#
+# userspace object manager classes
+#
+
+# passwd/chfn/chsh
+class passwd
+
+# SE-X Windows stuff
+class drawable
+class window
+class gc
+class font
+class colormap
+class property
+class cursor
+class xclient
+class xinput
+class xserver
+class xextension
+
+# pax flags
+class pax
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+
+class dbus
+class nscd
+
+# IPSec association
+class association
+
+# FLASK
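Review bot: The file lacks a header stating that line order is load-bearing: mkflask.sh in the preceding file numbers classes sequentially with `class_value++`, so inserting or reordering a `class` line renumbers every SECCLASS_* value after it and desynchronises the policy from a kernel built against the old flask.h. The grouping comments (`file-related classes`, `network-related classes`, `extended netlink sockets`) invite a maintainer to add a new class into the matching group rather than at the end. Suggest adding under `Define the security object classes`: `# Order is significant: SECCLASS_* numbers in flask.h follow file order. Append new classes at the end; never insert or reorder.`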
diff --git a/strict/fs_use b/strict/fs_use
new file mode 100644
index 0000000..8f167a7
--- /dev/null
+++ b/strict/fs_use
@@ -0,0 +1,31 @@
+#
+# Define the labeling behavior for inodes in particular filesystem types.
+# This information was formerly hardcoded in the SELinux module.
+
+# Use xattrs for the following filesystem types.
+# Requires that a security xattr handler exist for the filesystem.
+fs_use_xattr ext2 system_u:object_r:fs_t;
+fs_use_xattr ext3 system_u:object_r:fs_t;
+fs_use_xattr xfs system_u:object_r:fs_t;
+fs_use_xattr jfs system_u:object_r:fs_t;
+
+# Use the allocating task SID to label inodes in the following filesystem
+# types, and label the filesystem itself with the specified context.
+# This is appropriate for pseudo filesystems that represent objects
+# like pipes and sockets, so that these objects are labeled with the same
+# type as the creating task.  
+fs_use_task pipefs system_u:object_r:fs_t;
+fs_use_task sockfs system_u:object_r:fs_t;
+
+# Use a transition SID based on the allocating task SID and the
+# filesystem SID to label inodes in the following filesystem types,
+# and label the filesystem itself with the specified context.
+# This is appropriate for pseudo filesystems like devpts and tmpfs
+# where we want to label objects with a derived type.
+fs_use_trans devpts system_u:object_r:devpts_t;
+fs_use_trans tmpfs system_u:object_r:tmpfs_t;
+fs_use_trans shm system_u:object_r:tmpfs_t;
+
+# The separate genfs_contexts configuration can be used for filesystem 
+# types that cannot support persistent label mappings or use
+# one of the fixed label schemes specified here.  
diff --git a/strict/genfs_contexts b/strict/genfs_contexts
new file mode 100644
index 0000000..3c2438b
--- /dev/null
+++ b/strict/genfs_contexts
@@ -0,0 +1,105 @@
+# FLASK
+
+#
+# Security contexts for files in filesystems that
+# cannot support xattr or use one of the fixed labeling schemes 
+# specified in fs_use.
+#
+# Each specifications has the form:
+# 	genfscon fstype pathname-prefix [ -type ] context
+#
+# The entry with the longest matching pathname prefix is used.
+# / refers to the root directory of the file system, and
+# everything is specified relative to this root directory.
+# If there is no entry with a matching pathname prefix, then 
+# the unlabeled initial SID is used.
+#
+# The optional type field specifies the file type as shown in the mode
+# field by ls, e.g. use -c to match only character device files, -b
+# to match only block device files.
+#
+# Except for proc, in 2.6 other filesystems are limited to a single entry (/)
+# that covers all entries in the filesystem with a default file context.
+# For proc, a pathname can be reliably generated from the proc_dir_entry
+# tree.  The proc /sys entries are used for both proc inodes and for sysctl(2)
+# calls. /proc/PID entries are automatically labeled based on the associated
+# process.
+#
+# Support for other filesystem types requires corresponding code to be
+# added to the kernel, either as an xattr handler in the filesystem 
+# implementation (preferred, and necessary if you want to access the labels
+# from userspace) or as logic in the SELinux module.
+
+# proc (excluding /proc/PID)
+genfscon proc /				system_u:object_r:proc_t
+genfscon proc /kmsg			system_u:object_r:proc_kmsg_t
+genfscon proc /kcore			system_u:object_r:proc_kcore_t
+genfscon proc /mdstat			system_u:object_r:proc_mdstat_t
+genfscon proc /mtrr			system_u:object_r:mtrr_device_t
+genfscon proc /net			system_u:object_r:proc_net_t
+genfscon proc /sysvipc			system_u:object_r:proc_t
+genfscon proc /sys			system_u:object_r:sysctl_t
+genfscon proc /sys/kernel		system_u:object_r:sysctl_kernel_t
+genfscon proc /sys/kernel/modprobe	system_u:object_r:sysctl_modprobe_t
+genfscon proc /sys/kernel/hotplug	system_u:object_r:sysctl_hotplug_t
+genfscon proc /sys/net			system_u:object_r:sysctl_net_t
+genfscon proc /sys/net/unix		system_u:object_r:sysctl_net_unix_t
+genfscon proc /sys/vm			system_u:object_r:sysctl_vm_t
+genfscon proc /sys/dev			system_u:object_r:sysctl_dev_t
+genfscon proc /net/rpc			system_u:object_r:sysctl_rpc_t
+genfscon proc /irq			system_u:object_r:sysctl_irq_t
+
+# rootfs
+genfscon rootfs /			system_u:object_r:root_t
+
+# sysfs
+genfscon sysfs /			system_u:object_r:sysfs_t
+
+# selinuxfs
+genfscon selinuxfs /			system_u:object_r:security_t
+
+# autofs
+genfscon autofs /			system_u:object_r:autofs_t
+genfscon automount /			system_u:object_r:autofs_t
+
+# usbdevfs
+genfscon usbdevfs /			system_u:object_r:usbdevfs_t
+
+# iso9660
+genfscon iso9660 /			system_u:object_r:iso9660_t
+genfscon udf /				system_u:object_r:iso9660_t
+
+# romfs
+genfscon romfs /			system_u:object_r:romfs_t
+genfscon cramfs /			system_u:object_r:romfs_t
+
+# ramfs
+genfscon ramfs /			system_u:object_r:ramfs_t
+
+# vfat, msdos
+genfscon vfat /				system_u:object_r:dosfs_t
+genfscon msdos /			system_u:object_r:dosfs_t
+genfscon fat /				system_u:object_r:dosfs_t
+genfscon ntfs /				system_u:object_r:dosfs_t
+
+# samba
+genfscon cifs /				system_u:object_r:cifs_t
+genfscon smbfs /			system_u:object_r:cifs_t
+
+# nfs
+genfscon nfs /				system_u:object_r:nfs_t
+genfscon nfs4 /				system_u:object_r:nfs_t
+genfscon afs /				system_u:object_r:nfs_t
+
+# reiserfs - until xattr security support works properly
+genfscon reiserfs /			system_u:object_r:nfs_t
+
+# needs more work
+genfscon eventpollfs / system_u:object_r:eventpollfs_t
+genfscon futexfs / system_u:object_r:futexfs_t
+genfscon bdev / system_u:object_r:bdev_t
+genfscon usbfs / system_u:object_r:usbfs_t
+genfscon nfsd / system_u:object_r:nfsd_fs_t
+genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t
+genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t
+
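Review bot: `genfscon reiserfs / system_u:object_r:nfs_t` labels a local disk filesystem with the network-filesystem type, so every rule that grants a domain access to nfs_t (for example the `use_nfs_home_dirs` path in base_user_macros.te, which gives users create and exec access on nfs_t) silently extends to all reiserfs content; the `until xattr security support works properly` comment should state that consequence, e.g. `# reiserfs - stopgap label until xattr security support works; anything allowed nfs_t thereby gets the same access to all reiserfs content`. A dedicated type would avoid the aliasing but is a larger change than a comment. The `needs more work` block at the end also drops the column alignment used by every other entry; align the context field so the file reads consistently.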
diff --git a/strict/initial_sid_contexts b/strict/initial_sid_contexts
new file mode 100644
index 0000000..e276f3f
--- /dev/null
+++ b/strict/initial_sid_contexts
@@ -0,0 +1,46 @@
+# FLASK
+
+#
+# Define the security context for each initial SID
+# sid sidname   context
+
+sid kernel	system_u:system_r:kernel_t
+sid security	system_u:object_r:security_t
+sid unlabeled	system_u:object_r:unlabeled_t
+sid fs		system_u:object_r:fs_t
+sid file	system_u:object_r:file_t
+# Persistent label mapping is gone.  This initial SID can be removed.
+sid file_labels	system_u:object_r:unlabeled_t
+# init_t is still used, but an initial SID is no longer required.
+sid init	system_u:object_r:unlabeled_t
+# any_socket is no longer used.
+sid any_socket 	system_u:object_r:unlabeled_t
+sid port	system_u:object_r:port_t
+sid netif	system_u:object_r:netif_t
+# netmsg is no longer used.
+sid netmsg	system_u:object_r:unlabeled_t
+sid node	system_u:object_r:node_t
+# These sockets are now labeled with the kernel SID,
+# and do not require their own initial SIDs.
+sid igmp_packet system_u:object_r:unlabeled_t
+sid icmp_socket system_u:object_r:unlabeled_t
+sid tcp_socket  system_u:object_r:unlabeled_t
+# Most of the sysctl SIDs are now computed at runtime
+# from genfs_contexts, so the corresponding initial SIDs
+# are no longer required.
+sid sysctl_modprobe	system_u:object_r:unlabeled_t
+# But we still need the base sysctl initial SID as a default.
+sid sysctl	system_u:object_r:sysctl_t
+sid sysctl_fs	system_u:object_r:unlabeled_t
+sid sysctl_kernel	system_u:object_r:unlabeled_t
+sid sysctl_net	system_u:object_r:unlabeled_t
+sid sysctl_net_unix	system_u:object_r:unlabeled_t
+sid sysctl_vm	system_u:object_r:unlabeled_t
+sid sysctl_dev	system_u:object_r:unlabeled_t
+# No longer used, can be removed.
+sid kmod	system_u:object_r:unlabeled_t
+sid policy	system_u:object_r:unlabeled_t
+sid scmp_packet	system_u:object_r:unlabeled_t
+sid devnull	system_u:object_r:null_device_t
+
+# FLASK
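Review bot: The `can be removed` remarks on `file_labels`, `kmod`, `policy` and `scmp_packet` are misleading given how mkflask.sh numbers initial SIDs: it assigns SECINITSID_* values sequentially with `sid_value++`, so deleting any line renumbers every later SID and breaks agreement with a kernel built from the previous flask.h. Suggest extending the header comment `# sid sidname   context` with `# Order is significant: SECINITSID_* numbers follow file order, so obsolete SIDs must stay in place until the kernel headers are regenerated in lockstep.` and softening each `can be removed` to `unused; kept to preserve SID numbering`.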
diff --git a/strict/local.users b/strict/local.users
new file mode 100644
index 0000000..6dd04d6
--- /dev/null
+++ b/strict/local.users
@@ -0,0 +1,21 @@
+##################################
+#
+# User configuration.
+#
+# This file defines additional users recognized by the system security policy.
+# Only the user identities defined in this file and the system.users file
+# may be used as the user attribute in a security context.
+#
+# Each user has a set of roles that may be entered by processes
+# with the users identity.  The syntax of a user declaration is:
+#
+# 	user username roles role_set [ level default_level range allowed_range ];
+#
+# The MLS default level and allowed range should only be specified if 
+# MLS was enabled in the policy.
+
+# sample for administrative user
+# user jadmin roles { staff_r sysadm_r system_r };
+
+# sample for regular user
+#user jdoe roles { user_r }; 
diff --git a/strict/macros/admin_macros.te b/strict/macros/admin_macros.te
new file mode 100644
index 0000000..ebd92a9
--- /dev/null
+++ b/strict/macros/admin_macros.te
@@ -0,0 +1,207 @@
+#
+# Macros for all admin domains.
+#
+
+#
+# admin_domain(domain_prefix)
+#
+# Define derived types and rules for an administrator domain.
+#
+# The type declaration and role authorization for the domain must be
+# provided separately.  Likewise, domain transitions into this domain
+# must be specified separately.  If the every_domain() rules are desired,
+# then these rules must also be specified separately.
+#
+undefine(`admin_domain')
+define(`admin_domain',`
+# Type for home directory.
+attribute $1_file_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
+type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
+
+# Type and access for pty devices.
+can_create_pty($1)
+
+tmp_domain($1, `, $1_file_type', `{ file dir lnk_file sock_file fifo_file }')
+
+# Type for tty devices.
+type $1_tty_device_t, sysadmfile, ttyfile, dev_fs;
+
+# Inherit rules for ordinary users.
+base_user_domain($1)
+
+allow $1_t self:capability setuid;
+
+ifdef(`su.te', `su_domain($1)')
+ifdef(`userhelper.te', `userhelper_domain($1)')
+ifdef(`sudo.te', `sudo_domain($1)')
+
+# Violates the goal of limiting write access to checkpolicy.
+# But presently necessary for installing the file_contexts file.
+create_dir_file($1_t, policy_config_t)
+r_dir_file($1_t, selinux_config_t)
+
+# Let admin stat the shadow file.
+allow $1_t shadow_t:file getattr;
+
+ifdef(`crond.te', `
+allow $1_crond_t var_log_t:file r_file_perms;
+')
+
+# Allow system log read
+allow $1_t kernel_t:system syslog_read;
+
+# Use capabilities other than sys_module.
+allow $1_t self:capability ~sys_module;
+
+# Get security policy decisions.
+can_getsecurity($1_t)
+
+# Use system operations.
+allow $1_t kernel_t:system *;
+
+# Set password information for other users.
+allow $1_t self:passwd { passwd chfn chsh };
+
+# Skip authentication when pam_rootok is specified.
+allow $1_t self:passwd rootok;
+
+# Manipulate other user crontab.
+allow $1_t self:passwd crontab;
+can_getsecurity(sysadm_crontab_t)
+
+# Change system parameters.
+can_sysctl($1_t)
+
+# Create and use all files that have the sysadmfile attribute.
+allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
+allow $1_t sysadmfile:lnk_file create_lnk_perms;
+allow $1_t sysadmfile:dir create_dir_perms;
+
+# for lsof
+allow $1_t mtrr_device_t:file getattr;
+allow $1_t fs_type:dir getattr;
+
+# Set an exec context, e.g. for runcon.
+can_setexec($1_t)
+
+# Set a context other than the default one for newly created files.
+can_setfscreate($1_t)
+
+# Access removable devices.
+allow $1_t removable_device_t:devfile_class_set rw_file_perms;
+
+# Communicate with the init process.
+allow $1_t initctl_t:fifo_file rw_file_perms;
+
+# Examine all processes.
+can_ps($1_t, domain)
+
+# allow renice
+allow $1_t domain:process setsched;
+
+# Send signals to all processes.
+allow $1_t { domain unlabeled_t }:process signal_perms;
+
+# Access all user terminals.
+allow $1_t tty_device_t:chr_file rw_file_perms;
+allow $1_t ttyfile:chr_file rw_file_perms;
+allow $1_t ptyfile:chr_file rw_file_perms;
+allow $1_t serial_device:chr_file setattr;
+
+# allow setting up tunnels
+allow $1_t tun_tap_device_t:chr_file rw_file_perms;
+
+# run ls -l /dev
+allow $1_t device_t:dir r_dir_perms;
+allow $1_t { device_t device_type }:{ chr_file blk_file } getattr;
+allow $1_t ptyfile:chr_file getattr;
+
+# Run programs from staff home directories.
+# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
+can_exec($1_t, staff_home_t)
+
+# Run programs from /usr/src.
+can_exec($1_t, src_t)
+
+# Run admin programs that require different permissions in their own domain.
+# These rules were moved into the appropriate program domain file.
+
+# added by mayerf at tresys.com
+# The following rules are temporary until such time that a complete
+# policy management infrastructure is in place so that an administrator
+# cannot directly manipulate policy files with arbitrary programs.
+#
+allow $1_t policy_src_t:file create_file_perms;
+allow $1_t policy_src_t:lnk_file create_lnk_perms;
+allow $1_t policy_src_t:dir create_dir_perms;
+
+# Relabel all files.
+# Actually this will not allow relabeling ALL files unless you change
+# sysadmfile to file_type (and change the assertion in assert.te that
+# only auth_write can relabel shadow_t)
+allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
+allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };
+
+ifdef(`startx.te', `
+ifdef(`xserver.te', `
+# Create files in /tmp/.X11-unix with our X servers derived
+# tmp type rather than user_xserver_tmp_t.
+file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
+')dnl end xserver.te
+')dnl end startx.te
+
+ifdef(`xdm.te', `
+ifdef(`xauth.te', `
+if (xdm_sysadm_login) {
+allow xdm_t $1_home_t:lnk_file read;
+allow xdm_t $1_home_t:dir search;
+}
+allow $1_t xdm_t:fifo_file rw_file_perms;
+')dnl end ifdef xauth.te
+')dnl end ifdef xdm.te
+
+#
+# A user who is authorized for sysadm_t may nonetheless have
+# a home directory labeled with user_home_t if the user is expected
+# to login in either user_t or sysadm_t.  Hence, the derived domains
+# for programs need to be able to access user_home_t.  
+# 
+
+# Allow our gph domain to write to .xsession-errors.
+ifdef(`gnome-pty-helper.te', `
+allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
+allow $1_gph_t user_home_type:file create_file_perms;
+')
+
+# Allow our crontab domain to unlink a user cron spool file.
+ifdef(`crontab.te',
+`allow $1_crontab_t user_cron_spool_t:file unlink;')
+
+# for the administrator to run TCP servers directly
+can_tcp_connect($1_t, $1_t)
+allow $1_t port_t:tcp_socket name_bind;
+
+# Connect data port to ftpd.
+ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
+
+# Connect second port to rshd.
+ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
+
+#
+# Allow sysadm to execute quota commands against filesystems and files.
+#
+allow $1_t fs_type:filesystem quotamod;
+
+# Grant read and write access to /dev/console.
+allow $1_t console_device_t:chr_file rw_file_perms;
+
+# Allow MAKEDEV to work
+allow $1_t device_t:dir rw_dir_perms;
+allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
+allow $1_t device_t:lnk_file { create read };
+
+# for lsof
+allow $1_t domain:socket_class_set getattr;
+allow $1_t eventpollfs_t:file getattr;
+')
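Review bot: `can_getsecurity(sysadm_crontab_t)` hard-codes the sysadm prefix inside a macro that is otherwise parameterised on `$1`, and it is not inside the `ifdef(`crontab.te', ...)` guard the neighbouring crontab rules use, so any other admin domain grants the permission to sysadm's crontab domain rather than its own, and a build without crontab.te references an undefined type; presumably the intended line is `ifdef(`crontab.te', `can_getsecurity($1_crontab_t)')` (base_user_macros.te instantiates `crontab_domain($1)`, which I take to define `$1_crontab_t`). Two rules are also redundant and hide the effective grant: `allow $1_t self:capability setuid;` is subsumed by the later `allow $1_t self:capability ~sys_module;`, and `allow $1_t kernel_t:system syslog_read;` by `allow $1_t kernel_t:system *;`. Dropping the narrower duplicates makes the macro's actual privilege level visible at a glance.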
diff --git a/strict/macros/base_user_macros.te b/strict/macros/base_user_macros.te
new file mode 100644
index 0000000..06bd8b3
--- /dev/null
+++ b/strict/macros/base_user_macros.te
@@ -0,0 +1,378 @@
+#
+# Macros for all user login domains.
+#
+
+define(`network_home_dir', `
+create_dir_file($1, $2)
+can_exec($1, $2)
+allow $1 $2:{ sock_file fifo_file } create_file_perms;
+')
+
+#
+# base_user_domain(domain_prefix)
+#
+# Define derived types and rules for an ordinary user domain.
+#
+# The type declaration and role authorization for the domain must be
+# provided separately.  Likewise, domain transitions into this domain
+# must be specified separately.  
+#
+
+# base_user_domain() is also called by the admin_domain() macro
+undefine(`base_user_domain')
+define(`base_user_domain', `
+
+allow $1_t self:capability { setgid chown fowner };
+dontaudit $1_t self:capability { sys_nice fsetid };
+
+# $1_r is authorized for $1_t for the initial login domain.
+role $1_r types $1_t;
+allow system_r $1_r;
+
+r_dir_file($1_t, usercanread)
+
+# Grant permissions within the domain.
+general_domain_access($1_t)
+
+if (allow_execmem) {
+# Allow loading DSOs that require executable stack.
+allow $1_t self:process execmem;
+}
+
+if (allow_execmod) {
+# Allow text relocations on system shared libraries, e.g. libGL.
+allow $1_t texrel_shlib_t:file execmod;
+}
+
+#
+# kdeinit wants this access
+#
+allow $1_t device_t:dir { getattr search };
+
+# Find CDROM devices
+r_dir_file($1_t, sysctl_dev_t)
+# for eject
+allow $1_t fixed_disk_device_t:blk_file getattr;
+
+allow $1_t fs_type:dir getattr;
+
+allow $1_t event_device_t:chr_file { getattr read ioctl };
+
+# open office is looking for the following
+allow $1_t dri_device_t:chr_file getattr;
+dontaudit $1_t dri_device_t:chr_file rw_file_perms;
+
+file_browse_domain($1_t)
+
+# allow ptrace
+can_ptrace($1_t, $1_t)
+
+# Create, access, and remove files in home directory.
+file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t)
+allow $1_t $1_home_t:notdevfile_class_set { relabelfrom relabelto };
+can_setfscreate($1_t)
+
+allow $1_t autofs_t:dir { search getattr };
+
+if (use_nfs_home_dirs) {
+network_home_dir($1_t, nfs_t)
+}
+
+if (use_samba_home_dirs) {
+network_home_dir($1_t, cifs_t)
+}
+
+can_exec($1_t, { removable_t noexattrfile } )
+if (user_rw_noexattrfile) {
+create_dir_file($1_t, noexattrfile)
+create_dir_file($1_t, removable_t)
+# Write floppies 
+allow $1_t removable_device_t:blk_file rw_file_perms;
+allow $1_t usbtty_device_t:chr_file write;
+} else {
+r_dir_file($1_t, noexattrfile)
+r_dir_file($1_t, removable_t)
+allow $1_t removable_device_t:blk_file r_file_perms;
+}
+allow $1_t usbtty_device_t:chr_file read;
+
+# GNOME checks for usb and other devices
+rw_dir_file($1_t,usbfs_t)
+
+can_exec($1_t, noexattrfile)
+# Bind to a Unix domain socket in /tmp.
+allow $1_t $1_tmp_t:unix_stream_socket name_bind;
+
+# Access ttys.
+allow $1_t privfd:fd use;
+allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
+
+# Use the type when relabeling terminal devices.
+type_change $1_t tty_device_t:chr_file $1_tty_device_t;
+
+# read localization information
+read_locale($1_t)
+
+# Debian login is from shadow utils and does not allow resetting the perms.
+# have to fix this!
+type_change $1_t ttyfile:chr_file $1_tty_device_t;
+
+# for running TeX programs
+r_dir_file($1_t, tetex_data_t)
+can_exec($1_t, tetex_data_t)
+
+# Use the type when relabeling pty devices.
+type_change $1_t server_pty:chr_file $1_devpts_t;
+
+tmpfs_domain($1)
+
+ifdef(`cardmgr.te', `
+# to allow monitoring of pcmcia status
+allow $1_t cardmgr_var_run_t:file { getattr read };
+')
+
+# Read and write /var/catman.
+allow $1_t catman_t:dir rw_dir_perms;
+allow $1_t catman_t:file create_file_perms;
+
+# Modify mail spool file.
+allow $1_t mail_spool_t:dir r_dir_perms;
+allow $1_t mail_spool_t:file rw_file_perms;
+allow $1_t mail_spool_t:lnk_file read;
+
+#
+# Allow graphical boot to check battery lifespan
+#
+ifdef(`apmd.te', `
+allow $1_t apmd_t:unix_stream_socket connectto;
+allow $1_t apmd_var_run_t:sock_file write;
+')
+
+#
+# Allow the query of filesystem quotas
+#
+allow $1_t fs_type:filesystem quotaget;
+
+# Run helper programs.
+can_exec_any($1_t)
+# Run programs developed by other users in the same domain.
+can_exec($1_t, $1_home_t)
+can_exec($1_t, $1_tmp_t)
+
+# Run user programs that require different permissions in their own domain.
+# These rules were moved into the individual program domains.
+
+# Instantiate derived domains for a number of programs.
+# These derived domains encode both information about the calling
+# user domain and the program, and allow us to maintain separation
+# between different instances of the program being run by different
+# user domains.
+ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)')
+ifdef(`chkpwd.te', `chkpwd_domain($1)')
+ifdef(`fingerd.te', `fingerd_macro($1)')
+ifdef(`mta.te', `mail_domain($1)')
+ifdef(`crontab.te', `crontab_domain($1)')
+
+ifdef(`screen.te', `screen_domain($1)')
+ifdef(`tvtime.te', `tvtime_domain($1)')
+ifdef(`mozilla.te', `mozilla_domain($1)')
+ifdef(`samba.te', `samba_domain($1)')
+ifdef(`games.te', `games_domain($1)')
+ifdef(`gpg.te', `gpg_domain($1)')
+ifdef(`xauth.te', `xauth_domain($1)')
+ifdef(`startx.te', `xserver_domain($1)')
+ifdef(`lpr.te', `lpr_domain($1)')
+ifdef(`ssh.te', `ssh_domain($1)')
+ifdef(`irc.te', `irc_domain($1)')
+ifdef(`using_spamassassin', `spamassassin_domain($1)')
+ifdef(`uml.te', `uml_domain($1)')
+ifdef(`cdrecord.te', `cdrecord_domain($1)')
+ifdef(`mplayer.te', `mplayer_domains($1)')
+ifdef(`gift.te', `gift_domains($1)')
+
+# Instantiate a derived domain for user cron jobs.
+ifdef(`crond.te', `crond_domain($1)')
+
+ifdef(`vmware.te', `vmware_domain($1)')
+
+if (user_direct_mouse) {
+# Read the mouse.
+allow $1_t mouse_device_t:chr_file r_file_perms;
+}
+# Access other miscellaneous devices.
+allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms;
+allow $1_t device_t:lnk_file { getattr read };
+
+can_resmgrd_connect($1_t)
+
+#
+# evolution and gnome-session try to create a netlink socket
+#
+dontaudit $1_t self:netlink_socket create_socket_perms;
+dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;
+
+# Use the network.
+can_network($1_t)
+can_ypbind($1_t)
+
+ifdef(`pamconsole.te', `
+allow $1_t pam_var_console_t:dir search;
+')
+
+allow $1_t var_lock_t:dir search;
+
+# Grant permissions to access the system DBus
+ifdef(`dbusd.te', `
+dbusd_client(system, $1)
+can_network_server_tcp($1_dbusd_t)
+allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
+
+allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+dbusd_client($1, $1)
+allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
+dbusd_domain($1)
+ifdef(`hald.te', `
+allow $1_t hald_t:dbus send_msg;
+allow hald_t $1_t:dbus send_msg;
+') dnl end ifdef hald.te
+') dnl end ifdef dbus.te
+
+# allow port_t name binding for UDP because it is not very usable otherwise
+allow $1_t port_t:udp_socket name_bind;
+
+# Gnome pannel binds to the following
+ifdef(`cups.te', `
+allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
+')
+
+# for perl
+dontaudit $1_t net_conf_t:file ioctl;
+
+# Communicate within the domain.
+can_udp_send($1_t, self)
+
+# Connect to inetd.
+ifdef(`inetd.te', `
+can_tcp_connect($1_t, inetd_t)
+can_udp_send($1_t, inetd_t)
+can_udp_send(inetd_t, $1_t)
+')
+
+# Connect to portmap.
+ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
+
+# Inherit and use sockets from inetd
+ifdef(`inetd.te', `
+allow $1_t inetd_t:fd use;
+allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;')
+
+# Very permissive allowing every domain to see every type.
+allow $1_t kernel_t:system ipc_info;
+
+# When the user domain runs ps, there will be a number of access
+# denials when ps tries to search /proc.  Do not audit these denials.
+dontaudit $1_t domain:dir r_dir_perms;
+dontaudit $1_t domain:notdevfile_class_set r_file_perms;
+dontaudit $1_t domain:process { getattr getsession };
+#
+# Cups daemon running as user tries to write /etc/printcap
+#
+dontaudit $1_t usr_t:file setattr;
+
+ifdef(`xserver.te', `
+# for /tmp/.ICE-unix
+file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
+allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
+')
+
+ifdef(`xdm.te', `
+# Connect to the X server run by the X Display Manager.
+can_unix_connect($1_t, xdm_t)
+allow $1_t xdm_tmp_t:sock_file rw_file_perms;
+allow $1_t xdm_tmp_t:dir r_dir_perms;
+allow $1_t xdm_tmp_t:file { getattr read };
+allow $1_t xdm_xserver_tmp_t:sock_file { read write };
+allow $1_t xdm_xserver_tmp_t:dir search;
+allow $1_t xdm_xserver_t:unix_stream_socket connectto;
+# certain apps want to read xdm.pid file
+r_dir_file($1_t, xdm_var_run_t)
+allow $1_t xdm_var_lib_t:file { getattr read };
+allow xdm_t $1_home_dir_t:dir getattr;
+ifdef(`xauth.te', `
+file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
+')
+
+# for shared memory
+allow xdm_xserver_t $1_tmpfs_t:file { read write };
+
+')dnl end ifdef xdm.te
+
+# Access the sound device.
+allow $1_t sound_device_t:chr_file { getattr read write ioctl };
+
+# Access the power device.
+allow $1_t power_device_t:chr_file { getattr read write ioctl };
+
+allow $1_t var_log_t:dir { getattr search };
+dontaudit $1_t logfile:file getattr;
+
+# Check to see if cdrom is mounted
+allow $1_t mnt_t:dir { getattr search };
+
+# Get attributes of file systems.
+allow $1_t fs_type:filesystem getattr;
+allow $1_t removable_t:filesystem getattr;
+
+# Read and write /dev/tty and /dev/null.
+allow $1_t devtty_t:chr_file rw_file_perms;
+allow $1_t null_device_t:chr_file rw_file_perms;
+allow $1_t zero_device_t:chr_file { rw_file_perms execute };
+allow $1_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
+#
+# Added to allow reading of cdrom
+#
+allow $1_t rpc_pipefs_t:dir getattr;
+allow $1_t nfsd_fs_t:dir getattr;
+allow $1_t binfmt_misc_fs_t:dir getattr;
+
+# /initrd is left mounted, various programs try to look at it
+dontaudit $1_t ramfs_t:dir getattr;
+
+#
+# Emacs wants this access
+#
+allow $1_t wtmp_t:file r_file_perms;
+dontaudit $1_t wtmp_t:file write;
+
+# Read the devpts root directory.
+allow $1_t devpts_t:dir r_dir_perms;
+
+allow $1_t src_t:dir r_dir_perms;
+allow $1_t src_t:notdevfile_class_set r_file_perms;
+
+if (read_default_t) {
+allow $1_t default_t:dir r_dir_perms;
+allow $1_t default_t:notdevfile_class_set r_file_perms;
+}
+
+read_sysctl($1_t);
+
+#
+# Caused by su - init scripts
+#
+dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };
+
+#
+# Running ifconfig as a user generates the following
+#
+dontaudit $1_t self:socket create;
+dontaudit $1_t sysctl_net_t:dir search;
+
+dontaudit $1_t default_context_t:dir search;
+
+ifdef(`rpcd.te', `
+create_dir_file($1_t, nfsd_rw_t)
+')
+
+')dnl end base_user_domain macro
+
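Review bot: `can_exec($1_t, noexattrfile)` under the `GNOME checks for usb` block repeats the `can_exec($1_t, { removable_t noexattrfile } )` rule issued a few lines earlier and can be dropped. The closing marker `') dnl end ifdef dbus.te` does not match the `ifdef(`dbusd.te', ...)` it closes; make it `') dnl end ifdef dbusd.te` so the nesting can be followed. `read_sysctl($1_t);` carries a trailing semicolon that no other macro invocation in the file has; it is harmless only if checkpolicy tolerates an empty statement, so remove it for consistency.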
diff --git a/strict/macros/core_macros.te b/strict/macros/core_macros.te
new file mode 100644
index 0000000..6b4e5be
--- /dev/null
+++ b/strict/macros/core_macros.te
@@ -0,0 +1,696 @@
+
+##############################
+#
+# core macros for the type enforcement (TE) configuration.
+#
+
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil>, Timothy Fraser  
+#           Howard Holm (NSA) <hdholm at epoch.ncsc.mil>
+#           Russell Coker <russell at coker.com.au>
+#
+
+#################################
+# 
+# Macros for groups of classes and 
+# groups of permissions.
+#
+
+#
+# All directory and file classes
+#
+define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# All non-directory file classes.
+#
+define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# Non-device file classes.
+#
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+
+#
+# Device file classes.
+#
+define(`devfile_class_set', `{ chr_file blk_file }')
+
+#
+# All socket classes.
+#
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket }')
+
+
+#
+# Datagram socket classes.
+# 
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+
+#
+# Stream socket classes.
+#
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+
+#
+# Unprivileged socket classes (exclude rawip, netlink, packet).
+#
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+
+# 
+# Permissions for getting file attributes.
+#
+define(`stat_file_perms', `{ getattr }')
+
+# 
+# Permissions for executing files.
+#
+define(`x_file_perms', `{ getattr execute }')
+
+# 
+# Permissions for reading files and their attributes.
+#
+define(`r_file_perms', `{ read getattr lock ioctl }')
+
+# 
+# Permissions for reading and executing files.
+#
+define(`rx_file_perms', `{ read getattr lock execute ioctl }')
+
+# 
+# Permissions for reading and writing files and their attributes.
+#
+define(`rw_file_perms', `{ ioctl read getattr lock write append }')
+
+# 
+# Permissions for reading and appending to files.
+#
+define(`ra_file_perms', `{ ioctl read getattr lock append }')
+
+#
+# Permissions for linking, unlinking and renaming files.
+# 
+define(`link_file_perms', `{ getattr link unlink rename }')
+
+#
+# Permissions for creating lnk_files.
+#
+define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
+
+#
+# Permissions for creating and using files.
+# 
+define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
+
+# 
+# Permissions for reading directories and their attributes.
+#
+define(`r_dir_perms', `{ read getattr lock search ioctl }')
+
+# 
+# Permissions for reading and writing directories and their attributes.
+#
+define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
+
+# 
+# Permissions for reading and adding names to directories.
+#
+define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
+
+
+#
+# Permissions for creating and using directories.
+# 
+define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
+
+#
+# Permissions to mount and unmount file systems.
+#
+define(`mount_fs_perms', `{ mount remount unmount getattr }')
+
+#
+# Permissions for using sockets.
+# 
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`create_socket_perms', `{ create rw_socket_perms }')
+
+#
+# Permissions for using stream sockets.
+# 
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+
+#
+# Permissions for creating and using stream sockets.
+# 
+define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
+
+
+#
+# Permissions for creating and using netlink sockets.
+# 
+define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that modify state.
+# 
+define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that observe state.
+# 
+define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
+
+#
+# Permissions for sending all signals.
+#
+define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
+
+#
+# Permissions for sending and receiving network packets.
+#
+define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
+
+#
+# Permissions for using System V IPC
+#
+define(`r_sem_perms', `{ associate getattr read unix_read }')
+define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
+define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
+define(`r_msgq_perms', `{ associate getattr read unix_read }')
+define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
+define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
+define(`r_shm_perms', `{ associate getattr read unix_read }')
+define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
+define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
+
+#################################
+# 
+# Macros for type transition rules and
+# access vector rules.
+#
+
+#
+# Simple combinations for reading and writing both
+# directories and files.
+# 
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:file r_file_perms;
+allow $1 $2:lnk_file { getattr read };
+')
+
+define(`rw_dir_file', `
+allow $1 $2:dir rw_dir_perms;
+allow $1 $2:file rw_file_perms;
+allow $1 $2:lnk_file { getattr read };
+')
+
+define(`ra_dir_file', `
+allow $1 $2:dir ra_dir_perms;
+allow $1 $2:file ra_file_perms;
+allow $1 $2:lnk_file { getattr read };
+')
+
+define(`ra_dir_create_file', `
+allow $1 $2:dir ra_dir_perms;
+allow $1 $2:file { create ra_file_perms };
+allow $1 $2:lnk_file { create read getattr };
+')
+
+define(`rw_dir_create_file', `
+allow $1 $2:dir rw_dir_perms;
+allow $1 $2:file create_file_perms;
+allow $1 $2:lnk_file create_lnk_perms;
+')
+
+define(`create_dir_file', `
+allow $1 $2:dir create_dir_perms;
+allow $1 $2:file create_file_perms;
+allow $1 $2:lnk_file create_lnk_perms;
+')
+
+define(`create_dir_notdevfile', `
+allow $1 $2:dir create_dir_perms;
+allow $1 $2:{ file sock_file fifo_file } create_file_perms;
+allow $1 $2:lnk_file create_lnk_perms;
+')
+
+define(`create_append_log_file', `
+allow $1 $2:dir { read getattr search add_name write };
+allow $1 $2:file { create ioctl getattr setattr append link };
+')
+
+##################################
+#
+# can_ps(domain1, domain2)
+#
+# Authorize domain1 to see /proc entries for domain2 (see it in ps output)
+#
+define(`can_ps',`
+allow $1 $2:dir { search getattr read };
+allow $1 $2:{ file lnk_file } { read getattr };
+allow $1 $2:process getattr;
+# We need to suppress this denial because procps tries to access
+# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+# running in a privileged domain.
+dontaudit $1 $2:process ptrace;
+')
+
+##################################
+#
+# can_getsecurity(domain)
+#
+# Authorize a domain to get security policy decisions.
+#
+define(`can_getsecurity',`
+# Get the selinuxfs mount point via /proc/self/mounts.
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } { getattr read };
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+# Access selinuxfs.
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user };
+')
+
+##################################
+#
+# can_setenforce(domain)
+#
+# Authorize a domain to set the enforcing flag.
+# Due to its sensitivity, always audit this permission.
+#
+define(`can_setenforce',`
+# Get the selinuxfs mount point via /proc/self/mounts.
+allow $1 proc_t:dir search;
+allow $1 proc_t:lnk_file read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+# Access selinuxfs.
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security setenforce;
+auditallow $1 security_t:security setenforce;
+')
+
+##################################
+#
+# can_setbool(domain)
+#
+# Authorize a domain to set a policy boolean.
+# Due to its sensitivity, always audit this permission.
+#
+define(`can_setbool',`
+# Get the selinuxfs mount point via /proc/self/mounts.
+allow $1 proc_t:dir search;
+allow $1 proc_t:lnk_file read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+# Access selinuxfs.
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security setbool;
+auditallow $1 security_t:security setbool;
+')
+
+##################################
+#
+# can_setsecparam(domain)
+#
+# Authorize a domain to set security parameters.
+# Due to its sensitivity, always audit this permission.
+#
+define(`can_setsecparam',`
+# Get the selinuxfs mount point via /proc/self/mounts.
+allow $1 proc_t:dir search;
+allow $1 proc_t:lnk_file read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+# Access selinuxfs.
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security setsecparam;
+auditallow $1 security_t:security setsecparam;
+')
+
+##################################
+#
+# can_loadpol(domain)
+#
+# Authorize a domain to load a policy configuration.
+# Due to its sensitivity, always audit this permission.
+#
+define(`can_loadpol',`
+# Get the selinuxfs mount point via /proc/self/mounts.
+allow $1 proc_t:dir search;
+allow $1 proc_t:lnk_file read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+# Access selinuxfs.
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security load_policy;
+auditallow $1 security_t:security load_policy;
+')
+
+#################################
+#
+# domain_trans(parent_domain, program_type, child_domain)
+#
+# Permissions for transitioning to a new domain.
+#
+
+define(`domain_trans',`
+
+#
+# Allow the process to transition to the new domain.
+#
+allow $1 $3:process transition;
+
+#
+# Do not audit when glibc secure mode is enabled upon the transition.
+#
+dontaudit $1 $3:process noatsecure;
+
+#
+# Do not audit when signal-related state is cleared upon the transition.
+#
+dontaudit $1 $3:process siginh;
+
+#
+# Do not audit when resource limits are reset upon the transition.
+#
+dontaudit $1 $3:process rlimitinh;
+
+#
+# Allow the process to execute the program.
+# 
+allow $1 $2:file { read x_file_perms };
+
+#
+# Allow the process to reap the new domain.
+#
+allow $3 $1:process sigchld;
+
+#
+# Allow the new domain to inherit and use file 
+# descriptions from the creating process and vice versa.
+#
+allow $3 $1:fd use;
+allow $1 $3:fd use;
+
+#
+# Allow the new domain to write back to the old domain via a pipe.
+#
+allow $3 $1:fifo_file rw_file_perms;
+
+#
+# Allow the new domain to read and execute the program.
+#
+allow $3 $2:file rx_file_perms;
+
+#
+# Allow the new domain to be entered via the program.
+#
+allow $3 $2:file entrypoint;
+')
+
+#################################
+#
+# domain_auto_trans(parent_domain, program_type, child_domain)
+#
+# Define a default domain transition and allow it.
+#
+define(`domain_auto_trans',`
+domain_trans($1,$2,$3)
+type_transition $1 $2:process $3;
+')
+
+#################################
+#
+# can_ptrace(domain, domain)
+#
+# Permissions for running ptrace (strace or gdb) on another domain
+#
+define(`can_ptrace',`
+allow $1 $2:process ptrace;
+allow $2 $1:process sigchld;
+')
+
+#################################
+#
+# can_exec(domain, type)
+#
+# Permissions for executing programs with
+# a specified type without changing domains.
+#
+define(`can_exec',`
+allow $1 $2:file { rx_file_perms execute_no_trans };
+')
+
+# this is an internal macro used by can_create
+define(`can_create_internal', `
+ifelse(`$3', `dir', `
+allow $1 $2:$3 create_dir_perms;
+', `$3', `lnk_file', `
+allow $1 $2:$3 create_lnk_perms;
+', `
+allow $1 $2:$3 create_file_perms;
+')dnl end if dir
+')dnl end can_create_internal
+
+
+#################################
+#
+# can_create(domain, file_type, object_class)
+#
+# Permissions for creating files of the specified type and class
+#
+define(`can_create', `
+ifelse(regexp($3, `\w'), -1, `', `
+can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1'))
+
+can_create($1, $2, regexp($3, `\w+\(.*\)', `\1'))
+')
+')
+#################################
+#
+# file_type_trans(domain, dir_type, file_type)
+#
+# Permissions for transitioning to a new file type.
+#
+
+define(`file_type_trans',`
+
+#
+# Allow the process to modify the directory.
+#
+allow $1 $2:dir rw_dir_perms;
+
+#
+# Allow the process to create the file.
+#
+ifelse(`$4', `', `
+can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }')
+', `
+can_create($1, $3, $4)
+')dnl end if param 4 specified
+
+')
+
+#################################
+#
+# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class)
+#
+# the object class will default to notdevfile_class_set if not specified as
+# the fourth parameter
+#
+# Define a default file type transition and allow it.
+#
+define(`file_type_auto_trans',`
+ifelse(`$4', `', `
+file_type_trans($1,$2,$3)
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+', `
+file_type_trans($1,$2,$3,$4)
+type_transition $1 $2:$4 $3;
+')dnl end ifelse
+
+')
+
+
+#################################
+#
+# can_unix_connect(client, server)
+#
+# Permissions for establishing a Unix stream connection.
+#
+define(`can_unix_connect',`
+allow $1 $2:unix_stream_socket connectto;
+')
+
+#################################
+#
+# can_unix_send(sender, receiver)
+#
+# Permissions for sending Unix datagrams.
+#
+define(`can_unix_send',`
+allow $1 $2:unix_dgram_socket sendto;
+')
+
+#################################
+#
+# can_tcp_connect(client, server)
+#
+# Permissions for establishing a TCP connection.
+# Irrelevant until we have labeled networking.
+#
+define(`can_tcp_connect',`
+#allow $1 $2:tcp_socket { connectto recvfrom };
+#allow $2 $1:tcp_socket { acceptfrom recvfrom };
+#allow $2 kernel_t:tcp_socket recvfrom;
+#allow $1 kernel_t:tcp_socket recvfrom;
+')
+
+#################################
+#
+# can_udp_send(sender, receiver)
+#
+# Permissions for sending/receiving UDP datagrams.
+# Irrelevant until we have labeled networking.
+#
+define(`can_udp_send',`
+#allow $1 $2:udp_socket sendto;
+#allow $2 $1:udp_socket recvfrom;
+')
+
+
+##################################
+#
+# base_pty_perms(domain_prefix)
+#
+# Base permissions used for can_create_pty() and can_create_other_pty()
+#
+define(`base_pty_perms', `
+# Access the pty master multiplexer.
+allow $1_t ptmx_t:chr_file rw_file_perms;
+
+allow $1_t devpts_t:filesystem getattr;
+
+# allow searching /dev/pts
+allow $1_t devpts_t:dir { getattr read search };
+
+# ignore old BSD pty devices
+dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
+')
+
+
+##################################
+#
+# pty_slave_label(domain_prefix, attributes)
+#
+# give access to a slave pty but do not allow creating new ptys
+#
+define(`pty_slave_label', `
+type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
+
+# Allow the pty to be associated with the file system.
+allow $1_devpts_t devpts_t:filesystem associate;
+
+# Label pty files with a derived type.
+type_transition $1_t devpts_t:chr_file $1_devpts_t;
+
+# Read and write my pty files.
+allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
+')
+
+
+##################################
+#
+# can_create_pty(domain_prefix, attributes)
+#
+# Permissions for creating ptys.
+#
+define(`can_create_pty',`
+base_pty_perms($1)
+pty_slave_label($1, `$2')
+')
+
+
+##################################
+#
+# can_create_other_pty(domain_prefix,other_domain)
+#
+# Permissions for creating ptys for another domain.
+#
+define(`can_create_other_pty',`
+base_pty_perms($1)
+# Label pty files with a derived type.
+type_transition $1_t devpts_t:chr_file $2_devpts_t;
+
+# Read and write pty files.
+allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
+')
+
+
+#
+# general_domain_access(domain)
+#
+# Grant permissions within the domain.
+# This includes permissions to processes, /proc/PID files,
+# file descriptors, pipes, Unix sockets, and System V IPC objects
+# labeled with the domain.
+#
+define(`general_domain_access',`
+# Access other processes in the same domain.
+# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, and execmem.  
+# These must be granted separately if desired.
+allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem};
+
+# Access /proc/PID files for processes in the same domain.
+allow $1 self:dir r_dir_perms;
+allow $1 self:notdevfile_class_set r_file_perms;
+
+# Access file descriptions, pipes, and sockets
+# created by processes in the same domain.
+allow $1 self:fd *;
+allow $1 self:fifo_file rw_file_perms;
+allow $1 self:unix_dgram_socket create_socket_perms;
+allow $1 self:unix_stream_socket create_stream_socket_perms;
+
+# Allow the domain to communicate with other processes in the same domain.
+allow $1 self:unix_dgram_socket sendto;
+allow $1 self:unix_stream_socket connectto;
+
+# Access System V IPC objects created by processes in the same domain.
+allow $1 self:sem  create_sem_perms;
+allow $1 self:msg  { send receive };
+allow $1 self:msgq create_msgq_perms;
+allow $1 self:shm  create_shm_perms;
+allow $1 unpriv_userdomain:fd use;
+#
+# Every app is asking for ypbind so I am adding this here, 
+# eventually this should become can_nsswitch
+#
+can_ypbind($1)
+allow $1 autofs_t:dir { search getattr };
+')dnl end general_domain_access
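Review bot: The header of `general_domain_access` (the macro ending here) says it grants permissions within the domain, but the last three rules reach outside it: `allow $1 unpriv_userdomain:fd use;`, `can_ypbind($1)` and `allow $1 autofs_t:dir { search getattr };` apply to every domain that uses the macro, and only the ypbind rule carries a comment. Either the header should state this, e.g. `# Also grants access outside the domain: use of fds inherited from unpriv_userdomain, ypbind lookups (see can_ypbind) and search of autofs_t directories.`, or the two uncommented rules should each get a one-line why-comment like the ypbind one. In the permission-set section, `rw_netlink_socket_perms` is defined identically to `create_netlink_socket_perms` (both `{ create_socket_perms nlmsg_read nlmsg_write }`) although their comments describe different contracts ("creating and using" versus "operations that modify state"); either define one in terms of the other or align the comments. Likewise `connected_socket_perms` and `connected_stream_socket_perms` both carry the copy-pasted comment "Permissions for creating and using sockets", which hides that they are `create_socket_perms` without `connect`.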
diff --git a/strict/macros/global_macros.te b/strict/macros/global_macros.te
new file mode 100644
index 0000000..cfb47cd
--- /dev/null
+++ b/strict/macros/global_macros.te
@@ -0,0 +1,739 @@
+##############################
+#
+# Global macros for the type enforcement (TE) configuration.
+#
+
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#           Howard Holm (NSA) <hdholm at epoch.ncsc.mil>
+#           Russell Coker <russell at coker.com.au>
+#
+#
+#
+
+##################################
+#
+# can_setexec(domain)
+#
+# Authorize a domain to set its exec context
+# (via /proc/pid/attr/exec).
+#
+define(`can_setexec',`
+allow $1 self:process setexec;
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read write };
+')
+
+##################################
+#
+# can_getcon(domain)
+#
+# Authorize a domain to get its context
+# (via /proc/pid/attr/current).
+#
+define(`can_getcon',`
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+allow $1 self:process getattr;
+')
+
+##################################
+#
+# can_setcon(domain)
+#
+# Authorize a domain to set its current context
+# (via /proc/pid/attr/current).
+#
+define(`can_setcon',`
+allow $1 self:process setcurrent;
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read write };
+')
+
+##################################
+# read_sysctl(domain)
+#
+# Permissions for reading sysctl variables.
+# If the second parameter is 'full', allow
+# reading of any sysctl variables, else only
+# sysctl_kernel_t.
+#
+define(`read_sysctl', `
+# Read system variables in /sys.
+ifelse($2,`full', `
+allow $1 sysctl_type:dir r_dir_perms;
+allow $1 sysctl_type:file r_file_perms;
+', `
+allow $1 sysctl_t:dir search;
+allow $1 sysctl_kernel_t:dir search;
+allow $1 sysctl_kernel_t:file { getattr read };
+')
+
+')dnl read_sysctl
+
+##################################
+#
+# can_setfscreate(domain)
+#
+# Authorize a domain to set its fscreate context
+# (via /proc/pid/attr/fscreate).
+#
+define(`can_setfscreate',`
+allow $1 self:process setfscreate;
+allow $1 proc_t:dir search;
+allow $1 proc_t:{ file lnk_file } read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read write };
+')
+
+#################################
+#
+# uses_shlib(domain)
+#
+# Permissions for using shared libraries.
+#
+define(`uses_shlib',`
+allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms;
+allow $1 lib_t:lnk_file r_file_perms;
+allow $1 ld_so_t:file rx_file_perms;
+#allow $1 ld_so_t:file execute_no_trans;
+allow $1 ld_so_t:lnk_file r_file_perms;
+allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
+allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
+allow $1 ld_so_cache_t:file r_file_perms;
+allow $1 device_t:dir search;
+allow $1 null_device_t:chr_file rw_file_perms;
+')
+
+#################################
+#
+# can_exec_any(domain)
+#
+# Permissions for executing a variety
+# of executable types.
+#
+define(`can_exec_any',`
+allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms;
+allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read };
+uses_shlib($1)
+can_exec($1, etc_t)
+can_exec($1, lib_t)
+can_exec($1, bin_t)
+can_exec($1, sbin_t)
+can_exec($1, exec_type)
+can_exec($1, ld_so_t)
+')
+
+
+#################################
+#
+# can_sysctl(domain)
+#
+# Permissions for modifying sysctl parameters.
+#
+define(`can_sysctl',`
+allow $1 sysctl_type:dir r_dir_perms;
+allow $1 sysctl_type:file { setattr rw_file_perms };
+')
+
+
+##################################
+#
+# read_locale(domain)
+#
+# Permissions for reading the locale data,
+# /etc/localtime and the files that it links to
+#
+define(`read_locale', `
+allow $1 etc_t:lnk_file read;
+allow $1 lib_t:file r_file_perms;
+r_dir_file($1, locale_t)
+')
+
+
+###################################
+#
+# access_terminal(domain, typeprefix)
+#
+# Permissions for accessing the terminal
+#
+define(`access_terminal', `
+allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
+allow $1 devtty_t:chr_file { read write getattr ioctl };
+allow $1 devpts_t:dir { read search getattr };
+allow $1 $2_devpts_t:chr_file { read write getattr ioctl };
+') 
+
+#
+# general_proc_read_access(domain)
+#
+# Grant read/search permissions to most of /proc, excluding
+# the /proc/PID directories and the /proc/kmsg and /proc/kcore files.
+# The general_domain_access macro grants access to the domain /proc/PID
+# directories, but not to other domains.  Only permissions to stat
+# are granted for /proc/kmsg and /proc/kcore, since these files are more
+# sensitive.
+# 
+define(`general_proc_read_access',`
+# Read system information files in /proc.
+r_dir_file($1, proc_t)
+r_dir_file($1, proc_net_t)
+allow $1 proc_mdstat_t:file r_file_perms;
+
+# Stat /proc/kmsg and /proc/kcore.
+allow $1 proc_fs:file stat_file_perms;
+
+# Read system variables in /proc/sys.
+read_sysctl($1)
+')
+
+#
+# base_file_read_access(domain)
+#
+# Grant read/search permissions to a few system file types.
+#
+define(`base_file_read_access',`
+# Read /.
+allow $1 root_t:dir r_dir_perms;
+allow $1 root_t:notdevfile_class_set r_file_perms;
+
+# Read /home.
+allow $1 home_root_t:dir r_dir_perms;
+
+# Read /usr.
+allow $1 usr_t:dir r_dir_perms;
+allow $1 usr_t:notdevfile_class_set r_file_perms;
+
+# Read bin and sbin directories.
+allow $1 bin_t:dir r_dir_perms;
+allow $1 bin_t:notdevfile_class_set r_file_perms;
+allow $1 sbin_t:dir r_dir_perms;
+allow $1 sbin_t:notdevfile_class_set r_file_perms;
+read_sysctl($1)
+
+r_dir_file($1, selinux_config_t)
+
+if (read_default_t) {
+#
+# Read default_t
+#.
+allow $1 default_t:dir r_dir_perms;
+allow $1 default_t:notdevfile_class_set r_file_perms;
+}
+
+')
+
+#######################
+# daemon_core_rules(domain_prefix, attribs)
+#
+# Define the core rules for a daemon, used by both daemon_base_domain() and
+# init_service_domain().
+# Attribs is the list of attributes which must start with "," if it is not empty
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+define(`daemon_core_rules', `
+type $1_t, domain, privlog, daemon $2;
+type $1_exec_t, file_type, sysadmfile, exec_type;
+dontaudit $1_t self:capability sys_tty_config;
+
+role system_r types $1_t;
+
+# Inherit and use descriptors from init.
+allow $1_t init_t:fd use;
+allow $1_t init_t:process sigchld;
+allow $1_t self:process { signal_perms fork };
+
+uses_shlib($1_t)
+
+allow $1_t { self proc_t }:dir r_dir_perms;
+allow $1_t { self proc_t }:lnk_file read;
+
+allow $1_t device_t:dir r_dir_perms;
+ifdef(`udev.te', `
+allow $1_t udev_tdb_t:file r_file_perms;
+')dnl end if udev.te
+allow $1_t null_device_t:chr_file rw_file_perms;
+dontaudit $1_t console_device_t:chr_file rw_file_perms;
+dontaudit $1_t unpriv_userdomain:fd use;
+
+r_dir_file($1_t, sysfs_t) 
+
+allow $1_t autofs_t:dir { search getattr };
+ifdef(`targeted_policy', `
+dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
+dontaudit $1_t root_t:file { getattr read };
+')dnl end if targeted_policy
+ 
+')dnl end macro daemon_core_rules
+
+#######################
+# init_service_domain(domain_prefix, attribs)
+#
+# Define a domain for a program that is run from init
+# Attribs is the list of attributes which must start with "," if it is not empty
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+define(`init_service_domain', `
+daemon_core_rules($1, `$2')
+
+domain_auto_trans(init_t, $1_exec_t, $1_t)
+')dnl
+
+#######################
+# daemon_base_domain(domain_prefix, attribs)
+#
+# Define a daemon domain with a base set of type declarations
+# and permissions that are common to most daemons.
+# attribs is the list of attributes which must start with "," if it is not empty
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+define(`daemon_base_domain', `
+daemon_core_rules($1, `$2')
+
+rhgb_domain($1_t)
+
+read_sysctl($1_t)
+
+ifdef(`direct_sysadm_daemon', `
+dontaudit $1_t admin_tty_type:chr_file rw_file_perms;
+')
+
+#
+# Allows user to define a tunable to disable domain transition
+#
+ifelse(index(`$2',`transitionbool'), -1, `', `
+bool $1_disable_trans false;
+if ($1_disable_trans) {
+can_exec(initrc_t, $1_exec_t)
+can_exec(sysadm_t, $1_exec_t)
+} else {
+') dnl transitionbool
+domain_auto_trans(initrc_t, $1_exec_t, $1_t)
+allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
+ifdef(`direct_sysadm_daemon', `
+ifelse(`$3', `nosysadm', `', `
+domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
+allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
+')dnl end direct_sysadm_daemon
+')dnl end nosysadm
+ifelse(index(`$2', `transitionbool'), -1, `', `
+}
+') dnl end transitionbool
+ifdef(`direct_sysadm_daemon', `
+ifelse(`$3', `nosysadm', `', `
+role_transition sysadm_r $1_exec_t system_r;
+')dnl end nosysadm
+')dnl end direct_sysadm_daemon
+
+allow $1_t privfd:fd use;
+ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;')
+allow $1_t initrc_devpts_t:chr_file rw_file_perms;
+')dnl
+
+# allow a domain to create its own files under /var/run and to create files
+# in directories that are created for it.  $2 is an optional list of
+# classes to use; default is file.
+define(`var_run_domain', `
+type $1_var_run_t, file_type, sysadmfile, pidfile;
+
+ifelse(`$2', `', `
+file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
+', `
+file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
+')
+allow $1_t var_t:dir search;
+allow $1_t $1_var_run_t:dir rw_dir_perms;
+')
+define(`daemon_domain', `
+ifdef(`targeted_policy', `
+daemon_base_domain($1, `$2, transitionbool', $3)
+', `
+daemon_base_domain($1, `$2', $3)
+')
+# Create pid file.
+allow $1_t var_t:dir { getattr search };
+var_run_domain($1)
+
+allow $1_t devtty_t:chr_file rw_file_perms;
+
+# for daemons that look at /root on startup
+dontaudit $1_t sysadm_home_dir_t:dir search;
+
+# for df
+allow $1_t fs_type:filesystem getattr;
+allow $1_t removable_t:filesystem getattr;
+
+read_locale($1_t)
+
+# for localization
+allow $1_t lib_t:file { getattr read };
+')dnl end daemon_domain macro
+
+define(`uses_authbind',
+`domain_auto_trans($1, authbind_exec_t, authbind_t)
+allow authbind_t $1:process sigchld;
+allow authbind_t $1:fd use;
+allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
+')
+
+# define a sub-domain, $1_t is the parent domain, $2 is the name
+# of the sub-domain.
+#
+define(`daemon_sub_domain', `
+# $1 is the parent domain (or domains), $2_t is the child domain,
+# and $3 is any attributes to apply to the child
+type $2_t, domain, privlog, daemon $3;
+type $2_exec_t, file_type, sysadmfile, exec_type;
+
+role system_r types $2_t;
+
+domain_auto_trans($1, $2_exec_t, $2_t)
+
+# Inherit and use descriptors from parent.
+allow $2_t $1:fd use;
+allow $2_t $1:process sigchld;
+
+allow $2_t self:process signal_perms;
+
+uses_shlib($2_t)
+
+allow $2_t { self proc_t }:dir r_dir_perms;
+allow $2_t { self proc_t }:lnk_file read;
+
+allow $2_t device_t:dir getattr;
+')
+
+# grant access to /tmp
+# by default, only plain files and dirs may be stored there.
+# This can be overridden with a third parameter
+define(`tmp_domain', `
+type $1_tmp_t, file_type, sysadmfile, tmpfile $2;
+ifelse($3, `',
+`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')',
+`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
+')
+
+define(`tmpfs_domain', `
+type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
+# Use this type when creating tmpfs/shm objects.
+file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
+allow $1_tmpfs_t tmpfs_t:filesystem associate;
+')
+
+define(`var_lib_domain', `
+type $1_var_lib_t, file_type, sysadmfile;
+typealias $1_var_lib_t alias var_lib_$1_t;
+file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
+allow $1_t $1_var_lib_t:dir rw_dir_perms;
+')
+
+define(`log_domain', `
+type $1_log_t, file_type, sysadmfile, logfile;
+file_type_auto_trans($1_t, var_log_t, $1_log_t, file)
+')
+
+define(`logdir_domain', `
+log_domain($1)
+allow $1_t $1_log_t:dir { setattr rw_dir_perms };
+')
+
+define(`etc_domain', `
+type $1_etc_t, file_type, sysadmfile, usercanread;
+allow $1_t $1_etc_t:file r_file_perms;
+')
+
+define(`etcdir_domain', `
+etc_domain($1)
+allow $1_t $1_etc_t:dir r_dir_perms;
+allow $1_t $1_etc_t:lnk_file { getattr read };
+')
+
+define(`append_log_domain', `
+type $1_log_t, file_type, sysadmfile, logfile;
+allow $1_t var_log_t:dir ra_dir_perms;
+allow $1_t $1_log_t:file  { create ra_file_perms };
+type_transition $1_t var_log_t:file $1_log_t;
+')
+
+define(`append_logdir_domain', `
+append_log_domain($1)
+allow $1_t $1_log_t:dir { setattr ra_dir_perms };
+')
+
+define(`lock_domain', `
+type $1_lock_t, file_type, sysadmfile, lockfile;
+file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
+')
+
+####################################################################
+# home_domain_ro_access(source, user, app) 
+# 
+# Gives source access to the read-only home
+# domain of app for the given user type
+#
+
+define(`home_domain_ro_access', `
+
+allow $1 home_root_t:dir search;
+
+if (use_nfs_home_dirs) {
+r_dir_file($1, nfs_t)
+}
+if (use_samba_home_dirs) {
+r_dir_file($1, cifs_t)
+}
+allow $1 autofs_t:dir { search getattr };
+
+r_dir_file($1, $2_$3_ro_home_t)
+
+') dnl home_domain_ro_access
+
+####################################################################
+# home_domain_access(source, user, app)
+#
+# Gives source full access to the home
+# domain of app for the given user type
+#
+
+define(`home_domain_access', `
+
+allow $1 home_root_t:dir search;
+
+if (use_nfs_home_dirs) {
+create_dir_file($1, nfs_t)
+}
+if (use_samba_home_dirs) {
+create_dir_file($1, cifs_t)
+}
+allow $1 autofs_t:dir { search getattr };
+
+file_type_auto_trans($1, $2_home_dir_t, $2_$3_home_t)
+
+') dnl home_domain_access
+
+####################################################################
+# home_domain (prefix, app)
+#
+# Creates a domain in the prefix home where an application can
+# store its settings. It's accessible by the prefix domain.
+#
+
+define(`home_domain', `
+
+# Declare home domain
+# FIXME: the second alias is problematic because
+# home_domain and home_domain_ro cannot be used in parallel
+# Remove the second alias when compatibility is no longer an issue
+
+type $1_$2_home_t, file_type, $1_file_type, sysadmfile;
+typealias $1_$2_home_t alias $1_$2_rw_t;
+typealias $1_$2_home_t alias $1_home_$2_t;
+
+# User side access
+create_dir_file($1_t, $1_$2_home_t)
+allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+# App side access
+home_domain_access($1_$2_t, $1, $2)
+')
+
+####################################################################
+# home_domain_ro (user, app)
+#
+# Creates a read-only domain in the user home where an application can
+# store its settings. It's fully accessible by the user, but
+# it's read-only for the application.
+#
+
+define(`home_domain_ro', `
+
+# Declare home domain
+# FIXME: the second alias is problematic because
+# home_domain and home_domain_ro cannot be used in parallel
+# Remove the second alias when compatibility is no longer an issue
+
+type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
+typealias $1_$2_ro_home_t alias $1_$2_ro_t;
+typealias $1_$2_ro_home_t alias $1_home_$2_t;
+
+# User side access
+create_dir_file($1_t, $1_$2_ro_home_t)
+allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+# App side access
+home_domain_ro_access($1_$2_t, $1, $2)
+')
+
+#######################
+# application_domain(domain_prefix)
+#
+# Define a domain with a base set of type declarations
+# and permissions that are common to simple applications.
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+define(`application_domain', `
+type $1_t, domain, privlog $2;
+type $1_exec_t, file_type, sysadmfile, exec_type;
+role sysadm_r types $1_t;
+domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
+uses_shlib($1_t)
+')
+
+define(`user_application_domain', `
+application_domain($1, `$2')
+in_user_role($1_t)
+domain_auto_trans(userdomain, $1_exec_t, $1_t)
+')
+
+define(`system_domain', `
+type $1_t, domain, privlog $2;
+type $1_exec_t, file_type, sysadmfile, exec_type;
+role system_r types $1_t;
+uses_shlib($1_t)
+allow $1_t etc_t:dir r_dir_perms;
+')
+
+# Do not flood message log, if the user does a browse
+define(`file_browse_domain', `
+
+# Regular files/directories that are not security sensitive
+dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
+dontaudit $1 file_type - secure_file_type:dir { read search };
+
+# /dev
+dontaudit $1 dev_fs:dir_file_class_set getattr;
+dontaudit $1 dev_fs:dir { read search };
+
+# /proc
+dontaudit $1 sysctl_t:dir_file_class_set getattr;
+dontaudit $1 proc_fs:dir { read search };
+
+')dnl end file_browse_domain
+
+
+# Define legacy_domain  for legacy binaries (java)
+# "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
+# toolchain.  They cause the kernel to automatically start translating all
+# read protection requests to read|execute for backward compatibility on
+# x86.  They will all need execmem and execmod, including execmod to
+# shlib_t and ld_so_t unlike non-legacy binaries.
+
+define(`legacy_domain', `
+allow $1_t self:process { execmem };
+allow $1_t { texrel_shlib_t shlib_t }:file execmod;
+allow $1_t ld_so_t:file execmod;
+allow $1_t ld_so_cache_t:file execute;
+')
+
+# 
+# Define a domain that can do anything, so that it is
+# effectively unconfined by the SELinux policy.  This
+# means that it is only restricted by the normal Linux 
+# protections.  Note that you may need to add further rules
+# to allow other domains to interact with this domain as expected,
+# since this macro only allows the specified domain to act upon
+# all other domains and types, not vice versa.
+#
+define(`unconfined_domain', `
+
+typeattribute $1 unrestricted;
+
+# Mount/unmount any filesystem. 
+allow $1 fs_type:filesystem *;
+
+# Mount/unmount any filesystem with the context= option. 
+allow $1 file_type:filesystem *;
+
+# Create/access any file in a labeled filesystem;
+allow $1 file_type:{ file chr_file } ~execmod;
+allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+allow $1 sysctl_t:{ dir file } *;
+allow $1 device_type:devfile_class_set *;
+allow $1 mtrr_device_t:file *;
+
+# Create/access other files.  fs_type is to pick up various
+# pseudo filesystem types that are applied to both the filesystem
+# and its files.
+allow $1 { unlabeled_t fs_type }:dir_file_class_set *;
+allow $1 proc_fs:{ dir file } *;
+
+# For /proc/pid
+r_dir_file($1,domain)
+# Write access is for setting attributes under /proc/self/attr.
+allow $1 self:file rw_file_perms;
+
+# Read and write sysctls.
+can_sysctl($1)
+
+# Access the network.
+allow $1 node_type:node *;
+allow $1 netif_type:netif *;
+allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
+
+# Bind to any network address.
+allow $1 port_type:{ tcp_socket udp_socket } name_bind;
+allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+
+# Use/sendto/connectto sockets created by any domain.
+allow $1 domain:{ socket_class_set socket key_socket } *;
+
+# Use descriptors and pipes created by any domain.
+allow $1 domain:fd use;
+allow $1 domain:fifo_file rw_file_perms;
+
+# Act upon any other process.
+allow $1 domain:process ~{ transition dyntransition execmem };
+# Transition to myself, to make get_ordered_context_list happy.
+allow $1 self:process transition;
+
+if (allow_execmem) {
+# Allow loading DSOs that require executable stack.
+allow $1 self:process execmem;
+}
+
+if (allow_execmod) {
+# Allow text relocations on system shared libraries, e.g. libGL.
+allow $1 texrel_shlib_t:file execmod;
+}
+
+# Create/access any System V IPC objects.
+allow $1 domain:{ sem msgq shm } *;
+allow $1 domain:msg  { send receive };
+
+# Access the security API.
+allow $1 security_t:security *;
+auditallow $1 security_t:security { load_policy setenforce setbool };
+
+# Perform certain system operations that lacked individual capabilities.
+allow $1 kernel_t:system *;
+
+# Use any Linux capability.
+allow $1 self:capability *;
+
+# Set user information and skip authentication.
+allow $1 self:passwd *;
+
+# Communicate via dbusd.
+allow $1 self:dbus *;
+ifdef(`dbusd.te', `
+allow $1 system_dbusd_t:dbus *;
+')
+
+# Get info via nscd.
+allow $1 self:nscd *;
+ifdef(`nscd.te', `
+allow $1 nscd_t:nscd *;
+')
+
+')dnl end unconfined_domain
diff --git a/strict/macros/mini_user_macros.te b/strict/macros/mini_user_macros.te
new file mode 100644
index 0000000..9f7d994
--- /dev/null
+++ b/strict/macros/mini_user_macros.te
@@ -0,0 +1,57 @@
+#
+# Macros for all user login domains.
+#
+
+#
+# mini_user_domain(domain_prefix)
+#
+# Define derived types and rules for a minimal privs user domain named
+# $1_mini_t which is permitted to be in $1_r role and transition to $1_t.
+#
+undefine(`mini_user_domain')
+define(`mini_user_domain',`
+# user_t/$1_t is an unprivileged users domain.
+type $1_mini_t, domain, user_mini_domain;
+
+# for ~/.bash_profile and other files that the mini domain should be allowed
+# to read (but not write)
+type $1_home_mini_t, file_type, sysadmfile;
+allow $1_t $1_home_mini_t:file { create_file_perms relabelto relabelfrom };
+allow $1_mini_t $1_home_mini_t:file r_file_perms;
+
+# $1_r is authorized for $1_mini_t for the initial login domain.
+role $1_r types $1_mini_t;
+uses_shlib($1_mini_t)
+pty_slave_label($1_mini, `, userpty_type, mini_pty_type')
+
+allow $1_mini_t devtty_t:chr_file rw_file_perms;
+allow $1_mini_t { etc_t etc_runtime_t }:file { getattr read };
+dontaudit $1_mini_t proc_t:dir { getattr search };
+allow $1_mini_t self:unix_stream_socket create_socket_perms;
+allow $1_mini_t self:fifo_file rw_file_perms;
+allow $1_mini_t self:process { fork sigchld setpgid };
+dontaudit $1_mini_t var_t:dir search;
+allow $1_mini_t { bin_t sbin_t }:dir search;
+
+dontaudit $1_mini_t device_t:dir { getattr read };
+dontaudit $1_mini_t devpts_t:dir { getattr read };
+dontaudit $1_mini_t proc_t:lnk_file read;
+
+can_exec($1_mini_t, bin_t)
+allow $1_mini_t { home_root_t $1_home_dir_t }:dir search;
+dontaudit $1_mini_t home_root_t:dir getattr;
+dontaudit $1_mini_t $1_home_dir_t:dir { getattr read };
+dontaudit $1_mini_t $1_home_t:file { append getattr read write };
+
+dontaudit $1_mini_t fs_t:filesystem getattr;
+
+type_change $1_mini_t $1_mini_devpts_t:chr_file $1_devpts_t;
+# uncomment this if using mini domains for console logins
+#type_change $1_mini_t $1_tty_device_t:chr_file $1_tty_device_t;
+
+type_change $1_mini_t server_pty:chr_file $1_mini_devpts_t;
+type_change $1_t $1_mini_devpts_t:chr_file $1_devpts_t;
+
+domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t)
+')dnl end mini_user_domain definition
+
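Review bot: The comment at the top of the macro body, `# user_t/$1_t is an unprivileged users domain.`, describes the wrong type: the line below it declares `$1_mini_t`, not `$1_t`, and the header already says the mini domain is a separate minimal-privilege login domain that transitions to `$1_t`. Suggest replacing it with `# $1_mini_t is the minimal-privilege login domain for prefix $1; it reaches $1_t only through newrole (see the domain_auto_trans at the end).`, which matches the `domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t)` rule. The commented-out `type_change` for `$1_tty_device_t` is left as an instruction to "uncomment", so a one-line note naming which login path (console vs. pty) each `type_change` covers would help the next maintainer decide.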
diff --git a/strict/macros/network_macros.te b/strict/macros/network_macros.te
new file mode 100644
index 0000000..bf6761f
--- /dev/null
+++ b/strict/macros/network_macros.te
@@ -0,0 +1,168 @@
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`base_can_network',`
+#
+# Allow the domain to create and use $2 sockets.
+# Other kinds of sockets must be separately authorized for use.
+allow $1 self:$2_socket connected_socket_perms;
+
+#
+# Allow the domain to send or receive using any network interface.
+# netif_type is a type attribute for all network interface types.
+#
+allow $1 netif_type:netif { $2_send rawip_send };
+allow $1 netif_type:netif { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any node.
+# node_type is a type attribute for all node types.
+#
+allow $1 node_type:node { $2_send rawip_send };
+allow $1 node_type:node { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any port.
+# port_type is a type attribute for all port types.
+#
+ifelse($3, `', `
+allow $1 port_type:$2_socket { send_msg recv_msg };
+', `
+allow $1 $3:$2_socket { send_msg recv_msg };
+')
+
+# XXX Allow binding to any node type.  Remove once
+# individual rules have been added to all domains that 
+# bind sockets. 
+allow $1 node_type:$2_socket node_bind;
+#
+# Allow access to network files including /etc/resolv.conf
+#
+allow $1 net_conf_t:file r_file_perms;
+')dnl end can_network definition
+
+#################################
+#
+# can_network_server_tcp(domain)
+#
+# Permissions for accessing a tcp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_server_tcp',`
+base_can_network($1, tcp, `$2')
+allow $1 self:tcp_socket { listen accept };
+')
+
+#################################
+#
+# can_network_client_tcp(domain)
+#
+# Permissions for accessing a tcp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_client_tcp',`
+base_can_network($1, tcp, `$2')
+allow $1 self:tcp_socket { connect };
+')
+
+#################################
+#
+# can_network_tcp(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_tcp',`
+
+can_network_server_tcp($1, `$2')
+can_network_client_tcp($1, `$2')
+
+')
+
+#################################
+#
+# can_network_udp(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_udp',`
+base_can_network($1, udp, `$2')
+allow $1 self:udp_socket { connect };
+')
+
+#################################
+#
+# can_network_server(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_server',`
+
+can_network_server_tcp($1, `$2')
+can_network_udp($1, `$2')
+
+')dnl end can_network_server definition
+
+
+#################################
+#
+# can_network_client(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_client',`
+
+can_network_client_tcp($1, `$2')
+can_network_udp($1, `$2')
+
+')dnl end can_network_client definition
+
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network',`
+
+can_network_tcp($1, `$2')
+can_network_udp($1, `$2')
+
+ifdef(`mount.te', `
+#
+# Allow the domain to send NFS client requests via the socket
+# created by mount.
+#
+allow $1 mount_t:udp_socket rw_socket_perms;
+')
+
+')dnl end can_network definition
+
+define(`can_resolve',`
+ifdef(`use_dns',`
+can_network_udp($1, `dns_port_t')
+')
+')
+
+define(`can_ldap',`
+ifdef(`slapd.te',`
+can_network_client_tcp($1, `ldap_port_t')
+')
+')
+
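Review bot: The header comment for the first definition reads `# can_network(domain)` but the macro defined is `base_can_network` with three parameters, and neither the protocol argument nor the optional port-type argument is documented. Suggest `# base_can_network(domain, protocol, [port_type])` followed by `# With an empty port_type the domain may send_msg/recv_msg to every port_type; otherwise only to the named port type.`, which is exactly what the `ifelse($3, ...)` branch does. The same omission repeats in the headers of can_network_server_tcp, can_network_client_tcp, can_network_tcp, can_network_udp, can_network_server, can_network_client and can_network, all of which accept and forward a second argument that their comments do not mention. The `XXX` node_bind rule is the only grant in base_can_network that is explicitly marked temporary; since it is inherited by every caller, the header should say so as well.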
diff --git a/strict/macros/program/apache_macros.te b/strict/macros/program/apache_macros.te
new file mode 100644
index 0000000..7e3521a
--- /dev/null
+++ b/strict/macros/program/apache_macros.te
@@ -0,0 +1,197 @@
+
+define(`apache_domain', `
+
+#This type is for webpages
+#
+type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile, customizable;
+ifelse($1, sys, `
+typealias httpd_sys_content_t alias httpd_sysadm_content_t;
+')
+
+# This type is used for .htaccess files
+#
+type httpd_$1_htaccess_t, file_type, sysadmfile;
+
+# This type is used for executable scripts files
+#
+type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
+
+# Type that CGI scripts run as
+type httpd_$1_script_t, domain, privmail, nscd_client_domain;
+role system_r types httpd_$1_script_t;
+uses_shlib(httpd_$1_script_t)
+
+if (httpd_enable_cgi) {
+domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
+
+allow httpd_$1_script_t httpd_t:fd use;
+allow httpd_$1_script_t httpd_t:process sigchld;
+
+can_network(httpd_$1_script_t)
+allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
+allow httpd_$1_script_t usr_t:lnk_file { getattr read };
+
+allow httpd_$1_script_t self:process { fork signal_perms };
+
+allow httpd_$1_script_t devtty_t:chr_file { getattr read write };
+allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };
+allow httpd_$1_script_t etc_runtime_t:file { getattr read };
+read_locale(httpd_$1_script_t)
+allow httpd_$1_script_t fs_t:filesystem getattr;
+allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+
+allow httpd_$1_script_t { self proc_t }:file { getattr read };
+allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
+allow httpd_$1_script_t { self proc_t }:lnk_file read;
+
+allow httpd_$1_script_t device_t:dir { getattr search };
+allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
+}
+ifdef(`ypbind.te', `
+if (httpd_enable_cgi && allow_ypbind) {
+uncond_can_ypbind(httpd_$1_script_t)
+}
+')
+# The following are the only areas that 
+# scripts can read, read/write, or append to
+#
+type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
+type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
+type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
+file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
+
+ifdef(`slocate.te', `
+ifelse($1, `sys', `', `
+allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search };
+allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read };
+')dnl end ifelse
+')dnl end slocate.te
+
+#########################################################
+# Permissions for running child processes and scripts
+##########################################################
+allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
+
+domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+allow httpd_$1_script_t httpd_t:fifo_file write;
+
+allow httpd_$1_script_t self:fifo_file rw_file_perms;
+
+allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
+
+# for nscd
+dontaudit httpd_$1_script_t var_t:dir search;
+
+###########################################################################
+# Allow the script interpreters to run the scripts.  So
+# the perl executable will be able to run a perl script
+#########################################################################
+can_exec_any(httpd_$1_script_t)
+allow httpd_$1_script_t etc_t:file { getattr read };
+dontaudit httpd_$1_script_t selinux_config_t:dir search;
+
+############################################################################
+# Allow the script process to search the cgi directory, and users directory
+##############################################################################
+allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
+can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+allow httpd_$1_script_t home_root_t:dir { getattr search };
+allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
+
+#############################################################################
+# Allow the scripts to read, read/write, append to the specified directories
+# or files
+############################################################################
+r_dir_file(httpd_$1_script_t, fonts_t)
+r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
+create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
+ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+ifelse($1, sys, `
+domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+create_dir_file(httpd_t, httpdcontent)
+can_exec(httpd_t, httpdcontent )
+', `
+can_exec(httpd_$1_script_t, httpdcontent )
+domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
+')
+create_dir_file(httpd_$1_script_t, httpdcontent)
+}
+
+ifelse($1, sys, `
+#
+# If a user starts a script by hand it gets the proper context
+#
+if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+}
+role sysadm_r types httpd_$1_script_t;
+', `
+
+if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+# If a user starts a script by hand it gets the proper context
+domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+}
+role $1_r types httpd_$1_script_t;
+
+#######################################
+# Allow user to create or edit web content
+#########################################
+
+create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
+create_dir_file($1_crond_t, httpd_$1_content_t)
+allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
+ifdef(`mozilla.te', `
+r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
+')
+
+######################################################################
+# Allow the user to create htaccess files
+#####################################################################
+
+allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
+
+#########################################################################
+# Allow user to create files or directories 
+# that scripts are able to read, write, or append to
+###########################################################################
+
+create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })
+allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };
+
+# allow accessing files/dirs below the users home dir
+if (httpd_enable_homedirs) {
+allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
+ifdef(`nfs_home_dirs', `
+r_dir_file(httpd_$1_script_t, nfs_t)
+')dnl end if nfs_home_dirs
+}
+')dnl end ifelse sys
+
+dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
+dontaudit httpd_$1_script_t sysctl_t:dir search;
+
+################################################################
+# Allow the web server to run scripts and serve pages
+##############################################################
+r_dir_file(httpd_t, httpd_$1_content_t)
+
+allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
+
+r_dir_file(httpd_t, httpd_$1_script_rw_t)
+
+############################################
+# Allow scripts to append to http logs
+#########################################
+allow httpd_$1_script_t httpd_log_t:file { getattr append };
+
+# apache should set close-on-exec
+dontaudit  httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+')
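Review bot: The `if (httpd_enable_cgi && httpd_unified ...)` block carries no comment, yet it is the one place where the content/script_ro/script_rw/script_ra/script_exec separation declared above is collapsed: inside it `create_dir_file(httpd_$1_script_t, httpdcontent)` and `can_exec(httpd_$1_script_t, httpdcontent)` let the script domain both write and execute any httpdcontent-labelled file. Suggest a comment above the `if`: `# httpd_unified trades the read-only / read-write / append / exec split for convenience: with it on, a CGI script may create and then execute files anywhere under httpdcontent.` The earlier `can_exec_any(httpd_$1_script_t)` and `can_network(httpd_$1_script_t)` grants are likewise uncommented, and a short why-comment on each would make the breadth of the script domain visible to whoever tunes this policy. Minor style point: `allow httpd_t httpd_$1_htaccess_t: file r_file_perms;` has a stray space after the colon, unlike every other rule in the file.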
diff --git a/strict/macros/program/cdrecord_macros.te b/strict/macros/program/cdrecord_macros.te
new file mode 100644
index 0000000..6af7ddc
--- /dev/null
+++ b/strict/macros/program/cdrecord_macros.te
@@ -0,0 +1,54 @@
+# macros for the cdrecord domain
+# Author: Thomas Bleher <ThomasBleher at gmx.de>
+
+define(`cdrecord_domain', `
+type $1_cdrecord_t, domain, privlog;
+
+domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_cdrecord_t;
+
+uses_shlib($1_cdrecord_t)
+read_locale($1_cdrecord_t)
+
+# allow ps to show cdrecord and allow the user to kill it 
+can_ps($1_t, $1_cdrecord_t)
+allow $1_t $1_cdrecord_t:process signal;
+
+# write to the user domain tty.
+access_terminal($1_cdrecord_t, $1)
+allow $1_cdrecord_t privfd:fd use;
+
+allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl };
+
+allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
+allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+
+can_resmgrd_connect($1_cdrecord_t)
+
+allow $1_cdrecord_t { tmp_t home_root_t }:dir search;
+
+# allow cdrecord to read user files
+r_dir_file($1_cdrecord_t, { $1_home_t $1_tmp_t })
+if (use_nfs_home_dirs) {
+r_dir_file($1_cdrecord_t, nfs_t)
+}
+if (use_samba_home_dirs) {
+r_dir_file($1_cdrecord_t, cifs_t)
+}
+allow $1_cdrecord_t etc_t:file { getattr read };
+
+# allow searching for cdrom-drive
+allow $1_cdrecord_t device_t:dir { getattr search };
+allow $1_cdrecord_t device_t:lnk_file { getattr read };
+
+# allow cdrecord to write the CD
+allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
+allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
+
+allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid };
+allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
+
+')
+
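Review bot: The capability grant `allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid };` is the only rule in this macro without a why-comment, while every neighbouring rule explains its purpose; `setuid` in particular goes beyond the "write the CD" intent stated elsewhere. Suggest a hedged comment on that line, e.g. `# NOTE(review): ipc_lock/sys_nice/setuid granted to the user-derived cdrecord domain — confirm each is still required by the binary`, so the grant is revisited rather than carried forward silently. The same applies to the `sigkill` permission in the following `self:process` rule, which is unusual for a self grant and worth a one-line note.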
diff --git a/strict/macros/program/chkpwd_macros.te b/strict/macros/program/chkpwd_macros.te
new file mode 100644
index 0000000..806a9cd
--- /dev/null
+++ b/strict/macros/program/chkpwd_macros.te
@@ -0,0 +1,79 @@
+#
+# Macros for chkpwd domains.
+#
+
+#
+# chkpwd_domain(domain_prefix)
+#
+# Define a derived domain for the *_chkpwd program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/su.te. 
+#
+undefine(`chkpwd_domain')
+ifdef(`chkpwd.te', `
+define(`chkpwd_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
+
+# is_selinux_enabled
+allow $1_chkpwd_t proc_t:file read;
+can_getcon($1_chkpwd_t)
+can_ypbind($1_chkpwd_t)
+can_kerberos($1_chkpwd_t)
+can_ldap($1_chkpwd_t)
+can_resolve($1_chkpwd_t)
+# Transition from the user domain to this domain.
+ifelse($1, system, `
+domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
+role system_r types system_chkpwd_t;
+dontaudit auth_chkpwd shadow_t:file { getattr read };
+allow auth_chkpwd sbin_t:dir search;
+dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
+can_ypbind(auth_chkpwd)
+can_kerberos(auth_chkpwd)
+can_ldap(auth_chkpwd)
+can_resolve(auth_chkpwd)
+', `
+domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
+allow $1_t sbin_t:dir search;
+
+# The user role is authorized for this domain.
+role $1_r types $1_chkpwd_t;
+
+# Write to the user domain tty.
+access_terminal($1_chkpwd_t, $1)
+
+allow $1_chkpwd_t privfd:fd use;
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
+
+# Inherit and use descriptors from newrole.
+ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
+')
+
+uses_shlib($1_chkpwd_t)
+allow $1_chkpwd_t etc_t:file { getattr read };
+allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
+allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
+read_locale($1_chkpwd_t)
+
+# Use capabilities.
+allow $1_chkpwd_t self:capability setuid;
+r_dir_file($1_chkpwd_t, selinux_config_t)
+
+# for nscd
+ifdef(`nscd.te', `', `
+dontaudit $1_chkpwd_t var_t:dir search;
+')
+
+dontaudit $1_chkpwd_t fs_t:filesystem getattr;
+')
+
+', `
+
+define(`chkpwd_domain',`')
+
+')
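Review bot: The header states that the executable type for this program "is provided separately in domains/program/su.te", but the macro is guarded by `ifdef(`chkpwd.te', ...)`, which suggests the declaration actually lives in chkpwd.te; this looks like a stale comment and should be checked against the file that declares `chkpwd_exec_t`. If the guard is right, change the header to `# provided separately in domains/program/chkpwd.te.` The fallback branch `define(`chkpwd_domain',`')` silently turns every caller's chkpwd_domain invocation into a no-op when chkpwd.te is absent; a comment such as `# Without chkpwd.te no derived domain is created and callers get no chkpwd transition.` would make that behaviour explicit.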
diff --git a/strict/macros/program/chroot_macros.te b/strict/macros/program/chroot_macros.te
new file mode 100644
index 0000000..d06e6f1
--- /dev/null
+++ b/strict/macros/program/chroot_macros.te
@@ -0,0 +1,130 @@
+
+# macro for chroot environments
+# Author Russell Coker
+
+# chroot(initial_domain, basename, role, tty_device_type)
+define(`chroot', `
+
+ifelse(`$1', `initrc', `
+define(`chroot_role', `system_r')
+define(`chroot_tty_device', `{ console_device_t admin_tty_type }')
+define(`chroot_mount_domain', `mount_t')
+define(`chroot_fd_use', `{ privfd init_t }')
+', `
+define(`chroot_role', `$1_r')
+define(`chroot_tty_device', `{ $1_devpts_t $1_tty_device_t }')
+define(`chroot_fd_use', `privfd')
+
+# allow mounting /proc and /dev
+ifdef(`$1_mount_def', `', `
+mount_domain($1, $1_mount)
+role chroot_role types $1_mount_t;
+')
+define(`chroot_mount_domain', `$1_mount_t')
+ifdef(`ssh.te', `
+can_tcp_connect($1_ssh_t, $2_t)
+')dnl end ssh
+')dnl end ifelse initrc
+
+# types for read-only and read-write files in the chroot
+type $2_ro_t, file_type, sysadmfile, home_type, user_home_type;
+type $2_rw_t, file_type, sysadmfile, home_type, user_home_type;
+# type like $2_ro_t but that triggers a transition from $2_super_t to $2_t
+# when you execute it
+type $2_dropdown_t, file_type, sysadmfile, home_type, user_home_type;
+
+allow chroot_mount_domain { $2_rw_t $2_ro_t }:dir { getattr search mounton };
+allow chroot_mount_domain { $2_rw_t $2_ro_t }:file { getattr mounton };
+
+# entry point for $2_super_t
+type $2_super_entry_t, file_type, sysadmfile, home_type, user_home_type;
+# $2_t is the base domain, has full access to $2_rw_t files
+type $2_t, domain;
+# $2_super_t is the super-chroot domain, can also write to $2_ro_t
+# but still can not access outside the chroot
+type $2_super_t, domain;
+allow $2_super_t chroot_tty_device:chr_file rw_file_perms;
+
+ifdef(`$1_chroot_def', `', `
+dnl can not have this defined twice
+define(`$1_chroot_def')
+
+allow chroot_mount_domain { proc_t device_t fs_t }:filesystem { mount unmount };
+
+# $1_chroot_t is the domain for /usr/sbin/chroot
+type $1_chroot_t, domain;
+
+# allow $1_chroot_t to write to the tty device
+allow $1_chroot_t chroot_tty_device:chr_file rw_file_perms;
+allow $1_chroot_t chroot_fd_use:fd use;
+allow { $1_chroot_t $2_t $2_super_t } $1_t:fd use;
+
+role chroot_role types $1_chroot_t;
+uses_shlib($1_chroot_t)
+allow $1_chroot_t self:capability sys_chroot;
+allow $1_t $1_chroot_t:dir { search getattr read };
+allow $1_t $1_chroot_t:{ file lnk_file } { read getattr };
+domain_auto_trans($1_t, chroot_exec_t, $1_chroot_t)
+allow $1_chroot_t fs_t:filesystem getattr;
+')dnl End conditional
+
+role chroot_role types { $2_t $2_super_t };
+
+# allow ps to show processes and allow killing them
+allow $1_t { $2_super_t $2_t }:dir { search getattr read };
+allow $1_t { $2_super_t $2_t }:{ file lnk_file } { read getattr };
+allow $1_t { $2_super_t $2_t }:process signal_perms;
+allow $2_super_t $2_t:dir { search getattr read };
+allow $2_super_t $2_t:{ file lnk_file } { read getattr };
+allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace };
+allow $1_t $2_super_t:process { signal_perms ptrace };
+allow sysadm_t { $2_super_t $2_t }:process { signal_perms ptrace };
+
+allow { $2_super_t $2_t } { fs_t device_t }:filesystem getattr;
+allow { $2_super_t $2_t } device_t:dir { search getattr };
+allow { $2_super_t $2_t } devtty_t:chr_file rw_file_perms;
+allow { $2_super_t $2_t } random_device_t:chr_file r_file_perms;
+allow { $2_super_t $2_t } self:capability { fowner chown fsetid setgid setuid net_bind_service sys_tty_config };
+allow $2_super_t self:capability sys_ptrace;
+
+can_tcp_connect($2_super_t, $2_t)
+allow { $2_super_t $2_t } $2_rw_t:sock_file create_file_perms;
+
+# quiet ps and killall
+dontaudit { $2_super_t $2_t } domain:dir { search getattr };
+
+# allow $2_t to write to the owner tty device (should remove this)
+allow $2_t chroot_tty_device:chr_file { read write };
+
+r_dir_file($1_chroot_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
+can_exec($2_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
+can_exec($2_super_t, { $2_ro_t $2_super_entry_t })
+create_dir_notdevfile($2_super_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
+# $2_super_t transitions to $2_t when it executes
+# any file that $2_t can write
+domain_auto_trans($2_super_t, { $2_rw_t $2_dropdown_t }, $2_t)
+allow $1_chroot_t { $2_ro_t $2_rw_t }:lnk_file read;
+r_dir_file($2_t, { $2_ro_t $2_super_entry_t $2_dropdown_t })
+create_dir_notdevfile($2_t, $2_rw_t)
+allow $2_t $2_rw_t:fifo_file create_file_perms;
+allow $2_t $2_ro_t:fifo_file rw_file_perms;
+allow { $1_t $2_super_t } { $2_rw_t $2_ro_t }:fifo_file create_file_perms;
+create_dir_notdevfile($1_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
+can_exec($1_t, { $2_ro_t $2_dropdown_t })
+domain_auto_trans($1_chroot_t, { $2_ro_t $2_rw_t $2_dropdown_t }, $2_t)
+domain_auto_trans($1_chroot_t, $2_super_entry_t, $2_super_t)
+allow { $1_t $2_super_t } { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }:{ dir notdevfile_class_set } { relabelfrom relabelto };
+general_proc_read_access({ $2_t $2_super_t })
+general_domain_access({ $2_t $2_super_t })
+can_create_pty($2)
+can_create_pty($2_super)
+can_network({ $2_t $2_super_t })
+allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms;
+allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton;
+allow { $2_t $2_super_t } self:capability { dac_override kill };
+
+undefine(`chroot_role')
+undefine(`chroot_tty_device')
+undefine(`chroot_mount_domain')
+undefine(`chroot_fd_use')
+')
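Review bot: The usage line `# chroot(initial_domain, basename, role, tty_device_type)` documents four parameters, but the macro body only ever references `$1` and `$2`; the role and tty device are derived internally through the `chroot_role` and `chroot_tty_device` defines in the `ifelse(`$1', `initrc', ...)` branch. Suggest `# chroot(initial_domain, basename)` followed by `# role, tty device, mount domain and fd source are derived from initial_domain (initrc vs. user prefix) below.` The `ptrace` grants to `$1_t`, `$2_super_t` and `sysadm_t` over the chroot domains are uncommented; since ptrace lets the tracer read and alter the tracee's memory, a one-line note stating that this is intended for debugging the chroot from outside would help reviewers confirm it is deliberate.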
diff --git a/strict/macros/program/clamav_macros.te b/strict/macros/program/clamav_macros.te
new file mode 100644
index 0000000..e5a4a37
--- /dev/null
+++ b/strict/macros/program/clamav_macros.te
@@ -0,0 +1,57 @@
+#
+# Macros for clamscan
+#
+# Author:  Brian May <bam at snoopy.apana.org.au>
+#
+
+#
+# can_clamd_connect(domain_prefix)
+#
+# Define a domain that can access clamd
+#
+define(`can_clamd_connect',`
+allow $1_t clamd_var_run_t:dir search;
+allow $1_t clamd_var_run_t:sock_file write;
+can_unix_connect($1_t, clamd_t)
+')
+
+# clamscan_domain(domain_prefix)
+#
+# Define a derived domain for the clamscan program when executed
+#
+define(`clamscan_domain', `
+# Derived domain based on the calling user domain and the program.
+type $1_clamscan_t, domain, privlog;
+
+# Uses shared librarys
+uses_shlib($1_clamscan_t)
+allow $1_clamscan_t fs_t:filesystem getattr;
+r_dir_file($1_clamscan_t, etc_t)
+read_locale($1_clamscan_t)
+
+# Access virus signatures
+allow $1_clamscan_t var_lib_t:dir search;
+r_dir_file($1_clamscan_t, clamav_var_lib_t)
+
+# Allow temp files
+tmp_domain($1_clamscan)
+
+# Why is this required?
+allow $1_clamscan_t proc_t:dir r_dir_perms;
+allow $1_clamscan_t proc_t:file r_file_perms;
+read_sysctl($1_clamscan_t)
+allow $1_clamscan_t self:unix_stream_socket { connect create read write };
+')
+
+define(`user_clamscan_domain',`
+clamscan_domain($1)
+role $1_r types $1_clamscan_t;
+domain_auto_trans($1_t, clamscan_exec_t, $1_clamscan_t)
+access_terminal($1_clamscan_t, $1)
+r_dir_file($1_clamscan_t,$1_home_t);
+r_dir_file($1_clamscan_t,$1_home_dir_t);
+allow $1_clamscan_t $1_home_t:file r_file_perms;
+allow $1_clamscan_t privfd:fd use;
+ifdef(`gnome-pty-helper.te', `allow $1_clamscan_t $1_gph_t:fd use;')
+')
+
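Review bot: `can_clamd_connect` at the top of this hunk grants `clamd_var_run_t:dir search` and `sock_file write` but no search on the parent `var_t`/`var_run_t` directories, so a caller that does not already hold them is denied on the path walk before it reaches the socket; the `dbusd_client` macro in this same commit grants `{ var_run_t system_dbusd_var_run_t }:dir search` together for the same reason. If the socket lives under /var/run (the type name suggests so, but the hunk does not show it), add `allow $1_t { var_t var_run_t }:dir search;` beside the existing search rule. The `# Why is this required?` comment above the `proc_t` rules in `clamscan_domain` leaves an open question in shipped policy: either record the denial it was added for or, if nobody can reproduce it, drop the rules rather than keep unexplained read access to /proc. `allow $1_clamscan_t $1_home_t:file r_file_perms;` duplicates what `r_dir_file($1_clamscan_t,$1_home_t)` two lines above already grants and can be removed.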
diff --git a/strict/macros/program/crond_macros.te b/strict/macros/program/crond_macros.te
new file mode 100644
index 0000000..8cd7deb
--- /dev/null
+++ b/strict/macros/program/crond_macros.te
@@ -0,0 +1,125 @@
+#
+# Macros for crond domains.
+#
+
+#
+# Authors:  Jonathan Crowley (MITRE) <jonathan at mitre.org>,
+#	    Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser
+#           Russell Coker <rcoker at redhat.com>
+#
+
+#
+# crond_domain(domain_prefix)
+#
+# Define a derived domain for cron jobs executed by crond on behalf 
+# of a user domain.  These domains are separate from the top-level domain
+# defined for the crond daemon and the domain defined for system cron jobs,
+# which are specified in domains/program/crond.te.
+#
+undefine(`crond_domain')
+define(`crond_domain',`
+# Derived domain for user cron jobs, user user_crond_domain if not system
+ifelse(`system', `$1', `
+type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
+', `
+type $1_crond_t, domain, user_crond_domain;
+
+# Access user files and dirs.
+allow $1_crond_t home_root_t:dir search;
+file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
+
+# Run scripts in user home directory and access shared libs.
+can_exec($1_crond_t, $1_home_t)
+
+file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
+')
+r_dir_file($1_crond_t, selinux_config_t)
+
+# Type of user crontabs once moved to cron spool.
+type $1_cron_spool_t, file_type, sysadmfile;
+
+ifdef(`fcron.te', `
+allow crond_t $1_cron_spool_t:file create_file_perms;
+')
+
+allow $1_crond_t urandom_device_t:chr_file { getattr read };
+
+allow $1_crond_t usr_t:file { getattr ioctl read };
+allow $1_crond_t usr_t:lnk_file read;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via execve_secure.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+domain_trans(crond_t, shell_exec_t, $1_crond_t)
+
+ifdef(`mta.te', `
+domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
+allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
+
+# $1_mail_t should only be reading from the cron fifo not needing to write
+dontaudit $1_mail_t crond_t:fifo_file write;
+allow mta_user_agent $1_crond_t:fd use;
+')
+
+# The user role is authorized for this domain.
+role $1_r types $1_crond_t;
+
+# This domain is granted permissions common to most domains.
+can_network($1_crond_t)
+can_ypbind($1_crond_t)
+r_dir_file($1_crond_t, self)
+allow $1_crond_t self:fifo_file rw_file_perms;
+allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_crond_t self:unix_dgram_socket create_socket_perms;
+allow $1_crond_t etc_runtime_t:file { getattr read };
+allow $1_crond_t self:process { fork signal_perms setsched };
+allow $1_crond_t proc_t:dir r_dir_perms;
+allow $1_crond_t proc_t:file { getattr read ioctl };
+read_locale($1_crond_t)
+read_sysctl($1_crond_t)
+allow $1_crond_t var_spool_t:dir search;
+allow $1_crond_t fs_type:filesystem getattr;
+
+allow $1_crond_t devtty_t:chr_file { read write };
+allow $1_crond_t var_t:dir r_dir_perms;
+allow $1_crond_t var_t:file { getattr read ioctl };
+allow $1_crond_t var_log_t:dir search;
+
+# Use capabilities.
+allow $1_crond_t self:capability dac_override;
+
+# Inherit and use descriptors from initrc - I think this is wrong
+#allow $1_crond_t initrc_t:fd use;
+
+# 
+# Since crontab files are not directly executed,
+# crond must ensure that the crontab file has
+# a type that is appropriate for the domain of
+# the user cron job.  It performs an entrypoint
+# permission check for this purpose.
+#
+allow $1_crond_t $1_cron_spool_t:file entrypoint;
+
+# Run helper programs.
+can_exec_any($1_crond_t)
+
+# ps does not need to access /boot when run from cron
+dontaudit $1_crond_t boot_t:dir search;
+# quiet other ps operations
+dontaudit $1_crond_t domain:dir { getattr search };
+# for nscd
+dontaudit $1_crond_t var_run_t:dir search;
+')
+
+# When system_crond_t domain executes a type $1 executable then transition to
+# domain $2, allow $2 to interact with crond_t as well.
+define(`system_crond_entry', `
+ifdef(`crond.te', `
+domain_auto_trans(system_crond_t, $1, $2)
+allow $2 crond_t:fifo_file { getattr read write ioctl };
+# a rule for privfd may make this obsolete
+allow $2 crond_t:fd use;
+allow $2 crond_t:process sigchld;
+')dnl end ifdef
+')dnl end system_crond_entry
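Review bot: `allow $1_crond_t self:capability dac_override;` under `# Use capabilities.` gives every user cron-job domain a DAC bypass with no stated reason; the job runs under the user's own uid, and since the same domain also gets `can_exec_any($1_crond_t)` and `can_exec($1_crond_t, $1_home_t)`, a compromised user crontab script could read or modify any file the SELinux rules reach regardless of Unix permissions. Unless a specific job is known to need it, restrict the rule to the `system` branch of the `ifelse` (system cron jobs are the ones that run privileged) or document the denial it was added for, e.g. `# dac_override: needed by <job> for <path>; review before widening`. A `dontaudit` is the safer placeholder for the user branch until the need is confirmed.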
diff --git a/strict/macros/program/crontab_macros.te b/strict/macros/program/crontab_macros.te
new file mode 100644
index 0000000..352fbe9
--- /dev/null
+++ b/strict/macros/program/crontab_macros.te
@@ -0,0 +1,99 @@
+#
+# Macros for crontab domains.
+#
+
+#
+# Authors:  Jonathan Crowley (MITRE) <jonathan at mitre.org>
+# Revised by Stephen Smalley <sds at epoch.ncsc.mil>
+#
+
+#
+# crontab_domain(domain_prefix)
+#
+# Define a derived domain for the crontab program when executed by
+# a user domain.  
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/crontab.te. 
+#
+undefine(`crontab_domain')
+define(`crontab_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_crontab_t, domain, privlog;
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
+
+can_ps($1_t, $1_crontab_t)
+
+# for ^Z
+allow $1_t $1_crontab_t:process signal;
+
+# The user role is authorized for this domain.
+role $1_r types $1_crontab_t;
+
+uses_shlib($1_crontab_t)
+allow $1_crontab_t etc_t:file { getattr read };
+allow $1_crontab_t self:unix_stream_socket create_socket_perms;
+allow $1_crontab_t self:unix_dgram_socket create_socket_perms;
+read_locale($1_crontab_t)
+
+# Use capabilities dac_override is to create the file in the directory
+# under /tmp
+allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override };
+dontaudit $1_crontab_t proc_t:dir search;
+dontaudit $1_crontab_t selinux_config_t:dir search;
+
+# Type for temporary files.
+file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
+
+# Use the type when creating files in /var/spool/cron.
+allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
+allow $1_crontab_t { var_t var_spool_t }:dir { getattr search };
+file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
+allow $1_crontab_t self:process { fork signal_perms };
+ifdef(`fcron.te', `
+# fcron wants an instant update of a crontab change for the administrator
+# also crontab does a security check for crontab -u
+ifelse(`$1', `sysadm', `
+allow $1_crontab_t crond_t:process signal;
+can_setfscreate($1_crontab_t)
+', `
+dontaudit $1_crontab_t crond_t:process signal;
+')dnl end ifelse
+')dnl end ifdef fcron
+
+# for the checks used by crontab -u
+dontaudit $1_crontab_t security_t:dir search;
+
+# crontab signals crond by updating the mtime on the spooldir
+allow $1_crontab_t cron_spool_t:dir setattr;
+# Allow crond to read those crontabs in cron spool.
+allow crond_t $1_cron_spool_t:file r_file_perms;
+
+# Run helper programs as $1_t
+allow $1_crontab_t { bin_t sbin_t }:dir search;
+allow $1_crontab_t bin_t:lnk_file read;
+domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
+
+# Read user crontabs 
+allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;  
+allow $1_crontab_t $1_home_t:file r_file_perms;  
+dontaudit $1_crontab_t $1_home_dir_t:dir write;
+
+# Access the cron log file.
+allow $1_crontab_t crond_log_t:file r_file_perms;
+allow $1_crontab_t crond_log_t:file append;
+
+# Access terminals.
+allow $1_crontab_t device_t:dir search;
+access_terminal($1_crontab_t, $1);
+
+allow $1_crontab_t fs_t:filesystem getattr;
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
+allow $1_crontab_t privfd:fd use;
+
+dontaudit $1_crontab_t var_run_t:dir search;
+')
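Review bot: `allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override };` spells the subject twice where every other rule in this commit uses `self` (compare `allow $1_crontab_t self:process { fork signal_perms };` a few lines below); write it `allow $1_crontab_t self:capability { setuid setgid chown dac_override };`. The comment above it reads as one run-on sentence; `# Use capabilities.  dac_override is needed to create the temporary file in the directory under /tmp.` says the same thing clearly, and `setuid setgid chown` still lack a rationale — presumably crontab runs setuid root and chowns the spool file to the invoking user, which is worth stating rather than leaving implied. The `# Use the type when creating files in /var/spool/cron.` comment sits above the `sysadm_crontab_t ... { getattr read }` rule it does not describe; move it down to the `file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)` line, and give the sysadm read rule its own note that it is what lets `crontab -u` inspect other users' spools.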
diff --git a/strict/macros/program/dbusd_macros.te b/strict/macros/program/dbusd_macros.te
new file mode 100644
index 0000000..c11784c
--- /dev/null
+++ b/strict/macros/program/dbusd_macros.te
@@ -0,0 +1,88 @@
+#
+# Macros for Dbus
+#
+# Author: Colin Walters <walters at redhat.com>
+
+# dbusd_domain(domain_prefix)
+#
+# Define a derived domain for the DBus daemon.
+
+define(`dbusd_domain', `
+ifelse(`system', `$1',`
+daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm')
+# For backwards compatibility
+typealias system_dbusd_t alias dbusd_t;
+type etc_dbusd_t, file_type, sysadmfile;
+',`
+type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;
+role $1_r types $1_dbusd_t;
+domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)
+read_locale($1_dbusd_t)
+allow $1_t $1_dbusd_t:process { sigkill signal };
+allow $1_dbusd_t self:process { sigkill signal };
+dontaudit $1_dbusd_t var_t:dir { getattr search };
+')dnl end ifelse system
+
+base_file_read_access($1_dbusd_t)
+uses_shlib($1_dbusd_t)
+allow $1_dbusd_t etc_t:file { getattr read };
+r_dir_file($1_dbusd_t, etc_dbusd_t)
+tmp_domain($1_dbusd) 
+allow $1_dbusd_t self:process fork;
+ifdef(`xdm.te', `
+allow $1_dbusd_t xdm_t:fd use;
+allow $1_dbusd_t xdm_t:fifo_file write;
+')
+
+allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+
+allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
+allow $1_dbusd_t self:file { getattr read };
+allow $1_dbusd_t proc_t:file read;
+
+ifdef(`pamconsole.te', `
+r_dir_file($1_dbusd_t, pam_var_console_t)
+')
+
+allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+
+')dnl end dbusd_domain definition
+
+# dbusd_client(dbus_type, domain_prefix)
+# Example: dbusd_client_domain(system, user)
+#
+# Define a new derived domain for connecting to dbus_type
+# from domain_prefix_t. 
+undefine(`dbusd_client')
+define(`dbusd_client',`
+
+ifdef(`dbusd.te',`
+# Derived type used for connection
+type $2_dbusd_$1_t;
+type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
+
+# SE-DBus specific permissions
+allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
+
+# For connecting to the bus
+allow $2_t $1_dbusd_t:unix_stream_socket connectto;
+
+') dnl endif dbusd.te
+ifelse(`system', `$1', `
+allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
+allow { $2_t } system_dbusd_var_run_t:sock_file write;
+',`') dnl endif system
+')
+
+# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
+# Example: can_dbusd_converse(system, hald, updfstab)
+# Example: can_dbusd_converse(session, user, user)
+define(`can_dbusd_converse',`')
+ifdef(`dbusd.te',`
+undefine(`can_dbusd_converse')
+define(`can_dbusd_converse',`
+allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
+allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
+') dnl endif dbusd.te
+')
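Review bot: In `dbusd_client` the `ifdef(`dbusd.te'` block is closed at `') dnl endif dbusd.te` before the `ifelse(`system', `$1'` part, so the `system_dbusd_var_run_t` dir-search and sock_file-write rules are emitted even when dbusd.te is not in the build; if that type is declared by the `daemon_domain(system_dbusd, ...)` call in `dbusd_domain` (its definition is not shown here), the policy then fails to compile with an undefined type. Move the system-bus rules inside the existing guard, or wrap them in their own `ifdef(`dbusd.te', ...)`, so the macro stays usable from callers that only conditionally include dbus. The `connectto` rule for the same connection already lives inside the guard, so both halves of one permission set should be guarded the same way.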
diff --git a/strict/macros/program/fingerd_macros.te b/strict/macros/program/fingerd_macros.te
new file mode 100644
index 0000000..fd56ca7
--- /dev/null
+++ b/strict/macros/program/fingerd_macros.te
@@ -0,0 +1,15 @@
+#
+# Macro for fingerd
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+
+#
+# fingerd_macro(domain_prefix)
+#
+# allow fingerd to create a fingerlog file in the user home dir
+#
+define(`fingerd_macro', `
+type $1_home_fingerlog_t, file_type, sysadmfile, $1_file_type;
+file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t)
+')
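Review bot: `file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t)` is called without the optional class argument, whereas the crontab rules in this same commit pass `file` or `{ dir file }` to limit what the domain may create; if the default here is the full non-device file class set (I cannot see the macro definition), the network-facing fingerd can create directories, symlinks, sockets and fifos in every user's home directory under the fingerlog type, not just the log file. Since the comment says only `a fingerlog file`, pass the class explicitly: `file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t, file)`. A one-line comment noting that the type carries `$1_file_type` so that rules keyed on that attribute (e.g. the gpg domain's `rw_dir_create_file($1_gpg_t, $1_file_type)` in this commit) apply to the log would also help the next reader.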
diff --git a/strict/macros/program/games_domain.te b/strict/macros/program/games_domain.te
new file mode 100644
index 0000000..9816896
--- /dev/null
+++ b/strict/macros/program/games_domain.te
@@ -0,0 +1,58 @@
+#DESC games
+#
+# Macros for games
+#
+#
+# Authors:  Dan Walsh <dwalsh at redhat.com> 
+#
+#
+# games_domain(domain_prefix)
+#
+#
+define(`games_domain', `
+x_client_domain($1, `games', `, transitionbool')
+
+allow $1_games_t var_t:dir { search getattr };
+rw_dir_create_file($1_games_t, games_data_t)
+allow $1_games_t sound_device_t:chr_file rw_file_perms;
+r_dir_file($1_games_t, usr_t)
+can_udp_send($1_games_t, $1_games_t)
+can_tcp_connect($1_games_t, $1_games_t)
+
+# Access /home/user/.gnome2
+create_dir_file($1_games_t, $1_home_t)
+allow $1_games_t $1_home_dir_t:dir search;
+allow $1_games_t $1_home_t:dir { read getattr };
+
+create_dir_file($1_games_t, $1_tmp_t)
+allow $1_games_t $1_tmp_t:sock_file create_file_perms;
+
+dontaudit $1_games_t sysctl_t:dir search;
+
+tmp_domain($1_games)
+allow $1_games_t urandom_device_t:chr_file { getattr ioctl read };
+ifdef(`xdm.te', `
+allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
+allow $1_games_t xdm_tmp_t:sock_file create_file_perms;
+allow $1_games_t xdm_var_lib_t:file { getattr read };
+')dnl end if xdm.te
+
+can_unix_connect($1_t, $1_games_t)
+can_unix_connect($1_games_t, $1_t)
+
+allow $1_games_t var_lib_t:dir search;
+r_dir_file($1_games_t, man_t)
+allow $1_games_t proc_t:file { read getattr };
+ifdef(`mozilla.te', ` 
+dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
+')
+allow $1_games_t event_device_t:chr_file getattr;
+allow $1_games_t mouse_device_t:chr_file getattr;
+allow $1_games_t self:file { getattr read };
+
+# kpat spews errors
+dontaudit $1_games_t bin_t:dir getattr;
+dontaudit $1_games_t var_run_t:dir search;
+
+')dnl end macro definition
+
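Review bot: `create_dir_file($1_games_t, $1_home_t)` under `# Access /home/user/.gnome2` grants the games domain create, write and unlink on every file of type `$1_home_t`, i.e. the user's whole home tree, not just `.gnome2`; the gift macros in this same commit use `home_domain($1, gift)` to give an application its own home type instead. Consider `home_domain($1, games)` (or a dedicated `$1_games_home_t`) and keep only read access to `$1_home_t`. Either way `allow $1_games_t $1_home_t:dir { read getattr };` on the following line is redundant, since `create_dir_file` already covers it. Nothing in this hunk justifies a game writing outside its own dot-directory, and with X and sound-device access in the same domain that is a wide blast radius for a crash in untrusted game code.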
diff --git a/strict/macros/program/gift_macros.te b/strict/macros/program/gift_macros.te
new file mode 100644
index 0000000..3589c05
--- /dev/null
+++ b/strict/macros/program/gift_macros.te
@@ -0,0 +1,113 @@
+#
+# Macros for giFT
+#
+# Author: Ivan Gyurdiev <ivg2 at cornell.edu>
+#
+# gift_domains(domain_prefix)
+# declares a domain for giftui and giftd
+
+#########################
+#  gift_domain(user)    #
+#########################
+
+define(`gift_domain', `
+
+# Connect to X
+x_client_domain($1, gift, `')	
+
+# Transition
+domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
+can_exec($1_gift_t, gift_exec_t)
+role $1_r types $1_gift_t;
+
+# Self permissions
+allow $1_gift_t self:process getsched;
+
+# Home files
+home_domain($1, gift)
+
+# Fonts, icons
+r_dir_file($1_gift_t, usr_t)
+r_dir_file($1_gift_t, fonts_t)
+
+# Launch gift daemon
+allow $1_gift_t self:process fork;
+domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
+
+# Connect to gift daemon
+can_network($1_gift_t)
+
+# Read /proc/meminfo
+allow $1_gift_t proc_t:dir search;
+allow $1_gift_t proc_t:file { getattr read };
+
+# Tmp/ORBit
+tmp_domain($1_gift)
+file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
+can_unix_connect($1_t, $1_gift_t)
+can_unix_connect($1_gift_t, $1_t)
+allow $1_t $1_gift_tmp_t:sock_file write;
+allow $1_gift_t $1_tmp_t:file { getattr read write lock };
+allow $1_gift_t $1_tmp_t:sock_file { read write };
+dontaudit $1_gift_t $1_tmp_t:dir setattr;
+
+# Access random device
+allow $1_gift_t urandom_device_t:chr_file { read getattr ioctl };
+
+# giftui looks in .icons, .themes, .fonts-cache.
+dontaudit $1_gift_t $1_home_t:dir { getattr read search };
+dontaudit $1_gift_t $1_home_t:file { getattr read };
+
+') dnl gift_domain
+
+##########################
+#  giftd_domain(user)    #
+##########################
+
+define(`giftd_domain', `
+
+type $1_giftd_t, domain;
+
+# Transition from user type
+domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t)
+role $1_r types $1_giftd_t;
+
+# Self permissions, allow fork
+allow $1_giftd_t self:process { fork signal sigchld setsched };
+allow $1_giftd_t self:unix_stream_socket create_socket_perms;
+
+read_sysctl($1_giftd_t)
+read_locale($1_giftd_t)
+uses_shlib($1_giftd_t)
+
+# Access home domain
+home_domain_access($1_giftd_t, $1, gift)
+	
+# Allow networking
+allow $1_giftd_t port_t:tcp_socket name_bind;
+allow $1_giftd_t port_t:udp_socket name_bind;
+can_network_server($1_giftd_t)
+can_network_client($1_giftd_t)
+
+# FIXME: ???
+dontaudit $1_giftd_t self:udp_socket listen;
+
+# Plugins
+r_dir_file($1_giftd_t, usr_t)
+
+# Connect to xdm
+ifdef(`xdm.te', `
+allow $1_giftd_t xdm_t:fd use;
+allow $1_giftd_t xdm_t:fifo_file write;
+') 
+
+') dnl giftd_domain
+
+##########################
+#  gift_domains(user)    #
+##########################
+
+define(`gift_domains', `
+gift_domain($1)
+giftd_domain($1)
+') dnl gift_domains
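Review bot: `allow $1_giftd_t port_t:tcp_socket name_bind;` and the matching udp rule in `giftd_domain` let the daemon bind any port labelled with the generic `port_t`, and together with `can_network_server($1_giftd_t)` that means a user-launched P2P daemon can squat on any unreserved port on the host; the inetd macro in this commit shows the alternative of declaring a dedicated `$1_port_t` type. Declaring a `gift_port_t`, labelling the giFT ports with it in the port contexts, and binding only to that type would confine it; if the ports are user-configurable and that is the reason for `port_t`, say so in a comment. The `# FIXME: ???` above `dontaudit $1_giftd_t self:udp_socket listen;` can be resolved: listen() on a UDP socket is not supported by the kernel, so the dontaudit only silences a harmless denial, and `# giftd calls listen() on its UDP socket; the call fails harmlessly, just keep it out of the log` is a better comment.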
diff --git a/strict/macros/program/gpg_agent_macros.te b/strict/macros/program/gpg_agent_macros.te
new file mode 100644
index 0000000..21a8768
--- /dev/null
+++ b/strict/macros/program/gpg_agent_macros.te
@@ -0,0 +1,127 @@
+#
+# Macros for gpg agent
+#
+# Author: Thomas Bleher <ThomasBleher at gmx.de>
+#
+# 
+# gpg_agent_domain(domain_prefix)
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/gpg-agent.te. 
+#
+define(`gpg_agent_domain',`
+# Define a derived domain for the gpg-agent program when executed
+# by a user domain.
+# Derived domain based on the calling user domain and the program.
+type $1_gpg_agent_t, domain;
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_gpg_agent_t;
+
+allow $1_gpg_agent_t privfd:fd use;
+allow $1_gpg_agent_t xdm_t:fd use;
+
+# Write to the user domain tty.
+access_terminal($1_gpg_agent_t, $1)
+
+# Allow the user shell to signal the gpg-agent program.
+allow $1_t $1_gpg_agent_t:process { signal sigkill };
+# allow ps to show gpg-agent
+can_ps($1_t, $1_gpg_agent_t)
+
+uses_shlib($1_gpg_agent_t)
+read_locale($1_gpg_agent_t)
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow $1_gpg_agent_t self:process { setrlimit fork sigchld };
+
+allow $1_gpg_agent_t { self proc_t }:dir search;
+allow $1_gpg_agent_t { self proc_t }:lnk_file read;
+
+allow $1_gpg_agent_t device_t:dir { getattr read };
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
+create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
+if (use_nfs_home_dirs) {
+create_dir_file($1_gpg_agent_t, nfs_t)
+}
+if (use_samba_home_dirs) {
+create_dir_file($1_gpg_agent_t, cifs_t)
+}
+
+allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_gpg_agent_t self:fifo_file { getattr read write };
+
+# create /tmp files
+tmp_domain($1_gpg_agent, `', `{ file dir sock_file }')
+
+# gpg connect
+allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
+allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
+can_unix_connect($1_gpg_t, $1_gpg_agent_t)
+
+# policy for pinentry
+# ===================
+# we need to allow gpg-agent to call pinentry so it can get the passphrase 
+# from the user.
+# Please note that I didnt use the x_client_domain-macro as it gives too 
+# much permissions
+type $1_gpg_pinentry_t, domain;
+role $1_r types $1_gpg_pinentry_t;
+
+allow $1_gpg_agent_t bin_t:dir search;
+domain_auto_trans($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)
+
+uses_shlib($1_gpg_pinentry_t)
+read_locale($1_gpg_pinentry_t)
+
+allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
+
+ifdef(`xdm.te', `
+allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
+allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
+can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
+allow $1_gpg_pinentry_t xdm_t:fd use;
+')dnl end ig xdm.te
+
+r_dir_file($1_gpg_pinentry_t, fonts_t)
+# read kde font cache
+allow $1_gpg_pinentry_t usr_t:file { getattr read };
+
+allow $1_gpg_pinentry_t { proc_t self }:dir search;
+allow $1_gpg_pinentry_t { proc_t self }:lnk_file read;
+# read /proc/meminfo
+allow $1_gpg_pinentry_t proc_t:file read;
+
+allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
+
+# for .Xauthority
+allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
+allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
+# wants to put some lock files into the user home dir, seems to work fine without
+dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
+dontaudit $1_gpg_pinentry_t $1_home_t:file write;
+if (use_nfs_home_dirs) {
+allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
+allow $1_gpg_pinentry_t nfs_t:file { getattr read };
+dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
+dontaudit $1_gpg_pinentry_t nfs_t:file write;
+}
+if (use_samba_home_dirs) {
+allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
+allow $1_gpg_pinentry_t cifs_t:file { getattr read };
+dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
+dontaudit $1_gpg_pinentry_t cifs_t:file write;
+}
+
+# read /etc/X11/qtrc
+allow $1_gpg_pinentry_t etc_t:file { getattr read };
+
+dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t bin_t }:dir { getattr search };
+
+')dnl end if gpg_agent
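Review bot: `allow $1_gpg_agent_t xdm_t:fd use;` near the top of `gpg_agent_domain` references `xdm_t` unconditionally, while the pinentry section later in the same macro wraps its `xdm_t`/`xdm_xserver_t` rules in `ifdef(`xdm.te', ...)`; on a build without xdm.te the first rule fails with an undefined type. Guard it the same way: `ifdef(`xdm.te', `allow $1_gpg_agent_t xdm_t:fd use;')`. Also worth a comment on `allow $1_gpg_pinentry_t $1_home_t:file { getattr read };`: the stated reason is `.Xauthority`, but the rule lets the passphrase-prompting helper read every `$1_home_t` file, which is broader than the comment suggests and should be marked as deliberate (or narrowed to a dedicated type) so a later maintainer does not assume it is an oversight.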
diff --git a/strict/macros/program/gpg_macros.te b/strict/macros/program/gpg_macros.te
new file mode 100644
index 0000000..124d6e8
--- /dev/null
+++ b/strict/macros/program/gpg_macros.te
@@ -0,0 +1,144 @@
+#
+# Macros for gpg and pgp
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+# based on the work of:
+# Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser
+#
+
+#
+# gpg_domain(domain_prefix)
+#
+# Define a derived domain for the gpg/pgp program when executed by
+# a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/gpg.te.
+#
+define(`gpg_domain', `
+# Derived domain based on the calling user domain and the program.
+type $1_gpg_t, domain, privlog;
+type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
+
+can_network($1_gpg_t)
+can_ypbind($1_gpg_t)
+
+# for a bug in kmail
+dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
+
+# The user role is authorized for this domain.
+role $1_r types $1_gpg_t;
+
+# Legacy
+if (allow_gpg_execstack) {
+legacy_domain($1_gpg)
+allow $1_gpg_t locale_t:file execute;
+
+# Not quite sure why this is needed... 
+allow $1_gpg_t gpg_exec_t:file execmod;
+}
+
+allow $1_t $1_gpg_secret_t:file getattr;
+
+allow $1_gpg_t device_t:dir r_dir_perms;
+allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;
+
+allow $1_gpg_t etc_t:file r_file_perms;
+
+allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
+
+access_terminal($1_gpg_t, $1)
+ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
+
+# Inherit and use descriptors
+allow $1_gpg_t { privfd $1_t }:fd use;
+allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
+
+# setrlimit is for ulimit -c 0
+allow $1_gpg_t self:process { setrlimit setcap };
+
+# allow ps to show gpg
+can_ps($1_t, $1_gpg_t)
+
+uses_shlib($1_gpg_t)
+
+# should not need read access...
+allow $1_gpg_t home_root_t:dir { read search };
+
+# use $1_gpg_secret_t for files it creates
+# NB we are doing the type transition for directory creation only!
+# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
+# secring.gpg will be of $1_gpg_secret_t too.  But when you use gpg to decrypt
+# a file and write output to your home directory it will use user_home_t.
+file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
+rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
+
+file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
+create_dir_file($1_gpg_t, $1_home_t)
+
+# allow the usual access to /tmp
+file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
+
+if (use_nfs_home_dirs) {
+create_dir_file($1_gpg_t, nfs_t)
+}
+if (use_samba_home_dirs) {
+create_dir_file($1_gpg_t, cifs_t)
+}
+
+allow $1_gpg_t self:capability { ipc_lock setuid };
+rw_dir_create_file($1_gpg_t, $1_file_type)
+
+allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
+allow $1_gpg_t fs_t:filesystem getattr;
+allow $1_gpg_t usr_t:file r_file_perms;
+read_locale($1_gpg_t)
+allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
+
+dontaudit $1_gpg_t var_t:dir search;
+
+ifdef(`gpg-agent.te', `gpg_agent_domain($1)')
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the 
+# mail interface you will likely need additional permissions.
+type $1_gpg_helper_t, domain;
+role $1_r types $1_gpg_helper_t;
+
+domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
+uses_shlib($1_gpg_helper_t)
+
+# allow gpg to fork so it can call the helpers
+allow $1_gpg_t self:process { fork sigchld };
+allow $1_gpg_t self:fifo_file { getattr read write };
+
+dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+if (use_nfs_home_dirs) {
+dontaudit $1_gpg_helper_t nfs_t:file { read write };
+}
+if (use_samba_home_dirs) {
+dontaudit $1_gpg_helper_t cifs_t:file { read write };
+}
+
+# communicate with the user 
+allow $1_gpg_helper_t $1_t:fd use;
+allow $1_gpg_helper_t $1_t:fifo_file write;
+# get keys from the network
+can_network_client($1_gpg_helper_t)
+allow $1_gpg_helper_t etc_t:file { getattr read };
+allow $1_gpg_helper_t urandom_device_t:chr_file read;
+allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+# for nscd
+dontaudit $1_gpg_helper_t var_t:dir search;
+
+ifdef(`xdm.te', `
+dontaudit $1_gpg_t xdm_t:fd use;
+dontaudit $1_gpg_t xdm_t:fifo_file read;
+')
+
+')dnl end gpg_domain definition
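Review bot: `allow $1_gpg_t home_root_t:dir { read search };` sits under a comment saying `should not need read access...`, so the policy grants a permission its own author believes is unnecessary; split it into `allow $1_gpg_t home_root_t:dir search;` plus `dontaudit $1_gpg_t home_root_t:dir read;` so the listing of /home is denied quietly rather than allowed. `allow $1_gpg_t self:process { setrlimit setcap };` and `allow $1_gpg_t self:capability { ipc_lock setuid };` carry no explanation beyond the ulimit note; presumably gpg is installed setuid root to mlock its secure memory and then drops privilege, which is worth stating in a comment since those rules are what keep that pattern working and are the first thing someone tightening the domain would cut. `rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)` is subsumed by `rw_dir_create_file($1_gpg_t, $1_file_type)` later in the macro (the secret type carries `$1_file_type`), so it could go, though leaving it with a note that it documents intent is also fine.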
diff --git a/strict/macros/program/gph_macros.te b/strict/macros/program/gph_macros.te
new file mode 100644
index 0000000..d784fcc
--- /dev/null
+++ b/strict/macros/program/gph_macros.te
@@ -0,0 +1,85 @@
+#
+# Macros for gnome-pty-helper domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser 
+#
+
+#
+# gph_domain(domain_prefix, role_prefix)
+#
+# Define a derived domain for the gnome-pty-helper program when
+# executed by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/gnome-pty-helper.te. 
+#
+# The *_gph_t domains are for the gnome_pty_helper program.
+# This program is executed by gnome-terminal to handle
+# updates to utmp and wtmp.  In this regard, it is similar
+# to utempter.  However, unlike utempter, gnome-pty-helper
+# also creates the pty file for the terminal program.
+# There is one *_gph_t domain for each user domain.  
+#
+undefine(`gph_domain')
+define(`gph_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_gph_t, domain, gphdomain, nscd_client_domain;
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, gph_exec_t, $1_gph_t)
+
+# The user role is authorized for this domain.
+role $2_r types $1_gph_t;
+
+# This domain is granted permissions common to most domains.
+uses_shlib($1_gph_t)
+
+# Use capabilities.
+allow $1_gph_t self:capability { chown fsetid setgid setuid };
+
+# Update /var/run/utmp and /var/log/wtmp.
+allow $1_gph_t { var_t var_run_t }:dir search;
+allow $1_gph_t initrc_var_run_t:file rw_file_perms;
+allow $1_gph_t wtmp_t:file rw_file_perms;
+
+# Allow gph to rw to stream sockets of appropriate user type.
+# (Need this so gnome-pty-helper can pass pty fd to parent 
+#  gnome-terminal which is running in a user domain.)
+allow $1_gph_t $1_t:unix_stream_socket rw_stream_socket_perms;
+
+allow $1_gph_t self:unix_stream_socket create_stream_socket_perms;
+
+# Allow user domain to use pty fd from gnome-pty-helper.
+allow $1_t $1_gph_t:fd use;
+
+# Use the network, e.g. for NIS lookups.
+can_resolve($1_gph_t)
+can_ypbind($1_gph_t)
+
+allow $1_gph_t etc_t:file { getattr read };
+
+# Added by David A. Wheeler:
+# Allow gnome-pty-helper to update /var/log/lastlog
+# (the gnome-pty-helper in Red Hat Linux 7.1 does this):
+allow $1_gph_t lastlog_t:file rw_file_perms;
+allow $1_gph_t var_log_t:dir search;
+allow $1_t $1_gph_t:process signal;
+
+ifelse($2, `system', `
+# Create ptys for the system
+can_create_other_pty($1_gph, initrc)
+', `
+# Create ptys for the user domain.
+can_create_other_pty($1_gph, $1)
+
+# Read and write the users tty.
+allow $1_gph_t $1_tty_device_t:chr_file rw_file_perms;
+
+# Allow gnome-pty-helper to write the .xsession-errors file.
+allow $1_gph_t home_root_t:dir search;
+allow $1_gph_t $1_home_t:dir { search add_name };
+allow $1_gph_t $1_home_t:file { create write };
+')dnl end ifelse system
+')dnl end macro
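Review bot: The rules under `# Allow gnome-pty-helper to write the .xsession-errors file.` do not match that purpose: they grant `$1_home_t:dir { search add_name }` and `$1_home_t:file { create write }`, but `~/.xsession-errors` lives directly in the home directory, whose type is `$1_home_dir_t` (see the `file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)` pattern elsewhere in this commit), so creating it there would still be denied, while any file in any `$1_home_t` subdirectory becomes creatable and writable by a helper that also holds `setuid`/`chown` capabilities. If gph only inherits an already-open stderr from gnome-terminal, `allow $1_gph_t $1_home_t:file write;` is all that is needed and the `create`, `add_name` and `home_root_t search` rules can go; if it really opens the file itself, the directory rule belongs on `$1_home_dir_t` with a transition to a dedicated type. The comment should say which of the two cases the denials came from.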
diff --git a/strict/macros/program/inetd_macros.te b/strict/macros/program/inetd_macros.te
new file mode 100644
index 0000000..1cdaa39
--- /dev/null
+++ b/strict/macros/program/inetd_macros.te
@@ -0,0 +1,98 @@
+#################################
+#
+# Rules for the $1_t domain.
+#
+# $1_t is a general domain for daemons started
+# by inetd that do not have their own individual domains yet.
+# $1_exec_t is the type of the corresponding
+# programs.
+#
+define(`inetd_child_domain', `
+type $1_t, domain, privlog, nscd_client_domain;
+role system_r types $1_t;
+
+#
+# Allows user to define a tunable to disable domain transition
+#
+bool $1_disable_trans false;
+if ($1_disable_trans) {
+can_exec(initrc_t, $1_exec_t)
+can_exec(sysadm_t, $1_exec_t)
+} else {
+domain_auto_trans(inetd_t, $1_exec_t, $1_t)
+allow inetd_t $1_t:process sigkill;
+}
+
+can_network_server($1_t)
+can_ypbind($1_t)
+uses_shlib($1_t)
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket create_socket_perms;
+allow $1_t self:fifo_file rw_file_perms;
+type $1_exec_t, file_type, sysadmfile, exec_type;
+read_locale($1_t)
+allow $1_t device_t:dir search;
+allow $1_t proc_t:dir search;
+allow $1_t proc_t:{ file lnk_file } { getattr read };
+allow $1_t self:process { fork signal_perms };
+allow $1_t fs_t:filesystem getattr;
+
+read_sysctl($1_t)
+
+allow $1_t etc_t:file { getattr read };
+
+tmp_domain($1)
+allow $1_t var_t:dir search;
+var_run_domain($1)
+
+# Inherit and use descriptors from inetd.
+allow $1_t inetd_t:fd use;
+
+# for identd
+allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow $1_t self:capability { setuid setgid };
+allow $1_t home_root_t:dir search;
+allow $1_t self:dir search;
+allow $1_t self:{ lnk_file file } { getattr read };
+can_kerberos($1_t)
+allow $1_t urandom_device_t:chr_file r_file_perms;
+type $1_port_t, port_type, reserved_port_type;
+# Use sockets inherited from inetd.
+ifelse($2, `', `
+allow inetd_t $1_port_t:udp_socket name_bind;
+allow $1_t inetd_t:udp_socket rw_socket_perms;
+allow inetd_t $1_port_t:tcp_socket name_bind;
+allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
+')
+ifelse($2, tcp, `
+allow inetd_t $1_port_t:tcp_socket name_bind;
+allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
+')
+ifelse($2, udp, `
+allow inetd_t $1_port_t:udp_socket name_bind;
+allow $1_t inetd_t:udp_socket rw_socket_perms;
+')
+r_dir_file($1_t, proc_net_t)
+')
+define(`remote_login_daemon', `
+inetd_child_domain($1)
+
+# Execute /bin/login on a new PTY
+allow $1_t { bin_t sbin_t }:dir search;
+domain_auto_trans($1_t, login_exec_t, remote_login_t)
+can_create_pty($1, `, server_pty, userpty_type')
+allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;
+
+# Append to /var/log/wtmp.
+allow $1_t var_log_t:dir search;
+allow $1_t wtmp_t:file rw_file_perms;
+allow $1_t initrc_var_run_t:file rw_file_perms;
+
+# Allow reading of /etc/issue.net
+allow $1_t etc_runtime_t:file r_file_perms;
+
+# Allow krb5 $1 to use fork and open /dev/tty for use
+allow $1_t userpty_type:chr_file setattr;
+allow $1_t devtty_t:chr_file rw_file_perms;
+dontaudit $1_t selinux_config_t:dir search;
+')
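Review bot: In `inetd_child_domain`, when `$1_disable_trans` is true the `if` branch grants `can_exec` to `initrc_t` and `sysadm_t` but not to `inetd_t`, yet the program is launched by inetd (`domain_auto_trans(inetd_t, $1_exec_t, $1_t)` in the else branch), so flipping the boolean appears to stop the service from starting rather than run it in `inetd_t`; unless inetd_t can already execute every `exec_type` elsewhere (not visible here), add `can_exec(inetd_t, $1_exec_t)` to the true branch. A short comment that `disable_trans` keeps the child in the caller's domain, with the caveat that the child then inherits all of inetd's permissions, would make the bool's security impact explicit. In `remote_login_daemon`, `allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;` has a stray space before the semicolon, and `dac_override` deserves its own why-comment since the same domain also searches `home_root_t` and writes wtmp.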
diff --git a/strict/macros/program/irc_macros.te b/strict/macros/program/irc_macros.te
new file mode 100644
index 0000000..8c9c876
--- /dev/null
+++ b/strict/macros/program/irc_macros.te
@@ -0,0 +1,83 @@
+#
+# Macros for irc domains.
+#
+
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+
+#
+# irc_domain(domain_prefix)
+#
+# Define a derived domain for the irc program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/irc.te. 
+#
+undefine(`irc_domain')
+ifdef(`irc.te', `
+define(`irc_domain',`
+
+# Home domain
+home_domain($1, irc)
+
+# Derived domain based on the calling user domain and the program.
+type $1_irc_t, domain;
+type $1_irc_exec_t, file_type, sysadmfile, $1_file_type;
+
+allow $1_t $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, { irc_exec_t $1_irc_exec_t }, $1_irc_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_irc_t;
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_irc_t $1_gph_t:fd use;')
+
+# Inherit and use descriptors from newrole.
+ifdef(`newrole.te', `allow $1_irc_t newrole_t:fd use;')
+
+# allow ps to show irc
+can_ps($1_t, $1_irc_t)
+allow $1_t $1_irc_t:process signal;
+
+# Use the network.
+can_network_client($1_irc_t)
+can_ypbind($1_irc_t)
+
+allow $1_irc_t usr_t:file { getattr read };
+
+access_terminal($1_irc_t, $1)
+uses_shlib($1_irc_t)
+allow $1_irc_t etc_t:file { read getattr };
+read_locale($1_irc_t)
+allow $1_irc_t fs_t:filesystem getattr;
+allow $1_irc_t var_t:dir search;
+allow $1_irc_t device_t:dir search;
+allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_irc_t privfd:fd use;
+allow $1_irc_t proc_t:dir search;
+allow $1_irc_t { self proc_t }:lnk_file read;
+allow $1_irc_t self:dir search;
+dontaudit $1_irc_t var_run_t:dir search;
+
+# allow utmp access
+allow $1_irc_t initrc_var_run_t:file read;
+dontaudit $1_irc_t initrc_var_run_t:file lock;
+
+# access files under /tmp
+file_type_auto_trans($1_irc_t, tmp_t, $1_tmp_t)
+
+ifdef(`ircd.te', `
+can_tcp_connect($1_irc_t, ircd_t)
+')dnl end ifdef irc.te
+')dnl end macro definition
+
+', `
+
+define(`irc_domain',`')
+
+')dnl end ifdef irc.te
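Review bot: The closing comment on L27822, `')dnl end ifdef irc.te`, actually closes the inner `ifdef(`ircd.te', ...)` block opened on L27820 (the outer irc.te ifdef ends on L27829), so it should read `')dnl end ifdef ircd.te`. Separately, L27775 lets the calling user domain create files of type $1_irc_exec_t and relabel to and from it, while L27778 makes that same type an entry point into $1_irc_t; that is presumably intended for user-installed irc clients, but a one-line comment such as `# $1_irc_exec_t is user-writable: anything the user labels with it runs in $1_irc_t` would make that trust boundary explicit for later readers.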
diff --git a/strict/macros/program/java_macros.te b/strict/macros/program/java_macros.te
new file mode 100644
index 0000000..b7c2be4
--- /dev/null
+++ b/strict/macros/program/java_macros.te
@@ -0,0 +1,113 @@
+#
+# Authors:  Dan Walsh <dwalsh at redhat.com> 
+#
+# Macros for javaplugin (java plugin) domains.
+#
+#
+# javaplugin_domain(domain_prefix, user)
+#
+# Define a derived domain for the javaplugin program when executed by
+# a web browser.  
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/java.te. 
+#
+define(`javaplugin_domain',`
+type $1_javaplugin_t, domain, privlog , nscd_client_domain, transitionbool;
+
+# The user role is authorized for this domain.
+role $2_r types $1_javaplugin_t;
+domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
+
+allow $1_javaplugin_t sound_device_t:chr_file rw_file_perms;
+# Unrestricted inheritance from the caller.
+allow $1_t $1_javaplugin_t:process { noatsecure siginh rlimitinh };
+allow $1_javaplugin_t $1_t:process signull;
+
+can_unix_connect($1_javaplugin_t, $1_t)
+allow $1_javaplugin_t $1_t:unix_stream_socket { read write };
+
+# This domain is granted permissions common to most domains (including can_net)
+can_network_client($1_javaplugin_t)
+can_ypbind($1_javaplugin_t)
+allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
+allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow $1_javaplugin_t self:fifo_file rw_file_perms;
+allow $1_javaplugin_t etc_runtime_t:file { getattr read };
+allow $1_javaplugin_t fs_t:filesystem getattr;
+r_dir_file($1_javaplugin_t, { proc_t proc_net_t })
+allow $1_javaplugin_t self:dir search;
+allow $1_javaplugin_t self:lnk_file read;
+allow $1_javaplugin_t self:file { getattr read };
+
+read_sysctl($1_javaplugin_t)
+
+tmp_domain($1_javaplugin)
+r_dir_file($1_javaplugin_t,{ fonts_t usr_t etc_t })
+
+# Search bin directory under javaplugin for javaplugin executable
+allow $1_javaplugin_t bin_t:dir search;
+can_exec($1_javaplugin_t, java_exec_t)
+
+# Allow connections to X server.
+ifdef(`xserver.te', `
+
+ifdef(`xdm.te', `
+# for when /tmp/.X11-unix is created by the system
+allow $1_javaplugin_t xdm_xserver_tmp_t:dir search;
+allow $1_javaplugin_t xdm_t:fifo_file rw_file_perms;
+allow $1_javaplugin_t xdm_tmp_t:dir search;
+allow $1_javaplugin_t xdm_tmp_t:sock_file write;
+')
+
+ifdef(`startx.te', `
+# for when /tmp/.X11-unix is created by the X server
+allow $1_javaplugin_t $2_xserver_tmp_t:dir search;
+
+# for /tmp/.X0-lock
+allow $1_javaplugin_t $2_xserver_tmp_t:file getattr;
+
+allow $1_javaplugin_t $2_xserver_tmp_t:sock_file rw_file_perms;
+can_unix_connect($1_javaplugin_t, $2_xserver_t)
+')dnl end startx
+
+can_unix_connect($1_javaplugin_t, xdm_xserver_t)
+allow xdm_xserver_t $1_javaplugin_t:fd use;
+allow xdm_xserver_t $1_javaplugin_t:shm { associate getattr read unix_read };
+dontaudit xdm_xserver_t $1_javaplugin_t:shm { unix_write write };
+
+')dnl end xserver
+
+allow $1_javaplugin_t self:shm create_shm_perms;
+
+uses_shlib($1_javaplugin_t)
+read_locale($1_javaplugin_t)
+rw_dir_file($1_javaplugin_t, $1_home_t)
+
+if (allow_java_execstack) {
+legacy_domain($1_javaplugin)
+allow $1_javaplugin_t lib_t:file execute;
+allow $1_javaplugin_t locale_t:file execute;
+allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
+allow $1_javaplugin_t fonts_t:file execute;
+allow $1_javaplugin_t sound_device_t:chr_file execute;
+}
+
+allow $1_javaplugin_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
+
+allow $1_javaplugin_t home_root_t:dir { getattr search };
+file_type_auto_trans($1_javaplugin_t, $2_home_dir_t, $1_home_t)
+allow $1_javaplugin_t $2_xauth_home_t:file { getattr read };
+allow $1_javaplugin_t $2_tmp_t:sock_file write;
+allow $1_javaplugin_t $2_t:fd use;
+
+allow $1_javaplugin_t var_t:dir getattr;
+allow $1_javaplugin_t var_lib_t:dir { getattr search };
+
+dontaudit $1_javaplugin_t $2_devpts_t:chr_file { read write };
+dontaudit $1_javaplugin_t sysadm_devpts_t:chr_file { read write };
+dontaudit $1_javaplugin_t devtty_t:chr_file { read write };
+dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
+dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
+
+')
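Review bot: The `allow_java_execstack` block on L27922–L27929 carries no comment explaining what it opens up, although it grants `execute` on $1_javaplugin_tmp_t files (L27926), a type the plugin itself writes through tmp_domain on L27880, as well as on lib_t, locale_t, fonts_t and the sound device. A comment above the `if`, e.g. `# allow_java_execstack: for JVMs needing executable stacks; also lets the plugin execute files it wrote to its own tmp type`, would tell an administrator what enabling the boolean costs. The L27928 `sound_device_t:chr_file execute` rule does not obviously relate to stack execution and may deserve its own justification.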
diff --git a/strict/macros/program/kerberos_macros.te b/strict/macros/program/kerberos_macros.te
new file mode 100644
index 0000000..0be8bee
--- /dev/null
+++ b/strict/macros/program/kerberos_macros.te
@@ -0,0 +1,10 @@
+define(`can_kerberos',`
+ifdef(`kerberos.te',`
+if (allow_kerberos) {
+can_network_client($1, `kerberos_port_t')
+can_resolve($1)
+}
+') dnl kerberos.te
+dontaudit $1 krb5_conf_t:file write;
+allow $1 krb5_conf_t:file { getattr read };
+')
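Review bot: `can_kerberos` has no header comment, and unlike most macros in this directory its $1 is a full domain rather than a domain prefix (the caller on L27699 in the previous hunk passes `$1_t`). A header such as `# can_kerberos(domain) - let domain reach a KDC when allow_kerberos is set, and read /etc/krb5.conf` would stop callers from passing a prefix by analogy with the neighbouring macros. The `dontaudit $1 krb5_conf_t:file write` on L27962 also warrants a one-line reason so it is not later widened into an allow.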
diff --git a/strict/macros/program/lockdev_macros.te b/strict/macros/program/lockdev_macros.te
new file mode 100644
index 0000000..28f7c01
--- /dev/null
+++ b/strict/macros/program/lockdev_macros.te
@@ -0,0 +1,46 @@
+#
+# Macros for lockdev domains.
+#
+
+#
+# Authors:  Daniel Walsh <dwalsh at redhat.com> 
+#
+
+#
+# lockdev_domain(domain_prefix)
+#
+# Define a derived domain for the lockdev programs when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/lockdev.te. 
+#
+undefine(`lockdev_domain')
+define(`lockdev_domain',`
+# Derived domain based on the calling user domain and the program
+type $1_lockdev_t, domain, privlog;
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, lockdev_exec_t, $1_lockdev_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_lockdev_t;
+# Use capabilities.
+allow $1_lockdev_t self:capability setgid;
+allow $1_lockdev_t $1_t:process signull;
+
+allow $1_lockdev_t var_t:dir search;
+
+lock_domain($1_lockdev)
+
+r_dir_file($1_lockdev_t, lockfile)
+
+allow $1_lockdev_t device_t:dir search;
+allow $1_lockdev_t null_device_t:chr_file rw_file_perms;
+access_terminal($1_lockdev_t, $1)
+dontaudit $1_lockdev_t root_t:dir search;
+
+uses_shlib($1_lockdev_t)
+allow $1_lockdev_t fs_t:filesystem getattr;
+
+')dnl end macro definition
+
diff --git a/strict/macros/program/login_macros.te b/strict/macros/program/login_macros.te
new file mode 100644
index 0000000..0d0993c
--- /dev/null
+++ b/strict/macros/program/login_macros.te
@@ -0,0 +1,11 @@
+# Macros for login type programs (/bin/login, sshd, etc).
+#
+#  Author: Russell Coker <russell at coker.com.au>
+#
+
+define(`login_spawn_domain', `
+domain_trans($1_t, shell_exec_t, $2)
+
+# Signal the user domains.
+allow $1_t $2:process signal;
+')
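Review bot: `login_spawn_domain` on L28028–L28033 takes $1 as a domain prefix but $2 as a domain (or set of domains), and neither argument is documented; the file header on L28023 only names the class of program. Proposed header: `# login_spawn_domain(domain_prefix, user_domains) - let $1_t transition to $2 via shell_exec_t and signal it`. Because L28029 uses `domain_trans` rather than `domain_auto_trans`, it may also be worth stating that the login program has to request the transition explicitly for it to occur.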
diff --git a/strict/macros/program/lpr_macros.te b/strict/macros/program/lpr_macros.te
new file mode 100644
index 0000000..beb6ca2
--- /dev/null
+++ b/strict/macros/program/lpr_macros.te
@@ -0,0 +1,134 @@
+#
+# Macros for lpr domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser 
+#
+
+#
+# lpr_domain(domain_prefix)
+#
+# Define a derived domain for the lpr/lpq/lprm programs when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/lpr.te. 
+#
+undefine(`lpr_domain')
+define(`lpr_domain',`
+# Derived domain based on the calling user domain and the program
+type $1_lpr_t, domain, privlog, nscd_client_domain;
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t)
+
+allow $1_t $1_lpr_t:process signull;
+
+# allow using shared objects, accessing root dir, etc
+uses_shlib($1_lpr_t)
+
+read_locale($1_lpr_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_lpr_t;
+
+# This domain is granted permissions common to most domains (including can_net)
+can_network_client($1_lpr_t)
+can_ypbind($1_lpr_t)
+
+# Use capabilities.
+allow $1_lpr_t $1_lpr_t:capability { setuid dac_override net_bind_service chown };
+
+allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
+
+# for lpd config files (should have a new type)
+r_dir_file($1_lpr_t, etc_t)
+
+# for test print
+r_dir_file($1_lpr_t, usr_t)
+ifdef(`lpd.te', `
+r_dir_file($1_lpr_t, printconf_t)
+')
+
+tmp_domain($1_lpr)
+r_dir_file($1_lpr_t, $1_tmp_t)
+
+# Type for spool files.
+type $1_print_spool_t, file_type, sysadmfile;
+# Use this type when creating files in /var/spool/lpd and /var/spool/cups.
+file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file)
+allow $1_lpr_t var_spool_t:dir search;
+
+# for /dev/null
+allow $1_lpr_t device_t:dir search;
+
+# Access the terminal.
+access_terminal($1_lpr_t, $1)
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;')
+allow $1_lpr_t privfd:fd use;
+
+# Read user files. 
+allow sysadm_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search;  
+allow sysadm_lpr_t $1_home_t:{ file lnk_file } r_file_perms;  
+allow $1_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search;  
+allow $1_lpr_t $1_home_t:{ file lnk_file } r_file_perms;  
+
+if (use_nfs_home_dirs) {
+r_dir_file($1_lpr_t, nfs_t)
+}
+
+if (use_samba_home_dirs) {
+r_dir_file($1_lpr_t, cifs_t)
+}
+
+# Read and write shared files in the spool directory.
+allow $1_lpr_t print_spool_t:file rw_file_perms;
+
+# lpr can run in lightweight mode, without a local print spooler. If the
+# lpd policy is present, grant some permissions for this domain and the lpd
+# domain to interact.
+ifdef(`lpd.te', `
+allow $1_lpr_t { var_t var_run_t }:dir search;
+allow $1_lpr_t lpd_var_run_t:dir search;
+allow $1_lpr_t lpd_var_run_t:sock_file write;
+
+# Allow lpd to read, rename, and unlink spool files.
+allow lpd_t $1_print_spool_t:file r_file_perms;
+allow lpd_t $1_print_spool_t:file link_file_perms;
+
+# Connect to lpd via a Unix domain socket.
+allow $1_lpr_t printer_t:sock_file rw_file_perms;
+can_unix_connect($1_lpr_t, lpd_t)
+dontaudit $1_lpr_t $1_t:unix_stream_socket { read write };
+
+# Connect to lpd via a TCP socket.
+can_tcp_connect($1_lpr_t, lpd_t)
+
+allow $1_lpr_t fs_t:filesystem getattr;
+# Send SIGHUP to lpd.
+allow $1_lpr_t lpd_t:process signal;
+
+')dnl end if lpd.te
+
+ifdef(`xdm.te', `
+allow $1_lpr_t xdm_t:fd use;
+allow $1_lpr_t xdm_t:fifo_file write;
+')
+
+ifdef(`cups.te', `
+allow { $1_lpr_t $1_t } cupsd_etc_t:dir search;
+allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read };
+can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
+')dnl end ifdef cups.te
+
+ifdef(`hide_broken_symptoms', `
+# thunderbird causes these
+dontaudit $1_lpr_t $1_t:tcp_socket { read write };
+dontaudit $1_lpr_t { $1_home_t $1_tmp_t }:file write;
+')
+
+')dnl end macro definition
+
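Review bot: L28113–L28114 hard-code `sysadm_lpr_t` inside a per-user macro, so every `lpr_domain(user)` expansion grants the administrator's lpr domain read access to that user's home files, and duplicates the $1_lpr_t rules on L28115–L28116 when $1 is sysadm. If the intent is to let root print other users' files, that belongs in a comment, e.g. `# sysadm_lpr_t may read any user's home so the administrator can print on their behalf`; otherwise the two lines should go. These lines also rely on sysadm_lpr_t already being declared when the macro is first expanded for a non-sysadm user, which I cannot confirm from this hunk. L28080 could use `self` as the target instead of repeating `$1_lpr_t`, matching L28082.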
diff --git a/strict/macros/program/mount_macros.te b/strict/macros/program/mount_macros.te
new file mode 100644
index 0000000..0aa0577
--- /dev/null
+++ b/strict/macros/program/mount_macros.te
@@ -0,0 +1,90 @@
+#
+# Macros for mount
+#
+# Author:  Brian May <bam at snoopy.apana.org.au>
+# Extended by Russell Coker <russell at coker.com.au>
+#
+
+#
+# mount_domain(domain_prefix,dst_domain_prefix)
+#
+# Define a derived domain for the mount program for anyone.
+#
+define(`mount_domain', `
+#
+# Rules for the $2_t domain, used by the $1_t domain.
+#
+# $2_t is the domain for the mount process.
+#
+# This macro will not be included by all users and it may be included twice if
+# called from other macros, so we need protection for this do not call this
+# macro if $2_def is defined
+define(`$2_def', `')
+#
+type $2_t, domain, privlog $3, nscd_client_domain;
+
+allow $2_t sysfs_t:dir search;
+
+uses_shlib($2_t)
+
+role $1_r types $2_t;
+# when mount is run by $1 goto $2_t domain
+domain_auto_trans($1_t, mount_exec_t, $2_t)
+
+allow $2_t proc_t:dir search;
+allow $2_t proc_t:file { getattr read };
+
+#
+# Allow mounting of cdrom by user
+#
+allow $2_t device_type:blk_file getattr;
+
+tmp_domain($2)
+
+# Use capabilities.
+allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
+
+allow $2_t self:unix_stream_socket create_socket_perms;
+
+# Create and modify /etc/mtab.
+file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)
+
+allow $2_t etc_t:file { getattr read };
+
+read_locale($2_t)
+
+allow $2_t home_root_t:dir search;
+allow $2_t $1_home_dir_t:dir search;
+allow $2_t noexattrfile:filesystem { mount unmount };
+allow $2_t fs_t:filesystem getattr;
+allow $2_t removable_t:filesystem { mount unmount };
+allow $2_t mnt_t:dir { mounton search };
+allow $2_t sbin_t:dir search;
+
+# Access the terminal.
+access_terminal($2_t, $1)
+ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
+allow $2_t var_t:dir search;
+allow $2_t var_run_t:dir search;
+
+ifdef(`distro_redhat',`
+ifdef(`pamconsole.te',`
+r_dir_file($2_t,pam_var_console_t)
+# mount config by default sets fscontext=removable_t
+allow $2_t dosfs_t:filesystem relabelfrom;
+') dnl end pamconsole.te
+') dnl end distro_redhat
+') dnl end mount_domain
+
+# mount_loopback_privs(domain_prefix,dst_domain_prefix)
+#
+# Add loopback mounting privileges to a particular derived
+# mount domain. 
+#
+define(`mount_loopback_privs',`
+type $1_$2_source_t, file_type, sysadmfile, $1_file_type;
+allow $1_t $1_$2_source_t:file create_file_perms;
+allow $1_t $1_$2_source_t:file { relabelto relabelfrom };
+allow $2_t $1_$2_source_t:file rw_file_perms;
+')
+
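Review bot: The header on L28188 documents `mount_domain(domain_prefix,dst_domain_prefix)` but the type declaration on L28203 consumes an undocumented third argument `$3` appended after privlog. Update the header to `# mount_domain(domain_prefix,dst_domain_prefix,extra_attributes)` and note that $3 must begin with a comma when supplied. The comment on L28198–L28200 describes a `$2_def` guard that the macro sets on L28201 but never checks itself, so callers are expected to test `ifdef(`$2_def', ...)` before invoking it; saying that explicitly would avoid duplicate type declarations.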
diff --git a/strict/macros/program/mozilla_macros.te b/strict/macros/program/mozilla_macros.te
new file mode 100644
index 0000000..c53ab4f
--- /dev/null
+++ b/strict/macros/program/mozilla_macros.te
@@ -0,0 +1,137 @@
+#
+# Macros for mozilla/mozilla (or other browser) domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser 
+#
+
+#
+# mozilla_domain(domain_prefix)
+#
+# Define a derived domain for the mozilla/mozilla program when executed by
+# a user domain.  
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/mozilla.te. 
+#
+define(`mozilla_domain',`
+x_client_domain($1, mozilla, `, web_client_domain, privlog, transitionbool')
+
+# Configuration
+home_domain($1, mozilla)
+
+# Allow mozilla to browse files
+file_browse_domain($1_mozilla_t)
+
+allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
+
+# Unrestricted inheritance from the caller.
+allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
+allow $1_mozilla_t $1_t:process signull;
+
+# Set resource limits and scheduling info.
+allow $1_mozilla_t self:process { setrlimit setsched };
+
+allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
+allow $1_mozilla_t var_lib_t:file { getattr read };
+allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
+allow $1_mozilla_t self:socket create_socket_perms;
+allow $1_mozilla_t self:file { getattr read };
+
+# for bash
+allow $1_mozilla_t device_t:dir r_dir_perms;
+allow $1_mozilla_t devpts_t:dir r_dir_perms;
+allow $1_mozilla_t proc_t:file { getattr read };
+r_dir_file($1_mozilla_t, proc_net_t)
+
+allow $1_mozilla_t { var_t var_lib_t }:dir search;
+
+# interacting with gstreamer
+r_dir_file($1_mozilla_t, var_t)
+
+# Write files to tmp
+tmp_domain($1_mozilla)
+
+# Execute downloaded programs.
+can_exec($1_mozilla_t, $1_mozilla_tmp_t)
+
+# Use printer
+ifdef(`lpr.te', `
+domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
+
+# Print document
+allow $1_lpr_t $1_mozilla_tmp_t:file rw_file_perms;
+
+# Suppress history.fop denial
+dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
+
+dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
+dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
+')
+
+# ORBit sockets
+file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t)
+can_unix_connect($1_t, $1_mozilla_t)
+allow $1_t $1_mozilla_tmp_t:sock_file write;
+allow $1_mozilla_t $1_tmp_t:file { read write lock };
+allow $1_mozilla_t $1_tmp_t:sock_file { read write };
+dontaudit $1_mozilla_t $1_tmp_t:dir setattr;
+
+# Allow mozilla to read user home content
+if (mozilla_readhome || mozilla_writehome) {
+r_dir_file($1_mozilla_t, $1_home_t)
+} else {
+dontaudit $1_mozilla_t $1_home_t:dir setattr;
+dontaudit $1_mozilla_t $1_home_t:file setattr;
+}
+
+if (mozilla_writehome) {
+file_type_auto_trans($1_mozilla_t, $1_home_t, $1_mozilla_home_t)
+allow $1_mozilla_t $1_home_t:dir setattr;
+allow $1_mozilla_t $1_home_t:{ file lnk_file } rw_file_perms;
+} dnl end if writehome
+
+allow $1_mozilla_t $1_t:unix_stream_socket connectto;
+allow $1_mozilla_t sysctl_net_t:dir search;
+allow $1_mozilla_t sysctl_t:dir search;
+ifdef(`cups.te', `
+allow $1_mozilla_t cupsd_etc_t:dir search;
+allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
+')
+allow $1_mozilla_t $1_t:tcp_socket { read write };
+
+allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
+dontaudit $1_mozilla_t port_type:tcp_socket name_bind;
+dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
+# Mozilla tries to delete .fonts.cache-1
+dontaudit $1_mozilla_t $1_home_t:file unlink;
+allow $1_mozilla_t self:sem create_sem_perms;
+
+# Java plugin
+ifdef(`java.te', `
+javaplugin_domain($1_mozilla, $1)
+')
+
+# Mplayer plugin
+ifdef(`mplayer.te', `
+domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
+
+# Read mozilla content in /tmp
+r_dir_file($1_mplayer_t, $1_mozilla_tmp_t);
+
+# FIXME: why does it need this?
+dontaudit $1_mplayer_t $1_mozilla_home_t:file write;
+allow $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
+')dnl end if mplayer.te  
+
+if (allow_execmem) {
+allow $1_mozilla_t self:process { execmem };
+}
+if (allow_execmod) {
+allow $1_mozilla_t texrel_shlib_t:file execmod;
+}
+dbusd_client(system, $1_mozilla)
+
+')dnl end mozilla macro
+
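Review bot: L28332 `can_exec($1_mozilla_t, $1_mozilla_tmp_t)` unconditionally lets the browser execute files it has just written under its own tmp type (created through tmp_domain on L28329), whereas the comparable execmem and execmod grants on L28403–L28408 are gated by booleans. If running downloaded programs is a deliberate default it should be stated, e.g. `# Execute downloaded programs (unconditional: the browser may run anything it saved to $1_mozilla_tmp_t)`; otherwise consider guarding it with a boolean the way execmem is. L28396 terminates a macro invocation with `;`, which the rest of this file does not do; I cannot tell from the hunk whether the resulting stray semicolon is accepted by checkpolicy.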
diff --git a/strict/macros/program/mplayer_macros.te b/strict/macros/program/mplayer_macros.te
new file mode 100644
index 0000000..323edca
--- /dev/null
+++ b/strict/macros/program/mplayer_macros.te
@@ -0,0 +1,125 @@
+#
+# Macros for mplayer
+#
+# Author: Ivan Gyurdiev <ivg2 at cornell.edu>
+#
+# mplayer_domains(user) declares domains for mplayer, gmplayer,
+# and mencoder
+
+##############################################
+#    mplayer_common(user, mplayer domain)    #
+##############################################
+
+define(`mplayer_common',`
+
+# Read global config
+r_dir_file($1_$2_t, mplayer_etc_t)
+
+# Read data in /usr/share (fonts, icons..)
+r_dir_file($1_$2_t, usr_t)
+
+# Read /proc files and directories
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+allow $1_$2_t proc_t:dir search;
+allow $1_$2_t proc_t:file { getattr read };
+
+# Sysctl on kernel version 
+read_sysctl($1_$2_t)
+
+# Allow ps, shared libs, locale, terminal access
+can_ps($1_t, $1_$2_t)
+uses_shlib($1_$2_t)
+read_locale($1_$2_t)
+access_terminal($1_$2_t, $1)
+
+# Required for win32 binary loader 
+allow $1_$2_t zero_device_t:chr_file { read write execute };
+if (allow_execmem) {
+allow $1_$2_t self:process execmem;
+}
+
+if (allow_execmod) {
+allow $1_$2_t zero_device_t:chr_file execmod;
+allow $1_$2_t texrel_shlib_t:file execmod;
+}
+
+# Access to DVD/CD/V4L
+allow $1_$2_t device_t:dir r_dir_perms;
+allow $1_$2_t device_t:lnk_file { getattr read };
+allow $1_$2_t removable_device_t:blk_file { getattr read };
+allow $1_$2_t v4l_device_t:chr_file { getattr read };
+
+# Legacy domain issues
+if (allow_mplayer_execstack) {
+legacy_domain($1_$2)
+allow $1_$2_t lib_t:file execute;
+allow $1_$2_t locale_t:file execute;
+allow $1_$2_t sound_device_t:chr_file execute;
+}
+')
+
+############################
+#  mplayer_domain(user)    #
+############################
+
+define(`mplayer_domain',`
+
+# Derive from X client domain
+x_client_domain($1, `mplayer', `')
+
+# Mplayer configuration here
+home_domain($1, mplayer)
+
+# Allow mplayer to browse files
+file_browse_domain($1_mplayer_t)
+
+# Mplayer common stuff
+mplayer_common($1, mplayer)
+
+# Audio
+allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
+
+# RTC clock 
+allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
+
+# Read home directory content
+r_dir_file($1_mplayer_t, $1_home_t);
+
+# Legacy domain issues
+if (allow_mplayer_execstack) {
+allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
+}
+
+') dnl end mplayer_domain
+
+############################
+#  mencoder_domain(user)   #
+############################
+
+define(`mencoder_domain',`
+
+# FIXME: privhome temporarily removed...
+type $1_mencoder_t, domain;
+
+# Transition
+domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
+can_exec($1_mencoder_t, mencoder_exec_t)
+role $1_r types $1_mencoder_t;
+
+# Read home config
+home_domain_access($1_mencoder_t, $1, mplayer)
+
+# Mplayer common stuff
+mplayer_common($1, mencoder)
+
+') dnl end mencoder_domain
+
+#############################
+#  mplayer_domains(user)    #
+#############################
+
+define(`mplayer_domains', `
+mplayer_domain($1)
+mencoder_domain($1)
+') dnl end mplayer_domains
+
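Review bot: The file header on L28424–L28425 says `mplayer_domains(user)` declares domains for mplayer, gmplayer and mencoder, but the macro on L28539–L28542 only invokes `mplayer_domain` and `mencoder_domain`, and no gmplayer domain appears in this file. Change the comment to `# mplayer_domains(user) declares domains for mplayer and mencoder` or add the missing definition. L28454 grants `execute` on zero_device_t unconditionally for the win32 loader while the execmod on the same device (L28460) is boolean-gated; a comment on why the execute half is not gated would help reviewers.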
diff --git a/strict/macros/program/mta_macros.te b/strict/macros/program/mta_macros.te
new file mode 100644
index 0000000..6778d6e
--- /dev/null
+++ b/strict/macros/program/mta_macros.te
@@ -0,0 +1,120 @@
+# Macros for MTA domains.
+#
+
+#
+# Author:   Russell Coker <russell at coker.com.au>
+# Based on the work of: Stephen Smalley <sds at epoch.ncsc.mil>
+#                       Timothy Fraser 
+#
+
+#
+# mail_domain(domain_prefix)
+#
+# Define a derived domain for the sendmail program when executed by
+# a user domain to send outgoing mail.  These domains are separate and
+# independent of the domain used for the sendmail daemon process.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/mta.te. 
+#
+undefine(`mail_domain')
+define(`mail_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain;
+
+ifdef(`sendmail.te', `
+sendmail_user_domain($1)
+')
+
+can_exec($1_mail_t, sendmail_exec_t)
+allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
+
+# The user role is authorized for this domain.
+role $1_r types $1_mail_t;
+
+uses_shlib($1_mail_t)
+can_network_client_tcp($1_mail_t)
+can_resolve($1_mail_t)
+can_ypbind($1_mail_t)
+allow $1_mail_t self:unix_dgram_socket create_socket_perms;
+allow $1_mail_t self:unix_stream_socket create_socket_perms;
+
+read_locale($1_mail_t)
+read_sysctl($1_mail_t)
+allow $1_mail_t device_t:dir search;
+allow $1_mail_t { var_t var_spool_t }:dir search;
+allow $1_mail_t self:process { fork signal_perms setrlimit };
+allow $1_mail_t sbin_t:dir search;
+
+# It wants to check for nscd
+dontaudit $1_mail_t var_run_t:dir search;
+
+# Use capabilities
+allow $1_mail_t self:capability { setuid setgid chown };
+
+# Execute procmail.
+can_exec($1_mail_t, bin_t)
+ifdef(`procmail.te',`
+can_exec($1_mail_t, procmail_exec_t)')
+
+ifelse(`$1', `system', `
+# Transition from a system domain to the derived domain.
+domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
+allow privmail sendmail_exec_t:lnk_file { getattr read };
+
+ifdef(`crond.te', `
+# Read cron temporary files.
+allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
+allow mta_user_agent system_crond_tmp_t:file { read getattr };
+')
+allow system_mail_t initrc_devpts_t:chr_file { read write getattr };
+
+', `
+# For when the user wants to send mail via port 25 localhost
+can_tcp_connect($1_t, mail_server_domain)
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
+allow $1_t sendmail_exec_t:lnk_file { getattr read };
+
+# Read user temporary files.
+allow $1_mail_t $1_tmp_t:file r_file_perms;
+dontaudit $1_mail_t $1_tmp_t:file append;
+ifdef(`postfix.te', `
+# postfix seems to need write access if the file handle is opened read/write
+allow $1_mail_t $1_tmp_t:file write;
+')dnl end if postfix
+
+allow mta_user_agent $1_tmp_t:file { read getattr };
+
+# Write to the user domain tty.
+access_terminal(mta_user_agent, $1)
+access_terminal($1_mail_t, $1)
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
+allow $1_mail_t privfd:fd use;
+
+# Create dead.letter in user home directories.
+file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
+
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_mail_t, cifs_t)
+}
+
+# if you do not want to allow dead.letter then use the following instead
+#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
+#allow $1_mail_t $1_home_t:file r_file_perms;
+
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
+')dnl end if system
+
+allow $1_mail_t etc_t:file { getattr read };
+ifdef(`qmail.te', `
+allow $1_mail_t qmail_etc_t:dir search;
+allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
+')dnl end if qmail
+
+')
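Review bot: L28605 `can_exec($1_mail_t, bin_t)` is commented `# Execute procmail.` but grants execution of every bin_t program from the mail domain, while the narrower procmail_exec_t rule follows on L28607. Either the comment should name what else under bin_t the MTA client needs to run, or the bin_t grant should be reconsidered. L28623 `can_tcp_connect($1_t, mail_server_domain)` grants the calling user domain, not $1_mail_t, a connection to mail servers; the comment on L28622 explains it, but it reads as out of place inside `mail_domain` and might be better placed with the user domain rules.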
diff --git a/strict/macros/program/newrole_macros.te b/strict/macros/program/newrole_macros.te
new file mode 100644
index 0000000..b19e2de
--- /dev/null
+++ b/strict/macros/program/newrole_macros.te
@@ -0,0 +1,96 @@
+# Authors:  Anthony Colatrella (NSA)    Stephen Smalley <sds at epoch.ncsc.mil>
+#           Russell Coker <russell at coker.com.au>
+
+# This macro defines the rules for a newrole like program, it is used by
+# newrole.te and sudo.te, but may be used by other policy at some later time.
+
+define(`newrole_domain', `
+# Rules for the $1_t domain.
+#
+# $1_t is the domain for the program.
+# $1_exec_t is the type of the executable.
+#
+type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
+in_user_role($1_t)
+role sysadm_r types $1_t;
+
+general_domain_access($1_t);
+
+uses_shlib($1_t)
+read_locale($1_t)
+read_sysctl($1_t)
+
+# for when the user types "exec newrole" at the command line
+allow $1_t privfd:process sigchld;
+
+# Inherit descriptors from the current session.
+allow $1_t privfd:fd use;
+
+# Execute /sbin/pwdb_chkpwd to check the password.
+allow $1_t sbin_t:dir r_dir_perms;
+
+# Execute shells
+allow $1_t bin_t:dir r_dir_perms;
+allow $1_t bin_t:lnk_file read;
+allow $1_t shell_exec_t:file r_file_perms;
+
+allow $1_t urandom_device_t:chr_file { getattr read };
+
+# Allow $1_t to transition to user domains.
+domain_trans($1_t, shell_exec_t, unpriv_userdomain)
+if(!secure_mode)
+{
+	# if we are not in secure mode then we can transition to sysadm_t
+	domain_trans($1_t, shell_exec_t, sysadm_t)
+}
+
+can_setexec($1_t)
+
+allow $1_t autofs_t:dir search;
+
+# Use capabilities.
+allow $1_t self:capability { setuid setgid net_bind_service dac_override };
+
+# Read the devpts root directory.
+allow $1_t devpts_t:dir r_dir_perms;
+
+# Read the /etc/security/default_type file
+r_dir_file($1_t, default_context_t)
+r_dir_file($1_t, selinux_config_t)
+allow $1_t etc_t:file r_file_perms;
+
+# Read /var.
+allow $1_t var_t:dir r_dir_perms;
+allow $1_t var_t:notdevfile_class_set r_file_perms;
+
+# Read /dev directories and any symbolic links.
+allow $1_t device_t:dir r_dir_perms;
+
+# Relabel terminals.
+allow $1_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
+
+# Access terminals.
+allow $1_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
+
+ifdef(`distro_debian', `
+# for /etc/alternatives
+allow $1_t etc_t:lnk_file read;
+')
+
+#
+# Allow newrole to obtain contexts to relabel TTYs
+#
+can_getsecurity($1_t)
+
+allow $1_t fs_t:filesystem getattr;
+
+# for some PAM modules and for cwd
+dontaudit $1_t { home_root_t home_type }:dir search;
+
+allow $1_t proc_t:dir search;
+allow $1_t proc_t:file { getattr read };
+
+# for when the network connection is killed
+dontaudit unpriv_userdomain $1_t:process signal;
+')
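Review bot: The type declaration on L28688 gives every newrole_domain user (newrole and sudo per L28679–L28680) the mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade and mlsprocsetsl attributes, yet neither the header nor the rule explains why a role-change helper needs MLS file override; the macro's `$2` extra-attribute argument is also undocumented. Proposed header addition: `# newrole_domain(domain_prefix, extra_attributes) - $2 is appended to the type declaration and must start with a comma`. A one-line reason above L28688 for the MLS attributes would make later tightening safer. L28692 ends a macro call with `;`, unlike the rest of the file.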
diff --git a/strict/macros/program/resmgrd_macros.te b/strict/macros/program/resmgrd_macros.te
new file mode 100644
index 0000000..ec0ac60
--- /dev/null
+++ b/strict/macros/program/resmgrd_macros.te
@@ -0,0 +1,11 @@
+# Macro for resmgrd
+
+define(`can_resmgrd_connect', `
+ifdef(`resmgrd.te', ` 
+allow $1 resmgrd_t:unix_stream_socket connectto;
+allow $1 { var_t var_run_t }:dir search;
+allow $1 resmgrd_var_run_t:sock_file write;
+allow $1 resmgrd_t:fd use;
+')
+')
+
diff --git a/strict/macros/program/rhgb_macros.te b/strict/macros/program/rhgb_macros.te
new file mode 100644
index 0000000..9700fba
--- /dev/null
+++ b/strict/macros/program/rhgb_macros.te
@@ -0,0 +1,8 @@
+
+define(`rhgb_domain', `
+ifdef(`rhgb.te', `
+allow $1 rhgb_t:process sigchld;
+allow $1 rhgb_t:fd use;
+allow $1 rhgb_t:fifo_file { read write };
+')dnl end ifdef
+')
diff --git a/strict/macros/program/rssh_macros.te b/strict/macros/program/rssh_macros.te
new file mode 100644
index 0000000..33fbdb5
--- /dev/null
+++ b/strict/macros/program/rssh_macros.te
@@ -0,0 +1,58 @@
+#
+# Macros for Rssh domains
+#
+# Author: Colin Walters <walters at verbum.org>
+#
+
+#
+# rssh_domain(domain_prefix)
+#
+# Define a specific rssh domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/rssh.te. 
+#
+undefine(`rssh_domain')
+ifdef(`rssh.te', `
+define(`rssh_domain',`
+type rssh_$1_t, domain, userdomain, privlog, privfd;
+role rssh_$1_r types rssh_$1_t;
+allow system_r rssh_$1_r;
+
+type rssh_$1_rw_t, file_type, sysadmfile, $1_file_type;
+type rssh_$1_ro_t, file_type, sysadmfile, $1_file_type;
+
+general_domain_access(rssh_$1_t);
+uses_shlib(rssh_$1_t);
+base_file_read_access(rssh_$1_t);
+allow rssh_$1_t var_t:dir r_dir_perms;
+r_dir_file(rssh_$1_t, etc_t);
+allow rssh_$1_t etc_runtime_t:file { getattr read };
+r_dir_file(rssh_$1_t, locale_t);
+can_exec(rssh_$1_t, bin_t);
+
+allow rssh_$1_t proc_t:dir { getattr search };
+allow rssh_$1_t proc_t:lnk_file { getattr read };
+
+r_dir_file(rssh_$1_t, rssh_$1_ro_t);
+create_dir_file(rssh_$1_t, rssh_$1_rw_t);
+
+can_create_pty(rssh_$1, `, userpty_type, user_tty_type')
+# Use the type when relabeling pty devices.
+type_change rssh_$1_t server_pty:chr_file rssh_$1_devpts_t;
+
+ifdef(`ssh.te',`
+allow rssh_$1_t sshd_t:fd use;
+allow rssh_$1_t sshd_t:tcp_socket rw_stream_socket_perms;
+allow rssh_$1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
+# For reading /home/user/.ssh
+r_dir_file(sshd_t, rssh_$1_ro_t);
+domain_trans(sshd_t, rssh_exec_t, rssh_$1_t);
+')
+')
+
+', `
+
+define(`rssh_domain',`')
+
+')
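Review bot: Macro invocations on L28833–L28840, L28845–L28846 and L28857–L28858 are terminated with `;`, which no other macro file in this commit does, so each expansion leaves a stray semicolon; I cannot confirm from the hunk whether checkpolicy tolerates that, but dropping them keeps the file consistent. L28858 uses `domain_trans` rather than `domain_auto_trans` from sshd_t, so entry into rssh_$1_t only happens when sshd explicitly sets the exec context; the header on L28816–L28818 should say so, e.g. `# sshd must explicitly request the transition into rssh_$1_t (domain_trans, no automatic transition)`.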
diff --git a/strict/macros/program/run_program_macros.te b/strict/macros/program/run_program_macros.te
new file mode 100644
index 0000000..c98bbee
--- /dev/null
+++ b/strict/macros/program/run_program_macros.te
@@ -0,0 +1,73 @@
+
+# $1 is the source domain (or domains), $2 is the source role (or roles) and $3
+# is the base name for the domain to run.  $1 is normally sysadm_t, and $2 is
+# normally sysadm_r.  $4 is the type of program to run and $5 is the domain to
+# transition to.
+# sample usage:
+# run_program(sysadm_t, sysadm_r, init, etc_t, initrc_t)
+#
+# if you have several users who run the same run_init type program for
+# different purposes (think of a run_db program used by several database
+# administrators to start several databases) then you can list all the source
+# domains in $1, all the source roles in $2, but you may not want to list all
+# types of programs to run in $4 and target domains in $5 (as that may permit
+# entering a domain from the wrong type).  In such a situation just specify
+# one value for each of $4 and $5 and have some rules such as the following:
+# domain_trans(run_whatever_t, whatever_exec_t, whatever_t)
+
+define(`run_program', `
+type run_$3_exec_t, file_type, exec_type, sysadmfile;
+
+# domain for program to run in, needs to change role (priv_system_role), change
+# identity to system_u (privuser), log failures to syslog (privlog) and
+# authenticate users
+type run_$3_t, domain, priv_system_role, privuser, privlog;
+domain_auto_trans($1, run_$3_exec_t, run_$3_t)
+role $2 types run_$3_t;
+
+domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t)
+dontaudit run_$3_t shadow_t:file getattr;
+
+# for utmp
+allow run_$3_t initrc_var_run_t:file rw_file_perms;
+allow run_$3_t admin_tty_type:chr_file rw_file_perms;
+
+dontaudit run_$3_t devpts_t:dir { getattr read };
+dontaudit run_$3_t device_t:dir read;
+
+# for auth_chkpwd
+dontaudit run_$3_t shadow_t:file read;
+allow run_$3_t self:process { fork sigchld };
+allow run_$3_t self:fifo_file rw_file_perms;
+allow run_$3_t self:capability setuid;
+allow run_$3_t self:lnk_file read;
+
+# often the administrator runs such programs from a directory that is owned
+# by a different user or has restrictive SE permissions, do not want to audit
+# the failed access to the current directory
+dontaudit run_$3_t file_type:dir search;
+dontaudit run_$3_t self:capability { dac_override dac_read_search };
+
+allow run_$3_t bin_t:lnk_file read;
+can_exec(run_$3_t, { bin_t shell_exec_t })
+ifdef(`chkpwd.te', `
+can_exec(run_$3_t, chkpwd_exec_t)
+')
+
+domain_trans(run_$3_t, $4, $5)
+can_setexec(run_$3_t)
+
+allow run_$3_t privfd:fd use;
+uses_shlib(run_$3_t)
+allow run_$3_t lib_t:file { getattr read };
+can_getsecurity(run_$3_t)
+r_dir_file(run_$3_t,selinux_config_t)
+r_dir_file(run_$3_t,default_context_t)
+allow run_$3_t self:unix_stream_socket create_socket_perms;
+allow run_$3_t self:unix_dgram_socket create_socket_perms;
+allow run_$3_t etc_t:file { getattr read };
+read_locale(run_$3_t)
+allow run_$3_t fs_t:filesystem getattr;
+allow run_$3_t { bin_t sbin_t }:dir search;
+dontaudit run_$3_t device_t:dir { getattr search };
+')
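Review bot: `domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t)` near the top of run_program is unconditional, yet `can_exec(run_$3_t, chkpwd_exec_t)` further down is wrapped in `ifdef(`chkpwd.te', ...)`; when chkpwd.te is absent the unguarded line references undeclared types and the build fails, so the transition belongs inside the same ifdef. su_macros.te in this commit has the same pattern, with `domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)` in su_restricted_domain outside its `ifdef(`chkpwd.te'` block. The two `dontaudit run_$3_t shadow_t:file ...` lines can also be merged into `dontaudit run_$3_t shadow_t:file { getattr read };` under the existing `# for auth_chkpwd` comment.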
diff --git a/strict/macros/program/samba_macros.te b/strict/macros/program/samba_macros.te
new file mode 100644
index 0000000..d766784
--- /dev/null
+++ b/strict/macros/program/samba_macros.te
@@ -0,0 +1,30 @@
+#
+# Macros for samba domains.
+#
+
+#
+# Authors:  Dan Walsh <dwalsh at redhat.com>
+#
+
+# 
+# samba_domain(domain_prefix)
+#
+# Define a derived domain for the samba program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/samba.te. 
+#
+undefine(`samba_domain')
+ifdef(`samba.te', `
+define(`samba_domain',`
+if ( samba_enable_home_dirs ) {
+allow smbd_t home_root_t:dir r_dir_perms;
+file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
+dontaudit smbd_t $1_file_type:dir_file_class_set getattr;
+}
+')
+', `
+define(`samba_domain',`')
+
+')dnl end if samba.te
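Review bot: The header says samba_domain defines "a derived domain for the samba program when executed by a user domain", but the body declares no domain at all; it grants the existing `smbd_t` access to the `$1` user's home directory, guarded by the `samba_enable_home_dirs` boolean. Suggested replacement for those two header lines: `# Grant smbd_t access to user domain $1's home directory (new files labelled $1_home_t) when samba_enable_home_dirs is on.` Stating that the boolean is expected to be declared in domains/program/samba.te would also help, since nothing here declares it.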
diff --git a/strict/macros/program/screen_macros.te b/strict/macros/program/screen_macros.te
new file mode 100644
index 0000000..ebfc619
--- /dev/null
+++ b/strict/macros/program/screen_macros.te
@@ -0,0 +1,112 @@
+#
+# Macros for screen domains.
+#
+
+#
+# Author: Russell Coker <russell at coker.com.au>
+# Based on the work of Stephen Smalley <sds at epoch.ncsc.mil>
+# and Timothy Fraser
+#
+
+#
+# screen_domain(domain_prefix)
+#
+# Define a derived domain for the screen program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/screen.te. 
+#
+undefine(`screen_domain')
+ifdef(`screen.te', `
+define(`screen_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_screen_t, domain, privlog, privfd;
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
+
+tmp_domain($1_screen, `', `{ dir file fifo_file }')
+base_file_read_access($1_screen_t)
+# The user role is authorized for this domain.
+role $1_r types $1_screen_t;
+
+uses_shlib($1_screen_t)
+
+# for SSP
+allow $1_screen_t urandom_device_t:chr_file read;
+
+# Revert to the user domain when a shell is executed.
+domain_auto_trans($1_screen_t, { shell_exec_t bin_t }, $1_t)
+domain_auto_trans($1_screen_t, $1_home_t, $1_t)
+if (use_nfs_home_dirs) {
+domain_auto_trans($1_screen_t, nfs_t, $1_t)
+}
+if (use_samba_home_dirs) {
+domain_auto_trans($1_screen_t, cifs_t, $1_t)
+}
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
+
+home_domain_ro($1, screen)
+
+allow $1_screen_t privfd:fd use;
+
+# Write to utmp.
+allow $1_screen_t initrc_var_run_t:file rw_file_perms;
+ifdef(`utempter.te', `
+dontaudit $1_screen_t utempter_exec_t:file execute;
+')
+
+# create pty devices
+can_create_other_pty($1_screen, $1)
+allow $1_screen_t $1_tty_device_t:chr_file rw_file_perms;
+allow $1_screen_t device_t:dir { getattr read };
+
+allow $1_screen_t fs_t:filesystem getattr;
+
+# Create fifo
+allow $1_screen_t var_t:dir search;
+file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir)
+type $1_screen_var_run_t, file_type, sysadmfile, pidfile;
+file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
+
+allow $1_screen_t self:process { fork signal_perms };
+allow $1_t $1_screen_t:process signal;
+allow $1_screen_t $1_t:process signal;
+allow $1_screen_t self:capability { setuid setgid fsetid };
+
+dontaudit $1_screen_t shadow_t:file read;
+
+allow $1_screen_t tmp_t:dir search;
+can_network($1_screen_t)
+can_ypbind($1_screen_t)
+
+# get stats
+allow $1_screen_t proc_t:dir search;
+allow $1_screen_t proc_t:file { getattr read };
+allow $1_screen_t proc_t:lnk_file read;
+allow $1_screen_t etc_t:{ file lnk_file } { read getattr };
+allow $1_screen_t self:dir { search read };
+allow $1_screen_t self:lnk_file read;
+allow $1_screen_t device_t:dir search;
+allow $1_screen_t { home_root_t $1_home_dir_t }:dir search;
+
+# Internal screen networking
+allow $1_screen_t self:fd use;
+allow $1_screen_t self:unix_stream_socket create_socket_perms;
+allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+
+allow $1_screen_t bin_t:dir search;
+allow $1_screen_t bin_t:lnk_file read;
+read_locale($1_screen_t)
+
+dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr;
+')dnl end screen_domain
+
+', `
+
+define(`screen_domain',`')
+
+')
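Review bot: `can_network($1_screen_t)` grants the derived screen domain general network access with no comment, while the only networking the macro otherwise documents is the unix-socket traffic under `# Internal screen networking` and the NIS lookups covered by `can_ypbind`. If screen needs a real network socket for some operation, a comment naming it would justify the grant; otherwise it is a broad privilege for a user-invoked terminal multiplexer and should be narrowed or dropped. The `allow $1_screen_t self:capability { setuid setgid fsetid };` line would likewise benefit from a one-line reason, since capabilities on a user-derived domain are the first thing a policy audit will question.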
diff --git a/strict/macros/program/sendmail_macros.te b/strict/macros/program/sendmail_macros.te
new file mode 100644
index 0000000..540e0a2
--- /dev/null
+++ b/strict/macros/program/sendmail_macros.te
@@ -0,0 +1,56 @@
+#
+# Macros for sendmail domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser 
+#           Russell Coker <russell at coker.com.au>
+#
+
+#
+# sendmail_user_domain(domain_prefix)
+#
+# Define a derived domain for the sendmail program when executed by
+# a user domain to send outgoing mail.  These domains are separate and
+# independent of the domain used for the sendmail daemon process.
+#
+undefine(`sendmail_user_domain')
+define(`sendmail_user_domain', `
+
+# Use capabilities
+allow $1_mail_t self:capability net_bind_service;
+
+tmp_domain($1_mail)
+
+# Write to /var/spool/mail and /var/spool/mqueue.
+allow $1_mail_t mail_spool_t:dir rw_dir_perms;
+allow $1_mail_t mail_spool_t:file create_file_perms;
+allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
+allow $1_mail_t mqueue_spool_t:file create_file_perms;
+
+# Write to /var/log/sendmail.st
+file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t)
+
+allow $1_mail_t etc_mail_t:dir { getattr search };
+
+allow $1_mail_t { var_t var_spool_t }:dir getattr;
+
+allow $1_mail_t etc_runtime_t:file { getattr read };
+
+# Check available space.
+allow $1_mail_t fs_t:filesystem getattr;
+
+allow $1_mail_t sysctl_kernel_t:dir search;
+
+ifelse(`$1', `sysadm', `
+allow $1_mail_t proc_t:dir { getattr search };
+allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
+dontaudit $1_mail_t proc_net_t:dir search;
+allow $1_mail_t sysctl_kernel_t:file { getattr read };
+allow $1_mail_t etc_runtime_t:file { getattr read };
+', `
+dontaudit $1_mail_t proc_t:dir search;
+dontaudit $1_mail_t sysctl_kernel_t:file read;
+')dnl end if sysadm
+')
+
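Review bot: `allow $1_mail_t etc_runtime_t:file { getattr read };` inside the `ifelse(`$1', `sysadm', ...)` branch duplicates the identical unconditional rule granted earlier in the same macro; drop the copy inside the sysadm branch. Unlike the sibling macro files, `define(`sendmail_user_domain', ...)` is not wrapped in an `ifdef` guard, so it relies on the caller ensuring that `mail_spool_t`, `mqueue_spool_t`, `sendmail_log_t` and `etc_mail_t` are declared; a comment above the define such as `# Callers must guard this with ifdef(`mta.te') or equivalent; the spool and log types are declared elsewhere` would make that expectation explicit.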
diff --git a/strict/macros/program/slocate_macros.te b/strict/macros/program/slocate_macros.te
new file mode 100644
index 0000000..acd6195
--- /dev/null
+++ b/strict/macros/program/slocate_macros.te
@@ -0,0 +1,64 @@
+#
+# Macros for locate domains.
+#
+
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+
+#
+# locate_domain(domain_prefix)
+#
+# Define a derived domain for the locate program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/locate.te. 
+#
+undefine(`locate_domain')
+ifdef(`slocate.te', `
+define(`locate_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_locate_t, domain;
+
+allow $1_locate_t self:process signal;
+
+allow $1_locate_t etc_t:file { getattr read };
+allow $1_locate_t self:unix_stream_socket create_socket_perms;
+r_dir_file($1_locate_t,var_lib_locate_t)
+allow $1_locate_t var_lib_t:dir search;
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, locate_exec_t, $1_locate_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_locate_t;
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `
+allow $1_locate_t $1_gph_t:fd use;
+')
+
+allow $1_locate_t privfd:fd use;
+
+# allow ps to show locate
+can_ps($1_t, $1_locate_t)
+allow $1_t $1_locate_t:process signal;
+
+uses_shlib($1_locate_t)
+access_terminal($1_locate_t, $1)
+
+allow $1_locate_t { home_root_t $1_home_dir_t $1_file_type }:dir { getattr search };
+allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read };
+
+base_file_read_access($1_locate_t)
+r_dir_file($1_locate_t, { etc_t lib_t var_t })
+dontaudit $1_locate_t { fs_type file_type }:dir r_dir_perms;
+dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read };
+')
+
+', `
+
+define(`locate_domain',`')
+
+')
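Review bot: `allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read };` grants read on every file type owned by user `$1`, which looks wider than a locate query needs; the visible intent (together with the dir `{ getattr search }` rule above it) is to let locate check whether a path exists and is visible, which is a stat operation, so `getattr` alone on file and `{ getattr read }` only on lnk_file may suffice. If read on regular files is required, a comment above the line should say why. The `-shadow_t` exclusion in the final dontaudit is deliberate-looking and worth a short comment so it is not removed as a typo, e.g. `# keep shadow_t denials audited`.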
diff --git a/strict/macros/program/spamassassin_macros.te b/strict/macros/program/spamassassin_macros.te
new file mode 100644
index 0000000..2ded42a
--- /dev/null
+++ b/strict/macros/program/spamassassin_macros.te
@@ -0,0 +1,122 @@
+#
+# Macros for spamassassin domains.
+#
+# Author: Colin Walters <walters at verbum.org>
+
+# spamassassin_domain(domain_prefix)
+#
+# Define derived domains for various spamassassin tools when executed
+# by a user domain.
+#
+# The type declarations for the executable types of these programs are
+# provided separately in domains/program/spamassassin.te and
+# domains/program/spamc.te.
+#
+undefine(`spamassassin_domain')
+ifdef(`spamassassin.te', `define(`using_spamassassin', `')')
+ifdef(`spamd.te', `define(`using_spamassassin', `')')
+ifdef(`spamc.te', `define(`using_spamassassin', `')')
+
+ifdef(`using_spamassassin',`
+
+#######
+# Macros used internally in these spamassassin macros.
+#
+
+###
+# Define a domain for a spamassassin-like program (spamc/spamassassin).
+#
+# Note: most of this should really be in a generic macro like
+# base_user_program($1, foo)
+define(`spamassassin_program_domain',`
+type $1_$2_t, domain, privlog;
+domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
+
+role $1_r types $1_$2_t;
+general_domain_access($1_$2_t)
+
+base_file_read_access($1_$2_t)
+r_dir_file($1_$2_t, etc_t)
+ifdef(`sendmail.te', `
+r_dir_file($1_$2_t, etc_mail_t)
+')
+allow $1_$2_t etc_runtime_t:file r_file_perms;
+uses_shlib($1_$2_t)
+read_locale($1_$2_t)
+dontaudit $1_$2_t var_t:dir search;
+allow $1_$2_t $1_home_dir_t:dir r_dir_perms;
+tmp_domain($1_$2)
+allow $1_$2_t privfd:fd use;
+allow $1_$2_t userpty_type:chr_file rw_file_perms;
+') dnl end spamassassin_program_domain
+
+###
+# Give privileges to a domain for accessing ~/.spamassassin
+# and a few other misc things like /dev/random.
+# This is granted to /usr/bin/spamassassin and
+# /usr/sbin/spamd, but NOT spamc (because it does not need it).
+#
+define(`spamassassin_agent_privs',`
+allow $1 home_root_t:dir r_dir_perms;
+file_type_auto_trans($1, $2_home_dir_t, $2_spamassassin_home_t)
+create_dir_file($1, $2_spamassassin_home_t)
+
+allow $1 urandom_device_t:chr_file r_file_perms;
+')
+
+#######
+# Define the main spamassassin macro.  This itself creates a
+# domain for /usr/bin/spamassassin, and also spamc/spamd if
+# applicable.
+#
+define(`spamassassin_domain',`
+spamassassin_program_domain($1, spamassassin)
+
+# For perl libraries.
+allow $1_spamassassin_t lib_t:file rx_file_perms;
+# Ignore perl digging in /proc and /var.
+dontaudit $1_spamassassin_t proc_t:dir search;
+dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search;
+
+# For ~/.spamassassin
+home_domain($1, spamassassin)
+
+spamassassin_agent_privs($1_spamassassin_t, $1)
+
+# set tunable if you have spamassassin do DNS lookups
+if (spamassasin_can_network) {
+can_network($1_spamassassin_t)
+}
+if (spamassasin_can_network && allow_ypbind) {
+uncond_can_ypbind($1_spamassassin_t)
+}
+###
+# Define the domain for /usr/bin/spamc
+#
+ifdef(`spamc.te',`
+spamassassin_program_domain($1, spamc)
+can_network($1_spamc_t)
+can_ypbind($1_spamc_t)
+
+# Allow connecting to a local spamd
+ifdef(`spamd.te',`
+can_tcp_connect($1_spamc_t, spamd_t)
+') dnl endif spamd.te
+') dnl endif spamc.te
+
+###
+# Define the domain for /usr/sbin/spamd
+#
+ifdef(`spamd.te',`
+
+spamassassin_agent_privs(spamd_t, $1)
+
+') dnl endif spamd.te
+
+') dnl end spamassassin_domain
+
+', `
+
+define(`spamassassin_domain',`')
+
+')
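Review bot: The boolean is spelled `spamassasin_can_network` (one s) in both `if (spamassasin_can_network)` and `if (spamassasin_can_network && allow_ypbind)`, while every other identifier in the file uses `spamassassin`; confirm that the declaration in domains/program/spamassassin.te uses the same spelling, since a mismatch fails the build, and the inconsistency is easy to mistype later either way. `spamassassin_agent_privs(spamd_t, $1)` also grants the system-wide spamd daemon create/write access to every user's `~/.spamassassin` via `$2_spamassassin_home_t`; that is presumably intentional, but a comment at the call site saying so would help whoever reviews the daemon policy. Finally, the internal helpers `spamassassin_program_domain` and `spamassassin_agent_privs` are not `undefine`d before definition the way `spamassassin_domain` is.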
diff --git a/strict/macros/program/ssh_agent_macros.te b/strict/macros/program/ssh_agent_macros.te
new file mode 100644
index 0000000..0accc1b
--- /dev/null
+++ b/strict/macros/program/ssh_agent_macros.te
@@ -0,0 +1,117 @@
+#
+# Macros for ssh agent
+#
+
+#
+# Author:  Thomas Bleher <ThomasBleher at gmx.de>
+#
+
+# 
+# ssh_agent_domain(domain_prefix)
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/ssh-agent.te. 
+#
+define(`ssh_agent_domain',`
+# Define a derived domain for the ssh-agent program when executed
+# by a user domain.
+# Derived domain based on the calling user domain and the program.
+type $1_ssh_agent_t, domain, privlog;
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_ssh_agent_t;
+
+allow $1_ssh_agent_t privfd:fd use;
+
+# Write to the user domain tty.
+access_terminal($1_ssh_agent_t, $1)
+
+# Allow the user shell to signal the ssh program.
+allow $1_t $1_ssh_agent_t:process signal;
+# allow ps to show ssh
+can_ps($1_t, $1_ssh_agent_t)
+
+can_ypbind($1_ssh_agent_t)
+if (use_nfs_home_dirs) {
+allow $1_ssh_agent_t autofs_t:dir { search getattr };
+rw_dir_create_file($1_ssh_agent_t, nfs_t)
+}
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_ssh_agent_t, cifs_t)
+}
+
+uses_shlib($1_ssh_agent_t)
+read_locale($1_ssh_agent_t)
+
+allow $1_ssh_agent_t proc_t:dir search;
+dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
+dontaudit $1_ssh_agent_t selinux_config_t:dir search;
+read_sysctl($1_ssh_agent_t)
+
+# Access the ssh temporary files. Should we have an own type here
+# to which only ssh, ssh-agent and ssh-add have access?
+allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms;
+file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t)
+allow $1_ssh_agent_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_ssh_agent_t self:unix_dgram_socket create_socket_perms;
+
+allow $1_ssh_agent_t self:process { fork sigchld setrlimit };
+allow $1_ssh_agent_t self:capability setgid;
+
+# access the random devices
+allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read;
+
+# for ssh-add
+can_unix_connect($1_t, $1_ssh_agent_t)
+
+# transition back to normal privs upon exec
+domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t)
+if (use_nfs_home_dirs) {
+domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
+}
+if (use_samba_home_dirs) {
+domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t)
+}
+allow $1_ssh_agent_t bin_t:dir search;
+
+# allow reading of /usr/bin/X11 (is a symlink)
+allow $1_ssh_agent_t bin_t:lnk_file read;
+
+allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull;
+
+allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search;
+
+allow $1_ssh_t $1_tmp_t:sock_file write;
+allow $1_ssh_t $1_t:unix_stream_socket connectto;
+allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
+
+ifdef(`xdm.te', `
+allow $1_ssh_agent_t xdm_t:fd use;
+allow $1_ssh_agent_t xdm_t:fifo_file { read write };
+
+# kdm: sigchld
+allow $1_ssh_agent_t xdm_t:process sigchld;
+')
+
+#
+# Allow command to ssh-agent > ~/.ssh_agent
+#
+allow $1_ssh_agent_t $1_home_t:file rw_file_perms;
+allow $1_ssh_agent_t $1_tmp_t:file rw_file_perms;
+
+allow $1_ssh_agent_t etc_runtime_t:file { getattr read };
+allow $1_ssh_agent_t etc_t:file { getattr read };
+allow $1_ssh_agent_t lib_t:file { getattr read };
+
+allow $1_ssh_agent_t self:dir search;
+allow $1_ssh_agent_t self:file { getattr read };
+
+# Allow the ssh program to communicate with ssh-agent.
+allow $1_ssh_t $1_tmp_t:sock_file write;
+allow $1_ssh_t $1_t:unix_stream_socket connectto;
+allow $1_ssh_t sshd_t:unix_stream_socket connectto;
+')dnl end if ssh_agent
+
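Review bot: `allow $1_ssh_t $1_tmp_t:sock_file write;` and `allow $1_ssh_t $1_t:unix_stream_socket connectto;` appear twice in ssh_agent_domain, once just above the `ifdef(`xdm.te'` block and again under `# Allow the ssh program to communicate with ssh-agent.`; drop the first pair. Those rules and `allow $1_ssh_t sshd_t:unix_stream_socket connectto;` target `$1_ssh_t` and `sshd_t`, which this macro does not declare, so it only expands cleanly when invoked from ssh_domain as ssh_macros.te in this commit does. Unlike its siblings the file has no `undefine`/`ifdef(`ssh-agent.te'` guard, so a comment above the define such as `# Must be invoked from within ssh_domain(); relies on $1_ssh_t and sshd_t being declared` would record that dependency.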
diff --git a/strict/macros/program/ssh_macros.te b/strict/macros/program/ssh_macros.te
new file mode 100644
index 0000000..473b273
--- /dev/null
+++ b/strict/macros/program/ssh_macros.te
@@ -0,0 +1,171 @@
+#
+# Macros for ssh domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil>
+#           Russell Coker <russell at coker.com.au>
+#           Thomas Bleher <ThomasBleher at gmx.de>
+#
+
+# 
+# ssh_domain(domain_prefix)
+#
+# Define a derived domain for the ssh program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/ssh.te. 
+#
+undefine(`ssh_domain')
+ifdef(`ssh.te', `
+define(`ssh_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_ssh_t, domain, privlog, nscd_client_domain;
+type $1_home_ssh_t, file_type, $1_file_type, sysadmfile;
+
+allow $1_ssh_t autofs_t:dir { search getattr };
+if (use_nfs_home_dirs) {
+create_dir_file($1_ssh_t, nfs_t)
+}
+if (use_samba_home_dirs) {
+create_dir_file($1_ssh_t, cifs_t)
+}
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_ssh_t;
+
+# Grant permissions within the domain.
+general_domain_access($1_ssh_t)
+
+# Use descriptors created by sshd
+allow $1_ssh_t privfd:fd use;
+
+uses_shlib($1_ssh_t)
+read_locale($1_ssh_t)
+
+# Get attributes of file systems.
+allow $1_ssh_t fs_type:filesystem getattr;
+
+base_file_read_access($1_ssh_t)
+
+# Read /var.
+allow $1_ssh_t var_t:dir r_dir_perms;
+allow $1_ssh_t var_t:notdevfile_class_set r_file_perms;
+
+# Read /var/run, /var/log.
+allow $1_ssh_t var_run_t:dir r_dir_perms;
+allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms;
+allow $1_ssh_t var_log_t:dir r_dir_perms;
+allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms;
+
+# Read /etc.
+allow $1_ssh_t etc_t:dir r_dir_perms;
+allow $1_ssh_t etc_t:notdevfile_class_set r_file_perms;
+allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms;
+
+# Read /dev directories and any symbolic links.
+allow $1_ssh_t device_t:dir r_dir_perms;
+allow $1_ssh_t device_t:lnk_file r_file_perms;
+
+# Read /dev/urandom.
+allow $1_ssh_t urandom_device_t:chr_file r_file_perms;
+
+# Read and write /dev/null.
+allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms;
+
+# Grant permissions needed to create TCP and UDP sockets and
+# to access the network.
+can_network_client_tcp($1_ssh_t)
+can_resolve($1_ssh_t)
+can_ypbind($1_ssh_t)
+can_kerberos($1_ssh_t)
+
+# for port forwarding
+if (user_tcp_server) {
+allow $1_ssh_t port_t:tcp_socket name_bind;
+}
+
+# Use capabilities.
+allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
+
+# run helper programs - needed eg for x11-ssh-askpass
+can_exec($1_ssh_t, { shell_exec_t bin_t })
+
+# Read the ssh key file.
+allow $1_ssh_t sshd_key_t:file r_file_perms;
+
+# Access the ssh temporary files.
+file_type_auto_trans($1_ssh_t, tmp_t, sshd_tmp_t)
+allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
+
+# for rsync
+allow $1_ssh_t $1_t:unix_stream_socket rw_socket_perms;
+
+# Access the users .ssh directory.
+file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir)
+file_type_auto_trans($1_ssh_t, $1_home_dir_t, $1_home_ssh_t, sock_file)
+allow $1_t $1_home_ssh_t:sock_file create_file_perms;
+allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:file create_file_perms;
+allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:lnk_file { getattr read };
+dontaudit $1_ssh_t $1_home_t:dir { getattr search };
+r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t)
+rw_dir_create_file($1_t, $1_home_ssh_t)
+
+# for /bin/sh used to execute xauth
+dontaudit $1_ssh_t proc_t:dir search;
+dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
+
+# Write to the user domain tty.
+access_terminal($1_ssh_t, $1)
+
+# Allow the user shell to signal the ssh program.
+allow $1_t $1_ssh_t:process signal;
+# allow ps to show ssh
+can_ps($1_t, $1_ssh_t)
+
+ifdef(`xserver.te', `
+# Communicate with the X server.
+ifdef(`startx.te', `
+can_unix_connect($1_ssh_t, $1_xserver_t)
+allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
+allow $1_ssh_t $1_xserver_tmp_t:dir search;
+')dnl end if startx
+ifdef(`xdm.te', `
+allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
+allow $1_ssh_t { xdm_tmp_t }:sock_file write;
+')
+')dnl end if xserver
+
+ifdef(`ssh-agent.te', `
+ssh_agent_domain($1)
+')dnl end if ssh_agent.te
+
+#allow ssh to access keys stored on removable media
+# Should we have a boolean around this?
+allow $1_ssh_t mnt_t:dir search;
+r_dir_file($1_ssh_t, removable_t) 
+
+ifdef(`xdm.te', `
+# should be able to remove these two later
+allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
+allow $1_ssh_t xdm_xserver_tmp_t:dir search;
+allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
+allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
+allow $1_ssh_t xdm_xserver_t:fd use;
+allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
+allow $1_ssh_t xdm_t:fd use;
+')dnl end if xdm.te
+')dnl end macro definition
+
+', `
+
+define(`ssh_domain',`')
+
+')dnl end if ssh.te
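Review bot: `file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir)` together with `allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:file create_file_perms;` lets the administrator's ssh client create and write files in every user's `~/.ssh`, which is where that user's authorized_keys lives; the only comment is `# Access the users .ssh directory.`, which does not convey the cross-user grant. A comment like `# sysadm_ssh_t may create/write any user's ~/.ssh (including authorized_keys); deliberate cross-domain grant` would make the intent auditable rather than look like an accident of the `{ ... }` set. The removable-media rules under `# Should we have a boolean around this?` commit an open question into the policy; either add the boolean or replace the question with the decision taken.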
diff --git a/strict/macros/program/su_macros.te b/strict/macros/program/su_macros.te
new file mode 100644
index 0000000..7426b4e
--- /dev/null
+++ b/strict/macros/program/su_macros.te
@@ -0,0 +1,169 @@
+#
+# Macros for su domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser
+#
+
+#
+# su_domain(domain_prefix)
+#
+# Define a derived domain for the su program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/su.te. 
+#
+
+undefine(`su_restricted_domain')
+undefine(`su_mini_domain')
+undefine(`su_domain')
+ifdef(`su.te', `
+
+define(`su_restricted_domain', `
+# Derived domain based on the calling user domain and the program.
+type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
+
+# for SSP
+allow $1_su_t urandom_device_t:chr_file { getattr read };
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, su_exec_t, $1_su_t)
+
+allow $1_su_t sbin_t:dir search;
+domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
+
+uses_shlib($1_su_t)
+allow $1_su_t etc_t:file { getattr read };
+read_locale($1_su_t)
+read_sysctl($1_su_t)
+allow $1_su_t self:unix_dgram_socket { connect create write };
+allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_su_t self:fifo_file rw_file_perms;
+allow $1_su_t proc_t:dir search;
+allow $1_su_t proc_t:lnk_file read;
+r_dir_file($1_su_t, self)
+allow $1_su_t proc_t:file read;
+allow $1_su_t self:process { setsched setrlimit };
+allow $1_su_t device_t:dir search;
+allow $1_su_t self:process { fork sigchld };
+can_ypbind($1_su_t)
+r_dir_file($1_su_t, selinux_config_t)
+
+dontaudit $1_su_t shadow_t:file { getattr read };
+dontaudit $1_su_t home_root_t:dir search;
+dontaudit $1_su_t init_t:fd use;
+allow $1_su_t var_lib_t:dir search;
+allow $1_t $1_su_t:process signal;
+
+ifdef(`crond.te', `
+allow $1_su_t crond_t:fifo_file read;
+')
+
+# Use capabilities.
+allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+dontaudit $1_su_t self:capability sys_tty_config;
+#
+# Caused by su - init scripts
+#
+dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
+
+# By default, revert to the calling domain when a shell is executed.
+domain_auto_trans($1_su_t, shell_exec_t, $1_t)
+allow $1_su_t bin_t:dir search;
+allow $1_su_t bin_t:lnk_file read;
+
+# But also allow transitions to unprivileged user domains.
+domain_trans($1_su_t, shell_exec_t, unpriv_userdomain)
+can_setexec($1_su_t)
+
+# Get security decisions
+can_getsecurity($1_su_t)
+r_dir_file($1_su_t, default_context_t)
+
+allow $1_su_t privfd:fd use;
+
+# Write to utmp.
+allow $1_su_t { var_t var_run_t }:dir search;
+allow $1_su_t initrc_var_run_t:file rw_file_perms;
+can_kerberos($1_su_t)
+') dnl end su_restricted_domain
+
+define(`su_mini_domain', `
+su_restricted_domain($1,$1)
+if(!secure_mode)
+{
+	# if we are not in secure mode then we can transition to sysadm_t
+	domain_trans($1_su_t, shell_exec_t, sysadm_t)
+}
+
+# Relabel ttys and ptys.
+allow $1_su_t device_t:dir { getattr read search };
+allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
+
+# Close and re-open ttys and ptys to get the fd into the correct domain.
+allow $1_su_t { ttyfile ptyfile }:chr_file { read write };
+
+')dnl end su_mini_domain
+
+define(`su_domain', `
+su_mini_domain($1)
+ifdef(`chkpwd.te', `
+# Run chkpwd.
+can_exec($1_su_t, chkpwd_exec_t)
+')
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
+
+# The user role is authorized for this domain.
+role $1_r types $1_su_t;
+
+# Write to the user domain tty.
+access_terminal($1_su_t, $1)
+
+allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
+allow $1_su_t $1_home_t:file create_file_perms;
+ifdef(`user_canbe_sysadm', `
+allow $1_su_t home_dir_type:dir { search write };
+', `
+dontaudit $1_su_t home_dir_type:dir { search write };
+')
+
+allow $1_su_t autofs_t:dir { search getattr };
+if (use_nfs_home_dirs) {
+allow $1_su_t nfs_t:dir search;
+}
+if (use_samba_home_dirs) {
+allow $1_su_t cifs_t:dir search;
+}
+
+# Modify .Xauthority file (via xauth program).
+ifdef(`xauth.te', `
+file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
+')
+
+ifdef(`cyrus.te', `
+allow $1_su_t cyrus_var_lib_t:dir search;
+')
+ifdef(`ssh.te', `
+# Access sshd cookie files.
+allow $1_su_t sshd_tmp_t:dir rw_dir_perms;
+allow $1_su_t sshd_tmp_t:file rw_file_perms;
+file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
+')
+
+allow $1_su_t var_lib_t:dir search;
+dontaudit $1_su_t init_t:fd use;
+')dnl end su_domain
+
+', `
+
+define(`su_domain',`')
+
+')
+
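Review bot: `allow $1_su_t var_lib_t:dir search;` and `dontaudit $1_su_t init_t:fd use;` are granted in su_restricted_domain and repeated verbatim at the end of su_domain, which always expands su_restricted_domain through su_mini_domain; remove the two copies in su_domain. The `ifdef(`xauth.te'` block hardcodes `staff_home_dir_t`, `user_home_dir_t` and `sysadm_home_dir_t` instead of deriving from `$1`, so a site that instantiates su_domain for an additional user prefix gets no .Xauthority transition for that home directory type; either add a comment stating that only the three built-in prefixes are covered, or derive the rule from `$1_home_dir_t`.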
diff --git a/strict/macros/program/sudo_macros.te b/strict/macros/program/sudo_macros.te
new file mode 100644
index 0000000..b2b4e1c
--- /dev/null
+++ b/strict/macros/program/sudo_macros.te
@@ -0,0 +1,34 @@
+# Authors:  Dan Walsh,  Russell Coker
+# Maintained by Dan Walsh <dwalsh at redhat.com>
+define(`sudo_domain',`
+newrole_domain($1_sudo, `, privuser')
+
+# By default, revert to the calling domain when a shell is executed.
+domain_auto_trans($1_sudo_t, shell_exec_t, $1_t)
+
+ifdef(`mta.te', `
+domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
+allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms;
+')
+
+allow $1_sudo_t self:capability sys_resource;
+
+allow $1_sudo_t self:process setrlimit;
+
+ifdef(`pam.te', `
+allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
+allow $1_sudo_t pam_var_run_t:file create_file_perms;
+')
+
+allow $1_sudo_t initrc_var_run_t:file rw_file_perms;
+allow $1_sudo_t sysctl_t:dir search;
+allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :file getattr;
+allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :lnk_file { getattr read };
+read_sysctl($1_sudo_t)
+
+allow $1_sudo_t var_run_t:dir search;
+r_dir_file($1_sudo_t, default_context_t)
+rw_dir_create_file($1_sudo_t, $1_tmp_t)
+rw_dir_create_file($1_sudo_t, $1_home_t)
+domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
+')
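Review bot: sudo_macros.te lacks the header block every sibling in this commit carries (purpose, `sudo_domain(domain_prefix)`, and where the executable type is declared), and it is not wrapped in `undefine(...)`/`ifdef(`sudo.te', ...)`, so `sudo_exec_t` in `domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)` is referenced even when sudo.te is not built unless the caller guards the invocation. Suggested header above the define: `# sudo_domain(domain_prefix): derived domain for sudo run from user domain $1; sudo_exec_t is declared in domains/program/sudo.te`. `rw_dir_create_file($1_sudo_t, $1_home_t)` also grants the sudo domain write access across the user's whole home directory with no comment on why, which is worth a line given that the domain also carries `privuser` via `newrole_domain($1_sudo, `, privuser')`.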
diff --git a/strict/macros/program/tvtime_macros.te b/strict/macros/program/tvtime_macros.te
new file mode 100644
index 0000000..acb45b1
--- /dev/null
+++ b/strict/macros/program/tvtime_macros.te
@@ -0,0 +1,43 @@
+#
+# Macros for tvtime domains.
+#
+
+#
+# Author: Dan Walsh <dwalsh at redhat.com>
+#
+
+#
+# tvtime_domain(domain_prefix)
+#
+# Define a derived domain for the tvtime program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/tvtime.te. 
+#
+undefine(`tvtime_domain')
+ifdef(`tvtime.te', `
+define(`tvtime_domain',`
+
+home_domain($1, tvtime)
+x_client_domain($1, tvtime)
+
+allow $1_tvtime_t urandom_device_t:chr_file read;
+allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
+allow $1_tvtime_t kernel_t:system ipc_info;
+allow $1_tvtime_t sound_device_t:chr_file read;
+allow $1_tvtime_t $1_home_t:dir { getattr read search };
+allow $1_tvtime_t $1_home_t:file { getattr read };
+tmp_domain($1_tvtime)
+allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
+allow $1_tvtime_t self:process setsched;
+allow $1_tvtime_t usr_t:file { getattr read };
+
+')dnl end tvtime_domain
+
+', `
+
+define(`tvtime_domain',`')
+
+')
+
diff --git a/strict/macros/program/uml_macros.te b/strict/macros/program/uml_macros.te
new file mode 100644
index 0000000..654b794
--- /dev/null
+++ b/strict/macros/program/uml_macros.te
@@ -0,0 +1,136 @@
+#
+# Macros for uml domains.
+#
+
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+
+#
+# uml_domain(domain_prefix)
+#
+# Define a derived domain for the uml program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/uml.te. 
+#
+undefine(`uml_domain')
+ifdef(`uml.te', `
+define(`uml_domain',`
+
+# Derived domain based on the calling user domain and the program.
+type $1_uml_t, domain;
+type $1_uml_exec_t, file_type, sysadmfile, $1_file_type;
+type $1_uml_ro_t, file_type, sysadmfile, $1_file_type;
+type $1_uml_rw_t, file_type, sysadmfile, $1_file_type;
+
+# for X
+ifdef(`startx.te', `
+ifelse($1, sysadm, `', `
+ifdef(`xdm.te', `
+allow $1_uml_t xdm_xserver_tmp_t:dir search;
+')dnl end if xdm.te
+allow $1_uml_t $1_xserver_tmp_t:sock_file write;
+can_unix_connect($1_uml_t, $1_xserver_t)
+')dnl end ifelse sysadm
+')dnl end ifdef startx
+
+allow $1_t { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
+allow $1_t $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
+allow $1_t { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
+allow $1_t { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
+r_dir_file($1_t, uml_ro_t)
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
+can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
+
+# The user role is authorized for this domain.
+role $1_r types $1_uml_t;
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_uml_t $1_gph_t:fd use;')
+
+# Inherit and use descriptors from newrole.
+ifdef(`newrole.te', `allow $1_uml_t newrole_t:fd use;')
+
+# allow ps, ptrace, signal
+can_ps($1_t, $1_uml_t)
+can_ptrace($1_t, $1_uml_t)
+allow $1_t $1_uml_t:process signal_perms;
+
+# allow the UML thing to happen
+allow $1_uml_t self:process { fork signal_perms ptrace };
+can_create_pty($1_uml)
+allow $1_uml_t root_t:dir search;
+tmp_domain($1_uml)
+can_exec($1_uml_t, $1_uml_tmp_t)
+tmpfs_domain($1_uml)
+can_exec($1_uml_t, $1_uml_tmpfs_t)
+create_dir_file($1_t, $1_uml_tmp_t)
+allow $1_t $1_uml_tmp_t:sock_file create_file_perms;
+allow $1_uml_t self:fifo_file rw_file_perms;
+allow $1_uml_t fs_t:filesystem getattr;
+
+allow $1_uml_t tun_tap_device_t:chr_file { read write ioctl };
+
+ifdef(`uml_net.te', `
+# for uml_net
+domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
+allow uml_net_t $1_uml_t:unix_stream_socket { read write };
+allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
+dontaudit uml_net_t privfd:fd use;
+allow uml_net_t $1_uml_devpts_t:chr_file { read write };
+dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
+')dnl end ifdef uml_net.te
+
+# for mconsole
+allow { $1_t $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
+allow $1_uml_t $1_t:unix_dgram_socket sendto;
+
+# Use the network.
+can_network($1_uml_t)
+can_ypbind($1_uml_t)
+
+# for xterm
+uses_shlib($1_uml_t)
+can_exec($1_uml_t, { bin_t sbin_t lib_t })
+allow $1_uml_t { bin_t sbin_t }:dir search;
+allow $1_uml_t etc_t:file { getattr read };
+dontaudit $1_uml_t etc_runtime_t:file read;
+can_tcp_connect($1_uml_t, sshd_t)
+ifdef(`xauth.te', `
+allow $1_uml_t $1_xauth_home_t:file { getattr read };
+')
+allow $1_uml_t var_run_t:dir search;
+allow $1_uml_t initrc_var_run_t:file { getattr read };
+dontaudit $1_uml_t initrc_var_run_t:file { write lock };
+
+allow $1_uml_t device_t:dir search;
+allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_uml_t self:unix_dgram_socket create_socket_perms;
+allow $1_uml_t privfd:fd use;
+allow $1_uml_t proc_t:dir search;
+allow $1_uml_t proc_t:file { getattr read };
+
+# for SKAS - need something better
+allow $1_uml_t proc_t:file write;
+
+# Write to the user domain tty.
+access_terminal($1_uml_t, $1)
+
+# access config files
+allow $1_uml_t home_root_t:dir search;
+file_type_auto_trans($1_uml_t, $1_home_dir_t, $1_uml_rw_t)
+r_dir_file($1_uml_t, { $1_uml_ro_t uml_ro_t })
+
+# putting uml data under /var is usual...
+allow $1_uml_t var_t:dir search;
+')dnl end macro definition
+
+', `
+
+define(`uml_domain',`')
+
+')
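Review bot: `allow $1_uml_t proc_t:file write;` under `# for SKAS - need something better` grants write on every file labelled proc_t rather than the one interface SKAS uses, and the comment does not name that interface, so nobody can later narrow the rule. Propose expanding the comment to `# for SKAS - need something better: this is write to ALL proc_t files; TODO name the /proc entry SKAS needs and give it its own type`. The block labelled `# for xterm` also covers `can_tcp_connect($1_uml_t, sshd_t)`, which the xterm label does not explain; a separate why-comment on that line would help.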
diff --git a/strict/macros/program/userhelper_macros.te b/strict/macros/program/userhelper_macros.te
new file mode 100644
index 0000000..109b973
--- /dev/null
+++ b/strict/macros/program/userhelper_macros.te
@@ -0,0 +1,144 @@
+#DESC Userhelper - SELinux utility to run a shell with a new role
+#
+# Authors:  Dan Walsh (Red Hat)
+# Maintained by Dan Walsh <dwalsh at redhat.com>
+#
+
+#
+# userhelper_domain(domain_prefix)
+#
+# Define a derived domain for the userhelper/userhelper program when executed by
+# a user domain.  
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/userhelper.te. 
+#
+define(`userhelper_domain',`
+type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser, nscd_client_domain;
+
+in_user_role($1_userhelper_t)
+role sysadm_r types $1_userhelper_t;
+
+ifelse($1, sysadm, `
+typealias sysadm_userhelper_t alias userhelper_t;
+domain_auto_trans(initrc_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
+general_domain_access($1_userhelper_t);
+
+uses_shlib($1_userhelper_t)
+read_locale($1_userhelper_t)
+read_sysctl($1_userhelper_t)
+
+# for when the user types "exec userhelper" at the command line
+allow $1_userhelper_t privfd:process sigchld;
+
+domain_auto_trans($1_t, userhelper_exec_t, $1_userhelper_t)
+
+# Inherit descriptors from the current session.
+allow $1_userhelper_t { init_t privfd }:fd use;
+
+can_exec($1_userhelper_t, { bin_t sbin_t userhelper_exec_t })
+
+# Execute shells
+allow $1_userhelper_t { sbin_t bin_t }:dir r_dir_perms;
+allow $1_userhelper_t { sbin_t bin_t }:lnk_file read;
+allow $1_userhelper_t shell_exec_t:file r_file_perms;
+
+# By default, revert to the calling domain when a program is executed.
+domain_auto_trans($1_userhelper_t, { bin_t sbin_t }, $1_t)
+
+# Allow $1_userhelper_t to transition to user domains.
+domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, unpriv_userdomain)
+if (!secure_mode) {
+	# if we are not in secure mode then we can transition to sysadm_t
+	domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, sysadm_t)
+}
+can_setexec($1_userhelper_t)
+
+ifdef(`distro_redhat', `
+ifdef(`rpm.te', `
+# Allow transitioning to rpm_t, for up2date
+allow $1_userhelper_t rpm_t:process { transition siginh rlimitinh noatsecure };
+')
+')
+
+# Use capabilities.
+allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
+
+# Write to utmp.
+file_type_auto_trans($1_userhelper_t, var_run_t, initrc_var_run_t, file)
+
+# Read the devpts root directory.
+allow $1_userhelper_t devpts_t:dir r_dir_perms;
+
+# Read the /etc/security/default_type file
+allow $1_userhelper_t etc_t:file r_file_perms;
+
+# Read /var.
+allow $1_userhelper_t var_t:dir r_dir_perms;
+allow $1_userhelper_t var_t:notdevfile_class_set r_file_perms;
+
+# Read /dev directories and any symbolic links.
+allow $1_userhelper_t device_t:dir r_dir_perms;
+
+# Relabel terminals.
+allow $1_userhelper_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
+
+# Access terminals.
+allow $1_userhelper_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
+ifdef(`gnome-pty-helper.te', `allow $1_userhelper_t gphdomain:fd use;')
+
+#
+# Allow $1_userhelper to obtain contexts to relabel TTYs
+#
+can_getsecurity($1_userhelper_t)
+
+allow $1_userhelper_t fs_t:filesystem getattr;
+
+# for some PAM modules and for cwd
+dontaudit $1_userhelper_t { home_root_t home_type }:dir search;
+
+allow $1_userhelper_t proc_t:dir search;
+allow $1_userhelper_t proc_t:file { getattr read };
+
+# for when the network connection is killed
+dontaudit unpriv_userdomain $1_userhelper_t:process signal;
+
+allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
+allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+
+ifdef(`pam.te', `
+allow $1_userhelper_t pam_var_run_t:dir create_dir_perms;
+allow $1_userhelper_t pam_var_run_t:file create_file_perms;
+')
+
+allow $1_userhelper_t urandom_device_t:chr_file { getattr read };
+
+allow $1_userhelper_t autofs_t:dir search;
+role system_r types $1_userhelper_t;
+r_dir_file($1_userhelper_t, nfs_t)
+
+ifdef(`xdm.te', `
+allow $1_userhelper_t xdm_t:fd use;
+allow $1_userhelper_t xdm_t:fifo_file rw_file_perms;
+allow $1_userhelper_t xdm_var_run_t:dir search;
+')
+
+r_dir_file($1_userhelper_t, selinux_config_t)
+r_dir_file($1_userhelper_t, default_context_t)
+
+ifdef(`xauth.te', `
+domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
+allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
+')
+
+ifdef(`pamconsole.te', `
+allow $1_userhelper_t pam_var_console_t:dir { search };
+')
+
+ifdef(`mozilla.te', `
+domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
+')
+
+')dnl end userhelper macro
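Review bot: `allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;` and the `rw_dir_perms` line after it give the helper domain write access to its own configuration type with no comment saying why, while every other configuration type in this macro (`etc_t`, `selinux_config_t`, `default_context_t`) is read-only; if, as the name suggests, that configuration decides what the setuid helper may run, write from the helper domain deserves a justification. If userhelper only reads it, `r_dir_file($1_userhelper_t, userhelper_conf_t)` as used for `selinux_config_t` below is the tighter form; otherwise add a comment naming the write case. Unlike uml_macros.te and xauth_macros.te in this commit, this macro and vmware_macros.te are defined without the `undefine`/`ifdef` on the program's .te file, so a policy that calls them without userhelper.te or vmware.te present will hit undeclared exec types.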
diff --git a/strict/macros/program/vmware_macros.te b/strict/macros/program/vmware_macros.te
new file mode 100644
index 0000000..b306f08
--- /dev/null
+++ b/strict/macros/program/vmware_macros.te
@@ -0,0 +1,133 @@
+# Macro for vmware
+#
+# Based on work contributed by Mark Westerman (mark.westerman at westcam.com), 
+# modifications by NAI Labs.
+#
+# Turned into a macro by Thomas Bleher <ThomasBleher at gmx.de>
+#
+# vmware_domain(domain_prefix)
+#
+# Define a derived domain for the vmware program when executed by
+# a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/vmware.te. This file also
+# implements a separate domain vmware_t.
+#
+ 
+define(`vmware_domain', `
+
+# Domain for the user applications to run in.
+type $1_vmware_t, domain, privmem;
+
+role $1_r types $1_vmware_t;
+
+# The user file type is for files created when the user is running VMWare
+type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;
+
+# The user file type for the VMWare configuration files
+type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;
+
+# for compatibility with older policy versions
+typealias $1_vmware_t alias vmware_$1_t;
+typealias $1_vmware_file_t alias vmware_$1_file_t;
+typealias $1_vmware_conf_t alias vmware_$1_conf_t;
+
+#############################################################
+# User rules for running VMWare
+#
+# Transition to VMWare user domain
+domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
+can_exec($1_vmware_t, vmware_user_exec_t)
+uses_shlib($1_vmware_t)
+var_run_domain($1_vmware)
+
+general_domain_access($1_vmware_t);
+
+# Capabilities needed by VMWare for the user execution. This seems a 
+# bit too much, so be careful.
+allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
+
+# Access to ttys
+allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
+allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
+allow $1_vmware_t privfd:fd use;
+
+# Access /proc
+r_dir_file($1_vmware_t, proc_t)
+allow $1_vmware_t proc_net_t:dir search;
+allow $1_vmware_t proc_net_t:file { getattr read };
+
+# Access to some files in the user home directory
+r_dir_file($1_vmware_t, $1_home_t)
+
+# Access to runtime files for user
+allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
+allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
+allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;
+
+# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
+r_dir_file($1_vmware_t, vmware_sys_conf_t)
+
+# Allow $1_vmware_t to read/write files in the tmp dir
+tmp_domain($1_vmware)
+allow $1_vmware_t $1_vmware_tmp_t:file execute;
+
+# Allow read access to several paths
+r_dir_file($1_vmware_t, etc_t)
+allow $1_vmware_t etc_runtime_t:file r_file_perms;
+allow $1_vmware_t device_t:dir r_dir_perms;
+allow $1_vmware_t var_t:dir r_dir_perms;
+allow $1_vmware_t tmpfs_t:file rw_file_perms;
+
+# Allow vmware to write to ~/.vmware
+rw_dir_create_file($1_vmware_t, $1_vmware_file_t)
+
+#
+# This is bad; VMWare needs execute permission to the .cfg file for the
+# configuration to run.
+#
+allow $1_vmware_t $1_vmware_conf_t:file execute;
+
+# Access X11 config files
+allow $1_vmware_t lib_t:file r_file_perms;
+
+# Access components of VMWare in /usr/lib/vmware/bin by default
+allow $1_vmware_t bin_t:dir r_dir_perms;
+
+# Allow access to lp port (Need to create an lp device domain )
+allow $1_vmware_t device_t:chr_file r_file_perms;
+
+# Allow access to /dev/mem
+allow $1_vmware_t memory_device_t:chr_file { read write };
+
+# Allow access to mouse
+allow $1_vmware_t mouse_device_t:chr_file r_file_perms;
+
+# Allow access the sound device 
+allow $1_vmware_t sound_device_t:chr_file { ioctl write };
+
+# Allow removable media and devices
+allow $1_vmware_t removable_device_t:blk_file r_file_perms;
+allow $1_vmware_t device_t:lnk_file read;
+
+# Allow access to the real time clock device
+allow $1_vmware_t clock_device_t:chr_file read;
+
+# Allow to attach to Xserver, and Xserver to attach back
+ifdef(`gnome-pty-helper.te', `
+allow $1_vmware_t $1_gph_t:fd use;
+')
+ifdef(`startx.te', `
+allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
+allow $1_vmware_t $1_xserver_tmp_t:dir search;
+allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
+allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
+allow $1_xserver_t $1_vmware_t:fd use;
+')
+
+# Allow filesystem read access
+allow $1_vmware_t fs_t:filesystem getattr;
+
+')
+
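Review bot: `allow $1_vmware_t memory_device_t:chr_file { read write };` together with the `sys_rawio sys_admin dac_override` capabilities and the `privmem` attribute makes `$1_vmware_t` effectively unconfined with respect to the kernel, yet the header describes it only as a derived user domain and the capability comment says merely "be careful". Propose stating this at the `# Allow access to /dev/mem` comment: `# NOTE: write to memory_device_t plus sys_rawio/sys_admin makes this domain effectively unconfined; the derived type separates users' vmware instances from each other, not vmware from the system`. The `allow $1_vmware_t device_t:chr_file r_file_perms;` rule for the lp port also reaches every character device still carrying the generic device_t label; the existing comment already asks for an lp device type, so a `TODO` marker there would make it findable.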
diff --git a/strict/macros/program/x_client_macros.te b/strict/macros/program/x_client_macros.te
new file mode 100644
index 0000000..aef31ad
--- /dev/null
+++ b/strict/macros/program/x_client_macros.te
@@ -0,0 +1,161 @@
+#
+# Macros for X client programs ($2 etc)
+#
+
+#
+# Author: Russell Coker <russell at coker.com.au>
+# Based on the work of Stephen Smalley <sds at epoch.ncsc.mil>
+# and Timothy Fraser 
+#
+
+define(`xsession_domain', `
+
+# Connect to xserver
+can_unix_connect($1_t, $2_xserver_t)
+
+# /tmp/.ICE_unix
+allow $1_t $2_xserver_tmp_t:dir search;
+allow $1_t $2_xserver_tmp_t:sock_file rw_file_perms;
+
+# Stat /tmp/.X0-lock
+allow $1_t $2_xserver_tmp_t:file getattr;
+
+# Signal Xserver
+allow $1_t $2_xserver_t:process signal;
+
+# Use file descriptors created by each other.
+allow $1_t $2_xserver_t:fd use;
+allow $2_xserver_t $1_t:fd use;
+
+# Xserver read/write parent shm
+allow $2_xserver_t $1_t:shm rw_shm_perms;
+allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
+
+# Parent read xserver shm
+allow $1_t $2_xserver_t:shm r_shm_perms;
+allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
+')
+
+#
+# x_client_domain(domain_prefix)
+#
+# Define a derived domain for an X program when executed by
+# a user domain.  
+#
+# The type declaration for the executable type for this program ($2_exec_t)
+# must be provided separately!
+#
+# The first parameter is the base name for the domain/role (EG user or sysadm)
+# The second parameter is the program name (EG $2)
+# The third parameter is the attributes for the domain (if any)
+#
+define(`x_client_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_$2_t, domain, nscd_client_domain $3;
+
+ifelse(index(`$3', `transitionbool'), -1, `
+domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
+can_exec($1_$2_t, $2_exec_t)
+', `
+# Only do it once
+ifelse($1, user, `
+bool disable_$2 false;
+')
+# Transition from the user domain to the derived domain.
+if (! disable_$2) {
+domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
+can_exec($1_$2_t, $2_exec_t)
+}
+')
+
+# The user role is authorized for this domain.
+role $1_r types $1_$2_t;
+
+# This domain is granted permissions common to most domains (including can_net)
+can_network($1_$2_t)
+can_ypbind($1_$2_t)
+allow $1_$2_t self:process { fork signal_perms getsched };
+allow $1_$2_t self:unix_dgram_socket create_socket_perms;
+allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow $1_$2_t self:fifo_file rw_file_perms;
+allow $1_$2_t etc_runtime_t:file { getattr read };
+allow $1_$2_t etc_t:lnk_file read;
+allow $1_$2_t fs_t:filesystem getattr;
+access_terminal($1_$2_t, $1)
+read_locale($1_$2_t)
+r_dir_file($1_$2_t, readable_t)
+allow $1_$2_t proc_t:dir search;
+allow $1_$2_t proc_t:lnk_file read;
+allow $1_$2_t self:dir search;
+allow $1_$2_t self:lnk_file read;
+read_sysctl($1_$2_t)
+
+ifdef(`xauth.te',`
+allow $1_$2_t $1_xauth_home_t:file { getattr read };
+')
+
+# Allow the user domain to send any signal to the $2 process.
+allow $1_t $1_$2_t:process signal_perms;
+
+# Allow the user domain to read the /proc/PID directory for 
+# the $2 process.
+allow $1_t $1_$2_t:dir r_dir_perms;
+allow $1_t $1_$2_t:notdevfile_class_set r_file_perms;
+
+# Allow use of /dev/zero by ld.so.
+allow $1_$2_t device_t:dir search;
+allow $1_$2_t zero_device_t:chr_file rw_file_perms;
+allow $1_$2_t zero_device_t:chr_file x_file_perms;
+
+# allow using shared libraries and running programs
+uses_shlib($1_$2_t)
+allow $1_$2_t { bin_t sbin_t }:dir search;
+allow $1_$2_t bin_t:lnk_file read;
+can_exec($1_$2_t, { shell_exec_t bin_t })
+allow $1_$2_t etc_t:file { getattr read };
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_$2_t $1_gph_t:fd use;')
+allow $1_$2_t privfd:fd use;
+
+# for .xsession-errors
+dontaudit $1_$2_t $1_home_t:file write;
+
+# for X over a ssh tunnel
+ifdef(`ssh.te', `
+can_tcp_connect($1_$2_t, sshd_t)
+')
+
+# Read the home directory, e.g. for .Xauthority and to get to config files
+allow $1_$2_t home_root_t:dir { search getattr };
+
+# Use a separate type for tmpfs/shm pseudo files.
+tmpfs_domain($1_$2)
+
+allow $1_$2_t self:shm create_shm_perms;
+
+# allow X client to read all font files
+r_dir_file($1_$2_t, fonts_t)
+
+# Allow connections to X server.
+ifdef(`xserver.te', `
+allow $1_$2_t tmp_t:dir search;
+
+ifdef(`xdm.te', `
+xsession_domain($1_$2, xdm)
+
+# for when /tmp/.X11-unix is created by the system
+allow $1_$2_t xdm_t:fifo_file rw_file_perms;
+allow $1_$2_t xdm_tmp_t:dir search;
+allow $1_$2_t xdm_tmp_t:sock_file { read write };
+allow $1_$2_t xdm_t:fd use;
+dontaudit $1_$2_t xdm_t:tcp_socket { read write };
+')
+
+ifdef(`startx.te', `
+xsession_domain($1_$2, $1)
+')dnl end startx
+
+')dnl end xserver
+
+')dnl end x_client macro
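Review bot: The `transitionbool` branch declares `bool disable_$2 false;` only when `$1` is `user` (the `ifelse($1, user, ...)`), but the `if (! disable_$2)` that follows is emitted for every prefix, so a policy that instantiates this macro for `sysadm` or `staff` without first instantiating it for `user` references an undeclared boolean; the header comment does not mention this ordering requirement. Propose adding to the header: `# When $3 contains transitionbool, the disable_$2 boolean is declared by the user instantiation only; x_client_domain(user, $2, ...) must be expanded before any other prefix.` The header should also say that `$3` is spliced verbatim after `nscd_client_domain` in `type $1_$2_t, domain, nscd_client_domain $3;` and therefore must start with a comma, which the caller is otherwise left to discover.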
diff --git a/strict/macros/program/xauth_macros.te b/strict/macros/program/xauth_macros.te
new file mode 100644
index 0000000..405f151
--- /dev/null
+++ b/strict/macros/program/xauth_macros.te
@@ -0,0 +1,82 @@
+#
+# Macros for xauth domains.
+#
+
+#
+# Author:  Russell Coker <russell at coker.com.au>
+#
+
+#
+# xauth_domain(domain_prefix)
+#
+# Define a derived domain for the xauth program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/xauth.te. 
+#
+undefine(`xauth_domain')
+ifdef(`xauth.te', `
+define(`xauth_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_xauth_t, domain;
+
+allow $1_xauth_t self:process signal;
+
+home_domain($1, xauth)
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t)
+ifdef(`ssh.te', `
+domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t)
+allow $1_xauth_t sshd_t:fifo_file { getattr read };
+dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write };
+allow $1_xauth_t sshd_t:process sigchld;
+')dnl end if ssh
+
+# The user role is authorized for this domain.
+role $1_r types $1_xauth_t;
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `
+allow $1_xauth_t $1_gph_t:fd use;
+')
+
+allow $1_xauth_t privfd:fd use;
+allow $1_xauth_t ptmx_t:chr_file { read write };
+
+# allow ps to show xauth
+can_ps($1_t, $1_xauth_t)
+allow $1_t $1_xauth_t:process signal;
+
+uses_shlib($1_xauth_t)
+
+# allow DNS lookups...
+can_resolve($1_xauth_t)
+can_ypbind($1_xauth_t)
+ifdef(`named.te', `
+can_udp_send($1_xauth_t, named_t)
+can_udp_send(named_t, $1_xauth_t)
+')dnl end if named.te
+
+allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_xauth_t etc_t:file { getattr read };
+allow $1_xauth_t fs_t:filesystem getattr;
+
+# Write to the user domain tty.
+access_terminal($1_xauth_t, $1)
+
+# Scan /var/run.
+allow $1_xauth_t var_t:dir search;
+allow $1_xauth_t var_run_t:dir search; 
+
+tmp_domain($1_xauth)
+allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
+
+')dnl end xauth_domain macro
+
+', `
+
+define(`xauth_domain',`')
+
+')dnl end if xauth.te
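Review bot: `allow $1_xauth_t ptmx_t:chr_file { read write };` and `allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };` are the two rules in this macro that reach outside the xauth domain's own types without a comment; the latter reads the caller's generic tmp type even though `tmp_domain($1_xauth)` gives xauth a private one. Presumably the `$1_tmp_t` read is for the authority file handed over via the `$1_ssh_t` transition above; if so, propose `# read the temporary xauthority file handed over by the ssh domain — confirm` above it, and a similar why-comment on the ptmx_t line. There is also trailing whitespace on the `var_run_t:dir search;` line.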
diff --git a/strict/macros/program/xserver_macros.te b/strict/macros/program/xserver_macros.te
new file mode 100644
index 0000000..adbe7f7
--- /dev/null
+++ b/strict/macros/program/xserver_macros.te
@@ -0,0 +1,272 @@
+#
+# Macros for X server domains.
+#
+
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser
+#
+
+#################################
+#
+# xserver_domain(domain_prefix)
+#
+# Define a derived domain for the X server when executed
+# by a user domain (e.g. via startx).  See the xdm_t domain
+# in domains/program/xdm.te if using an X Display Manager.
+#
+# The type declarations for the executable type for this program 
+# and the log type are provided separately in domains/program/xserver.te. 
+#
+# FIXME!  The X server requires far too many privileges.
+#
+undefine(`xserver_domain')
+ifdef(`xserver.te', `
+
+define(`xserver_domain',`
+# Derived domain based on the calling user domain and the program.
+ifdef(`distro_redhat', `
+type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
+allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
+ifdef(`rpm.te', `
+allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
+allow $1_xserver_t rpm_tmpfs_t:file { read write };
+allow $1_xserver_t rpm_t:fd use;
+')
+
+', `
+type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
+')
+
+# for SSP
+allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl };
+
+# Transition from the user domain to this domain.
+ifelse($1, xdm, `
+ifdef(`xdm.te', `
+domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
+')
+', `
+domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)
+')dnl end ifelse xdm
+can_exec($1_xserver_t, xserver_exec_t)
+
+uses_shlib($1_xserver_t)
+
+if (allow_execmod) {
+allow $1_xserver_t texrel_shlib_t:file execmod;
+}
+
+can_network($1_xserver_t)
+can_ypbind($1_xserver_t)
+allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
+
+# for access within the domain
+general_domain_access($1_xserver_t)
+
+if (allow_execmem) {
+allow $1_xserver_t self:process execmem;
+}
+
+allow $1_xserver_t etc_runtime_t:file { getattr read };
+
+ifelse($1, xdm, `
+# The system role is authorised for the xdm and initrc domains
+role system_r types xdm_xserver_t;
+
+allow xdm_xserver_t init_t:fd use;
+
+dontaudit xdm_xserver_t home_dir_type:dir { read search };
+', `
+# The user role is authorized for this domain.
+role $1_r types $1_xserver_t;
+
+allow $1_xserver_t getty_t:fd use;
+allow $1_xserver_t local_login_t:fd use;
+allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms };
+
+allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;
+allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;
+
+can_unix_connect($1_t, $1_xserver_t)
+
+# Access the home directory.
+allow $1_xserver_t home_root_t:dir search;
+allow $1_xserver_t $1_home_dir_t:dir { getattr search };
+if (allow_xserver_home_fonts) {
+r_dir_file($1_xserver_t, $1_home_t)
+}
+ifdef(`xauth.te', `
+domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
+allow $1_xserver_t $1_xauth_home_t:file { getattr read };
+', `
+allow $1_xserver_t $1_home_t:file { getattr read };
+')dnl end ifdef xauth
+ifdef(`userhelper.te', `
+allow $1_xserver_t userhelper_conf_t:dir search;
+')dnl end ifdef userhelper
+')dnl end ifelse xdm
+
+allow $1_xserver_t self:process setsched;
+
+allow $1_xserver_t fs_t:filesystem getattr;
+
+# Xorg wants to check if kernel is tainted
+read_sysctl($1_xserver_t)
+
+# Use capabilities.
+# allow setuid/setgid for the wrapper program to change UID
+# sys_rawio is for iopl access - should not be needed for frame-buffer
+# sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
+# admin of APM bios?
+# sys_nice is so that the X server can set a negative nice value
+allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+allow $1_xserver_t nfs_t:dir { getattr search };
+
+# memory_device_t access is needed if not using the frame buffer
+#dontaudit $1_xserver_t memory_device_t:chr_file read;
+allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };
+# net_bind_service is needed if you want your X server to allow TCP connections
+# from other hosts, EG an XDM serving a network of X terms
+# if you want good security you do not want this
+# not sure why some people want chown, fsetid, and sys_tty_config.
+#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config };
+dontaudit $1_xserver_t self:capability chown;
+
+# for nscd
+dontaudit $1_xserver_t var_run_t:dir search;
+
+allow $1_xserver_t mtrr_device_t:file rw_file_perms;
+allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
+allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
+allow $1_xserver_t device_t:lnk_file { getattr read };
+allow $1_xserver_t devtty_t:chr_file rw_file_perms;
+allow $1_xserver_t zero_device_t:chr_file { read write execute };
+
+# Type for temporary files.
+tmp_domain($1_xserver, `', `{ dir file sock_file }')
+file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
+
+ifelse($1, xdm, `
+ifdef(`xdm.te', `
+allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
+allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
+allow xdm_t $1_xserver_t:process signal;
+can_unix_connect(xdm_t, xdm_xserver_t)
+allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
+allow xdm_xserver_t xdm_t:process signal;
+allow xdm_xserver_t xdm_t:shm rw_shm_perms;
+allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
+')
+', `
+allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
+allow $1_t xdm_xserver_t:unix_stream_socket connectto;
+allow $1_t $1_xserver_t:process signal;
+
+# Allow the user domain to connect to the X server.
+can_unix_connect($1_t, $1_xserver_t)
+allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms;
+allow $1_t $1_xserver_tmp_t:dir r_dir_perms;
+ifdef(`xdm.te', `
+allow $1_t xdm_tmp_t:sock_file unlink;
+allow $1_xserver_t xdm_var_run_t:dir search;
+# for /tmp/.ICE-unix
+file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
+')
+
+# Signal the user domain.
+allow $1_xserver_t $1_t:process signal;
+
+# Communicate via System V shared memory.
+allow $1_xserver_t $1_t:shm rw_shm_perms;
+allow $1_t $1_xserver_t:shm rw_shm_perms;
+allow $1_xserver_t initrc_t:shm rw_shm_perms;
+
+')dnl end ifelse xdm
+
+# Create files in /var/log with the xserver_log_t type.
+allow $1_xserver_t var_t:dir search;
+file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file)
+allow $1_xserver_t xserver_log_t:dir r_dir_perms;
+
+# Access AGP device.
+allow $1_xserver_t agp_device_t:chr_file rw_file_perms;
+
+# for other device nodes such as the NVidia binary-only driver
+allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms;
+
+# Access /proc/mtrr
+allow $1_xserver_t proc_t:file rw_file_perms;
+allow $1_xserver_t proc_t:lnk_file { getattr read };
+
+# Access /proc/sys/dev
+allow $1_xserver_t sysctl_dev_t:dir search;
+allow $1_xserver_t sysctl_dev_t:file { getattr read };
+# Access /proc/bus/pci
+allow $1_xserver_t proc_t:dir r_dir_perms;
+
+# Create and access /dev/dri devices.
+allow $1_xserver_t device_t:dir { create setattr };
+file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
+# brought on by rhgb
+allow $1_xserver_t mnt_t:dir search;
+
+allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
+
+# Run helper programs in $1_xserver_t.
+allow $1_xserver_t { bin_t sbin_t }:dir search;
+allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
+allow $1_xserver_t bin_t:lnk_file read;
+can_exec($1_xserver_t, { bin_t shell_exec_t })
+
+# Connect to xfs.
+ifdef(`xfs.te', `
+can_unix_connect($1_xserver_t, xfs_t)
+allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
+allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;
+
+# Bind to the X server socket in /tmp.
+allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind;
+')
+
+read_locale($1_xserver_t)
+
+# Type for tmpfs/shm files.
+tmpfs_domain($1_xserver)
+ifelse($1, xdm, `
+ifdef(`xdm.te', `
+allow xdm_xserver_t xdm_t:shm rw_shm_perms;
+allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
+')
+', `
+allow $1_xserver_t $1_t:shm rw_shm_perms;
+rw_dir_file($1_xserver_t, $1_tmpfs_t)
+')dnl end ifelse xdm
+
+
+r_dir_file($1_xserver_t,sysfs_t)
+
+# Use the mouse.
+allow $1_xserver_t mouse_device_t:chr_file rw_file_perms;
+# Allow xserver to read events - the synaptics touchpad
+# driver reads raw events
+allow $1_xserver_t event_device_t:chr_file rw_file_perms;
+ifdef(`pamconsole.te', `
+allow $1_xserver_t pam_var_console_t:dir search;
+')
+dontaudit $1_xserver_t selinux_config_t:dir search;
+
+allow $1_xserver_t var_lib_t:dir search;
+rw_dir_create_file($1_xserver_t, var_lib_xkb_t)
+
+# for fonts
+r_dir_file($1_xserver_t, fonts_t)
+')dnl end macro definition
+
+', `
+
+define(`xserver_domain',`')
+
+')
+
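Review bot: In the non-xdm branch of the `ifelse($1, xdm, ...)` around the "Allow the user domain to connect to the X server" comment, `allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;` and `allow $1_t xdm_xserver_t:unix_stream_socket connectto;` reference the xdm X server types outside the `ifdef` on xdm.te that guards the references a few lines later, and the unconditional `file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)` has the same issue; unless those types are declared regardless of xdm.te (not visible here), a build without xdm fails on them. Moving those three lines inside the existing xdm.te `ifdef` fixes it without changing the xdm build. Separately, `allow $1_xserver_t proc_t:file rw_file_perms;` is justified as `# Access /proc/mtrr`, but `mtrr_device_t:file rw_file_perms` is already granted above; if /proc/mtrr carries that type, the proc_t rule can drop to `r_file_perms` with the remaining read uses (`/proc/bus/pci`) still covered.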
diff --git a/strict/macros/program/ypbind_macros.te b/strict/macros/program/ypbind_macros.te
new file mode 100644
index 0000000..2157995
--- /dev/null
+++ b/strict/macros/program/ypbind_macros.te
@@ -0,0 +1,18 @@
+
+define(`uncond_can_ypbind', `
+dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
+can_network($1)
+r_dir_file($1,var_yp_t)
+allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
+dontaudit $1 self:capability net_bind_service;
+')
+
+define(`can_ypbind', `
+ifdef(`ypbind.te', `
+if (allow_ypbind) {
+uncond_can_ypbind($1)
+} else {
+dontaudit $1 var_yp_t:dir search;
+}
+') dnl ypbind.te
+') dnl can_ypbind
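Review bot: `uncond_can_ypbind` grants `name_bind` on `{ reserved_port_t port_t }` for both tcp and udp to whatever domain is passed in, and `can_ypbind` is invoked from many derived domains in this commit (the uml, x client, xauth, xserver and userhelper macros), so turning `allow_ypbind` on lets every one of them bind any generic or reserved port, not only what NIS needs; neither macro carries a comment saying so. Propose a header above `uncond_can_ypbind`: `# Grants the caller name_bind on ALL generic/reserved ports (presumably because ypbind binds an arbitrary reserved port — confirm); every can_ypbind caller receives this when allow_ypbind is on`.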
diff --git a/strict/macros/user_macros.te b/strict/macros/user_macros.te
new file mode 100644
index 0000000..d6f34f2
--- /dev/null
+++ b/strict/macros/user_macros.te
@@ -0,0 +1,225 @@
+#
+# Macros for all user login domains.
+#
+
+#
+# user_domain(domain_prefix)
+#
+# Define derived types and rules for an ordinary user domain.
+#
+# The type declaration and role authorization for the domain must be
+# provided separately.  Likewise, domain transitions into this domain
+# must be specified separately.  
+#
+
+# user_domain() is also called by the admin_domain() macro
+undefine(`user_domain')
+define(`user_domain', `
+# Use capabilities
+
+# Type for home directory.
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
+type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type;
+
+tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }')
+
+# Type and access for pty devices.
+can_create_pty($1, `, userpty_type, user_tty_type')
+
+#Type for tty devices.
+type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
+ 
+base_user_domain($1)
+
+# do not allow privhome access to sysadm_home_dir_t
+file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
+
+allow $1_t boot_t:dir { getattr search };
+dontaudit $1_t boot_t:lnk_file read;
+dontaudit $1_t boot_t:file read;
+allow $1_t system_map_t:file { getattr read };
+
+# Instantiate derived domains for a number of programs.
+# These derived domains encode both information about the calling
+# user domain and the program, and allow us to maintain separation
+# between different instances of the program being run by different
+# user domains.
+ifdef(`apache.te', `apache_domain($1)')
+ifdef(`slocate.te', `locate_domain($1)')
+ifdef(`lockdev.te', `lockdev_domain($1)')
+
+can_kerberos($1_t)
+# allow port_t name binding for UDP because it is not very usable otherwise
+allow $1_t port_t:udp_socket name_bind;
+
+#
+# Need the following rule to allow users to run vpnc
+#
+ifdef(`xserver.te', `
+allow $1_t xserver_port_t:tcp_socket name_bind;
+')
+
+# Allow users to run TCP servers (bind to ports and accept connection from
+# the same domain and outside users)  disabling this forces FTP passive mode
+# and may change other protocols
+if (user_tcp_server) {
+allow $1_t port_t:tcp_socket name_bind;
+}
+# port access is audited even if dac would not have allowed it, so dontaudit it here
+dontaudit $1_t reserved_port_type:tcp_socket name_bind;
+
+# Allow system log read
+if (user_dmesg) {
+allow $1_t kernel_t:system syslog_read;
+} else {
+# else do not log it
+dontaudit $1_t kernel_t:system syslog_read;
+}
+
+# Allow read access to utmp.
+allow $1_t initrc_var_run_t:file { getattr read lock };
+# The library functions always try to open read-write first,
+# then fall back to read-only if it fails. 
+# Do not audit write denials to utmp to avoid the noise.
+dontaudit $1_t initrc_var_run_t:file write;
+
+
+# do not audit read on disk devices
+dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
+
+ifdef(`xdm.te', `
+allow xdm_t $1_home_t:lnk_file read;
+allow xdm_t $1_home_t:dir search;
+#
+# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
+# 
+dontaudit xdm_t $1_home_t:file rw_file_perms;
+')dnl end ifdef xdm.te
+
+ifdef(`ftpd.te', `
+if (ftp_home_dir) {
+file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
+}
+')dnl end ifdef ftpd
+
+
+')dnl end user_domain macro
+
+
+###########################################################################
+#
+# Domains for ordinary users.
+#
+undefine(`full_user_role')
+define(`full_user_role', `
+
+# user_t/$1_t is an unprivileged users domain.
+type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd;
+
+attribute $1_file_type;
+# Grant read/search permissions to some of /proc.
+r_dir_file($1_t, proc_t)
+r_dir_file($1_t, proc_net_t)
+
+base_file_read_access($1_t)
+
+can_exec($1_t, usr_t)
+
+# Read directories and files with the readable_t type.
+# This type is a general type for "world"-readable files.
+allow $1_t readable_t:dir r_dir_perms;
+allow $1_t readable_t:notdevfile_class_set r_file_perms;
+
+# Stat lost+found.
+allow $1_t lost_found_t:dir getattr;
+
+# Read /var, /var/spool, /var/run.
+allow $1_t var_t:dir r_dir_perms;
+allow $1_t var_t:notdevfile_class_set r_file_perms;
+allow $1_t var_spool_t:dir r_dir_perms;
+allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
+allow $1_t var_run_t:dir r_dir_perms;
+allow $1_t var_run_t:{ file lnk_file } r_file_perms;
+allow $1_t var_lib_t:dir r_dir_perms;
+allow $1_t var_lib_t:file { getattr read };
+
+read_sysctl($1_t)
+
+# Read /etc.
+allow $1_t etc_t:dir r_dir_perms;
+allow $1_t etc_t:notdevfile_class_set r_file_perms;
+allow $1_t etc_runtime_t:{ file lnk_file } r_file_perms;
+
+# for running depmod as part of the kernel packaging process
+allow $1_t modules_conf_t:file { getattr read };
+
+# Read man directories and files.
+allow $1_t man_t:dir r_dir_perms;
+allow $1_t man_t:notdevfile_class_set r_file_perms;
+
+# Allow users to rw usb devices
+if (user_rw_usb) {
+rw_dir_create_file($1_t,usbdevfs_t)
+} else {
+r_dir_file($1_t,usbdevfs_t)
+}
+
+r_dir_file($1_t,sysfs_t)
+
+# Read /dev directories and any symbolic links.
+allow $1_t device_t:dir r_dir_perms;
+allow $1_t device_t:lnk_file r_file_perms;
+
+# Do not audit write denials to /etc/ld.so.cache.
+dontaudit $1_t ld_so_cache_t:file write;
+
+# Execute from the system shared libraries.
+uses_shlib($1_t);
+
+# $1_t is also granted permissions specific to user domains.
+user_domain($1)
+
+dontaudit $1_t sysadm_home_t:file { read append };
+
+ifdef(`syslogd.te', `
+# Some programs that are left in $1_t will try to connect
+# to syslogd, but we do not want to let them generate log messages.
+# Do not audit.
+dontaudit $1_t devlog_t:sock_file { read write };
+dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
+')
+
+# Stop warnings about access to /dev/console
+dontaudit $1_t init_t:fd use;
+dontaudit $1_t initrc_t:fd use;
+allow $1_t initrc_t:fifo_file write;
+ifdef(`user_can_mount', `
+#
+#  Allow users to mount file systems like floppies and cdrom
+#
+mount_domain($1, $1_mount, `, fs_domain')
+r_dir_file($1_t, mnt_t)
+allow $1_mount_t device_t:lnk_file read;
+allow $1_mount_t removable_device_t:blk_file read;
+allow $1_mount_t iso9660_t:filesystem relabelfrom;
+allow $1_mount_t removable_t:filesystem { mount relabelto };
+allow $1_mount_t removable_t:dir mounton;
+ifdef(`xdm.te', `
+allow $1_mount_t xdm_t:fd use;
+allow $1_mount_t xdm_t:fifo_file { read write };
+')
+')
+
+#
+# Rules used to associate a homedir as a mountpoint
+#
+allow $1_home_t self:filesystem associate;
+allow $1_file_type $1_home_t:filesystem associate;
+')
+
+undefine(`in_user_role')
+define(`in_user_role', `
+role user_r types $1;
+role staff_r types $1;
+')
+
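Review bot: `allow $1_t xserver_port_t:tcp_socket name_bind;` inside the `ifdef(`xserver.te'` block is unconditional, so every ordinary user domain may bind a listening socket on X display ports whenever xserver.te is built, whereas the general case a few lines later is gated by `if (user_tcp_server) { ... }`; the comment only names vpnc and does not explain why a listening socket on those ports is required. Suggest either moving the rule under the same `user_tcp_server` boolean or replacing the comment with one that states the concrete need, e.g. `# vpnc binds an xserver_port_t port; granted to all user domains because it is not covered by user_tcp_server`. As a point of style, `uses_shlib($1_t);` is the only macro call in the hunk with a trailing semicolon (compare `can_exec($1_t, usr_t)`), which m4 passes through into the expanded policy; drop it for consistency with the rest of the file.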
diff --git a/strict/mls b/strict/mls
new file mode 100644
index 0000000..3126db6
--- /dev/null
+++ b/strict/mls
@@ -0,0 +1,742 @@
+#
+# Define sensitivities 
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+sensitivity s0;
+sensitivity s1;
+sensitivity s2;
+sensitivity s3;
+sensitivity s4;
+sensitivity s5;
+sensitivity s6;
+sensitivity s7;
+sensitivity s8;
+sensitivity s9;
+
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+
+
+#
+# Each MLS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0 . c127;
+level s1:c0 . c127;
+level s2:c0 . c127;
+level s3:c0 . c127;
+level s4:c0 . c127;
+level s5:c0 . c127;
+level s6:c0 . c127;
+level s7:c0 . c127;
+level s8:c0 . c127;
+level s9:c0 . c127;
+
+
+#
+# Define the MLS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_mls_op r2
+#	     | t1 op t2
+#	     | l1 role_mls_op l2
+#	     | l1 role_mls_op h2
+#	     | h1 role_mls_op l2
+#	     | h1 role_mls_op h2
+#	     | l1 role_mls_op h1
+#	     | l2 role_mls_op h2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MLS policy for the file classes
+#
+
+# make sure these file classes are "single level"
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
+	( l2 eq h2 );
+
+# new file labels must be dominated by the relabeling subject's clearance
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
+	( h1 dom h2 );
+
+# the file "read" ops (note the check is dominance of the low level)
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsfileread ) or
+	 ( t2 == mlstrustedobject ));
+
+mlsconstrain dir search
+	(( l1 dom l2 ) or
+	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsfileread ) or
+	 ( t2 == mlstrustedobject ));
+
+# the "single level" file "write" ops
+mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ) or
+	 ( t2 == mlstrustedobject ));
+
+# the "ranged" file "write" ops
+mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ) or
+	 ( t2 == mlstrustedobject ));
+
+mlsconstrain dir { add_name remove_name reparent rmdir }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ) or
+	 ( t2 == mlstrustedobject ));
+
+# these access vectors have no MLS restrictions
+# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
+#
+# file { execute_no_trans entrypoint }
+
+# the file upgrade/downgrade rule
+mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file }
+	((( l1 eq l2 ) or
+	  (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
+	 (( h1 eq h2 ) or
+	  (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
+
+# create can also require the upgrade/downgrade checks if the creating process
+# has used setfscreate (note that both the high and low level of the object
+# default to the process' sensitivity level)
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
+	((( l1 eq l2 ) or
+	  (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
+	 (( l1 eq h2 ) or
+	  (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
+
+
+
+
+#
+# MLS policy for the filesystem class
+#
+
+# new filesystem labels must be dominated by the relabeling subject's clearance
+mlsconstrain filesystem relabelto
+	( h1 dom h2 );
+
+# the filesystem "read" ops (implicit single level)
+mlsconstrain filesystem { getattr quotaget }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsfileread ));
+
+# all the filesystem "write" ops (implicit single level)
+mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ));
+
+# these access vectors have no MLS restrictions
+# filesystem { transition associate }
+
+
+
+
+#
+# MLS policy for the socket classes
+#
+
+# new socket labels must be dominated by the relabeling subject's clearance
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+	( h1 dom h2 );
+
+# the socket "read" ops (note the check is dominance of the low level)
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
+mlsconstrain { tcp_socket unix_stream_socket } acceptfrom
+	(( l1 dom l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
+mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
+	(( l1 dom l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
+# the socket "write" ops
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { setattr relabelfrom connect setopt shutdown }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsnetwrite ));
+
+mlsconstrain { tcp_socket unix_stream_socket } { connectto newconn }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsnetwrite ));
+
+# these access vectors have no MLS restrictions
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl write create lock append bind sendto send_msg name_bind }
+#
+# { tcp_socket udp_socket rawip_socket } node_bind
+#
+# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
+#
+
+
+
+
+#
+# MLS policy for the ipc classes
+#
+
+# the ipc "read" ops (implicit single level)
+mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsipcread ));
+
+mlsconstrain msg receive
+	(( l1 dom l2 ) or
+	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsipcread ));
+
+# the ipc "write" ops (implicit single level)
+mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+mlsconstrain msgq enqueue
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+mlsconstrain shm lock
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+mlsconstrain msg send
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+# these access vectors have no MLS restrictions
+# { ipc sem msgq shm } associate
+
+
+
+
+#
+# MLS policy for the fd class
+#
+
+# these access vectors have no MLS restrictions
+# fd use
+
+
+
+
+#
+# MLS policy for the node class
+#
+
+# these access vectors have no MLS restrictions
+# node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
+
+
+
+
+#
+# MLS policy for the netif class
+#
+
+# these access vectors have no MLS restrictions
+# netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
+
+
+
+
+#
+# MLS policy for the process class
+#
+
+# new process labels must be dominated by the relabeling subject's clearance
+# and sensitivity level changes require privilege
+mlsconstrain process transition
+	(( h1 dom h2 ) and
+	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
+	  (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
+mlsconstrain process dyntransition
+	(( h1 dom h2 ) and
+	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
+
+# all the process "read" ops
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsprocread ));
+
+# all the process "write" ops (note the check is equality on the low level)
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsprocwrite ));
+
+# these access vectors have no MLS restrictions
+# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh}
+
+
+
+
+#
+# MLS policy for the security class
+#
+
+# these access vectors have no MLS restrictions
+# security *
+
+
+
+
+#
+# MLS policy for the system class
+#
+
+# these access vectors have no MLS restrictions
+# system *
+
+
+
+
+#
+# MLS policy for the capability class
+#
+
+# these access vectors have no MLS restrictions
+# capability *
+
+
+
+
+#
+# MLS policy for the passwd class
+#
+
+# these access vectors have no MLS restrictions
+# passwd *
+
+
+
+
+#
+# MLS policy for the drawable class
+#
+
+# the drawable "read" ops (implicit single level)
+mlsconstrain drawable { getattr copy }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the drawable "write" ops (implicit single level)
+mlsconstrain drawable { create destroy draw copy }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the gc class
+#
+
+# the gc "read" ops (implicit single level)
+mlsconstrain gc getattr
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the gc "write" ops (implicit single level)
+mlsconstrain gc { create free setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the window class
+#
+
+# the window "read" ops (implicit single level)
+mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the window "write" ops (implicit single level)
+mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+# these access vectors have no MLS restrictions
+# window { map unmap }
+
+
+
+
+#
+# MLS policy for the font class
+#
+
+# the font "read" ops (implicit single level)
+mlsconstrain font { load getattr }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the font "write" ops (implicit single level)
+mlsconstrain font free
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+# these access vectors have no MLS restrictions
+# font use
+
+
+
+
+#
+# MLS policy for the colormap class
+#
+
+# the colormap "read" ops (implicit single level)
+mlsconstrain colormap { list read getattr }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the colormap "write" ops (implicit single level)
+mlsconstrain colormap { create free install uninstall store setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the property class
+#
+
+# the property "read" ops (implicit single level)
+mlsconstrain property { read }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the property "write" ops (implicit single level)
+mlsconstrain property { create free write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the cursor class
+#
+
+# the cursor "write" ops (implicit single level)
+mlsconstrain cursor { create createglyph free assign setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the xclient class
+#
+
+# the xclient "write" ops (implicit single level)
+mlsconstrain xclient kill
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the xinput class
+#
+
+# the xinput "read" ops (implicit single level)
+mlsconstrain xinput { lookup getattr mousemotion }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the xinput "write" ops (implicit single level)
+mlsconstrain xinput { setattr setfocus warppointer activegrab passivegrab ungrab bell relabelinput }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the xserver class
+#
+
+# the xserver "read" ops (implicit single level)
+mlsconstrain xserver { gethostlist getfontpath getattr screensaver }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the xserver "write" ops (implicit single level)
+mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the xextension class
+#
+
+# the xextension "read" ops (implicit single level)
+mlsconstrain xextension query
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the xextension "write" ops (implicit single level)
+mlsconstrain xextension use
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the pax class
+#
+
+# these access vectors have no MLS restrictions
+# pax { pageexec emutramp mprotect randmmap randexec segmexec }
+
+
+
+
+#
+# MLS policy for the dbus class
+#
+
+# these access vectors have no MLS restrictions
+# dbus { acquire_svc send_msg }
+
+
+
+
+#
+# MLS policy for the nscd class
+#
+
+# these access vectors have no MLS restrictions
+# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
+
+
+
+
+#
+# MLS policy for the association class
+#
+
+# these access vectors have no MLS restrictions
+# association { sendto recvfrom }
+
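Review bot: `ptrace` and `share` appear in both the process "read" rule (`mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }`) and the process "write" rule two statements later, and the same repetition occurs for `copy` on drawable and `screensaver` on xserver; since every mlsconstrain on a permission must be satisfied, these bidirectional permissions are checked against both the dominance and the equality rule, but nothing in the file says this is intentional. Suggest a comment above the process write rule such as `# ptrace and share are bidirectional: they must pass both the read constraint above and this write constraint, so they are listed in both on purpose` and a matching one-liner at the drawable and xserver write rules. It would also help to document once, near the first file constraint, that `( t2 == mlstrustedobject )` exempts an object from every file-level MLS check for both read and write ops, so that attribute must be assigned only where cross-level sharing is intended.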
diff --git a/strict/net_contexts b/strict/net_contexts
new file mode 100644
index 0000000..acf0301
--- /dev/null
+++ b/strict/net_contexts
@@ -0,0 +1,262 @@
+# FLASK
+
+#
+# Security contexts for network entities
+# If no context is specified, then a default initial SID is used.
+#
+
+# Modified by Reino Wallin <reino at oribium.com>
+# Multi NIC, and IPSEC features
+
+# Modified by Russell Coker
+# ifdefs to encapsulate domains, and many additional port contexts
+
+#
+# Port numbers (default = initial SID "port")
+# 
+# protocol number context
+# protocol low-high context
+#
+ifdef(`inetd.te', `
+portcon tcp 7 system_u:object_r:inetd_child_port_t
+portcon udp 7 system_u:object_r:inetd_child_port_t
+portcon tcp 9 system_u:object_r:inetd_child_port_t
+portcon udp 9 system_u:object_r:inetd_child_port_t
+portcon tcp 13 system_u:object_r:inetd_child_port_t
+portcon udp 13 system_u:object_r:inetd_child_port_t
+portcon tcp 19 system_u:object_r:inetd_child_port_t
+portcon udp 19 system_u:object_r:inetd_child_port_t
+portcon tcp 37 system_u:object_r:inetd_child_port_t
+portcon udp 37 system_u:object_r:inetd_child_port_t
+portcon tcp 113 system_u:object_r:inetd_child_port_t
+portcon tcp 512 system_u:object_r:inetd_child_port_t
+portcon tcp 543 system_u:object_r:inetd_child_port_t
+portcon tcp 544 system_u:object_r:inetd_child_port_t
+portcon tcp 891 system_u:object_r:inetd_child_port_t
+portcon udp 891 system_u:object_r:inetd_child_port_t
+portcon tcp 892 system_u:object_r:inetd_child_port_t
+portcon udp 892 system_u:object_r:inetd_child_port_t
+portcon tcp 2105 system_u:object_r:inetd_child_port_t
+')
+ifdef(`ftpd.te', `
+portcon tcp 20 system_u:object_r:ftp_data_port_t
+portcon tcp 21 system_u:object_r:ftp_port_t
+')
+ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
+ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t')
+ifdef(`mta.te', `
+portcon tcp 25 system_u:object_r:smtp_port_t
+portcon tcp 465 system_u:object_r:smtp_port_t
+portcon tcp 587 system_u:object_r:smtp_port_t
+')
+ifdef(`use_dns', `
+portcon udp 53 system_u:object_r:dns_port_t
+portcon tcp 53 system_u:object_r:dns_port_t
+')
+ifdef(`use_dhcpd', `portcon udp 67  system_u:object_r:dhcpd_port_t')
+ifdef(`dhcpc.te', `portcon udp 68  system_u:object_r:dhcpc_port_t')
+ifdef(`tftpd.te', `portcon udp 69  system_u:object_r:tftp_port_t')
+ifdef(`fingerd.te', `portcon tcp 79  system_u:object_r:fingerd_port_t')
+ifdef(`apache.te', `
+portcon tcp 80  system_u:object_r:http_port_t
+portcon tcp 443  system_u:object_r:http_port_t
+')
+ifdef(`use_pop', `
+portcon tcp 106 system_u:object_r:pop_port_t
+portcon tcp 109 system_u:object_r:pop_port_t
+portcon tcp 110 system_u:object_r:pop_port_t
+')
+ifdef(`portmap.te', `
+portcon udp 111 system_u:object_r:portmap_port_t
+portcon tcp 111 system_u:object_r:portmap_port_t
+')
+ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t')
+ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
+ifdef(`samba.te', `
+portcon tcp 137 system_u:object_r:smbd_port_t
+portcon udp 137 system_u:object_r:nmbd_port_t
+portcon tcp 138 system_u:object_r:smbd_port_t
+portcon udp 138 system_u:object_r:nmbd_port_t
+portcon tcp 139 system_u:object_r:smbd_port_t
+portcon udp 139 system_u:object_r:nmbd_port_t
+portcon tcp 445 system_u:object_r:smbd_port_t
+')
+ifdef(`use_pop', `
+portcon tcp 143 system_u:object_r:pop_port_t
+portcon tcp 220 system_u:object_r:pop_port_t
+')
+ifdef(`snmpd.te', `
+portcon udp 161 system_u:object_r:snmp_port_t
+portcon udp 162 system_u:object_r:snmp_port_t
+portcon tcp 199 system_u:object_r:snmp_port_t
+')
+ifdef(`comsat.te', `
+portcon udp 512 system_u:object_r:comsat_port_t
+')
+ifdef(`slapd.te', `
+portcon tcp 389 system_u:object_r:ldap_port_t
+portcon udp 389 system_u:object_r:ldap_port_t
+portcon tcp 636 system_u:object_r:ldap_port_t
+portcon udp 636 system_u:object_r:ldap_port_t
+')
+ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogind_port_t')
+ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
+ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
+ifdef(`syslogd.te', `
+portcon udp 514 system_u:object_r:syslogd_port_t
+')
+ifdef(`ktalkd.te', `
+portcon udp 517 system_u:object_r:ktalkd_port_t
+portcon udp 518 system_u:object_r:ktalkd_port_t
+')
+ifdef(`cups.te', `
+portcon tcp 631 system_u:object_r:ipp_port_t
+portcon udp 631 system_u:object_r:ipp_port_t
+')
+portcon tcp 88 system_u:object_r:kerberos_port_t
+portcon udp 88 system_u:object_r:kerberos_port_t
+portcon tcp 464 system_u:object_r:kerberos_admin_port_t
+portcon udp 464 system_u:object_r:kerberos_admin_port_t
+portcon tcp 749 system_u:object_r:kerberos_admin_port_t
+portcon tcp 750 system_u:object_r:kerberos_port_t
+portcon udp 750 system_u:object_r:kerberos_port_t
+portcon tcp 4444 system_u:object_r:kerberos_master_port_t
+portcon udp 4444 system_u:object_r:kerberos_master_port_t
+ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
+ifdef(`rsync.te', `
+portcon tcp 873 system_u:object_r:rsync_port_t
+portcon udp 873 system_u:object_r:rsync_port_t
+')
+ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
+ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
+ifdef(`use_pop', `
+portcon tcp 993 system_u:object_r:pop_port_t
+portcon tcp 995 system_u:object_r:pop_port_t
+portcon tcp 1109 system_u:object_r:pop_port_t
+')
+ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t')
+ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t')
+ifdef(`radius.te', `
+portcon udp 1645 system_u:object_r:radius_port_t
+portcon udp 1646 system_u:object_r:radacct_port_t
+portcon udp 1812 system_u:object_r:radius_port_t
+portcon udp 1813 system_u:object_r:radacct_port_t
+')
+ifdef(`dbskkd.te', `portcon tcp 1178 system_u:object_r:dbskkd_port_t')
+ifdef(`gatekeeper.te', `
+portcon udp 1718 system_u:object_r:gatekeeper_port_t
+portcon udp 1719 system_u:object_r:gatekeeper_port_t
+portcon tcp 1721 system_u:object_r:gatekeeper_port_t
+portcon tcp 7000 system_u:object_r:gatekeeper_port_t
+')
+ifdef(`asterisk.te', `
+portcon tcp 1720 system_u:object_r:asterisk_port_t
+portcon udp 2427 system_u:object_r:asterisk_port_t
+portcon udp 2727 system_u:object_r:asterisk_port_t
+portcon udp 4569 system_u:object_r:asterisk_port_t
+portcon udp 5060 system_u:object_r:asterisk_port_t
+')
+portcon tcp 2000 system_u:object_r:mail_port_t
+ifdef(`zebra.te', `portcon tcp 2601 system_u:object_r:zebra_port_t')
+ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t')
+ifdef(`mysqld.te', `portcon tcp 3306 system_u:object_r:mysqld_port_t')
+ifdef(`distcc.te', `portcon tcp 3632 system_u:object_r:distccd_port_t')
+ifdef(`use_pxe', `portcon udp 4011 system_u:object_r:pxe_port_t')
+ifdef(`openvpn.te', `portcon udp 5000 system_u:object_r:openvpn_port_t')
+ifdef(`imazesrv.te',`
+portcon tcp 5323 system_u:object_r:imaze_port_t
+portcon udp 5323 system_u:object_r:imaze_port_t
+')
+ifdef(`howl.te', `
+portcon tcp 5335 system_u:object_r:howl_port_t
+portcon udp 5353 system_u:object_r:howl_port_t
+')
+ifdef(`jabberd.te', `
+portcon tcp 5222 system_u:object_r:jabber_client_port_t
+portcon tcp 5223 system_u:object_r:jabber_client_port_t
+portcon tcp 5269 system_u:object_r:jabber_interserver_port_t
+')
+ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
+ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t')
+ifdef(`xdm.te', `
+portcon tcp 5900  system_u:object_r:vnc_port_t 
+')
+ifdef(`use_x_ports', `
+portcon tcp 6000  system_u:object_r:xserver_port_t
+portcon tcp 6001  system_u:object_r:xserver_port_t
+portcon tcp 6002  system_u:object_r:xserver_port_t
+portcon tcp 6003  system_u:object_r:xserver_port_t
+portcon tcp 6004  system_u:object_r:xserver_port_t
+portcon tcp 6005  system_u:object_r:xserver_port_t
+portcon tcp 6006  system_u:object_r:xserver_port_t
+portcon tcp 6007  system_u:object_r:xserver_port_t
+portcon tcp 6008  system_u:object_r:xserver_port_t
+portcon tcp 6009  system_u:object_r:xserver_port_t
+portcon tcp 6010  system_u:object_r:xserver_port_t
+portcon tcp 6011  system_u:object_r:xserver_port_t
+portcon tcp 6012  system_u:object_r:xserver_port_t
+portcon tcp 6013  system_u:object_r:xserver_port_t
+portcon tcp 6014  system_u:object_r:xserver_port_t
+portcon tcp 6015  system_u:object_r:xserver_port_t
+portcon tcp 6016  system_u:object_r:xserver_port_t
+portcon tcp 6017  system_u:object_r:xserver_port_t
+portcon tcp 6018  system_u:object_r:xserver_port_t
+portcon tcp 6019  system_u:object_r:xserver_port_t
+')
+ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t')
+ifdef(`ciped.te', `portcon udp 7007 system_u:object_r:cipe_port_t')
+ifdef(`sound-server.te', `
+portcon tcp 8000 system_u:object_r:soundd_port_t
+# 9433 is for YIFF
+portcon tcp 9433 system_u:object_r:soundd_port_t
+')
+ifdef(`use_http_cache', `
+portcon tcp 3128  system_u:object_r:http_cache_port_t
+portcon tcp 8080  system_u:object_r:http_cache_port_t
+portcon udp 3130  system_u:object_r:http_cache_port_t
+')
+ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
+ifdef(`amanda.te', `
+portcon udp 10080 system_u:object_r:amanda_port_t
+portcon tcp 10080 system_u:object_r:amanda_port_t
+portcon udp 10081 system_u:object_r:amanda_port_t
+portcon tcp 10081 system_u:object_r:amanda_port_t
+portcon tcp 10082 system_u:object_r:amanda_port_t
+portcon tcp 10083 system_u:object_r:amanda_port_t
+')
+ifdef(`postgrey.te', `portcon tcp 60000 system_u:object_r:postgrey_port_t')
+
+# Defaults for reserved ports.  Earlier portcon entries take precedence;
+# these entries just cover any remaining reserved ports not otherwise 
+# declared or omitted due to removal of a domain.
+portcon tcp 1-1023 system_u:object_r:reserved_port_t
+portcon udp 1-1023 system_u:object_r:reserved_port_t
+
+# Network interfaces (default = initial SID "netif" and "netmsg")
+#
+# interface netif_context default_msg_context
+#
+netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
+netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
+netifcon eth1 system_u:object_r:netif_eth1_t system_u:object_r:unlabeled_t
+netifcon eth2 system_u:object_r:netif_eth2_t system_u:object_r:unlabeled_t
+netifcon ippp0 system_u:object_r:netif_ippp0_t system_u:object_r:unlabeled_t
+netifcon ipsec0 system_u:object_r:netif_ipsec0_t system_u:object_r:unlabeled_t
+netifcon ipsec1 system_u:object_r:netif_ipsec1_t system_u:object_r:unlabeled_t
+netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t
+
+# Nodes (default = initial SID "node")
+#
+# address mask context
+#
+nodecon 127.0.0.1	  255.255.255.255			   system_u:object_r:node_lo_t
+nodecon 0.0.0.0		  255.255.255.255			   system_u:object_r:node_inaddr_any_t
+nodecon ::		  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  system_u:object_r:node_unspec_t
+nodecon ::1		  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  system_u:object_r:node_lo_t
+nodecon ff00::		  ff00::				   system_u:object_r:node_multicast_t
+nodecon fe80::		  ffff:ffff:ffff:ffff::			   system_u:object_r:node_link_local_t
+nodecon fec0::		  ffc0::				   system_u:object_r:node_site_local_t
+nodecon ::		  ffff:ffff:ffff:ffff:ffff:ffff::	   system_u:object_r:node_compat_ipv4_t
+nodecon ::ffff:0000:0000  ffff:ffff:ffff:ffff:ffff:ffff::	   system_u:object_r:node_mapped_ipv4_t
+
+# FLASK
diff --git a/strict/rbac b/strict/rbac
new file mode 100644
index 0000000..708f70d
--- /dev/null
+++ b/strict/rbac
@@ -0,0 +1,33 @@
+################################################
+#
+# Role-based access control (RBAC) configuration.
+#
+
+# The RBAC configuration was originally centralized in this
+# file, but has been decomposed into individual role declarations, 
+# role allow rules, and role transition rules throughout the TE 
+# configuration to support easy removal or adding of domains without 
+# modifying a centralized file each time. This also allowed the macros 
+# to properly instantiate role declarations and rules for domains.
+# Hence, this file is largely unused, except for miscellaneous 
+# role allow rules.
+
+########################################
+#
+# Role allow rules.
+#
+# A role allow rule specifies the allowable
+# transitions between roles on an execve.
+# If no rule is specified, then the change in
+# roles will not be permitted.  Additional
+# controls over role transitions based on the
+# type of the process may be specified through
+# the constraints file.
+#
+# The syntax of a role allow rule is:
+# 	allow current_role new_role ;
+# 
+# Allow the admin role to transition to the system
+# role for run_init.
+#
+allow sysadm_r system_r;
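Review bot: `allow sysadm_r system_r;` is unconditional even though the comment above it says the transition exists for run_init, so the role change stays permitted in builds that leave run_init out. The net_contexts entries in this same commit wrap optional pieces in `ifdef(`<domain>.te', ...)`, and the same pattern would fit here if run_init is optional; if the transition is wanted regardless, the comment should say so instead, e.g. `# Allow sysadm_r to transition to system_r (needed by run_init; kept unconditional on purpose).` As the file notes, the type-based limit on this transition lives in the constraints file, so anyone assessing the reach of this rule has to read both.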
diff --git a/strict/tunables/distro.tun b/strict/tunables/distro.tun
new file mode 100644
index 0000000..00b6eca
--- /dev/null
+++ b/strict/tunables/distro.tun
@@ -0,0 +1,14 @@
+# Distro-specific customizations.
+
+# Comment out all but the one that matches your distro.
+# The policy .te files can then wrap distro-specific customizations with
+# appropriate ifdefs.
+
+
+define(`distro_redhat')
+
+dnl define(`distro_suse')
+
+dnl define(`distro_gentoo')
+
+dnl define(`distro_debian')
diff --git a/strict/tunables/tunable.tun b/strict/tunables/tunable.tun
new file mode 100644
index 0000000..bd8b797
--- /dev/null
+++ b/strict/tunables/tunable.tun
@@ -0,0 +1,31 @@
+# Allow users to execute the mount command
+define(`user_can_mount')
+
+# Allow rpm to run unconfined.
+#define(`unlimitedRPM')
+
+# Allow privileged utilities like hotplug and insmod to run unconfined.
+#define(`unlimitedUtils')
+
+# Allow rc scripts to run unconfined, including any daemon
+# started by an rc script that does not have a domain transition
+# explicitly defined.
+#define(`unlimitedRC')
+
+# Allow sysadm_t to directly start daemons
+define(`direct_sysadm_daemon')
+
+# Do not audit things that we know to be broken but which
+# are not security risks
+define(`hide_broken_symptoms')
+
+# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
+# Otherwise, only staff_r can do so.
+define(`user_canbe_sysadm')
+
+# Allow xinetd to run unconfined, including any services it starts
+# that do not have a domain transition explicitly defined.
+dnl define(`unlimitedInetd')
+
+# for ndc_t to be used for restart shell scripts
+dnl define(`ndc_shell_script')
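Review bot: Disabled tunables are commented out two different ways in this hunk, `#define(`unlimitedRPM')` near the top versus `dnl define(`unlimitedInetd')` at the bottom, which reads as if the two forms meant different things. In m4 a `#` comment is copied to the output unexpanded and only dropped later as a policy comment, whereas `dnl` discards the rest of the line at macro time; the result is the same here, but using `dnl` throughout (as distro.tun does) makes the intent unambiguous. `user_canbe_sysadm` is also enabled while its own comment describes the stricter staff_r-only alternative; a one-line note that this is the deliberately permissive default would help whoever audits the role-escalation paths.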
diff --git a/strict/types/device.te b/strict/types/device.te
new file mode 100644
index 0000000..35836e2
--- /dev/null
+++ b/strict/types/device.te
@@ -0,0 +1,156 @@
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#
+
+############################################
+#
+# Device types
+#
+
+#
+# device_t is the type of /dev.
+#
+type device_t, file_type, dev_fs;
+
+#
+# null_device_t is the type of /dev/null.
+#
+type null_device_t, device_type, dev_fs, mlstrustedobject;
+
+#
+# zero_device_t is the type of /dev/zero.
+#
+type zero_device_t, device_type, dev_fs, mlstrustedobject;
+
+#
+# console_device_t is the type of /dev/console.
+#
+type console_device_t, device_type, dev_fs;
+
+#
+# xconsole_device_t is the type of /dev/xconsole
+type xconsole_device_t, file_type, dev_fs;
+
+#
+# memory_device_t is the type of /dev/kmem,
+# /dev/mem, and /dev/port.
+#
+type memory_device_t, device_type, dev_fs;
+
+#
+# random_device_t is the type of /dev/random
+# urandom_device_t is the type of /dev/urandom
+#
+type random_device_t, device_type, dev_fs;
+type urandom_device_t, device_type, dev_fs;
+
+#
+# devtty_t is the type of /dev/tty.
+#
+type devtty_t, device_type, dev_fs, mlstrustedobject;
+
+#
+# tty_device_t is the type of /dev/*tty*
+#
+type tty_device_t, serial_device, device_type, dev_fs;
+
+#
+# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
+type bsdpty_device_t, device_type, dev_fs;
+
+#
+# usbtty_device_t is the type of /dev/usr/tty*
+#
+type usbtty_device_t, serial_device, device_type, dev_fs;
+
+#
+# printer_device_t is the type for printer devices
+#
+type printer_device_t, device_type, dev_fs;
+
+#
+# fixed_disk_device_t is the type of 
+# /dev/hd* and /dev/sd*.
+#
+type fixed_disk_device_t, device_type, dev_fs;
+
+#
+# scsi_generic_device_t is the type of /dev/sg*
+# it gives access to ALL SCSI devices (both fixed and removable)
+#
+type scsi_generic_device_t, device_type, dev_fs;
+
+#
+# removable_device_t is the type of
+# /dev/scd* and /dev/fd*.
+#
+type removable_device_t, device_type, dev_fs;
+
+#
+# clock_device_t is the type of
+# /dev/rtc.
+#
+type clock_device_t, device_type, dev_fs;
+
+#
+# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
+#
+type tun_tap_device_t, device_type, dev_fs;
+
+#
+# misc_device_t is the type of miscellaneous devices.
+# XXX:  FIXME!  Appropriate access to these devices need to be identified.
+#
+type misc_device_t, device_type, dev_fs;
+
+#
+# A more general type for mouse devices.
+#
+type mouse_device_t, device_type, dev_fs;
+
+#
+# For generic /dev/input/event* event devices
+#
+type event_device_t, device_type, dev_fs;
+
+#
+# Not sure what these devices are for, but X wants access to them.
+#
+type agp_device_t, device_type, dev_fs;
+type dri_device_t, device_type, dev_fs;
+
+# Type for sound devices.
+type sound_device_t, device_type, dev_fs;
+
+# Type for /dev/ppp.
+type ppp_device_t, device_type, dev_fs;
+
+# Type for frame buffer /dev/fb/*
+type framebuf_device_t, device_type, dev_fs;
+
+# Type for /dev/.devfsd
+type devfs_control_t, device_type, dev_fs;
+
+# Type for /dev/cpu/mtrr
+type mtrr_device_t, device_type, dev_fs;
+
+# Type for /dev/pmu 
+type power_device_t, device_type, dev_fs;
+
+# Type for /dev/apm_bios
+type apm_bios_t, device_type, dev_fs;
+
+# Type for v4l
+type v4l_device_t, device_type, dev_fs;
+
+# tape drives
+type tape_device_t, device_type, dev_fs;
+
+# scanners
+type scanner_device_t, device_type, dev_fs;
+
+# cpu control devices /dev/cpu/0/*
+type cpu_device_t, device_type, dev_fs;
+
+# for other device nodes such as the NVidia binary-only driver
+type xserver_misc_device_t, device_type, dev_fs;
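Review bot: `type xconsole_device_t, file_type, dev_fs;` is the only /dev node type in this file declared with `file_type` rather than `device_type`, so it will not be covered by rules written against the `device_type` attribute. If that is deliberate, the comment should say so, e.g. `# xconsole_device_t is the type of /dev/xconsole (file_type on purpose, not device_type: <reason>)`; otherwise it looks like a copy-paste slip next to the `device_type` declarations around it. The `XXX: FIXME!` on `misc_device_t` also leaves a catch-all device type with undetermined access in the initial commit; a note listing which nodes it is expected to absorb would make that debt trackable.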
diff --git a/strict/types/devpts.te b/strict/types/devpts.te
new file mode 100644
index 0000000..b50cd55
--- /dev/null
+++ b/strict/types/devpts.te
@@ -0,0 +1,21 @@
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#
+
+############################################
+#
+# Devpts types
+#
+
+#
+# ptmx_t is the type for /dev/ptmx.
+#
+type ptmx_t, sysadmfile, device_type, dev_fs;
+
+#
+# devpts_t is the type of the devpts file system and 
+# the type of the root directory of the file system.
+#
+type devpts_t, fs_type;
+
+
diff --git a/strict/types/file.te b/strict/types/file.te
new file mode 100644
index 0000000..0df034a
--- /dev/null
+++ b/strict/types/file.te
@@ -0,0 +1,321 @@
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#
+
+#######################################
+#
+# General file-related types
+#
+
+#
+# unlabeled_t is the type of unlabeled objects.
+# Objects that have no known labeling information or that
+# have labels that are no longer valid are treated as having this type.
+#
+type unlabeled_t, sysadmfile;
+
+#
+# fs_t is the default type for conventional filesystems.
+#
+type fs_t, fs_type;
+
+# needs more work
+type eventpollfs_t, fs_type;
+type futexfs_t, fs_type;
+type bdev_t, fs_type;
+type usbfs_t, fs_type;
+type nfsd_fs_t, fs_type;
+type rpc_pipefs_t, fs_type;
+type binfmt_misc_fs_t, fs_type;
+
+#
+# file_t is the default type of a file that has not yet been
+# assigned an extended attribute (EA) value (when using a filesystem
+# that supports EAs).
+#
+type file_t, file_type, sysadmfile;
+
+# default_t is the default type for files that do not
+# match any specification in the file_contexts configuration
+# other than the generic /.* specification.
+type default_t, file_type, sysadmfile;
+
+#
+# root_t is the type for the root directory.
+#
+type root_t, file_type, sysadmfile;
+
+#
+# mnt_t is the type for mount points such as /mnt/cdrom
+type mnt_t, file_type, sysadmfile;
+
+#
+# home_root_t is the type for the directory where user home directories
+# are created
+#
+type home_root_t, file_type, sysadmfile;
+
+#
+# lost_found_t is the type for the lost+found directories.
+#
+type lost_found_t, file_type, sysadmfile;
+
+#
+# boot_t is the type for files in /boot,
+# including the kernel.
+#
+type boot_t, file_type, sysadmfile;
+# system_map_t is for the system.map files in /boot
+type system_map_t, file_type, sysadmfile;
+
+#
+# boot_runtime_t is the type for /boot/kernel.h,
+# which is automatically generated at boot time.
+# only for red hat
+type boot_runtime_t, file_type, sysadmfile;
+
+#
+# tmp_t is the type of /tmp and /var/tmp.
+#
+type tmp_t, file_type, sysadmfile, tmpfile;
+
+#
+# etc_t is the type of the system etc directories.
+#
+type etc_t, file_type, sysadmfile;
+
+#
+# shadow_t is the type of the /etc/shadow file
+#
+type shadow_t, file_type, secure_file_type;
+allow auth shadow_t:file { getattr read };
+
+#
+# ld_so_cache_t is the type of /etc/ld.so.cache.
+#
+type ld_so_cache_t, file_type, sysadmfile;
+
+#
+# etc_runtime_t is the type of various
+# files in /etc that are automatically
+# generated during initialization.
+#
+type etc_runtime_t, file_type, sysadmfile;
+
+#
+# fonts_runtime_t is the type of various
+# fonts files in /usr that are automatically
+# generated during initialization.
+#
+type fonts_t, file_type, sysadmfile, usercanread;
+
+#
+# etc_aliases_t is the type of the aliases database.
+#
+type etc_aliases_t, file_type, sysadmfile;
+
+# net_conf_t is the type of the /etc/resolv.conf file.
+# all DHCP clients and PPP need write access to this file.
+type net_conf_t, file_type, sysadmfile;
+
+#
+# lib_t is the type of files in the system lib directories.
+#
+type lib_t, file_type, sysadmfile;
+
+#
+# shlib_t is the type of shared objects in the system lib
+# directories.
+#
+ifdef(`targeted_policy', `
+typealias lib_t alias shlib_t;
+', `
+type shlib_t, file_type, sysadmfile;
+')
+
+#
+# texrel_shlib_t is the type of shared objects in the system lib
+# directories, which require text relocation.
+#
+type texrel_shlib_t, file_type, sysadmfile;
+
+# ld_so_t is the type of the system dynamic loaders.
+#
+type ld_so_t, file_type, sysadmfile;
+
+#
+# bin_t is the type of files in the system bin directories.
+#
+type bin_t, file_type, sysadmfile;
+
+#
+# cert_t is the type of files in the system certs directories.
+#
+type cert_t, file_type, sysadmfile, secure_file_type;
+
+#
+# ls_exec_t is the type of the ls program.
+#
+type ls_exec_t, file_type, exec_type, sysadmfile;
+
+#
+# shell_exec_t is the type of user shells such as /bin/bash.
+#
+type shell_exec_t, file_type, exec_type, sysadmfile;
+
+#
+# sbin_t is the type of files in the system sbin directories.
+#
+type sbin_t, file_type, sysadmfile;
+
+#
+# usr_t is the type for /usr.
+#
+type usr_t, file_type, sysadmfile;
+
+#
+# src_t is the type of files in the system src directories.
+#
+type src_t, file_type, sysadmfile;
+
+#
+# var_t is the type for /var.
+#
+type var_t, file_type,  sysadmfile;
+
+#
+# Types for subdirectories of /var.
+#
+type var_run_t, file_type, sysadmfile;
+type var_log_t, file_type, sysadmfile, logfile;
+type faillog_t, file_type, sysadmfile, logfile;
+type var_lock_t, file_type, sysadmfile, lockfile;
+type var_lib_t, file_type, sysadmfile;
+# for /var/{spool,lib}/texmf index files
+type tetex_data_t, file_type, sysadmfile, tmpfile;
+type var_spool_t, file_type, sysadmfile, tmpfile;
+type var_yp_t, file_type, sysadmfile;
+
+# Type for /var/log/ksyms.
+type var_log_ksyms_t, file_type, sysadmfile, logfile;
+
+# Type for /var/log/lastlog.
+type lastlog_t, file_type, sysadmfile, logfile;
+
+# Type for /var/lib/nfs.
+type var_lib_nfs_t, file_type, sysadmfile, usercanread;
+
+#
+# wtmp_t is the type of /var/log/wtmp.
+#
+type wtmp_t, file_type, sysadmfile, logfile;
+
+#
+# catman_t is the type for /var/catman.
+#
+type catman_t, file_type, sysadmfile, tmpfile;
+
+#
+# cron_spool_t is the type for /var/spool/cron.
+#
+type cron_spool_t, file_type, sysadmfile;
+
+#
+# print_spool_t is the type for /var/spool/lpd and /var/spool/cups.
+#
+type print_spool_t, file_type, sysadmfile, tmpfile;
+
+#
+# mail_spool_t is the type for /var/spool/mail.
+#
+type mail_spool_t, file_type, sysadmfile;
+
+#
+# mqueue_spool_t is the type for /var/spool/mqueue.
+#
+type mqueue_spool_t, file_type, sysadmfile;
+
+#
+# man_t is the type for the man directories.
+#
+type man_t, file_type, sysadmfile;
+
+#
+# readable_t is a general type for
+# files that are readable by all domains.
+#
+type readable_t, file_type, sysadmfile;
+
+# 
+# Base type for the tests directory.
+# 
+type test_file_t, file_type, sysadmfile;
+
+#
+# poly_t is the type for the polyinstantiated directories.
+#
+type poly_t, file_type, sysadmfile;
+
+#
+# swapfile_t is for swap files
+#
+type swapfile_t, file_type, sysadmfile;
+
+#
+# locale_t is the type for system localization
+# 
+type locale_t, file_type, sysadmfile;
+
+#
+# Allow each file type to be associated with 
+# the default file system type.
+#
+allow { file_type device_type ttyfile } fs_t:filesystem associate;
+ifdef(`distro_redhat', `
+allow { dev_fs ttyfile } tmpfs_t:filesystem associate;
+')
+
+# Allow the pty to be associated with the file system.
+allow devpts_t self:filesystem associate;
+
+type tmpfs_t, file_type, sysadmfile, fs_type;
+allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
+
+type autofs_t, fs_type, noexattrfile, sysadmfile;
+allow autofs_t self:filesystem associate;
+
+type usbdevfs_t, fs_type, noexattrfile, sysadmfile;
+allow usbdevfs_t self:filesystem associate;
+
+type sysfs_t, fs_type,  sysadmfile;
+allow sysfs_t self:filesystem associate;
+
+type iso9660_t, fs_type, noexattrfile, sysadmfile;
+allow iso9660_t self:filesystem associate;
+
+type romfs_t, fs_type, sysadmfile;
+allow romfs_t self:filesystem associate;
+
+type ramfs_t, fs_type, sysadmfile;
+allow ramfs_t self:filesystem associate;
+
+type dosfs_t, fs_type, noexattrfile, sysadmfile;
+allow dosfs_t self:filesystem associate;
+
+# udev_runtime_t is the type of the udev table file
+type udev_runtime_t, file_type, sysadmfile;
+
+# krb5_conf_t is the type of the /etc/krb5.conf file
+type krb5_conf_t, file_type, sysadmfile;
+
+type cifs_t, fs_type, noexattrfile, sysadmfile;
+allow cifs_t self:filesystem associate;
+typealias cifs_t alias sambafs_t;
+
+# removable_t is the default type of all removable media
+type removable_t, file_type, sysadmfile, usercanread;
+allow removable_t self:filesystem associate;
+allow file_type removable_t:filesystem associate;
+allow file_type noexattrfile:filesystem associate;
+
+
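Review bot: The comment above `type fonts_t, file_type, sysadmfile, usercanread;` describes a type named `fonts_runtime_t` that is "automatically generated during initialization", but the declared type is `fonts_t`, so the name and the description do not match. Either the comment is stale or a runtime-generated type was intended; suggest `# fonts_t is the type of the font files in /usr.` if the former, with the paths adjusted to what the file contexts actually label. Separately, `allow auth shadow_t:file { getattr read };` is the one access rule sitting among the type declarations in the first half of the file; since shadow_t is the most sensitive type declared here, a short comment on why the rule lives in the types file rather than with the auth domains would help a reviewer find and reason about it.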
diff --git a/strict/types/network.te b/strict/types/network.te
new file mode 100644
index 0000000..39666ee
--- /dev/null
+++ b/strict/types/network.te
@@ -0,0 +1,122 @@
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#
+
+# Modified by Reino Wallin <reino at oribium.com>
+# Multi NIC, and IPSEC features
+
+# Modified by Russell Coker
+# Move port types to their respective domains, add ifdefs, other cleanups.
+
+# generally we do not want to define port types in this file, but some things
+# are insanely difficult to do elsewhere, xserver_port_t is a good example
+# getting the type defined is the easy part for X, conditional code for many
+# other domains (including one that starts with a) is the hard part.
+ifdef(`xdm.te', `define(`use_x_ports')')
+ifdef(`startx.te', `define(`use_x_ports')')
+ifdef(`xauth.te', `define(`use_x_ports')')
+ifdef(`xserver.te', `define(`use_x_ports')')
+ifdef(`use_x_ports', `
+type xserver_port_t, port_type;
+')
+#
+# Defines used by the te files need to be defined outside of net_constraints
+#
+ifdef(`named.te', `define(`use_dns')')
+ifdef(`nsd.te', `define(`use_dns')')
+ifdef(`tinydns.te', `define(`use_dns')')
+ifdef(`dnsmasq.te', `define(`use_dns')')
+ifdef(`use_dns', `
+type dns_port_t, port_type;
+')
+
+ifdef(`dhcpd.te', `define(`use_dhcpd')')
+ifdef(`dnsmasq.te', `define(`use_dhcpd')')
+ifdef(`use_dhcpd', `
+type dhcpd_port_t, port_type;
+')
+
+ifdef(`cyrus.te', `define(`use_pop')')
+ifdef(`courier.te', `define(`use_pop')')
+ifdef(`perdition.te', `define(`use_pop')')
+ifdef(`dovecot.te', `define(`use_pop')')
+ifdef(`uwimapd.te', `define(`use_pop')')
+ifdef(`use_pop', `
+type pop_port_t, port_type, reserved_port_type;
+')
+ifdef(`apache.te', `define(`use_http_cache')')
+ifdef(`squid.te', `define(`use_http_cache')')
+ifdef(`use_http_cache', `
+type http_cache_port_t, port_type;
+')
+
+ifdef(`dhcpd.te', `define(`use_pxe')')
+ifdef(`pxe.te', `define(`use_pxe')')
+
+############################################
+#
+# Network types
+#
+
+#
+# mail_port_t is for generic mail ports shared by different mail servers
+#
+type mail_port_t, port_type;
+
+#
+# Ports used to communicate with kerberos server
+#
+type kerberos_port_t, port_type, reserved_port_type;
+type kerberos_admin_port_t, port_type, reserved_port_type;
+type kerberos_master_port_t, port_type;
+
+#
+# port_t is the default type of INET port numbers.
+# The *_port_t types are used for specific port
+# numbers in net_contexts or net_contexts.mls.
+#
+type port_t, port_type;
+
+# reserved_port_t is the default type for INET reserved ports
+# that are not otherwise mapped to a specific port type.
+type reserved_port_t, port_type;
+
+#
+# netif_t is the default type of network interfaces.
+# The netif_*_t types are used for specific network
+# interfaces in net_contexts or net_contexts.mls.
+#
+type netif_t, netif_type;
+type netif_eth0_t, netif_type;
+type netif_eth1_t, netif_type;
+type netif_eth2_t, netif_type;
+type netif_lo_t, netif_type;
+type netif_ippp0_t, netif_type;
+
+type netif_ipsec0_t, netif_type;
+type netif_ipsec1_t, netif_type;
+type netif_ipsec2_t, netif_type;
+
+#
+# node_t is the default type of network nodes.
+# The node_*_t types are used for specific network
+# nodes in net_contexts or net_contexts.mls.
+#
+type node_t, node_type;
+type node_lo_t, node_type;
+type node_internal_t, node_type;
+type node_inaddr_any_t, node_type;
+type node_unspec_t, node_type;
+type node_link_local_t, node_type;
+type node_site_local_t, node_type;
+type node_multicast_t, node_type;
+type node_mapped_ipv4_t, node_type;
+type node_compat_ipv4_t, node_type;
+
+# Kernel-generated traffic, e.g. ICMP replies.
+allow kernel_t netif_type:netif { rawip_send rawip_recv };
+allow kernel_t node_type:node { rawip_send rawip_recv };
+
+# Kernel-generated traffic, e.g. TCP resets.
+allow kernel_t netif_type:netif { tcp_send tcp_recv };
+allow kernel_t node_type:node { tcp_send tcp_recv };
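Review bot: `type pop_port_t, port_type, reserved_port_type;` marks the POP ports as reserved, but net_contexts in the same commit also assigns `portcon tcp 1109 system_u:object_r:pop_port_t`, which lies above the 1-1023 range that the reserved_port_t defaults cover; any rule keyed on `reserved_port_type` will therefore also apply to an unprivileged port. Either drop 1109 from pop_port_t or document why it is treated as reserved. `node_internal_t` is declared but none of the nodecon entries visible in net_contexts use it; if it is meant to be assigned by administrators, a comment saying so would keep it from looking like dead code.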
diff --git a/strict/types/nfs.te b/strict/types/nfs.te
new file mode 100644
index 0000000..154a65b
--- /dev/null
+++ b/strict/types/nfs.te
@@ -0,0 +1,22 @@
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#
+
+#############################################
+#
+# NFS types
+#
+
+#
+# nfs_t is the default type for NFS file systems 
+# and their files.  
+# The nfs_*_t types are used for specific NFS
+# servers in net_contexts or net_contexts.mls.
+#
+type nfs_t, fs_type;
+
+#
+# Allow NFS files to be associated with an NFS file system.
+#
+allow nfs_t self:filesystem associate;
+allow file_type nfs_t:filesystem associate;
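Review bot: The header comment says "The nfs_*_t types are used for specific NFS servers in net_contexts or net_contexts.mls", but the hunk declares only `nfs_t`, so the sentence describes types that do not exist in this commit. Suggest dropping it, or, if per-server types are planned, keeping it as `# (per-server nfs_*_t types are not yet defined)` so a reader does not go looking for them.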
diff --git a/strict/types/procfs.te b/strict/types/procfs.te
new file mode 100644
index 0000000..0cab0fa
--- /dev/null
+++ b/strict/types/procfs.te
@@ -0,0 +1,50 @@
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#
+
+############################################
+#
+# Procfs types
+#
+
+#
+# proc_t is the type of /proc.
+# proc_kmsg_t is the type of /proc/kmsg.
+# proc_kcore_t is the type of /proc/kcore.
+# proc_mdstat_t is the type of /proc/mdstat.
+# proc_net_t is the type of /proc/net.
+#
+type proc_t, fs_type, proc_fs;
+type proc_kmsg_t, proc_fs;
+type proc_kcore_t, proc_fs;
+type proc_mdstat_t, proc_fs;
+type proc_net_t, proc_fs;
+
+#
+# sysctl_t is the type of /proc/sys.
+# sysctl_fs_t is the type of /proc/sys/fs.
+# sysctl_kernel_t is the type of /proc/sys/kernel.
+# sysctl_modprobe_t is the type of /proc/sys/kernel/modprobe.
+# sysctl_hotplug_t is the type of /proc/sys/kernel/hotplug.
+# sysctl_net_t is the type of /proc/sys/net.
+# sysctl_net_unix_t is the type of /proc/sys/net/unix.
+# sysctl_vm_t is the type of /proc/sys/vm.
+# sysctl_dev_t is the type of /proc/sys/dev.
+# sysctl_rpc_t is the type of /proc/net/rpc.
+#
+# These types are applied to both the entries in
+# /proc/sys and the corresponding sysctl parameters.
+#
+type sysctl_t, sysctl_type;
+type sysctl_fs_t, sysctl_type;
+type sysctl_kernel_t, sysctl_type;
+type sysctl_modprobe_t, sysctl_type;
+type sysctl_hotplug_t, sysctl_type;
+type sysctl_net_t, sysctl_type;
+type sysctl_net_unix_t, sysctl_type;
+type sysctl_vm_t, sysctl_type;
+type sysctl_dev_t, sysctl_type;
+type sysctl_rpc_t, sysctl_type;
+type sysctl_irq_t, sysctl_type;
+
+
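Review bot: The comment block that enumerates the sysctl types omits `sysctl_irq_t`, which is declared last in the list (`type sysctl_irq_t, sysctl_type;`), so a reader cannot tell which entry it labels. Add a matching line such as `# sysctl_irq_t is the type of <path it labels>.` to the block. The summary sentence "These types are applied to both the entries in /proc/sys and the corresponding sysctl parameters" is also slightly off, since `sysctl_rpc_t` is documented as /proc/net/rpc, which is outside /proc/sys.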
diff --git a/strict/types/security.te b/strict/types/security.te
new file mode 100644
index 0000000..7bfd0bc
--- /dev/null
+++ b/strict/types/security.te
@@ -0,0 +1,54 @@
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#
+
+############################################
+#
+# Security types
+#
+
+# 
+# security_t is the target type when checking
+# the permissions in the security class.  It is also
+# applied to selinuxfs inodes.
+#
+type security_t, fs_type;
+
+#
+# policy_config_t is the type of /etc/security/selinux/*
+# the security server policy configuration.
+#
+type policy_config_t, file_type;
+
+#
+# policy_src_t is the type of the policy source
+# files.
+#
+type policy_src_t, file_type, sysadmfile;
+
+
+#
+# default_context_t is the type applied to 
+# /etc/selinux/*/contexts/*
+#
+type default_context_t, file_type, sysadmfile, login_contexts;
+
+#
+# file_context_t is the type applied to 
+# /etc/selinux/*/contexts/files
+#
+type file_context_t, file_type, sysadmfile;
+
+#
+# no_access_t is the type for objects that should
+# only be accessed administratively. 
+#
+type no_access_t, file_type, sysadmfile;
+
+#
+# selinux_config_t is the type applied to 
+# /etc/selinux/config
+#
+type selinux_config_t, file_type, sysadmfile;
+
+
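Review bot: `policy_config_t` is documented as `/etc/security/selinux/*` while every other path in this hunk (`default_context_t`, `file_context_t`, `selinux_config_t`) is under `/etc/selinux/`, which suggests the comment predates the move of the policy store and is stale; confirm the real path and update the comment. `policy_config_t` is also the only type here declared without `sysadmfile`; if that is deliberate, to keep the loaded policy files out of the generic sysadm file rules, a comment such as `# intentionally not sysadmfile: access is granted explicitly` would stop a later cleanup from "fixing" it.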
diff --git a/strict/types/x.te b/strict/types/x.te
new file mode 100644
index 0000000..0cee314
--- /dev/null
+++ b/strict/types/x.te
@@ -0,0 +1,32 @@
+#
+# Authors:  Eamon Walsh <ewalsh at epoch.ncsc.mil>
+#
+
+#######################################
+#
+# Types for the SELinux-enabled X Window System
+#
+
+#
+# X protocol extension types.  The SELinux extension in the X server
+# has a hardcoded table that maps actual extension names to these types.
+#
+type accelgraphics_ext_t, xextension;
+type debug_ext_t, xextension;
+type font_ext_t, xextension;
+type input_ext_t, xextension;
+type screensaver_ext_t, xextension;
+type security_ext_t, xextension;
+type shmem_ext_t, xextension;
+type std_ext_t, xextension;
+type sync_ext_t, xextension;
+type unknown_ext_t, xextension;
+type video_ext_t, xextension;
+type windowmgr_ext_t, xextension;
+
+#
+# X property types.  The SELinux extension in the X server has a 
+# hardcoded table that maps actual extension names to these types.
+#
+type wm_property_t, xproperty;
+type unknown_property_t, xproperty;
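Review bot: The comment above the xproperty types repeats the extension wording ("maps actual extension names to these types") even though the two types below it are property types; it should read `# hardcoded table that maps actual property names to these types.` Since both tables are hardcoded in the X server's SELinux extension, a note naming which server table these type names must stay in sync with would make future renames safer.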
diff --git a/strict/users b/strict/users
new file mode 100644
index 0000000..dac2092
--- /dev/null
+++ b/strict/users
@@ -0,0 +1,50 @@
+##################################
+#
+# User configuration.
+#
+# This file defines each user recognized by the system security policy.
+# Only the user identities defined in this file may be used as the
+# user attribute in a security context.
+#
+# Each user has a set of roles that may be entered by processes
+# with the users identity.  The syntax of a user declaration is:
+#
+# 	user username roles role_set [ level default_level range allowed_range ];
+#
+# The MLS default level and allowed range should only be specified if 
+# MLS was enabled in the policy.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system_u,
+# and a user process should never be assigned the system_u user
+# identity.
+#
+user system_u roles system_r;
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined.  The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user.  If you do not want to
+# permit any access to such users, then remove this entry.
+#
+user user_u roles { user_r }; 
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+
+# The sysadm_r user also needs to be permitted system_r if we are to allow
+# direct execution of daemons
+user root roles { sysadm_r staff_r ifdef(`direct_sysadm_daemon', `system_r') };
+
+# sample for administrative user
+#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
+
+# sample for regular user
+#user jdoe roles { user_r }; 
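Review bot: The `root` declaration embeds `ifdef(`direct_sysadm_daemon', `system_r')`, which silently couples this file to tunable.tun in the same commit, where that tunable is enabled, so root gets system_r by default; the comment above should name the tunable so the dependency is visible, e.g. `# direct_sysadm_daemon (tunables/tunable.tun) adds system_r to root`. The comment for `user_u` says to remove the entry if no access for unmapped Linux users is wanted, but it would be clearer to state the consequence the other way round as well: with the entry present, every Linux user without an SELinux identity is mapped to user_u/user_r. Minor: `user user_u roles { user_r }; ` carries trailing whitespace.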

