[selinux-policy] Sync master with F17

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jun 6 13:26:19 UTC 2012


commit 4a27edfbeb2c137819b824f400fe3c99b90c6155
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Jun 6 15:25:27 2012 +0200

    Sync master with F17

 booleans-targeted.conf |   14 +-
 config.tgz             |  Bin 71680 -> 3402 bytes
 policy-F16.patch       |74475 +++++++++++++++++++++++++++++++++++++++++++++---
 selinux-policy.spec    |  572 +-
 4 files changed, 71453 insertions(+), 3608 deletions(-)
---
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 877a8ea..5b76aa1 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -1,5 +1,5 @@
 # Turn off the ability for one process to read/modify another processes memory
-deny_ptrace = true
+deny_ptrace = false
 
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 deny_execmem = false
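Review bot: `deny_ptrace = false` relaxes a hardening default, and neither the comment above it nor the commit message ("Sync master with F17") records why. The same applies to `allow_execstack = true` in the next hunk and `allow_xguest_exec_content = true` in the fourth hunk. By the file's own comment, turning this off restores the ability of one process to read or modify another process's memory. I would add a rationale line next to the setting, e.g. `# Off by default since the F17 sync: <reason / bug reference>; set to true on hosts that do not need debuggers`.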
@@ -11,7 +11,7 @@ allow_execmod = true
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = false
+allow_execstack = true
 
 # Allow ftpd to read cifs directories.
 # 
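Review bot: The comment on `allow_execstack` says it "Also requires allow_execmem", but the boolean this file sets (first hunk) is `deny_execmem`, so the cross-reference names something the file does not define. Now that the default becomes `true`, the dependency is worth stating correctly. I would reword it to `# Allow making the stack executable via mprotect. Only effective while deny_execmem = false.`, assuming `deny_execmem` is the renamed inverse of `allow_execmem`, which should be confirmed against the policy.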
@@ -33,6 +33,10 @@ allow_gssd_read_tmp = true
 # 
 allow_httpd_anon_write = false
 
+# Allow Apache to connect to port 80 for graceful shutdown
+# 
+httpd_graceful_shutdown = true
+
 # Allow Apache to use mod_auth_pam module
 # 
 allow_httpd_mod_auth_pam = false
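Review bot: `httpd_graceful_shutdown` is introduced already set to `true`, so every targeted install grants Apache whatever network permission this boolean gates. The comment says "port 80", but the policy rule behind it is not visible in this hunk. If that rule covers the whole HTTP port type rather than only a loopback connection to port 80, the comment understates the grant. I would spell the scope out, e.g. `# Allow Apache to connect to its own HTTP port(s) for graceful shutdown (outbound TCP connect)`, after confirming it against the policy module.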
@@ -232,7 +236,9 @@ allow_xserver_execmem = false
 # disallow guest accounts to execute files that they can create 
 # 
 allow_guest_exec_content = false
-allow_xguest_exec_content = false
+
+# xguest now requires to execute content in homedir to allow gnome-shell to work# properly.
+allow_xguest_exec_content = true
 
 # Only allow browser to use the web
 # 
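Review bot: The added comment has a stray `#` in the middle (`work# properly`), apparently a lost line break. It also now sits under the older header "disallow guest accounts to execute files that they can create", which no longer describes `allow_xguest_exec_content = true`. I would write it as two clean lines, `# xguest must be able to execute content in its home directory` and `# for gnome-shell to work properly.`. The header above should be reworded to cover only `allow_guest_exec_content`, so it is clear that xguest can now run files it creates.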
@@ -264,7 +270,7 @@ unconfined_mozilla_plugin_transition=true
 
 # Allow unconfined domain to transition to confined domain
 # 
-unconfined_telepathy_transition=true
+unconfined_telepathy_transition=false
 
 # Allow unconfined domain to transition to chrome_sandbox confined domain
 # 
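Review bot: The comment over `unconfined_telepathy_transition` reads "Allow unconfined domain to transition to confined domain" without naming telepathy, whereas the chrome_sandbox comment just below does name its domain. With the value now `false`, a reader cannot tell from the comment which confinement is being switched off; presumably telepathy started from an unconfined session now stays unconfined. I would change the comment to `# Allow unconfined domain to transition to the telepathy confined domains`.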
diff --git a/config.tgz b/config.tgz
index 2e7e5b5..5c3a843 100644
Binary files a/config.tgz and b/config.tgz differ
diff --git a/policy-F16.patch b/policy-F16.patch
index 09afdb9..221a418 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1,5 +1,5 @@
 diff --git a/Makefile b/Makefile
-index b8486a0..eadfda5 100644
+index b8486a0..7edc9f0 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
@@ -15,7 +15,7 @@ index b8486a0..eadfda5 100644
  user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
  user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
 -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts) $(contextpath)/files/media $(user_default_contexts_names)
  net_contexts := $(builddir)net_contexts
  
  all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
@@ -40,22 +40,58068 @@ index 168a14f..c2bf491 100644
  	@echo "Success."
  
  ########################################
+diff --git a/man/man8/NetworkManager_selinux.8 b/man/man8/NetworkManager_selinux.8
+new file mode 100644
+index 0000000..74ab63c
+--- /dev/null
++++ b/man/man8/NetworkManager_selinux.8
+@@ -0,0 +1,169 @@
++.TH  "NetworkManager_selinux"  "8"  "NetworkManager" "dwalsh at redhat.com" "NetworkManager SELinux Policy documentation"
++.SH "NAME"
++NetworkManager_selinux \- Security Enhanced Linux Policy for the NetworkManager processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B NetworkManager
++(Manager for dynamically switching between networks)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux NetworkManager policy is very flexible allowing users to setup their NetworkManager processes in as secure a method as possible.
++.PP 
++The following file types are defined for NetworkManager:
++
++
++.EX
++.PP
++.B NetworkManager_etc_rw_t 
++.EE
++
++- Set files with the NetworkManager_etc_rw_t type, if you want to treat the files as NetworkManager etc read/write content.
++
++.br
++.TP 5
++Paths: 
++/etc/NetworkManager/system-connections(/.*)?, /etc/NetworkManager/NetworkManager\.conf
++
++.EX
++.PP
++.B NetworkManager_etc_t 
++.EE
++
++- Set files with the NetworkManager_etc_t type, if you want to store NetworkManager files in the /etc directories.
++
++
++.EX
++.PP
++.B NetworkManager_exec_t 
++.EE
++
++- Set files with the NetworkManager_exec_t type, if you want to transition an executable to the NetworkManager_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/s?bin/wpa_supplicant, /usr/sbin/wpa_supplicant, /sbin/wpa_supplicant, /usr/sbin/nm-system-settings, /usr/sbin/wicd, /usr/s?bin/NetworkManager, /usr/sbin/NetworkManagerDispatcher
++
++.EX
++.PP
++.B NetworkManager_initrc_exec_t 
++.EE
++
++- Set files with the NetworkManager_initrc_exec_t type, if you want to transition an executable to the NetworkManager_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/wicd, /etc/NetworkManager/dispatcher\.d(/.*)?, /usr/libexec/nm-dispatcher.action
++
++.EX
++.PP
++.B NetworkManager_log_t 
++.EE
++
++- Set files with the NetworkManager_log_t type, if you want to treat the data as NetworkManager log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/wpa_supplicant.*, /var/log/wicd.*
++
++.EX
++.PP
++.B NetworkManager_tmp_t 
++.EE
++
++- Set files with the NetworkManager_tmp_t type, if you want to store NetworkManager temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B NetworkManager_unit_file_t 
++.EE
++
++- Set files with the NetworkManager_unit_file_t type, if you want to treat the files as NetworkManager unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/NetworkManager\.service, /lib/systemd/system/NetworkManager\.service
++
++.EX
++.PP
++.B NetworkManager_var_lib_t 
++.EE
++
++- Set files with the NetworkManager_var_lib_t type, if you want to store the NetworkManager files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/etc/wicd/wired-settings.conf, /var/lib/wicd(/.*)?, /etc/wicd/manager-settings.conf, /etc/wicd/wireless-settings.conf, /var/lib/NetworkManager(/.*)?
++
++.EX
++.PP
++.B NetworkManager_var_run_t 
++.EE
++
++- Set files with the NetworkManager_var_run_t type, if you want to store the NetworkManager files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/nm-dhclient.*, /var/run/wpa_supplicant(/.*)?, /var/run/NetworkManager\.pid, /var/run/wpa_supplicant-global, /var/run/nm-dns-dnsmasq\.conf, /var/run/NetworkManager(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux NetworkManager policy is very flexible allowing users to setup their NetworkManager processes in as secure a method as possible.
++.PP 
++The following process types are defined for NetworkManager:
++
++.EX
++.B NetworkManager_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), NetworkManager(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/abrt_selinux.8 b/man/man8/abrt_selinux.8
+new file mode 100644
+index 0000000..1acfb1b
+--- /dev/null
++++ b/man/man8/abrt_selinux.8
+@@ -0,0 +1,250 @@
++.TH  "abrt_selinux"  "8"  "abrt" "dwalsh at redhat.com" "abrt SELinux Policy documentation"
++.SH "NAME"
++abrt_selinux \- Security Enhanced Linux Policy for the abrt processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B abrt
++(ABRT - automated bug-reporting tool)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  abrt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt with the tightest access possible.
++
++
++.PP
++If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event script, you must turn on the abrt_handle_event boolean.
++
++.EX
++.B setsebool -P abrt_handle_event 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow abrt servers to read the /var/abrt directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/abrt(/.*)?"
++.br
++.B restorecon -F -R -v /var/abrt
++.pp
++.TP
++Allow abrt servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_abrt_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/abrt/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/abrt/incoming
++
++
++.PP
++If you want to allow ABRT to modify public files used for public file transfer services., you must turn on the abrt_anon_write boolean.
++
++.EX
++.B setsebool -P abrt_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux abrt policy is very flexible allowing users to setup their abrt processes in as secure a method as possible.
++.PP 
++The following file types are defined for abrt:
++
++
++.EX
++.PP
++.B abrt_dump_oops_exec_t 
++.EE
++
++- Set files with the abrt_dump_oops_exec_t type, if you want to transition an executable to the abrt_dump_oops_t domain.
++
++
++.EX
++.PP
++.B abrt_etc_t 
++.EE
++
++- Set files with the abrt_etc_t type, if you want to store abrt files in the /etc directories.
++
++
++.EX
++.PP
++.B abrt_exec_t 
++.EE
++
++- Set files with the abrt_exec_t type, if you want to transition an executable to the abrt_t domain.
++
++
++.EX
++.PP
++.B abrt_handle_event_exec_t 
++.EE
++
++- Set files with the abrt_handle_event_exec_t type, if you want to transition an executable to the abrt_handle_event_t domain.
++
++
++.EX
++.PP
++.B abrt_helper_exec_t 
++.EE
++
++- Set files with the abrt_helper_exec_t type, if you want to transition an executable to the abrt_helper_t domain.
++
++
++.EX
++.PP
++.B abrt_initrc_exec_t 
++.EE
++
++- Set files with the abrt_initrc_exec_t type, if you want to transition an executable to the abrt_initrc_t domain.
++
++
++.EX
++.PP
++.B abrt_retrace_cache_t 
++.EE
++
++- Set files with the abrt_retrace_cache_t type, if you want to store the files under the /var/cache directory.
++
++.br
++.TP 5
++Paths: 
++/var/cache/retrace-server(/.*)?, /var/cache/abrt-retrace(/.*)?
++
++.EX
++.PP
++.B abrt_retrace_coredump_exec_t 
++.EE
++
++- Set files with the abrt_retrace_coredump_exec_t type, if you want to transition an executable to the abrt_retrace_coredump_t domain.
++
++
++.EX
++.PP
++.B abrt_retrace_spool_t 
++.EE
++
++- Set files with the abrt_retrace_spool_t type, if you want to store the abrt retrace files under the /var/spool directory.
++
++.br
++.TP 5
++Paths: 
++/var/spool/retrace-server(/.*)?, /var/spool/abrt-retrace(/.*)?
++
++.EX
++.PP
++.B abrt_retrace_worker_exec_t 
++.EE
++
++- Set files with the abrt_retrace_worker_exec_t type, if you want to transition an executable to the abrt_retrace_worker_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/retrace-server-worker, /usr/bin/abrt-retrace-worker
++
++.EX
++.PP
++.B abrt_tmp_t 
++.EE
++
++- Set files with the abrt_tmp_t type, if you want to store abrt temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B abrt_unit_file_t 
++.EE
++
++- Set files with the abrt_unit_file_t type, if you want to treat the files as abrt unit content.
++
++
++.EX
++.PP
++.B abrt_var_cache_t 
++.EE
++
++- Set files with the abrt_var_cache_t type, if you want to store the files under the /var/cache directory.
++
++.br
++.TP 5
++Paths: 
++/var/cache/abrt(/.*)?, /var/spool/abrt(/.*)?, /var/cache/abrt-di(/.*)?
++
++.EX
++.PP
++.B abrt_var_log_t 
++.EE
++
++- Set files with the abrt_var_log_t type, if you want to treat the data as abrt var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B abrt_var_run_t 
++.EE
++
++- Set files with the abrt_var_run_t type, if you want to store the abrt files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/abrtd?\.socket, /var/run/abrtd?\.lock, /var/run/abrt(/.*)?, /var/run/abrt\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux abrt policy is very flexible allowing users to setup their abrt processes in as secure a method as possible.
++.PP 
++The following process types are defined for abrt:
++
++.EX
++.B abrt_handle_event_t, abrt_helper_t, abrt_retrace_coredump_t, abrt_t, abrt_retrace_worker_t, abrt_dump_oops_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), abrt(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/accountsd_selinux.8 b/man/man8/accountsd_selinux.8
+new file mode 100644
+index 0000000..4fe880f
+--- /dev/null
++++ b/man/man8/accountsd_selinux.8
+@@ -0,0 +1,93 @@
++.TH  "accountsd_selinux"  "8"  "accountsd" "dwalsh at redhat.com" "accountsd SELinux Policy documentation"
++.SH "NAME"
++accountsd_selinux \- Security Enhanced Linux Policy for the accountsd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B accountsd
++(AccountsService and daemon for manipulating user account information via D-Bus)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux accountsd policy is very flexible allowing users to setup their accountsd processes in as secure a method as possible.
++.PP 
++The following file types are defined for accountsd:
++
++
++.EX
++.PP
++.B accountsd_exec_t 
++.EE
++
++- Set files with the accountsd_exec_t type, if you want to transition an executable to the accountsd_t domain.
++
++
++.EX
++.PP
++.B accountsd_unit_file_t 
++.EE
++
++- Set files with the accountsd_unit_file_t type, if you want to treat the files as accountsd unit content.
++
++
++.EX
++.PP
++.B accountsd_var_lib_t 
++.EE
++
++- Set files with the accountsd_var_lib_t type, if you want to store the accountsd files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux accountsd policy is very flexible allowing users to setup their accountsd processes in as secure a method as possible.
++.PP 
++The following process types are defined for accountsd:
++
++.EX
++.B accountsd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), accountsd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/acct_selinux.8 b/man/man8/acct_selinux.8
+new file mode 100644
+index 0000000..323cee4
+--- /dev/null
++++ b/man/man8/acct_selinux.8
+@@ -0,0 +1,93 @@
++.TH  "acct_selinux"  "8"  "acct" "dwalsh at redhat.com" "acct SELinux Policy documentation"
++.SH "NAME"
++acct_selinux \- Security Enhanced Linux Policy for the acct processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B acct
++(Berkeley process accounting)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux acct policy is very flexible allowing users to setup their acct processes in as secure a method as possible.
++.PP 
++The following file types are defined for acct:
++
++
++.EX
++.PP
++.B acct_data_t 
++.EE
++
++- Set files with the acct_data_t type, if you want to treat the files as acct content.
++
++.br
++.TP 5
++Paths: 
++/var/log/account(/.*)?, /var/account(/.*)?
++
++.EX
++.PP
++.B acct_exec_t 
++.EE
++
++- Set files with the acct_exec_t type, if you want to transition an executable to the acct_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/accton, /sbin/accton, /etc/cron\.(daily|monthly)/acct
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux acct policy is very flexible allowing users to setup their acct processes in as secure a method as possible.
++.PP 
++The following process types are defined for acct:
++
++.EX
++.B acct_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), acct(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/afs_selinux.8 b/man/man8/afs_selinux.8
+new file mode 100644
+index 0000000..7832fa4
+--- /dev/null
++++ b/man/man8/afs_selinux.8
+@@ -0,0 +1,294 @@
++.TH  "afs_selinux"  "8"  "afs" "dwalsh at redhat.com" "afs SELinux Policy documentation"
++.SH "NAME"
++afs_selinux \- Security Enhanced Linux Policy for the afs processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B afs
++(Andrew Filesystem server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux afs policy is very flexible allowing users to setup their afs processes in as secure a method as possible.
++.PP 
++The following file types are defined for afs:
++
++
++.EX
++.PP
++.B afs_bosserver_exec_t 
++.EE
++
++- Set files with the afs_bosserver_exec_t type, if you want to transition an executable to the afs_bosserver_t domain.
++
++
++.EX
++.PP
++.B afs_cache_t 
++.EE
++
++- Set files with the afs_cache_t type, if you want to store the files under the /var/cache directory.
++
++.br
++.TP 5
++Paths: 
++/var/cache/afs(/.*)?, /usr/vice/cache(/.*)?
++
++.EX
++.PP
++.B afs_config_t 
++.EE
++
++- Set files with the afs_config_t type, if you want to treat the files as afs configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/usr/afs/local(/.*)?, /usr/afs/etc(/.*)?
++
++.EX
++.PP
++.B afs_dbdir_t 
++.EE
++
++- Set files with the afs_dbdir_t type, if you want to treat the files as afs dbdir data.
++
++
++.EX
++.PP
++.B afs_exec_t 
++.EE
++
++- Set files with the afs_exec_t type, if you want to transition an executable to the afs_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/vice/etc/afsd, /usr/sbin/afsd
++
++.EX
++.PP
++.B afs_files_t 
++.EE
++
++- Set files with the afs_files_t type, if you want to treat the files as afs content.
++
++.br
++.TP 5
++Paths: 
++/vicepc, /vicepb, /vicepa
++
++.EX
++.PP
++.B afs_fsserver_exec_t 
++.EE
++
++- Set files with the afs_fsserver_exec_t type, if you want to transition an executable to the afs_fsserver_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/afs/bin/volserver, /usr/afs/bin/fileserver, /usr/afs/bin/salvager
++
++.EX
++.PP
++.B afs_initrc_exec_t 
++.EE
++
++- Set files with the afs_initrc_exec_t type, if you want to transition an executable to the afs_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/afs, /etc/rc\.d/init\.d/openafs-client
++
++.EX
++.PP
++.B afs_ka_db_t 
++.EE
++
++- Set files with the afs_ka_db_t type, if you want to treat the files as afs ka database content.
++
++
++.EX
++.PP
++.B afs_kaserver_exec_t 
++.EE
++
++- Set files with the afs_kaserver_exec_t type, if you want to transition an executable to the afs_kaserver_t domain.
++
++
++.EX
++.PP
++.B afs_logfile_t 
++.EE
++
++- Set files with the afs_logfile_t type, if you want to treat the files as afs logfile data.
++
++
++.EX
++.PP
++.B afs_pt_db_t 
++.EE
++
++- Set files with the afs_pt_db_t type, if you want to treat the files as afs pt database content.
++
++
++.EX
++.PP
++.B afs_ptserver_exec_t 
++.EE
++
++- Set files with the afs_ptserver_exec_t type, if you want to transition an executable to the afs_ptserver_t domain.
++
++
++.EX
++.PP
++.B afs_vl_db_t 
++.EE
++
++- Set files with the afs_vl_db_t type, if you want to treat the files as afs vl database content.
++
++
++.EX
++.PP
++.B afs_vlserver_exec_t 
++.EE
++
++- Set files with the afs_vlserver_exec_t type, if you want to transition an executable to the afs_vlserver_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux afs policy is very flexible allowing users to setup their afs processes in as secure a method as possible.
++.PP 
++The following port types are defined for afs:
++
++.EX
++.TP 5
++.B afs_bos_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B afs_client_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B afs_fs_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B afs_ka_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B afs_pt_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B afs_vl_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux afs policy is very flexible allowing users to setup their afs processes in as secure a method as possible.
++.PP 
++The following process types are defined for afs:
++
++.EX
++.B afs_kaserver_t, afs_t, afs_fsserver_t, afs_bosserver_t, afs_vlserver_t, afs_ptserver_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), afs(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/aiccu_selinux.8 b/man/man8/aiccu_selinux.8
+new file mode 100644
+index 0000000..efc06eb
+--- /dev/null
++++ b/man/man8/aiccu_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "aiccu_selinux"  "8"  "aiccu" "dwalsh at redhat.com" "aiccu SELinux Policy documentation"
++.SH "NAME"
++aiccu_selinux \- Security Enhanced Linux Policy for the aiccu processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B aiccu
++(Automatic IPv6 Connectivity Client Utility)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux aiccu policy is very flexible allowing users to setup their aiccu processes in as secure a method as possible.
++.PP 
++The following file types are defined for aiccu:
++
++
++.EX
++.PP
++.B aiccu_etc_t 
++.EE
++
++- Set files with the aiccu_etc_t type, if you want to store aiccu files in the /etc directories.
++
++
++.EX
++.PP
++.B aiccu_exec_t 
++.EE
++
++- Set files with the aiccu_exec_t type, if you want to transition an executable to the aiccu_t domain.
++
++
++.EX
++.PP
++.B aiccu_initrc_exec_t 
++.EE
++
++- Set files with the aiccu_initrc_exec_t type, if you want to transition an executable to the aiccu_initrc_t domain.
++
++
++.EX
++.PP
++.B aiccu_var_run_t 
++.EE
++
++- Set files with the aiccu_var_run_t type, if you want to store the aiccu files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux aiccu policy is very flexible allowing users to setup their aiccu processes in as secure a method as possible.
++.PP 
++The following process types are defined for aiccu:
++
++.EX
++.B aiccu_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), aiccu(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/aide_selinux.8 b/man/man8/aide_selinux.8
+new file mode 100644
+index 0000000..0863697
+--- /dev/null
++++ b/man/man8/aide_selinux.8
+@@ -0,0 +1,97 @@
++.TH  "aide_selinux"  "8"  "aide" "dwalsh at redhat.com" "aide SELinux Policy documentation"
++.SH "NAME"
++aide_selinux \- Security Enhanced Linux Policy for the aide processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B aide
++(Aide filesystem integrity checker)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux aide policy is very flexible allowing users to setup their aide processes in as secure a method as possible.
++.PP 
++The following file types are defined for aide:
++
++
++.EX
++.PP
++.B aide_db_t 
++.EE
++
++- Set files with the aide_db_t type, if you want to treat the files as aide database content.
++
++
++.EX
++.PP
++.B aide_exec_t 
++.EE
++
++- Set files with the aide_exec_t type, if you want to transition an executable to the aide_t domain.
++
++
++.EX
++.PP
++.B aide_log_t 
++.EE
++
++- Set files with the aide_log_t type, if you want to treat the data as aide log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/aide\.log, /var/log/aide(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux aide policy is very flexible allowing users to setup their aide processes in as secure a method as possible.
++.PP 
++The following process types are defined for aide:
++
++.EX
++.B aide_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), aide(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/aisexec_selinux.8 b/man/man8/aisexec_selinux.8
+new file mode 100644
+index 0000000..8d4a539
+--- /dev/null
++++ b/man/man8/aisexec_selinux.8
+@@ -0,0 +1,125 @@
++.TH  "aisexec_selinux"  "8"  "aisexec" "dwalsh at redhat.com" "aisexec SELinux Policy documentation"
++.SH "NAME"
++aisexec_selinux \- Security Enhanced Linux Policy for the aisexec processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B aisexec
++(Aisexec Cluster Engine)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux aisexec policy is very flexible allowing users to setup their aisexec processes in as secure a method as possible.
++.PP 
++The following file types are defined for aisexec:
++
++
++.EX
++.PP
++.B aisexec_exec_t 
++.EE
++
++- Set files with the aisexec_exec_t type, if you want to transition an executable to the aisexec_t domain.
++
++
++.EX
++.PP
++.B aisexec_initrc_exec_t 
++.EE
++
++- Set files with the aisexec_initrc_exec_t type, if you want to transition an executable to the aisexec_initrc_t domain.
++
++
++.EX
++.PP
++.B aisexec_tmp_t 
++.EE
++
++- Set files with the aisexec_tmp_t type, if you want to store aisexec temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B aisexec_tmpfs_t 
++.EE
++
++- Set files with the aisexec_tmpfs_t type, if you want to store aisexec files on a tmpfs file system.
++
++
++.EX
++.PP
++.B aisexec_var_lib_t 
++.EE
++
++- Set files with the aisexec_var_lib_t type, if you want to store the aisexec files under the /var/lib directory.
++
++
++.EX
++.PP
++.B aisexec_var_log_t 
++.EE
++
++- Set files with the aisexec_var_log_t type, if you want to treat the data as aisexec var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B aisexec_var_run_t 
++.EE
++
++- Set files with the aisexec_var_run_t type, if you want to store the aisexec files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux aisexec policy is very flexible allowing users to setup their aisexec processes in as secure a method as possible.
++.PP 
++The following process types are defined for aisexec:
++
++.EX
++.B aisexec_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), aisexec(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ajaxterm_selinux.8 b/man/man8/ajaxterm_selinux.8
+new file mode 100644
+index 0000000..3ff7f95
+--- /dev/null
++++ b/man/man8/ajaxterm_selinux.8
+@@ -0,0 +1,119 @@
++.TH  "ajaxterm_selinux"  "8"  "ajaxterm" "dwalsh at redhat.com" "ajaxterm SELinux Policy documentation"
++.SH "NAME"
++ajaxterm_selinux \- Security Enhanced Linux Policy for the ajaxterm processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B ajaxterm
++(policy for ajaxterm)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ajaxterm policy is very flexible allowing users to setup their ajaxterm processes in as secure a method as possible.
++.PP 
++The following file types are defined for ajaxterm:
++
++
++.EX
++.PP
++.B ajaxterm_exec_t 
++.EE
++
++- Set files with the ajaxterm_exec_t type, if you want to transition an executable to the ajaxterm_t domain.
++
++
++.EX
++.PP
++.B ajaxterm_initrc_exec_t 
++.EE
++
++- Set files with the ajaxterm_initrc_exec_t type, if you want to transition an executable to the ajaxterm_initrc_t domain.
++
++
++.EX
++.PP
++.B ajaxterm_var_run_t 
++.EE
++
++- Set files with the ajaxterm_var_run_t type, if you want to store the ajaxterm files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux ajaxterm policy is very flexible allowing users to setup their ajaxterm processes in as secure a method as possible.
++.PP 
++The following port types are defined for ajaxterm:
++
++.EX
++.TP 5
++.B ajaxterm_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ajaxterm policy is very flexible allowing users to setup their ajaxterm processes in as secure a method as possible.
++.PP 
++The following process types are defined for ajaxterm:
++
++.EX
++.B ajaxterm_ssh_t, ajaxterm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ajaxterm(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/alsa_selinux.8 b/man/man8/alsa_selinux.8
+new file mode 100644
+index 0000000..9a8a29d
+--- /dev/null
++++ b/man/man8/alsa_selinux.8
+@@ -0,0 +1,125 @@
++.TH  "alsa_selinux"  "8"  "alsa" "dwalsh at redhat.com" "alsa SELinux Policy documentation"
++.SH "NAME"
++alsa_selinux \- Security Enhanced Linux Policy for the alsa processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B alsa
++(Ainit ALSA configuration tool)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux alsa policy is very flexible allowing users to setup their alsa processes in as secure a method as possible.
++.PP 
++The following file types are defined for alsa:
++
++
++.EX
++.PP
++.B alsa_etc_rw_t 
++.EE
++
++- Set files with the alsa_etc_rw_t type, if you want to treat the files as alsa etc read/write content.
++
++.br
++.TP 5
++Paths: 
++/etc/alsa/pcm(/.*)?, /etc/alsa/asound\.state, /usr/share/alsa/pcm(/.*)?, /etc/asound\.state, /etc/asound(/.*)?, /usr/share/alsa/alsa\.conf
++
++.EX
++.PP
++.B alsa_exec_t 
++.EE
++
++- Set files with the alsa_exec_t type, if you want to transition an executable to the alsa_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/salsa, /sbin/alsactl, /usr/bin/ainit, /usr/bin/alsaunmute, /sbin/salsa, /usr/sbin/alsactl, /bin/alsaunmute
++
++.EX
++.PP
++.B alsa_home_t 
++.EE
++
++- Set files with the alsa_home_t type, if you want to store alsa files in the users home directory.
++
++
++.EX
++.PP
++.B alsa_tmp_t 
++.EE
++
++- Set files with the alsa_tmp_t type, if you want to store alsa temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B alsa_unit_file_t 
++.EE
++
++- Set files with the alsa_unit_file_t type, if you want to treat the files as alsa unit content.
++
++
++.EX
++.PP
++.B alsa_var_lib_t 
++.EE
++
++- Set files with the alsa_var_lib_t type, if you want to store the alsa files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux alsa policy is very flexible allowing users to setup their alsa processes in as secure a method as possible.
++.PP 
++The following process types are defined for alsa:
++
++.EX
++.B alsa_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), alsa(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/amanda_selinux.8 b/man/man8/amanda_selinux.8
+new file mode 100644
+index 0000000..1ada188
+--- /dev/null
++++ b/man/man8/amanda_selinux.8
+@@ -0,0 +1,219 @@
++.TH  "amanda_selinux"  "8"  "amanda" "dwalsh at redhat.com" "amanda SELinux Policy documentation"
++.SH "NAME"
++amanda_selinux \- Security Enhanced Linux Policy for the amanda processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B amanda
++(Advanced Maryland Automatic Network Disk Archiver)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible.
++.PP 
++The following file types are defined for amanda:
++
++
++.EX
++.PP
++.B amanda_amandates_t 
++.EE
++
++- Set files with the amanda_amandates_t type, if you want to treat the files as amanda amandates data.
++
++
++.EX
++.PP
++.B amanda_config_t 
++.EE
++
++- Set files with the amanda_config_t type, if you want to treat the files as amanda configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/etc/amanda(/.*)?, /var/lib/amanda/\.amandahosts
++
++.EX
++.PP
++.B amanda_data_t 
++.EE
++
++- Set files with the amanda_data_t type, if you want to treat the files as amanda content.
++
++.br
++.TP 5
++Paths: 
++/var/lib/amanda/[^/]+(/.*)?, /etc/amanda/.*/tapelist(/.*)?, /etc/amanda/.*/index(/.*)?
++
++.EX
++.PP
++.B amanda_dumpdates_t 
++.EE
++
++- Set files with the amanda_dumpdates_t type, if you want to treat the files as amanda dumpdates data.
++
++
++.EX
++.PP
++.B amanda_exec_t 
++.EE
++
++- Set files with the amanda_exec_t type, if you want to transition an executable to the amanda_t domain.
++
++
++.EX
++.PP
++.B amanda_gnutarlists_t 
++.EE
++
++- Set files with the amanda_gnutarlists_t type, if you want to treat the files as amanda gnutarlists data.
++
++
++.EX
++.PP
++.B amanda_inetd_exec_t 
++.EE
++
++- Set files with the amanda_inetd_exec_t type, if you want to transition an executable to the amanda_inetd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/amanda/amindexd, /usr/lib/amanda/amidxtaped, /usr/lib/amanda/amandad
++
++.EX
++.PP
++.B amanda_log_t 
++.EE
++
++- Set files with the amanda_log_t type, if you want to treat the data as amanda log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/amanda(/.*)?, /var/lib/amanda/[^/]*/log(/.*)?
++
++.EX
++.PP
++.B amanda_recover_dir_t 
++.EE
++
++- Set files with the amanda_recover_dir_t type, if you want to treat the files as amanda recover dir data.
++
++
++.EX
++.PP
++.B amanda_recover_exec_t 
++.EE
++
++- Set files with the amanda_recover_exec_t type, if you want to transition an executable to the amanda_recover_t domain.
++
++
++.EX
++.PP
++.B amanda_tmp_t 
++.EE
++
++- Set files with the amanda_tmp_t type, if you want to store amanda temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B amanda_usr_lib_t 
++.EE
++
++- Set files with the amanda_usr_lib_t type, if you want to treat the files as amanda usr lib data.
++
++
++.EX
++.PP
++.B amanda_var_lib_t 
++.EE
++
++- Set files with the amanda_var_lib_t type, if you want to store the amanda files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/amanda, /var/lib/amanda/[^/]+/index(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible.
++.PP 
++The following port types are defined for amanda:
++
++.EX
++.TP 5
++.B amanda_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible.
++.PP 
++The following process types are defined for amanda:
++
++.EX
++.B amanda_t, amanda_recover_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), amanda(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/amavis_selinux.8 b/man/man8/amavis_selinux.8
+new file mode 100644
+index 0000000..52d2f0d
+--- /dev/null
++++ b/man/man8/amavis_selinux.8
+@@ -0,0 +1,193 @@
++.TH  "amavis_selinux"  "8"  "amavis" "dwalsh at redhat.com" "amavis SELinux Policy documentation"
++.SH "NAME"
++amavis_selinux \- Security Enhanced Linux Policy for the amavis processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B amavis
++(
++Daemon that interfaces mail transfer agents and content
++checkers, such as virus scanners.
++)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux amavis policy is very flexible allowing users to setup their amavis processes in as secure a method as possible.
++.PP 
++The following file types are defined for amavis:
++
++
++.EX
++.PP
++.B amavis_etc_t 
++.EE
++
++- Set files with the amavis_etc_t type, if you want to store amavis files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/amavis\.conf, /etc/amavisd(/.*)?
++
++.EX
++.PP
++.B amavis_exec_t 
++.EE
++
++- Set files with the amavis_exec_t type, if you want to transition an executable to the amavis_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/amavisd.*, /usr/lib/AntiVir/antivir
++
++.EX
++.PP
++.B amavis_initrc_exec_t 
++.EE
++
++- Set files with the amavis_initrc_exec_t type, if you want to transition an executable to the amavis_initrc_t domain.
++
++
++.EX
++.PP
++.B amavis_quarantine_t 
++.EE
++
++- Set files with the amavis_quarantine_t type, if you want to treat the files as amavis quarantine data.
++
++
++.EX
++.PP
++.B amavis_spool_t 
++.EE
++
++- Set files with the amavis_spool_t type, if you want to store the amavis files under the /var/spool directory.
++
++
++.EX
++.PP
++.B amavis_tmp_t 
++.EE
++
++- Set files with the amavis_tmp_t type, if you want to store amavis temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B amavis_var_lib_t 
++.EE
++
++- Set files with the amavis_var_lib_t type, if you want to store the amavis files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/amavis(/.*)?, /var/amavis(/.*)?
++
++.EX
++.PP
++.B amavis_var_log_t 
++.EE
++
++- Set files with the amavis_var_log_t type, if you want to treat the data as amavis var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B amavis_var_run_t 
++.EE
++
++- Set files with the amavis_var_run_t type, if you want to store the amavis files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux amavis policy is very flexible allowing users to setup their amavis processes in as secure a method as possible.
++.PP 
++The following port types are defined for amavis:
++
++.EX
++.TP 5
++.B amavisd_recv_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B amavisd_send_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux amavis policy is very flexible allowing users to setup their amavis processes in as secure a method as possible.
++.PP 
++The following process types are defined for amavis:
++
++.EX
++.B amavis_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), amavis(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/amtu_selinux.8 b/man/man8/amtu_selinux.8
+new file mode 100644
+index 0000000..511f260
+--- /dev/null
++++ b/man/man8/amtu_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "amtu_selinux"  "8"  "amtu" "dwalsh at redhat.com" "amtu SELinux Policy documentation"
++.SH "NAME"
++amtu_selinux \- Security Enhanced Linux Policy for the amtu processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B amtu
++(Abstract Machine Test Utility)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux amtu policy is very flexible allowing users to setup their amtu processes in as secure a method as possible.
++.PP 
++The following file types are defined for amtu:
++
++
++.EX
++.PP
++.B amtu_exec_t 
++.EE
++
++- Set files with the amtu_exec_t type, if you want to transition an executable to the amtu_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux amtu policy is very flexible allowing users to setup their amtu processes in as secure a method as possible.
++.PP 
++The following process types are defined for amtu:
++
++.EX
++.B amtu_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), amtu(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/apcupsd_selinux.8 b/man/man8/apcupsd_selinux.8
+new file mode 100644
+index 0000000..dab6c6a
+--- /dev/null
++++ b/man/man8/apcupsd_selinux.8
+@@ -0,0 +1,159 @@
++.TH  "apcupsd_selinux"  "8"  "apcupsd" "dwalsh at redhat.com" "apcupsd SELinux Policy documentation"
++.SH "NAME"
++apcupsd_selinux \- Security Enhanced Linux Policy for the apcupsd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B apcupsd
++(APC UPS monitoring daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux apcupsd policy is very flexible allowing users to setup their apcupsd processes in as secure a method as possible.
++.PP 
++The following file types are defined for apcupsd:
++
++
++.EX
++.PP
++.B apcupsd_exec_t 
++.EE
++
++- Set files with the apcupsd_exec_t type, if you want to transition an executable to the apcupsd_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/apcupsd, /usr/sbin/apcupsd
++
++.EX
++.PP
++.B apcupsd_initrc_exec_t 
++.EE
++
++- Set files with the apcupsd_initrc_exec_t type, if you want to transition an executable to the apcupsd_initrc_t domain.
++
++
++.EX
++.PP
++.B apcupsd_lock_t 
++.EE
++
++- Set files with the apcupsd_lock_t type, if you want to treat the files as apcupsd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B apcupsd_log_t 
++.EE
++
++- Set files with the apcupsd_log_t type, if you want to treat the data as apcupsd log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/apcupsd\.status.*, /var/log/apcupsd\.events.*
++
++.EX
++.PP
++.B apcupsd_tmp_t 
++.EE
++
++- Set files with the apcupsd_tmp_t type, if you want to store apcupsd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B apcupsd_unit_file_t 
++.EE
++
++- Set files with the apcupsd_unit_file_t type, if you want to treat the files as apcupsd unit content.
++
++
++.EX
++.PP
++.B apcupsd_var_run_t 
++.EE
++
++- Set files with the apcupsd_var_run_t type, if you want to store the apcupsd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux apcupsd policy is very flexible allowing users to setup their apcupsd processes in as secure a method as possible.
++.PP 
++The following port types are defined for apcupsd:
++
++.EX
++.TP 5
++.B apcupsd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux apcupsd policy is very flexible allowing users to setup their apcupsd processes in as secure a method as possible.
++.PP 
++The following process types are defined for apcupsd:
++
++.EX
++.B apcupsd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), apcupsd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/apm_selinux.8 b/man/man8/apm_selinux.8
+new file mode 100644
+index 0000000..1c6243c
+--- /dev/null
++++ b/man/man8/apm_selinux.8
+@@ -0,0 +1,133 @@
++.TH  "apm_selinux"  "8"  "apm" "dwalsh at redhat.com" "apm SELinux Policy documentation"
++.SH "NAME"
++apm_selinux \- Security Enhanced Linux Policy for the apm processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B apm
++(Advanced power management daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux apm policy is very flexible allowing users to setup their apm processes in as secure a method as possible.
++.PP 
++The following file types are defined for apm:
++
++
++.EX
++.PP
++.B apm_exec_t 
++.EE
++
++- Set files with the apm_exec_t type, if you want to transition an executable to the apm_t domain.
++
++
++.EX
++.PP
++.B apmd_exec_t 
++.EE
++
++- Set files with the apmd_exec_t type, if you want to transition an executable to the apmd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/powersaved, /usr/sbin/acpid, /usr/sbin/apmd
++
++.EX
++.PP
++.B apmd_lock_t 
++.EE
++
++- Set files with the apmd_lock_t type, if you want to treat the files as apmd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B apmd_log_t 
++.EE
++
++- Set files with the apmd_log_t type, if you want to treat the data as apmd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B apmd_tmp_t 
++.EE
++
++- Set files with the apmd_tmp_t type, if you want to store apmd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B apmd_unit_file_t 
++.EE
++
++- Set files with the apmd_unit_file_t type, if you want to treat the files as apmd unit content.
++
++
++.EX
++.PP
++.B apmd_var_run_t 
++.EE
++
++- Set files with the apmd_var_run_t type, if you want to store the apmd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/\.?acpid\.socket, /var/run/apmd\.pid, /var/run/powersaved\.pid, /var/run/powersave_socket
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux apm policy is very flexible allowing users to setup their apm processes in as secure a method as possible.
++.PP 
++The following process types are defined for apm:
++
++.EX
++.B apm_t, apmd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), apm(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/apmd_selinux.8 b/man/man8/apmd_selinux.8
+new file mode 100644
+index 0000000..6449d94
+--- /dev/null
++++ b/man/man8/apmd_selinux.8
+@@ -0,0 +1,127 @@
++.TH  "apmd_selinux"  "8"  "apmd" "dwalsh at redhat.com" "apmd SELinux Policy documentation"
++.SH "NAME"
++apmd_selinux \- Security Enhanced Linux Policy for the apmd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux apmd policy is very flexible allowing users to setup their apmd processes in as secure a method as possible.
++.PP 
++The following file types are defined for apmd:
++
++
++.EX
++.PP
++.B apm_exec_t 
++.EE
++
++- Set files with the apm_exec_t type, if you want to transition an executable to the apm_t domain.
++
++
++.EX
++.PP
++.B apmd_exec_t 
++.EE
++
++- Set files with the apmd_exec_t type, if you want to transition an executable to the apmd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/powersaved, /usr/sbin/acpid, /usr/sbin/apmd
++
++.EX
++.PP
++.B apmd_lock_t 
++.EE
++
++- Set files with the apmd_lock_t type, if you want to treat the files as apmd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B apmd_log_t 
++.EE
++
++- Set files with the apmd_log_t type, if you want to treat the data as apmd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B apmd_tmp_t 
++.EE
++
++- Set files with the apmd_tmp_t type, if you want to store apmd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B apmd_unit_file_t 
++.EE
++
++- Set files with the apmd_unit_file_t type, if you want to treat the files as apmd unit content.
++
++
++.EX
++.PP
++.B apmd_var_run_t 
++.EE
++
++- Set files with the apmd_var_run_t type, if you want to store the apmd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/\.?acpid\.socket, /var/run/apmd\.pid, /var/run/powersaved\.pid, /var/run/powersave_socket
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux apmd policy is very flexible allowing users to setup their apmd processes in as secure a method as possible.
++.PP 
++The following process types are defined for apmd:
++
++.EX
++.B apm_t, apmd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), apmd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/arpwatch_selinux.8 b/man/man8/arpwatch_selinux.8
+new file mode 100644
+index 0000000..8052609
+--- /dev/null
++++ b/man/man8/arpwatch_selinux.8
+@@ -0,0 +1,121 @@
++.TH  "arpwatch_selinux"  "8"  "arpwatch" "dwalsh at redhat.com" "arpwatch SELinux Policy documentation"
++.SH "NAME"
++arpwatch_selinux \- Security Enhanced Linux Policy for the arpwatch processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B arpwatch
++(Ethernet activity monitor)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux arpwatch policy is very flexible allowing users to setup their arpwatch processes in as secure a method as possible.
++.PP 
++The following file types are defined for arpwatch:
++
++
++.EX
++.PP
++.B arpwatch_data_t 
++.EE
++
++- Set files with the arpwatch_data_t type, if you want to treat the files as arpwatch content.
++
++.br
++.TP 5
++Paths: 
++/var/arpwatch(/.*)?, /var/lib/arpwatch(/.*)?
++
++.EX
++.PP
++.B arpwatch_exec_t 
++.EE
++
++- Set files with the arpwatch_exec_t type, if you want to transition an executable to the arpwatch_t domain.
++
++
++.EX
++.PP
++.B arpwatch_initrc_exec_t 
++.EE
++
++- Set files with the arpwatch_initrc_exec_t type, if you want to transition an executable to the arpwatch_initrc_t domain.
++
++
++.EX
++.PP
++.B arpwatch_tmp_t 
++.EE
++
++- Set files with the arpwatch_tmp_t type, if you want to store arpwatch temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B arpwatch_unit_file_t 
++.EE
++
++- Set files with the arpwatch_unit_file_t type, if you want to treat the files as arpwatch unit content.
++
++
++.EX
++.PP
++.B arpwatch_var_run_t 
++.EE
++
++- Set files with the arpwatch_var_run_t type, if you want to store the arpwatch files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux arpwatch policy is very flexible allowing users to setup their arpwatch processes in as secure a method as possible.
++.PP 
++The following process types are defined for arpwatch:
++
++.EX
++.B arpwatch_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), arpwatch(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/asterisk_selinux.8 b/man/man8/asterisk_selinux.8
+new file mode 100644
+index 0000000..c00565c
+--- /dev/null
++++ b/man/man8/asterisk_selinux.8
+@@ -0,0 +1,167 @@
++.TH  "asterisk_selinux"  "8"  "asterisk" "dwalsh at redhat.com" "asterisk SELinux Policy documentation"
++.SH "NAME"
++asterisk_selinux \- Security Enhanced Linux Policy for the asterisk processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B asterisk
++(Asterisk IP telephony server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible.
++.PP 
++The following file types are defined for asterisk:
++
++
++.EX
++.PP
++.B asterisk_etc_t 
++.EE
++
++- Set files with the asterisk_etc_t type, if you want to store asterisk files in the /etc directories.
++
++
++.EX
++.PP
++.B asterisk_exec_t 
++.EE
++
++- Set files with the asterisk_exec_t type, if you want to transition an executable to the asterisk_t domain.
++
++
++.EX
++.PP
++.B asterisk_initrc_exec_t 
++.EE
++
++- Set files with the asterisk_initrc_exec_t type, if you want to transition an executable to the asterisk_initrc_t domain.
++
++
++.EX
++.PP
++.B asterisk_log_t 
++.EE
++
++- Set files with the asterisk_log_t type, if you want to treat the data as asterisk log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B asterisk_spool_t 
++.EE
++
++- Set files with the asterisk_spool_t type, if you want to store the asterisk files under the /var/spool directory.
++
++
++.EX
++.PP
++.B asterisk_tmp_t 
++.EE
++
++- Set files with the asterisk_tmp_t type, if you want to store asterisk temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B asterisk_tmpfs_t 
++.EE
++
++- Set files with the asterisk_tmpfs_t type, if you want to store asterisk files on a tmpfs file system.
++
++
++.EX
++.PP
++.B asterisk_var_lib_t 
++.EE
++
++- Set files with the asterisk_var_lib_t type, if you want to store the asterisk files under the /var/lib directory.
++
++
++.EX
++.PP
++.B asterisk_var_run_t 
++.EE
++
++- Set files with the asterisk_var_run_t type, if you want to store the asterisk files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible.
++.PP 
++The following port types are defined for asterisk:
++
++.EX
++.TP 5
++.B asterisk_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible.
++.PP 
++The following process types are defined for asterisk:
++
++.EX
++.B asterisk_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), asterisk(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/audisp_selinux.8 b/man/man8/audisp_selinux.8
+new file mode 100644
+index 0000000..dc30264
+--- /dev/null
++++ b/man/man8/audisp_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "audisp_selinux"  "8"  "audisp" "dwalsh at redhat.com" "audisp SELinux Policy documentation"
++.SH "NAME"
++audisp_selinux \- Security Enhanced Linux Policy for the audisp processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux audisp policy is very flexible allowing users to setup their audisp processes in as secure a method as possible.
++.PP 
++The following file types are defined for audisp:
++
++
++.EX
++.PP
++.B audisp_exec_t 
++.EE
++
++- Set files with the audisp_exec_t type, if you want to transition an executable to the audisp_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/audispd, /usr/sbin/audispd
++
++.EX
++.PP
++.B audisp_remote_exec_t 
++.EE
++
++- Set files with the audisp_remote_exec_t type, if you want to transition an executable to the audisp_remote_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/audisp-remote, /sbin/audisp-remote
++
++.EX
++.PP
++.B audisp_var_run_t 
++.EE
++
++- Set files with the audisp_var_run_t type, if you want to store the audisp files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux audisp policy is very flexible allowing users to setup their audisp processes in as secure a method as possible.
++.PP 
++The following process types are defined for audisp:
++
++.EX
++.B audisp_remote_t, audisp_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), audisp(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/auditadm_selinux.8 b/man/man8/auditadm_selinux.8
+new file mode 100644
+index 0000000..cba947e
+--- /dev/null
++++ b/man/man8/auditadm_selinux.8
+@@ -0,0 +1,65 @@
++.TH  "auditadm_selinux"  "8"  "auditadm" "mgrepl at redhat.com" "auditadm SELinux Policy documentation"
++.SH "NAME"
++auditadm_r \- \fBAudit administrator role\fP - Security Enhanced Linux Policy 
++
++.SH DESCRIPTION
++
++SELinux supports Roles Based Access Control, some Linux roles are login roles, while other roles need to be transition to. 
++
++Note: The examples in the man page will user the staff_u user.
++
++Non login roles are usually used for administrative tasks.
++
++Roles usually have default types assigned to them. 
++
++The default type for the auditadm_r role is auditadm_t.
++
++You can use the 
++.B newrole 
++program to transition directly to this role.
++
++.B newrole -r auditadm_r -t auditadm_t
++
++.B sudo 
++can also be setup to transition to this role using the visudo command.
++
++USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL
++
++If you want to use a non login role, you need to make sure the SELinux user you are using can reach this role.
++
++You can see all of the assigned SELinux roles using the following
++
++.B semanage user -l
++
++If you wanted to add auditadm_r to the staff_u user, you would execute:
++
++.B $ semanage user -m -R 'staff_r auditadm_r' staff_u 
++
++
++
++SELinux policy also controls which roles can transition to a different role.  
++You can list these rules using the following command.
++
++.B sesearch --role_allow
++
++SELinux policy allows the sysadm_r, secadm_r, staff_r roles can transition to the auditadm_r role.
++
++
++.SH "COMMANDS"
++
++.B semanage login
++can also be used to manipulate the Linux User to SELinux User mappings
++
++.B semanage user
++can also be used to manipulate SELinux user definitions.
++
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genuserman.py.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8).
+diff --git a/man/man8/auditctl_selinux.8 b/man/man8/auditctl_selinux.8
+new file mode 100644
+index 0000000..96a49e6
+--- /dev/null
++++ b/man/man8/auditctl_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "auditctl_selinux"  "8"  "auditctl" "dwalsh at redhat.com" "auditctl SELinux Policy documentation"
++.SH "NAME"
++auditctl_selinux \- Security Enhanced Linux Policy for the auditctl processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux auditctl policy is very flexible allowing users to setup their auditctl processes in as secure a method as possible.
++.PP 
++The following file types are defined for auditctl:
++
++
++.EX
++.PP
++.B auditctl_exec_t 
++.EE
++
++- Set files with the auditctl_exec_t type, if you want to transition an executable to the auditctl_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/auditctl, /usr/sbin/auditctl
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux auditctl policy is very flexible allowing users to setup their auditctl processes in as secure a method as possible.
++.PP 
++The following process types are defined for auditctl:
++
++.EX
++.B auditctl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), auditctl(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/auditd_selinux.8 b/man/man8/auditd_selinux.8
+new file mode 100644
+index 0000000..50c15c2
+--- /dev/null
++++ b/man/man8/auditd_selinux.8
+@@ -0,0 +1,157 @@
++.TH  "auditd_selinux"  "8"  "auditd" "dwalsh at redhat.com" "auditd SELinux Policy documentation"
++.SH "NAME"
++auditd_selinux \- Security Enhanced Linux Policy for the auditd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux auditd policy is very flexible allowing users to setup their auditd processes in as secure a method as possible.
++.PP 
++The following file types are defined for auditd:
++
++
++.EX
++.PP
++.B audit_spool_t 
++.EE
++
++- Set files with the audit_spool_t type, if you want to store the audit files under the /var/spool directory.
++
++
++.EX
++.PP
++.B auditd_etc_t 
++.EE
++
++- Set files with the auditd_etc_t type, if you want to store auditd files in the /etc directories.
++
++
++.EX
++.PP
++.B auditd_exec_t 
++.EE
++
++- Set files with the auditd_exec_t type, if you want to transition an executable to the auditd_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/auditd, /usr/sbin/auditd
++
++.EX
++.PP
++.B auditd_initrc_exec_t 
++.EE
++
++- Set files with the auditd_initrc_exec_t type, if you want to transition an executable to the auditd_initrc_t domain.
++
++
++.EX
++.PP
++.B auditd_log_t 
++.EE
++
++- Set files with the auditd_log_t type, if you want to treat the data as auditd log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/audit(/.*)?, /var/log/audit\.log
++
++.EX
++.PP
++.B auditd_unit_file_t 
++.EE
++
++- Set files with the auditd_unit_file_t type, if you want to treat the files as auditd unit content.
++
++
++.EX
++.PP
++.B auditd_var_run_t 
++.EE
++
++- Set files with the auditd_var_run_t type, if you want to store the auditd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/audit_events, /var/run/auditd_sock, /var/run/auditd\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux auditd policy is very flexible allowing users to setup their auditd processes in as secure a method as possible.
++.PP 
++The following port types are defined for auditd:
++
++.EX
++.TP 5
++.B audit_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux auditd policy is very flexible allowing users to setup their auditd processes in as secure a method as possible.
++.PP 
++The following process types are defined for auditd:
++
++.EX
++.B auditadm_su_t, auditadm_seunshare_t, auditadm_dbusd_t, auditadm_t, auditadm_sudo_t, auditadm_wine_t, auditadm_screen_t, auditadm_gkeyringd_t, auditd_t, auditctl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), auditd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/automount_selinux.8 b/man/man8/automount_selinux.8
+new file mode 100644
+index 0000000..ff75942
+--- /dev/null
++++ b/man/man8/automount_selinux.8
+@@ -0,0 +1,129 @@
++.TH  "automount_selinux"  "8"  "automount" "dwalsh at redhat.com" "automount SELinux Policy documentation"
++.SH "NAME"
++automount_selinux \- Security Enhanced Linux Policy for the automount processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B automount
++(Filesystem automounter service)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux automount policy is very flexible allowing users to setup their automount processes in as secure a method as possible.
++.PP 
++The following file types are defined for automount:
++
++
++.EX
++.PP
++.B automount_exec_t 
++.EE
++
++- Set files with the automount_exec_t type, if you want to transition an executable to the automount_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/automount, /etc/apm/event\.d/autofs
++
++.EX
++.PP
++.B automount_initrc_exec_t 
++.EE
++
++- Set files with the automount_initrc_exec_t type, if you want to transition an executable to the automount_initrc_t domain.
++
++
++.EX
++.PP
++.B automount_keytab_t 
++.EE
++
++- Set files with the automount_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B automount_lock_t 
++.EE
++
++- Set files with the automount_lock_t type, if you want to treat the files as automount lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B automount_tmp_t 
++.EE
++
++- Set files with the automount_tmp_t type, if you want to store automount temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B automount_unit_file_t 
++.EE
++
++- Set files with the automount_unit_file_t type, if you want to treat the files as automount unit content.
++
++
++.EX
++.PP
++.B automount_var_run_t 
++.EE
++
++- Set files with the automount_var_run_t type, if you want to store the automount files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux automount policy is very flexible allowing users to setup their automount processes in as secure a method as possible.
++.PP 
++The following process types are defined for automount:
++
++.EX
++.B automount_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), automount(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/avahi_selinux.8 b/man/man8/avahi_selinux.8
+new file mode 100644
+index 0000000..f489dad
+--- /dev/null
++++ b/man/man8/avahi_selinux.8
+@@ -0,0 +1,128 @@
++.TH  "avahi_selinux"  "8"  "avahi" "dwalsh at redhat.com" "avahi SELinux Policy documentation"
++.SH "NAME"
++avahi_selinux \- Security Enhanced Linux Policy for the avahi processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B avahi
++(mDNS/DNS-SD daemon implementing Apple ZeroConf architecture)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  avahi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run avahi with the tightest access possible.
++
++
++.PP
++If you want to allow Apache to communicate with avahi service via dbu, you must turn on the httpd_dbus_avahi boolean.
++
++.EX
++.B setsebool -P httpd_dbus_avahi 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux avahi policy is very flexible allowing users to setup their avahi processes in as secure a method as possible.
++.PP 
++The following file types are defined for avahi:
++
++
++.EX
++.PP
++.B avahi_exec_t 
++.EE
++
++- Set files with the avahi_exec_t type, if you want to transition an executable to the avahi_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/avahi-dnsconfd, /usr/sbin/avahi-autoipd, /usr/sbin/avahi-daemon
++
++.EX
++.PP
++.B avahi_initrc_exec_t 
++.EE
++
++- Set files with the avahi_initrc_exec_t type, if you want to transition an executable to the avahi_initrc_t domain.
++
++
++.EX
++.PP
++.B avahi_unit_file_t 
++.EE
++
++- Set files with the avahi_unit_file_t type, if you want to treat the files as avahi unit content.
++
++
++.EX
++.PP
++.B avahi_var_lib_t 
++.EE
++
++- Set files with the avahi_var_lib_t type, if you want to store the avahi files under the /var/lib directory.
++
++
++.EX
++.PP
++.B avahi_var_run_t 
++.EE
++
++- Set files with the avahi_var_run_t type, if you want to store the avahi files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux avahi policy is very flexible allowing users to setup their avahi processes in as secure a method as possible.
++.PP 
++The following process types are defined for avahi:
++
++.EX
++.B avahi_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), avahi(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/awstats_selinux.8 b/man/man8/awstats_selinux.8
+new file mode 100644
+index 0000000..b76d620
+--- /dev/null
++++ b/man/man8/awstats_selinux.8
+@@ -0,0 +1,96 @@
++.TH  "awstats_selinux"  "8"  "awstats" "dwalsh at redhat.com" "awstats SELinux Policy documentation"
++.SH "NAME"
++awstats_selinux \- Security Enhanced Linux Policy for the awstats processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B awstats
++(
++AWStats is a free powerful and featureful tool that generates advanced
++web, streaming, ftp or mail server statistics, graphically.
++)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux awstats policy is very flexible allowing users to setup their awstats processes in as secure a method as possible.
++.PP 
++The following file types are defined for awstats:
++
++
++.EX
++.PP
++.B awstats_exec_t 
++.EE
++
++- Set files with the awstats_exec_t type, if you want to transition an executable to the awstats_t domain.
++
++
++.EX
++.PP
++.B awstats_tmp_t 
++.EE
++
++- Set files with the awstats_tmp_t type, if you want to store awstats temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B awstats_var_lib_t 
++.EE
++
++- Set files with the awstats_var_lib_t type, if you want to store the awstats files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux awstats policy is very flexible allowing users to setup their awstats processes in as secure a method as possible.
++.PP 
++The following process types are defined for awstats:
++
++.EX
++.B awstats_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), awstats(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/bcfg2_selinux.8 b/man/man8/bcfg2_selinux.8
+new file mode 100644
+index 0000000..fcb6393
+--- /dev/null
++++ b/man/man8/bcfg2_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "bcfg2_selinux"  "8"  "bcfg2" "dwalsh at redhat.com" "bcfg2 SELinux Policy documentation"
++.SH "NAME"
++bcfg2_selinux \- Security Enhanced Linux Policy for the bcfg2 processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B bcfg2
++(policy for bcfg2)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux bcfg2 policy is very flexible allowing users to setup their bcfg2 processes in as secure a method as possible.
++.PP 
++The following file types are defined for bcfg2:
++
++
++.EX
++.PP
++.B bcfg2_exec_t 
++.EE
++
++- Set files with the bcfg2_exec_t type, if you want to transition an executable to the bcfg2_t domain.
++
++
++.EX
++.PP
++.B bcfg2_initrc_exec_t 
++.EE
++
++- Set files with the bcfg2_initrc_exec_t type, if you want to transition an executable to the bcfg2_initrc_t domain.
++
++
++.EX
++.PP
++.B bcfg2_unit_file_t 
++.EE
++
++- Set files with the bcfg2_unit_file_t type, if you want to treat the files as bcfg2 unit content.
++
++
++.EX
++.PP
++.B bcfg2_var_lib_t 
++.EE
++
++- Set files with the bcfg2_var_lib_t type, if you want to store the bcfg2 files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux bcfg2 policy is very flexible allowing users to setup their bcfg2 processes in as secure a method as possible.
++.PP 
++The following process types are defined for bcfg2:
++
++.EX
++.B bcfg2_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), bcfg2(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/bitlbee_selinux.8 b/man/man8/bitlbee_selinux.8
+new file mode 100644
+index 0000000..7c1b8b9
+--- /dev/null
++++ b/man/man8/bitlbee_selinux.8
+@@ -0,0 +1,133 @@
++.TH  "bitlbee_selinux"  "8"  "bitlbee" "dwalsh at redhat.com" "bitlbee SELinux Policy documentation"
++.SH "NAME"
++bitlbee_selinux \- Security Enhanced Linux Policy for the bitlbee processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B bitlbee
++(Bitlbee service)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux bitlbee policy is very flexible allowing users to setup their bitlbee processes in as secure a method as possible.
++.PP 
++The following file types are defined for bitlbee:
++
++
++.EX
++.PP
++.B bitlbee_conf_t 
++.EE
++
++- Set files with the bitlbee_conf_t type, if you want to treat the files as bitlbee configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B bitlbee_exec_t 
++.EE
++
++- Set files with the bitlbee_exec_t type, if you want to transition an executable to the bitlbee_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/bitlbee, /usr/bin/bip
++
++.EX
++.PP
++.B bitlbee_initrc_exec_t 
++.EE
++
++- Set files with the bitlbee_initrc_exec_t type, if you want to transition an executable to the bitlbee_initrc_t domain.
++
++
++.EX
++.PP
++.B bitlbee_log_t 
++.EE
++
++- Set files with the bitlbee_log_t type, if you want to treat the data as bitlbee log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B bitlbee_tmp_t 
++.EE
++
++- Set files with the bitlbee_tmp_t type, if you want to store bitlbee temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B bitlbee_var_run_t 
++.EE
++
++- Set files with the bitlbee_var_run_t type, if you want to store the bitlbee files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/bitlbee\.pid, /var/run/bip(/.*)?, /var/run/bitlbee\.sock
++
++.EX
++.PP
++.B bitlbee_var_t 
++.EE
++
++- Set files with the bitlbee_var_t type, if you want to store the bit files under the /var directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux bitlbee policy is very flexible allowing users to setup their bitlbee processes in as secure a method as possible.
++.PP 
++The following process types are defined for bitlbee:
++
++.EX
++.B bitlbee_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), bitlbee(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/blktap_selinux.8 b/man/man8/blktap_selinux.8
+new file mode 100644
+index 0000000..4a344b5
+--- /dev/null
++++ b/man/man8/blktap_selinux.8
+@@ -0,0 +1,98 @@
++.TH  "blktap_selinux"  "8"  "blktap" "dwalsh at redhat.com" "blktap SELinux Policy documentation"
++.SH "NAME"
++blktap_selinux \- Security Enhanced Linux Policy for the blktap processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  blktap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run blktap with the tightest access possible.
++
++
++.PP
++If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean.
++
++.EX
++.B setsebool -P xend_run_blktap 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux blktap policy is very flexible allowing users to setup their blktap processes in as secure a method as possible.
++.PP 
++The following file types are defined for blktap:
++
++
++.EX
++.PP
++.B blktap_exec_t 
++.EE
++
++- Set files with the blktap_exec_t type, if you want to transition an executable to the blktap_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/blktapctrl, /usr/sbin/tapdisk
++
++.EX
++.PP
++.B blktap_var_run_t 
++.EE
++
++- Set files with the blktap_var_run_t type, if you want to store the blktap files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux blktap policy is very flexible allowing users to setup their blktap processes in as secure a method as possible.
++.PP 
++The following process types are defined for blktap:
++
++.EX
++.B blktap_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), blktap(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/blueman_selinux.8 b/man/man8/blueman_selinux.8
+new file mode 100644
+index 0000000..834703f
+--- /dev/null
++++ b/man/man8/blueman_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "blueman_selinux"  "8"  "blueman" "dwalsh at redhat.com" "blueman SELinux Policy documentation"
++.SH "NAME"
++blueman_selinux \- Security Enhanced Linux Policy for the blueman processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B blueman
++(policy for blueman)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux blueman policy is very flexible allowing users to setup their blueman processes in as secure a method as possible.
++.PP 
++The following file types are defined for blueman:
++
++
++.EX
++.PP
++.B blueman_exec_t 
++.EE
++
++- Set files with the blueman_exec_t type, if you want to transition an executable to the blueman_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux blueman policy is very flexible allowing users to setup their blueman processes in as secure a method as possible.
++.PP 
++The following process types are defined for blueman:
++
++.EX
++.B blueman_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), blueman(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/bluetooth_selinux.8 b/man/man8/bluetooth_selinux.8
+new file mode 100644
+index 0000000..d344b7b
+--- /dev/null
++++ b/man/man8/bluetooth_selinux.8
+@@ -0,0 +1,184 @@
++.TH  "bluetooth_selinux"  "8"  "bluetooth" "dwalsh at redhat.com" "bluetooth SELinux Policy documentation"
++.SH "NAME"
++bluetooth_selinux \- Security Enhanced Linux Policy for the bluetooth processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B bluetooth
++(Bluetooth tools and system services)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  bluetooth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bluetooth with the tightest access possible.
++
++
++.PP
++If you want to allow xguest users to use blue tooth device, you must turn on the xguest_use_bluetooth boolean.
++
++.EX
++.B setsebool -P xguest_use_bluetooth 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux bluetooth policy is very flexible allowing users to setup their bluetooth processes in as secure a method as possible.
++.PP 
++The following file types are defined for bluetooth:
++
++
++.EX
++.PP
++.B bluetooth_conf_rw_t 
++.EE
++
++- Set files with the bluetooth_conf_rw_t type, if you want to treat the files as bluetooth conf read/write content.
++
++
++.EX
++.PP
++.B bluetooth_conf_t 
++.EE
++
++- Set files with the bluetooth_conf_t type, if you want to treat the files as bluetooth configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B bluetooth_exec_t 
++.EE
++
++- Set files with the bluetooth_exec_t type, if you want to transition an executable to the bluetooth_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/hcid, /usr/bin/rfcomm, /usr/sbin/sdpd, /usr/bin/hidd, /usr/sbin/bluetoothd, /usr/sbin/hid2hci, /usr/bin/dund, /usr/sbin/hciattach
++
++.EX
++.PP
++.B bluetooth_helper_exec_t 
++.EE
++
++- Set files with the bluetooth_helper_exec_t type, if you want to transition an executable to the bluetooth_helper_t domain.
++
++
++.EX
++.PP
++.B bluetooth_helper_tmp_t 
++.EE
++
++- Set files with the bluetooth_helper_tmp_t type, if you want to store bluetooth helper temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B bluetooth_helper_tmpfs_t 
++.EE
++
++- Set files with the bluetooth_helper_tmpfs_t type, if you want to store bluetooth helper files on a tmpfs file system.
++
++
++.EX
++.PP
++.B bluetooth_initrc_exec_t 
++.EE
++
++- Set files with the bluetooth_initrc_exec_t type, if you want to transition an executable to the bluetooth_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/dund, /etc/rc\.d/init\.d/bluetooth, /etc/rc\.d/init\.d/pand
++
++.EX
++.PP
++.B bluetooth_lock_t 
++.EE
++
++- Set files with the bluetooth_lock_t type, if you want to treat the files as bluetooth lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B bluetooth_unit_file_t 
++.EE
++
++- Set files with the bluetooth_unit_file_t type, if you want to treat the files as bluetooth unit content.
++
++
++.EX
++.PP
++.B bluetooth_var_lib_t 
++.EE
++
++- Set files with the bluetooth_var_lib_t type, if you want to store the bluetooth files under the /var/lib directory.
++
++
++.EX
++.PP
++.B bluetooth_var_run_t 
++.EE
++
++- Set files with the bluetooth_var_run_t type, if you want to store the bluetooth files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/bluetoothd_address, /var/run/sdp
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux bluetooth policy is very flexible allowing users to setup their bluetooth processes in as secure a method as possible.
++.PP 
++The following process types are defined for bluetooth:
++
++.EX
++.B bluetooth_helper_t, bluetooth_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), bluetooth(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/boinc_selinux.8 b/man/man8/boinc_selinux.8
+new file mode 100644
+index 0000000..ae842c8
+--- /dev/null
++++ b/man/man8/boinc_selinux.8
+@@ -0,0 +1,166 @@
++.TH  "boinc_selinux"  "8"  "boinc" "dwalsh at redhat.com" "boinc SELinux Policy documentation"
++.SH "NAME"
++boinc_selinux \- Security Enhanced Linux Policy for the boinc processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B boinc
++(policy for boinc)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible.
++.PP 
++The following file types are defined for boinc:
++
++
++.EX
++.PP
++.B boinc_exec_t 
++.EE
++
++- Set files with the boinc_exec_t type, if you want to transition an executable to the boinc_t domain.
++
++
++.EX
++.PP
++.B boinc_initrc_exec_t 
++.EE
++
++- Set files with the boinc_initrc_exec_t type, if you want to transition an executable to the boinc_initrc_t domain.
++
++
++.EX
++.PP
++.B boinc_project_tmp_t 
++.EE
++
++- Set files with the boinc_project_tmp_t type, if you want to store boinc project temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B boinc_project_var_lib_t 
++.EE
++
++- Set files with the boinc_project_var_lib_t type, if you want to store the boinc project files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/boinc/projects(/.*)?, /var/lib/boinc/slots(/.*)?
++
++.EX
++.PP
++.B boinc_tmp_t 
++.EE
++
++- Set files with the boinc_tmp_t type, if you want to store boinc temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B boinc_tmpfs_t 
++.EE
++
++- Set files with the boinc_tmpfs_t type, if you want to store boinc files on a tmpfs file system.
++
++
++.EX
++.PP
++.B boinc_var_lib_t 
++.EE
++
++- Set files with the boinc_var_lib_t type, if you want to store the boinc files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible.
++.PP 
++The following port types are defined for boinc:
++
++.EX
++.TP 5
++.B boinc_client_ctrl_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B boinc_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible.
++.PP 
++The following process types are defined for boinc:
++
++.EX
++.B boinc_t, boinc_project_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), boinc(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/bootloader_selinux.8 b/man/man8/bootloader_selinux.8
+new file mode 100644
+index 0000000..892a587
+--- /dev/null
++++ b/man/man8/bootloader_selinux.8
+@@ -0,0 +1,116 @@
++.TH  "bootloader_selinux"  "8"  "bootloader" "dwalsh at redhat.com" "bootloader SELinux Policy documentation"
++.SH "NAME"
++bootloader_selinux \- Security Enhanced Linux Policy for the bootloader processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B bootloader
++(Policy for the kernel modules, kernel image, and bootloader)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  bootloader policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bootloader with the tightest access possible.
++
++
++.PP
++If you want to allow the graphical login program to execute bootloade, you must turn on the xdm_exec_bootloader boolean.
++
++.EX
++.B setsebool -P xdm_exec_bootloader 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux bootloader policy is very flexible allowing users to setup their bootloader processes in as secure a method as possible.
++.PP 
++The following file types are defined for bootloader:
++
++
++.EX
++.PP
++.B bootloader_etc_t 
++.EE
++
++- Set files with the bootloader_etc_t type, if you want to store bootloader files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/yaboot\.conf.*, /etc/default/grub, /etc/lilo\.conf.*
++
++.EX
++.PP
++.B bootloader_exec_t 
++.EE
++
++- Set files with the bootloader_exec_t type, if you want to transition an executable to the bootloader_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/ybin.*, /usr/sbin/grub.*, /sbin/lilo.*, /sbin/ybin.*, /usr/sbin/lilo.*, /sbin/grub.*
++
++.EX
++.PP
++.B bootloader_tmp_t 
++.EE
++
++- Set files with the bootloader_tmp_t type, if you want to store bootloader temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux bootloader policy is very flexible allowing users to setup their bootloader processes in as secure a method as possible.
++.PP 
++The following process types are defined for bootloader:
++
++.EX
++.B bootloader_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), bootloader(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/brctl_selinux.8 b/man/man8/brctl_selinux.8
+new file mode 100644
+index 0000000..664324c
+--- /dev/null
++++ b/man/man8/brctl_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "brctl_selinux"  "8"  "brctl" "dwalsh at redhat.com" "brctl SELinux Policy documentation"
++.SH "NAME"
++brctl_selinux \- Security Enhanced Linux Policy for the brctl processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B brctl
++(Utilities for configuring the linux ethernet bridge)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux brctl policy is very flexible allowing users to setup their brctl processes in as secure a method as possible.
++.PP 
++The following file types are defined for brctl:
++
++
++.EX
++.PP
++.B brctl_exec_t 
++.EE
++
++- Set files with the brctl_exec_t type, if you want to transition an executable to the brctl_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux brctl policy is very flexible allowing users to setup their brctl processes in as secure a method as possible.
++.PP 
++The following process types are defined for brctl:
++
++.EX
++.B brctl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), brctl(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cachefilesd_selinux.8 b/man/man8/cachefilesd_selinux.8
+new file mode 100644
+index 0000000..03e5916
+--- /dev/null
++++ b/man/man8/cachefilesd_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "cachefilesd_selinux"  "8"  "cachefilesd" "dwalsh at redhat.com" "cachefilesd SELinux Policy documentation"
++.SH "NAME"
++cachefilesd_selinux \- Security Enhanced Linux Policy for the cachefilesd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B cachefilesd
++(policy for cachefilesd)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cachefilesd policy is very flexible allowing users to setup their cachefilesd processes in as secure a method as possible.
++.PP 
++The following file types are defined for cachefilesd:
++
++
++.EX
++.PP
++.B cachefiles_var_t 
++.EE
++
++- Set files with the cachefiles_var_t type, if you want to store the cachef files under the /var directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/cachefilesd\.pid, /var/fscache(/.*)?, /var/cache/fscache(/.*)?
++
++.EX
++.PP
++.B cachefilesd_exec_t 
++.EE
++
++- Set files with the cachefilesd_exec_t type, if you want to transition an executable to the cachefilesd_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/cachefilesd, /usr/sbin/cachefilesd
++
++.EX
++.PP
++.B cachefilesd_var_run_t 
++.EE
++
++- Set files with the cachefilesd_var_run_t type, if you want to store the cachefilesd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cachefilesd policy is very flexible allowing users to setup their cachefilesd processes in as secure a method as possible.
++.PP 
++The following process types are defined for cachefilesd:
++
++.EX
++.B cachefilesd_t, cachefiles_kernel_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cachefilesd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/calamaris_selinux.8 b/man/man8/calamaris_selinux.8
+new file mode 100644
+index 0000000..831d1b4
+--- /dev/null
++++ b/man/man8/calamaris_selinux.8
+@@ -0,0 +1,93 @@
++.TH  "calamaris_selinux"  "8"  "calamaris" "dwalsh at redhat.com" "calamaris SELinux Policy documentation"
++.SH "NAME"
++calamaris_selinux \- Security Enhanced Linux Policy for the calamaris processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B calamaris
++(Squid log analysis)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux calamaris policy is very flexible allowing users to setup their calamaris processes in as secure a method as possible.
++.PP 
++The following file types are defined for calamaris:
++
++
++.EX
++.PP
++.B calamaris_exec_t 
++.EE
++
++- Set files with the calamaris_exec_t type, if you want to transition an executable to the calamaris_t domain.
++
++
++.EX
++.PP
++.B calamaris_log_t 
++.EE
++
++- Set files with the calamaris_log_t type, if you want to treat the data as calamaris log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B calamaris_www_t 
++.EE
++
++- Set files with the calamaris_www_t type, if you want to treat the files as calamaris www data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux calamaris policy is very flexible allowing users to setup their calamaris processes in as secure a method as possible.
++.PP 
++The following process types are defined for calamaris:
++
++.EX
++.B calamaris_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), calamaris(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/callweaver_selinux.8 b/man/man8/callweaver_selinux.8
+new file mode 100644
+index 0000000..00210e6
+--- /dev/null
++++ b/man/man8/callweaver_selinux.8
+@@ -0,0 +1,117 @@
++.TH  "callweaver_selinux"  "8"  "callweaver" "dwalsh at redhat.com" "callweaver SELinux Policy documentation"
++.SH "NAME"
++callweaver_selinux \- Security Enhanced Linux Policy for the callweaver processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B callweaver
++(Open source PBX project)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux callweaver policy is very flexible allowing users to setup their callweaver processes in as secure a method as possible.
++.PP 
++The following file types are defined for callweaver:
++
++
++.EX
++.PP
++.B callweaver_exec_t 
++.EE
++
++- Set files with the callweaver_exec_t type, if you want to transition an executable to the callweaver_t domain.
++
++
++.EX
++.PP
++.B callweaver_initrc_exec_t 
++.EE
++
++- Set files with the callweaver_initrc_exec_t type, if you want to transition an executable to the callweaver_initrc_t domain.
++
++
++.EX
++.PP
++.B callweaver_log_t 
++.EE
++
++- Set files with the callweaver_log_t type, if you want to treat the data as callweaver log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B callweaver_spool_t 
++.EE
++
++- Set files with the callweaver_spool_t type, if you want to store the callweaver files under the /var/spool directory.
++
++
++.EX
++.PP
++.B callweaver_var_lib_t 
++.EE
++
++- Set files with the callweaver_var_lib_t type, if you want to store the callweaver files under the /var/lib directory.
++
++
++.EX
++.PP
++.B callweaver_var_run_t 
++.EE
++
++- Set files with the callweaver_var_run_t type, if you want to store the callweaver files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux callweaver policy is very flexible allowing users to setup their callweaver processes in as secure a method as possible.
++.PP 
++The following process types are defined for callweaver:
++
++.EX
++.B callweaver_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), callweaver(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/canna_selinux.8 b/man/man8/canna_selinux.8
+new file mode 100644
+index 0000000..f254edc
+--- /dev/null
++++ b/man/man8/canna_selinux.8
+@@ -0,0 +1,125 @@
++.TH  "canna_selinux"  "8"  "canna" "dwalsh at redhat.com" "canna SELinux Policy documentation"
++.SH "NAME"
++canna_selinux \- Security Enhanced Linux Policy for the canna processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B canna
++(Canna - kana-kanji conversion server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux canna policy is very flexible allowing users to setup their canna processes in as secure a method as possible.
++.PP 
++The following file types are defined for canna:
++
++
++.EX
++.PP
++.B canna_exec_t 
++.EE
++
++- Set files with the canna_exec_t type, if you want to transition an executable to the canna_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/catdic, /usr/bin/cannaping, /usr/sbin/jserver, /usr/sbin/cannaserver
++
++.EX
++.PP
++.B canna_initrc_exec_t 
++.EE
++
++- Set files with the canna_initrc_exec_t type, if you want to transition an executable to the canna_initrc_t domain.
++
++
++.EX
++.PP
++.B canna_log_t 
++.EE
++
++- Set files with the canna_log_t type, if you want to treat the data as canna log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/wnn(/.*)?, /var/log/canna(/.*)?
++
++.EX
++.PP
++.B canna_var_lib_t 
++.EE
++
++- Set files with the canna_var_lib_t type, if you want to store the canna files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/wnn/dic(/.*)?, /var/lib/canna/dic(/.*)?
++
++.EX
++.PP
++.B canna_var_run_t 
++.EE
++
++- Set files with the canna_var_run_t type, if you want to store the canna files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/\.iroha_unix/.*, /var/run/wnn-unix(/.*)?, /var/run/\.iroha_unix
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux canna policy is very flexible allowing users to setup their canna processes in as secure a method as possible.
++.PP 
++The following process types are defined for canna:
++
++.EX
++.B canna_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), canna(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cardmgr_selinux.8 b/man/man8/cardmgr_selinux.8
+new file mode 100644
+index 0000000..a494bcb
+--- /dev/null
++++ b/man/man8/cardmgr_selinux.8
+@@ -0,0 +1,111 @@
++.TH  "cardmgr_selinux"  "8"  "cardmgr" "dwalsh at redhat.com" "cardmgr SELinux Policy documentation"
++.SH "NAME"
++cardmgr_selinux \- Security Enhanced Linux Policy for the cardmgr processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cardmgr policy is very flexible allowing users to setup their cardmgr processes in as secure a method as possible.
++.PP 
++The following file types are defined for cardmgr:
++
++
++.EX
++.PP
++.B cardmgr_dev_t 
++.EE
++
++- Set files with the cardmgr_dev_t type, if you want to treat the files as cardmgr dev data.
++
++
++.EX
++.PP
++.B cardmgr_exec_t 
++.EE
++
++- Set files with the cardmgr_exec_t type, if you want to transition an executable to the cardmgr_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/cardmgr, /etc/apm/event\.d/pcmcia, /usr/sbin/cardmgr
++
++.EX
++.PP
++.B cardmgr_lnk_t 
++.EE
++
++- Set files with the cardmgr_lnk_t type, if you want to treat the files as cardmgr lnk data.
++
++
++.EX
++.PP
++.B cardmgr_var_lib_t 
++.EE
++
++- Set files with the cardmgr_var_lib_t type, if you want to store the cardmgr files under the /var/lib directory.
++
++
++.EX
++.PP
++.B cardmgr_var_run_t 
++.EE
++
++- Set files with the cardmgr_var_run_t type, if you want to store the cardmgr files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/cardmgr\.pid, /var/run/stab, /var/lib/pcmcia(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cardmgr policy is very flexible allowing users to setup their cardmgr processes in as secure a method as possible.
++.PP 
++The following process types are defined for cardmgr:
++
++.EX
++.B cardmgr_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cardmgr(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ccs_selinux.8 b/man/man8/ccs_selinux.8
+new file mode 100644
+index 0000000..d2d4fde
+--- /dev/null
++++ b/man/man8/ccs_selinux.8
+@@ -0,0 +1,125 @@
++.TH  "ccs_selinux"  "8"  "ccs" "dwalsh at redhat.com" "ccs SELinux Policy documentation"
++.SH "NAME"
++ccs_selinux \- Security Enhanced Linux Policy for the ccs processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B ccs
++(Cluster Configuration System)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ccs policy is very flexible allowing users to setup their ccs processes in as secure a method as possible.
++.PP 
++The following file types are defined for ccs:
++
++
++.EX
++.PP
++.B ccs_exec_t 
++.EE
++
++- Set files with the ccs_exec_t type, if you want to transition an executable to the ccs_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/ccsd, /sbin/ccsd
++
++.EX
++.PP
++.B ccs_tmp_t 
++.EE
++
++- Set files with the ccs_tmp_t type, if you want to store ccs temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ccs_tmpfs_t 
++.EE
++
++- Set files with the ccs_tmpfs_t type, if you want to store ccs files on a tmpfs file system.
++
++
++.EX
++.PP
++.B ccs_var_lib_t 
++.EE
++
++- Set files with the ccs_var_lib_t type, if you want to store the ccs files under the /var/lib directory.
++
++
++.EX
++.PP
++.B ccs_var_log_t 
++.EE
++
++- Set files with the ccs_var_log_t type, if you want to treat the data as ccs var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ccs_var_run_t 
++.EE
++
++- Set files with the ccs_var_run_t type, if you want to store the ccs files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/cluster/ccsd\.pid, /var/run/cluster/ccsd\.sock
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ccs policy is very flexible allowing users to setup their ccs processes in as secure a method as possible.
++.PP 
++The following process types are defined for ccs:
++
++.EX
++.B ccs_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ccs(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cdcc_selinux.8 b/man/man8/cdcc_selinux.8
+new file mode 100644
+index 0000000..217f349
+--- /dev/null
++++ b/man/man8/cdcc_selinux.8
+@@ -0,0 +1,79 @@
++.TH  "cdcc_selinux"  "8"  "cdcc" "dwalsh at redhat.com" "cdcc SELinux Policy documentation"
++.SH "NAME"
++cdcc_selinux \- Security Enhanced Linux Policy for the cdcc processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cdcc policy is very flexible allowing users to setup their cdcc processes in as secure a method as possible.
++.PP 
++The following file types are defined for cdcc:
++
++
++.EX
++.PP
++.B cdcc_exec_t 
++.EE
++
++- Set files with the cdcc_exec_t type, if you want to transition an executable to the cdcc_t domain.
++
++
++.EX
++.PP
++.B cdcc_tmp_t 
++.EE
++
++- Set files with the cdcc_tmp_t type, if you want to store cdcc temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cdcc policy is very flexible allowing users to setup their cdcc processes in as secure a method as possible.
++.PP 
++The following process types are defined for cdcc:
++
++.EX
++.B cdcc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cdcc(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cdrecord_selinux.8 b/man/man8/cdrecord_selinux.8
+new file mode 100644
+index 0000000..db2a2e1
+--- /dev/null
++++ b/man/man8/cdrecord_selinux.8
+@@ -0,0 +1,96 @@
++.TH  "cdrecord_selinux"  "8"  "cdrecord" "dwalsh at redhat.com" "cdrecord SELinux Policy documentation"
++.SH "NAME"
++cdrecord_selinux \- Security Enhanced Linux Policy for the cdrecord processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B cdrecord
++(Policy for cdrecord)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  cdrecord policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cdrecord with the tightest access possible.
++
++
++.PP
++If you want to allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content file, you must turn on the cdrecord_read_content boolean.
++
++.EX
++.B setsebool -P cdrecord_read_content 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cdrecord policy is very flexible allowing users to setup their cdrecord processes in as secure a method as possible.
++.PP 
++The following file types are defined for cdrecord:
++
++
++.EX
++.PP
++.B cdrecord_exec_t 
++.EE
++
++- Set files with the cdrecord_exec_t type, if you want to transition an executable to the cdrecord_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/cdrecord, /usr/bin/wodim, /usr/bin/growisofs
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cdrecord policy is very flexible allowing users to setup their cdrecord processes in as secure a method as possible.
++.PP 
++The following process types are defined for cdrecord:
++
++.EX
++.B cdrecord_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cdrecord(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/certmaster_selinux.8 b/man/man8/certmaster_selinux.8
+new file mode 100644
+index 0000000..bf4f6c4
+--- /dev/null
++++ b/man/man8/certmaster_selinux.8
+@@ -0,0 +1,143 @@
++.TH  "certmaster_selinux"  "8"  "certmaster" "dwalsh at redhat.com" "certmaster SELinux Policy documentation"
++.SH "NAME"
++certmaster_selinux \- Security Enhanced Linux Policy for the certmaster processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B certmaster
++(Certmaster SSL certificate distribution service)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible.
++.PP 
++The following file types are defined for certmaster:
++
++
++.EX
++.PP
++.B certmaster_etc_rw_t 
++.EE
++
++- Set files with the certmaster_etc_rw_t type, if you want to treat the files as certmaster etc read/write content.
++
++
++.EX
++.PP
++.B certmaster_exec_t 
++.EE
++
++- Set files with the certmaster_exec_t type, if you want to transition an executable to the certmaster_t domain.
++
++
++.EX
++.PP
++.B certmaster_initrc_exec_t 
++.EE
++
++- Set files with the certmaster_initrc_exec_t type, if you want to transition an executable to the certmaster_initrc_t domain.
++
++
++.EX
++.PP
++.B certmaster_var_lib_t 
++.EE
++
++- Set files with the certmaster_var_lib_t type, if you want to store the certmaster files under the /var/lib directory.
++
++
++.EX
++.PP
++.B certmaster_var_log_t 
++.EE
++
++- Set files with the certmaster_var_log_t type, if you want to treat the data as certmaster var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B certmaster_var_run_t 
++.EE
++
++- Set files with the certmaster_var_run_t type, if you want to store the certmaster files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible.
++.PP 
++The following port types are defined for certmaster:
++
++.EX
++.TP 5
++.B certmaster_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible.
++.PP 
++The following process types are defined for certmaster:
++
++.EX
++.B certmaster_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), certmaster(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/certmonger_selinux.8 b/man/man8/certmonger_selinux.8
+new file mode 100644
+index 0000000..2f01973
+--- /dev/null
++++ b/man/man8/certmonger_selinux.8
+@@ -0,0 +1,109 @@
++.TH  "certmonger_selinux"  "8"  "certmonger" "dwalsh at redhat.com" "certmonger SELinux Policy documentation"
++.SH "NAME"
++certmonger_selinux \- Security Enhanced Linux Policy for the certmonger processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B certmonger
++(Certificate status monitor and PKI enrollment client)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux certmonger policy is very flexible allowing users to setup their certmonger processes in as secure a method as possible.
++.PP 
++The following file types are defined for certmonger:
++
++
++.EX
++.PP
++.B certmonger_exec_t 
++.EE
++
++- Set files with the certmonger_exec_t type, if you want to transition an executable to the certmonger_t domain.
++
++
++.EX
++.PP
++.B certmonger_initrc_exec_t 
++.EE
++
++- Set files with the certmonger_initrc_exec_t type, if you want to transition an executable to the certmonger_initrc_t domain.
++
++
++.EX
++.PP
++.B certmonger_unconfined_exec_t 
++.EE
++
++- Set files with the certmonger_unconfined_exec_t type, if you want to transition an executable to the certmonger_unconfined_t domain.
++
++
++.EX
++.PP
++.B certmonger_var_lib_t 
++.EE
++
++- Set files with the certmonger_var_lib_t type, if you want to store the certmonger files under the /var/lib directory.
++
++
++.EX
++.PP
++.B certmonger_var_run_t 
++.EE
++
++- Set files with the certmonger_var_run_t type, if you want to store the certmonger files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux certmonger policy is very flexible allowing users to setup their certmonger processes in as secure a method as possible.
++.PP 
++The following process types are defined for certmonger:
++
++.EX
++.B certmonger_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), certmonger(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/certwatch_selinux.8 b/man/man8/certwatch_selinux.8
+new file mode 100644
+index 0000000..612259c
+--- /dev/null
++++ b/man/man8/certwatch_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "certwatch_selinux"  "8"  "certwatch" "dwalsh at redhat.com" "certwatch SELinux Policy documentation"
++.SH "NAME"
++certwatch_selinux \- Security Enhanced Linux Policy for the certwatch processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B certwatch
++(Digital Certificate Tracking)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux certwatch policy is very flexible allowing users to setup their certwatch processes in as secure a method as possible.
++.PP 
++The following file types are defined for certwatch:
++
++
++.EX
++.PP
++.B certwatch_exec_t 
++.EE
++
++- Set files with the certwatch_exec_t type, if you want to transition an executable to the certwatch_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux certwatch policy is very flexible allowing users to setup their certwatch processes in as secure a method as possible.
++.PP 
++The following process types are defined for certwatch:
++
++.EX
++.B certwatch_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), certwatch(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cfengine_selinux.8 b/man/man8/cfengine_selinux.8
+new file mode 100644
+index 0000000..0831deb
+--- /dev/null
++++ b/man/man8/cfengine_selinux.8
+@@ -0,0 +1,113 @@
++.TH  "cfengine_selinux"  "8"  "cfengine" "dwalsh at redhat.com" "cfengine SELinux Policy documentation"
++.SH "NAME"
++cfengine_selinux \- Security Enhanced Linux Policy for the cfengine processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B cfengine
++(policy for cfengine)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cfengine policy is very flexible allowing users to setup their cfengine processes in as secure a method as possible.
++.PP 
++The following file types are defined for cfengine:
++
++
++.EX
++.PP
++.B cfengine_execd_exec_t 
++.EE
++
++- Set files with the cfengine_execd_exec_t type, if you want to transition an executable to the cfengine_execd_t domain.
++
++
++.EX
++.PP
++.B cfengine_initrc_exec_t 
++.EE
++
++- Set files with the cfengine_initrc_exec_t type, if you want to transition an executable to the cfengine_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/cf-serverd, /etc/rc\.d/init\.d/cf-execd, /etc/rc\.d/init\.d/cf-monitord
++
++.EX
++.PP
++.B cfengine_monitord_exec_t 
++.EE
++
++- Set files with the cfengine_monitord_exec_t type, if you want to transition an executable to the cfengine_monitord_t domain.
++
++
++.EX
++.PP
++.B cfengine_serverd_exec_t 
++.EE
++
++- Set files with the cfengine_serverd_exec_t type, if you want to transition an executable to the cfengine_serverd_t domain.
++
++
++.EX
++.PP
++.B cfengine_var_lib_t 
++.EE
++
++- Set files with the cfengine_var_lib_t type, if you want to store the cfengine files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cfengine policy is very flexible allowing users to setup their cfengine processes in as secure a method as possible.
++.PP 
++The following process types are defined for cfengine:
++
++.EX
++.B cfengine_execd_t, cfengine_monitord_t, cfengine_serverd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cfengine(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cgclear_selinux.8 b/man/man8/cgclear_selinux.8
+new file mode 100644
+index 0000000..8dc7a1f
+--- /dev/null
++++ b/man/man8/cgclear_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "cgclear_selinux"  "8"  "cgclear" "dwalsh at redhat.com" "cgclear SELinux Policy documentation"
++.SH "NAME"
++cgclear_selinux \- Security Enhanced Linux Policy for the cgclear processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cgclear policy is very flexible allowing users to setup their cgclear processes in as secure a method as possible.
++.PP 
++The following file types are defined for cgclear:
++
++
++.EX
++.PP
++.B cgclear_exec_t 
++.EE
++
++- Set files with the cgclear_exec_t type, if you want to transition an executable to the cgclear_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/cgclear, /usr/sbin/cgclear
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cgclear policy is very flexible allowing users to setup their cgclear processes in as secure a method as possible.
++.PP 
++The following process types are defined for cgclear:
++
++.EX
++.B cgclear_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cgclear(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cgconfig_selinux.8 b/man/man8/cgconfig_selinux.8
+new file mode 100644
+index 0000000..bf8323b
+--- /dev/null
++++ b/man/man8/cgconfig_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "cgconfig_selinux"  "8"  "cgconfig" "dwalsh at redhat.com" "cgconfig SELinux Policy documentation"
++.SH "NAME"
++cgconfig_selinux \- Security Enhanced Linux Policy for the cgconfig processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cgconfig policy is very flexible allowing users to setup their cgconfig processes in as secure a method as possible.
++.PP 
++The following file types are defined for cgconfig:
++
++
++.EX
++.PP
++.B cgconfig_etc_t 
++.EE
++
++- Set files with the cgconfig_etc_t type, if you want to store cgconfig files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/sysconfig/cgconfig, /etc/cgconfig.conf
++
++.EX
++.PP
++.B cgconfig_exec_t 
++.EE
++
++- Set files with the cgconfig_exec_t type, if you want to transition an executable to the cgconfig_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/cgconfigparser, /sbin/cgconfigparser
++
++.EX
++.PP
++.B cgconfig_initrc_exec_t 
++.EE
++
++- Set files with the cgconfig_initrc_exec_t type, if you want to transition an executable to the cgconfig_initrc_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cgconfig policy is very flexible allowing users to setup their cgconfig processes in as secure a method as possible.
++.PP 
++The following process types are defined for cgconfig:
++
++.EX
++.B cgconfig_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cgconfig(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cgred_selinux.8 b/man/man8/cgred_selinux.8
+new file mode 100644
+index 0000000..8cf1b40
+--- /dev/null
++++ b/man/man8/cgred_selinux.8
+@@ -0,0 +1,99 @@
++.TH  "cgred_selinux"  "8"  "cgred" "dwalsh at redhat.com" "cgred SELinux Policy documentation"
++.SH "NAME"
++cgred_selinux \- Security Enhanced Linux Policy for the cgred processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cgred policy is very flexible allowing users to setup their cgred processes in as secure a method as possible.
++.PP 
++The following file types are defined for cgred:
++
++
++.EX
++.PP
++.B cgred_exec_t 
++.EE
++
++- Set files with the cgred_exec_t type, if you want to transition an executable to the cgred_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/cgrulesengd, /usr/sbin/cgrulesengd
++
++.EX
++.PP
++.B cgred_initrc_exec_t 
++.EE
++
++- Set files with the cgred_initrc_exec_t type, if you want to transition an executable to the cgred_initrc_t domain.
++
++
++.EX
++.PP
++.B cgred_log_t 
++.EE
++
++- Set files with the cgred_log_t type, if you want to treat the data as cgred log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B cgred_var_run_t 
++.EE
++
++- Set files with the cgred_var_run_t type, if you want to store the cgred files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cgred policy is very flexible allowing users to setup their cgred processes in as secure a method as possible.
++.PP 
++The following process types are defined for cgred:
++
++.EX
++.B cgred_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cgred(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/checkpc_selinux.8 b/man/man8/checkpc_selinux.8
+new file mode 100644
+index 0000000..5c6fcde
+--- /dev/null
++++ b/man/man8/checkpc_selinux.8
+@@ -0,0 +1,79 @@
++.TH  "checkpc_selinux"  "8"  "checkpc" "dwalsh at redhat.com" "checkpc SELinux Policy documentation"
++.SH "NAME"
++checkpc_selinux \- Security Enhanced Linux Policy for the checkpc processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux checkpc policy is very flexible allowing users to setup their checkpc processes in as secure a method as possible.
++.PP 
++The following file types are defined for checkpc:
++
++
++.EX
++.PP
++.B checkpc_exec_t 
++.EE
++
++- Set files with the checkpc_exec_t type, if you want to transition an executable to the checkpc_t domain.
++
++
++.EX
++.PP
++.B checkpc_log_t 
++.EE
++
++- Set files with the checkpc_log_t type, if you want to treat the data as checkpc log data, usually stored under the /var/log directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux checkpc policy is very flexible allowing users to setup their checkpc processes in as secure a method as possible.
++.PP 
++The following process types are defined for checkpc:
++
++.EX
++.B checkpc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), checkpc(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/checkpolicy_selinux.8 b/man/man8/checkpolicy_selinux.8
+new file mode 100644
+index 0000000..b67fcc4
+--- /dev/null
++++ b/man/man8/checkpolicy_selinux.8
+@@ -0,0 +1,71 @@
++.TH  "checkpolicy_selinux"  "8"  "checkpolicy" "dwalsh at redhat.com" "checkpolicy SELinux Policy documentation"
++.SH "NAME"
++checkpolicy_selinux \- Security Enhanced Linux Policy for the checkpolicy processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux checkpolicy policy is very flexible allowing users to setup their checkpolicy processes in as secure a method as possible.
++.PP 
++The following file types are defined for checkpolicy:
++
++
++.EX
++.PP
++.B checkpolicy_exec_t 
++.EE
++
++- Set files with the checkpolicy_exec_t type, if you want to transition an executable to the checkpolicy_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux checkpolicy policy is very flexible allowing users to setup their checkpolicy processes in as secure a method as possible.
++.PP 
++The following process types are defined for checkpolicy:
++
++.EX
++.B checkpolicy_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), checkpolicy(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/chfn_selinux.8 b/man/man8/chfn_selinux.8
+new file mode 100644
+index 0000000..c81760f
+--- /dev/null
++++ b/man/man8/chfn_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "chfn_selinux"  "8"  "chfn" "dwalsh at redhat.com" "chfn SELinux Policy documentation"
++.SH "NAME"
++chfn_selinux \- Security Enhanced Linux Policy for the chfn processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux chfn policy is very flexible allowing users to setup their chfn processes in as secure a method as possible.
++.PP 
++The following file types are defined for chfn:
++
++
++.EX
++.PP
++.B chfn_exec_t 
++.EE
++
++- Set files with the chfn_exec_t type, if you want to transition an executable to the chfn_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/chfn, /usr/bin/chsh
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux chfn policy is very flexible allowing users to setup their chfn processes in as secure a method as possible.
++.PP 
++The following process types are defined for chfn:
++
++.EX
++.B chfn_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), chfn(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/chkpwd_selinux.8 b/man/man8/chkpwd_selinux.8
+new file mode 100644
+index 0000000..03d8e09
+--- /dev/null
++++ b/man/man8/chkpwd_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "chkpwd_selinux"  "8"  "chkpwd" "dwalsh at redhat.com" "chkpwd SELinux Policy documentation"
++.SH "NAME"
++chkpwd_selinux \- Security Enhanced Linux Policy for the chkpwd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux chkpwd policy is very flexible allowing users to setup their chkpwd processes in as secure a method as possible.
++.PP 
++The following file types are defined for chkpwd:
++
++
++.EX
++.PP
++.B chkpwd_exec_t 
++.EE
++
++- Set files with the chkpwd_exec_t type, if you want to transition an executable to the chkpwd_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/unix_verify, /sbin/unix_chkpwd, /usr/sbin/unix_verify, /usr/sbin/validate, /usr/sbin/unix_chkpwd
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux chkpwd policy is very flexible allowing users to setup their chkpwd processes in as secure a method as possible.
++.PP 
++The following process types are defined for chkpwd:
++
++.EX
++.B chkpwd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), chkpwd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/chrome_selinux.8 b/man/man8/chrome_selinux.8
+new file mode 100644
+index 0000000..e83770b
+--- /dev/null
++++ b/man/man8/chrome_selinux.8
+@@ -0,0 +1,124 @@
++.TH  "chrome_selinux"  "8"  "chrome" "dwalsh at redhat.com" "chrome SELinux Policy documentation"
++.SH "NAME"
++chrome_selinux \- Security Enhanced Linux Policy for the chrome processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B chrome
++(policy for chrome)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  chrome policy is extremely flexible and has several booleans that allow you to manipulate the policy and run chrome with the tightest access possible.
++
++
++.PP
++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbo, you must turn on the unconfined_chrome_sandbox_transition boolean.
++
++.EX
++.B setsebool -P unconfined_chrome_sandbox_transition 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux chrome policy is very flexible allowing users to setup their chrome processes in as secure a method as possible.
++.PP 
++The following file types are defined for chrome:
++
++
++.EX
++.PP
++.B chrome_sandbox_exec_t 
++.EE
++
++- Set files with the chrome_sandbox_exec_t type, if you want to transition an executable to the chrome_sandbox_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/chromium-browser/chrome-sandbox, /opt/google/chrome/chrome-sandbox
++
++.EX
++.PP
++.B chrome_sandbox_nacl_exec_t 
++.EE
++
++- Set files with the chrome_sandbox_nacl_exec_t type, if you want to transition an executable to the chrome_sandbox_nacl_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/chromium-browser/nacl_helper_bootstrap, /opt/google/chrome/nacl_helper_bootstrap
++
++.EX
++.PP
++.B chrome_sandbox_tmp_t 
++.EE
++
++- Set files with the chrome_sandbox_tmp_t type, if you want to store chrome sandbox temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B chrome_sandbox_tmpfs_t 
++.EE
++
++- Set files with the chrome_sandbox_tmpfs_t type, if you want to store chrome sandbox files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux chrome policy is very flexible allowing users to setup their chrome processes in as secure a method as possible.
++.PP 
++The following process types are defined for chrome:
++
++.EX
++.B chrome_sandbox_t, chrome_sandbox_nacl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), chrome(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
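Review bot: The escape that should end the bold run is mistyped as `\bP` in `\fB\-Z\fP option to \fBls\bP` (FILE CONTEXTS) and in `\fBps\bP` (PROCESS TYPES). `\b` is not a font change, so bold is never switched off; the lines should end in `\fBls\fP` and `\fBps\fP`. The same two lines recur in the chronyd, ciped, clamd, clamscan, clogd, clvmd and cmirrord pages of this patch, so the fix presumably belongs in genman.py rather than in each file. In BOOLEANS, `chrome-sandbo` is cut short (presumably `chrome-sandbox`), and the clamd and clamscan pages have the same kind of truncation in `user conten`, which suggests the generator drops the last character of the boolean description.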
+diff --git a/man/man8/chronyd_selinux.8 b/man/man8/chronyd_selinux.8
+new file mode 100644
+index 0000000..b178fb9
+--- /dev/null
++++ b/man/man8/chronyd_selinux.8
+@@ -0,0 +1,167 @@
++.TH  "chronyd_selinux"  "8"  "chronyd" "dwalsh at redhat.com" "chronyd SELinux Policy documentation"
++.SH "NAME"
++chronyd_selinux \- Security Enhanced Linux Policy for the chronyd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B chronyd
++(Chrony NTP background daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible.
++.PP 
++The following file types are defined for chronyd:
++
++
++.EX
++.PP
++.B chronyd_exec_t 
++.EE
++
++- Set files with the chronyd_exec_t type, if you want to transition an executable to the chronyd_t domain.
++
++
++.EX
++.PP
++.B chronyd_initrc_exec_t 
++.EE
++
++- Set files with the chronyd_initrc_exec_t type, if you want to transition an executable to the chronyd_initrc_t domain.
++
++
++.EX
++.PP
++.B chronyd_keys_t 
++.EE
++
++- Set files with the chronyd_keys_t type, if you want to treat the files as chronyd keys data.
++
++
++.EX
++.PP
++.B chronyd_tmpfs_t 
++.EE
++
++- Set files with the chronyd_tmpfs_t type, if you want to store chronyd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B chronyd_unit_file_t 
++.EE
++
++- Set files with the chronyd_unit_file_t type, if you want to treat the files as chronyd unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/chrony.*, /usr/lib/systemd/system/chronyd.*
++
++.EX
++.PP
++.B chronyd_var_lib_t 
++.EE
++
++- Set files with the chronyd_var_lib_t type, if you want to store the chronyd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B chronyd_var_log_t 
++.EE
++
++- Set files with the chronyd_var_log_t type, if you want to treat the data as chronyd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B chronyd_var_run_t 
++.EE
++
++- Set files with the chronyd_var_run_t type, if you want to store the chronyd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/chronyd(/.*), /var/run/chronyd\.sock, /var/run/chronyd\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible.
++.PP 
++The following port types are defined for chronyd:
++
++.EX
++.TP 5
++.B chronyd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible.
++.PP 
++The following process types are defined for chronyd:
++
++.EX
++.B chronyd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), chronyd(8), semanage(8), restorecon(8), chcon(1)
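Review bot: `Default Defined Ports:` / `tcp 8021` under `chronyd_port_t` looks like a generator artifact rather than the port bound to this type, because the clamd_selinux.8 hunk prints the identical `tcp 8021` for `clamd_port_t`. An administrator who reads this page to decide which ports the confined daemon may use would be misled. The value should be taken per type from the policy's port definitions (what `semanage port -l` reports) and checked before the page ships. The markup around it is also unbalanced in both pages: `.TP 10` is followed directly by `.EE` with no tag, and a second `.EE` after the port line has no matching `.EX`.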
+diff --git a/man/man8/ciped_selinux.8 b/man/man8/ciped_selinux.8
+new file mode 100644
+index 0000000..e387cea
+--- /dev/null
++++ b/man/man8/ciped_selinux.8
+@@ -0,0 +1,71 @@
++.TH  "ciped_selinux"  "8"  "ciped" "dwalsh at redhat.com" "ciped SELinux Policy documentation"
++.SH "NAME"
++ciped_selinux \- Security Enhanced Linux Policy for the ciped processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ciped policy is very flexible allowing users to setup their ciped processes in as secure a method as possible.
++.PP 
++The following file types are defined for ciped:
++
++
++.EX
++.PP
++.B ciped_exec_t 
++.EE
++
++- Set files with the ciped_exec_t type, if you want to transition an executable to the ciped_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ciped policy is very flexible allowing users to setup their ciped processes in as secure a method as possible.
++.PP 
++The following process types are defined for ciped:
++
++.EX
++.B ciped_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ciped(8), semanage(8), restorecon(8), chcon(1)
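Review bot: The permissive note in PROCESS TYPES shows how to stop enforcement for a domain with `semanage permissive -a PROCESS_TYPE` but not how to restore it, and it does not say that this should be a temporary troubleshooting state. I would add a sentence after it such as `Use semanage permissive -d PROCESS_TYPE to return the domain to enforcing once troubleshooting is done.` The same paragraph is generated into every page in this patch, so one change in the generator template would cover them all. DESCRIPTION is also empty here (and in the clamd, clamscan and clvmd pages), so the page never says what ciped is.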
+diff --git a/man/man8/clamd_selinux.8 b/man/man8/clamd_selinux.8
+new file mode 100644
+index 0000000..7ffdf73
+--- /dev/null
++++ b/man/man8/clamd_selinux.8
+@@ -0,0 +1,183 @@
++.TH  "clamd_selinux"  "8"  "clamd" "dwalsh at redhat.com" "clamd SELinux Policy documentation"
++.SH "NAME"
++clamd_selinux \- Security Enhanced Linux Policy for the clamd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  clamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamd with the tightest access possible.
++
++
++.PP
++If you want to allow clamscan to read user conten, you must turn on the clamscan_read_user_content boolean.
++
++.EX
++.B setsebool -P clamscan_read_user_content 1
++.EE
++
++.PP
++If you want to allow clamd to use JIT compile, you must turn on the clamd_use_jit boolean.
++
++.EX
++.B setsebool -P clamd_use_jit 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux clamd policy is very flexible allowing users to setup their clamd processes in as secure a method as possible.
++.PP 
++The following file types are defined for clamd:
++
++
++.EX
++.PP
++.B clamd_etc_t 
++.EE
++
++- Set files with the clamd_etc_t type, if you want to store clamd files in the /etc directories.
++
++
++.EX
++.PP
++.B clamd_exec_t 
++.EE
++
++- Set files with the clamd_exec_t type, if you want to transition an executable to the clamd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/clamd, /usr/sbin/clamav-milter
++
++.EX
++.PP
++.B clamd_initrc_exec_t 
++.EE
++
++- Set files with the clamd_initrc_exec_t type, if you want to transition an executable to the clamd_initrc_t domain.
++
++
++.EX
++.PP
++.B clamd_tmp_t 
++.EE
++
++- Set files with the clamd_tmp_t type, if you want to store clamd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B clamd_var_lib_t 
++.EE
++
++- Set files with the clamd_var_lib_t type, if you want to store the clamd files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/clamd.*, /var/clamav(/.*)?, /var/lib/clamav(/.*)?
++
++.EX
++.PP
++.B clamd_var_log_t 
++.EE
++
++- Set files with the clamd_var_log_t type, if you want to treat the data as clamd var log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/clamav.*, /var/log/clamd.*
++
++.EX
++.PP
++.B clamd_var_run_t 
++.EE
++
++- Set files with the clamd_var_run_t type, if you want to store the clamd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/amavis(d)?/clamd\.pid, /var/run/clamd.*, /var/run/clamav.*, /var/spool/MailScanner(/.*)?, /var/spool/amavisd/clamd\.sock
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux clamd policy is very flexible allowing users to setup their clamd processes in as secure a method as possible.
++.PP 
++The following port types are defined for clamd:
++
++.EX
++.TP 5
++.B clamd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux clamd policy is very flexible allowing users to setup their clamd processes in as secure a method as possible.
++.PP 
++The following process types are defined for clamd:
++
++.EX
++.B clamd_t, clamscan_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), clamd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/clamscan_selinux.8 b/man/man8/clamscan_selinux.8
+new file mode 100644
+index 0000000..4b82f56
+--- /dev/null
++++ b/man/man8/clamscan_selinux.8
+@@ -0,0 +1,98 @@
++.TH  "clamscan_selinux"  "8"  "clamscan" "dwalsh at redhat.com" "clamscan SELinux Policy documentation"
++.SH "NAME"
++clamscan_selinux \- Security Enhanced Linux Policy for the clamscan processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  clamscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamscan with the tightest access possible.
++
++
++.PP
++If you want to allow clamscan to read user conten, you must turn on the clamscan_read_user_content boolean.
++
++.EX
++.B setsebool -P clamscan_read_user_content 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux clamscan policy is very flexible allowing users to setup their clamscan processes in as secure a method as possible.
++.PP 
++The following file types are defined for clamscan:
++
++
++.EX
++.PP
++.B clamscan_exec_t 
++.EE
++
++- Set files with the clamscan_exec_t type, if you want to transition an executable to the clamscan_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/clamdscan, /usr/bin/clamscan
++
++.EX
++.PP
++.B clamscan_tmp_t 
++.EE
++
++- Set files with the clamscan_tmp_t type, if you want to store clamscan temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux clamscan policy is very flexible allowing users to setup their clamscan processes in as secure a method as possible.
++.PP 
++The following process types are defined for clamscan:
++
++.EX
++.B clamscan_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), clamscan(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/clogd_selinux.8 b/man/man8/clogd_selinux.8
+new file mode 100644
+index 0000000..c68d541
+--- /dev/null
++++ b/man/man8/clogd_selinux.8
+@@ -0,0 +1,93 @@
++.TH  "clogd_selinux"  "8"  "clogd" "dwalsh at redhat.com" "clogd SELinux Policy documentation"
++.SH "NAME"
++clogd_selinux \- Security Enhanced Linux Policy for the clogd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B clogd
++(clogd - Clustered Mirror Log Server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux clogd policy is very flexible allowing users to setup their clogd processes in as secure a method as possible.
++.PP 
++The following file types are defined for clogd:
++
++
++.EX
++.PP
++.B clogd_exec_t 
++.EE
++
++- Set files with the clogd_exec_t type, if you want to transition an executable to the clogd_t domain.
++
++
++.EX
++.PP
++.B clogd_tmpfs_t 
++.EE
++
++- Set files with the clogd_tmpfs_t type, if you want to store clogd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B clogd_var_run_t 
++.EE
++
++- Set files with the clogd_var_run_t type, if you want to store the clogd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux clogd policy is very flexible allowing users to setup their clogd processes in as secure a method as possible.
++.PP 
++The following process types are defined for clogd:
++
++.EX
++.B clogd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), clogd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/clvmd_selinux.8 b/man/man8/clvmd_selinux.8
+new file mode 100644
+index 0000000..f25da6c
+--- /dev/null
++++ b/man/man8/clvmd_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "clvmd_selinux"  "8"  "clvmd" "dwalsh at redhat.com" "clvmd SELinux Policy documentation"
++.SH "NAME"
++clvmd_selinux \- Security Enhanced Linux Policy for the clvmd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux clvmd policy is very flexible allowing users to setup their clvmd processes in as secure a method as possible.
++.PP 
++The following file types are defined for clvmd:
++
++
++.EX
++.PP
++.B clvmd_exec_t 
++.EE
++
++- Set files with the clvmd_exec_t type, if you want to transition an executable to the clvmd_t domain.
++
++
++.EX
++.PP
++.B clvmd_initrc_exec_t 
++.EE
++
++- Set files with the clvmd_initrc_exec_t type, if you want to transition an executable to the clvmd_initrc_t domain.
++
++
++.EX
++.PP
++.B clvmd_tmpfs_t 
++.EE
++
++- Set files with the clvmd_tmpfs_t type, if you want to store clvmd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B clvmd_var_run_t 
++.EE
++
++- Set files with the clvmd_var_run_t type, if you want to store the clvmd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux clvmd policy is very flexible allowing users to setup their clvmd processes in as secure a method as possible.
++.PP 
++The following process types are defined for clvmd:
++
++.EX
++.B clvmd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), clvmd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cmirrord_selinux.8 b/man/man8/cmirrord_selinux.8
+new file mode 100644
+index 0000000..056abd4
+--- /dev/null
++++ b/man/man8/cmirrord_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "cmirrord_selinux"  "8"  "cmirrord" "dwalsh at redhat.com" "cmirrord SELinux Policy documentation"
++.SH "NAME"
++cmirrord_selinux \- Security Enhanced Linux Policy for the cmirrord processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B cmirrord
++(Cluster mirror log daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cmirrord policy is very flexible allowing users to setup their cmirrord processes in as secure a method as possible.
++.PP 
++The following file types are defined for cmirrord:
++
++
++.EX
++.PP
++.B cmirrord_exec_t 
++.EE
++
++- Set files with the cmirrord_exec_t type, if you want to transition an executable to the cmirrord_t domain.
++
++
++.EX
++.PP
++.B cmirrord_initrc_exec_t 
++.EE
++
++- Set files with the cmirrord_initrc_exec_t type, if you want to transition an executable to the cmirrord_initrc_t domain.
++
++
++.EX
++.PP
++.B cmirrord_tmpfs_t 
++.EE
++
++- Set files with the cmirrord_tmpfs_t type, if you want to store cmirrord files on a tmpfs file system.
++
++
++.EX
++.PP
++.B cmirrord_var_run_t 
++.EE
++
++- Set files with the cmirrord_var_run_t type, if you want to store the cmirrord files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cmirrord policy is very flexible allowing users to setup their cmirrord processes in as secure a method as possible.
++.PP 
++The following process types are defined for cmirrord:
++
++.EX
++.B cmirrord_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cmirrord(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cobblerd_selinux.8 b/man/man8/cobblerd_selinux.8
+new file mode 100644
+index 0000000..9a63029
+--- /dev/null
++++ b/man/man8/cobblerd_selinux.8
+@@ -0,0 +1,211 @@
++.TH  "cobblerd_selinux"  "8"  "cobblerd" "dwalsh at redhat.com" "cobblerd SELinux Policy documentation"
++.SH "NAME"
++cobblerd_selinux \- Security Enhanced Linux Policy for the cobblerd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  cobblerd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cobblerd with the tightest access possible.
++
++
++.PP
++If you want to allow Cobbler to connect to the network using TCP, you must turn on the cobbler_can_network_connect boolean.
++
++.EX
++.B setsebool -P cobbler_can_network_connect 1
++.EE
++
++.PP
++If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean.
++
++.EX
++.B setsebool -P cobbler_use_nfs 1
++.EE
++
++.PP
++If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean.
++
++.EX
++.B setsebool -P httpd_can_network_connect_cobbler 1
++.EE
++
++.PP
++If you want to allow Cobbler to access cifs file systems, you must turn on the cobbler_use_cifs boolean.
++
++.EX
++.B setsebool -P cobbler_use_cifs 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow cobblerd servers to read the /var/cobblerd directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/cobblerd(/.*)?"
++.br
++.B restorecon -F -R -v /var/cobblerd
++.pp
++.TP
++Allow cobblerd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_cobblerd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/cobblerd/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/cobblerd/incoming
++
++
++.PP
++If you want to allow Cobbler to modify public files used for public file transfer services., you must turn on the cobbler_anon_write boolean.
++
++.EX
++.B setsebool -P cobbler_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cobblerd policy is very flexible allowing users to setup their cobblerd processes in as secure a method as possible.
++.PP 
++The following file types are defined for cobblerd:
++
++
++.EX
++.PP
++.B cobbler_etc_t 
++.EE
++
++- Set files with the cobbler_etc_t type, if you want to store cobbler files in the /etc directories.
++
++
++.EX
++.PP
++.B cobbler_tmp_t 
++.EE
++
++- Set files with the cobbler_tmp_t type, if you want to store cobbler temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cobbler_var_lib_t 
++.EE
++
++- Set files with the cobbler_var_lib_t type, if you want to store the cobbler files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/cobbler(/.*)?, /var/www/cobbler/images(/.*)?, /var/www/cobbler/repo_mirror(/.*)?, /var/lib/tftpboot/pxelinux\.cfg(/.*)?, /var/lib/tftpboot/memdisk, /var/lib/tftpboot/s390x(/.*)?, /var/www/cobbler/links(/.*)?, /var/lib/tftpboot/menu\.c32, /var/lib/tftpboot/yaboot, /var/www/cobbler/localmirror(/.*)?, /var/www/cobbler/ks_mirror(/.*)?, /var/lib/tftpboot/grub(/.*)?, /var/www/cobbler/pub(/.*)?, /var/lib/tftpboot/ppc(/.*)?, /var/lib/tftpboot/pxelinux\.0, /var/lib/tftpboot/images(/.*)?, /var/lib/tftpboot/etc(/.*)?, /var/www/cobbler/rendered(/.*)?
++
++.EX
++.PP
++.B cobbler_var_log_t 
++.EE
++
++- Set files with the cobbler_var_log_t type, if you want to treat the data as cobbler var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B cobblerd_exec_t 
++.EE
++
++- Set files with the cobblerd_exec_t type, if you want to transition an executable to the cobblerd_t domain.
++
++
++.EX
++.PP
++.B cobblerd_initrc_exec_t 
++.EE
++
++- Set files with the cobblerd_initrc_exec_t type, if you want to transition an executable to the cobblerd_initrc_t domain.
++
++
++.EX
++.PP
++.B cobblerd_unit_file_t 
++.EE
++
++- Set files with the cobblerd_unit_file_t type, if you want to treat the files as cobblerd unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux cobblerd policy is very flexible allowing users to setup their cobblerd processes in as secure a method as possible.
++.PP 
++The following port types are defined for cobblerd:
++
++.EX
++.TP 5
++.B cobbler_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cobblerd policy is very flexible allowing users to setup their cobblerd processes in as secure a method as possible.
++.PP 
++The following process types are defined for cobblerd:
++
++.EX
++.B cobblerd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cobblerd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/collectd_selinux.8 b/man/man8/collectd_selinux.8
+new file mode 100644
+index 0000000..6210747
+--- /dev/null
++++ b/man/man8/collectd_selinux.8
+@@ -0,0 +1,124 @@
++.TH  "collectd_selinux"  "8"  "collectd" "dwalsh at redhat.com" "collectd SELinux Policy documentation"
++.SH "NAME"
++collectd_selinux \- Security Enhanced Linux Policy for the collectd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B collectd
++(policy for collectd)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  collectd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run collectd with the tightest access possible.
++
++
++.PP
++If you want to allow collectd to connect to the network using TCP, you must turn on the collectd_can_network_connect boolean.
++
++.EX
++.B setsebool -P collectd_can_network_connect 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux collectd policy is very flexible allowing users to setup their collectd processes in as secure a method as possible.
++.PP 
++The following file types are defined for collectd:
++
++
++.EX
++.PP
++.B collectd_exec_t 
++.EE
++
++- Set files with the collectd_exec_t type, if you want to transition an executable to the collectd_t domain.
++
++
++.EX
++.PP
++.B collectd_initrc_exec_t 
++.EE
++
++- Set files with the collectd_initrc_exec_t type, if you want to transition an executable to the collectd_initrc_t domain.
++
++
++.EX
++.PP
++.B collectd_unit_file_t 
++.EE
++
++- Set files with the collectd_unit_file_t type, if you want to treat the files as collectd unit content.
++
++
++.EX
++.PP
++.B collectd_var_lib_t 
++.EE
++
++- Set files with the collectd_var_lib_t type, if you want to store the collectd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B collectd_var_run_t 
++.EE
++
++- Set files with the collectd_var_run_t type, if you want to store the collectd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux collectd policy is very flexible allowing users to setup their collectd processes in as secure a method as possible.
++.PP 
++The following process types are defined for collectd:
++
++.EX
++.B collectd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), collectd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/colord_selinux.8 b/man/man8/colord_selinux.8
+new file mode 100644
+index 0000000..7ed4ac6
+--- /dev/null
++++ b/man/man8/colord_selinux.8
+@@ -0,0 +1,117 @@
++.TH  "colord_selinux"  "8"  "colord" "dwalsh at redhat.com" "colord SELinux Policy documentation"
++.SH "NAME"
++colord_selinux \- Security Enhanced Linux Policy for the colord processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B colord
++(GNOME color manager)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux colord policy is very flexible allowing users to setup their colord processes in as secure a method as possible.
++.PP 
++The following file types are defined for colord:
++
++
++.EX
++.PP
++.B colord_exec_t 
++.EE
++
++- Set files with the colord_exec_t type, if you want to transition an executable to the colord_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/libexec/colord-sane, /usr/libexec/colord
++
++.EX
++.PP
++.B colord_tmp_t 
++.EE
++
++- Set files with the colord_tmp_t type, if you want to store colord temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B colord_tmpfs_t 
++.EE
++
++- Set files with the colord_tmpfs_t type, if you want to store colord files on a tmpfs file system.
++
++
++.EX
++.PP
++.B colord_unit_file_t 
++.EE
++
++- Set files with the colord_unit_file_t type, if you want to treat the files as colord unit content.
++
++
++.EX
++.PP
++.B colord_var_lib_t 
++.EE
++
++- Set files with the colord_var_lib_t type, if you want to store the colord files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/color(/.*)?, /var/lib/colord(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux colord policy is very flexible allowing users to setup their colord processes in as secure a method as possible.
++.PP 
++The following process types are defined for colord:
++
++.EX
++.B colord_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), colord(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/comsat_selinux.8 b/man/man8/comsat_selinux.8
+new file mode 100644
+index 0000000..da3d8e9
+--- /dev/null
++++ b/man/man8/comsat_selinux.8
+@@ -0,0 +1,119 @@
++.TH  "comsat_selinux"  "8"  "comsat" "dwalsh at redhat.com" "comsat SELinux Policy documentation"
++.SH "NAME"
++comsat_selinux \- Security Enhanced Linux Policy for the comsat processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B comsat
++(Comsat, a biff server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux comsat policy is very flexible allowing users to setup their comsat processes in as secure a method as possible.
++.PP 
++The following file types are defined for comsat:
++
++
++.EX
++.PP
++.B comsat_exec_t 
++.EE
++
++- Set files with the comsat_exec_t type, if you want to transition an executable to the comsat_t domain.
++
++
++.EX
++.PP
++.B comsat_tmp_t 
++.EE
++
++- Set files with the comsat_tmp_t type, if you want to store comsat temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B comsat_var_run_t 
++.EE
++
++- Set files with the comsat_var_run_t type, if you want to store the comsat files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux comsat policy is very flexible allowing users to setup their comsat processes in as secure a method as possible.
++.PP 
++The following port types are defined for comsat:
++
++.EX
++.TP 5
++.B comsat_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux comsat policy is very flexible allowing users to setup their comsat processes in as secure a method as possible.
++.PP 
++The following process types are defined for comsat:
++
++.EX
++.B comsat_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), comsat(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/consolekit_selinux.8 b/man/man8/consolekit_selinux.8
+new file mode 100644
+index 0000000..cac5397
+--- /dev/null
++++ b/man/man8/consolekit_selinux.8
+@@ -0,0 +1,113 @@
++.TH  "consolekit_selinux"  "8"  "consolekit" "dwalsh at redhat.com" "consolekit SELinux Policy documentation"
++.SH "NAME"
++consolekit_selinux \- Security Enhanced Linux Policy for the consolekit processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B consolekit
++(Framework for facilitating multiple user sessions on desktops)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux consolekit policy is very flexible allowing users to setup their consolekit processes in as secure a method as possible.
++.PP 
++The following file types are defined for consolekit:
++
++
++.EX
++.PP
++.B consolekit_exec_t 
++.EE
++
++- Set files with the consolekit_exec_t type, if you want to transition an executable to the consolekit_t domain.
++
++
++.EX
++.PP
++.B consolekit_log_t 
++.EE
++
++- Set files with the consolekit_log_t type, if you want to treat the data as consolekit log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B consolekit_tmpfs_t 
++.EE
++
++- Set files with the consolekit_tmpfs_t type, if you want to store consolekit files on a tmpfs file system.
++
++
++.EX
++.PP
++.B consolekit_unit_file_t 
++.EE
++
++- Set files with the consolekit_unit_file_t type, if you want to treat the files as consolekit unit content.
++
++
++.EX
++.PP
++.B consolekit_var_run_t 
++.EE
++
++- Set files with the consolekit_var_run_t type, if you want to store the consolekit files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/console-kit-daemon\.pid, /var/run/ConsoleKit(/.*)?, /var/run/consolekit\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux consolekit policy is very flexible allowing users to setup their consolekit processes in as secure a method as possible.
++.PP 
++The following process types are defined for consolekit:
++
++.EX
++.B consolekit_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), consolekit(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/consoletype_selinux.8 b/man/man8/consoletype_selinux.8
+new file mode 100644
+index 0000000..931d27b
+--- /dev/null
++++ b/man/man8/consoletype_selinux.8
+@@ -0,0 +1,83 @@
++.TH  "consoletype_selinux"  "8"  "consoletype" "dwalsh at redhat.com" "consoletype SELinux Policy documentation"
++.SH "NAME"
++consoletype_selinux \- Security Enhanced Linux Policy for the consoletype processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B consoletype
++(
++Determine of the console connected to the controlling terminal.
++)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux consoletype policy is very flexible allowing users to setup their consoletype processes in as secure a method as possible.
++.PP 
++The following file types are defined for consoletype:
++
++
++.EX
++.PP
++.B consoletype_exec_t 
++.EE
++
++- Set files with the consoletype_exec_t type, if you want to transition an executable to the consoletype_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/consoletype, /sbin/consoletype
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux consoletype policy is very flexible allowing users to setup their consoletype processes in as secure a method as possible.
++.PP 
++The following process types are defined for consoletype:
++
++.EX
++.B consoletype_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), consoletype(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/corosync_selinux.8 b/man/man8/corosync_selinux.8
+new file mode 100644
+index 0000000..a20c704
+--- /dev/null
++++ b/man/man8/corosync_selinux.8
+@@ -0,0 +1,149 @@
++.TH  "corosync_selinux"  "8"  "corosync" "dwalsh at redhat.com" "corosync SELinux Policy documentation"
++.SH "NAME"
++corosync_selinux \- Security Enhanced Linux Policy for the corosync processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B corosync
++(Corosync Cluster Engine)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux corosync policy is very flexible allowing users to setup their corosync processes in as secure a method as possible.
++.PP 
++The following file types are defined for corosync:
++
++
++.EX
++.PP
++.B corosync_exec_t 
++.EE
++
++- Set files with the corosync_exec_t type, if you want to transition an executable to the corosync_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/ccs_tool, /usr/sbin/corosync, /usr/sbin/corosync-notifyd, /usr/lib(64)?/heartbeat/heartbeat, /usr/sbin/cman_tool
++
++.EX
++.PP
++.B corosync_initrc_exec_t 
++.EE
++
++- Set files with the corosync_initrc_exec_t type, if you want to transition an executable to the corosync_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/heartbeat, /etc/rc\.d/init\.d/corosync
++
++.EX
++.PP
++.B corosync_tmp_t 
++.EE
++
++- Set files with the corosync_tmp_t type, if you want to store corosync temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B corosync_tmpfs_t 
++.EE
++
++- Set files with the corosync_tmpfs_t type, if you want to store corosync files on a tmpfs file system.
++
++
++.EX
++.PP
++.B corosync_unit_file_t 
++.EE
++
++- Set files with the corosync_unit_file_t type, if you want to treat the files as corosync unit content.
++
++
++.EX
++.PP
++.B corosync_var_lib_t 
++.EE
++
++- Set files with the corosync_var_lib_t type, if you want to store the corosync files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/corosync(/.*)?, /usr/lib(64)?/heartbeat(/.*)?
++
++.EX
++.PP
++.B corosync_var_log_t 
++.EE
++
++- Set files with the corosync_var_log_t type, if you want to treat the data as corosync var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B corosync_var_run_t 
++.EE
++
++- Set files with the corosync_var_run_t type, if you want to store the corosync files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/hearbeat(/.*)?, /var/run/corosync\.pid, /var/run/cman_.*
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux corosync policy is very flexible allowing users to setup their corosync processes in as secure a method as possible.
++.PP 
++The following process types are defined for corosync:
++
++.EX
++.B corosync_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), corosync(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/couchdb_selinux.8 b/man/man8/couchdb_selinux.8
+new file mode 100644
+index 0000000..61ec71c
+--- /dev/null
++++ b/man/man8/couchdb_selinux.8
+@@ -0,0 +1,151 @@
++.TH  "couchdb_selinux"  "8"  "couchdb" "dwalsh at redhat.com" "couchdb SELinux Policy documentation"
++.SH "NAME"
++couchdb_selinux \- Security Enhanced Linux Policy for the couchdb processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B couchdb
++(policy for couchdb)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
++.PP 
++The following file types are defined for couchdb:
++
++
++.EX
++.PP
++.B couchdb_etc_t 
++.EE
++
++- Set files with the couchdb_etc_t type, if you want to store couchdb files in the /etc directories.
++
++
++.EX
++.PP
++.B couchdb_exec_t 
++.EE
++
++- Set files with the couchdb_exec_t type, if you want to transition an executable to the couchdb_t domain.
++
++
++.EX
++.PP
++.B couchdb_log_t 
++.EE
++
++- Set files with the couchdb_log_t type, if you want to treat the data as couchdb log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B couchdb_tmp_t 
++.EE
++
++- Set files with the couchdb_tmp_t type, if you want to store couchdb temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B couchdb_unit_file_t 
++.EE
++
++- Set files with the couchdb_unit_file_t type, if you want to treat the files as couchdb unit content.
++
++
++.EX
++.PP
++.B couchdb_var_lib_t 
++.EE
++
++- Set files with the couchdb_var_lib_t type, if you want to store the couchdb files under the /var/lib directory.
++
++
++.EX
++.PP
++.B couchdb_var_run_t 
++.EE
++
++- Set files with the couchdb_var_run_t type, if you want to store the couchdb files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
++.PP 
++The following port types are defined for couchdb:
++
++.EX
++.TP 5
++.B couchdb_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
++.PP 
++The following process types are defined for couchdb:
++
++.EX
++.B couchdb_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), couchdb(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/courier_selinux.8 b/man/man8/courier_selinux.8
+new file mode 100644
+index 0000000..3dc9d81
+--- /dev/null
++++ b/man/man8/courier_selinux.8
+@@ -0,0 +1,165 @@
++.TH  "courier_selinux"  "8"  "courier" "dwalsh at redhat.com" "courier SELinux Policy documentation"
++.SH "NAME"
++courier_selinux \- Security Enhanced Linux Policy for the courier processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B courier
++(Courier IMAP and POP3 email servers)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux courier policy is very flexible allowing users to setup their courier processes in as secure a method as possible.
++.PP 
++The following file types are defined for courier:
++
++
++.EX
++.PP
++.B courier_authdaemon_exec_t 
++.EE
++
++- Set files with the courier_authdaemon_exec_t type, if you want to transition an executable to the courier_authdaemon_t domain.
++
++
++.EX
++.PP
++.B courier_etc_t 
++.EE
++
++- Set files with the courier_etc_t type, if you want to store courier files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/courier/rootcerts(/.*)?, /etc/courier(/.*)?
++
++.EX
++.PP
++.B courier_exec_t 
++.EE
++
++- Set files with the courier_exec_t type, if you want to transition an executable to the courier_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/courierlogger, /usr/lib/courier/courier/.*, /usr/sbin/courierldapaliasd
++
++.EX
++.PP
++.B courier_pcp_exec_t 
++.EE
++
++- Set files with the courier_pcp_exec_t type, if you want to transition an executable to the courier_pcp_t domain.
++
++
++.EX
++.PP
++.B courier_pop_exec_t 
++.EE
++
++- Set files with the courier_pop_exec_t type, if you want to transition an executable to the courier_pop_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/courier/imapd, /usr/lib/courier/courier/courierpop.*, /usr/lib/courier/pop3d, /usr/lib/courier/courier/imaplogin, /usr/bin/imapd
++
++.EX
++.PP
++.B courier_spool_t 
++.EE
++
++- Set files with the courier_spool_t type, if you want to store the courier files under the /var/spool directory.
++
++.br
++.TP 5
++Paths: 
++/var/spool/authdaemon(/.*)?, /var/spool/courier(/.*)?
++
++.EX
++.PP
++.B courier_sqwebmail_exec_t 
++.EE
++
++- Set files with the courier_sqwebmail_exec_t type, if you want to transition an executable to the courier_sqwebmail_t domain.
++
++
++.EX
++.PP
++.B courier_tcpd_exec_t 
++.EE
++
++- Set files with the courier_tcpd_exec_t type, if you want to transition an executable to the courier_tcpd_t domain.
++
++
++.EX
++.PP
++.B courier_var_lib_t 
++.EE
++
++- Set files with the courier_var_lib_t type, if you want to store the courier files under the /var/lib directory.
++
++
++.EX
++.PP
++.B courier_var_run_t 
++.EE
++
++- Set files with the courier_var_run_t type, if you want to store the courier files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux courier policy is very flexible allowing users to setup their courier processes in as secure a method as possible.
++.PP 
++The following process types are defined for courier:
++
++.EX
++.B courier_sqwebmail_t, courier_tcpd_t, courier_authdaemon_t, courier_pcp_t, courier_pop_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), courier(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cpucontrol_selinux.8 b/man/man8/cpucontrol_selinux.8
+new file mode 100644
+index 0000000..e50677e
+--- /dev/null
++++ b/man/man8/cpucontrol_selinux.8
+@@ -0,0 +1,89 @@
++.TH  "cpucontrol_selinux"  "8"  "cpucontrol" "dwalsh at redhat.com" "cpucontrol SELinux Policy documentation"
++.SH "NAME"
++cpucontrol_selinux \- Security Enhanced Linux Policy for the cpucontrol processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B cpucontrol
++(Services for loading CPU microcode and CPU frequency scaling)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cpucontrol policy is very flexible allowing users to setup their cpucontrol processes in as secure a method as possible.
++.PP 
++The following file types are defined for cpucontrol:
++
++
++.EX
++.PP
++.B cpucontrol_conf_t 
++.EE
++
++- Set files with the cpucontrol_conf_t type, if you want to treat the files as cpucontrol configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B cpucontrol_exec_t 
++.EE
++
++- Set files with the cpucontrol_exec_t type, if you want to transition an executable to the cpucontrol_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/microcode_ctl, /usr/sbin/microcode_ctl
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cpucontrol policy is very flexible allowing users to setup their cpucontrol processes in as secure a method as possible.
++.PP 
++The following process types are defined for cpucontrol:
++
++.EX
++.B cpucontrol_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cpucontrol(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cpufreqselector_selinux.8 b/man/man8/cpufreqselector_selinux.8
+new file mode 100644
+index 0000000..e7b10a3
+--- /dev/null
++++ b/man/man8/cpufreqselector_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "cpufreqselector_selinux"  "8"  "cpufreqselector" "dwalsh at redhat.com" "cpufreqselector SELinux Policy documentation"
++.SH "NAME"
++cpufreqselector_selinux \- Security Enhanced Linux Policy for the cpufreqselector processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B cpufreqselector
++(Command-line CPU frequency settings)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cpufreqselector policy is very flexible allowing users to setup their cpufreqselector processes in as secure a method as possible.
++.PP 
++The following file types are defined for cpufreqselector:
++
++
++.EX
++.PP
++.B cpufreqselector_exec_t 
++.EE
++
++- Set files with the cpufreqselector_exec_t type, if you want to transition an executable to the cpufreqselector_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cpufreqselector policy is very flexible allowing users to setup their cpufreqselector processes in as secure a method as possible.
++.PP 
++The following process types are defined for cpufreqselector:
++
++.EX
++.B cpufreqselector_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cpufreqselector(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cpuspeed_selinux.8 b/man/man8/cpuspeed_selinux.8
+new file mode 100644
+index 0000000..8142e64
+--- /dev/null
++++ b/man/man8/cpuspeed_selinux.8
+@@ -0,0 +1,83 @@
++.TH  "cpuspeed_selinux"  "8"  "cpuspeed" "dwalsh at redhat.com" "cpuspeed SELinux Policy documentation"
++.SH "NAME"
++cpuspeed_selinux \- Security Enhanced Linux Policy for the cpuspeed processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cpuspeed policy is very flexible allowing users to setup their cpuspeed processes in as secure a method as possible.
++.PP 
++The following file types are defined for cpuspeed:
++
++
++.EX
++.PP
++.B cpuspeed_exec_t 
++.EE
++
++- Set files with the cpuspeed_exec_t type, if you want to transition an executable to the cpuspeed_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/cpuspeed, /usr/sbin/powernowd, /usr/sbin/cpufreqd
++
++.EX
++.PP
++.B cpuspeed_var_run_t 
++.EE
++
++- Set files with the cpuspeed_var_run_t type, if you want to store the cpuspeed files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cpuspeed policy is very flexible allowing users to setup their cpuspeed processes in as secure a method as possible.
++.PP 
++The following process types are defined for cpuspeed:
++
++.EX
++.B cpuspeed_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cpuspeed(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/crack_selinux.8 b/man/man8/crack_selinux.8
+new file mode 100644
+index 0000000..328fc4d
+--- /dev/null
++++ b/man/man8/crack_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "crack_selinux"  "8"  "crack" "dwalsh at redhat.com" "crack SELinux Policy documentation"
++.SH "NAME"
++crack_selinux \- Security Enhanced Linux Policy for the crack processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux crack policy is very flexible allowing users to setup their crack processes in as secure a method as possible.
++.PP 
++The following file types are defined for crack:
++
++
++.EX
++.PP
++.B crack_db_t 
++.EE
++
++- Set files with the crack_db_t type, if you want to treat the files as crack database content.
++
++.br
++.TP 5
++Paths: 
++/var/cache/cracklib(/.*)?, /usr/share/cracklib(/.*)?, /usr/lib/cracklib_dict.*
++
++.EX
++.PP
++.B crack_exec_t 
++.EE
++
++- Set files with the crack_exec_t type, if you want to transition an executable to the crack_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/cracklib-[a-z]*, /usr/sbin/crack_[a-z]*
++
++.EX
++.PP
++.B crack_tmp_t 
++.EE
++
++- Set files with the crack_tmp_t type, if you want to store crack temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux crack policy is very flexible allowing users to setup their crack processes in as secure a method as possible.
++.PP 
++The following process types are defined for crack:
++
++.EX
++.B crack_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), crack(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/crond_selinux.8 b/man/man8/crond_selinux.8
+new file mode 100644
+index 0000000..b717fd8
+--- /dev/null
++++ b/man/man8/crond_selinux.8
+@@ -0,0 +1,173 @@
++.TH  "crond_selinux"  "8"  "crond" "dwalsh at redhat.com" "crond SELinux Policy documentation"
++.SH "NAME"
++crond_selinux \- Security Enhanced Linux Policy for the crond processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  crond policy is extremely flexible and has several booleans that allow you to manipulate the policy and run crond with the tightest access possible.
++
++
++.PP
++If you want to enable extra rules in the cron domain to support fcron, you must turn on the fcron_crond boolean.
++
++.EX
++.B setsebool -P fcron_crond 1
++.EE
++
++.PP
++If you want to allow system cron jobs to relabel filesystem for restoring file contexts, you must turn on the cron_can_relabel boolean.
++
++.EX
++.B setsebool -P cron_can_relabel 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible.
++.PP 
++The following file types are defined for crond:
++
++
++.EX
++.PP
++.B cron_log_t 
++.EE
++
++- Set files with the cron_log_t type, if you want to treat the data as cron log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B cron_spool_t 
++.EE
++
++- Set files with the cron_spool_t type, if you want to store the cron files under the /var/spool directory.
++
++.br
++.TP 5
++Paths: 
++/var/spool/fcron, /var/spool/cron/crontabs
++
++.EX
++.PP
++.B cron_var_lib_t 
++.EE
++
++- Set files with the cron_var_lib_t type, if you want to store the cron files under the /var/lib directory.
++
++
++.EX
++.PP
++.B cron_var_run_t 
++.EE
++
++- Set files with the cron_var_run_t type, if you want to store the cron files under the /run directory.
++
++
++.EX
++.PP
++.B crond_exec_t 
++.EE
++
++- Set files with the crond_exec_t type, if you want to transition an executable to the crond_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/atd, /usr/sbin/fcron, /usr/sbin/cron(d)?
++
++.EX
++.PP
++.B crond_initrc_exec_t 
++.EE
++
++- Set files with the crond_initrc_exec_t type, if you want to transition an executable to the crond_initrc_t domain.
++
++
++.EX
++.PP
++.B crond_tmp_t 
++.EE
++
++- Set files with the crond_tmp_t type, if you want to store crond temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B crond_unit_file_t 
++.EE
++
++- Set files with the crond_unit_file_t type, if you want to treat the files as crond unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/atd\.service, /usr/lib/systemd/system/crond\.service, /lib/systemd/system/crond\.service
++
++.EX
++.PP
++.B crond_var_run_t 
++.EE
++
++- Set files with the crond_var_run_t type, if you want to store the crond files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/crond?\.pid, /var/run/.*cron.*, /var/run/fcron\.pid, /var/run/crond?\.reboot, /var/run/fcron\.fifo, /var/run/atd\.pid, /var/run/anacron\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible.
++.PP 
++The following process types are defined for crond:
++
++.EX
++.B crond_t, cronjob_t, crontab_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), crond(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/crontab_selinux.8 b/man/man8/crontab_selinux.8
+new file mode 100644
+index 0000000..3de534f
+--- /dev/null
++++ b/man/man8/crontab_selinux.8
+@@ -0,0 +1,83 @@
++.TH  "crontab_selinux"  "8"  "crontab" "dwalsh at redhat.com" "crontab SELinux Policy documentation"
++.SH "NAME"
++crontab_selinux \- Security Enhanced Linux Policy for the crontab processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux crontab policy is very flexible allowing users to setup their crontab processes in as secure a method as possible.
++.PP 
++The following file types are defined for crontab:
++
++
++.EX
++.PP
++.B crontab_exec_t 
++.EE
++
++- Set files with the crontab_exec_t type, if you want to transition an executable to the crontab_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/(f)?crontab, /usr/bin/at
++
++.EX
++.PP
++.B crontab_tmp_t 
++.EE
++
++- Set files with the crontab_tmp_t type, if you want to store crontab temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux crontab policy is very flexible allowing users to setup their crontab processes in as secure a method as possible.
++.PP 
++The following process types are defined for crontab:
++
++.EX
++.B crontab_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), crontab(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ctdbd_selinux.8 b/man/man8/ctdbd_selinux.8
+new file mode 100644
+index 0000000..1da47eb
+--- /dev/null
++++ b/man/man8/ctdbd_selinux.8
+@@ -0,0 +1,155 @@
++.TH  "ctdbd_selinux"  "8"  "ctdbd" "dwalsh at redhat.com" "ctdbd SELinux Policy documentation"
++.SH "NAME"
++ctdbd_selinux \- Security Enhanced Linux Policy for the ctdbd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B ctdbd
++(policy for ctdbd)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible.
++.PP 
++The following file types are defined for ctdbd:
++
++
++.EX
++.PP
++.B ctdbd_exec_t 
++.EE
++
++- Set files with the ctdbd_exec_t type, if you want to transition an executable to the ctdbd_t domain.
++
++
++.EX
++.PP
++.B ctdbd_initrc_exec_t 
++.EE
++
++- Set files with the ctdbd_initrc_exec_t type, if you want to transition an executable to the ctdbd_initrc_t domain.
++
++
++.EX
++.PP
++.B ctdbd_log_t 
++.EE
++
++- Set files with the ctdbd_log_t type, if you want to treat the data as ctdbd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ctdbd_spool_t 
++.EE
++
++- Set files with the ctdbd_spool_t type, if you want to store the ctdbd files under the /var/spool directory.
++
++
++.EX
++.PP
++.B ctdbd_tmp_t 
++.EE
++
++- Set files with the ctdbd_tmp_t type, if you want to store ctdbd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ctdbd_var_lib_t 
++.EE
++
++- Set files with the ctdbd_var_lib_t type, if you want to store the ctdbd files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/ctdb(/.*)?, /var/lib/ctdbd(/.*)?, /etc/ctdb(/.*)?, /var/ctdbd(/.*)?
++
++.EX
++.PP
++.B ctdbd_var_run_t 
++.EE
++
++- Set files with the ctdbd_var_run_t type, if you want to store the ctdbd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible.
++.PP 
++The following port types are defined for ctdbd:
++
++.EX
++.TP 5
++.B ctdb_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible.
++.PP 
++The following process types are defined for ctdbd:
++
++.EX
++.B ctdbd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ctdbd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cups_selinux.8 b/man/man8/cups_selinux.8
+new file mode 100644
+index 0000000..8bedca4
+--- /dev/null
++++ b/man/man8/cups_selinux.8
+@@ -0,0 +1,225 @@
++.TH  "cups_selinux"  "8"  "cups" "dwalsh at redhat.com" "cups SELinux Policy documentation"
++.SH "NAME"
++cups_selinux \- Security Enhanced Linux Policy for the cups processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B cups
++(Common UNIX printing system)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cups policy is very flexible allowing users to setup their cups processes in as secure a method as possible.
++.PP 
++The following file types are defined for cups:
++
++
++.EX
++.PP
++.B cups_pdf_exec_t 
++.EE
++
++- Set files with the cups_pdf_exec_t type, if you want to transition an executable to the cups_pdf_t domain.
++
++
++.EX
++.PP
++.B cups_pdf_tmp_t 
++.EE
++
++- Set files with the cups_pdf_tmp_t type, if you want to store cups pdf temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cupsd_config_exec_t 
++.EE
++
++- Set files with the cupsd_config_exec_t type, if you want to transition an executable to the cupsd_config_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/printconf-backend, /usr/sbin/hal_lpadmin, /usr/lib/udev/udev-configure-printer, /usr/libexec/cups-pk-helper-mechanism, /usr/libexec/hal_lpadmin, /lib/udev/udev-configure-printer, /usr/bin/cups-config-daemon
++
++.EX
++.PP
++.B cupsd_config_var_run_t 
++.EE
++
++- Set files with the cupsd_config_var_run_t type, if you want to store the cupsd config files under the /run directory.
++
++
++.EX
++.PP
++.B cupsd_etc_t 
++.EE
++
++- Set files with the cupsd_etc_t type, if you want to store cupsd files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/usr/share/cups(/.*)?, /etc/cups(/.*)?
++
++.EX
++.PP
++.B cupsd_exec_t 
++.EE
++
++- Set files with the cupsd_exec_t type, if you want to transition an executable to the cupsd_t domain.
++
++
++.EX
++.PP
++.B cupsd_initrc_exec_t 
++.EE
++
++- Set files with the cupsd_initrc_exec_t type, if you want to transition an executable to the cupsd_initrc_t domain.
++
++
++.EX
++.PP
++.B cupsd_interface_t 
++.EE
++
++- Set files with the cupsd_interface_t type, if you want to treat the files as cupsd interface data.
++
++
++.EX
++.PP
++.B cupsd_lock_t 
++.EE
++
++- Set files with the cupsd_lock_t type, if you want to treat the files as cupsd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B cupsd_log_t 
++.EE
++
++- Set files with the cupsd_log_t type, if you want to treat the data as cupsd log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/cups(/.*)?, /usr/local/Brother/fax/.*\.log, /var/log/turboprint.*
++
++.EX
++.PP
++.B cupsd_lpd_exec_t 
++.EE
++
++- Set files with the cupsd_lpd_exec_t type, if you want to transition an executable to the cupsd_lpd_t domain.
++
++
++.EX
++.PP
++.B cupsd_lpd_tmp_t 
++.EE
++
++- Set files with the cupsd_lpd_tmp_t type, if you want to store cupsd lpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cupsd_lpd_var_run_t 
++.EE
++
++- Set files with the cupsd_lpd_var_run_t type, if you want to store the cupsd lpd files under the /run directory.
++
++
++.EX
++.PP
++.B cupsd_rw_etc_t 
++.EE
++
++- Set files with the cupsd_rw_etc_t type, if you want to store cupsd rw files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/lib/cups/certs, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids
++
++.EX
++.PP
++.B cupsd_tmp_t 
++.EE
++
++- Set files with the cupsd_tmp_t type, if you want to store cupsd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cupsd_unit_file_t 
++.EE
++
++- Set files with the cupsd_unit_file_t type, if you want to treat the files as cupsd unit content.
++
++
++.EX
++.PP
++.B cupsd_var_run_t 
++.EE
++
++- Set files with the cupsd_var_run_t type, if you want to store the cupsd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/turboprint(/.*)?, /var/run/cups(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cups policy is very flexible allowing users to setup their cups processes in as secure a method as possible.
++.PP 
++The following process types are defined for cups:
++
++.EX
++.B cupsd_t, cupsd_config_t, cupsd_lpd_t, cups_pdf_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cups(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cupsd_selinux.8 b/man/man8/cupsd_selinux.8
+new file mode 100644
+index 0000000..2ce03af
+--- /dev/null
++++ b/man/man8/cupsd_selinux.8
+@@ -0,0 +1,219 @@
++.TH  "cupsd_selinux"  "8"  "cupsd" "dwalsh at redhat.com" "cupsd SELinux Policy documentation"
++.SH "NAME"
++cupsd_selinux \- Security Enhanced Linux Policy for the cupsd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cupsd policy is very flexible allowing users to setup their cupsd processes in as secure a method as possible.
++.PP 
++The following file types are defined for cupsd:
++
++
++.EX
++.PP
++.B cups_pdf_exec_t 
++.EE
++
++- Set files with the cups_pdf_exec_t type, if you want to transition an executable to the cups_pdf_t domain.
++
++
++.EX
++.PP
++.B cups_pdf_tmp_t 
++.EE
++
++- Set files with the cups_pdf_tmp_t type, if you want to store cups pdf temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cupsd_config_exec_t 
++.EE
++
++- Set files with the cupsd_config_exec_t type, if you want to transition an executable to the cupsd_config_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/printconf-backend, /usr/sbin/hal_lpadmin, /usr/lib/udev/udev-configure-printer, /usr/libexec/cups-pk-helper-mechanism, /usr/libexec/hal_lpadmin, /lib/udev/udev-configure-printer, /usr/bin/cups-config-daemon
++
++.EX
++.PP
++.B cupsd_config_var_run_t 
++.EE
++
++- Set files with the cupsd_config_var_run_t type, if you want to store the cupsd config files under the /run directory.
++
++
++.EX
++.PP
++.B cupsd_etc_t 
++.EE
++
++- Set files with the cupsd_etc_t type, if you want to store cupsd files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/usr/share/cups(/.*)?, /etc/cups(/.*)?
++
++.EX
++.PP
++.B cupsd_exec_t 
++.EE
++
++- Set files with the cupsd_exec_t type, if you want to transition an executable to the cupsd_t domain.
++
++
++.EX
++.PP
++.B cupsd_initrc_exec_t 
++.EE
++
++- Set files with the cupsd_initrc_exec_t type, if you want to transition an executable to the cupsd_initrc_t domain.
++
++
++.EX
++.PP
++.B cupsd_interface_t 
++.EE
++
++- Set files with the cupsd_interface_t type, if you want to treat the files as cupsd interface data.
++
++
++.EX
++.PP
++.B cupsd_lock_t 
++.EE
++
++- Set files with the cupsd_lock_t type, if you want to treat the files as cupsd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B cupsd_log_t 
++.EE
++
++- Set files with the cupsd_log_t type, if you want to treat the data as cupsd log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/cups(/.*)?, /usr/local/Brother/fax/.*\.log, /var/log/turboprint.*
++
++.EX
++.PP
++.B cupsd_lpd_exec_t 
++.EE
++
++- Set files with the cupsd_lpd_exec_t type, if you want to transition an executable to the cupsd_lpd_t domain.
++
++
++.EX
++.PP
++.B cupsd_lpd_tmp_t 
++.EE
++
++- Set files with the cupsd_lpd_tmp_t type, if you want to store cupsd lpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cupsd_lpd_var_run_t 
++.EE
++
++- Set files with the cupsd_lpd_var_run_t type, if you want to store the cupsd lpd files under the /run directory.
++
++
++.EX
++.PP
++.B cupsd_rw_etc_t 
++.EE
++
++- Set files with the cupsd_rw_etc_t type, if you want to store cupsd rw files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/lib/cups/certs, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids
++
++.EX
++.PP
++.B cupsd_tmp_t 
++.EE
++
++- Set files with the cupsd_tmp_t type, if you want to store cupsd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cupsd_unit_file_t 
++.EE
++
++- Set files with the cupsd_unit_file_t type, if you want to treat the files as cupsd unit content.
++
++
++.EX
++.PP
++.B cupsd_var_run_t 
++.EE
++
++- Set files with the cupsd_var_run_t type, if you want to store the cupsd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/turboprint(/.*)?, /var/run/cups(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cupsd policy is very flexible allowing users to setup their cupsd processes in as secure a method as possible.
++.PP 
++The following process types are defined for cupsd:
++
++.EX
++.B cupsd_t, cupsd_config_t, cupsd_lpd_t, cups_pdf_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cupsd(8), semanage(8), restorecon(8), chcon(1)
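Review bot: The escape that should end the bold run is misspelled as `\bP` in `You can see the context of a file using the \fB\-Z\fP option to \fBls\bP` and in the matching `\fBps\bP` line under PROCESS TYPES. `\b` is not a font escape, so the bold is never reset to the previous font and the command name may render incorrectly; both lines should end in `\fBls\fP` and `\fBps\fP`. The same two lines appear in the cvs, cyphesis, cyrus, dbskkd and dcc pages added by this patch, so the fix most likely belongs in the genman.py template rather than in each page. In this page the `.SH "DESCRIPTION"` section is also empty, unlike the cvs and cyrus pages, which carry a one-line description of the confined service.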
+diff --git a/man/man8/cvs_selinux.8 b/man/man8/cvs_selinux.8
+new file mode 100644
+index 0000000..5047556
+--- /dev/null
++++ b/man/man8/cvs_selinux.8
+@@ -0,0 +1,162 @@
++.TH  "cvs_selinux"  "8"  "cvs" "dwalsh at redhat.com" "cvs SELinux Policy documentation"
++.SH "NAME"
++cvs_selinux \- Security Enhanced Linux Policy for the cvs processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B cvs
++(Concurrent versions system)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  cvs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cvs with the tightest access possible.
++
++
++.PP
++If you want to allow cvs daemon to read shado, you must turn on the allow_cvs_read_shadow boolean.
++
++.EX
++.B setsebool -P allow_cvs_read_shadow 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cvs policy is very flexible allowing users to setup their cvs processes in as secure a method as possible.
++.PP 
++The following file types are defined for cvs:
++
++
++.EX
++.PP
++.B cvs_data_t 
++.EE
++
++- Set files with the cvs_data_t type, if you want to treat the files as cvs content.
++
++.br
++.TP 5
++Paths: 
++/opt/cvs(/.*)?, /var/cvs(/.*)?
++
++.EX
++.PP
++.B cvs_exec_t 
++.EE
++
++- Set files with the cvs_exec_t type, if you want to transition an executable to the cvs_t domain.
++
++
++.EX
++.PP
++.B cvs_initrc_exec_t 
++.EE
++
++- Set files with the cvs_initrc_exec_t type, if you want to transition an executable to the cvs_initrc_t domain.
++
++
++.EX
++.PP
++.B cvs_keytab_t 
++.EE
++
++- Set files with the cvs_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B cvs_tmp_t 
++.EE
++
++- Set files with the cvs_tmp_t type, if you want to store cvs temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cvs_var_run_t 
++.EE
++
++- Set files with the cvs_var_run_t type, if you want to store the cvs files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux cvs policy is very flexible allowing users to setup their cvs processes in as secure a method as possible.
++.PP 
++The following port types are defined for cvs:
++
++.EX
++.TP 5
++.B cvs_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cvs policy is very flexible allowing users to setup their cvs processes in as secure a method as possible.
++.PP 
++The following process types are defined for cvs:
++
++.EX
++.B cvs_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cvs(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
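Review bot: The PORT TYPES section lists `tcp 8021` as the default port for `cvs_port_t`, and the identical value is printed for `cyphesis_port_t`, `dbskkd_port_t`, `dcc_port_t` and `dccm_port_t` in the pages that follow. Five unrelated services sharing one default port suggests the generator is emitting a fixed value rather than looking it up per type. An administrator who trusts this page when writing firewall rules or `semanage port` changes would be working from a wrong label-to-port mapping. The value should be taken per type from what `semanage port -l` reports, or the "Default Defined Ports:" block should be omitted until genman.py does that lookup. Separately, `read shado` in the BOOLEANS text should read `read shadow`.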
+diff --git a/man/man8/cyphesis_selinux.8 b/man/man8/cyphesis_selinux.8
+new file mode 100644
+index 0000000..25cbcca
+--- /dev/null
++++ b/man/man8/cyphesis_selinux.8
+@@ -0,0 +1,127 @@
++.TH  "cyphesis_selinux"  "8"  "cyphesis" "dwalsh at redhat.com" "cyphesis SELinux Policy documentation"
++.SH "NAME"
++cyphesis_selinux \- Security Enhanced Linux Policy for the cyphesis processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B cyphesis
++(Cyphesis WorldForge game server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cyphesis policy is very flexible allowing users to setup their cyphesis processes in as secure a method as possible.
++.PP 
++The following file types are defined for cyphesis:
++
++
++.EX
++.PP
++.B cyphesis_exec_t 
++.EE
++
++- Set files with the cyphesis_exec_t type, if you want to transition an executable to the cyphesis_t domain.
++
++
++.EX
++.PP
++.B cyphesis_log_t 
++.EE
++
++- Set files with the cyphesis_log_t type, if you want to treat the data as cyphesis log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B cyphesis_tmp_t 
++.EE
++
++- Set files with the cyphesis_tmp_t type, if you want to store cyphesis temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cyphesis_var_run_t 
++.EE
++
++- Set files with the cyphesis_var_run_t type, if you want to store the cyphesis files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux cyphesis policy is very flexible allowing users to setup their cyphesis processes in as secure a method as possible.
++.PP 
++The following port types are defined for cyphesis:
++
++.EX
++.TP 5
++.B cyphesis_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cyphesis policy is very flexible allowing users to setup their cyphesis processes in as secure a method as possible.
++.PP 
++The following process types are defined for cyphesis:
++
++.EX
++.B cyphesis_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cyphesis(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/cyrus_selinux.8 b/man/man8/cyrus_selinux.8
+new file mode 100644
+index 0000000..d9b68c2
+--- /dev/null
++++ b/man/man8/cyrus_selinux.8
+@@ -0,0 +1,125 @@
++.TH  "cyrus_selinux"  "8"  "cyrus" "dwalsh at redhat.com" "cyrus SELinux Policy documentation"
++.SH "NAME"
++cyrus_selinux \- Security Enhanced Linux Policy for the cyrus processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B cyrus
++(Cyrus is an IMAP service intended to be run on sealed servers)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux cyrus policy is very flexible allowing users to setup their cyrus processes in as secure a method as possible.
++.PP 
++The following file types are defined for cyrus:
++
++
++.EX
++.PP
++.B cyrus_exec_t 
++.EE
++
++- Set files with the cyrus_exec_t type, if you want to transition an executable to the cyrus_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/cyrus-imapd/cyrus-master, /usr/lib/cyrus/master
++
++.EX
++.PP
++.B cyrus_initrc_exec_t 
++.EE
++
++- Set files with the cyrus_initrc_exec_t type, if you want to transition an executable to the cyrus_initrc_t domain.
++
++
++.EX
++.PP
++.B cyrus_keytab_t 
++.EE
++
++- Set files with the cyrus_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B cyrus_tmp_t 
++.EE
++
++- Set files with the cyrus_tmp_t type, if you want to store cyrus temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cyrus_var_lib_t 
++.EE
++
++- Set files with the cyrus_var_lib_t type, if you want to store the cyrus files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/imap(/.*)?, /var/lib/imap(/.*)?
++
++.EX
++.PP
++.B cyrus_var_run_t 
++.EE
++
++- Set files with the cyrus_var_run_t type, if you want to store the cyrus files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cyrus policy is very flexible allowing users to setup their cyrus processes in as secure a method as possible.
++.PP 
++The following process types are defined for cyrus:
++
++.EX
++.B cyrus_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), cyrus(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dbadm_selinux.8 b/man/man8/dbadm_selinux.8
+new file mode 100644
+index 0000000..4bbec80
+--- /dev/null
++++ b/man/man8/dbadm_selinux.8
+@@ -0,0 +1,65 @@
++.TH  "dbadm_selinux"  "8"  "dbadm" "mgrepl at redhat.com" "dbadm SELinux Policy documentation"
++.SH "NAME"
++dbadm_r \- \fBDatabase administrator role\fP - Security Enhanced Linux Policy 
++
++.SH DESCRIPTION
++
++SELinux supports Roles Based Access Control, some Linux roles are login roles, while other roles need to be transition to. 
++
++Note: The examples in the man page will user the staff_u user.
++
++Non login roles are usually used for administrative tasks.
++
++Roles usually have default types assigned to them. 
++
++The default type for the dbadm_r role is dbadm_t.
++
++You can use the 
++.B newrole 
++program to transition directly to this role.
++
++.B newrole -r dbadm_r -t dbadm_t
++
++.B sudo 
++can also be setup to transition to this role using the visudo command.
++
++USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL
++
++If you want to use a non login role, you need to make sure the SELinux user you are using can reach this role.
++
++You can see all of the assigned SELinux roles using the following
++
++.B semanage user -l
++
++If you wanted to add dbadm_r to the staff_u user, you would execute:
++
++.B $ semanage user -m -R 'staff_r dbadm_r' staff_u 
++
++
++
++SELinux policy also controls which roles can transition to a different role.  
++You can list these rules using the following command.
++
++.B sesearch --role_allow
++
++SELinux policy allows the staff_r role can transition to the dbadm_r role.
++
++
++.SH "COMMANDS"
++
++.B semanage login
++can also be used to manipulate the Linux User to SELinux User mappings
++
++.B semanage user
++can also be used to manipulate SELinux user definitions.
++
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genuserman.py.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8).
+diff --git a/man/man8/dbskkd_selinux.8 b/man/man8/dbskkd_selinux.8
+new file mode 100644
+index 0000000..224a13a
+--- /dev/null
++++ b/man/man8/dbskkd_selinux.8
+@@ -0,0 +1,113 @@
++.TH  "dbskkd_selinux"  "8"  "dbskkd" "dwalsh at redhat.com" "dbskkd SELinux Policy documentation"
++.SH "NAME"
++dbskkd_selinux \- Security Enhanced Linux Policy for the dbskkd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dbskkd policy is very flexible allowing users to setup their dbskkd processes in as secure a method as possible.
++.PP 
++The following file types are defined for dbskkd:
++
++
++.EX
++.PP
++.B dbskkd_exec_t 
++.EE
++
++- Set files with the dbskkd_exec_t type, if you want to transition an executable to the dbskkd_t domain.
++
++
++.EX
++.PP
++.B dbskkd_tmp_t 
++.EE
++
++- Set files with the dbskkd_tmp_t type, if you want to store dbskkd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dbskkd_var_run_t 
++.EE
++
++- Set files with the dbskkd_var_run_t type, if you want to store the dbskkd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux dbskkd policy is very flexible allowing users to setup their dbskkd processes in as secure a method as possible.
++.PP 
++The following port types are defined for dbskkd:
++
++.EX
++.TP 5
++.B dbskkd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dbskkd policy is very flexible allowing users to setup their dbskkd processes in as secure a method as possible.
++.PP 
++The following process types are defined for dbskkd:
++
++.EX
++.B dbskkd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dbskkd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dcc_selinux.8 b/man/man8/dcc_selinux.8
+new file mode 100644
+index 0000000..ac78346
+--- /dev/null
++++ b/man/man8/dcc_selinux.8
+@@ -0,0 +1,246 @@
++.TH  "dcc_selinux"  "8"  "dcc" "dwalsh at redhat.com" "dcc SELinux Policy documentation"
++.SH "NAME"
++dcc_selinux \- Security Enhanced Linux Policy for the dcc processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B dcc
++(Distributed checksum clearinghouse spam filtering)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dcc policy is very flexible allowing users to setup their dcc processes in as secure a method as possible.
++.PP 
++The following file types are defined for dcc:
++
++
++.EX
++.PP
++.B dcc_client_exec_t 
++.EE
++
++- Set files with the dcc_client_exec_t type, if you want to transition an executable to the dcc_client_t domain.
++
++
++.EX
++.PP
++.B dcc_client_map_t 
++.EE
++
++- Set files with the dcc_client_map_t type, if you want to treat the files as dcc client map data.
++
++.br
++.TP 5
++Paths: 
++/var/lib/dcc/map, /etc/dcc/map, /var/run/dcc/map, /var/dcc/map
++
++.EX
++.PP
++.B dcc_client_tmp_t 
++.EE
++
++- Set files with the dcc_client_tmp_t type, if you want to store dcc client temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dcc_dbclean_exec_t 
++.EE
++
++- Set files with the dcc_dbclean_exec_t type, if you want to transition an executable to the dcc_dbclean_t domain.
++
++
++.EX
++.PP
++.B dcc_dbclean_tmp_t 
++.EE
++
++- Set files with the dcc_dbclean_tmp_t type, if you want to store dcc dbclean temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dcc_var_run_t 
++.EE
++
++- Set files with the dcc_var_run_t type, if you want to store the dcc files under the /run directory.
++
++
++.EX
++.PP
++.B dcc_var_t 
++.EE
++
++- Set files with the dcc_var_t type, if you want to store the  files under the /var directory.
++
++.br
++.TP 5
++Paths: 
++/etc/dcc(/.*)?, /var/dcc(/.*)?, /var/lib/dcc(/.*)?
++
++.EX
++.PP
++.B dccd_exec_t 
++.EE
++
++- Set files with the dccd_exec_t type, if you want to transition an executable to the dccd_t domain.
++
++
++.EX
++.PP
++.B dccd_tmp_t 
++.EE
++
++- Set files with the dccd_tmp_t type, if you want to store dccd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dccd_var_run_t 
++.EE
++
++- Set files with the dccd_var_run_t type, if you want to store the dccd files under the /run directory.
++
++
++.EX
++.PP
++.B dccifd_exec_t 
++.EE
++
++- Set files with the dccifd_exec_t type, if you want to transition an executable to the dccifd_t domain.
++
++
++.EX
++.PP
++.B dccifd_tmp_t 
++.EE
++
++- Set files with the dccifd_tmp_t type, if you want to store dccifd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dccifd_var_run_t 
++.EE
++
++- Set files with the dccifd_var_run_t type, if you want to store the dccifd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/etc/dcc/dccifd, /var/run/dcc/dccifd
++
++.EX
++.PP
++.B dccm_exec_t 
++.EE
++
++- Set files with the dccm_exec_t type, if you want to transition an executable to the dccm_t domain.
++
++
++.EX
++.PP
++.B dccm_tmp_t 
++.EE
++
++- Set files with the dccm_tmp_t type, if you want to store dccm temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dccm_var_run_t 
++.EE
++
++- Set files with the dccm_var_run_t type, if you want to store the dccm files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux dcc policy is very flexible allowing users to setup their dcc processes in as secure a method as possible.
++.PP 
++The following port types are defined for dcc:
++
++.EX
++.TP 5
++.B dcc_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B dccm_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dcc policy is very flexible allowing users to setup their dcc processes in as secure a method as possible.
++.PP 
++The following process types are defined for dcc:
++
++.EX
++.B dccm_t, dcc_client_t, dcc_dbclean_t, dccifd_t, dccd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dcc(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dccd_selinux.8 b/man/man8/dccd_selinux.8
+new file mode 100644
+index 0000000..2da502a
+--- /dev/null
++++ b/man/man8/dccd_selinux.8
+@@ -0,0 +1,188 @@
++.TH  "dccd_selinux"  "8"  "dccd" "dwalsh at redhat.com" "dccd SELinux Policy documentation"
++.SH "NAME"
++dccd_selinux \- Security Enhanced Linux Policy for the dccd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible.
++.PP 
++The following file types are defined for dccd:
++
++
++.EX
++.PP
++.B dcc_client_exec_t 
++.EE
++
++- Set files with the dcc_client_exec_t type, if you want to transition an executable to the dcc_client_t domain.
++
++
++.EX
++.PP
++.B dcc_client_map_t 
++.EE
++
++- Set files with the dcc_client_map_t type, if you want to treat the files as dcc client map data.
++
++.br
++.TP 5
++Paths: 
++/var/lib/dcc/map, /etc/dcc/map, /var/run/dcc/map, /var/dcc/map
++
++.EX
++.PP
++.B dcc_client_tmp_t 
++.EE
++
++- Set files with the dcc_client_tmp_t type, if you want to store dcc client temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dcc_dbclean_exec_t 
++.EE
++
++- Set files with the dcc_dbclean_exec_t type, if you want to transition an executable to the dcc_dbclean_t domain.
++
++
++.EX
++.PP
++.B dcc_dbclean_tmp_t 
++.EE
++
++- Set files with the dcc_dbclean_tmp_t type, if you want to store dcc dbclean temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dcc_var_run_t 
++.EE
++
++- Set files with the dcc_var_run_t type, if you want to store the dcc files under the /run directory.
++
++
++.EX
++.PP
++.B dcc_var_t 
++.EE
++
++- Set files with the dcc_var_t type, if you want to store the  files under the /var directory.
++
++.br
++.TP 5
++Paths: 
++/etc/dcc(/.*)?, /var/dcc(/.*)?, /var/lib/dcc(/.*)?
++
++.EX
++.PP
++.B dccd_exec_t 
++.EE
++
++- Set files with the dccd_exec_t type, if you want to transition an executable to the dccd_t domain.
++
++
++.EX
++.PP
++.B dccd_tmp_t 
++.EE
++
++- Set files with the dccd_tmp_t type, if you want to store dccd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dccd_var_run_t 
++.EE
++
++- Set files with the dccd_var_run_t type, if you want to store the dccd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible.
++.PP 
++The following port types are defined for dccd:
++
++.EX
++.TP 5
++.B dcc_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B dccm_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible.
++.PP 
++The following process types are defined for dccd:
++
++.EX
++.B dccm_t, dcc_client_t, dcc_dbclean_t, dccifd_t, dccd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dccd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dccifd_selinux.8 b/man/man8/dccifd_selinux.8
+new file mode 100644
+index 0000000..c80e92b
+--- /dev/null
++++ b/man/man8/dccifd_selinux.8
+@@ -0,0 +1,91 @@
++.TH  "dccifd_selinux"  "8"  "dccifd" "dwalsh at redhat.com" "dccifd SELinux Policy documentation"
++.SH "NAME"
++dccifd_selinux \- Security Enhanced Linux Policy for the dccifd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dccifd policy is very flexible allowing users to setup their dccifd processes in as secure a method as possible.
++.PP 
++The following file types are defined for dccifd:
++
++
++.EX
++.PP
++.B dccifd_exec_t 
++.EE
++
++- Set files with the dccifd_exec_t type, if you want to transition an executable to the dccifd_t domain.
++
++
++.EX
++.PP
++.B dccifd_tmp_t 
++.EE
++
++- Set files with the dccifd_tmp_t type, if you want to store dccifd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dccifd_var_run_t 
++.EE
++
++- Set files with the dccifd_var_run_t type, if you want to store the dccifd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/etc/dcc/dccifd, /var/run/dcc/dccifd
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dccifd policy is very flexible allowing users to setup their dccifd processes in as secure a method as possible.
++.PP 
++The following process types are defined for dccifd:
++
++.EX
++.B dccifd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dccifd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dccm_selinux.8 b/man/man8/dccm_selinux.8
+new file mode 100644
+index 0000000..a9a2caa
+--- /dev/null
++++ b/man/man8/dccm_selinux.8
+@@ -0,0 +1,113 @@
++.TH  "dccm_selinux"  "8"  "dccm" "dwalsh at redhat.com" "dccm SELinux Policy documentation"
++.SH "NAME"
++dccm_selinux \- Security Enhanced Linux Policy for the dccm processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dccm policy is very flexible allowing users to setup their dccm processes in as secure a method as possible.
++.PP 
++The following file types are defined for dccm:
++
++
++.EX
++.PP
++.B dccm_exec_t 
++.EE
++
++- Set files with the dccm_exec_t type, if you want to transition an executable to the dccm_t domain.
++
++
++.EX
++.PP
++.B dccm_tmp_t 
++.EE
++
++- Set files with the dccm_tmp_t type, if you want to store dccm temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dccm_var_run_t 
++.EE
++
++- Set files with the dccm_var_run_t type, if you want to store the dccm files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux dccm policy is very flexible allowing users to setup their dccm processes in as secure a method as possible.
++.PP 
++The following port types are defined for dccm:
++
++.EX
++.TP 5
++.B dccm_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dccm policy is very flexible allowing users to setup their dccm processes in as secure a method as possible.
++.PP 
++The following process types are defined for dccm:
++
++.EX
++.B dccm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dccm(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dcerpcd_selinux.8 b/man/man8/dcerpcd_selinux.8
+new file mode 100644
+index 0000000..7e28fe1
+--- /dev/null
++++ b/man/man8/dcerpcd_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "dcerpcd_selinux"  "8"  "dcerpcd" "dwalsh at redhat.com" "dcerpcd SELinux Policy documentation"
++.SH "NAME"
++dcerpcd_selinux \- Security Enhanced Linux Policy for the dcerpcd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dcerpcd policy is very flexible allowing users to setup their dcerpcd processes in as secure a method as possible.
++.PP 
++The following file types are defined for dcerpcd:
++
++
++.EX
++.PP
++.B dcerpcd_exec_t 
++.EE
++
++- Set files with the dcerpcd_exec_t type, if you want to transition an executable to the dcerpcd_t domain.
++
++
++.EX
++.PP
++.B dcerpcd_var_lib_t 
++.EE
++
++- Set files with the dcerpcd_var_lib_t type, if you want to store the dcerpcd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B dcerpcd_var_run_t 
++.EE
++
++- Set files with the dcerpcd_var_run_t type, if you want to store the dcerpcd files under the /run directory.
++
++
++.EX
++.PP
++.B dcerpcd_var_socket_t 
++.EE
++
++- Set files with the dcerpcd_var_socket_t type, if you want to treat the files as dcerpcd var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dcerpcd policy is very flexible allowing users to setup their dcerpcd processes in as secure a method as possible.
++.PP 
++The following process types are defined for dcerpcd:
++
++.EX
++.B dcerpcd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dcerpcd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ddclient_selinux.8 b/man/man8/ddclient_selinux.8
+new file mode 100644
+index 0000000..13df14d
+--- /dev/null
++++ b/man/man8/ddclient_selinux.8
+@@ -0,0 +1,145 @@
++.TH  "ddclient_selinux"  "8"  "ddclient" "dwalsh at redhat.com" "ddclient SELinux Policy documentation"
++.SH "NAME"
++ddclient_selinux \- Security Enhanced Linux Policy for the ddclient processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B ddclient
++(Update dynamic IP address at DynDNS.org)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ddclient policy is very flexible allowing users to setup their ddclient processes in as secure a method as possible.
++.PP 
++The following file types are defined for ddclient:
++
++
++.EX
++.PP
++.B ddclient_etc_t 
++.EE
++
++- Set files with the ddclient_etc_t type, if you want to store ddclient files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/ddclient\.conf, /etc/ddtcd\.conf
++
++.EX
++.PP
++.B ddclient_exec_t 
++.EE
++
++- Set files with the ddclient_exec_t type, if you want to transition an executable to the ddclient_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/ddclient, /usr/sbin/ddtcd
++
++.EX
++.PP
++.B ddclient_initrc_exec_t 
++.EE
++
++- Set files with the ddclient_initrc_exec_t type, if you want to transition an executable to the ddclient_initrc_t domain.
++
++
++.EX
++.PP
++.B ddclient_log_t 
++.EE
++
++- Set files with the ddclient_log_t type, if you want to treat the data as ddclient log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ddclient_tmp_t 
++.EE
++
++- Set files with the ddclient_tmp_t type, if you want to store ddclient temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ddclient_var_lib_t 
++.EE
++
++- Set files with the ddclient_var_lib_t type, if you want to store the ddclient files under the /var/lib directory.
++
++
++.EX
++.PP
++.B ddclient_var_run_t 
++.EE
++
++- Set files with the ddclient_var_run_t type, if you want to store the ddclient files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/ddtcd\.pid, /var/run/ddclient\.pid
++
++.EX
++.PP
++.B ddclient_var_t 
++.EE
++
++- Set files with the ddclient_var_t type, if you want to store the ddcl files under the /var directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ddclient policy is very flexible allowing users to setup their ddclient processes in as secure a method as possible.
++.PP 
++The following process types are defined for ddclient:
++
++.EX
++.B ddclient_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ddclient(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/deltacloudd_selinux.8 b/man/man8/deltacloudd_selinux.8
+new file mode 100644
+index 0000000..7d2381f
+--- /dev/null
++++ b/man/man8/deltacloudd_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "deltacloudd_selinux"  "8"  "deltacloudd" "dwalsh at redhat.com" "deltacloudd SELinux Policy documentation"
++.SH "NAME"
++deltacloudd_selinux \- Security Enhanced Linux Policy for the deltacloudd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux deltacloudd policy is very flexible allowing users to setup their deltacloudd processes in as secure a method as possible.
++.PP 
++The following file types are defined for deltacloudd:
++
++
++.EX
++.PP
++.B deltacloudd_exec_t 
++.EE
++
++- Set files with the deltacloudd_exec_t type, if you want to transition an executable to the deltacloudd_t domain.
++
++
++.EX
++.PP
++.B deltacloudd_log_t 
++.EE
++
++- Set files with the deltacloudd_log_t type, if you want to treat the data as deltacloudd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B deltacloudd_tmp_t 
++.EE
++
++- Set files with the deltacloudd_tmp_t type, if you want to store deltacloudd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B deltacloudd_var_run_t 
++.EE
++
++- Set files with the deltacloudd_var_run_t type, if you want to store the deltacloudd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux deltacloudd policy is very flexible allowing users to setup their deltacloudd processes in as secure a method as possible.
++.PP 
++The following process types are defined for deltacloudd:
++
++.EX
++.B deltacloudd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), deltacloudd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/denyhosts_selinux.8 b/man/man8/denyhosts_selinux.8
+new file mode 100644
+index 0000000..ff32a2b
+--- /dev/null
++++ b/man/man8/denyhosts_selinux.8
+@@ -0,0 +1,109 @@
++.TH  "denyhosts_selinux"  "8"  "denyhosts" "dwalsh at redhat.com" "denyhosts SELinux Policy documentation"
++.SH "NAME"
++denyhosts_selinux \- Security Enhanced Linux Policy for the denyhosts processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B denyhosts
++(DenyHosts SSH dictionary attack mitigation)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux denyhosts policy is very flexible allowing users to setup their denyhosts processes in as secure a method as possible.
++.PP 
++The following file types are defined for denyhosts:
++
++
++.EX
++.PP
++.B denyhosts_exec_t 
++.EE
++
++- Set files with the denyhosts_exec_t type, if you want to transition an executable to the denyhosts_t domain.
++
++
++.EX
++.PP
++.B denyhosts_initrc_exec_t 
++.EE
++
++- Set files with the denyhosts_initrc_exec_t type, if you want to transition an executable to the denyhosts_initrc_t domain.
++
++
++.EX
++.PP
++.B denyhosts_var_lib_t 
++.EE
++
++- Set files with the denyhosts_var_lib_t type, if you want to store the denyhosts files under the /var/lib directory.
++
++
++.EX
++.PP
++.B denyhosts_var_lock_t 
++.EE
++
++- Set files with the denyhosts_var_lock_t type, if you want to treat the files as denyhosts var lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B denyhosts_var_log_t 
++.EE
++
++- Set files with the denyhosts_var_log_t type, if you want to treat the data as denyhosts var log data, usually stored under the /var/log directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux denyhosts policy is very flexible allowing users to setup their denyhosts processes in as secure a method as possible.
++.PP 
++The following process types are defined for denyhosts:
++
++.EX
++.B denyhosts_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), denyhosts(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/depmod_selinux.8 b/man/man8/depmod_selinux.8
+new file mode 100644
+index 0000000..b5dcbff
+--- /dev/null
++++ b/man/man8/depmod_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "depmod_selinux"  "8"  "depmod" "dwalsh at redhat.com" "depmod SELinux Policy documentation"
++.SH "NAME"
++depmod_selinux \- Security Enhanced Linux Policy for the depmod processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux depmod policy is very flexible allowing users to setup their depmod processes in as secure a method as possible.
++.PP 
++The following file types are defined for depmod:
++
++
++.EX
++.PP
++.B depmod_exec_t 
++.EE
++
++- Set files with the depmod_exec_t type, if you want to transition an executable to the depmod_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/depmod.*, /usr/sbin/depmod.*
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux depmod policy is very flexible allowing users to setup their depmod processes in as secure a method as possible.
++.PP 
++The following process types are defined for depmod:
++
++.EX
++.B depmod_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), depmod(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/devicekit_selinux.8 b/man/man8/devicekit_selinux.8
+new file mode 100644
+index 0000000..fbd38fb
+--- /dev/null
++++ b/man/man8/devicekit_selinux.8
+@@ -0,0 +1,145 @@
++.TH  "devicekit_selinux"  "8"  "devicekit" "dwalsh at redhat.com" "devicekit SELinux Policy documentation"
++.SH "NAME"
++devicekit_selinux \- Security Enhanced Linux Policy for the devicekit processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B devicekit
++(Devicekit modular hardware abstraction layer)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux devicekit policy is very flexible allowing users to setup their devicekit processes in as secure a method as possible.
++.PP 
++The following file types are defined for devicekit:
++
++
++.EX
++.PP
++.B devicekit_disk_exec_t 
++.EE
++
++- Set files with the devicekit_disk_exec_t type, if you want to transition an executable to the devicekit_disk_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/udev/udisks-part-id, /lib/udisks2/udisksd, /usr/lib/udisks2/udisksd, /lib/udev/udisks-part-id, /usr/libexec/devkit-disks-daemon, /usr/libexec/udisks-daemon
++
++.EX
++.PP
++.B devicekit_exec_t 
++.EE
++
++- Set files with the devicekit_exec_t type, if you want to transition an executable to the devicekit_t domain.
++
++
++.EX
++.PP
++.B devicekit_power_exec_t 
++.EE
++
++- Set files with the devicekit_power_exec_t type, if you want to transition an executable to the devicekit_power_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/libexec/upowerd, /usr/libexec/devkit-power-daemon
++
++.EX
++.PP
++.B devicekit_tmp_t 
++.EE
++
++- Set files with the devicekit_tmp_t type, if you want to store devicekit temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B devicekit_var_lib_t 
++.EE
++
++- Set files with the devicekit_var_lib_t type, if you want to store the devicekit files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/udisks.*, /var/lib/DeviceKit-.*, /var/lib/upower(/.*)?
++
++.EX
++.PP
++.B devicekit_var_log_t 
++.EE
++
++- Set files with the devicekit_var_log_t type, if you want to treat the data as devicekit var log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/pm-suspend\.log, /var/log/pm-powersave\.log
++
++.EX
++.PP
++.B devicekit_var_run_t 
++.EE
++
++- Set files with the devicekit_var_run_t type, if you want to store the devicekit files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/upower(/.*)?, /var/run/udisks.*, /var/run/devkit(/.*)?, /var/run/DeviceKit-disks(/.*)?, /var/run/pm-utils(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux devicekit policy is very flexible allowing users to setup their devicekit processes in as secure a method as possible.
++.PP 
++The following process types are defined for devicekit:
++
++.EX
++.B devicekit_power_t, devicekit_disk_t, devicekit_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), devicekit(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dhcpc_selinux.8 b/man/man8/dhcpc_selinux.8
+new file mode 100644
+index 0000000..b805e27
+--- /dev/null
++++ b/man/man8/dhcpc_selinux.8
+@@ -0,0 +1,152 @@
++.TH  "dhcpc_selinux"  "8"  "dhcpc" "dwalsh at redhat.com" "dhcpc SELinux Policy documentation"
++.SH "NAME"
++dhcpc_selinux \- Security Enhanced Linux Policy for the dhcpc processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  dhcpc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpc with the tightest access possible.
++
++
++.PP
++If you want to allow dhcpc client applications to execute iptables command, you must turn on the dhcpc_exec_iptables boolean.
++
++.EX
++.B setsebool -P dhcpc_exec_iptables 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dhcpc policy is very flexible allowing users to setup their dhcpc processes in as secure a method as possible.
++.PP 
++The following file types are defined for dhcpc:
++
++
++.EX
++.PP
++.B dhcpc_exec_t 
++.EE
++
++- Set files with the dhcpc_exec_t type, if you want to transition an executable to the dhcpc_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/dhcpcd, /usr/sbin/pump, /sbin/dhclient.*, /usr/sbin/dhcpcd, /sbin/pump, /usr/sbin/dhclient.*, /usr/sbin/dhcdbd, /sbin/dhcdbd
++
++.EX
++.PP
++.B dhcpc_helper_exec_t 
++.EE
++
++- Set files with the dhcpc_helper_exec_t type, if you want to transition an executable to the dhcpc_helper_t domain.
++
++
++.EX
++.PP
++.B dhcpc_state_t 
++.EE
++
++- Set files with the dhcpc_state_t type, if you want to treat the files as dhcpc state data.
++
++.br
++.TP 5
++Paths: 
++/var/lib/dhclient(/.*)?, /var/lib/dhcp3?/dhclient.*, /var/lib/wifiroamd(/.*)?, /var/lib/dhcpcd(/.*)?
++
++.EX
++.PP
++.B dhcpc_tmp_t 
++.EE
++
++- Set files with the dhcpc_tmp_t type, if you want to store dhcpc temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dhcpc_var_run_t 
++.EE
++
++- Set files with the dhcpc_var_run_t type, if you want to store the dhcpc files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux dhcpc policy is very flexible allowing users to setup their dhcpc processes in as secure a method as possible.
++.PP 
++The following port types are defined for dhcpc:
++
++.EX
++.TP 5
++.B dhcpc_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dhcpc policy is very flexible allowing users to setup their dhcpc processes in as secure a method as possible.
++.PP 
++The following process types are defined for dhcpc:
++
++.EX
++.B dhcpc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dhcpc(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
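Review bot: The PORT TYPES section of dhcpc_selinux.8 gives `tcp 8021` as the default for `dhcpc_port_t`, and the identical `tcp 8021` line appears under `dhcpc_port_t` and `dhcpd_port_t` in dhcpd_selinux.8 and under `dict_port_t` in dictd_selinux.8. A DHCP client, a DHCP server and a dictionary server would not all share one TCP port, so genman.py appears to be emitting a fixed value rather than each type's own definition. An administrator who relies on this page when adjusting `semanage port` entries or firewall rules would be working from a number the policy probably does not use. The value should be read per type from the policy's port definitions, or the `Default Defined Ports:` lines dropped so that `semanage port -l`, already named in the section, stays the only reference. The block also ends with a second `.EE` that has no matching `.EX`.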
+diff --git a/man/man8/dhcpd_selinux.8 b/man/man8/dhcpd_selinux.8
+new file mode 100644
+index 0000000..db3ea11
+--- /dev/null
++++ b/man/man8/dhcpd_selinux.8
+@@ -0,0 +1,191 @@
++.TH  "dhcpd_selinux"  "8"  "dhcpd" "dwalsh at redhat.com" "dhcpd SELinux Policy documentation"
++.SH "NAME"
++dhcpd_selinux \- Security Enhanced Linux Policy for the dhcpd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  dhcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpd with the tightest access possible.
++
++
++.PP
++If you want to allow dhcpc client applications to execute iptables command, you must turn on the dhcpc_exec_iptables boolean.
++
++.EX
++.B setsebool -P dhcpc_exec_iptables 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible.
++.PP 
++The following file types are defined for dhcpd:
++
++
++.EX
++.PP
++.B dhcp_etc_t 
++.EE
++
++- Set files with the dhcp_etc_t type, if you want to store dhcp files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/dhcp3(/.*)?, /etc/dhcp3?/dhclient.*, /etc/dhcpd(6)?\.conf, /etc/dhcpc.*, /etc/dhclient-script, /etc/dhclient.*conf, /etc/dhcp/dhcpd(6)?\.conf
++
++.EX
++.PP
++.B dhcp_state_t 
++.EE
++
++- Set files with the dhcp_state_t type, if you want to treat the files as dhcp state data.
++
++
++.EX
++.PP
++.B dhcpd_exec_t 
++.EE
++
++- Set files with the dhcpd_exec_t type, if you want to transition an executable to the dhcpd_t domain.
++
++
++.EX
++.PP
++.B dhcpd_initrc_exec_t 
++.EE
++
++- Set files with the dhcpd_initrc_exec_t type, if you want to transition an executable to the dhcpd_initrc_t domain.
++
++
++.EX
++.PP
++.B dhcpd_state_t 
++.EE
++
++- Set files with the dhcpd_state_t type, if you want to treat the files as dhcpd state data.
++
++.br
++.TP 5
++Paths: 
++/var/lib/dhcp(3)?/dhcpd\.leases.*, /var/lib/dhcpd(/.*)?
++
++.EX
++.PP
++.B dhcpd_tmp_t 
++.EE
++
++- Set files with the dhcpd_tmp_t type, if you want to store dhcpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dhcpd_unit_file_t 
++.EE
++
++- Set files with the dhcpd_unit_file_t type, if you want to treat the files as dhcpd unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/dhcpcd.*, /lib/systemd/system/dhcpcd.*
++
++.EX
++.PP
++.B dhcpd_var_run_t 
++.EE
++
++- Set files with the dhcpd_var_run_t type, if you want to store the dhcpd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible.
++.PP 
++The following port types are defined for dhcpd:
++
++.EX
++.TP 5
++.B dhcpc_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B dhcpd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for dhcpd:
++
++.EX
++.B dhcpc_t, dhcpd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dhcpd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
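Review bot: dhcpd_selinux.8 documents DHCP client items as if they belonged to the server: BOOLEANS offers only `dhcpc_exec_iptables`, PORT TYPES lists `dhcpc_port_t` ahead of `dhcpd_port_t`, and PROCESS TYPES reads `dhcpc_t, dhcpd_t`. This looks like loose name matching in the generator rather than a statement about the dhcpd policy. It matters because a reader following the `semanage permissive -a PROCESS_TYPE` note could relax `dhcpc_t` while meaning to touch only the server domain. The page should list only the types owned by dhcpd, or mark which entries belong to the client. The `dhcpd_unit_file_t` paths (`dhcpcd.*`) also name a differently spelled daemon and are worth checking against the file-context source.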
+diff --git a/man/man8/dictd_selinux.8 b/man/man8/dictd_selinux.8
+new file mode 100644
+index 0000000..53e911a
+--- /dev/null
++++ b/man/man8/dictd_selinux.8
+@@ -0,0 +1,135 @@
++.TH  "dictd_selinux"  "8"  "dictd" "dwalsh at redhat.com" "dictd SELinux Policy documentation"
++.SH "NAME"
++dictd_selinux \- Security Enhanced Linux Policy for the dictd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B dictd
++(Dictionary daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible.
++.PP 
++The following file types are defined for dictd:
++
++
++.EX
++.PP
++.B dictd_etc_t 
++.EE
++
++- Set files with the dictd_etc_t type, if you want to store dictd files in the /etc directories.
++
++
++.EX
++.PP
++.B dictd_exec_t 
++.EE
++
++- Set files with the dictd_exec_t type, if you want to transition an executable to the dictd_t domain.
++
++
++.EX
++.PP
++.B dictd_initrc_exec_t 
++.EE
++
++- Set files with the dictd_initrc_exec_t type, if you want to transition an executable to the dictd_initrc_t domain.
++
++
++.EX
++.PP
++.B dictd_var_lib_t 
++.EE
++
++- Set files with the dictd_var_lib_t type, if you want to store the dictd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B dictd_var_run_t 
++.EE
++
++- Set files with the dictd_var_run_t type, if you want to store the dictd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible.
++.PP 
++The following port types are defined for dictd:
++
++.EX
++.TP 5
++.B dict_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible.
++.PP 
++The following process types are defined for dictd:
++
++.EX
++.B dictd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dictd(8), semanage(8), restorecon(8), chcon(1)
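Review bot: The font escape in `option to \fBls\bP` (FILE CONTEXTS) and `option to \fBps\bP` (PROCESS TYPES) is mistyped. `\bP` does not switch back from bold, so the lines should end `\fBls\fP` and `\fBps\fP`. The same two lines recur in the other generated pages in this part of the patch (dhcpc, dhcpd, dirsrv, dirsrvadmin, disk, dkim, dlm, dmesg), so the fix belongs in the genman.py template, not in each file. The DESCRIPTION opener `SELinux Linux secures` also reads as a doubled word; `Security Enhanced Linux secures` would match the NAME line.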
+diff --git a/man/man8/dirsrv_selinux.8 b/man/man8/dirsrv_selinux.8
+new file mode 100644
+index 0000000..7c06f47
+--- /dev/null
++++ b/man/man8/dirsrv_selinux.8
+@@ -0,0 +1,217 @@
++.TH  "dirsrv_selinux"  "8"  "dirsrv" "dwalsh at redhat.com" "dirsrv SELinux Policy documentation"
++.SH "NAME"
++dirsrv_selinux \- Security Enhanced Linux Policy for the dirsrv processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B dirsrv
++(policy for dirsrv)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dirsrv policy is very flexible allowing users to setup their dirsrv processes in as secure a method as possible.
++.PP 
++The following file types are defined for dirsrv:
++
++
++.EX
++.PP
++.B dirsrv_config_t 
++.EE
++
++- Set files with the dirsrv_config_t type, if you want to treat the files as dirsrv configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B dirsrv_exec_t 
++.EE
++
++- Set files with the dirsrv_exec_t type, if you want to transition an executable to the dirsrv_t domain.
++
++
++.EX
++.PP
++.B dirsrv_share_t 
++.EE
++
++- Set files with the dirsrv_share_t type, if you want to treat the files as dirsrv share data.
++
++
++.EX
++.PP
++.B dirsrv_snmp_exec_t 
++.EE
++
++- Set files with the dirsrv_snmp_exec_t type, if you want to transition an executable to the dirsrv_snmp_t domain.
++
++
++.EX
++.PP
++.B dirsrv_snmp_var_log_t 
++.EE
++
++- Set files with the dirsrv_snmp_var_log_t type, if you want to treat the data as dirsrv snmp var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B dirsrv_snmp_var_run_t 
++.EE
++
++- Set files with the dirsrv_snmp_var_run_t type, if you want to store the dirsrv snmp files under the /run directory.
++
++
++.EX
++.PP
++.B dirsrv_tmp_t 
++.EE
++
++- Set files with the dirsrv_tmp_t type, if you want to store dirsrv temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dirsrv_tmpfs_t 
++.EE
++
++- Set files with the dirsrv_tmpfs_t type, if you want to store dirsrv files on a tmpfs file system.
++
++
++.EX
++.PP
++.B dirsrv_var_lib_t 
++.EE
++
++- Set files with the dirsrv_var_lib_t type, if you want to store the dirsrv files under the /var/lib directory.
++
++
++.EX
++.PP
++.B dirsrv_var_lock_t 
++.EE
++
++- Set files with the dirsrv_var_lock_t type, if you want to treat the files as dirsrv var lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B dirsrv_var_log_t 
++.EE
++
++- Set files with the dirsrv_var_log_t type, if you want to treat the data as dirsrv var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B dirsrv_var_run_t 
++.EE
++
++- Set files with the dirsrv_var_run_t type, if you want to store the dirsrv files under the /run directory.
++
++
++.EX
++.PP
++.B dirsrvadmin_config_t 
++.EE
++
++- Set files with the dirsrvadmin_config_t type, if you want to treat the files as dirsrvadmin configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/etc/dirsrv/admin-serv(/.*)?, /etc/dirsrv/dsgw(/.*)?
++
++.EX
++.PP
++.B dirsrvadmin_exec_t 
++.EE
++
++- Set files with the dirsrvadmin_exec_t type, if you want to transition an executable to the dirsrvadmin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/start-ds-admin, /usr/sbin/stop-ds-admin, /usr/sbin/restart-ds-admin
++
++.EX
++.PP
++.B dirsrvadmin_lock_t 
++.EE
++
++- Set files with the dirsrvadmin_lock_t type, if you want to treat the files as dirsrvadmin lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B dirsrvadmin_tmp_t 
++.EE
++
++- Set files with the dirsrvadmin_tmp_t type, if you want to store dirsrvadmin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dirsrvadmin_unconfined_script_exec_t 
++.EE
++
++- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you want to transition an executable to the dirsrvadmin_unconfined_script_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/dirsrv/cgi-bin/ds_remove, /usr/lib/dirsrv/cgi-bin/ds_create
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dirsrv policy is very flexible allowing users to setup their dirsrv processes in as secure a method as possible.
++.PP 
++The following process types are defined for dirsrv:
++
++.EX
++.B dirsrvadmin_unconfined_script_t, dirsrv_snmp_t, dirsrvadmin_t, dirsrv_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dirsrv(8), semanage(8), restorecon(8), chcon(1)
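Review bot: The entry for `dirsrvadmin_unconfined_script_exec_t` in FILE CONTEXTS uses the same boilerplate as every other exec type and never says that the target domain is, going by its name, unconfined. The policy source is not visible here, so this is an inference. If it holds, labelling any further script with this type lets it run outside the restrictions the rest of the page describes, and the text should say so. A sentence such as `Files with this type run in an unconfined domain; apply it only to the listed paths.` after the description would do. The same entry appears in dirsrvadmin_selinux.8 and needs the same line.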
+diff --git a/man/man8/dirsrvadmin_selinux.8 b/man/man8/dirsrvadmin_selinux.8
+new file mode 100644
+index 0000000..f314f5a
+--- /dev/null
++++ b/man/man8/dirsrvadmin_selinux.8
+@@ -0,0 +1,115 @@
++.TH  "dirsrvadmin_selinux"  "8"  "dirsrvadmin" "dwalsh at redhat.com" "dirsrvadmin SELinux Policy documentation"
++.SH "NAME"
++dirsrvadmin_selinux \- Security Enhanced Linux Policy for the dirsrvadmin processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dirsrvadmin policy is very flexible allowing users to setup their dirsrvadmin processes in as secure a method as possible.
++.PP 
++The following file types are defined for dirsrvadmin:
++
++
++.EX
++.PP
++.B dirsrvadmin_config_t 
++.EE
++
++- Set files with the dirsrvadmin_config_t type, if you want to treat the files as dirsrvadmin configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/etc/dirsrv/admin-serv(/.*)?, /etc/dirsrv/dsgw(/.*)?
++
++.EX
++.PP
++.B dirsrvadmin_exec_t 
++.EE
++
++- Set files with the dirsrvadmin_exec_t type, if you want to transition an executable to the dirsrvadmin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/start-ds-admin, /usr/sbin/stop-ds-admin, /usr/sbin/restart-ds-admin
++
++.EX
++.PP
++.B dirsrvadmin_lock_t 
++.EE
++
++- Set files with the dirsrvadmin_lock_t type, if you want to treat the files as dirsrvadmin lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B dirsrvadmin_tmp_t 
++.EE
++
++- Set files with the dirsrvadmin_tmp_t type, if you want to store dirsrvadmin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dirsrvadmin_unconfined_script_exec_t 
++.EE
++
++- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you want to transition an executable to the dirsrvadmin_unconfined_script_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/dirsrv/cgi-bin/ds_remove, /usr/lib/dirsrv/cgi-bin/ds_create
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dirsrvadmin policy is very flexible allowing users to setup their dirsrvadmin processes in as secure a method as possible.
++.PP 
++The following process types are defined for dirsrvadmin:
++
++.EX
++.B dirsrvadmin_unconfined_script_t, dirsrvadmin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dirsrvadmin(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/disk_selinux.8 b/man/man8/disk_selinux.8
+new file mode 100644
+index 0000000..d3d396c
+--- /dev/null
++++ b/man/man8/disk_selinux.8
+@@ -0,0 +1,83 @@
++.TH  "disk_selinux"  "8"  "disk" "dwalsh at redhat.com" "disk SELinux Policy documentation"
++.SH "NAME"
++disk_selinux \- Security Enhanced Linux Policy for the disk processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux disk policy is very flexible allowing users to setup their disk processes in as secure a method as possible.
++.PP 
++The following file types are defined for disk:
++
++
++.EX
++.PP
++.B disk_munin_plugin_exec_t 
++.EE
++
++- Set files with the disk_munin_plugin_exec_t type, if you want to transition an executable to the disk_munin_plugin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/share/munin/plugins/diskstat.*, /usr/share/munin/plugins/hddtemp.*, /usr/share/munin/plugins/smart_.*, /usr/share/munin/plugins/df.*
++
++.EX
++.PP
++.B disk_munin_plugin_tmp_t 
++.EE
++
++- Set files with the disk_munin_plugin_tmp_t type, if you want to store disk munin plugin temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux disk policy is very flexible allowing users to setup their disk processes in as secure a method as possible.
++.PP 
++The following process types are defined for disk:
++
++.EX
++.B disk_munin_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), disk(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dkim_selinux.8 b/man/man8/dkim_selinux.8
+new file mode 100644
+index 0000000..ff5f6d1
+--- /dev/null
++++ b/man/man8/dkim_selinux.8
+@@ -0,0 +1,97 @@
++.TH  "dkim_selinux"  "8"  "dkim" "dwalsh at redhat.com" "dkim SELinux Policy documentation"
++.SH "NAME"
++dkim_selinux \- Security Enhanced Linux Policy for the dkim processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B dkim
++(DomainKeys Identified Mail milter)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dkim policy is very flexible allowing users to setup their dkim processes in as secure a method as possible.
++.PP 
++The following file types are defined for dkim:
++
++
++.EX
++.PP
++.B dkim_milter_data_t 
++.EE
++
++- Set files with the dkim_milter_data_t type, if you want to treat the files as dkim milter content.
++
++.br
++.TP 5
++Paths: 
++/var/lib/dkim-milter(/.*)?, /var/run/dkim-milter(/.*)?
++
++.EX
++.PP
++.B dkim_milter_exec_t 
++.EE
++
++- Set files with the dkim_milter_exec_t type, if you want to transition an executable to the dkim_milter_t domain.
++
++
++.EX
++.PP
++.B dkim_milter_private_key_t 
++.EE
++
++- Set files with the dkim_milter_private_key_t type, if you want to treat the files as dkim milter private key data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dkim policy is very flexible allowing users to setup their dkim processes in as secure a method as possible.
++.PP 
++The following process types are defined for dkim:
++
++.EX
++.B dkim_milter_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dkim(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dlm_selinux.8 b/man/man8/dlm_selinux.8
+new file mode 100644
+index 0000000..d1bdbac
+--- /dev/null
++++ b/man/man8/dlm_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "dlm_selinux"  "8"  "dlm" "dwalsh at redhat.com" "dlm SELinux Policy documentation"
++.SH "NAME"
++dlm_selinux \- Security Enhanced Linux Policy for the dlm processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dlm policy is very flexible allowing users to setup their dlm processes in as secure a method as possible.
++.PP 
++The following file types are defined for dlm:
++
++
++.EX
++.PP
++.B dlm_controld_exec_t 
++.EE
++
++- Set files with the dlm_controld_exec_t type, if you want to transition an executable to the dlm_controld_t domain.
++
++
++.EX
++.PP
++.B dlm_controld_tmpfs_t 
++.EE
++
++- Set files with the dlm_controld_tmpfs_t type, if you want to store dlm controld files on a tmpfs file system.
++
++
++.EX
++.PP
++.B dlm_controld_var_log_t 
++.EE
++
++- Set files with the dlm_controld_var_log_t type, if you want to treat the data as dlm controld var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B dlm_controld_var_run_t 
++.EE
++
++- Set files with the dlm_controld_var_run_t type, if you want to store the dlm controld files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dlm policy is very flexible allowing users to setup their dlm processes in as secure a method as possible.
++.PP 
++The following process types are defined for dlm:
++
++.EX
++.B dlm_controld_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dlm(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dmesg_selinux.8 b/man/man8/dmesg_selinux.8
+new file mode 100644
+index 0000000..7ba27b0
+--- /dev/null
++++ b/man/man8/dmesg_selinux.8
+@@ -0,0 +1,96 @@
++.TH  "dmesg_selinux"  "8"  "dmesg" "dwalsh at redhat.com" "dmesg SELinux Policy documentation"
++.SH "NAME"
++dmesg_selinux \- Security Enhanced Linux Policy for the dmesg processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B dmesg
++(Policy for dmesg)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  dmesg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dmesg with the tightest access possible.
++
++
++.PP
++If you want to allow users to read system messages, you must turn on the user_dmesg boolean.
++
++.EX
++.B setsebool -P user_dmesg 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dmesg policy is very flexible allowing users to setup their dmesg processes in as secure a method as possible.
++.PP 
++The following file types are defined for dmesg:
++
++
++.EX
++.PP
++.B dmesg_exec_t 
++.EE
++
++- Set files with the dmesg_exec_t type, if you want to transition an executable to the dmesg_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/dmesg, /bin/dmesg
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dmesg policy is very flexible allowing users to setup their dmesg processes in as secure a method as possible.
++.PP 
++The following process types are defined for dmesg:
++
++.EX
++.B dmesg_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dmesg(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/dmidecode_selinux.8 b/man/man8/dmidecode_selinux.8
+new file mode 100644
+index 0000000..d2c6acf
+--- /dev/null
++++ b/man/man8/dmidecode_selinux.8
+@@ -0,0 +1,81 @@
++.TH  "dmidecode_selinux"  "8"  "dmidecode" "dwalsh at redhat.com" "dmidecode SELinux Policy documentation"
++.SH "NAME"
++dmidecode_selinux \- Security Enhanced Linux Policy for the dmidecode processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B dmidecode
++(Decode DMI data for x86/ia64 bioses)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dmidecode policy is very flexible allowing users to setup their dmidecode processes in as secure a method as possible.
++.PP 
++The following file types are defined for dmidecode:
++
++
++.EX
++.PP
++.B dmidecode_exec_t 
++.EE
++
++- Set files with the dmidecode_exec_t type, if you want to transition an executable to the dmidecode_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/ownership, /usr/sbin/dmidecode, /usr/sbin/vpddecode
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dmidecode policy is very flexible allowing users to setup their dmidecode processes in as secure a method as possible.
++.PP 
++The following process types are defined for dmidecode:
++
++.EX
++.B dmidecode_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dmidecode(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dnsmasq_selinux.8 b/man/man8/dnsmasq_selinux.8
+new file mode 100644
+index 0000000..2913852
+--- /dev/null
++++ b/man/man8/dnsmasq_selinux.8
+@@ -0,0 +1,137 @@
++.TH  "dnsmasq_selinux"  "8"  "dnsmasq" "dwalsh at redhat.com" "dnsmasq SELinux Policy documentation"
++.SH "NAME"
++dnsmasq_selinux \- Security Enhanced Linux Policy for the dnsmasq processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B dnsmasq
++(dnsmasq DNS forwarder and DHCP server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dnsmasq policy is very flexible allowing users to setup their dnsmasq processes in as secure a method as possible.
++.PP 
++The following file types are defined for dnsmasq:
++
++
++.EX
++.PP
++.B dnsmasq_etc_t 
++.EE
++
++- Set files with the dnsmasq_etc_t type, if you want to store dnsmasq files in the /etc directories.
++
++
++.EX
++.PP
++.B dnsmasq_exec_t 
++.EE
++
++- Set files with the dnsmasq_exec_t type, if you want to transition an executable to the dnsmasq_t domain.
++
++
++.EX
++.PP
++.B dnsmasq_initrc_exec_t 
++.EE
++
++- Set files with the dnsmasq_initrc_exec_t type, if you want to transition an executable to the dnsmasq_initrc_t domain.
++
++
++.EX
++.PP
++.B dnsmasq_lease_t 
++.EE
++
++- Set files with the dnsmasq_lease_t type, if you want to treat the files as dnsmasq lease data.
++
++.br
++.TP 5
++Paths: 
++/var/lib/dnsmasq(/.*)?, /var/lib/misc/dnsmasq\.leases
++
++.EX
++.PP
++.B dnsmasq_unit_file_t 
++.EE
++
++- Set files with the dnsmasq_unit_file_t type, if you want to treat the files as dnsmasq unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/dnsmasq.*, /lib/systemd/system/dnsmasq.*
++
++.EX
++.PP
++.B dnsmasq_var_log_t 
++.EE
++
++- Set files with the dnsmasq_var_log_t type, if you want to treat the data as dnsmasq var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B dnsmasq_var_run_t 
++.EE
++
++- Set files with the dnsmasq_var_run_t type, if you want to store the dnsmasq files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/dnsmasq\.pid, /var/run/libvirt/network(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dnsmasq policy is very flexible allowing users to setup their dnsmasq processes in as secure a method as possible.
++.PP 
++The following process types are defined for dnsmasq:
++
++.EX
++.B dnsmasq_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dnsmasq(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dnssec_selinux.8 b/man/man8/dnssec_selinux.8
+new file mode 100644
+index 0000000..c8a6a53
+--- /dev/null
++++ b/man/man8/dnssec_selinux.8
+@@ -0,0 +1,123 @@
++.TH  "dnssec_selinux"  "8"  "dnssec" "dwalsh at redhat.com" "dnssec SELinux Policy documentation"
++.SH "NAME"
++dnssec_selinux \- Security Enhanced Linux Policy for the dnssec processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B dnssec
++(policy for dnssec_trigger)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dnssec policy is very flexible allowing users to setup their dnssec processes in as secure a method as possible.
++.PP 
++The following file types are defined for dnssec:
++
++
++.EX
++.PP
++.B dnssec_t 
++.EE
++
++- Set files with the dnssec_t type, if you want to treat the files as dnssec data.
++
++.br
++.TP 5
++Paths: 
++/etc/unbound/.*\.key, /var/named/chroot/etc/rndc\.key, /etc/dnssec-trigger/dnssec_trigger_server\.key, /etc/rndc\.key
++
++.EX
++.PP
++.B dnssec_trigger_exec_t 
++.EE
++
++- Set files with the dnssec_trigger_exec_t type, if you want to transition an executable to the dnssec_trigger_t domain.
++
++
++.EX
++.PP
++.B dnssec_trigger_var_run_t 
++.EE
++
++- Set files with the dnssec_trigger_var_run_t type, if you want to store the dnssec trigger files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux dnssec policy is very flexible allowing users to setup their dnssec processes in as secure a method as possible.
++.PP 
++The following port types are defined for dnssec:
++
++.EX
++.TP 5
++.B dnssec_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dnssec policy is very flexible allowing users to setup their dnssec processes in as secure a method as possible.
++.PP 
++The following process types are defined for dnssec:
++
++.EX
++.B dnssec_trigger_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dnssec(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dovecot_selinux.8 b/man/man8/dovecot_selinux.8
+new file mode 100644
+index 0000000..9dccfb5
+--- /dev/null
++++ b/man/man8/dovecot_selinux.8
+@@ -0,0 +1,213 @@
++.TH  "dovecot_selinux"  "8"  "dovecot" "dwalsh at redhat.com" "dovecot SELinux Policy documentation"
++.SH "NAME"
++dovecot_selinux \- Security Enhanced Linux Policy for the dovecot processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B dovecot
++(Dovecot POP and IMAP mail server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dovecot policy is very flexible allowing users to setup their dovecot processes in as secure a method as possible.
++.PP 
++The following file types are defined for dovecot:
++
++
++.EX
++.PP
++.B dovecot_auth_exec_t 
++.EE
++
++- Set files with the dovecot_auth_exec_t type, if you want to transition an executable to the dovecot_auth_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/libexec/dovecot/auth, /usr/libexec/dovecot/dovecot-auth
++
++.EX
++.PP
++.B dovecot_auth_tmp_t 
++.EE
++
++- Set files with the dovecot_auth_tmp_t type, if you want to store dovecot auth temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dovecot_cert_t 
++.EE
++
++- Set files with the dovecot_cert_t type, if you want to treat the files as dovecot certificate data.
++
++.br
++.TP 5
++Paths: 
++/usr/share/ssl/private/dovecot\.pem, /etc/pki/dovecot(/.*)?, /usr/share/ssl/certs/dovecot\.pem
++
++.EX
++.PP
++.B dovecot_deliver_exec_t 
++.EE
++
++- Set files with the dovecot_deliver_exec_t type, if you want to transition an executable to the dovecot_deliver_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/libexec/dovecot/dovecot-lda, /usr/libexec/dovecot/deliver
++
++.EX
++.PP
++.B dovecot_deliver_tmp_t 
++.EE
++
++- Set files with the dovecot_deliver_tmp_t type, if you want to store dovecot deliver temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dovecot_etc_t 
++.EE
++
++- Set files with the dovecot_etc_t type, if you want to store dovecot files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/dovecot(/.*)?*, /etc/dovecot\.conf.*
++
++.EX
++.PP
++.B dovecot_exec_t 
++.EE
++
++- Set files with the dovecot_exec_t type, if you want to transition an executable to the dovecot_t domain.
++
++
++.EX
++.PP
++.B dovecot_initrc_exec_t 
++.EE
++
++- Set files with the dovecot_initrc_exec_t type, if you want to transition an executable to the dovecot_initrc_t domain.
++
++
++.EX
++.PP
++.B dovecot_keytab_t 
++.EE
++
++- Set files with the dovecot_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B dovecot_passwd_t 
++.EE
++
++- Set files with the dovecot_passwd_t type, if you want to treat the files as dovecot passwd data.
++
++
++.EX
++.PP
++.B dovecot_spool_t 
++.EE
++
++- Set files with the dovecot_spool_t type, if you want to store the dovecot files under the /var/spool directory.
++
++
++.EX
++.PP
++.B dovecot_tmp_t 
++.EE
++
++- Set files with the dovecot_tmp_t type, if you want to store dovecot temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dovecot_var_lib_t 
++.EE
++
++- Set files with the dovecot_var_lib_t type, if you want to store the dovecot files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/dovecot/login/ssl-parameters.dat, /var/lib/dovecot(/.*)?
++
++.EX
++.PP
++.B dovecot_var_log_t 
++.EE
++
++- Set files with the dovecot_var_log_t type, if you want to treat the data as dovecot var log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/dovecot\.log.*, /var/log/dovecot(/.*)?
++
++.EX
++.PP
++.B dovecot_var_run_t 
++.EE
++
++- Set files with the dovecot_var_run_t type, if you want to store the dovecot files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dovecot policy is very flexible allowing users to setup their dovecot processes in as secure a method as possible.
++.PP 
++The following process types are defined for dovecot:
++
++.EX
++.B dovecot_deliver_t, dovecot_auth_t, dovecot_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dovecot(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/drbd_selinux.8 b/man/man8/drbd_selinux.8
+new file mode 100644
+index 0000000..9cd65f4
+--- /dev/null
++++ b/man/man8/drbd_selinux.8
+@@ -0,0 +1,97 @@
++.TH  "drbd_selinux"  "8"  "drbd" "dwalsh at redhat.com" "drbd SELinux Policy documentation"
++.SH "NAME"
++drbd_selinux \- Security Enhanced Linux Policy for the drbd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B drbd
++(policy for drbd)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux drbd policy is very flexible allowing users to setup their drbd processes in as secure a method as possible.
++.PP 
++The following file types are defined for drbd:
++
++
++.EX
++.PP
++.B drbd_exec_t 
++.EE
++
++- Set files with the drbd_exec_t type, if you want to transition an executable to the drbd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/drbdadm, /sbin/drbdadm, /usr/lib/ocf/resource.\d/linbit/drbd, /usr/sbin/drbdsetup, /sbin/drbdsetup
++
++.EX
++.PP
++.B drbd_lock_t 
++.EE
++
++- Set files with the drbd_lock_t type, if you want to treat the files as drbd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B drbd_var_lib_t 
++.EE
++
++- Set files with the drbd_var_lib_t type, if you want to store the drbd files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux drbd policy is very flexible allowing users to setup their drbd processes in as secure a method as possible.
++.PP 
++The following process types are defined for drbd:
++
++.EX
++.B drbd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), drbd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/dspam_selinux.8 b/man/man8/dspam_selinux.8
+new file mode 100644
+index 0000000..fba374b
+--- /dev/null
++++ b/man/man8/dspam_selinux.8
+@@ -0,0 +1,117 @@
++.TH  "dspam_selinux"  "8"  "dspam" "dwalsh at redhat.com" "dspam SELinux Policy documentation"
++.SH "NAME"
++dspam_selinux \- Security Enhanced Linux Policy for the dspam processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B dspam
++(policy for dspam)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux dspam policy is very flexible allowing users to setup their dspam processes in as secure a method as possible.
++.PP 
++The following file types are defined for dspam:
++
++
++.EX
++.PP
++.B dspam_exec_t 
++.EE
++
++- Set files with the dspam_exec_t type, if you want to transition an executable to the dspam_t domain.
++
++
++.EX
++.PP
++.B dspam_initrc_exec_t 
++.EE
++
++- Set files with the dspam_initrc_exec_t type, if you want to transition an executable to the dspam_initrc_t domain.
++
++
++.EX
++.PP
++.B dspam_log_t 
++.EE
++
++- Set files with the dspam_log_t type, if you want to treat the data as dspam log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B dspam_tmp_t 
++.EE
++
++- Set files with the dspam_tmp_t type, if you want to store dspam temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dspam_var_lib_t 
++.EE
++
++- Set files with the dspam_var_lib_t type, if you want to store the dspam files under the /var/lib directory.
++
++
++.EX
++.PP
++.B dspam_var_run_t 
++.EE
++
++- Set files with the dspam_var_run_t type, if you want to store the dspam files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dspam policy is very flexible allowing users to setup their dspam processes in as secure a method as possible.
++.PP 
++The following process types are defined for dspam:
++
++.EX
++.B dspam_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), dspam(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/entropyd_selinux.8 b/man/man8/entropyd_selinux.8
+new file mode 100644
+index 0000000..907170c
+--- /dev/null
++++ b/man/man8/entropyd_selinux.8
+@@ -0,0 +1,108 @@
++.TH  "entropyd_selinux"  "8"  "entropyd" "dwalsh at redhat.com" "entropyd SELinux Policy documentation"
++.SH "NAME"
++entropyd_selinux \- Security Enhanced Linux Policy for the entropyd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B entropyd
++(Generate entropy from audio input)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  entropyd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run entropyd with the tightest access possible.
++
++
++.PP
++If you want to allow the use of the audio devices as the source for the entropy feed, you must turn on the entropyd_use_audio boolean.
++
++.EX
++.B setsebool -P entropyd_use_audio 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux entropyd policy is very flexible allowing users to setup their entropyd processes in as secure a method as possible.
++.PP 
++The following file types are defined for entropyd:
++
++
++.EX
++.PP
++.B entropyd_exec_t 
++.EE
++
++- Set files with the entropyd_exec_t type, if you want to transition an executable to the entropyd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/audio-entropyd, /usr/sbin/haveged
++
++.EX
++.PP
++.B entropyd_var_run_t 
++.EE
++
++- Set files with the entropyd_var_run_t type, if you want to store the entropyd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/audio-entropyd\.pid, /var/run/haveged\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux entropyd policy is very flexible allowing users to setup their entropyd processes in as secure a method as possible.
++.PP 
++The following process types are defined for entropyd:
++
++.EX
++.B entropyd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), entropyd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/eventlogd_selinux.8 b/man/man8/eventlogd_selinux.8
+new file mode 100644
+index 0000000..01e8f18
+--- /dev/null
++++ b/man/man8/eventlogd_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "eventlogd_selinux"  "8"  "eventlogd" "dwalsh at redhat.com" "eventlogd SELinux Policy documentation"
++.SH "NAME"
++eventlogd_selinux \- Security Enhanced Linux Policy for the eventlogd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux eventlogd policy is very flexible allowing users to setup their eventlogd processes in as secure a method as possible.
++.PP 
++The following file types are defined for eventlogd:
++
++
++.EX
++.PP
++.B eventlogd_exec_t 
++.EE
++
++- Set files with the eventlogd_exec_t type, if you want to transition an executable to the eventlogd_t domain.
++
++
++.EX
++.PP
++.B eventlogd_var_lib_t 
++.EE
++
++- Set files with the eventlogd_var_lib_t type, if you want to store the eventlogd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B eventlogd_var_run_t 
++.EE
++
++- Set files with the eventlogd_var_run_t type, if you want to store the eventlogd files under the /run directory.
++
++
++.EX
++.PP
++.B eventlogd_var_socket_t 
++.EE
++
++- Set files with the eventlogd_var_socket_t type, if you want to treat the files as eventlogd var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux eventlogd policy is very flexible allowing users to setup their eventlogd processes in as secure a method as possible.
++.PP 
++The following process types are defined for eventlogd:
++
++.EX
++.B eventlogd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), eventlogd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/evtchnd_selinux.8 b/man/man8/evtchnd_selinux.8
+new file mode 100644
+index 0000000..fc58144
+--- /dev/null
++++ b/man/man8/evtchnd_selinux.8
+@@ -0,0 +1,91 @@
++.TH  "evtchnd_selinux"  "8"  "evtchnd" "dwalsh at redhat.com" "evtchnd SELinux Policy documentation"
++.SH "NAME"
++evtchnd_selinux \- Security Enhanced Linux Policy for the evtchnd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux evtchnd policy is very flexible allowing users to setup their evtchnd processes in as secure a method as possible.
++.PP 
++The following file types are defined for evtchnd:
++
++
++.EX
++.PP
++.B evtchnd_exec_t 
++.EE
++
++- Set files with the evtchnd_exec_t type, if you want to transition an executable to the evtchnd_t domain.
++
++
++.EX
++.PP
++.B evtchnd_var_log_t 
++.EE
++
++- Set files with the evtchnd_var_log_t type, if you want to treat the data as evtchnd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B evtchnd_var_run_t 
++.EE
++
++- Set files with the evtchnd_var_run_t type, if you want to store the evtchnd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/evtchnd, /var/run/evtchnd\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux evtchnd policy is very flexible allowing users to setup their evtchnd processes in as secure a method as possible.
++.PP 
++The following process types are defined for evtchnd:
++
++.EX
++.B evtchnd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), evtchnd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/exim_selinux.8 b/man/man8/exim_selinux.8
+new file mode 100644
+index 0000000..bb54ea6
+--- /dev/null
++++ b/man/man8/exim_selinux.8
+@@ -0,0 +1,158 @@
++.TH  "exim_selinux"  "8"  "exim" "dwalsh at redhat.com" "exim SELinux Policy documentation"
++.SH "NAME"
++exim_selinux \- Security Enhanced Linux Policy for the exim processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B exim
++(Exim mail transfer agent)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  exim policy is extremely flexible and has several booleans that allow you to manipulate the policy and run exim with the tightest access possible.
++
++
++.PP
++If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean.
++
++.EX
++.B setsebool -P exim_read_user_files 1
++.EE
++
++.PP
++If you want to allow exim to connect to databases (PostgreSQL, MySQL, you must turn on the exim_can_connect_db boolean.
++
++.EX
++.B setsebool -P exim_can_connect_db 1
++.EE
++
++.PP
++If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean.
++
++.EX
++.B setsebool -P exim_manage_user_files 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux exim policy is very flexible allowing users to setup their exim processes in as secure a method as possible.
++.PP 
++The following file types are defined for exim:
++
++
++.EX
++.PP
++.B exim_exec_t 
++.EE
++
++- Set files with the exim_exec_t type, if you want to transition an executable to the exim_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/exim_tidydb, /usr/sbin/exim[0-9]?
++
++.EX
++.PP
++.B exim_initrc_exec_t 
++.EE
++
++- Set files with the exim_initrc_exec_t type, if you want to transition an executable to the exim_initrc_t domain.
++
++
++.EX
++.PP
++.B exim_keytab_t 
++.EE
++
++- Set files with the exim_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B exim_log_t 
++.EE
++
++- Set files with the exim_log_t type, if you want to treat the data as exim log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B exim_spool_t 
++.EE
++
++- Set files with the exim_spool_t type, if you want to store the exim files under the /var/spool directory.
++
++
++.EX
++.PP
++.B exim_tmp_t 
++.EE
++
++- Set files with the exim_tmp_t type, if you want to store exim temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B exim_var_run_t 
++.EE
++
++- Set files with the exim_var_run_t type, if you want to store the exim files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux exim policy is very flexible allowing users to setup their exim processes in as secure a method as possible.
++.PP 
++The following process types are defined for exim:
++
++.EX
++.B exim_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), exim(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/fail2ban_selinux.8 b/man/man8/fail2ban_selinux.8
+new file mode 100644
+index 0000000..8084e6e
+--- /dev/null
++++ b/man/man8/fail2ban_selinux.8
+@@ -0,0 +1,129 @@
++.TH  "fail2ban_selinux"  "8"  "fail2ban" "dwalsh at redhat.com" "fail2ban SELinux Policy documentation"
++.SH "NAME"
++fail2ban_selinux \- Security Enhanced Linux Policy for the fail2ban processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B fail2ban
++(Update firewall filtering to ban IP addresses with too many password failures)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux fail2ban policy is very flexible allowing users to setup their fail2ban processes in as secure a method as possible.
++.PP 
++The following file types are defined for fail2ban:
++
++
++.EX
++.PP
++.B fail2ban_client_exec_t 
++.EE
++
++- Set files with the fail2ban_client_exec_t type, if you want to transition an executable to the fail2ban_client_t domain.
++
++
++.EX
++.PP
++.B fail2ban_exec_t 
++.EE
++
++- Set files with the fail2ban_exec_t type, if you want to transition an executable to the fail2ban_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/fail2ban-server, /usr/bin/fail2ban
++
++.EX
++.PP
++.B fail2ban_initrc_exec_t 
++.EE
++
++- Set files with the fail2ban_initrc_exec_t type, if you want to transition an executable to the fail2ban_initrc_t domain.
++
++
++.EX
++.PP
++.B fail2ban_log_t 
++.EE
++
++- Set files with the fail2ban_log_t type, if you want to treat the data as fail2ban log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B fail2ban_tmp_t 
++.EE
++
++- Set files with the fail2ban_tmp_t type, if you want to store fail2ban temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B fail2ban_var_lib_t 
++.EE
++
++- Set files with the fail2ban_var_lib_t type, if you want to store the fail2ban files under the /var/lib directory.
++
++
++.EX
++.PP
++.B fail2ban_var_run_t 
++.EE
++
++- Set files with the fail2ban_var_run_t type, if you want to store the fail2ban files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fail2ban policy is very flexible allowing users to setup their fail2ban processes in as secure a method as possible.
++.PP 
++The following process types are defined for fail2ban:
++
++.EX
++.B fail2ban_client_t, fail2ban_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), fail2ban(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/fcoemon_selinux.8 b/man/man8/fcoemon_selinux.8
+new file mode 100644
+index 0000000..7f07e27
+--- /dev/null
++++ b/man/man8/fcoemon_selinux.8
+@@ -0,0 +1,89 @@
++.TH  "fcoemon_selinux"  "8"  "fcoemon" "dwalsh at redhat.com" "fcoemon SELinux Policy documentation"
++.SH "NAME"
++fcoemon_selinux \- Security Enhanced Linux Policy for the fcoemon processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B fcoemon
++(policy for fcoemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux fcoemon policy is very flexible allowing users to setup their fcoemon processes in as secure a method as possible.
++.PP 
++The following file types are defined for fcoemon:
++
++
++.EX
++.PP
++.B fcoemon_exec_t 
++.EE
++
++- Set files with the fcoemon_exec_t type, if you want to transition an executable to the fcoemon_t domain.
++
++
++.EX
++.PP
++.B fcoemon_var_run_t 
++.EE
++
++- Set files with the fcoemon_var_run_t type, if you want to store the fcoemon files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/fcm(/.*)?, /var/run/fcoemon\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fcoemon policy is very flexible allowing users to setup their fcoemon processes in as secure a method as possible.
++.PP 
++The following process types are defined for fcoemon:
++
++.EX
++.B fcoemon_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), fcoemon(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/fenced_selinux.8 b/man/man8/fenced_selinux.8
+new file mode 100644
+index 0000000..8a95cd7
+--- /dev/null
++++ b/man/man8/fenced_selinux.8
+@@ -0,0 +1,141 @@
++.TH  "fenced_selinux"  "8"  "fenced" "dwalsh at redhat.com" "fenced SELinux Policy documentation"
++.SH "NAME"
++fenced_selinux \- Security Enhanced Linux Policy for the fenced processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  fenced policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fenced with the tightest access possible.
++
++
++.PP
++If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
++
++.EX
++.B setsebool -P fenced_can_ssh 1
++.EE
++
++.PP
++If you want to allow fenced domain to connect to the network using TCP, you must turn on the fenced_can_network_connect boolean.
++
++.EX
++.B setsebool -P fenced_can_network_connect 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux fenced policy is very flexible allowing users to setup their fenced processes in as secure a method as possible.
++.PP 
++The following file types are defined for fenced:
++
++
++.EX
++.PP
++.B fenced_exec_t 
++.EE
++
++- Set files with the fenced_exec_t type, if you want to transition an executable to the fenced_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/fence_node, /usr/sbin/fence_tool, /usr/sbin/fenced
++
++.EX
++.PP
++.B fenced_lock_t 
++.EE
++
++- Set files with the fenced_lock_t type, if you want to treat the files as fenced lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B fenced_tmp_t 
++.EE
++
++- Set files with the fenced_tmp_t type, if you want to store fenced temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B fenced_tmpfs_t 
++.EE
++
++- Set files with the fenced_tmpfs_t type, if you want to store fenced files on a tmpfs file system.
++
++
++.EX
++.PP
++.B fenced_var_log_t 
++.EE
++
++- Set files with the fenced_var_log_t type, if you want to treat the data as fenced var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B fenced_var_run_t 
++.EE
++
++- Set files with the fenced_var_run_t type, if you want to store the fenced files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/cluster/fenced_override, /var/run/cluster/fence_scsi.*, /var/run/fenced\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fenced policy is very flexible allowing users to setup their fenced processes in as secure a method as possible.
++.PP 
++The following process types are defined for fenced:
++
++.EX
++.B fenced_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), fenced(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/fetchmail_selinux.8 b/man/man8/fetchmail_selinux.8
+new file mode 100644
+index 0000000..65f9aa3
+--- /dev/null
++++ b/man/man8/fetchmail_selinux.8
+@@ -0,0 +1,109 @@
++.TH  "fetchmail_selinux"  "8"  "fetchmail" "dwalsh at redhat.com" "fetchmail SELinux Policy documentation"
++.SH "NAME"
++fetchmail_selinux \- Security Enhanced Linux Policy for the fetchmail processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B fetchmail
++(Remote-mail retrieval and forwarding utility)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux fetchmail policy is very flexible allowing users to setup their fetchmail processes in as secure a method as possible.
++.PP 
++The following file types are defined for fetchmail:
++
++
++.EX
++.PP
++.B fetchmail_etc_t 
++.EE
++
++- Set files with the fetchmail_etc_t type, if you want to store fetchmail files in the /etc directories.
++
++
++.EX
++.PP
++.B fetchmail_exec_t 
++.EE
++
++- Set files with the fetchmail_exec_t type, if you want to transition an executable to the fetchmail_t domain.
++
++
++.EX
++.PP
++.B fetchmail_home_t 
++.EE
++
++- Set files with the fetchmail_home_t type, if you want to store fetchmail files in the users home directory.
++
++
++.EX
++.PP
++.B fetchmail_uidl_cache_t 
++.EE
++
++- Set files with the fetchmail_uidl_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B fetchmail_var_run_t 
++.EE
++
++- Set files with the fetchmail_var_run_t type, if you want to store the fetchmail files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fetchmail policy is very flexible allowing users to setup their fetchmail processes in as secure a method as possible.
++.PP 
++The following process types are defined for fetchmail:
++
++.EX
++.B fetchmail_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), fetchmail(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/fingerd_selinux.8 b/man/man8/fingerd_selinux.8
+new file mode 100644
+index 0000000..b1c9f85
+--- /dev/null
++++ b/man/man8/fingerd_selinux.8
+@@ -0,0 +1,125 @@
++.TH  "fingerd_selinux"  "8"  "fingerd" "dwalsh at redhat.com" "fingerd SELinux Policy documentation"
++.SH "NAME"
++fingerd_selinux \- Security Enhanced Linux Policy for the fingerd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux fingerd policy is very flexible allowing users to setup their fingerd processes in as secure a method as possible.
++.PP 
++The following file types are defined for fingerd:
++
++
++.EX
++.PP
++.B fingerd_etc_t 
++.EE
++
++- Set files with the fingerd_etc_t type, if you want to store fingerd files in the /etc directories.
++
++
++.EX
++.PP
++.B fingerd_exec_t 
++.EE
++
++- Set files with the fingerd_exec_t type, if you want to transition an executable to the fingerd_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/cron\.weekly/(c)?fingerd, /usr/sbin/[cef]fingerd, /usr/sbin/in\.fingerd
++
++.EX
++.PP
++.B fingerd_log_t 
++.EE
++
++- Set files with the fingerd_log_t type, if you want to treat the data as fingerd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B fingerd_var_run_t 
++.EE
++
++- Set files with the fingerd_var_run_t type, if you want to store the fingerd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux fingerd policy is very flexible allowing users to setup their fingerd processes in as secure a method as possible.
++.PP 
++The following port types are defined for fingerd:
++
++.EX
++.TP 5
++.B fingerd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fingerd policy is very flexible allowing users to setup their fingerd processes in as secure a method as possible.
++.PP 
++The following process types are defined for fingerd:
++
++.EX
++.B fingerd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), fingerd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/firewalld_selinux.8 b/man/man8/firewalld_selinux.8
+new file mode 100644
+index 0000000..c6d98d6
+--- /dev/null
++++ b/man/man8/firewalld_selinux.8
+@@ -0,0 +1,121 @@
++.TH  "firewalld_selinux"  "8"  "firewalld" "dwalsh at redhat.com" "firewalld SELinux Policy documentation"
++.SH "NAME"
++firewalld_selinux \- Security Enhanced Linux Policy for the firewalld processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B firewalld
++(policy for firewalld)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux firewalld policy is very flexible allowing users to setup their firewalld processes in as secure a method as possible.
++.PP 
++The following file types are defined for firewalld:
++
++
++.EX
++.PP
++.B firewalld_etc_rw_t 
++.EE
++
++- Set files with the firewalld_etc_rw_t type, if you want to treat the files as firewalld etc read/write content.
++
++
++.EX
++.PP
++.B firewalld_exec_t 
++.EE
++
++- Set files with the firewalld_exec_t type, if you want to transition an executable to the firewalld_t domain.
++
++
++.EX
++.PP
++.B firewalld_initrc_exec_t 
++.EE
++
++- Set files with the firewalld_initrc_exec_t type, if you want to transition an executable to the firewalld_initrc_t domain.
++
++
++.EX
++.PP
++.B firewalld_unit_file_t 
++.EE
++
++- Set files with the firewalld_unit_file_t type, if you want to treat the files as firewalld unit content.
++
++
++.EX
++.PP
++.B firewalld_var_log_t 
++.EE
++
++- Set files with the firewalld_var_log_t type, if you want to treat the data as firewalld var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B firewalld_var_run_t 
++.EE
++
++- Set files with the firewalld_var_run_t type, if you want to store the firewalld files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/firewalld(/.*)?, /var/run/firewalld\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux firewalld policy is very flexible allowing users to setup their firewalld processes in as secure a method as possible.
++.PP 
++The following process types are defined for firewalld:
++
++.EX
++.B firewallgui_t, firewalld_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), firewalld(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/firewallgui_selinux.8 b/man/man8/firewallgui_selinux.8
+new file mode 100644
+index 0000000..6fd604e
+--- /dev/null
++++ b/man/man8/firewallgui_selinux.8
+@@ -0,0 +1,85 @@
++.TH  "firewallgui_selinux"  "8"  "firewallgui" "dwalsh at redhat.com" "firewallgui SELinux Policy documentation"
++.SH "NAME"
++firewallgui_selinux \- Security Enhanced Linux Policy for the firewallgui processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B firewallgui
++(policy for firewallgui)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux firewallgui policy is very flexible allowing users to setup their firewallgui processes in as secure a method as possible.
++.PP 
++The following file types are defined for firewallgui:
++
++
++.EX
++.PP
++.B firewallgui_exec_t 
++.EE
++
++- Set files with the firewallgui_exec_t type, if you want to transition an executable to the firewallgui_t domain.
++
++
++.EX
++.PP
++.B firewallgui_tmp_t 
++.EE
++
++- Set files with the firewallgui_tmp_t type, if you want to store firewallgui temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux firewallgui policy is very flexible allowing users to setup their firewallgui processes in as secure a method as possible.
++.PP 
++The following process types are defined for firewallgui:
++
++.EX
++.B firewallgui_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), firewallgui(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/firstboot_selinux.8 b/man/man8/firstboot_selinux.8
+new file mode 100644
+index 0000000..b1bbe5c
+--- /dev/null
++++ b/man/man8/firstboot_selinux.8
+@@ -0,0 +1,100 @@
++.TH  "firstboot_selinux"  "8"  "firstboot" "dwalsh at redhat.com" "firstboot SELinux Policy documentation"
++.SH "NAME"
++firstboot_selinux \- Security Enhanced Linux Policy for the firstboot processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B firstboot
++(
++Final system configuration run during the first boot
++after installation of Red Hat/Fedora systems.
++)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux firstboot policy is very flexible allowing users to setup their firstboot processes in as secure a method as possible.
++.PP 
++The following file types are defined for firstboot:
++
++
++.EX
++.PP
++.B firstboot_etc_t 
++.EE
++
++- Set files with the firstboot_etc_t type, if you want to store firstboot files in the /etc directories.
++
++
++.EX
++.PP
++.B firstboot_exec_t 
++.EE
++
++- Set files with the firstboot_exec_t type, if you want to transition an executable to the firstboot_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/share/firstboot/firstboot\.py, /usr/sbin/firstboot
++
++.EX
++.PP
++.B firstboot_tmp_t 
++.EE
++
++- Set files with the firstboot_tmp_t type, if you want to store firstboot temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux firstboot policy is very flexible allowing users to setup their firstboot processes in as secure a method as possible.
++.PP 
++The following process types are defined for firstboot:
++
++.EX
++.B firstboot_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), firstboot(8), semanage(8), restorecon(8), chcon(1)
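Review bot: The escape that should close the bold command name is mistyped as `\bP` in `option to \fBls\bP` and `option to \fBps\bP`. In roff `\b` is the bracket-building escape, not a font change, so bold is never switched off and the rest of the line may render garbled; the lines should end `\fBls\fP` and `\fBps\fP`. The same two lines recur in the foghorn, fprintd, freshclam, fsadm, fsdaemon, ftpd, ftpdctl and games pages of this patch. As the pages say they are autogenerated by genman.py, the fix presumably belongs in that generator's template rather than in each file. The DESCRIPTION also opens with `SELinux Linux secures`, which reads as a duplicated word.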
+diff --git a/man/man8/foghorn_selinux.8 b/man/man8/foghorn_selinux.8
+new file mode 100644
+index 0000000..828ba62
+--- /dev/null
++++ b/man/man8/foghorn_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "foghorn_selinux"  "8"  "foghorn" "dwalsh at redhat.com" "foghorn SELinux Policy documentation"
++.SH "NAME"
++foghorn_selinux \- Security Enhanced Linux Policy for the foghorn processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux foghorn policy is very flexible allowing users to setup their foghorn processes in as secure a method as possible.
++.PP 
++The following file types are defined for foghorn:
++
++
++.EX
++.PP
++.B foghorn_exec_t 
++.EE
++
++- Set files with the foghorn_exec_t type, if you want to transition an executable to the foghorn_t domain.
++
++
++.EX
++.PP
++.B foghorn_tmpfs_t 
++.EE
++
++- Set files with the foghorn_tmpfs_t type, if you want to store foghorn files on a tmpfs file system.
++
++
++.EX
++.PP
++.B foghorn_var_log_t 
++.EE
++
++- Set files with the foghorn_var_log_t type, if you want to treat the data as foghorn var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B foghorn_var_run_t 
++.EE
++
++- Set files with the foghorn_var_run_t type, if you want to store the foghorn files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux foghorn policy is very flexible allowing users to setup their foghorn processes in as secure a method as possible.
++.PP 
++The following process types are defined for foghorn:
++
++.EX
++.B foghorn_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), foghorn(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/fprintd_selinux.8 b/man/man8/fprintd_selinux.8
+new file mode 100644
+index 0000000..cd72389
+--- /dev/null
++++ b/man/man8/fprintd_selinux.8
+@@ -0,0 +1,85 @@
++.TH  "fprintd_selinux"  "8"  "fprintd" "dwalsh at redhat.com" "fprintd SELinux Policy documentation"
++.SH "NAME"
++fprintd_selinux \- Security Enhanced Linux Policy for the fprintd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B fprintd
++(DBus fingerprint reader service)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux fprintd policy is very flexible allowing users to setup their fprintd processes in as secure a method as possible.
++.PP 
++The following file types are defined for fprintd:
++
++
++.EX
++.PP
++.B fprintd_exec_t 
++.EE
++
++- Set files with the fprintd_exec_t type, if you want to transition an executable to the fprintd_t domain.
++
++
++.EX
++.PP
++.B fprintd_var_lib_t 
++.EE
++
++- Set files with the fprintd_var_lib_t type, if you want to store the fprintd files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fprintd policy is very flexible allowing users to setup their fprintd processes in as secure a method as possible.
++.PP 
++The following process types are defined for fprintd:
++
++.EX
++.B fprintd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), fprintd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/freshclam_selinux.8 b/man/man8/freshclam_selinux.8
+new file mode 100644
+index 0000000..f012b28
+--- /dev/null
++++ b/man/man8/freshclam_selinux.8
+@@ -0,0 +1,83 @@
++.TH  "freshclam_selinux"  "8"  "freshclam" "dwalsh at redhat.com" "freshclam SELinux Policy documentation"
++.SH "NAME"
++freshclam_selinux \- Security Enhanced Linux Policy for the freshclam processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux freshclam policy is very flexible allowing users to setup their freshclam processes in as secure a method as possible.
++.PP 
++The following file types are defined for freshclam:
++
++
++.EX
++.PP
++.B freshclam_exec_t 
++.EE
++
++- Set files with the freshclam_exec_t type, if you want to transition an executable to the freshclam_t domain.
++
++
++.EX
++.PP
++.B freshclam_var_log_t 
++.EE
++
++- Set files with the freshclam_var_log_t type, if you want to treat the data as freshclam var log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/clamav/freshclam.*, /var/log/freshclam.*
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux freshclam policy is very flexible allowing users to setup their freshclam processes in as secure a method as possible.
++.PP 
++The following process types are defined for freshclam:
++
++.EX
++.B freshclam_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), freshclam(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/fsadm_selinux.8 b/man/man8/fsadm_selinux.8
+new file mode 100644
+index 0000000..9400571
+--- /dev/null
++++ b/man/man8/fsadm_selinux.8
+@@ -0,0 +1,91 @@
++.TH  "fsadm_selinux"  "8"  "fsadm" "dwalsh at redhat.com" "fsadm SELinux Policy documentation"
++.SH "NAME"
++fsadm_selinux \- Security Enhanced Linux Policy for the fsadm processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux fsadm policy is very flexible allowing users to setup their fsadm processes in as secure a method as possible.
++.PP 
++The following file types are defined for fsadm:
++
++
++.EX
++.PP
++.B fsadm_exec_t 
++.EE
++
++- Set files with the fsadm_exec_t type, if you want to transition an executable to the fsadm_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/partx, /usr/sbin/fdisk, /sbin/mkfs.*, /sbin/blockdev, /usr/sbin/sfdisk, /sbin/dumpe2fs, /sbin/mkdosfs, /sbin/mke2fs, /sbin/e4fsck, /usr/sbin/dosfsck, /usr/sbin/blockdev, /usr/sbin/lsraid, /usr/bin/partition_uuid, /sbin/raidautorun, /usr/sbin/findfs, /usr/sbin/scsi_info, /usr/sbin/raidstart, /sbin/mkreiserfs, /sbin/sfdisk, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/sbin/partx, /usr/sbin/resize.*fs, /usr/sbin/fsck.*, /usr/sbin/dumpe2fs, /usr/sbin/mkdosfs, /sbin/blkid, /usr/sbin/hdparm, /sbin/make_reiser4, /sbin/dump, /sbin/swapon.*, /usr/sbin/jfs_.*, /usr/bin/scsi_unique_id, /sbin/findfs, /usr/sbin/smartctl, /usr/bin/syslinux, /usr/sbin/blkid, /usr/sbin/mke2fs, /sbin/tune2fs, /sbin/losetup.*, /sbin/resize.*fs, /usr/sbin/tune2fs, /usr/lib/systemd/systemd-fsck, /sbin/parted, /sbin/partprobe, /sbin/dosfsck, /usr/sbin/mkfs.*, /sbin/e2label, /lib/systemd/systemd-fsck, /usr/sbin/reiserfs(ck|tune), /sbin/mkraid, /sbin/install-mbr, /sbin/scsi_info, /sbin/e2fsck, /sbin/
 fsck.*, /usr/sbin/install-mbr, /usr/sbin/clubufflush, /sbin/jfs_.*, /sbin/raidstart, /sbin/lsraid, /usr/sbin/losetup.*, /usr/sbin/mkreiserfs, /usr/sbin/swapon.*, /usr/sbin/e2fsck, /sbin/reiserfs(ck|tune), /usr/sbin/e4fsck, /usr/sbin/dump, /usr/sbin/partprobe, /sbin/fdisk, /usr/sbin/e2label, /usr/sbin/parted, /usr/bin/raw, /sbin/mke4fs, /usr/sbin/cfdisk, /usr/sbin/mke4fs, /sbin/cfdisk, /usr/sbin/mkraid, /sbin/hdparm
++
++.EX
++.PP
++.B fsadm_log_t 
++.EE
++
++- Set files with the fsadm_log_t type, if you want to treat the data as fsadm log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B fsadm_tmp_t 
++.EE
++
++- Set files with the fsadm_tmp_t type, if you want to store fsadm temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fsadm policy is very flexible allowing users to setup their fsadm processes in as secure a method as possible.
++.PP 
++The following process types are defined for fsadm:
++
++.EX
++.B fsadm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), fsadm(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/fsdaemon_selinux.8 b/man/man8/fsdaemon_selinux.8
+new file mode 100644
+index 0000000..0f3466e
+--- /dev/null
++++ b/man/man8/fsdaemon_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "fsdaemon_selinux"  "8"  "fsdaemon" "dwalsh at redhat.com" "fsdaemon SELinux Policy documentation"
++.SH "NAME"
++fsdaemon_selinux \- Security Enhanced Linux Policy for the fsdaemon processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux fsdaemon policy is very flexible allowing users to setup their fsdaemon processes in as secure a method as possible.
++.PP 
++The following file types are defined for fsdaemon:
++
++
++.EX
++.PP
++.B fsdaemon_exec_t 
++.EE
++
++- Set files with the fsdaemon_exec_t type, if you want to transition an executable to the fsdaemon_t domain.
++
++
++.EX
++.PP
++.B fsdaemon_initrc_exec_t 
++.EE
++
++- Set files with the fsdaemon_initrc_exec_t type, if you want to transition an executable to the fsdaemon_initrc_t domain.
++
++
++.EX
++.PP
++.B fsdaemon_tmp_t 
++.EE
++
++- Set files with the fsdaemon_tmp_t type, if you want to store fsdaemon temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B fsdaemon_var_run_t 
++.EE
++
++- Set files with the fsdaemon_var_run_t type, if you want to store the fsdaemon files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fsdaemon policy is very flexible allowing users to setup their fsdaemon processes in as secure a method as possible.
++.PP 
++The following process types are defined for fsdaemon:
++
++.EX
++.B fsdaemon_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), fsdaemon(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
+index 5bebd82..c617a6e 100644
+--- a/man/man8/ftpd_selinux.8
++++ b/man/man8/ftpd_selinux.8
+@@ -1,65 +1,321 @@
+-.TH  "ftpd_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "ftpd SELinux policy documentation"
++.TH  "ftpd_selinux"  "8"  "ftpd" "dwalsh at redhat.com" "ftpd SELinux Policy documentation"
+ .SH "NAME"
+-.PP
+-ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons.
++ftpd_selinux \- Security Enhanced Linux Policy for the ftpd processes
+ .SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  ftpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ftpd with the tightest access possible.
++
++
+ .PP
+-Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control.
+-.SH FILE_CONTEXTS
++If you want to allow ftp to read and write files in the user home directorie, you must turn on the ftp_home_dir boolean.
++
++.EX
++.B setsebool -P ftp_home_dir 1
++.EE
++
+ .PP
+-SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon.  Policy governs the access that daemons have to files.
+-.TP
+-Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type.
++If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC, you must turn on the allow_ftpd_full_access boolean.
++
++.EX
++.B setsebool -P allow_ftpd_full_access 1
++.EE
++
+ .PP
+-.B
+-semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
+-.TP
+-.B
+-restorecon -F -R -v /var/ftp
+-.TP
+-Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_ftpd_anon_write boolean to be set.
++If you want to allow ftp servers to connect to mysql database port, you must turn on the ftpd_connect_db boolean.
++
++.EX
++.B setsebool -P ftpd_connect_db 1
++.EE
++
+ .PP
+-.B
+-semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
+-.TP
+-.B
+-restorecon -F -R -v /var/ftp/incoming
++If you want to allow ftp servers to use cifs used for public file transfer services, you must turn on the allow_ftpd_use_cifs boolean.
++
++.EX
++.B setsebool -P allow_ftpd_use_cifs 1
++.EE
+ 
+-.SH BOOLEANS
+ .PP
+-SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool.
+-.TP
+-Allow ftp servers to read and write files with the public_content_rw_t file type.
++If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the allow_ftpd_use_nfs boolean.
++
++.EX
++.B setsebool -P allow_ftpd_use_nfs 1
++.EE
++
+ .PP
+-.B
+-setsebool -P allow_ftpd_anon_write on
+-.TP
+-Allow ftp servers to read or write files in the user home directories.
++If you want to allow sftp-internal to read and write files in the user home directorie, you must turn on the sftpd_enable_homedirs boolean.
++
++.EX
++.B setsebool -P sftpd_enable_homedirs 1
++.EE
++
+ .PP
+-.B
+-setsebool -P ftp_home_dir on
+-.TP
+-Allow ftp servers to read or write all files on the system.
++If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral port, you must turn on the httpd_can_connect_ftp boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_ftp 1
++.EE
++
+ .PP
+-.B
+-setsebool -P allow_ftpd_full_access on
++If you want to allow sftp-internal to login to local users and read/write all files on the system, governed by DAC, you must turn on the sftpd_full_access boolean.
++
++.EX
++.B setsebool -P sftpd_full_access 1
++.EE
++
++.PP
++If you want to allow ftp servers to connect to all ports > 102, you must turn on the ftpd_connect_all_unreserved boolean.
++
++.EX
++.B setsebool -P ftpd_connect_all_unreserved 1
++.EE
++
++.PP
++If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
++
++.EX
++.B setsebool -P httpd_enable_ftp_server 1
++.EE
++
++.PP
++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
++
++.EX
++.B setsebool -P sftpd_write_ssh_home 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
+ .TP
+-Allow ftp servers to use cifs for public file transfer services.
++Allow ftpd servers to read the /var/ftpd directory by adding the public_content_t file type to the directory and by restoring the file type.
+ .PP
+ .B
+-setsebool -P allow_ftpd_use_cifs on
++semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?"
++.br
++.B restorecon -F -R -v /var/ftpd
++.pp
+ .TP
+-Allow ftp servers to use nfs for public file transfer services.
++Allow ftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_ftpd_anon_write boolean to be set.
+ .PP
+ .B
+-setsebool -P allow_ftpd_use_nfs on
+-.TP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
+-.SH AUTHOR	
++semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/ftpd/incoming
++
++
+ .PP
+-This manual page was written by Dan Walsh <dwalsh at redhat.com>.
++If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean.
+ 
+-.SH "SEE ALSO"
++.EX
++.B setsebool -P tftp_anon_write 1
++.EE
++
++.PP
++If you want to allow ftp servers to upload files,  used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the allow_ftpd_anon_write boolean.
++
++.EX
++.B setsebool -P allow_ftpd_anon_write 1
++.EE
++
++.PP
++If you want to allow anon internal-sftp to upload files, used for public file transfer services, directories must be labeled public_content_rw_t., you must turn on the sftpd_anon_write boolean.
++
++.EX
++.B setsebool -P sftpd_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible.
++.PP 
++The following file types are defined for ftpd:
++
++
++.EX
++.PP
++.B ftpd_etc_t 
++.EE
++
++- Set files with the ftpd_etc_t type, if you want to store ftpd files in the /etc directories.
++
++
++.EX
++.PP
++.B ftpd_exec_t 
++.EE
++
++- Set files with the ftpd_exec_t type, if you want to transition an executable to the ftpd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/ftpwho, /etc/cron\.monthly/proftpd, /usr/sbin/in\.ftpd, /usr/sbin/proftpd, /usr/kerberos/sbin/ftpd, /usr/sbin/muddleftpd, /usr/sbin/vsftpd
++
++.EX
++.PP
++.B ftpd_initrc_exec_t 
++.EE
++
++- Set files with the ftpd_initrc_exec_t type, if you want to transition an executable to the ftpd_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/proftpd, /etc/rc\.d/init\.d/vsftpd
++
++.EX
++.PP
++.B ftpd_keytab_t 
++.EE
++
++- Set files with the ftpd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B ftpd_lock_t 
++.EE
++
++- Set files with the ftpd_lock_t type, if you want to treat the files as ftpd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B ftpd_tmp_t 
++.EE
++
++- Set files with the ftpd_tmp_t type, if you want to store ftpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ftpd_tmpfs_t 
++.EE
++
++- Set files with the ftpd_tmpfs_t type, if you want to store ftpd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B ftpd_unit_file_t 
++.EE
++
++- Set files with the ftpd_unit_file_t type, if you want to treat the files as ftpd unit content.
++
++
++.EX
++.PP
++.B ftpd_var_run_t 
++.EE
++
++- Set files with the ftpd_var_run_t type, if you want to store the ftpd files under the /run directory.
++
++
++.EX
+ .PP
++.B ftpdctl_exec_t 
++.EE
+ 
+-selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8)
++- Set files with the ftpdctl_exec_t type, if you want to transition an executable to the ftpdctl_t domain.
++
++
++.EX
++.PP
++.B ftpdctl_tmp_t 
++.EE
++
++- Set files with the ftpdctl_tmp_t type, if you want to store ftpdctl temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible.
++.PP 
++The following port types are defined for ftpd:
++
++.EX
++.TP 5
++.B ftp_data_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B ftp_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for ftpd:
++
++.EX
++.B ftpd_t, ftpdctl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ftpd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
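Review bot: The regenerated SHARING FILES commands label `/var/ftpd(/.*)?` and `/var/ftpd/incoming(/.*)?`, where the text they replace used `/var/ftp`. This looks like the generator substituting the domain name into a path, and an administrator following it would likely label a directory the FTP server does not serve from while the real tree keeps its old label. I would keep `semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"` with `restorecon -F -R -v /var/ftp`, and the matching `/var/ftp/incoming` pair. In PORT TYPES both `ftp_data_port_t` and `ftp_port_t` list `tcp 8021`, which is identical for the two types and is not the usual FTP control or data port, so the values should be checked against `semanage port -l` before this ships. The `ftpd_connect_all_unreserved` text says `all ports > 102`, probably a truncated `1023`, and the `.pp` after the first restorecon line should be `.PP`.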
+diff --git a/man/man8/ftpdctl_selinux.8 b/man/man8/ftpdctl_selinux.8
+new file mode 100644
+index 0000000..8903b4b
+--- /dev/null
++++ b/man/man8/ftpdctl_selinux.8
+@@ -0,0 +1,79 @@
++.TH  "ftpdctl_selinux"  "8"  "ftpdctl" "dwalsh at redhat.com" "ftpdctl SELinux Policy documentation"
++.SH "NAME"
++ftpdctl_selinux \- Security Enhanced Linux Policy for the ftpdctl processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ftpdctl policy is very flexible allowing users to setup their ftpdctl processes in as secure a method as possible.
++.PP 
++The following file types are defined for ftpdctl:
++
++
++.EX
++.PP
++.B ftpdctl_exec_t 
++.EE
++
++- Set files with the ftpdctl_exec_t type, if you want to transition an executable to the ftpdctl_t domain.
++
++
++.EX
++.PP
++.B ftpdctl_tmp_t 
++.EE
++
++- Set files with the ftpdctl_tmp_t type, if you want to store ftpdctl temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ftpdctl policy is very flexible allowing users to setup their ftpdctl processes in as secure a method as possible.
++.PP 
++The following process types are defined for ftpdctl:
++
++.EX
++.B ftpdctl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ftpdctl(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/games_selinux.8 b/man/man8/games_selinux.8
+new file mode 100644
+index 0000000..4ba69f7
+--- /dev/null
++++ b/man/man8/games_selinux.8
+@@ -0,0 +1,117 @@
++.TH  "games_selinux"  "8"  "games" "dwalsh at redhat.com" "games SELinux Policy documentation"
++.SH "NAME"
++games_selinux \- Security Enhanced Linux Policy for the games processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B games
++(Games)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux games policy is very flexible allowing users to setup their games processes in as secure a method as possible.
++.PP 
++The following file types are defined for games:
++
++
++.EX
++.PP
++.B games_data_t 
++.EE
++
++- Set files with the games_data_t type, if you want to treat the files as games content.
++
++.br
++.TP 5
++Paths: 
++/var/games(/.*)?, /var/lib/games(/.*)?
++
++.EX
++.PP
++.B games_exec_t 
++.EE
++
++- Set files with the games_exec_t type, if you want to transition an executable to the games_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/sol, /usr/bin/blackjack, /usr/bin/micq, /usr/bin/gnome-stones, /usr/bin/gnotski, /usr/bin/kshisen, /usr/bin/klickety, /usr/bin/lskat, /usr/bin/atlantik, /usr/bin/ksame, /usr/bin/kgoldrunner, /usr/bin/lskatproc, /usr/bin/gataxx, /usr/bin/katomic, /usr/bin/Maelstrom, /usr/bin/ksmiletris, /usr/bin/gnotravex, /usr/bin/ksirtet, /usr/bin/ktuberling, /usr/bin/kbounce, /usr/bin/kenolaba, /usr/bin/kmahjongg, /usr/bin/ksnake, /usr/games/.*, /usr/bin/gnobots2, /usr/bin/civserver.*, /usr/bin/civclient.*, /usr/bin/kwin4, /usr/bin/ktron, /usr/bin/mahjongg, /usr/bin/kbackgammon, /usr/bin/kblackbox, /usr/bin/kjumpingcube, /usr/bin/gnect, /usr/bin/kbattleship, /usr/bin/same-gnome, /usr/bin/kasteroids, /usr/bin/ksokoban, /usr/bin/kolf, /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/kpoker, /usr/lib/games(/.*)?, /usr/bin/glines, /usr/bin/kfouleggs, /usr/bin/kmines, /usr/bin/gnibbles, /usr/bin/kspaceduel, /usr/bin/gnomine, /usr/bin/kpat, /usr/bin/iagno, /usr/bin/gtali, /usr/bin/klines
 , /usr/bin/kwin4proc
++
++.EX
++.PP
++.B games_srv_var_run_t 
++.EE
++
++- Set files with the games_srv_var_run_t type, if you want to store the games srv files under the /run directory.
++
++
++.EX
++.PP
++.B games_tmp_t 
++.EE
++
++- Set files with the games_tmp_t type, if you want to store games temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B games_tmpfs_t 
++.EE
++
++- Set files with the games_tmpfs_t type, if you want to store games files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux games policy is very flexible allowing users to setup their games processes in as secure a method as possible.
++.PP 
++The following process types are defined for games:
++
++.EX
++.B games_t, games_srv_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), games(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/gconfd_selinux.8 b/man/man8/gconfd_selinux.8
+new file mode 100644
+index 0000000..6146c3a
+--- /dev/null
++++ b/man/man8/gconfd_selinux.8
+@@ -0,0 +1,107 @@
++.TH  "gconfd_selinux"  "8"  "gconfd" "dwalsh at redhat.com" "gconfd SELinux Policy documentation"
++.SH "NAME"
++gconfd_selinux \- Security Enhanced Linux Policy for the gconfd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux gconfd policy is very flexible allowing users to setup their gconfd processes in as secure a method as possible.
++.PP 
++The following file types are defined for gconfd:
++
++
++.EX
++.PP
++.B gconf_etc_t 
++.EE
++
++- Set files with the gconf_etc_t type, if you want to store gconf files in the /etc directories.
++
++
++.EX
++.PP
++.B gconf_home_t 
++.EE
++
++- Set files with the gconf_home_t type, if you want to store gconf files in the users home directory.
++
++.br
++.TP 5
++Paths: 
++/root/\.gconf(d)?(/.*)?, /root/\.local.*
++
++.EX
++.PP
++.B gconf_tmp_t 
++.EE
++
++- Set files with the gconf_tmp_t type, if you want to store gconf temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B gconfd_exec_t 
++.EE
++
++- Set files with the gconfd_exec_t type, if you want to transition an executable to the gconfd_t domain.
++
++
++.EX
++.PP
++.B gconfdefaultsm_exec_t 
++.EE
++
++- Set files with the gconfdefaultsm_exec_t type, if you want to transition an executable to the gconfdefaultsm_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gconfd policy is very flexible allowing users to setup their gconfd processes in as secure a method as possible.
++.PP 
++The following process types are defined for gconfd:
++
++.EX
++.B gconfdefaultsm_t, gconfd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), gconfd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/gconfdefaultsm_selinux.8 b/man/man8/gconfdefaultsm_selinux.8
+new file mode 100644
+index 0000000..71a23ac
+--- /dev/null
++++ b/man/man8/gconfdefaultsm_selinux.8
+@@ -0,0 +1,71 @@
++.TH  "gconfdefaultsm_selinux"  "8"  "gconfdefaultsm" "dwalsh at redhat.com" "gconfdefaultsm SELinux Policy documentation"
++.SH "NAME"
++gconfdefaultsm_selinux \- Security Enhanced Linux Policy for the gconfdefaultsm processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux gconfdefaultsm policy is very flexible allowing users to setup their gconfdefaultsm processes in as secure a method as possible.
++.PP 
++The following file types are defined for gconfdefaultsm:
++
++
++.EX
++.PP
++.B gconfdefaultsm_exec_t 
++.EE
++
++- Set files with the gconfdefaultsm_exec_t type, if you want to transition an executable to the gconfdefaultsm_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gconfdefaultsm policy is very flexible allowing users to setup their gconfdefaultsm processes in as secure a method as possible.
++.PP 
++The following process types are defined for gconfdefaultsm:
++
++.EX
++.B gconfdefaultsm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), gconfdefaultsm(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/getty_selinux.8 b/man/man8/getty_selinux.8
+new file mode 100644
+index 0000000..85b78f2
+--- /dev/null
++++ b/man/man8/getty_selinux.8
+@@ -0,0 +1,129 @@
++.TH  "getty_selinux"  "8"  "getty" "dwalsh at redhat.com" "getty SELinux Policy documentation"
++.SH "NAME"
++getty_selinux \- Security Enhanced Linux Policy for the getty processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B getty
++(Policy for getty)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux getty policy is very flexible allowing users to setup their getty processes in as secure a method as possible.
++.PP 
++The following file types are defined for getty:
++
++
++.EX
++.PP
++.B getty_etc_t 
++.EE
++
++- Set files with the getty_etc_t type, if you want to store getty files in the /etc directories.
++
++
++.EX
++.PP
++.B getty_exec_t 
++.EE
++
++- Set files with the getty_exec_t type, if you want to transition an executable to the getty_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/.*getty, /sbin/.*getty
++
++.EX
++.PP
++.B getty_lock_t 
++.EE
++
++- Set files with the getty_lock_t type, if you want to treat the files as getty lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B getty_log_t 
++.EE
++
++- Set files with the getty_log_t type, if you want to treat the data as getty log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/mgetty\.log.*, /var/log/vgetty\.log\..*
++
++.EX
++.PP
++.B getty_tmp_t 
++.EE
++
++- Set files with the getty_tmp_t type, if you want to store getty temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B getty_var_run_t 
++.EE
++
++- Set files with the getty_var_run_t type, if you want to store the getty files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/spool/voice(/.*)?, /var/spool/fax(/.*)?, /var/run/mgetty\.pid.*
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux getty policy is very flexible allowing users to setup their getty processes in as secure a method as possible.
++.PP 
++The following process types are defined for getty:
++
++.EX
++.B getty_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), getty(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/gfs_selinux.8 b/man/man8/gfs_selinux.8
+new file mode 100644
+index 0000000..c681f11
+--- /dev/null
++++ b/man/man8/gfs_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "gfs_selinux"  "8"  "gfs" "dwalsh at redhat.com" "gfs SELinux Policy documentation"
++.SH "NAME"
++gfs_selinux \- Security Enhanced Linux Policy for the gfs processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux gfs policy is very flexible allowing users to setup their gfs processes in as secure a method as possible.
++.PP 
++The following file types are defined for gfs:
++
++
++.EX
++.PP
++.B gfs_controld_exec_t 
++.EE
++
++- Set files with the gfs_controld_exec_t type, if you want to transition an executable to the gfs_controld_t domain.
++
++
++.EX
++.PP
++.B gfs_controld_tmpfs_t 
++.EE
++
++- Set files with the gfs_controld_tmpfs_t type, if you want to store gfs controld files on a tmpfs file system.
++
++
++.EX
++.PP
++.B gfs_controld_var_log_t 
++.EE
++
++- Set files with the gfs_controld_var_log_t type, if you want to treat the data as gfs controld var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B gfs_controld_var_run_t 
++.EE
++
++- Set files with the gfs_controld_var_run_t type, if you want to store the gfs controld files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gfs policy is very flexible allowing users to setup their gfs processes in as secure a method as possible.
++.PP 
++The following process types are defined for gfs:
++
++.EX
++.B gfs_controld_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), gfs(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/git_shell_selinux.8 b/man/man8/git_shell_selinux.8
+new file mode 100644
+index 0000000..6031c31
+--- /dev/null
++++ b/man/man8/git_shell_selinux.8
+@@ -0,0 +1,183 @@
++.TH  "git_shell_selinux"  "8"  "git_shell" "mgrepl at redhat.com" "git_shell SELinux Policy documentation"
++.SH "NAME"
++git_shell_u \- \fBgit_shell user role\fP - Security Enhanced Linux Policy 
++
++.SH DESCRIPTION
++
++\fBgit_shell_u\fP is an SELinux User defined in the SELinux
++policy. SELinux users have default roles, \fBgit_shell_r\fP.  The
++default role has a default type, \fBgit_shell_t\fP, associated with it.
++
++The SELinux user will usually login to a system with a context that looks like:
++
++.B git_shell_u:git_shell_r:git_shell_u:s0-s0:c0.c1023
++
++Linux users are automatically assigned an SELinux users at login.  
++Login programs use the SELinux User to assign initial context to the user's shell.
++
++SELinux policy uses the context to control the user's access.
++
++By default all users are assigned to the SELinux user via the \fB__default__\fP flag
++
++On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
++
++You can list all Linux User to SELinux user mapping using:
++
++.B semanage login -l
++
++If you wanted to change the default user mapping to use the git_shell_u user, you would execute:
++
++.B semanage login -m -s git_shell_u __default__
++
++
++.SH USER DESCRIPTION
++
++The SELinux user git_shell_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
++
++.SH SUDO
++
++The SELinux type git_shell_t is not allowed to execute sudo. 
++
++.SH X WINDOWS LOGIN
++
++The SELinux user git_shell_u is not able to X Windows login.
++
++.SH TERMINAL LOGIN
++
++The SELinux user git_shell_u is not able to terminal login.
++
++.SH NETWORK
++
++.TP
++The SELinux user git_shell_u is able to connect to the following tcp ports.
++
++.B dns_port_t: 53
++
++.B ocsp_port_t: 9080
++
++.B kerberos_port_t: 88,750,4444
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  git_shell_t policy is extremely flexible and has several booleans that allow you to manipulate the policy and run git_shell_t with the tightest access possible.
++
++
++.PP
++If you want to allow users to connect to the local mysql server, you must turn on the allow_user_mysql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_mysql_connect 1
++.EE
++
++.PP
++If you want to control users use of ping and traceroute, you must turn on the user_ping boolean.
++
++.EX
++.B setsebool -P user_ping 1
++.EE
++
++.PP
++If you want to allow w to display everyone, you must turn on the user_ttyfile_stat boolean.
++
++.EX
++.B setsebool -P user_ttyfile_stat 1
++.EE
++
++.PP
++If you want to allow user music sharing, you must turn on the user_share_music boolean.
++
++.EX
++.B setsebool -P user_share_music 1
++.EE
++
++.PP
++If you want to allow regular users direct dri device access, you must turn on the user_direct_dri boolean.
++
++.EX
++.B setsebool -P user_direct_dri 1
++.EE
++
++.PP
++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the user_rw_noexattrfile boolean.
++
++.EX
++.B setsebool -P user_rw_noexattrfile 1
++.EE
++
++.PP
++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users)  disabling this forces FTP passive mode and may change other protocols, you must turn on the user_tcp_server boolean.
++
++.EX
++.B setsebool -P user_tcp_server 1
++.EE
++
++.PP
++If you want to allow regular users direct mouse access, you must turn on the user_direct_mouse boolean.
++
++.EX
++.B setsebool -P user_direct_mouse 1
++.EE
++
++.PP
++If you want to allow user processes to change their priority, you must turn on the user_setrlimit boolean.
++
++.EX
++.B setsebool -P user_setrlimit 1
++.EE
++
++.PP
++If you want to allow users to connect to PostgreSQL, you must turn on the allow_user_postgresql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_postgresql_connect 1
++.EE
++
++.PP
++If you want to allow users to read system messages, you must turn on the user_dmesg boolean.
++
++.EX
++.B setsebool -P user_dmesg 1
++.EE
++
++.SH HOME_EXEC
++
++The SELinux user git_shell_u is able execute home content files.
++
++.SH TRANSITIONS
++
++Three things can happen when git_shell_t attempts to execute a program.
++
++\fB1.\fP SELinux Policy can deny git_shell_t from executing the program.
++
++.TP
++
++\fB2.\fP SELinux Policy can allow git_shell_t to execute the program in the current user type.
++
++Execute the following to see the types that the SELinux user git_shell_t can execute without transitioning:
++
++.B sesearch -A -s git_shell_t -c file -p execute_no_trans
++
++.TP
++
++\fB3.\fP SELinux can allow git_shell_t to execute the program and transition to a new type.
++
++Execute the following to see the types that the SELinux user git_shell_t can execute and transition:
++
++.B $ sesearch -A -s git_shell_t -c process -p transition
++
++
++.SH "COMMANDS"
++
++.B semanage login
++can also be used to manipulate the Linux User to SELinux User mappings
++
++.B semanage user
++can also be used to manipulate SELinux user definitions.
++
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genuserman.py.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8).
+diff --git a/man/man8/gitosis_selinux.8 b/man/man8/gitosis_selinux.8
+new file mode 100644
+index 0000000..0db16b5
+--- /dev/null
++++ b/man/man8/gitosis_selinux.8
+@@ -0,0 +1,108 @@
++.TH  "gitosis_selinux"  "8"  "gitosis" "dwalsh at redhat.com" "gitosis SELinux Policy documentation"
++.SH "NAME"
++gitosis_selinux \- Security Enhanced Linux Policy for the gitosis processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B gitosis
++(Tools for managing and hosting git repositories)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  gitosis policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gitosis with the tightest access possible.
++
++
++.PP
++If you want to allow gitisis daemon to send mai, you must turn on the gitosis_can_sendmail boolean.
++
++.EX
++.B setsebool -P gitosis_can_sendmail 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux gitosis policy is very flexible allowing users to setup their gitosis processes in as secure a method as possible.
++.PP 
++The following file types are defined for gitosis:
++
++
++.EX
++.PP
++.B gitosis_exec_t 
++.EE
++
++- Set files with the gitosis_exec_t type, if you want to transition an executable to the gitosis_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/gitosis-serve, /usr/bin/gl-auth-command
++
++.EX
++.PP
++.B gitosis_var_lib_t 
++.EE
++
++- Set files with the gitosis_var_lib_t type, if you want to store the gitosis files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/gitolite(/.*)?, /var/lib/gitosis(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gitosis policy is very flexible allowing users to setup their gitosis processes in as secure a method as possible.
++.PP 
++The following process types are defined for gitosis:
++
++.EX
++.B gitosis_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), gitosis(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/glance_selinux.8 b/man/man8/glance_selinux.8
+new file mode 100644
+index 0000000..5fe5fae
+--- /dev/null
++++ b/man/man8/glance_selinux.8
+@@ -0,0 +1,167 @@
++.TH  "glance_selinux"  "8"  "glance" "dwalsh at redhat.com" "glance SELinux Policy documentation"
++.SH "NAME"
++glance_selinux \- Security Enhanced Linux Policy for the glance processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B glance
++(policy for glance)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux glance policy is very flexible allowing users to setup their glance processes in as secure a method as possible.
++.PP 
++The following file types are defined for glance:
++
++
++.EX
++.PP
++.B glance_api_exec_t 
++.EE
++
++- Set files with the glance_api_exec_t type, if you want to transition an executable to the glance_api_t domain.
++
++
++.EX
++.PP
++.B glance_api_initrc_exec_t 
++.EE
++
++- Set files with the glance_api_initrc_exec_t type, if you want to transition an executable to the glance_api_initrc_t domain.
++
++
++.EX
++.PP
++.B glance_log_t 
++.EE
++
++- Set files with the glance_log_t type, if you want to treat the data as glance log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B glance_registry_exec_t 
++.EE
++
++- Set files with the glance_registry_exec_t type, if you want to transition an executable to the glance_registry_t domain.
++
++
++.EX
++.PP
++.B glance_registry_initrc_exec_t 
++.EE
++
++- Set files with the glance_registry_initrc_exec_t type, if you want to transition an executable to the glance_registry_initrc_t domain.
++
++
++.EX
++.PP
++.B glance_registry_tmp_t 
++.EE
++
++- Set files with the glance_registry_tmp_t type, if you want to store glance registry temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B glance_tmp_t 
++.EE
++
++- Set files with the glance_tmp_t type, if you want to store glance temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B glance_var_lib_t 
++.EE
++
++- Set files with the glance_var_lib_t type, if you want to store the glance files under the /var/lib directory.
++
++
++.EX
++.PP
++.B glance_var_run_t 
++.EE
++
++- Set files with the glance_var_run_t type, if you want to store the glance files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux glance policy is very flexible allowing users to setup their glance processes in as secure a method as possible.
++.PP 
++The following port types are defined for glance:
++
++.EX
++.TP 5
++.B glance_registry_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux glance policy is very flexible allowing users to setup their glance processes in as secure a method as possible.
++.PP 
++The following process types are defined for glance:
++
++.EX
++.B glance_registry_t, glance_api_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), glance(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/gnomeclock_selinux.8 b/man/man8/gnomeclock_selinux.8
+new file mode 100644
+index 0000000..9664dd6
+--- /dev/null
++++ b/man/man8/gnomeclock_selinux.8
+@@ -0,0 +1,81 @@
++.TH  "gnomeclock_selinux"  "8"  "gnomeclock" "dwalsh at redhat.com" "gnomeclock SELinux Policy documentation"
++.SH "NAME"
++gnomeclock_selinux \- Security Enhanced Linux Policy for the gnomeclock processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B gnomeclock
++(Gnome clock handler for setting the time)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible.
++.PP 
++The following file types are defined for gnomeclock:
++
++
++.EX
++.PP
++.B gnomeclock_exec_t 
++.EE
++
++- Set files with the gnomeclock_exec_t type, if you want to transition an executable to the gnomeclock_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/libexec/gsd-datetime-mechanism, /usr/libexec/kde(3|4)/kcmdatetimehelper, /usr/libexec/gnome-clock-applet-mechanism
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible.
++.PP 
++The following process types are defined for gnomeclock:
++
++.EX
++.B gnomeclock_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), gnomeclock(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/gnomesystemmm_selinux.8 b/man/man8/gnomesystemmm_selinux.8
+new file mode 100644
+index 0000000..d92b3e4
+--- /dev/null
++++ b/man/man8/gnomesystemmm_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "gnomesystemmm_selinux"  "8"  "gnomesystemmm" "dwalsh at redhat.com" "gnomesystemmm SELinux Policy documentation"
++.SH "NAME"
++gnomesystemmm_selinux \- Security Enhanced Linux Policy for the gnomesystemmm processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux gnomesystemmm policy is very flexible allowing users to setup their gnomesystemmm processes in as secure a method as possible.
++.PP 
++The following file types are defined for gnomesystemmm:
++
++
++.EX
++.PP
++.B gnomesystemmm_exec_t 
++.EE
++
++- Set files with the gnomesystemmm_exec_t type, if you want to transition an executable to the gnomesystemmm_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/libexec/kde(3|4)/ksysguardprocesslist_helper, /usr/libexec/gnome-system-monitor-mechanism
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gnomesystemmm policy is very flexible allowing users to setup their gnomesystemmm processes in as secure a method as possible.
++.PP 
++The following process types are defined for gnomesystemmm:
++
++.EX
++.B gnomesystemmm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), gnomesystemmm(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/gpg_selinux.8 b/man/man8/gpg_selinux.8
+new file mode 100644
+index 0000000..9072646
+--- /dev/null
++++ b/man/man8/gpg_selinux.8
+@@ -0,0 +1,177 @@
++.TH  "gpg_selinux"  "8"  "gpg" "dwalsh at redhat.com" "gpg SELinux Policy documentation"
++.SH "NAME"
++gpg_selinux \- Security Enhanced Linux Policy for the gpg processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B gpg
++(Policy for GNU Privacy Guard and related programs)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  gpg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg with the tightest access possible.
++
++
++.PP
++If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean.
++
++.EX
++.B setsebool -P gpg_agent_env_file 1
++.EE
++
++.PP
++If you want to allow httpd to run gpg in gpg-web domai, you must turn on the httpd_use_gpg boolean.
++
++.EX
++.B setsebool -P httpd_use_gpg 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow gpg servers to read the /var/gpg directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/gpg(/.*)?"
++.br
++.B restorecon -F -R -v /var/gpg
++.pp
++.TP
++Allow gpg servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_gpg_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/gpg/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/gpg/incoming
++
++
++.PP
++If you want to allow gpg web domain to modify public files used for public file transfer services., you must turn on the gpg_web_anon_write boolean.
++
++.EX
++.B setsebool -P gpg_web_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux gpg policy is very flexible allowing users to setup their gpg processes in as secure a method as possible.
++.PP 
++The following file types are defined for gpg:
++
++
++.EX
++.PP
++.B gpg_agent_exec_t 
++.EE
++
++- Set files with the gpg_agent_exec_t type, if you want to transition an executable to the gpg_agent_t domain.
++
++
++.EX
++.PP
++.B gpg_agent_tmp_t 
++.EE
++
++- Set files with the gpg_agent_tmp_t type, if you want to store gpg agent temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B gpg_exec_t 
++.EE
++
++- Set files with the gpg_exec_t type, if you want to transition an executable to the gpg_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/gpg(2)?, /usr/bin/kgpg, /usr/lib/gnupg/.*
++
++.EX
++.PP
++.B gpg_helper_exec_t 
++.EE
++
++- Set files with the gpg_helper_exec_t type, if you want to transition an executable to the gpg_helper_t domain.
++
++
++.EX
++.PP
++.B gpg_pinentry_tmp_t 
++.EE
++
++- Set files with the gpg_pinentry_tmp_t type, if you want to store gpg pinentry temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B gpg_pinentry_tmpfs_t 
++.EE
++
++- Set files with the gpg_pinentry_tmpfs_t type, if you want to store gpg pinentry files on a tmpfs file system.
++
++
++.EX
++.PP
++.B gpg_secret_t 
++.EE
++
++- Set files with the gpg_secret_t type, if you want to treat the files as gpg se secret data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gpg policy is very flexible allowing users to setup their gpg processes in as secure a method as possible.
++.PP 
++The following process types are defined for gpg:
++
++.EX
++.B gpg_t, gpg_pinentry_t, gpg_helper_t, gpg_web_t, gpg_agent_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), gpg(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/gpm_selinux.8 b/man/man8/gpm_selinux.8
+new file mode 100644
+index 0000000..7c67dba
+--- /dev/null
++++ b/man/man8/gpm_selinux.8
+@@ -0,0 +1,113 @@
++.TH  "gpm_selinux"  "8"  "gpm" "dwalsh at redhat.com" "gpm SELinux Policy documentation"
++.SH "NAME"
++gpm_selinux \- Security Enhanced Linux Policy for the gpm processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B gpm
++(General Purpose Mouse driver)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux gpm policy is very flexible allowing users to setup their gpm processes in as secure a method as possible.
++.PP 
++The following file types are defined for gpm:
++
++
++.EX
++.PP
++.B gpm_conf_t 
++.EE
++
++- Set files with the gpm_conf_t type, if you want to treat the files as gpm configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B gpm_exec_t 
++.EE
++
++- Set files with the gpm_exec_t type, if you want to transition an executable to the gpm_t domain.
++
++
++.EX
++.PP
++.B gpm_tmp_t 
++.EE
++
++- Set files with the gpm_tmp_t type, if you want to store gpm temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B gpm_var_run_t 
++.EE
++
++- Set files with the gpm_var_run_t type, if you want to store the gpm files under the /run directory.
++
++
++.EX
++.PP
++.B gpmctl_t 
++.EE
++
++- Set files with the gpmctl_t type, if you want to treat the files as gpmctl data.
++
++.br
++.TP 5
++Paths: 
++/dev/gpmctl, /dev/gpmdata
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gpm policy is very flexible allowing users to setup their gpm processes in as secure a method as possible.
++.PP 
++The following process types are defined for gpm:
++
++.EX
++.B gpm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), gpm(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/gpsd_selinux.8 b/man/man8/gpsd_selinux.8
+new file mode 100644
+index 0000000..804e552
+--- /dev/null
++++ b/man/man8/gpsd_selinux.8
+@@ -0,0 +1,131 @@
++.TH  "gpsd_selinux"  "8"  "gpsd" "dwalsh at redhat.com" "gpsd SELinux Policy documentation"
++.SH "NAME"
++gpsd_selinux \- Security Enhanced Linux Policy for the gpsd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B gpsd
++(gpsd monitor daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux gpsd policy is very flexible allowing users to setup their gpsd processes in as secure a method as possible.
++.PP 
++The following file types are defined for gpsd:
++
++
++.EX
++.PP
++.B gpsd_exec_t 
++.EE
++
++- Set files with the gpsd_exec_t type, if you want to transition an executable to the gpsd_t domain.
++
++
++.EX
++.PP
++.B gpsd_initrc_exec_t 
++.EE
++
++- Set files with the gpsd_initrc_exec_t type, if you want to transition an executable to the gpsd_initrc_t domain.
++
++
++.EX
++.PP
++.B gpsd_tmpfs_t 
++.EE
++
++- Set files with the gpsd_tmpfs_t type, if you want to store gpsd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B gpsd_var_run_t 
++.EE
++
++- Set files with the gpsd_var_run_t type, if you want to store the gpsd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/gpsd\.sock, /var/run/gpsd\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux gpsd policy is very flexible allowing users to setup their gpsd processes in as secure a method as possible.
++.PP 
++The following port types are defined for gpsd:
++
++.EX
++.TP 5
++.B gpsd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gpsd policy is very flexible allowing users to setup their gpsd processes in as secure a method as possible.
++.PP 
++The following process types are defined for gpsd:
++
++.EX
++.B gpsd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), gpsd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/greylist_selinux.8 b/man/man8/greylist_selinux.8
+new file mode 100644
+index 0000000..893c92e
+--- /dev/null
++++ b/man/man8/greylist_selinux.8
+@@ -0,0 +1,83 @@
++.TH  "greylist_selinux"  "8"  "greylist" "dwalsh at redhat.com" "greylist SELinux Policy documentation"
++.SH "NAME"
++greylist_selinux \- Security Enhanced Linux Policy for the greylist processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux greylist policy is very flexible allowing users to setup their greylist processes in as secure a method as possible.
++.PP 
++The following file types are defined for greylist:
++
++
++.EX
++.PP
++.B greylist_milter_data_t 
++.EE
++
++- Set files with the greylist_milter_data_t type, if you want to treat the files as greylist milter content.
++
++.br
++.TP 5
++Paths: 
++/var/run/milter-greylist\.pid, /var/run/milter-greylist(/.*)?, /var/lib/milter-greylist(/.*)?
++
++.EX
++.PP
++.B greylist_milter_exec_t 
++.EE
++
++- Set files with the greylist_milter_exec_t type, if you want to transition an executable to the greylist_milter_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux greylist policy is very flexible allowing users to setup their greylist processes in as secure a method as possible.
++.PP 
++The following process types are defined for greylist:
++
++.EX
++.B greylist_milter_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), greylist(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/groupadd_selinux.8 b/man/man8/groupadd_selinux.8
+new file mode 100644
+index 0000000..7774b5f
+--- /dev/null
++++ b/man/man8/groupadd_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "groupadd_selinux"  "8"  "groupadd" "dwalsh at redhat.com" "groupadd SELinux Policy documentation"
++.SH "NAME"
++groupadd_selinux \- Security Enhanced Linux Policy for the groupadd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux groupadd policy is very flexible allowing users to setup their groupadd processes in as secure a method as possible.
++.PP 
++The following file types are defined for groupadd:
++
++
++.EX
++.PP
++.B groupadd_exec_t 
++.EE
++
++- Set files with the groupadd_exec_t type, if you want to transition an executable to the groupadd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/gpasswd, /usr/bin/gpasswd, /usr/sbin/groupdel, /usr/sbin/groupadd, /usr/sbin/groupmod
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux groupadd policy is very flexible allowing users to setup their groupadd processes in as secure a method as possible.
++.PP 
++The following process types are defined for groupadd:
++
++.EX
++.B groupadd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), groupadd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/groupd_selinux.8 b/man/man8/groupd_selinux.8
+new file mode 100644
+index 0000000..7285b15
+--- /dev/null
++++ b/man/man8/groupd_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "groupd_selinux"  "8"  "groupd" "dwalsh at redhat.com" "groupd SELinux Policy documentation"
++.SH "NAME"
++groupd_selinux \- Security Enhanced Linux Policy for the groupd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux groupd policy is very flexible allowing users to setup their groupd processes in as secure a method as possible.
++.PP 
++The following file types are defined for groupd:
++
++
++.EX
++.PP
++.B groupd_exec_t 
++.EE
++
++- Set files with the groupd_exec_t type, if you want to transition an executable to the groupd_t domain.
++
++
++.EX
++.PP
++.B groupd_tmpfs_t 
++.EE
++
++- Set files with the groupd_tmpfs_t type, if you want to store groupd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B groupd_var_log_t 
++.EE
++
++- Set files with the groupd_var_log_t type, if you want to treat the data as groupd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B groupd_var_run_t 
++.EE
++
++- Set files with the groupd_var_run_t type, if you want to store the groupd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux groupd policy is very flexible allowing users to setup their groupd processes in as secure a method as possible.
++.PP 
++The following process types are defined for groupd:
++
++.EX
++.B groupadd_t, groupd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), groupd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/gssd_selinux.8 b/man/man8/gssd_selinux.8
+new file mode 100644
+index 0000000..2e36991
+--- /dev/null
++++ b/man/man8/gssd_selinux.8
+@@ -0,0 +1,106 @@
++.TH  "gssd_selinux"  "8"  "gssd" "dwalsh at redhat.com" "gssd SELinux Policy documentation"
++.SH "NAME"
++gssd_selinux \- Security Enhanced Linux Policy for the gssd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  gssd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gssd with the tightest access possible.
++
++
++.PP
++If you want to allow gssd to read temp directory.  For access to kerberos tgt, you must turn on the allow_gssd_read_tmp boolean.
++
++.EX
++.B setsebool -P allow_gssd_read_tmp 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux gssd policy is very flexible allowing users to setup their gssd processes in as secure a method as possible.
++.PP 
++The following file types are defined for gssd:
++
++
++.EX
++.PP
++.B gssd_exec_t 
++.EE
++
++- Set files with the gssd_exec_t type, if you want to transition an executable to the gssd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/rpc\.gssd, /usr/sbin/rpc\.svcgssd
++
++.EX
++.PP
++.B gssd_keytab_t 
++.EE
++
++- Set files with the gssd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B gssd_tmp_t 
++.EE
++
++- Set files with the gssd_tmp_t type, if you want to store gssd temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gssd policy is very flexible allowing users to setup their gssd processes in as secure a method as possible.
++.PP 
++The following process types are defined for gssd:
++
++.EX
++.B gssd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), gssd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/guest_selinux.8 b/man/man8/guest_selinux.8
+new file mode 100644
+index 0000000..faeeaf7
+--- /dev/null
++++ b/man/man8/guest_selinux.8
+@@ -0,0 +1,188 @@
++.TH  "guest_selinux"  "8"  "guest" "mgrepl at redhat.com" "guest SELinux Policy documentation"
++.SH "NAME"
++guest_u \- \fBLeast privledge terminal user role\fP - Security Enhanced Linux Policy 
++
++.SH DESCRIPTION
++
++\fBguest_u\fP is an SELinux User defined in the SELinux
++policy. SELinux users have default roles, \fBguest_r\fP.  The
++default role has a default type, \fBguest_t\fP, associated with it.
++
++The SELinux user will usually login to a system with a context that looks like:
++
++.B guest_u:guest_r:guest_u:s0-s0:c0.c1023
++
++Linux users are automatically assigned an SELinux users at login.  
++Login programs use the SELinux User to assign initial context to the user's shell.
++
++SELinux policy uses the context to control the user's access.
++
++By default all users are assigned to the SELinux user via the \fB__default__\fP flag
++
++On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
++
++You can list all Linux User to SELinux user mapping using:
++
++.B semanage login -l
++
++If you wanted to change the default user mapping to use the guest_u user, you would execute:
++
++.B semanage login -m -s guest_u __default__
++
++
++If you want to map the one Linux user (joe) to the SELinux user guest, you would execute:
++
++.B $ semanage login -a -s guest_u joe
++
++
++.SH USER DESCRIPTION
++
++The SELinux user guest_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
++
++.SH SUDO
++
++The SELinux type guest_t is not allowed to execute sudo. 
++
++.SH X WINDOWS LOGIN
++
++The SELinux user guest_u is not able to X Windows login.
++
++.SH TERMINAL LOGIN
++
++The SELinux user guest_u is able to terminal login.
++
++.SH NETWORK
++
++.TP
++The SELinux user guest_u is able to connect to the following tcp ports.
++
++.B dns_port_t: 53
++
++.B ocsp_port_t: 9080
++
++.B kerberos_port_t: 88,750,4444
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  guest_t policy is extremely flexible and has several booleans that allow you to manipulate the policy and run guest_t with the tightest access possible.
++
++
++.PP
++If you want to allow users to connect to the local mysql server, you must turn on the allow_user_mysql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_mysql_connect 1
++.EE
++
++.PP
++If you want to control users use of ping and traceroute, you must turn on the user_ping boolean.
++
++.EX
++.B setsebool -P user_ping 1
++.EE
++
++.PP
++If you want to allow w to display everyone, you must turn on the user_ttyfile_stat boolean.
++
++.EX
++.B setsebool -P user_ttyfile_stat 1
++.EE
++
++.PP
++If you want to allow user music sharing, you must turn on the user_share_music boolean.
++
++.EX
++.B setsebool -P user_share_music 1
++.EE
++
++.PP
++If you want to allow regular users direct dri device access, you must turn on the user_direct_dri boolean.
++
++.EX
++.B setsebool -P user_direct_dri 1
++.EE
++
++.PP
++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the user_rw_noexattrfile boolean.
++
++.EX
++.B setsebool -P user_rw_noexattrfile 1
++.EE
++
++.PP
++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users)  disabling this forces FTP passive mode and may change other protocols, you must turn on the user_tcp_server boolean.
++
++.EX
++.B setsebool -P user_tcp_server 1
++.EE
++
++.PP
++If you want to allow regular users direct mouse access, you must turn on the user_direct_mouse boolean.
++
++.EX
++.B setsebool -P user_direct_mouse 1
++.EE
++
++.PP
++If you want to allow user processes to change their priority, you must turn on the user_setrlimit boolean.
++
++.EX
++.B setsebool -P user_setrlimit 1
++.EE
++
++.PP
++If you want to allow users to connect to PostgreSQL, you must turn on the allow_user_postgresql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_postgresql_connect 1
++.EE
++
++.PP
++If you want to allow users to read system messages, you must turn on the user_dmesg boolean.
++
++.EX
++.B setsebool -P user_dmesg 1
++.EE
++
++.SH HOME_EXEC
++
++The SELinux user guest_u is able execute home content files.
++
++.SH TRANSITIONS
++
++Three things can happen when guest_t attempts to execute a program.
++
++\fB1.\fP SELinux Policy can deny guest_t from executing the program.
++
++.TP
++
++\fB2.\fP SELinux Policy can allow guest_t to execute the program in the current user type.
++
++Execute the following to see the types that the SELinux user guest_t can execute without transitioning:
++
++.B sesearch -A -s guest_t -c file -p execute_no_trans
++
++.TP
++
++\fB3.\fP SELinux can allow guest_t to execute the program and transition to a new type.
++
++Execute the following to see the types that the SELinux user guest_t can execute and transition:
++
++.B $ sesearch -A -s guest_t -c process -p transition
++
++
++.SH "COMMANDS"
++
++.B semanage login
++can also be used to manipulate the Linux User to SELinux User mappings
++
++.B semanage user
++can also be used to manipulate SELinux user definitions.
++
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genuserman.py.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8).
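Review bot: The example login context in DESCRIPTION, `.B guest_u:guest_r:guest_u:s0-s0:c0.c1023`, repeats the SELinux user name in the type field, although the paragraph just above it names `guest_t` as the default type. An administrator checking a guest session with `id -Z` would see a string that does not match this page even when confinement is working, so the line should read `.B guest_u:guest_r:guest_t:s0-s0:c0.c1023` (the MLS range is kept as written and should be confirmed against the policy). The NAME line also indexes the page under `guest_u` rather than `guest_selinux`, which is what the `.TH` line and the file name use. The page says it is generated by genuserman.py, so both fixes probably belong in that script's template rather than in this file.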
+diff --git a/man/man8/hddtemp_selinux.8 b/man/man8/hddtemp_selinux.8
+new file mode 100644
+index 0000000..132cb89
+--- /dev/null
++++ b/man/man8/hddtemp_selinux.8
+@@ -0,0 +1,119 @@
++.TH  "hddtemp_selinux"  "8"  "hddtemp" "dwalsh at redhat.com" "hddtemp SELinux Policy documentation"
++.SH "NAME"
++hddtemp_selinux \- Security Enhanced Linux Policy for the hddtemp processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B hddtemp
++(hddtemp hard disk temperature tool running as a daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible.
++.PP 
++The following file types are defined for hddtemp:
++
++
++.EX
++.PP
++.B hddtemp_etc_t 
++.EE
++
++- Set files with the hddtemp_etc_t type, if you want to store hddtemp files in the /etc directories.
++
++
++.EX
++.PP
++.B hddtemp_exec_t 
++.EE
++
++- Set files with the hddtemp_exec_t type, if you want to transition an executable to the hddtemp_t domain.
++
++
++.EX
++.PP
++.B hddtemp_initrc_exec_t 
++.EE
++
++- Set files with the hddtemp_initrc_exec_t type, if you want to transition an executable to the hddtemp_initrc_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible.
++.PP 
++The following port types are defined for hddtemp:
++
++.EX
++.TP 5
++.B hddtemp_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible.
++.PP 
++The following process types are defined for hddtemp:
++
++.EX
++.B hddtemp_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), hddtemp(8), semanage(8), restorecon(8), chcon(1)
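Review bot: The PORT TYPES section lists `tcp 8021` as the default port for `hddtemp_port_t`, and hplip_selinux.8 later in this patch lists the identical `tcp 8021` for `hplip_port_t`. Two unrelated port types showing the same single port looks like the generator printing one fixed value rather than the ports the policy defines. Anyone writing firewall rules or `semanage port` changes from this page would then be working from the wrong number. The generated value should be checked against `semanage port -l` for both types before the pages ship, and the lookup corrected in genman.py. The block is also closed twice, with an `.EE` before and after the "Default Defined Ports:" text, so the port line ends up outside the example block.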
+diff --git a/man/man8/hostname_selinux.8 b/man/man8/hostname_selinux.8
+new file mode 100644
+index 0000000..519b849
+--- /dev/null
++++ b/man/man8/hostname_selinux.8
+@@ -0,0 +1,81 @@
++.TH  "hostname_selinux"  "8"  "hostname" "dwalsh at redhat.com" "hostname SELinux Policy documentation"
++.SH "NAME"
++hostname_selinux \- Security Enhanced Linux Policy for the hostname processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B hostname
++(Policy for changing the system host name)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux hostname policy is very flexible allowing users to setup their hostname processes in as secure a method as possible.
++.PP 
++The following file types are defined for hostname:
++
++
++.EX
++.PP
++.B hostname_exec_t 
++.EE
++
++- Set files with the hostname_exec_t type, if you want to transition an executable to the hostname_t domain.
++
++.br
++.TP 5
++Paths: 
++/bin/hostname, /usr/bin/hostname
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux hostname policy is very flexible allowing users to setup their hostname processes in as secure a method as possible.
++.PP 
++The following process types are defined for hostname:
++
++.EX
++.B hostname_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), hostname(8), semanage(8), restorecon(8), chcon(1)
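Review bot: The bold runs in `\fBls\bP` (FILE CONTEXTS) and `\fBps\bP` (PROCESS TYPES) are never closed, because `\b` is not a font-selection escape; the closing sequence should be `\fP`, as in `\fB\-Z\fP option to \fBls\fP`. As written the text after `ls` and `ps` will not render as intended. The same two lines appear in hddtemp_selinux.8, hplip_selinux.8 and httpd_selinux.8 in this patch, which points at the genman.py template as the place to fix it once.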
+diff --git a/man/man8/hplip_selinux.8 b/man/man8/hplip_selinux.8
+new file mode 100644
+index 0000000..05353ce
+--- /dev/null
++++ b/man/man8/hplip_selinux.8
+@@ -0,0 +1,137 @@
++.TH  "hplip_selinux"  "8"  "hplip" "dwalsh at redhat.com" "hplip SELinux Policy documentation"
++.SH "NAME"
++hplip_selinux \- Security Enhanced Linux Policy for the hplip processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux hplip policy is very flexible allowing users to setup their hplip processes in as secure a method as possible.
++.PP 
++The following file types are defined for hplip:
++
++
++.EX
++.PP
++.B hplip_etc_t 
++.EE
++
++- Set files with the hplip_etc_t type, if you want to store hplip files in the /etc directories.
++
++
++.EX
++.PP
++.B hplip_exec_t 
++.EE
++
++- Set files with the hplip_exec_t type, if you want to transition an executable to the hplip_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/hpijs, /usr/share/hplip/.*\.py, /usr/sbin/hp-[^/]+, /usr/lib/cups/backend/hp.*, /usr/sbin/hpiod
++
++.EX
++.PP
++.B hplip_tmp_t 
++.EE
++
++- Set files with the hplip_tmp_t type, if you want to store hplip temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B hplip_var_lib_t 
++.EE
++
++- Set files with the hplip_var_lib_t type, if you want to store the hplip files under the /var/lib directory.
++
++
++.EX
++.PP
++.B hplip_var_run_t 
++.EE
++
++- Set files with the hplip_var_run_t type, if you want to store the hplip files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/hp.*\.pid, /var/run/hp.*\.port
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux hplip policy is very flexible allowing users to setup their hplip processes in as secure a method as possible.
++.PP 
++The following port types are defined for hplip:
++
++.EX
++.TP 5
++.B hplip_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux hplip policy is very flexible allowing users to setup their hplip processes in as secure a method as possible.
++.PP 
++The following process types are defined for hplip:
++
++.EX
++.B hplip_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), hplip(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
-index 16e8b13..87925e6 100644
+index 16e8b13..335b09f 100644
 --- a/man/man8/httpd_selinux.8
 +++ b/man/man8/httpd_selinux.8
-@@ -28,9 +28,9 @@ httpd_sys_script_exec_t
- .EE 
- - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
+@@ -1,120 +1,1514 @@
+-.TH  "httpd_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "httpd Selinux Policy documentation"
+-.de EX
+-.nf
+-.ft CW
+-..
+-.de EE
+-.ft R
+-.fi
+-..
++.TH  "httpd_selinux"  "8"  "httpd" "dwalsh at redhat.com" "httpd SELinux Policy documentation"
+ .SH "NAME"
+-httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
++httpd_selinux \- Security Enhanced Linux Policy for the httpd processes
+ .SH "DESCRIPTION"
+ 
+-Security-Enhanced Linux secures the httpd server via flexible mandatory access
++
++SELinux Linux secures
++.B httpd
++(Apache web server)
++processes via flexible mandatory access
+ control.  
+-.SH FILE_CONTEXTS
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
++
++
++.PP
++If you want to allow httpd to act as a rela, you must turn on the httpd_can_network_relay boolean.
++
++.EX
++.B setsebool -P httpd_can_network_relay 1
++.EE
++
++.PP
++If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean.
++
++.EX
++.B setsebool -P httpd_can_network_connect_db 1
++.EE
++
++.PP
++If you want to allow httpd to run gpg in gpg-web domai, you must turn on the httpd_use_gpg boolean.
++
++.EX
++.B setsebool -P httpd_use_gpg 1
++.EE
++
++.PP
++If you want to allow httpd to execute cgi script, you must turn on the httpd_enable_cgi boolean.
++
++.EX
++.B setsebool -P httpd_enable_cgi 1
++.EE
++
++.PP
++If you want to allow httpd to access cifs file system, you must turn on the httpd_use_cifs boolean.
++
++.EX
++.B setsebool -P httpd_use_cifs 1
++.EE
++
++.PP
++If you want to allow Apache to use mod_auth_pa, you must turn on the allow_httpd_mod_auth_pam boolean.
++
++.EX
++.B setsebool -P allow_httpd_mod_auth_pam 1
++.EE
++
++.PP
++If you want to allow httpd to read home directorie, you must turn on the httpd_enable_homedirs boolean.
++
++.EX
++.B setsebool -P httpd_enable_homedirs 1
++.EE
++
++.PP
++If you want to allow Apache to communicate with avahi service via dbu, you must turn on the httpd_dbus_avahi boolean.
++
++.EX
++.B setsebool -P httpd_dbus_avahi 1
++.EE
++
++.PP
++If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean.
++
++.EX
++.B setsebool -P httpd_unified 1
++.EE
++
++.PP
++If you want to allow HTTPD scripts and modules to connect to the network using any TCP port, you must turn on the httpd_can_network_connect boolean.
++
++.EX
++.B setsebool -P httpd_can_network_connect 1
++.EE
++
++.PP
++If you want to allow httpd scripts and modules execmem/execstac, you must turn on the httpd_execmem boolean.
++
++.EX
++.B setsebool -P httpd_execmem 1
++.EE
++
++.PP
++If you want to allow httpd to connect to the ldap por, you must turn on the httpd_can_connect_ldap boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_ldap 1
++.EE
++
++.PP
++If you want to allow Apache to use mod_auth_ntlm_winbin, you must turn on the allow_httpd_mod_auth_ntlm_winbind boolean.
++
++.EX
++.B setsebool -P allow_httpd_mod_auth_ntlm_winbind 1
++.EE
++
++.PP
++If you want to unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal, you must turn on the httpd_tty_comm boolean.
++
++.EX
++.B setsebool -P httpd_tty_comm 1
++.EE
++
++.PP
++If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral port, you must turn on the httpd_can_connect_ftp boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_ftp 1
++.EE
++
++.PP
++If you want to allow httpd to read user conten, you must turn on the httpd_read_user_content boolean.
++
++.EX
++.B setsebool -P httpd_read_user_content 1
++.EE
++
++.PP
++If you want to allow httpd to access nfs file system, you must turn on the httpd_use_nfs boolean.
++
++.EX
++.B setsebool -P httpd_use_nfs 1
++.EE
++
++.PP
++If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean.
++
++.EX
++.B setsebool -P httpd_tmp_exec 1
++.EE
++
++.PP
++If you want to allow httpd processes to manage IPA conten, you must turn on the httpd_manage_ipa boolean.
++
++.EX
++.B setsebool -P httpd_manage_ipa 1
++.EE
++
++.PP
++If you want to allow http daemon to send mai, you must turn on the httpd_can_sendmail boolean.
++
++.EX
++.B setsebool -P httpd_can_sendmail 1
++.EE
++
++.PP
++If you want to allow httpd to use built in scripting (usually php, you must turn on the httpd_builtin_scripting boolean.
++
++.EX
++.B setsebool -P httpd_builtin_scripting 1
++.EE
++
++.PP
++If you want to allow http daemon to check spa, you must turn on the httpd_can_check_spam boolean.
++
++.EX
++.B setsebool -P httpd_can_check_spam 1
++.EE
++
++.PP
++If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean.
++
++.EX
++.B setsebool -P named_bind_http_port 1
++.EE
++
++.PP
++If you want to allow httpd to connect to memcache serve, you must turn on the httpd_can_network_memcache boolean.
++
++.EX
++.B setsebool -P httpd_can_network_memcache 1
++.EE
++
++.PP
++If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean.
++
++.EX
++.B setsebool -P httpd_can_network_connect_cobbler 1
++.EE
++
++.PP
++If you want to allow HTTPD to run SSI executables in the same domain as system CGI scripts, you must turn on the httpd_ssi_exec boolean.
++
++.EX
++.B setsebool -P httpd_ssi_exec 1
++.EE
++
++.PP
++If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
++
++.EX
++.B setsebool -P httpd_enable_ftp_server 1
++.EE
++
++.PP
++If you want to allow http daemon to connect to zabbi, you must turn on the httpd_can_connect_zabbix boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_zabbix 1
++.EE
++
++.PP
++If you want to allow httpd daemon to change system limit, you must turn on the httpd_setrlimit boolean.
++
++.EX
++.B setsebool -P httpd_setrlimit 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow httpd servers to read the /var/httpd directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
++.br
++.B restorecon -F -R -v /var/httpd
++.pp
++.TP
++Allow httpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_httpd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/httpd/incoming
++
++
++.PP
++If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the allow_httpd_sys_script_anon_write boolean.
++
++.EX
++.B setsebool -P allow_httpd_sys_script_anon_write 1
++.EE
++
++.PP
++If you want to allow Apache to modify public files used for public file transfer services, directories/files must be labeled public_content_rw_t., you must turn on the allow_httpd_anon_write boolean.
++
++.EX
++.B setsebool -P allow_httpd_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
+ SELinux requires files to have an extended attribute to define the file type. 
+-Policy governs the access daemons have to these files. 
+-SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible.
+ .PP 
+-The following file contexts types are defined for httpd:
++The following file types are defined for httpd:
++
++
+ .EX
+-httpd_sys_content_t 
+-.EE 
+-- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
++.PP
++.B httpd_apcupsd_cgi_content_t 
++.EE
++
++- Set files with the httpd_apcupsd_cgi_content_t type, if you want to treat the files as httpd apcupsd cgi content.
++
++
+ .EX
+-httpd_sys_script_exec_t  
+-.EE 
+-- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
++.PP
++.B httpd_apcupsd_cgi_htaccess_t 
++.EE
++
++- Set files with the httpd_apcupsd_cgi_htaccess_t type, if you want to treat the file as a httpd apcupsd cgi access file.
++
++
+ .EX
+-httpd_sys_content_rw_t 
++.PP
++.B httpd_apcupsd_cgi_ra_content_t 
+ .EE
+-- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
++
++- Set files with the httpd_apcupsd_cgi_ra_content_t type, if you want to treat the files as httpd apcupsd cgi read/append content.
++
++
+ .EX
+-httpd_sys_content_ra_t 
++.PP
++.B httpd_apcupsd_cgi_rw_content_t 
+ .EE
+-- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
++
++- Set files with the httpd_apcupsd_cgi_rw_content_t type, if you want to treat the files as httpd apcupsd cgi read/write content.
++
++
+ .EX
+-httpd_unconfined_script_exec_t  
+-.EE 
+-- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options.  It is better to use this script rather than turning off SELinux protection for httpd.
++.PP
++.B httpd_apcupsd_cgi_script_exec_t 
++.EE
+ 
+-.SH NOTE
+-With certain policies you can define additional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
++- Set files with the httpd_apcupsd_cgi_script_exec_t type, if you want to transition an executable to the httpd_apcupsd_cgi_script_t domain.
+ 
+-.SH SHARING FILES
+-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for httpd you would execute:
++.br
++.TP 5
++Paths: 
++/var/www/apcupsd/upsfstats\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/apcupsd/multimon\.cgi, /var/www/cgi-bin/apcgui(/.*)?
+ 
+ .EX
+-setsebool -P allow_httpd_anon_write=1
++.PP
++.B httpd_awstats_content_t 
+ .EE
+ 
+-or 
++- Set files with the httpd_awstats_content_t type, if you want to treat the files as httpd awstats content.
++
+ 
+ .EX
+-setsebool -P allow_httpd_sys_script_anon_write=1
++.PP
++.B httpd_awstats_htaccess_t 
+ .EE
+ 
+-.SH BOOLEANS
+-SELinux policy is customizable based on least access required.  SELinux can be setup to prevent certain http scripts from working.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
++- Set files with the httpd_awstats_htaccess_t type, if you want to treat the file as a httpd awstats access file.
++
++
++.EX
++.PP
++.B httpd_awstats_ra_content_t 
++.EE
++
++- Set files with the httpd_awstats_ra_content_t type, if you want to treat the files as httpd awstats read/append content.
++
++
++.EX
+ .PP
+-httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
++.B httpd_awstats_rw_content_t 
++.EE
++
++- Set files with the httpd_awstats_rw_content_t type, if you want to treat the files as httpd awstats read/write content.
++
+ 
+ .EX
+-setsebool -P httpd_enable_cgi 1
++.PP
++.B httpd_awstats_script_exec_t 
+ .EE
+ 
++- Set files with the httpd_awstats_script_exec_t type, if you want to transition an executable to the httpd_awstats_script_t domain.
++
++
++.EX
+ .PP
+-SELinux policy for httpd can be setup to not allowed to access users home directories.  If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
++.B httpd_bugzilla_content_t 
++.EE
++
++- Set files with the httpd_bugzilla_content_t type, if you want to treat the files as httpd bugzilla content.
++
+ 
+ .EX
+-setsebool -P httpd_enable_homedirs 1
+-chcon -R -t httpd_sys_content_t ~user/public_html
++.PP
++.B httpd_bugzilla_htaccess_t 
+ .EE
+ 
++- Set files with the httpd_bugzilla_htaccess_t type, if you want to treat the file as a httpd bugzilla access file.
++
++
++.EX
+ .PP
+-SELinux policy for httpd can be setup to not allow access to the controlling terminal.  In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required.  Set the httpd_tty_comm boolean to allow terminal access.
++.B httpd_bugzilla_ra_content_t 
++.EE
++
++- Set files with the httpd_bugzilla_ra_content_t type, if you want to treat the files as httpd bugzilla read/append content.
++
+ 
+ .EX
+-setsebool -P httpd_tty_comm 1
++.PP
++.B httpd_bugzilla_rw_content_t 
+ .EE
+ 
++- Set files with the httpd_bugzilla_rw_content_t type, if you want to treat the files as httpd bugzilla read/write content.
++
++
++.EX
+ .PP
+-httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute.  Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.
++.B httpd_bugzilla_script_exec_t 
++.EE
++
++- Set files with the httpd_bugzilla_script_exec_t type, if you want to transition an executable to the httpd_bugzilla_script_t domain.
++
+ 
+ .EX
+-setsebool -P httpd_unified 0
++.PP
++.B httpd_bugzilla_tmp_t 
+ .EE
+ 
++- Set files with the httpd_bugzilla_tmp_t type, if you want to store httpd bugzilla temporary files in the /tmp directories.
++
++
++.EX
+ .PP
+-SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack.  I certain situations, you may want http modules to send mail.  You can turn on the httpd_send_mail boolean.
++.B httpd_cache_t 
++.EE
++
++- Set files with the httpd_cache_t type, if you want to store the files under the /var/cache directory.
++
++.br
++.TP 5
++Paths: 
++/var/cache/php-.*, /var/cache/mediawiki(/.*)?, /var/cache/lighttpd(/.*)?, /var/cache/php-mmcache(/.*)?, /var/cache/mod_gnutls(/.*)?, /var/cache/mod_ssl(/.*)?, /var/cache/jetty(/.*)?, /var/cache/mod_.*, /var/cache/ssl.*\.sem, /var/cache/httpd(/.*)?, /var/cache/rt3(/.*)?, /var/cache/php-eaccelerator(/.*)?, /var/cache/mason(/.*)?, /var/cache/mod_proxy(/.*)?
+ 
+ .EX
+-setsebool -P httpd_can_sendmail 1
+ .PP
+-httpd can be configured to turn off internal scripting (PHP).  PHP and other
+-loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
++.B httpd_cobbler_content_t 
++.EE
++
++- Set files with the httpd_cobbler_content_t type, if you want to treat the files as httpd cobbler content.
++
+ 
+ .EX
+-setsebool -P httpd_builtin_scripting 0
++.PP
++.B httpd_cobbler_htaccess_t 
+ .EE
+ 
++- Set files with the httpd_cobbler_htaccess_t type, if you want to treat the file as a httpd cobbler access file.
++
++
++.EX
+ .PP
+-SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
+-This would prevent a hacker from breaking into you httpd server and attacking 
+-other machines.  If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
++.B httpd_cobbler_ra_content_t 
++.EE
++
++- Set files with the httpd_cobbler_ra_content_t type, if you want to treat the files as httpd cobbler read/append content.
++
+ 
+ .EX
+-setsebool -P httpd_can_network_connect 1
++.PP
++.B httpd_cobbler_rw_content_t 
+ .EE
+ 
++- Set files with the httpd_cobbler_rw_content_t type, if you want to treat the files as httpd cobbler read/write content.
++
++
++.EX
+ .PP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
+-.SH AUTHOR	
+-This manual page was written by Dan Walsh <dwalsh at redhat.com>.
++.B httpd_cobbler_script_exec_t 
++.EE
+ 
+-.SH "SEE ALSO"
+-selinux(8), httpd(8), chcon(1), setsebool(8)
++- Set files with the httpd_cobbler_script_exec_t type, if you want to transition an executable to the httpd_cobbler_script_t domain.
+ 
+ 
++.EX
++.PP
++.B httpd_collectd_content_t 
++.EE
++
++- Set files with the httpd_collectd_content_t type, if you want to treat the files as httpd collectd content.
++
++
++.EX
++.PP
++.B httpd_collectd_htaccess_t 
++.EE
++
++- Set files with the httpd_collectd_htaccess_t type, if you want to treat the file as a httpd collectd access file.
++
++
++.EX
++.PP
++.B httpd_collectd_ra_content_t 
++.EE
++
++- Set files with the httpd_collectd_ra_content_t type, if you want to treat the files as httpd collectd read/append content.
++
++
++.EX
++.PP
++.B httpd_collectd_rw_content_t 
++.EE
++
++- Set files with the httpd_collectd_rw_content_t type, if you want to treat the files as httpd collectd read/write content.
++
++
++.EX
++.PP
++.B httpd_collectd_script_exec_t 
++.EE
++
++- Set files with the httpd_collectd_script_exec_t type, if you want to transition an executable to the httpd_collectd_script_t domain.
++
++
++.EX
++.PP
++.B httpd_config_t 
++.EE
++
++- Set files with the httpd_config_t type, if you want to treat the files as httpd configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/etc/vhosts, /etc/httpd(/.*)?, /etc/apache(2)?(/.*)?, /etc/apache-ssl(2)?(/.*)?, /etc/lighttpd(/.*)?, /var/lib/stickshift/.httpd.d(/.*)?, /etc/cherokee(/.*)?
++
++.EX
++.PP
++.B httpd_cvs_content_t 
++.EE
++
++- Set files with the httpd_cvs_content_t type, if you want to treat the files as httpd cvs content.
++
++
++.EX
++.PP
++.B httpd_cvs_htaccess_t 
++.EE
++
++- Set files with the httpd_cvs_htaccess_t type, if you want to treat the file as a httpd cvs access file.
++
++
++.EX
++.PP
++.B httpd_cvs_ra_content_t 
++.EE
++
++- Set files with the httpd_cvs_ra_content_t type, if you want to treat the files as httpd cvs read/append content.
++
++
++.EX
++.PP
++.B httpd_cvs_rw_content_t 
++.EE
++
++- Set files with the httpd_cvs_rw_content_t type, if you want to treat the files as httpd cvs read/write content.
++
++
++.EX
++.PP
++.B httpd_cvs_script_exec_t 
++.EE
++
++- Set files with the httpd_cvs_script_exec_t type, if you want to transition an executable to the httpd_cvs_script_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/share/cvsweb/cvsweb\.cgi, /var/www/cgi-bin/cvsweb\.cgi
++
++.EX
++.PP
++.B httpd_dirsrvadmin_content_t 
++.EE
++
++- Set files with the httpd_dirsrvadmin_content_t type, if you want to treat the files as httpd dirsrvadmin content.
++
++
++.EX
++.PP
++.B httpd_dirsrvadmin_htaccess_t 
++.EE
++
++- Set files with the httpd_dirsrvadmin_htaccess_t type, if you want to treat the file as a httpd dirsrvadmin access file.
++
++
++.EX
++.PP
++.B httpd_dirsrvadmin_ra_content_t 
++.EE
++
++- Set files with the httpd_dirsrvadmin_ra_content_t type, if you want to treat the files as httpd dirsrvadmin read/append content.
++
++
++.EX
++.PP
++.B httpd_dirsrvadmin_rw_content_t 
++.EE
++
++- Set files with the httpd_dirsrvadmin_rw_content_t type, if you want to treat the files as httpd dirsrvadmin read/write content.
++
++
++.EX
++.PP
++.B httpd_dirsrvadmin_script_exec_t 
++.EE
++
++- Set files with the httpd_dirsrvadmin_script_exec_t type, if you want to transition an executable to the httpd_dirsrvadmin_script_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/dirsrv/dsgw-cgi-bin(/.*)?, /usr/lib/dirsrv/cgi-bin(/.*)?
++
++.EX
++.PP
++.B httpd_dspam_content_t 
++.EE
++
++- Set files with the httpd_dspam_content_t type, if you want to treat the files as httpd dspam content.
++
++
++.EX
++.PP
++.B httpd_dspam_htaccess_t 
++.EE
++
++- Set files with the httpd_dspam_htaccess_t type, if you want to treat the file as a httpd dspam access file.
++
++
++.EX
++.PP
++.B httpd_dspam_ra_content_t 
++.EE
++
++- Set files with the httpd_dspam_ra_content_t type, if you want to treat the files as httpd dspam read/append content.
++
++
++.EX
++.PP
++.B httpd_dspam_rw_content_t 
++.EE
++
++- Set files with the httpd_dspam_rw_content_t type, if you want to treat the files as httpd dspam read/write content.
++
++
++.EX
++.PP
++.B httpd_dspam_script_exec_t 
++.EE
++
++- Set files with the httpd_dspam_script_exec_t type, if you want to transition an executable to the httpd_dspam_script_t domain.
++
++
++.EX
++.PP
++.B httpd_exec_t 
++.EE
++
++- Set files with the httpd_exec_t type, if you want to transition an executable to the httpd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/apache(2)?, /usr/bin/mongrel_rails, /usr/lib/apache-ssl/.+, /usr/sbin/httpd\.event, /usr/sbin/httpd(\.worker)?, /usr/sbin/cherokee, /usr/sbin/apache-ssl(2)?, /usr/sbin/lighttpd
++
++.EX
++.PP
++.B httpd_git_content_t 
++.EE
++
++- Set files with the httpd_git_content_t type, if you want to treat the files as httpd git content.
++
++
++.EX
++.PP
++.B httpd_git_htaccess_t 
++.EE
++
++- Set files with the httpd_git_htaccess_t type, if you want to treat the file as a httpd git access file.
++
++
++.EX
++.PP
++.B httpd_git_ra_content_t 
++.EE
++
++- Set files with the httpd_git_ra_content_t type, if you want to treat the files as httpd git read/append content.
++
++
++.EX
++.PP
++.B httpd_git_rw_content_t 
++.EE
++
++- Set files with the httpd_git_rw_content_t type, if you want to treat the files as httpd git read/write content.
++
++.br
++.TP 5
++Paths: 
++/var/cache/gitweb-caching(/.*)?, /var/cache/cgit(/.*)?
++
++.EX
++.PP
++.B httpd_git_script_exec_t 
++.EE
++
++- Set files with the httpd_git_script_exec_t type, if you want to transition an executable to the httpd_git_script_t domain.
++
++.br
++.TP 5
++Paths: 
++/var/www/gitweb-caching/gitweb\.cgi, /var/www/cgi-bin/cgit, /var/www/git/gitweb\.cgi
++
++.EX
++.PP
++.B httpd_helper_exec_t 
++.EE
++
++- Set files with the httpd_helper_exec_t type, if you want to transition an executable to the httpd_helper_t domain.
++
++
++.EX
++.PP
++.B httpd_initrc_exec_t 
++.EE
++
++- Set files with the httpd_initrc_exec_t type, if you want to transition an executable to the httpd_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/init\.d/cherokee, /etc/rc\.d/init\.d/httpd, /etc/rc\.d/init\.d/lighttpd
++
++.EX
++.PP
++.B httpd_keytab_t 
++.EE
++
++- Set files with the httpd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B httpd_libra_content_t 
++.EE
++
++- Set files with the httpd_libra_content_t type, if you want to treat the files as httpd libra content.
++
++
++.EX
++.PP
++.B httpd_libra_htaccess_t 
++.EE
++
++- Set files with the httpd_libra_htaccess_t type, if you want to treat the file as a httpd libra access file.
++
++
++.EX
++.PP
++.B httpd_libra_ra_content_t 
++.EE
++
++- Set files with the httpd_libra_ra_content_t type, if you want to treat the files as httpd libra read/append content.
++
++
++.EX
++.PP
++.B httpd_libra_rw_content_t 
++.EE
++
++- Set files with the httpd_libra_rw_content_t type, if you want to treat the files as httpd libra read/write content.
++
++
++.EX
++.PP
++.B httpd_libra_script_exec_t 
++.EE
++
++- Set files with the httpd_libra_script_exec_t type, if you want to transition an executable to the httpd_libra_script_t domain.
++
++
++.EX
++.PP
++.B httpd_lock_t 
++.EE
++
++- Set files with the httpd_lock_t type, if you want to treat the files as httpd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B httpd_log_t 
++.EE
++
++- Set files with the httpd_log_t type, if you want to treat the data as httpd log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/apache-ssl(2)?(/.*)?, /var/log/httpd(/.*)?, /var/log/apache(2)?(/.*)?, /var/log/cherokee(/.*)?, /var/log/roundcubemail(/.*)?, /var/log/cgiwrap\.log.*, /var/log/lighttpd(/.*)?, /var/log/suphp\.log, /var/log/cacti(/.*)?, /var/log/dirsrv/admin-serv(/.*)?, /etc/httpd/logs, /var/log/jetty(/.*)?
++
++.EX
++.PP
++.B httpd_mediawiki_content_t 
++.EE
++
++- Set files with the httpd_mediawiki_content_t type, if you want to treat the files as httpd mediawiki content.
++
++.br
++.TP 5
++Paths: 
++/var/www/wiki/.*\.php, /usr/share/mediawiki(/.*)?
++
++.EX
++.PP
++.B httpd_mediawiki_htaccess_t 
++.EE
++
++- Set files with the httpd_mediawiki_htaccess_t type, if you want to treat the file as a httpd mediawiki access file.
++
++
++.EX
++.PP
++.B httpd_mediawiki_ra_content_t 
++.EE
++
++- Set files with the httpd_mediawiki_ra_content_t type, if you want to treat the files as httpd mediawiki read/append content.
++
++
++.EX
++.PP
++.B httpd_mediawiki_rw_content_t 
++.EE
++
++- Set files with the httpd_mediawiki_rw_content_t type, if you want to treat the files as httpd mediawiki read/write content.
++
++
++.EX
++.PP
++.B httpd_mediawiki_script_exec_t 
++.EE
++
++- Set files with the httpd_mediawiki_script_exec_t type, if you want to transition an executable to the httpd_mediawiki_script_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tes
++
++.EX
++.PP
++.B httpd_modules_t 
++.EE
++
++- Set files with the httpd_modules_t type, if you want to treat the files as httpd modules.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/cherokee(/.*)?, /usr/lib/lighttpd(/.*)?, /usr/lib/apache(/.*)?, /etc/httpd/modules, /usr/lib/httpd(/.*)?, /usr/lib/apache2/modules(/.*)?
++
++.EX
++.PP
++.B httpd_mojomojo_content_t 
++.EE
++
++- Set files with the httpd_mojomojo_content_t type, if you want to treat the files as httpd mojomojo content.
++
++
++.EX
++.PP
++.B httpd_mojomojo_htaccess_t 
++.EE
++
++- Set files with the httpd_mojomojo_htaccess_t type, if you want to treat the file as a httpd mojomojo access file.
++
++
++.EX
++.PP
++.B httpd_mojomojo_ra_content_t 
++.EE
++
++- Set files with the httpd_mojomojo_ra_content_t type, if you want to treat the files as httpd mojomojo read/append content.
++
++
++.EX
++.PP
++.B httpd_mojomojo_rw_content_t 
++.EE
++
++- Set files with the httpd_mojomojo_rw_content_t type, if you want to treat the files as httpd mojomojo read/write content.
++
++
++.EX
++.PP
++.B httpd_mojomojo_script_exec_t 
++.EE
++
++- Set files with the httpd_mojomojo_script_exec_t type, if you want to transition an executable to the httpd_mojomojo_script_t domain.
++
++
++.EX
++.PP
++.B httpd_mojomojo_tmp_t 
++.EE
++
++- Set files with the httpd_mojomojo_tmp_t type, if you want to store httpd mojomojo temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B httpd_munin_content_t 
++.EE
++
++- Set files with the httpd_munin_content_t type, if you want to treat the files as httpd munin content.
++
++
++.EX
++.PP
++.B httpd_munin_htaccess_t 
++.EE
++
++- Set files with the httpd_munin_htaccess_t type, if you want to treat the file as a httpd munin access file.
++
++
++.EX
++.PP
++.B httpd_munin_ra_content_t 
++.EE
++
++- Set files with the httpd_munin_ra_content_t type, if you want to treat the files as httpd munin read/append content.
++
++
++.EX
++.PP
++.B httpd_munin_rw_content_t 
++.EE
++
++- Set files with the httpd_munin_rw_content_t type, if you want to treat the files as httpd munin read/write content.
++
++
++.EX
++.PP
++.B httpd_munin_script_exec_t 
++.EE
++
++- Set files with the httpd_munin_script_exec_t type, if you want to transition an executable to the httpd_munin_script_t domain.
++
++
++.EX
++.PP
++.B httpd_nagios_content_t 
++.EE
++
++- Set files with the httpd_nagios_content_t type, if you want to treat the files as httpd nagios content.
++
++
++.EX
++.PP
++.B httpd_nagios_htaccess_t 
++.EE
++
++- Set files with the httpd_nagios_htaccess_t type, if you want to treat the file as a httpd nagios access file.
++
++
++.EX
++.PP
++.B httpd_nagios_ra_content_t 
++.EE
++
++- Set files with the httpd_nagios_ra_content_t type, if you want to treat the files as httpd nagios read/append content.
++
++
++.EX
++.PP
++.B httpd_nagios_rw_content_t 
++.EE
++
++- Set files with the httpd_nagios_rw_content_t type, if you want to treat the files as httpd nagios read/write content.
++
++
++.EX
++.PP
++.B httpd_nagios_script_exec_t 
++.EE
++
++- Set files with the httpd_nagios_script_exec_t type, if you want to transition an executable to the httpd_nagios_script_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?, /usr/lib/cgi-bin/netsaint(/.*)?, /usr/lib/nagios/cgi(/.*)?
++
++.EX
++.PP
++.B httpd_nutups_cgi_content_t 
++.EE
++
++- Set files with the httpd_nutups_cgi_content_t type, if you want to treat the files as httpd nutups cgi content.
++
++
++.EX
++.PP
++.B httpd_nutups_cgi_htaccess_t 
++.EE
++
++- Set files with the httpd_nutups_cgi_htaccess_t type, if you want to treat the file as a httpd nutups cgi access file.
++
++
++.EX
++.PP
++.B httpd_nutups_cgi_ra_content_t 
++.EE
++
++- Set files with the httpd_nutups_cgi_ra_content_t type, if you want to treat the files as httpd nutups cgi read/append content.
++
++
++.EX
++.PP
++.B httpd_nutups_cgi_rw_content_t 
++.EE
++
++- Set files with the httpd_nutups_cgi_rw_content_t type, if you want to treat the files as httpd nutups cgi read/write content.
++
++
++.EX
++.PP
++.B httpd_nutups_cgi_script_exec_t 
++.EE
++
++- Set files with the httpd_nutups_cgi_script_exec_t type, if you want to transition an executable to the httpd_nutups_cgi_script_t domain.
++
++.br
++.TP 5
++Paths: 
++/var/www/nut-cgi-bin/upsstats\.cgi, /var/www/nut-cgi-bin/upsimage\.cgi, /var/www/nut-cgi-bin/upsset\.cgi
++
++.EX
++.PP
++.B httpd_passwd_exec_t 
++.EE
++
++- Set files with the httpd_passwd_exec_t type, if you want to transition an executable to the httpd_passwd_t domain.
++
++
++.EX
++.PP
++.B httpd_php_exec_t 
++.EE
++
++- Set files with the httpd_php_exec_t type, if you want to transition an executable to the httpd_php_t domain.
++
++
++.EX
++.PP
++.B httpd_php_tmp_t 
++.EE
++
++- Set files with the httpd_php_tmp_t type, if you want to store httpd php temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B httpd_prewikka_content_t 
++.EE
++
++- Set files with the httpd_prewikka_content_t type, if you want to treat the files as httpd prewikka content.
++
++
++.EX
++.PP
++.B httpd_prewikka_htaccess_t 
++.EE
++
++- Set files with the httpd_prewikka_htaccess_t type, if you want to treat the file as a httpd prewikka access file.
++
++
++.EX
++.PP
++.B httpd_prewikka_ra_content_t 
++.EE
++
++- Set files with the httpd_prewikka_ra_content_t type, if you want to treat the files as httpd prewikka read/append content.
++
++
++.EX
++.PP
++.B httpd_prewikka_rw_content_t 
++.EE
++
++- Set files with the httpd_prewikka_rw_content_t type, if you want to treat the files as httpd prewikka read/write content.
++
++
++.EX
++.PP
++.B httpd_prewikka_script_exec_t 
++.EE
++
++- Set files with the httpd_prewikka_script_exec_t type, if you want to transition an executable to the httpd_prewikka_script_t domain.
++
++
++.EX
++.PP
++.B httpd_rotatelogs_exec_t 
++.EE
++
++- Set files with the httpd_rotatelogs_exec_t type, if you want to transition an executable to the httpd_rotatelogs_t domain.
++
++
++.EX
++.PP
++.B httpd_smokeping_cgi_content_t 
++.EE
++
++- Set files with the httpd_smokeping_cgi_content_t type, if you want to treat the files as httpd smokeping cgi content.
++
++
++.EX
++.PP
++.B httpd_smokeping_cgi_htaccess_t 
++.EE
++
++- Set files with the httpd_smokeping_cgi_htaccess_t type, if you want to treat the file as a httpd smokeping cgi access file.
++
++
++.EX
++.PP
++.B httpd_smokeping_cgi_ra_content_t 
++.EE
++
++- Set files with the httpd_smokeping_cgi_ra_content_t type, if you want to treat the files as httpd smokeping cgi read/append content.
++
++
++.EX
++.PP
++.B httpd_smokeping_cgi_rw_content_t 
++.EE
++
++- Set files with the httpd_smokeping_cgi_rw_content_t type, if you want to treat the files as httpd smokeping cgi read/write content.
++
++
++.EX
++.PP
++.B httpd_smokeping_cgi_script_exec_t 
++.EE
++
++- Set files with the httpd_smokeping_cgi_script_exec_t type, if you want to transition an executable to the httpd_smokeping_cgi_script_t domain.
++
++
++.EX
++.PP
++.B httpd_squid_content_t 
++.EE
++
++- Set files with the httpd_squid_content_t type, if you want to treat the files as httpd squid content.
++
++
++.EX
++.PP
++.B httpd_squid_htaccess_t 
++.EE
++
++- Set files with the httpd_squid_htaccess_t type, if you want to treat the file as a httpd squid access file.
++
++
++.EX
++.PP
++.B httpd_squid_ra_content_t 
++.EE
++
++- Set files with the httpd_squid_ra_content_t type, if you want to treat the files as httpd squid read/append content.
++
++
++.EX
++.PP
++.B httpd_squid_rw_content_t 
++.EE
++
++- Set files with the httpd_squid_rw_content_t type, if you want to treat the files as httpd squid read/write content.
++
++
++.EX
++.PP
++.B httpd_squid_script_exec_t 
++.EE
++
++- Set files with the httpd_squid_script_exec_t type, if you want to transition an executable to the httpd_squid_script_t domain.
++
++
++.EX
++.PP
++.B httpd_squirrelmail_t 
++.EE
++
++- Set files with the httpd_squirrelmail_t type, if you want to treat the files as httpd squirrelmail data.
++
++
++.EX
++.PP
++.B httpd_suexec_exec_t 
++.EE
++
++- Set files with the httpd_suexec_exec_t type, if you want to transition an executable to the httpd_suexec_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/apache(2)?/suexec(2)?, /usr/sbin/suexec, /usr/lib/cgi-bin/(nph-)?cgiwrap(d)?
++
++.EX
++.PP
++.B httpd_suexec_tmp_t 
++.EE
++
++- Set files with the httpd_suexec_tmp_t type, if you want to store httpd suexec temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B httpd_sys_content_t 
++.EE
++
++- Set files with the httpd_sys_content_t type, if you want to treat the files as httpd sys content.
++
++.br
++.TP 5
++Paths: 
++/usr/share/icecast(/.*)?, /usr/share/htdig(/.*)?, /etc/htdig(/.*)?, /var/www/svn/conf(/.*)?, /usr/share/doc/ghc/html(/.*)?, /usr/share/mythtv/data(/.*)?, /var/lib/htdig(/.*)?, /srv/gallery2(/.*)?, /srv/([^/]*/)?www(/.*)?, /usr/share/ntop/html(/.*)?, /usr/share/mythweb(/.*)?, /var/lib/cacti/rra(/.*)?, /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-policy[^/]*/html(/.*)?, /usr/share/drupal.*, /var/lib/trac(/.*)?, /var/www(/.*)?, /var/www/icons(/.*)?
++
++.EX
++.PP
++.B httpd_sys_htaccess_t 
++.EE
++
++- Set files with the httpd_sys_htaccess_t type, if you want to treat the file as a httpd sys access file.
++
++
++.EX
++.PP
++.B httpd_sys_ra_content_t 
++.EE
++
++- Set files with the httpd_sys_ra_content_t type, if you want to treat the files as httpd sys read/append content.
++
++
++.EX
++.PP
++.B httpd_sys_rw_content_t 
++.EE
++
++- Set files with the httpd_sys_rw_content_t type, if you want to treat the files as httpd sys read/write content.
++
++.br
++.TP 5
++Paths: 
++/var/spool/viewvc(/.*)?, /etc/WebCalendar(/.*)?, /etc/mock/koji(/.*)?, /var/lib/svn(/.*)?, /var/spool/gosa(/.*)?, /etc/zabbix/web(/.*)?, /var/lib/pootle/po(/.*)?, /etc/drupal.*, /var/www/gallery/albums(/.*)?, /usr/share/wordpress/wp-content/uploads(/.*)?, /var/www/html/configuration\.php, /usr/share/wordpress/wp-content/upgrade(/.*)?, /var/lib/drupal.*, /usr/share/wordpress-mu/wp-content(/.*)?, /var/lib/dokuwiki(/.*)?, /var/www/moodledata(/.*)?, /var/www/svn(/.*)?, /var/www/html/wp-content(/.*)?
++
++.EX
++.PP
++.B httpd_sys_script_exec_t 
++.EE
++
++- Set files with the httpd_sys_script_exec_t type, if you want to transition an executable to the httpd_sys_script_t domain.
++
++.br
++.TP 5
++Paths: 
++/var/www/svn/hooks(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress/.*\.php, /usr/lib/cgi-bin(/.*)?, /var/www/perl(/.*)?, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/wordpress-mu/wp-config\.php, /var/www/html/[^/]*/cgi-bin(/.*)?, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?
++
++.EX
++.PP
++.B httpd_tmp_t 
++.EE
++
++- Set files with the httpd_tmp_t type, if you want to store httpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B httpd_tmpfs_t 
++.EE
++
++- Set files with the httpd_tmpfs_t type, if you want to store httpd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B httpd_unit_file_t 
++.EE
++
++- Set files with the httpd_unit_file_t type, if you want to treat the files as httpd unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/httpd.?\.service, /lib/systemd/system/jetty.*\.service, /lib/systemd/system/httpd.*\.service
++
++.EX
++.PP
++.B httpd_user_content_t 
++.EE
++
++- Set files with the httpd_user_content_t type, if you want to treat the files as httpd user content.
++
++
++.EX
++.PP
++.B httpd_user_htaccess_t 
++.EE
++
++- Set files with the httpd_user_htaccess_t type, if you want to treat the file as a httpd user access file.
++
++
++.EX
++.PP
++.B httpd_user_ra_content_t 
++.EE
++
++- Set files with the httpd_user_ra_content_t type, if you want to treat the files as httpd user read/append content.
++
++
++.EX
++.PP
++.B httpd_user_rw_content_t 
++.EE
++
++- Set files with the httpd_user_rw_content_t type, if you want to treat the files as httpd user read/write content.
++
++
++.EX
++.PP
++.B httpd_user_script_exec_t 
++.EE
++
++- Set files with the httpd_user_script_exec_t type, if you want to transition an executable to the httpd_user_script_t domain.
++
++
++.EX
++.PP
++.B httpd_var_lib_t 
++.EE
++
++- Set files with the httpd_var_lib_t type, if you want to store the httpd files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/rt3/data/RT-Shredder(/.*)?, /var/lib/jetty(/.*)?, /var/lib/httpd(/.*)?, /var/lib/cherokee(/.*)?, /var/lib/dav(/.*)?
++
++.EX
++.PP
++.B httpd_var_run_t 
++.EE
++
++- Set files with the httpd_var_run_t type, if you want to store the httpd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/mod_.*, /var/run/wsgi.*, /var/run/apache.*, /var/run/jetty(/.*)?, /var/run/gcache_port, /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?, /var/run/httpd.*, /var/run/dirsrv/admin-serv.*, /var/lib/php/session(/.*)?, /var/run/lighttpd(/.*)?
++
++.EX
++.PP
++.B httpd_w3c_validator_content_t 
++.EE
++
++- Set files with the httpd_w3c_validator_content_t type, if you want to treat the files as httpd w3c validator content.
++
++
++.EX
++.PP
++.B httpd_w3c_validator_htaccess_t 
++.EE
++
++- Set files with the httpd_w3c_validator_htaccess_t type, if you want to treat the file as a httpd w3c validator access file.
++
++
++.EX
++.PP
++.B httpd_w3c_validator_ra_content_t 
++.EE
++
++- Set files with the httpd_w3c_validator_ra_content_t type, if you want to treat the files as httpd w3c validator read/append content.
++
++
++.EX
++.PP
++.B httpd_w3c_validator_rw_content_t 
++.EE
++
++- Set files with the httpd_w3c_validator_rw_content_t type, if you want to treat the files as httpd w3c validator read/write content.
++
++
++.EX
++.PP
++.B httpd_w3c_validator_script_exec_t 
++.EE
++
++- Set files with the httpd_w3c_validator_script_exec_t type, if you want to transition an executable to the httpd_w3c_validator_script_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check
++
++.EX
++.PP
++.B httpd_w3c_validator_tmp_t 
++.EE
++
++- Set files with the httpd_w3c_validator_tmp_t type, if you want to store httpd w3c validator temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B httpd_zoneminder_content_t 
++.EE
++
++- Set files with the httpd_zoneminder_content_t type, if you want to treat the files as httpd zoneminder content.
++
++
++.EX
++.PP
++.B httpd_zoneminder_htaccess_t 
++.EE
++
++- Set files with the httpd_zoneminder_htaccess_t type, if you want to treat the file as a httpd zoneminder access file.
++
++
++.EX
++.PP
++.B httpd_zoneminder_ra_content_t 
++.EE
++
++- Set files with the httpd_zoneminder_ra_content_t type, if you want to treat the files as httpd zoneminder read/append content.
++
++
++.EX
++.PP
++.B httpd_zoneminder_rw_content_t 
++.EE
++
++- Set files with the httpd_zoneminder_rw_content_t type, if you want to treat the files as httpd zoneminder read/write content.
++
++
++.EX
++.PP
++.B httpd_zoneminder_script_exec_t 
++.EE
++
++- Set files with the httpd_zoneminder_script_exec_t type, if you want to transition an executable to the httpd_zoneminder_script_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible.
++.PP 
++The following port types are defined for httpd:
++
++.EX
++.TP 5
++.B http_cache_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B http_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd:
++
++.EX
++.B httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_mojomojo_script_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_libra_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_zoneminder_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_t, httpd_passwd_t, httpd_helper_t, httpd_squid_script_t, httpd_cobbler_script_t, httpd_mediawiki_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/hwclock_selinux.8 b/man/man8/hwclock_selinux.8
+new file mode 100644
+index 0000000..1928dc4
+--- /dev/null
++++ b/man/man8/hwclock_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "hwclock_selinux"  "8"  "hwclock" "dwalsh at redhat.com" "hwclock SELinux Policy documentation"
++.SH "NAME"
++hwclock_selinux \- Security Enhanced Linux Policy for the hwclock processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux hwclock policy is very flexible allowing users to setup their hwclock processes in as secure a method as possible.
++.PP 
++The following file types are defined for hwclock:
++
++
++.EX
++.PP
++.B hwclock_exec_t 
++.EE
++
++- Set files with the hwclock_exec_t type, if you want to transition an executable to the hwclock_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/hwclock, /sbin/hwclock
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux hwclock policy is very flexible allowing users to setup their hwclock processes in as secure a method as possible.
++.PP 
++The following process types are defined for hwclock:
++
++.EX
++.B hwclock_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), hwclock(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/iceauth_selinux.8 b/man/man8/iceauth_selinux.8
+new file mode 100644
+index 0000000..53e495f
+--- /dev/null
++++ b/man/man8/iceauth_selinux.8
+@@ -0,0 +1,87 @@
++.TH  "iceauth_selinux"  "8"  "iceauth" "dwalsh at redhat.com" "iceauth SELinux Policy documentation"
++.SH "NAME"
++iceauth_selinux \- Security Enhanced Linux Policy for the iceauth processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux iceauth policy is very flexible allowing users to setup their iceauth processes in as secure a method as possible.
++.PP 
++The following file types are defined for iceauth:
++
++
++.EX
++.PP
++.B iceauth_exec_t 
++.EE
++
++- Set files with the iceauth_exec_t type, if you want to transition an executable to the iceauth_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/iceauth, /usr/X11R6/bin/iceauth
++
++.EX
++.PP
++.B iceauth_home_t 
++.EE
++
++- Set files with the iceauth_home_t type, if you want to store iceauth files in the users home directory.
++
++.br
++.TP 5
++Paths: 
++/root/\.DCOP.*, /root/\.ICEauthority.*
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux iceauth policy is very flexible allowing users to setup their iceauth processes in as secure a method as possible.
++.PP 
++The following process types are defined for iceauth:
++
++.EX
++.B iceauth_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), iceauth(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/icecast_selinux.8 b/man/man8/icecast_selinux.8
+new file mode 100644
+index 0000000..ca10859
+--- /dev/null
++++ b/man/man8/icecast_selinux.8
+@@ -0,0 +1,116 @@
++.TH  "icecast_selinux"  "8"  "icecast" "dwalsh at redhat.com" "icecast SELinux Policy documentation"
++.SH "NAME"
++icecast_selinux \- Security Enhanced Linux Policy for the icecast processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B icecast
++( ShoutCast compatible streaming media server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  icecast policy is extremely flexible and has several booleans that allow you to manipulate the policy and run icecast with the tightest access possible.
++
++
++.PP
++If you want to allow icecast to connect to all ports, not just sound ports, you must turn on the icecast_connect_any boolean.
++
++.EX
++.B setsebool -P icecast_connect_any 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux icecast policy is very flexible allowing users to setup their icecast processes in as secure a method as possible.
++.PP 
++The following file types are defined for icecast:
++
++
++.EX
++.PP
++.B icecast_exec_t 
++.EE
++
++- Set files with the icecast_exec_t type, if you want to transition an executable to the icecast_t domain.
++
++
++.EX
++.PP
++.B icecast_initrc_exec_t 
++.EE
++
++- Set files with the icecast_initrc_exec_t type, if you want to transition an executable to the icecast_initrc_t domain.
++
++
++.EX
++.PP
++.B icecast_log_t 
++.EE
++
++- Set files with the icecast_log_t type, if you want to treat the data as icecast log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B icecast_var_run_t 
++.EE
++
++- Set files with the icecast_var_run_t type, if you want to store the icecast files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux icecast policy is very flexible allowing users to setup their icecast processes in as secure a method as possible.
++.PP 
++The following process types are defined for icecast:
++
++.EX
++.B icecast_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), icecast(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
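Review bot: The escape that should close the bold command name in `\fBls\bP` (FILE CONTEXTS) and `\fBps\bP` (PROCESS TYPES) is `\bP` rather than `\fP`; `\b` is not a font escape, so bold is presumably never reset and the rest of the line may render incorrectly. The lines should read `You can see the context of a file using the \fB\-Z\fP option to \fBls\fP` and, in PROCESS TYPES, the same with `\fBps\fP`. The same two lines appear in the ifconfig, inetd, init, initrc, innd, insmod and ipsec pages added alongside this one. Since each page says it was autogenerated by genman.py, the fix presumably belongs in the generator's template rather than in the individual files.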
+diff --git a/man/man8/ifconfig_selinux.8 b/man/man8/ifconfig_selinux.8
+new file mode 100644
+index 0000000..b2444a2
+--- /dev/null
++++ b/man/man8/ifconfig_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "ifconfig_selinux"  "8"  "ifconfig" "dwalsh at redhat.com" "ifconfig SELinux Policy documentation"
++.SH "NAME"
++ifconfig_selinux \- Security Enhanced Linux Policy for the ifconfig processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ifconfig policy is very flexible allowing users to setup their ifconfig processes in as secure a method as possible.
++.PP 
++The following file types are defined for ifconfig:
++
++
++.EX
++.PP
++.B ifconfig_exec_t 
++.EE
++
++- Set files with the ifconfig_exec_t type, if you want to transition an executable to the ifconfig_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/ipx_internal_net, /sbin/ipx_configure, /sbin/tc, /usr/sbin/ipx_configure, /usr/sbin/iwconfig, /usr/sbin/ipx_interface, /usr/sbin/mii-tool, /usr/sbin/ethtool, /sbin/ipx_internal_net, /usr/sbin/ifconfig, /bin/ip, /usr/bin/ip, /usr/sbin/tc, /sbin/iwconfig, /sbin/ifconfig, /sbin/mii-tool, /sbin/ethtool, /usr/sbin/ip, /sbin/ipx_interface, /sbin/ip
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ifconfig policy is very flexible allowing users to setup their ifconfig processes in as secure a method as possible.
++.PP 
++The following process types are defined for ifconfig:
++
++.EX
++.B ifconfig_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ifconfig(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/inetd_selinux.8 b/man/man8/inetd_selinux.8
+new file mode 100644
+index 0000000..122a8f9
+--- /dev/null
++++ b/man/man8/inetd_selinux.8
+@@ -0,0 +1,159 @@
++.TH  "inetd_selinux"  "8"  "inetd" "dwalsh at redhat.com" "inetd SELinux Policy documentation"
++.SH "NAME"
++inetd_selinux \- Security Enhanced Linux Policy for the inetd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B inetd
++(Internet services daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux inetd policy is very flexible allowing users to setup their inetd processes in as secure a method as possible.
++.PP 
++The following file types are defined for inetd:
++
++
++.EX
++.PP
++.B inetd_child_exec_t 
++.EE
++
++- Set files with the inetd_child_exec_t type, if you want to transition an executable to the inetd_child_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/identd, /usr/local/lib/pysieved/pysieved.*\.py, /usr/sbin/in\..*d
++
++.EX
++.PP
++.B inetd_child_tmp_t 
++.EE
++
++- Set files with the inetd_child_tmp_t type, if you want to store inetd child temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B inetd_child_var_run_t 
++.EE
++
++- Set files with the inetd_child_var_run_t type, if you want to store the inetd child files under the /run directory.
++
++
++.EX
++.PP
++.B inetd_exec_t 
++.EE
++
++- Set files with the inetd_exec_t type, if you want to transition an executable to the inetd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/inetd, /usr/sbin/xinetd, /usr/sbin/rlinetd
++
++.EX
++.PP
++.B inetd_log_t 
++.EE
++
++- Set files with the inetd_log_t type, if you want to treat the data as inetd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B inetd_tmp_t 
++.EE
++
++- Set files with the inetd_tmp_t type, if you want to store inetd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B inetd_var_run_t 
++.EE
++
++- Set files with the inetd_var_run_t type, if you want to store the inetd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux inetd policy is very flexible allowing users to setup their inetd processes in as secure a method as possible.
++.PP 
++The following port types are defined for inetd:
++
++.EX
++.TP 5
++.B inetd_child_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux inetd policy is very flexible allowing users to setup their inetd processes in as secure a method as possible.
++.PP 
++The following process types are defined for inetd:
++
++.EX
++.B inetd_t, inetd_child_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), inetd(8), semanage(8), restorecon(8), chcon(1)
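Review bot: The PORT TYPES section prints `Default Defined Ports: tcp 8021` for `inetd_child_port_t`, and the identical value is printed for `innd_port_t` in innd_selinux.8 and for `ipsecnat_port_t` in ipsec_selinux.8. Three unrelated port types sharing one value suggests the generator emits a fixed or stale entry instead of each type's own ports. An administrator who labels ports or writes filtering rules from these pages may be working from wrong data. Until the generator is corrected, the line should defer to the live policy, e.g. `Default Defined Ports: see the output of "semanage port -l" for inetd_child_port_t`. The markup of the block is also unbalanced: a single `.EX` is followed by two `.EE`, and `.TP 10` has no tag or body before the first `.EE`.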
+diff --git a/man/man8/init_selinux.8 b/man/man8/init_selinux.8
+new file mode 100644
+index 0000000..ce0a398
+--- /dev/null
++++ b/man/man8/init_selinux.8
+@@ -0,0 +1,167 @@
++.TH  "init_selinux"  "8"  "init" "dwalsh at redhat.com" "init SELinux Policy documentation"
++.SH "NAME"
++init_selinux \- Security Enhanced Linux Policy for the init processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B init
++(System initialization programs (init and init scripts))
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  init policy is extremely flexible and has several booleans that allow you to manipulate the policy and run init with the tightest access possible.
++
++
++.PP
++If you want to enable support for upstart as the init program, you must turn on the init_upstart boolean.
++
++.EX
++.B setsebool -P init_upstart 1
++.EE
++
++.PP
++If you want to enable support for systemd as the init program, you must turn on the init_systemd boolean.
++
++.EX
++.B setsebool -P init_systemd 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux init policy is very flexible allowing users to setup their init processes in as secure a method as possible.
++.PP 
++The following file types are defined for init:
++
++
++.EX
++.PP
++.B init_exec_t 
++.EE
++
++- Set files with the init_exec_t type, if you want to transition an executable to the init_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/init(ng)?, /lib/systemd/[^/]*, /sbin/init(ng)?, /bin/systemd, /usr/lib/systemd/system-generators/[^/]*, /usr/bin/systemd, /lib/systemd/system-generators/[^/]*, /sbin/upstart, /usr/sbin/upstart, /usr/lib/systemd/[^/]*
++
++.EX
++.PP
++.B init_var_run_t 
++.EE
++
++- Set files with the init_var_run_t type, if you want to store the init files under the /run directory.
++
++
++.EX
++.PP
++.B initctl_t 
++.EE
++
++- Set files with the initctl_t type, if you want to treat the files as initctl data.
++
++
++.EX
++.PP
++.B initrc_devpts_t 
++.EE
++
++- Set files with the initrc_devpts_t type, if you want to treat the files as initrc devpts data.
++
++
++.EX
++.PP
++.B initrc_exec_t 
++.EE
++
++- Set files with the initrc_exec_t type, if you want to transition an executable to the initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /usr/libexec/dcc/start-.*, /usr/sbin/apachectl, /usr/sbin/restart-dirsrv, /etc/init\.d/.*, /usr/bin/sepg_ctl
++
++.EX
++.PP
++.B initrc_state_t 
++.EE
++
++- Set files with the initrc_state_t type, if you want to treat the files as initrc state data.
++
++
++.EX
++.PP
++.B initrc_tmp_t 
++.EE
++
++- Set files with the initrc_tmp_t type, if you want to store initrc temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B initrc_var_run_t 
++.EE
++
++- Set files with the initrc_var_run_t type, if you want to store the initrc files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/setmixer_flag, /var/run/runlevel\.dir, /var/run/random-seed, /var/run/utmp
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux init policy is very flexible allowing users to setup their init processes in as secure a method as possible.
++.PP 
++The following process types are defined for init:
++
++.EX
++.B initrc_t, init_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), init(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/initrc_selinux.8 b/man/man8/initrc_selinux.8
+new file mode 100644
+index 0000000..2fa2434
+--- /dev/null
++++ b/man/man8/initrc_selinux.8
+@@ -0,0 +1,111 @@
++.TH  "initrc_selinux"  "8"  "initrc" "dwalsh at redhat.com" "initrc SELinux Policy documentation"
++.SH "NAME"
++initrc_selinux \- Security Enhanced Linux Policy for the initrc processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux initrc policy is very flexible allowing users to setup their initrc processes in as secure a method as possible.
++.PP 
++The following file types are defined for initrc:
++
++
++.EX
++.PP
++.B initrc_devpts_t 
++.EE
++
++- Set files with the initrc_devpts_t type, if you want to treat the files as initrc devpts data.
++
++
++.EX
++.PP
++.B initrc_exec_t 
++.EE
++
++- Set files with the initrc_exec_t type, if you want to transition an executable to the initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /usr/libexec/dcc/start-.*, /usr/sbin/apachectl, /usr/sbin/restart-dirsrv, /etc/init\.d/.*, /usr/bin/sepg_ctl
++
++.EX
++.PP
++.B initrc_state_t 
++.EE
++
++- Set files with the initrc_state_t type, if you want to treat the files as initrc state data.
++
++
++.EX
++.PP
++.B initrc_tmp_t 
++.EE
++
++- Set files with the initrc_tmp_t type, if you want to store initrc temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B initrc_var_run_t 
++.EE
++
++- Set files with the initrc_var_run_t type, if you want to store the initrc files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/setmixer_flag, /var/run/runlevel\.dir, /var/run/random-seed, /var/run/utmp
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux initrc policy is very flexible allowing users to setup their initrc processes in as secure a method as possible.
++.PP 
++The following process types are defined for initrc:
++
++.EX
++.B initrc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/innd_selinux.8 b/man/man8/innd_selinux.8
+new file mode 100644
+index 0000000..541f9e9
+--- /dev/null
++++ b/man/man8/innd_selinux.8
+@@ -0,0 +1,145 @@
++.TH  "innd_selinux"  "8"  "innd" "dwalsh at redhat.com" "innd SELinux Policy documentation"
++.SH "NAME"
++innd_selinux \- Security Enhanced Linux Policy for the innd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible.
++.PP 
++The following file types are defined for innd:
++
++
++.EX
++.PP
++.B innd_etc_t 
++.EE
++
++- Set files with the innd_etc_t type, if you want to store innd files in the /etc directories.
++
++
++.EX
++.PP
++.B innd_exec_t 
++.EE
++
++- Set files with the innd_exec_t type, if you want to transition an executable to the innd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/suck, /usr/lib/news/bin/convdate, /usr/lib/news/bin/filechan, /usr/lib/news/bin/nntpget, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/shlock, /usr/lib/news/bin/archive, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/innd, /usr/lib/news/bin/actsync, /usr/lib/news/bin/innxbatch, /usr/bin/inews, /usr/lib/news/bin/batcher, /usr/sbin/innd.*, /usr/lib/news/bin/expire, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/ctlinnd, /usr/bin/rpost, /usr/lib/news/bin/buffchan, /etc/news/boot, /usr/lib/news/bin/ovdb_recover, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/makedbz, /usr/bin/rnews, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/getlist, /usr/lib/news/bin/sm, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/rnews, /usr/lib/news/bin/overchan, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/prunehistory, /usr/lib/news/bin/inews, /usr/lib/ne
 ws/bin/shrinkfile, /usr/lib/news/bin/expireover, /usr/lib/news/bin/inndf
++
++.EX
++.PP
++.B innd_initrc_exec_t 
++.EE
++
++- Set files with the innd_initrc_exec_t type, if you want to transition an executable to the innd_initrc_t domain.
++
++
++.EX
++.PP
++.B innd_log_t 
++.EE
++
++- Set files with the innd_log_t type, if you want to treat the data as innd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B innd_var_lib_t 
++.EE
++
++- Set files with the innd_var_lib_t type, if you want to store the innd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B innd_var_run_t 
++.EE
++
++- Set files with the innd_var_run_t type, if you want to store the innd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/innd(/.*)?, /var/run/news(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible.
++.PP 
++The following port types are defined for innd:
++
++.EX
++.TP 5
++.B innd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible.
++.PP 
++The following process types are defined for innd:
++
++.EX
++.B innd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), innd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/insmod_selinux.8 b/man/man8/insmod_selinux.8
+new file mode 100644
+index 0000000..0e25a12
+--- /dev/null
++++ b/man/man8/insmod_selinux.8
+@@ -0,0 +1,105 @@
++.TH  "insmod_selinux"  "8"  "insmod" "dwalsh at redhat.com" "insmod SELinux Policy documentation"
++.SH "NAME"
++insmod_selinux \- Security Enhanced Linux Policy for the insmod processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  insmod policy is extremely flexible and has several booleans that allow you to manipulate the policy and run insmod with the tightest access possible.
++
++
++.PP
++If you want to disallow programs and users from transitioning to insmod domain, you must turn on the secure_mode_insmod boolean.
++
++.EX
++.B setsebool -P secure_mode_insmod 1
++.EE
++
++.PP
++If you want to allow pppd to load kernel modules for certain modem, you must turn on the pppd_can_insmod boolean.
++
++.EX
++.B setsebool -P pppd_can_insmod 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux insmod policy is very flexible allowing users to setup their insmod processes in as secure a method as possible.
++.PP 
++The following file types are defined for insmod:
++
++
++.EX
++.PP
++.B insmod_exec_t 
++.EE
++
++- Set files with the insmod_exec_t type, if you want to transition an executable to the insmod_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/modprobe.*, /sbin/rmmod.*, /sbin/insmod.*, /usr/sbin/modprobe.*, /usr/bin/kmod, /usr/sbin/insmod.*, /usr/sbin/rmmod.*
++
++.EX
++.PP
++.B insmod_tmpfs_t 
++.EE
++
++- Set files with the insmod_tmpfs_t type, if you want to store insmod files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux insmod policy is very flexible allowing users to setup their insmod processes in as secure a method as possible.
++.PP 
++The following process types are defined for insmod:
++
++.EX
++.B insmod_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), insmod(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/ipsec_selinux.8 b/man/man8/ipsec_selinux.8
+new file mode 100644
+index 0000000..3273369
+--- /dev/null
++++ b/man/man8/ipsec_selinux.8
+@@ -0,0 +1,199 @@
++.TH  "ipsec_selinux"  "8"  "ipsec" "dwalsh at redhat.com" "ipsec SELinux Policy documentation"
++.SH "NAME"
++ipsec_selinux \- Security Enhanced Linux Policy for the ipsec processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B ipsec
++(TCP/IP encryption)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ipsec policy is very flexible allowing users to setup their ipsec processes in as secure a method as possible.
++.PP 
++The following file types are defined for ipsec:
++
++
++.EX
++.PP
++.B ipsec_conf_file_t 
++.EE
++
++- Set files with the ipsec_conf_file_t type, if you want to treat the files as ipsec conf content.
++
++.br
++.TP 5
++Paths: 
++/etc/ipsec\.conf, /etc/racoon(/.*)?
++
++.EX
++.PP
++.B ipsec_exec_t 
++.EE
++
++- Set files with the ipsec_exec_t type, if you want to transition an executable to the ipsec_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/local/lib/ipsec/eroute, /usr/lib/ipsec/pluto, /usr/local/lib/ipsec/pluto, /usr/lib/ipsec/klipsdebug, /usr/libexec/ipsec/eroute, /usr/libexec/ipsec/pluto, /usr/lib/ipsec/spi, /usr/lib/ipsec/eroute, /usr/local/lib/ipsec/klipsdebug, /usr/local/lib/ipsec/spi, /usr/libexec/ipsec/spi, /usr/libexec/ipsec/klipsdebug
++
++.EX
++.PP
++.B ipsec_initrc_exec_t 
++.EE
++
++- Set files with the ipsec_initrc_exec_t type, if you want to transition an executable to the ipsec_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/racoon, /etc/rc\.d/init\.d/ipsec
++
++.EX
++.PP
++.B ipsec_key_file_t 
++.EE
++
++- Set files with the ipsec_key_file_t type, if you want to treat the files as ipsec key content.
++
++.br
++.TP 5
++Paths: 
++/etc/ipsec\.secrets, /etc/racoon/psk\.txt, /etc/racoon/certs(/.*)?, /etc/ipsec\.d(/.*)?
++
++.EX
++.PP
++.B ipsec_log_t 
++.EE
++
++- Set files with the ipsec_log_t type, if you want to treat the data as ipsec log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ipsec_mgmt_exec_t 
++.EE
++
++- Set files with the ipsec_mgmt_exec_t type, if you want to transition an executable to the ipsec_mgmt_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service, /usr/lib/ipsec/_plutoload, /usr/sbin/ipsec, /usr/libexec/ipsec/_plutorun
++
++.EX
++.PP
++.B ipsec_mgmt_lock_t 
++.EE
++
++- Set files with the ipsec_mgmt_lock_t type, if you want to treat the files as ipsec mgmt lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B ipsec_mgmt_var_run_t 
++.EE
++
++- Set files with the ipsec_mgmt_var_run_t type, if you want to store the ipsec mgmt files under the /run directory.
++
++
++.EX
++.PP
++.B ipsec_tmp_t 
++.EE
++
++- Set files with the ipsec_tmp_t type, if you want to store ipsec temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ipsec_var_run_t 
++.EE
++
++- Set files with the ipsec_var_run_t type, if you want to store the ipsec files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/racoon\.pid, /var/run/pluto(/.*)?, /var/racoon(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux ipsec policy is very flexible allowing users to setup their ipsec processes in as secure a method as possible.
++.PP 
++The following port types are defined for ipsec:
++
++.EX
++.TP 5
++.B ipsecnat_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ipsec policy is very flexible allowing users to setup their ipsec processes in as secure a method as possible.
++.PP 
++The following process types are defined for ipsec:
++
++.EX
++.B ipsec_t, ipsec_mgmt_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ipsec(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/iptables_selinux.8 b/man/man8/iptables_selinux.8
+new file mode 100644
+index 0000000..8e6b3de
+--- /dev/null
++++ b/man/man8/iptables_selinux.8
+@@ -0,0 +1,136 @@
++.TH  "iptables_selinux"  "8"  "iptables" "dwalsh at redhat.com" "iptables SELinux Policy documentation"
++.SH "NAME"
++iptables_selinux \- Security Enhanced Linux Policy for the iptables processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B iptables
++(Policy for iptables)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  iptables policy is extremely flexible and has several booleans that allow you to manipulate the policy and run iptables with the tightest access possible.
++
++
++.PP
++If you want to allow dhcpc client applications to execute iptables command, you must turn on the dhcpc_exec_iptables boolean.
++
++.EX
++.B setsebool -P dhcpc_exec_iptables 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux iptables policy is very flexible allowing users to setup their iptables processes in as secure a method as possible.
++.PP 
++The following file types are defined for iptables:
++
++
++.EX
++.PP
++.B iptables_exec_t 
++.EE
++
++- Set files with the iptables_exec_t type, if you want to transition an executable to the iptables_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/ebtables-restore, /usr/sbin/ipvsadm-restore, /usr/sbin/ipchains.*, /usr/sbin/ip6?tables, /sbin/ebtables, /usr/sbin/ip6?tables-restore, /usr/sbin/xtables-multi, /sbin/ipchains.*, /sbin/ip6?tables, /usr/sbin/ebtables-restore, /usr/sbin/ebtables, /sbin/ipvsadm, /usr/sbin/ipvsadm-save, /sbin/xtables-multi, /sbin/ipvsadm-restore, /usr/sbin/ip6?tables-multi, /sbin/ip6?tables-multi, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /sbin/ip6?tables-restore
++
++.EX
++.PP
++.B iptables_initrc_exec_t 
++.EE
++
++- Set files with the iptables_initrc_exec_t type, if you want to transition an executable to the iptables_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/ebtables, /etc/rc\.d/init\.d/ip6?tables
++
++.EX
++.PP
++.B iptables_tmp_t 
++.EE
++
++- Set files with the iptables_tmp_t type, if you want to store iptables temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B iptables_unit_file_t 
++.EE
++
++- Set files with the iptables_unit_file_t type, if you want to treat the files as iptables unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/vsftpd.*, /usr/lib/systemd/system/proftpd.*, /usr/lib/systemd/system/iptables6?.service, /lib/systemd/system/ip6tables.service, /lib/systemd/system/slapd.*, /usr/lib/systemd/system/vsftpd.*, /lib/systemd/system/ppp.*, /usr/lib/systemd/system/kdump.service, /usr/lib/systemd/system/slapd.*, /usr/lib/systemd/system/ppp.*, /lib/systemd/system/kdump.service, /lib/systemd/system/proftpd.*, /lib/systemd/system/iptables.service
++
++.EX
++.PP
++.B iptables_var_run_t 
++.EE
++
++- Set files with the iptables_var_run_t type, if you want to store the iptables files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux iptables policy is very flexible allowing users to setup their iptables processes in as secure a method as possible.
++.PP 
++The following process types are defined for iptables:
++
++.EX
++.B iptables_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), iptables(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
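Review bot: The `Paths:` list under `iptables_unit_file_t` names unit files for unrelated services (`vsftpd.*`, `proftpd.*`, `slapd.*`, `ppp.*`, `kdump.service`) alongside the iptables and ip6tables ones. If that reflects the file-context entries in the policy, any domain permitted to manage iptables unit files could also manage those services' units, which is broader than the type name suggests. If it is only a genman.py matching artefact, the page misdocuments the labeling. Either way the list should be checked against the policy's file-context definitions, and trimmed to the `iptables.service` / `ip6tables.service` patterns if the others turn out to be mislabeled.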
+diff --git a/man/man8/irc_selinux.8 b/man/man8/irc_selinux.8
+new file mode 100644
+index 0000000..6bd8081
+--- /dev/null
++++ b/man/man8/irc_selinux.8
+@@ -0,0 +1,123 @@
++.TH  "irc_selinux"  "8"  "irc" "dwalsh at redhat.com" "irc SELinux Policy documentation"
++.SH "NAME"
++irc_selinux \- Security Enhanced Linux Policy for the irc processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B irc
++(IRC client policy)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux irc policy is very flexible allowing users to setup their irc processes in as secure a method as possible.
++.PP 
++The following file types are defined for irc:
++
++
++.EX
++.PP
++.B irc_exec_t 
++.EE
++
++- Set files with the irc_exec_t type, if you want to transition an executable to the irc_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/ircII, /usr/bin/tinyirc, /usr/bin/[st]irc
++
++.EX
++.PP
++.B irc_home_t 
++.EE
++
++- Set files with the irc_home_t type, if you want to store irc files in the users home directory.
++
++
++.EX
++.PP
++.B irc_tmp_t 
++.EE
++
++- Set files with the irc_tmp_t type, if you want to store irc temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux irc policy is very flexible allowing users to setup their irc processes in as secure a method as possible.
++.PP 
++The following port types are defined for irc:
++
++.EX
++.TP 5
++.B ircd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux irc policy is very flexible allowing users to setup their irc processes in as secure a method as possible.
++.PP 
++The following process types are defined for irc:
++
++.EX
++.B irc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), irc(8), semanage(8), restorecon(8), chcon(1)
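Review bot: `Default Defined Ports:` for `ircd_port_t` is given as `tcp 8021`, and the same value appears for `ipsecnat_port_t`, `iscsi_port_t` and all three `jabber_*_port_t` types in the neighbouring pages, so it looks like a value the generator carried over rather than each type's real definition. An administrator who trusts the page when deciding what a confined daemon may bind or connect to would be misled. genman.py should emit the ports the policy actually assigns to each type (what `semanage port -l` reports), or leave the block out. The same block also has a `.TP 10` with no tag or body and a second `.EE` with no matching `.EX`.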
+diff --git a/man/man8/irqbalance_selinux.8 b/man/man8/irqbalance_selinux.8
+new file mode 100644
+index 0000000..daf7657
+--- /dev/null
++++ b/man/man8/irqbalance_selinux.8
+@@ -0,0 +1,85 @@
++.TH  "irqbalance_selinux"  "8"  "irqbalance" "dwalsh at redhat.com" "irqbalance SELinux Policy documentation"
++.SH "NAME"
++irqbalance_selinux \- Security Enhanced Linux Policy for the irqbalance processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B irqbalance
++(IRQ balancing daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux irqbalance policy is very flexible allowing users to setup their irqbalance processes in as secure a method as possible.
++.PP 
++The following file types are defined for irqbalance:
++
++
++.EX
++.PP
++.B irqbalance_exec_t 
++.EE
++
++- Set files with the irqbalance_exec_t type, if you want to transition an executable to the irqbalance_t domain.
++
++
++.EX
++.PP
++.B irqbalance_var_run_t 
++.EE
++
++- Set files with the irqbalance_var_run_t type, if you want to store the irqbalance files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux irqbalance policy is very flexible allowing users to setup their irqbalance processes in as secure a method as possible.
++.PP 
++The following process types are defined for irqbalance:
++
++.EX
++.B irqbalance_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), irqbalance(8), semanage(8), restorecon(8), chcon(1)
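Review bot: The escape that follows `ls` and `ps` in `option to \fBls\bP` and `option to \fBps\bP` is `\bP`, which is roff's bracket-building escape rather than a font change. `\fP` was presumably intended, so bold is never switched back off and the end of the line may render incorrectly. The lines should read `You can see the context of a file using the \fB\-Z\fP option to \fBls\fP` and likewise `\fBps\fP`. Every generated page in this part of the patch carries the same two lines, so the fix belongs in genman.py's template.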
+diff --git a/man/man8/irssi_selinux.8 b/man/man8/irssi_selinux.8
+new file mode 100644
+index 0000000..3320869
+--- /dev/null
++++ b/man/man8/irssi_selinux.8
+@@ -0,0 +1,102 @@
++.TH  "irssi_selinux"  "8"  "irssi" "dwalsh at redhat.com" "irssi SELinux Policy documentation"
++.SH "NAME"
++irssi_selinux \- Security Enhanced Linux Policy for the irssi processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  irssi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run irssi with the tightest access possible.
++
++
++.PP
++If you want to allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port, you must turn on the irssi_use_full_network boolean.
++
++.EX
++.B setsebool -P irssi_use_full_network 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux irssi policy is very flexible allowing users to setup their irssi processes in as secure a method as possible.
++.PP 
++The following file types are defined for irssi:
++
++
++.EX
++.PP
++.B irssi_etc_t 
++.EE
++
++- Set files with the irssi_etc_t type, if you want to store irssi files in the /etc directories.
++
++
++.EX
++.PP
++.B irssi_exec_t 
++.EE
++
++- Set files with the irssi_exec_t type, if you want to transition an executable to the irssi_t domain.
++
++
++.EX
++.PP
++.B irssi_home_t 
++.EE
++
++- Set files with the irssi_home_t type, if you want to store irssi files in the users home directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux irssi policy is very flexible allowing users to setup their irssi processes in as secure a method as possible.
++.PP 
++The following process types are defined for irssi:
++
++.EX
++.B irssi_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), irssi(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
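Review bot: The `.SH "DESCRIPTION"` section is empty here, and likewise in the iscsid, iwhd, jabberd and kadmind pages that follow, whereas the iptables, irc, irqbalance and jockey pages get a sentence. Presumably genman.py found no module summary for these domains; a fallback such as `SELinux secures irssi processes via flexible mandatory access control.` would keep the section from rendering blank. The `SEE ALSO` list also ends with a line that starts with a comma (`, setsebool(8)`) and has no trailing newline, which the generator could avoid by joining the references on one line.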
+diff --git a/man/man8/iscsid_selinux.8 b/man/man8/iscsid_selinux.8
+new file mode 100644
+index 0000000..4f0d9c3
+--- /dev/null
++++ b/man/man8/iscsid_selinux.8
+@@ -0,0 +1,145 @@
++.TH  "iscsid_selinux"  "8"  "iscsid" "dwalsh at redhat.com" "iscsid SELinux Policy documentation"
++.SH "NAME"
++iscsid_selinux \- Security Enhanced Linux Policy for the iscsid processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible.
++.PP 
++The following file types are defined for iscsid:
++
++
++.EX
++.PP
++.B iscsi_lock_t 
++.EE
++
++- Set files with the iscsi_lock_t type, if you want to treat the files as iscsi lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B iscsi_log_t 
++.EE
++
++- Set files with the iscsi_log_t type, if you want to treat the data as iscsi log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/iscsiuio\.log.*, /var/log/brcm-iscsi\.log
++
++.EX
++.PP
++.B iscsi_tmp_t 
++.EE
++
++- Set files with the iscsi_tmp_t type, if you want to store iscsi temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B iscsi_var_lib_t 
++.EE
++
++- Set files with the iscsi_var_lib_t type, if you want to store the iscsi files under the /var/lib directory.
++
++
++.EX
++.PP
++.B iscsi_var_run_t 
++.EE
++
++- Set files with the iscsi_var_run_t type, if you want to store the iscsi files under the /run directory.
++
++
++.EX
++.PP
++.B iscsid_exec_t 
++.EE
++
++- Set files with the iscsid_exec_t type, if you want to transition an executable to the iscsid_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/brcm_iscsiuio, /sbin/iscsiuio, /usr/sbin/iscsiuio, /usr/sbin/iscsid, /usr/sbin/brcm_iscsiuio, /sbin/iscsid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible.
++.PP 
++The following port types are defined for iscsid:
++
++.EX
++.TP 5
++.B iscsi_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible.
++.PP 
++The following process types are defined for iscsid:
++
++.EX
++.B iscsid_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), iscsid(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/iwhd_selinux.8 b/man/man8/iwhd_selinux.8
+new file mode 100644
+index 0000000..2031201
+--- /dev/null
++++ b/man/man8/iwhd_selinux.8
+@@ -0,0 +1,103 @@
++.TH  "iwhd_selinux"  "8"  "iwhd" "dwalsh at redhat.com" "iwhd SELinux Policy documentation"
++.SH "NAME"
++iwhd_selinux \- Security Enhanced Linux Policy for the iwhd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux iwhd policy is very flexible allowing users to setup their iwhd processes in as secure a method as possible.
++.PP 
++The following file types are defined for iwhd:
++
++
++.EX
++.PP
++.B iwhd_exec_t 
++.EE
++
++- Set files with the iwhd_exec_t type, if you want to transition an executable to the iwhd_t domain.
++
++
++.EX
++.PP
++.B iwhd_initrc_exec_t 
++.EE
++
++- Set files with the iwhd_initrc_exec_t type, if you want to transition an executable to the iwhd_initrc_t domain.
++
++
++.EX
++.PP
++.B iwhd_log_t 
++.EE
++
++- Set files with the iwhd_log_t type, if you want to treat the data as iwhd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B iwhd_var_lib_t 
++.EE
++
++- Set files with the iwhd_var_lib_t type, if you want to store the iwhd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B iwhd_var_run_t 
++.EE
++
++- Set files with the iwhd_var_run_t type, if you want to store the iwhd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux iwhd policy is very flexible allowing users to setup their iwhd processes in as secure a method as possible.
++.PP 
++The following process types are defined for iwhd:
++
++.EX
++.B iwhd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), iwhd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/jabberd_selinux.8 b/man/man8/jabberd_selinux.8
+new file mode 100644
+index 0000000..5f3d39d
+--- /dev/null
++++ b/man/man8/jabberd_selinux.8
+@@ -0,0 +1,151 @@
++.TH  "jabberd_selinux"  "8"  "jabberd" "dwalsh at redhat.com" "jabberd SELinux Policy documentation"
++.SH "NAME"
++jabberd_selinux \- Security Enhanced Linux Policy for the jabberd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux jabberd policy is very flexible allowing users to setup their jabberd processes in as secure a method as possible.
++.PP 
++The following file types are defined for jabberd:
++
++
++.EX
++.PP
++.B jabberd_exec_t 
++.EE
++
++- Set files with the jabberd_exec_t type, if you want to transition an executable to the jabberd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/s2s, /usr/bin/sm
++
++.EX
++.PP
++.B jabberd_initrc_exec_t 
++.EE
++
++- Set files with the jabberd_initrc_exec_t type, if you want to transition an executable to the jabberd_initrc_t domain.
++
++
++.EX
++.PP
++.B jabberd_router_exec_t 
++.EE
++
++- Set files with the jabberd_router_exec_t type, if you want to transition an executable to the jabberd_router_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/c2s, /usr/bin/router
++
++.EX
++.PP
++.B jabberd_var_lib_t 
++.EE
++
++- Set files with the jabberd_var_lib_t type, if you want to store the jabberd files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux jabberd policy is very flexible allowing users to setup their jabberd processes in as secure a method as possible.
++.PP 
++The following port types are defined for jabberd:
++
++.EX
++.TP 5
++.B jabber_client_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B jabber_interserver_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B jabber_router_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux jabberd policy is very flexible allowing users to setup their jabberd processes in as secure a method as possible.
++.PP 
++The following process types are defined for jabberd:
++
++.EX
++.B jabberd_router_t, jabberd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), jabberd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/jockey_selinux.8 b/man/man8/jockey_selinux.8
+new file mode 100644
+index 0000000..239af62
+--- /dev/null
++++ b/man/man8/jockey_selinux.8
+@@ -0,0 +1,97 @@
++.TH  "jockey_selinux"  "8"  "jockey" "dwalsh at redhat.com" "jockey SELinux Policy documentation"
++.SH "NAME"
++jockey_selinux \- Security Enhanced Linux Policy for the jockey processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B jockey
++(policy for jockey)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux jockey policy is very flexible allowing users to setup their jockey processes in as secure a method as possible.
++.PP 
++The following file types are defined for jockey:
++
++
++.EX
++.PP
++.B jockey_cache_t 
++.EE
++
++- Set files with the jockey_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B jockey_exec_t 
++.EE
++
++- Set files with the jockey_exec_t type, if you want to transition an executable to the jockey_t domain.
++
++
++.EX
++.PP
++.B jockey_var_log_t 
++.EE
++
++- Set files with the jockey_var_log_t type, if you want to treat the data as jockey var log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/jockey\.log, /var/log/jockey(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux jockey policy is very flexible allowing users to setup their jockey processes in as secure a method as possible.
++.PP 
++The following process types are defined for jockey:
++
++.EX
++.B jockey_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), jockey(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/kadmind_selinux.8 b/man/man8/kadmind_selinux.8
+new file mode 100644
+index 0000000..b56c5c1
+--- /dev/null
++++ b/man/man8/kadmind_selinux.8
+@@ -0,0 +1,99 @@
++.TH  "kadmind_selinux"  "8"  "kadmind" "dwalsh at redhat.com" "kadmind SELinux Policy documentation"
++.SH "NAME"
++kadmind_selinux \- Security Enhanced Linux Policy for the kadmind processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible.
++.PP 
++The following file types are defined for kadmind:
++
++
++.EX
++.PP
++.B kadmind_exec_t 
++.EE
++
++- Set files with the kadmind_exec_t type, if you want to transition an executable to the kadmind_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/(local/)?(kerberos/)?sbin/kadmind, /usr/kerberos/sbin/kadmin\.local
++
++.EX
++.PP
++.B kadmind_log_t 
++.EE
++
++- Set files with the kadmind_log_t type, if you want to treat the data as kadmind log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B kadmind_tmp_t 
++.EE
++
++- Set files with the kadmind_tmp_t type, if you want to store kadmind temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B kadmind_var_run_t 
++.EE
++
++- Set files with the kadmind_var_run_t type, if you want to store the kadmind files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible.
++.PP 
++The following process types are defined for kadmind:
++
++.EX
++.B kadmind_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), kadmind(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/kdump_selinux.8 b/man/man8/kdump_selinux.8
+new file mode 100644
+index 0000000..b47a14d
+--- /dev/null
++++ b/man/man8/kdump_selinux.8
+@@ -0,0 +1,121 @@
++.TH  "kdump_selinux"  "8"  "kdump" "dwalsh at redhat.com" "kdump SELinux Policy documentation"
++.SH "NAME"
++kdump_selinux \- Security Enhanced Linux Policy for the kdump processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B kdump
++(Kernel crash dumping mechanism)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux kdump policy is very flexible allowing users to setup their kdump processes in as secure a method as possible.
++.PP 
++The following file types are defined for kdump:
++
++
++.EX
++.PP
++.B kdump_etc_t 
++.EE
++
++- Set files with the kdump_etc_t type, if you want to store kdump files in the /etc directories.
++
++
++.EX
++.PP
++.B kdump_exec_t 
++.EE
++
++- Set files with the kdump_exec_t type, if you want to transition an executable to the kdump_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/kdump, /usr/sbin/kexec, /sbin/kdump, /sbin/kexec
++
++.EX
++.PP
++.B kdump_initrc_exec_t 
++.EE
++
++- Set files with the kdump_initrc_exec_t type, if you want to transition an executable to the kdump_initrc_t domain.
++
++
++.EX
++.PP
++.B kdump_unit_file_t 
++.EE
++
++- Set files with the kdump_unit_file_t type, if you want to treat the files as kdump unit content.
++
++
++.EX
++.PP
++.B kdumpgui_exec_t 
++.EE
++
++- Set files with the kdumpgui_exec_t type, if you want to transition an executable to the kdumpgui_t domain.
++
++
++.EX
++.PP
++.B kdumpgui_tmp_t 
++.EE
++
++- Set files with the kdumpgui_tmp_t type, if you want to store kdumpgui temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux kdump policy is very flexible allowing users to setup their kdump processes in as secure a method as possible.
++.PP 
++The following process types are defined for kdump:
++
++.EX
++.B kdumpgui_t, kdump_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), kdump(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/kdumpgui_selinux.8 b/man/man8/kdumpgui_selinux.8
+new file mode 100644
+index 0000000..82754b0
+--- /dev/null
++++ b/man/man8/kdumpgui_selinux.8
+@@ -0,0 +1,85 @@
++.TH  "kdumpgui_selinux"  "8"  "kdumpgui" "dwalsh at redhat.com" "kdumpgui SELinux Policy documentation"
++.SH "NAME"
++kdumpgui_selinux \- Security Enhanced Linux Policy for the kdumpgui processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B kdumpgui
++(system-config-kdump GUI)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux kdumpgui policy is very flexible allowing users to setup their kdumpgui processes in as secure a method as possible.
++.PP 
++The following file types are defined for kdumpgui:
++
++
++.EX
++.PP
++.B kdumpgui_exec_t 
++.EE
++
++- Set files with the kdumpgui_exec_t type, if you want to transition an executable to the kdumpgui_t domain.
++
++
++.EX
++.PP
++.B kdumpgui_tmp_t 
++.EE
++
++- Set files with the kdumpgui_tmp_t type, if you want to store kdumpgui temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux kdumpgui policy is very flexible allowing users to setup their kdumpgui processes in as secure a method as possible.
++.PP 
++The following process types are defined for kdumpgui:
++
++.EX
++.B kdumpgui_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), kdumpgui(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/keyboardd_selinux.8 b/man/man8/keyboardd_selinux.8
+new file mode 100644
+index 0000000..782e48f
+--- /dev/null
++++ b/man/man8/keyboardd_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "keyboardd_selinux"  "8"  "keyboardd" "dwalsh at redhat.com" "keyboardd SELinux Policy documentation"
++.SH "NAME"
++keyboardd_selinux \- Security Enhanced Linux Policy for the keyboardd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B keyboardd
++(policy for system-setup-keyboard daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux keyboardd policy is very flexible allowing users to setup their keyboardd processes in as secure a method as possible.
++.PP 
++The following file types are defined for keyboardd:
++
++
++.EX
++.PP
++.B keyboardd_exec_t 
++.EE
++
++- Set files with the keyboardd_exec_t type, if you want to transition an executable to the keyboardd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux keyboardd policy is very flexible allowing users to setup their keyboardd processes in as secure a method as possible.
++.PP 
++The following process types are defined for keyboardd:
++
++.EX
++.B keyboardd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), keyboardd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/keystone_selinux.8 b/man/man8/keystone_selinux.8
+new file mode 100644
+index 0000000..1c2d5b6
+--- /dev/null
++++ b/man/man8/keystone_selinux.8
+@@ -0,0 +1,109 @@
++.TH  "keystone_selinux"  "8"  "keystone" "dwalsh at redhat.com" "keystone SELinux Policy documentation"
++.SH "NAME"
++keystone_selinux \- Security Enhanced Linux Policy for the keystone processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B keystone
++(policy for keystone)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible.
++.PP 
++The following file types are defined for keystone:
++
++
++.EX
++.PP
++.B keystone_exec_t 
++.EE
++
++- Set files with the keystone_exec_t type, if you want to transition an executable to the keystone_t domain.
++
++
++.EX
++.PP
++.B keystone_log_t 
++.EE
++
++- Set files with the keystone_log_t type, if you want to treat the data as keystone log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B keystone_tmp_t 
++.EE
++
++- Set files with the keystone_tmp_t type, if you want to store keystone temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B keystone_unit_file_t 
++.EE
++
++- Set files with the keystone_unit_file_t type, if you want to treat the files as keystone unit content.
++
++
++.EX
++.PP
++.B keystone_var_lib_t 
++.EE
++
++- Set files with the keystone_var_lib_t type, if you want to store the keystone files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible.
++.PP 
++The following process types are defined for keystone:
++
++.EX
++.B keystone_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), keystone(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/kismet_selinux.8 b/man/man8/kismet_selinux.8
+new file mode 100644
+index 0000000..678bdc4
+--- /dev/null
++++ b/man/man8/kismet_selinux.8
+@@ -0,0 +1,151 @@
++.TH  "kismet_selinux"  "8"  "kismet" "dwalsh at redhat.com" "kismet SELinux Policy documentation"
++.SH "NAME"
++kismet_selinux \- Security Enhanced Linux Policy for the kismet processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B kismet
++(Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux kismet policy is very flexible allowing users to setup their kismet processes in as secure a method as possible.
++.PP 
++The following file types are defined for kismet:
++
++
++.EX
++.PP
++.B kismet_exec_t 
++.EE
++
++- Set files with the kismet_exec_t type, if you want to transition an executable to the kismet_t domain.
++
++
++.EX
++.PP
++.B kismet_home_t 
++.EE
++
++- Set files with the kismet_home_t type, if you want to store kismet files in the users home directory.
++
++
++.EX
++.PP
++.B kismet_log_t 
++.EE
++
++- Set files with the kismet_log_t type, if you want to treat the data as kismet log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B kismet_tmp_t 
++.EE
++
++- Set files with the kismet_tmp_t type, if you want to store kismet temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B kismet_tmpfs_t 
++.EE
++
++- Set files with the kismet_tmpfs_t type, if you want to store kismet files on a tmpfs file system.
++
++
++.EX
++.PP
++.B kismet_var_lib_t 
++.EE
++
++- Set files with the kismet_var_lib_t type, if you want to store the kismet files under the /var/lib directory.
++
++
++.EX
++.PP
++.B kismet_var_run_t 
++.EE
++
++- Set files with the kismet_var_run_t type, if you want to store the kismet files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux kismet policy is very flexible allowing users to setup their kismet processes in as secure a method as possible.
++.PP 
++The following port types are defined for kismet:
++
++.EX
++.TP 5
++.B kismet_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux kismet policy is very flexible allowing users to setup their kismet processes in as secure a method as possible.
++.PP 
++The following process types are defined for kismet:
++
++.EX
++.B kismet_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), kismet(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/klogd_selinux.8 b/man/man8/klogd_selinux.8
+new file mode 100644
+index 0000000..9dcdb4f
+--- /dev/null
++++ b/man/man8/klogd_selinux.8
+@@ -0,0 +1,91 @@
++.TH  "klogd_selinux"  "8"  "klogd" "dwalsh at redhat.com" "klogd SELinux Policy documentation"
++.SH "NAME"
++klogd_selinux \- Security Enhanced Linux Policy for the klogd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux klogd policy is very flexible allowing users to setup their klogd processes in as secure a method as possible.
++.PP 
++The following file types are defined for klogd:
++
++
++.EX
++.PP
++.B klogd_exec_t 
++.EE
++
++- Set files with the klogd_exec_t type, if you want to transition an executable to the klogd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/rklogd, /sbin/klogd, /sbin/rklogd, /usr/sbin/klogd
++
++.EX
++.PP
++.B klogd_tmp_t 
++.EE
++
++- Set files with the klogd_tmp_t type, if you want to store klogd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B klogd_var_run_t 
++.EE
++
++- Set files with the klogd_var_run_t type, if you want to store the klogd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux klogd policy is very flexible allowing users to setup their klogd processes in as secure a method as possible.
++.PP 
++The following process types are defined for klogd:
++
++.EX
++.B klogd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), klogd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/kpropd_selinux.8 b/man/man8/kpropd_selinux.8
+new file mode 100644
+index 0000000..5ad7425
+--- /dev/null
++++ b/man/man8/kpropd_selinux.8
+@@ -0,0 +1,97 @@
++.TH  "kpropd_selinux"  "8"  "kpropd" "dwalsh at redhat.com" "kpropd SELinux Policy documentation"
++.SH "NAME"
++kpropd_selinux \- Security Enhanced Linux Policy for the kpropd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux kpropd policy is very flexible allowing users to setup their kpropd processes in as secure a method as possible.
++.PP 
++The following file types are defined for kpropd:
++
++
++.EX
++.PP
++.B kpropd_exec_t 
++.EE
++
++- Set files with the kpropd_exec_t type, if you want to transition an executable to the kpropd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux kpropd policy is very flexible allowing users to setup their kpropd processes in as secure a method as possible.
++.PP 
++The following port types are defined for kpropd:
++
++.EX
++.TP 5
++.B kprop_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux kpropd policy is very flexible allowing users to setup their kpropd processes in as secure a method as possible.
++.PP 
++The following process types are defined for kpropd:
++
++.EX
++.B kpropd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), kpropd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/krb5kdc_selinux.8 b/man/man8/krb5kdc_selinux.8
+new file mode 100644
+index 0000000..8a01b27
+--- /dev/null
++++ b/man/man8/krb5kdc_selinux.8
+@@ -0,0 +1,131 @@
++.TH  "krb5kdc_selinux"  "8"  "krb5kdc" "dwalsh at redhat.com" "krb5kdc SELinux Policy documentation"
++.SH "NAME"
++krb5kdc_selinux \- Security Enhanced Linux Policy for the krb5kdc processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux krb5kdc policy is very flexible allowing users to setup their krb5kdc processes in as secure a method as possible.
++.PP 
++The following file types are defined for krb5kdc:
++
++
++.EX
++.PP
++.B krb5kdc_conf_t 
++.EE
++
++- Set files with the krb5kdc_conf_t type, if you want to treat the files as krb5kdc configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/var/kerberos/krb5kdc(/.*)?, /etc/krb5kdc(/.*)?, /usr/local/var/krb5kdc(/.*)?
++
++.EX
++.PP
++.B krb5kdc_exec_t 
++.EE
++
++- Set files with the krb5kdc_exec_t type, if you want to transition an executable to the krb5kdc_t domain.
++
++
++.EX
++.PP
++.B krb5kdc_lock_t 
++.EE
++
++- Set files with the krb5kdc_lock_t type, if you want to treat the files as krb5kdc lock data, stored under the /var/lock directory
++
++.br
++.TP 5
++Paths: 
++/var/kerberos/krb5kdc/principal.*\.ok, /var/kerberos/krb5kdc/from_master.*
++
++.EX
++.PP
++.B krb5kdc_log_t 
++.EE
++
++- Set files with the krb5kdc_log_t type, if you want to treat the data as krb5kdc log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B krb5kdc_principal_t 
++.EE
++
++- Set files with the krb5kdc_principal_t type, if you want to treat the files as krb5kdc principal data.
++
++.br
++.TP 5
++Paths: 
++/usr/local/var/krb5kdc/principal.*, /etc/krb5kdc/principal.*, /var/kerberos/krb5kdc/principal.*
++
++.EX
++.PP
++.B krb5kdc_tmp_t 
++.EE
++
++- Set files with the krb5kdc_tmp_t type, if you want to store krb5kdc temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B krb5kdc_var_run_t 
++.EE
++
++- Set files with the krb5kdc_var_run_t type, if you want to store the krb5kdc files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux krb5kdc policy is very flexible allowing users to setup their krb5kdc processes in as secure a method as possible.
++.PP 
++The following process types are defined for krb5kdc:
++
++.EX
++.B krb5kdc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), krb5kdc(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ksmtuned_selinux.8 b/man/man8/ksmtuned_selinux.8
+new file mode 100644
+index 0000000..5874ff2
+--- /dev/null
++++ b/man/man8/ksmtuned_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "ksmtuned_selinux"  "8"  "ksmtuned" "dwalsh at redhat.com" "ksmtuned SELinux Policy documentation"
++.SH "NAME"
++ksmtuned_selinux \- Security Enhanced Linux Policy for the ksmtuned processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B ksmtuned
++(Kernel Samepage Merging (KSM) Tuning Daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ksmtuned policy is very flexible allowing users to setup their ksmtuned processes in as secure a method as possible.
++.PP 
++The following file types are defined for ksmtuned:
++
++
++.EX
++.PP
++.B ksmtuned_exec_t 
++.EE
++
++- Set files with the ksmtuned_exec_t type, if you want to transition an executable to the ksmtuned_t domain.
++
++
++.EX
++.PP
++.B ksmtuned_initrc_exec_t 
++.EE
++
++- Set files with the ksmtuned_initrc_exec_t type, if you want to transition an executable to the ksmtuned_initrc_t domain.
++
++
++.EX
++.PP
++.B ksmtuned_log_t 
++.EE
++
++- Set files with the ksmtuned_log_t type, if you want to treat the data as ksmtuned log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ksmtuned_var_run_t 
++.EE
++
++- Set files with the ksmtuned_var_run_t type, if you want to store the ksmtuned files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ksmtuned policy is very flexible allowing users to setup their ksmtuned processes in as secure a method as possible.
++.PP 
++The following process types are defined for ksmtuned:
++
++.EX
++.B ksmtuned_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ksmtuned(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ktalkd_selinux.8 b/man/man8/ktalkd_selinux.8
+new file mode 100644
+index 0000000..2b084b7
+--- /dev/null
++++ b/man/man8/ktalkd_selinux.8
+@@ -0,0 +1,125 @@
++.TH  "ktalkd_selinux"  "8"  "ktalkd" "dwalsh at redhat.com" "ktalkd SELinux Policy documentation"
++.SH "NAME"
++ktalkd_selinux \- Security Enhanced Linux Policy for the ktalkd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ktalkd policy is very flexible allowing users to setup their ktalkd processes in as secure a method as possible.
++.PP 
++The following file types are defined for ktalkd:
++
++
++.EX
++.PP
++.B ktalkd_exec_t 
++.EE
++
++- Set files with the ktalkd_exec_t type, if you want to transition an executable to the ktalkd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/in\.talkd, /usr/bin/ktalkd, /usr/sbin/in\.ntalkd
++
++.EX
++.PP
++.B ktalkd_log_t 
++.EE
++
++- Set files with the ktalkd_log_t type, if you want to treat the data as ktalkd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ktalkd_tmp_t 
++.EE
++
++- Set files with the ktalkd_tmp_t type, if you want to store ktalkd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ktalkd_var_run_t 
++.EE
++
++- Set files with the ktalkd_var_run_t type, if you want to store the ktalkd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux ktalkd policy is very flexible allowing users to setup their ktalkd processes in as secure a method as possible.
++.PP 
++The following port types are defined for ktalkd:
++
++.EX
++.TP 5
++.B ktalkd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ktalkd policy is very flexible allowing users to setup their ktalkd processes in as secure a method as possible.
++.PP 
++The following process types are defined for ktalkd:
++
++.EX
++.B ktalkd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ktalkd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/l2tpd_selinux.8 b/man/man8/l2tpd_selinux.8
+new file mode 100644
+index 0000000..be9e0f9
+--- /dev/null
++++ b/man/man8/l2tpd_selinux.8
+@@ -0,0 +1,105 @@
++.TH  "l2tpd_selinux"  "8"  "l2tpd" "dwalsh at redhat.com" "l2tpd SELinux Policy documentation"
++.SH "NAME"
++l2tpd_selinux \- Security Enhanced Linux Policy for the l2tpd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B l2tpd
++(policy for l2tpd)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible.
++.PP 
++The following file types are defined for l2tpd:
++
++
++.EX
++.PP
++.B l2tpd_exec_t 
++.EE
++
++- Set files with the l2tpd_exec_t type, if you want to transition an executable to the l2tpd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/xl2tpd, /usr/sbin/openl2tpd
++
++.EX
++.PP
++.B l2tpd_initrc_exec_t 
++.EE
++
++- Set files with the l2tpd_initrc_exec_t type, if you want to transition an executable to the l2tpd_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/xl2tpd, /etc/rc\.d/init\.d/openl2tpd
++
++.EX
++.PP
++.B l2tpd_var_run_t 
++.EE
++
++- Set files with the l2tpd_var_run_t type, if you want to store the l2tpd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/xl2tpd(/.*)?, /var/run/xl2tpd\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for l2tpd:
++
++.EX
++.B l2tpd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), l2tpd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ldconfig_selinux.8 b/man/man8/ldconfig_selinux.8
+new file mode 100644
+index 0000000..488c36b
+--- /dev/null
++++ b/man/man8/ldconfig_selinux.8
+@@ -0,0 +1,91 @@
++.TH  "ldconfig_selinux"  "8"  "ldconfig" "dwalsh at redhat.com" "ldconfig SELinux Policy documentation"
++.SH "NAME"
++ldconfig_selinux \- Security Enhanced Linux Policy for the ldconfig processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ldconfig policy is very flexible allowing users to setup their ldconfig processes in as secure a method as possible.
++.PP 
++The following file types are defined for ldconfig:
++
++
++.EX
++.PP
++.B ldconfig_cache_t 
++.EE
++
++- Set files with the ldconfig_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B ldconfig_exec_t 
++.EE
++
++- Set files with the ldconfig_exec_t type, if you want to transition an executable to the ldconfig_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/ldconfig, /sbin/ldconfig
++
++.EX
++.PP
++.B ldconfig_tmp_t 
++.EE
++
++- Set files with the ldconfig_tmp_t type, if you want to store ldconfig temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ldconfig policy is very flexible allowing users to setup their ldconfig processes in as secure a method as possible.
++.PP 
++The following process types are defined for ldconfig:
++
++.EX
++.B ldconfig_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ldconfig(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/libra_selinux.8 b/man/man8/libra_selinux.8
+new file mode 100644
+index 0000000..8b6ac6e
+--- /dev/null
++++ b/man/man8/libra_selinux.8
+@@ -0,0 +1,173 @@
++.TH  "libra_selinux"  "8"  "libra" "dwalsh at redhat.com" "libra SELinux Policy documentation"
++.SH "NAME"
++libra_selinux \- Security Enhanced Linux Policy for the libra processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux libra policy is very flexible allowing users to setup their libra processes in as secure a method as possible.
++.PP 
++The following file types are defined for libra:
++
++
++.EX
++.PP
++.B libra_cgroup_read_exec_t 
++.EE
++
++- Set files with the libra_cgroup_read_exec_t type, if you want to transition an executable to the libra_cgroup_read_t domain.
++
++
++.EX
++.PP
++.B libra_initrc_exec_t 
++.EE
++
++- Set files with the libra_initrc_exec_t type, if you want to transition an executable to the libra_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/rhc-restorer, /etc/rc\.d/init\.d/mcollective, /etc/rc\.d/init\.d/libra
++
++.EX
++.PP
++.B libra_initrc_tmp_t 
++.EE
++
++- Set files with the libra_initrc_tmp_t type, if you want to store libra initrc temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B libra_log_t 
++.EE
++
++- Set files with the libra_log_t type, if you want to treat the data as libra log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B libra_mail_tmp_t 
++.EE
++
++- Set files with the libra_mail_tmp_t type, if you want to store libra mail temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B libra_private_file_t 
++.EE
++
++- Set files with the libra_private_file_t type, if you want to treat the files as libra private content.
++
++
++.EX
++.PP
++.B libra_rw_file_t 
++.EE
++
++- Set files with the libra_rw_file_t type, if you want to treat the files as libra rw content.
++
++
++.EX
++.PP
++.B libra_tmp_t 
++.EE
++
++- Set files with the libra_tmp_t type, if you want to store libra temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B libra_var_lib_t 
++.EE
++
++- Set files with the libra_var_lib_t type, if you want to store the libra files under the /var/lib directory.
++
++
++.EX
++.PP
++.B libra_var_run_t 
++.EE
++
++- Set files with the libra_var_run_t type, if you want to store the libra files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux libra policy is very flexible allowing users to setup their libra processes in as secure a method as possible.
++.PP 
++The following port types are defined for libra:
++
++.EX
++.TP 5
++.B libra_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux libra policy is very flexible allowing users to setup their libra processes in as secure a method as possible.
++.PP 
++The following process types are defined for libra:
++
++.EX
++.B libra_t, libra_initrc_t, libra_mail_t, libra_net_app_t, libra_min_app_t, libra_app_t, libra_min_t, libra_net_t, libra_cgroup_read_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), libra(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/lircd_selinux.8 b/man/man8/lircd_selinux.8
+new file mode 100644
+index 0000000..6b5ddb1
+--- /dev/null
++++ b/man/man8/lircd_selinux.8
+@@ -0,0 +1,135 @@
++.TH  "lircd_selinux"  "8"  "lircd" "dwalsh at redhat.com" "lircd SELinux Policy documentation"
++.SH "NAME"
++lircd_selinux \- Security Enhanced Linux Policy for the lircd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B lircd
++(Linux infared remote control daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux lircd policy is very flexible allowing users to setup their lircd processes in as secure a method as possible.
++.PP 
++The following file types are defined for lircd:
++
++
++.EX
++.PP
++.B lircd_etc_t 
++.EE
++
++- Set files with the lircd_etc_t type, if you want to store lircd files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/lircd\.conf, /etc/lirc(/.*)?
++
++.EX
++.PP
++.B lircd_exec_t 
++.EE
++
++- Set files with the lircd_exec_t type, if you want to transition an executable to the lircd_t domain.
++
++
++.EX
++.PP
++.B lircd_initrc_exec_t 
++.EE
++
++- Set files with the lircd_initrc_exec_t type, if you want to transition an executable to the lircd_initrc_t domain.
++
++
++.EX
++.PP
++.B lircd_var_run_t 
++.EE
++
++- Set files with the lircd_var_run_t type, if you want to store the lircd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/lirc(/.*)?, /var/run/lircd(/.*)?, /var/run/lircd\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux lircd policy is very flexible allowing users to setup their lircd processes in as secure a method as possible.
++.PP 
++The following port types are defined for lircd:
++
++.EX
++.TP 5
++.B lirc_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lircd policy is very flexible allowing users to setup their lircd processes in as secure a method as possible.
++.PP 
++The following process types are defined for lircd:
++
++.EX
++.B lircd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), lircd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/livecd_selinux.8 b/man/man8/livecd_selinux.8
+new file mode 100644
+index 0000000..01c43d5
+--- /dev/null
++++ b/man/man8/livecd_selinux.8
+@@ -0,0 +1,85 @@
++.TH  "livecd_selinux"  "8"  "livecd" "dwalsh at redhat.com" "livecd SELinux Policy documentation"
++.SH "NAME"
++livecd_selinux \- Security Enhanced Linux Policy for the livecd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B livecd
++(Livecd tool for building alternate livecd for different os and policy versions)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux livecd policy is very flexible allowing users to setup their livecd processes in as secure a method as possible.
++.PP 
++The following file types are defined for livecd:
++
++
++.EX
++.PP
++.B livecd_exec_t 
++.EE
++
++- Set files with the livecd_exec_t type, if you want to transition an executable to the livecd_t domain.
++
++
++.EX
++.PP
++.B livecd_tmp_t 
++.EE
++
++- Set files with the livecd_tmp_t type, if you want to store livecd temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux livecd policy is very flexible allowing users to setup their livecd processes in as secure a method as possible.
++.PP 
++The following process types are defined for livecd:
++
++.EX
++.B livecd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), livecd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/lldpad_selinux.8 b/man/man8/lldpad_selinux.8
+new file mode 100644
+index 0000000..25e0ebf
+--- /dev/null
++++ b/man/man8/lldpad_selinux.8
+@@ -0,0 +1,109 @@
++.TH  "lldpad_selinux"  "8"  "lldpad" "dwalsh at redhat.com" "lldpad SELinux Policy documentation"
++.SH "NAME"
++lldpad_selinux \- Security Enhanced Linux Policy for the lldpad processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B lldpad
++(policy for lldpad)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux lldpad policy is very flexible allowing users to setup their lldpad processes in as secure a method as possible.
++.PP 
++The following file types are defined for lldpad:
++
++
++.EX
++.PP
++.B lldpad_exec_t 
++.EE
++
++- Set files with the lldpad_exec_t type, if you want to transition an executable to the lldpad_t domain.
++
++
++.EX
++.PP
++.B lldpad_initrc_exec_t 
++.EE
++
++- Set files with the lldpad_initrc_exec_t type, if you want to transition an executable to the lldpad_initrc_t domain.
++
++
++.EX
++.PP
++.B lldpad_tmpfs_t 
++.EE
++
++- Set files with the lldpad_tmpfs_t type, if you want to store lldpad files on a tmpfs file system.
++
++
++.EX
++.PP
++.B lldpad_var_lib_t 
++.EE
++
++- Set files with the lldpad_var_lib_t type, if you want to store the lldpad files under the /var/lib directory.
++
++
++.EX
++.PP
++.B lldpad_var_run_t 
++.EE
++
++- Set files with the lldpad_var_run_t type, if you want to store the lldpad files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lldpad policy is very flexible allowing users to setup their lldpad processes in as secure a method as possible.
++.PP 
++The following process types are defined for lldpad:
++
++.EX
++.B lldpad_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), lldpad(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/load_selinux.8 b/man/man8/load_selinux.8
+new file mode 100644
+index 0000000..27bf215
+--- /dev/null
++++ b/man/man8/load_selinux.8
+@@ -0,0 +1,116 @@
++.TH  "load_selinux"  "8"  "load" "dwalsh at redhat.com" "load SELinux Policy documentation"
++.SH "NAME"
++load_selinux \- Security Enhanced Linux Policy for the load processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  load policy is extremely flexible and has several booleans that allow you to manipulate the policy and run load with the tightest access possible.
++
++
++.PP
++If you want to prevent all confined domains from loading policy, setting enforcing mode, and changing boolean values.  Set this to true and you have to reboot to set it bac, you must turn on the secure_mode_policyload boolean.
++
++.EX
++.B setsebool -P secure_mode_policyload 1
++.EE
++
++.PP
++If you want to allow the graphical login program to execute bootloade, you must turn on the xdm_exec_bootloader boolean.
++
++.EX
++.B setsebool -P xdm_exec_bootloader 1
++.EE
++
++.PP
++If you want to allow all domains to have the kernel load module, you must turn on the domain_kernel_load_modules boolean.
++
++.EX
++.B setsebool -P domain_kernel_load_modules 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux load policy is very flexible allowing users to setup their load processes in as secure a method as possible.
++.PP 
++The following file types are defined for load:
++
++
++.EX
++.PP
++.B load_policy_exec_t 
++.EE
++
++- Set files with the load_policy_exec_t type, if you want to transition an executable to the load_policy_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/load_policy, /sbin/load_policy
++
++.EX
++.PP
++.B loadkeys_exec_t 
++.EE
++
++- Set files with the loadkeys_exec_t type, if you want to transition an executable to the loadkeys_t domain.
++
++.br
++.TP 5
++Paths: 
++/bin/unikeys, /usr/bin/unikeys, /bin/loadkeys, /usr/bin/loadkeys
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux load policy is very flexible allowing users to setup their load processes in as secure a method as possible.
++.PP 
++The following process types are defined for load:
++
++.EX
++.B loadkeys_t, load_policy_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), load(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/loadkeys_selinux.8 b/man/man8/loadkeys_selinux.8
+new file mode 100644
+index 0000000..7ea5471
+--- /dev/null
++++ b/man/man8/loadkeys_selinux.8
+@@ -0,0 +1,81 @@
++.TH  "loadkeys_selinux"  "8"  "loadkeys" "dwalsh at redhat.com" "loadkeys SELinux Policy documentation"
++.SH "NAME"
++loadkeys_selinux \- Security Enhanced Linux Policy for the loadkeys processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B loadkeys
++(Load keyboard mappings)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux loadkeys policy is very flexible allowing users to setup their loadkeys processes in as secure a method as possible.
++.PP 
++The following file types are defined for loadkeys:
++
++
++.EX
++.PP
++.B loadkeys_exec_t 
++.EE
++
++- Set files with the loadkeys_exec_t type, if you want to transition an executable to the loadkeys_t domain.
++
++.br
++.TP 5
++Paths: 
++/bin/unikeys, /usr/bin/unikeys, /bin/loadkeys, /usr/bin/loadkeys
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux loadkeys policy is very flexible allowing users to setup their loadkeys processes in as secure a method as possible.
++.PP 
++The following process types are defined for loadkeys:
++
++.EX
++.B loadkeys_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), loadkeys(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/locate_selinux.8 b/man/man8/locate_selinux.8
+new file mode 100644
+index 0000000..d9c0a33
+--- /dev/null
++++ b/man/man8/locate_selinux.8
+@@ -0,0 +1,87 @@
++.TH  "locate_selinux"  "8"  "locate" "dwalsh at redhat.com" "locate SELinux Policy documentation"
++.SH "NAME"
++locate_selinux \- Security Enhanced Linux Policy for the locate processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux locate policy is very flexible allowing users to setup their locate processes in as secure a method as possible.
++.PP 
++The following file types are defined for locate:
++
++
++.EX
++.PP
++.B locate_exec_t 
++.EE
++
++- Set files with the locate_exec_t type, if you want to transition an executable to the locate_t domain.
++
++
++.EX
++.PP
++.B locate_log_t 
++.EE
++
++- Set files with the locate_log_t type, if you want to treat the data as locate log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B locate_var_lib_t 
++.EE
++
++- Set files with the locate_var_lib_t type, if you want to store the locate files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux locate policy is very flexible allowing users to setup their locate processes in as secure a method as possible.
++.PP 
++The following process types are defined for locate:
++
++.EX
++.B locate_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), locate(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/lockdev_selinux.8 b/man/man8/lockdev_selinux.8
+new file mode 100644
+index 0000000..c899a1b
+--- /dev/null
++++ b/man/man8/lockdev_selinux.8
+@@ -0,0 +1,85 @@
++.TH  "lockdev_selinux"  "8"  "lockdev" "dwalsh at redhat.com" "lockdev SELinux Policy documentation"
++.SH "NAME"
++lockdev_selinux \- Security Enhanced Linux Policy for the lockdev processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B lockdev
++(device locking policy for lockdev)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux lockdev policy is very flexible allowing users to setup their lockdev processes in as secure a method as possible.
++.PP 
++The following file types are defined for lockdev:
++
++
++.EX
++.PP
++.B lockdev_exec_t 
++.EE
++
++- Set files with the lockdev_exec_t type, if you want to transition an executable to the lockdev_t domain.
++
++
++.EX
++.PP
++.B lockdev_lock_t 
++.EE
++
++- Set files with the lockdev_lock_t type, if you want to treat the files as lockdev lock data, stored under the /var/lock directory
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lockdev policy is very flexible allowing users to setup their lockdev processes in as secure a method as possible.
++.PP 
++The following process types are defined for lockdev:
++
++.EX
++.B lockdev_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), lockdev(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/logadm_selinux.8 b/man/man8/logadm_selinux.8
+new file mode 100644
+index 0000000..0edd73f
+--- /dev/null
++++ b/man/man8/logadm_selinux.8
+@@ -0,0 +1,65 @@
++.TH  "logadm_selinux"  "8"  "logadm" "mgrepl at redhat.com" "logadm SELinux Policy documentation"
++.SH "NAME"
++logadm_r \- \fBLog administrator role\fP - Security Enhanced Linux Policy 
++
++.SH DESCRIPTION
++
++SELinux supports Roles Based Access Control, some Linux roles are login roles, while other roles need to be transition to. 
++
++Note: The examples in the man page will user the staff_u user.
++
++Non login roles are usually used for administrative tasks.
++
++Roles usually have default types assigned to them. 
++
++The default type for the logadm_r role is logadm_t.
++
++You can use the 
++.B newrole 
++program to transition directly to this role.
++
++.B newrole -r logadm_r -t logadm_t
++
++.B sudo 
++can also be setup to transition to this role using the visudo command.
++
++USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL
++
++If you want to use a non login role, you need to make sure the SELinux user you are using can reach this role.
++
++You can see all of the assigned SELinux roles using the following
++
++.B semanage user -l
++
++If you wanted to add logadm_r to the staff_u user, you would execute:
++
++.B $ semanage user -m -R 'staff_r logadm_r' staff_u 
++
++
++
++SELinux policy also controls which roles can transition to a different role.  
++You can list these rules using the following command.
++
++.B sesearch --role_allow
++
++SELinux policy allows the staff_r role can transition to the logadm_r role.
++
++
++.SH "COMMANDS"
++
++.B semanage login
++can also be used to manipulate the Linux User to SELinux User mappings
++
++.B semanage user
++can also be used to manipulate SELinux user definitions.
++
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genuserman.py.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8).
+diff --git a/man/man8/logrotate_selinux.8 b/man/man8/logrotate_selinux.8
+new file mode 100644
+index 0000000..7f01fd7
+--- /dev/null
++++ b/man/man8/logrotate_selinux.8
+@@ -0,0 +1,113 @@
++.TH  "logrotate_selinux"  "8"  "logrotate" "dwalsh at redhat.com" "logrotate SELinux Policy documentation"
++.SH "NAME"
++logrotate_selinux \- Security Enhanced Linux Policy for the logrotate processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B logrotate
++(Rotate and archive system logs)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux logrotate policy is very flexible allowing users to setup their logrotate processes in as secure a method as possible.
++.PP 
++The following file types are defined for logrotate:
++
++
++.EX
++.PP
++.B logrotate_exec_t 
++.EE
++
++- Set files with the logrotate_exec_t type, if you want to transition an executable to the logrotate_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/logrotate, /etc/cron\.(daily|weekly)/sysklogd
++
++.EX
++.PP
++.B logrotate_lock_t 
++.EE
++
++- Set files with the logrotate_lock_t type, if you want to treat the files as logrotate lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B logrotate_mail_tmp_t 
++.EE
++
++- Set files with the logrotate_mail_tmp_t type, if you want to store logrotate mail temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B logrotate_tmp_t 
++.EE
++
++- Set files with the logrotate_tmp_t type, if you want to store logrotate temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B logrotate_var_lib_t 
++.EE
++
++- Set files with the logrotate_var_lib_t type, if you want to store the logrotate files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux logrotate policy is very flexible allowing users to setup their logrotate processes in as secure a method as possible.
++.PP 
++The following process types are defined for logrotate:
++
++.EX
++.B logrotate_t, logrotate_mail_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), logrotate(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/logwatch_selinux.8 b/man/man8/logwatch_selinux.8
+new file mode 100644
+index 0000000..a03fd51
+--- /dev/null
++++ b/man/man8/logwatch_selinux.8
+@@ -0,0 +1,125 @@
++.TH  "logwatch_selinux"  "8"  "logwatch" "dwalsh at redhat.com" "logwatch SELinux Policy documentation"
++.SH "NAME"
++logwatch_selinux \- Security Enhanced Linux Policy for the logwatch processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B logwatch
++(System log analyzer and reporter)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux logwatch policy is very flexible allowing users to setup their logwatch processes in as secure a method as possible.
++.PP 
++The following file types are defined for logwatch:
++
++
++.EX
++.PP
++.B logwatch_cache_t 
++.EE
++
++- Set files with the logwatch_cache_t type, if you want to store the files under the /var/cache directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/epylog(/.*)?, /var/cache/logwatch(/.*)?, /var/lib/logcheck(/.*)?
++
++.EX
++.PP
++.B logwatch_exec_t 
++.EE
++
++- Set files with the logwatch_exec_t type, if you want to transition an executable to the logwatch_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/logcheck, /usr/sbin/epylog, /usr/share/logwatch/scripts/logwatch\.pl
++
++.EX
++.PP
++.B logwatch_lock_t 
++.EE
++
++- Set files with the logwatch_lock_t type, if you want to treat the files as logwatch lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B logwatch_mail_tmp_t 
++.EE
++
++- Set files with the logwatch_mail_tmp_t type, if you want to store logwatch mail temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B logwatch_tmp_t 
++.EE
++
++- Set files with the logwatch_tmp_t type, if you want to store logwatch temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B logwatch_var_run_t 
++.EE
++
++- Set files with the logwatch_var_run_t type, if you want to store the logwatch files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux logwatch policy is very flexible allowing users to setup their logwatch processes in as secure a method as possible.
++.PP 
++The following process types are defined for logwatch:
++
++.EX
++.B logwatch_t, logwatch_mail_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), logwatch(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/lpd_selinux.8 b/man/man8/lpd_selinux.8
+new file mode 100644
+index 0000000..f69947a
+--- /dev/null
++++ b/man/man8/lpd_selinux.8
+@@ -0,0 +1,112 @@
++.TH  "lpd_selinux"  "8"  "lpd" "dwalsh at redhat.com" "lpd SELinux Policy documentation"
++.SH "NAME"
++lpd_selinux \- Security Enhanced Linux Policy for the lpd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B lpd
++(Line printer daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  lpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lpd with the tightest access possible.
++
++
++.PP
++If you want to use lpd server instead of cup, you must turn on the use_lpd_server boolean.
++
++.EX
++.B setsebool -P use_lpd_server 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux lpd policy is very flexible allowing users to setup their lpd processes in as secure a method as possible.
++.PP 
++The following file types are defined for lpd:
++
++
++.EX
++.PP
++.B lpd_exec_t 
++.EE
++
++- Set files with the lpd_exec_t type, if you want to transition an executable to the lpd_t domain.
++
++
++.EX
++.PP
++.B lpd_tmp_t 
++.EE
++
++- Set files with the lpd_tmp_t type, if you want to store lpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B lpd_var_run_t 
++.EE
++
++- Set files with the lpd_var_run_t type, if you want to store the lpd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/lprng(/.*)?, /var/spool/turboprint(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lpd policy is very flexible allowing users to setup their lpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for lpd:
++
++.EX
++.B lpd_t, lpr_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), lpd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/lpr_selinux.8 b/man/man8/lpr_selinux.8
+new file mode 100644
+index 0000000..90d47ef
+--- /dev/null
++++ b/man/man8/lpr_selinux.8
+@@ -0,0 +1,83 @@
++.TH  "lpr_selinux"  "8"  "lpr" "dwalsh at redhat.com" "lpr SELinux Policy documentation"
++.SH "NAME"
++lpr_selinux \- Security Enhanced Linux Policy for the lpr processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux lpr policy is very flexible allowing users to setup their lpr processes in as secure a method as possible.
++.PP 
++The following file types are defined for lpr:
++
++
++.EX
++.PP
++.B lpr_exec_t 
++.EE
++
++- Set files with the lpr_exec_t type, if you want to transition an executable to the lpr_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/accept, /usr/bin/cancel(\.cups)?, /usr/bin/lp(\.cups)?, /usr/bin/lpstat(\.cups)?, /usr/sbin/lpc(\.cups)?, /usr/local/linuxprinter/bin/l?lpr, /usr/bin/lpoptions, /usr/sbin/lpadmin, /usr/sbin/lpinfo, /opt/gutenprint/s?bin(/.*)?, /usr/bin/lpr(\.cups)?, /usr/bin/lpq(\.cups)?, /usr/sbin/lpmove, /usr/bin/lprm(\.cups)?
++
++.EX
++.PP
++.B lpr_tmp_t 
++.EE
++
++- Set files with the lpr_tmp_t type, if you want to store lpr temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lpr policy is very flexible allowing users to setup their lpr processes in as secure a method as possible.
++.PP 
++The following process types are defined for lpr:
++
++.EX
++.B lpr_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), lpr(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/lsassd_selinux.8 b/man/man8/lsassd_selinux.8
+new file mode 100644
+index 0000000..087cd7b
+--- /dev/null
++++ b/man/man8/lsassd_selinux.8
+@@ -0,0 +1,111 @@
++.TH  "lsassd_selinux"  "8"  "lsassd" "dwalsh at redhat.com" "lsassd SELinux Policy documentation"
++.SH "NAME"
++lsassd_selinux \- Security Enhanced Linux Policy for the lsassd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux lsassd policy is very flexible allowing users to setup their lsassd processes in as secure a method as possible.
++.PP 
++The following file types are defined for lsassd:
++
++
++.EX
++.PP
++.B lsassd_exec_t 
++.EE
++
++- Set files with the lsassd_exec_t type, if you want to transition an executable to the lsassd_t domain.
++
++
++.EX
++.PP
++.B lsassd_tmp_t 
++.EE
++
++- Set files with the lsassd_tmp_t type, if you want to store lsassd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B lsassd_var_lib_t 
++.EE
++
++- Set files with the lsassd_var_lib_t type, if you want to store the lsassd files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/likewise-open/krb5ccr_lsass, /var/lib/likewise-open/db/lsass-adstate\.filedb, /var/lib/likewise-open/lsasd\.err, /var/lib/likewise-open/db/lsass-adcache\.db, /var/lib/likewise-open/db/sam\.db
++
++.EX
++.PP
++.B lsassd_var_run_t 
++.EE
++
++- Set files with the lsassd_var_run_t type, if you want to store the lsassd files under the /run directory.
++
++
++.EX
++.PP
++.B lsassd_var_socket_t 
++.EE
++
++- Set files with the lsassd_var_socket_t type, if you want to treat the files as lsassd var socket data.
++
++.br
++.TP 5
++Paths: 
++/var/lib/likewise-open/rpc/lsass, /var/lib/likewise-open/\.lsassd, /var/lib/likewise-open/\.ntlmd
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lsassd policy is very flexible allowing users to setup their lsassd processes in as secure a method as possible.
++.PP 
++The following process types are defined for lsassd:
++
++.EX
++.B lsassd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), lsassd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/lvm_selinux.8 b/man/man8/lvm_selinux.8
+new file mode 100644
+index 0000000..20c9a41
+--- /dev/null
++++ b/man/man8/lvm_selinux.8
+@@ -0,0 +1,141 @@
++.TH  "lvm_selinux"  "8"  "lvm" "dwalsh at redhat.com" "lvm SELinux Policy documentation"
++.SH "NAME"
++lvm_selinux \- Security Enhanced Linux Policy for the lvm processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B lvm
++(Policy for logical volume management programs)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux lvm policy is very flexible allowing users to setup their lvm processes in as secure a method as possible.
++.PP 
++The following file types are defined for lvm:
++
++
++.EX
++.PP
++.B lvm_etc_t 
++.EE
++
++- Set files with the lvm_etc_t type, if you want to store lvm files in the /etc directories.
++
++
++.EX
++.PP
++.B lvm_exec_t 
++.EE
++
++- Set files with the lvm_exec_t type, if you want to transition an executable to the lvm_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/dmsetup, /usr/sbin/dmsetup, /usr/sbin/pvchange, /sbin/dmraid, /sbin/pvremove, /sbin/vgextend, /sbin/vgmerge, /sbin/vgscan\.static, /usr/sbin/pvdisplay, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /usr/sbin/vgremove, /usr/lib/lvm-10/.*, /sbin/pvs, /sbin/lvmdiskscan, /sbin/lvresize, /sbin/vgmknodes, /usr/sbin/lvdisplay, /usr/sbin/mount\.crypt, /usr/sbin/vgsplit, /usr/lib/systemd/systemd-cryptsetup, /sbin/pvmove, /sbin/multipath\.static, /usr/sbin/pvcreate, /usr/sbin/lvmdiskscan, /usr/sbin/vgcfgbackup, /usr/sbin/vgimport, /sbin/vgck, /sbin/pvscan, /usr/sbin/lvmchange, /sbin/lvreduce, /sbin/vgremove, /sbin/vgscan, /sbin/lvremove, /lib/lvm-200/.*, /usr/sbin/lvremove, /sbin/pvcreate, /usr/sbin/lvrename, /usr/sbin/lvmsadc, /usr/sbin/lvm, /usr/lib/lvm-200/.*, /usr/sbin/pvdata, /sbin/vgchange, /sbin/lvm\.static, /sbin/vgcfgbackup, /sbin/e2fsadm, /sbin/lvm, /sbin/pvdata, /usr/sbin/lvmiopversion, /usr/sbin/vgextend, /sbin/lvextend, /usr/lib/udev/udisks-lvm-pv-export, /sbin/
 vgcfgrestore, /usr/sbin/vgscan, /sbin/vgs, /sbin/lvmchange, /sbin/vgimport, /usr/sbin/lvscan, /usr/sbin/pvscan, /usr/sbin/vgreduce, /usr/sbin/dmsetup\.static, /usr/sbin/vgchange\.static, /usr/sbin/vgexport, /usr/sbin/lvextend, /usr/sbin/cryptsetup, /usr/sbin/dmraid, /usr/sbin/lvresize, /sbin/dmsetup\.static, /sbin/lvmsar, /usr/sbin/vgs, /usr/sbin/vgrename, /usr/sbin/lvs, /sbin/vgchange\.static, /usr/sbin/pvmove, /sbin/lvmsadc, /usr/sbin/vgmknodes, /sbin/lvmiopversion, /usr/sbin/vgscan\.static, /sbin/pvdisplay, /sbin/vgsplit, /usr/sbin/vgcfgrestore, /usr/sbin/kpartx, /sbin/cryptsetup, /usr/sbin/lvcreate, /lib/udev/udisks-lvm-pv-export, /sbin/vgwrapper, /sbin/lvchange, /sbin/pvchange, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/mount\.crypt, /sbin/vgcreate, /sbin/vgreduce, /usr/sbin/lvreduce, /usr/sbin/vgwrapper, /sbin/lvrename, /lib/systemd/systemd-cryptsetup, /sbin/multipathd, /usr/sbin/vgcreate, /usr/sbin/vgmerge, /sbin/vgexport, /usr/sbin/lvchange, /sbin/lvs, /usr/s
 bin/lvmsar, /usr/sbin/multipath\.static, /usr/sbin/vgdisplay, /usr/sbin/vgchange, /sbin/kpartx, /usr/sbin/pvs, /lib/lvm-10/.*, /sbin/lvscan, /sbin/lvcreate, /sbin/vgdisplay, /usr/sbin/pvremove, /usr/sbin/e2fsadm
++
++.EX
++.PP
++.B lvm_lock_t 
++.EE
++
++- Set files with the lvm_lock_t type, if you want to treat the files as lvm lock data, stored under the /var/lock directory
++
++.br
++.TP 5
++Paths: 
++/var/lock/lvm(/.*)?, /etc/lvm/lock(/.*)?
++
++.EX
++.PP
++.B lvm_metadata_t 
++.EE
++
++- Set files with the lvm_metadata_t type, if you want to treat the files as lvm metadata data.
++
++.br
++.TP 5
++Paths: 
++/etc/lvm/backup(/.*)?, /var/cache/multipathd(/.*)?, /etc/lvmtab\.d(/.*)?, /etc/lvmtab(/.*)?, /etc/lvm/\.cache, /etc/lvm/archive(/.*)?, /etc/lvm/cache(/.*)?
++
++.EX
++.PP
++.B lvm_tmp_t 
++.EE
++
++- Set files with the lvm_tmp_t type, if you want to store lvm temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B lvm_var_lib_t 
++.EE
++
++- Set files with the lvm_var_lib_t type, if you want to store the lvm files under the /var/lib directory.
++
++
++.EX
++.PP
++.B lvm_var_run_t 
++.EE
++
++- Set files with the lvm_var_run_t type, if you want to store the lvm files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/lvm(/.*)?, /var/run/multipathd\.sock, /var/run/dmevent.*
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lvm policy is very flexible allowing users to setup their lvm processes in as secure a method as possible.
++.PP 
++The following process types are defined for lvm:
++
++.EX
++.B lvm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), lvm(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/lwiod_selinux.8 b/man/man8/lwiod_selinux.8
+new file mode 100644
+index 0000000..39b80fc
+--- /dev/null
++++ b/man/man8/lwiod_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "lwiod_selinux"  "8"  "lwiod" "dwalsh at redhat.com" "lwiod SELinux Policy documentation"
++.SH "NAME"
++lwiod_selinux \- Security Enhanced Linux Policy for the lwiod processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux lwiod policy is very flexible allowing users to setup their lwiod processes in as secure a method as possible.
++.PP 
++The following file types are defined for lwiod:
++
++
++.EX
++.PP
++.B lwiod_exec_t 
++.EE
++
++- Set files with the lwiod_exec_t type, if you want to transition an executable to the lwiod_t domain.
++
++
++.EX
++.PP
++.B lwiod_var_lib_t 
++.EE
++
++- Set files with the lwiod_var_lib_t type, if you want to store the lwiod files under the /var/lib directory.
++
++
++.EX
++.PP
++.B lwiod_var_run_t 
++.EE
++
++- Set files with the lwiod_var_run_t type, if you want to store the lwiod files under the /run directory.
++
++
++.EX
++.PP
++.B lwiod_var_socket_t 
++.EE
++
++- Set files with the lwiod_var_socket_t type, if you want to treat the files as lwiod var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lwiod policy is very flexible allowing users to setup their lwiod processes in as secure a method as possible.
++.PP 
++The following process types are defined for lwiod:
++
++.EX
++.B lwiod_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), lwiod(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/lwregd_selinux.8 b/man/man8/lwregd_selinux.8
+new file mode 100644
+index 0000000..e954cd1
+--- /dev/null
++++ b/man/man8/lwregd_selinux.8
+@@ -0,0 +1,99 @@
++.TH  "lwregd_selinux"  "8"  "lwregd" "dwalsh at redhat.com" "lwregd SELinux Policy documentation"
++.SH "NAME"
++lwregd_selinux \- Security Enhanced Linux Policy for the lwregd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux lwregd policy is very flexible allowing users to setup their lwregd processes in as secure a method as possible.
++.PP 
++The following file types are defined for lwregd:
++
++
++.EX
++.PP
++.B lwregd_exec_t 
++.EE
++
++- Set files with the lwregd_exec_t type, if you want to transition an executable to the lwregd_t domain.
++
++
++.EX
++.PP
++.B lwregd_var_lib_t 
++.EE
++
++- Set files with the lwregd_var_lib_t type, if you want to store the lwregd files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/likewise-open/db/registry\.db, /var/lib/likewise-open/regsd\.err
++
++.EX
++.PP
++.B lwregd_var_run_t 
++.EE
++
++- Set files with the lwregd_var_run_t type, if you want to store the lwregd files under the /run directory.
++
++
++.EX
++.PP
++.B lwregd_var_socket_t 
++.EE
++
++- Set files with the lwregd_var_socket_t type, if you want to treat the files as lwregd var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lwregd policy is very flexible allowing users to setup their lwregd processes in as secure a method as possible.
++.PP 
++The following process types are defined for lwregd:
++
++.EX
++.B lwregd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), lwregd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/lwsmd_selinux.8 b/man/man8/lwsmd_selinux.8
+new file mode 100644
+index 0000000..96c1b69
+--- /dev/null
++++ b/man/man8/lwsmd_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "lwsmd_selinux"  "8"  "lwsmd" "dwalsh at redhat.com" "lwsmd SELinux Policy documentation"
++.SH "NAME"
++lwsmd_selinux \- Security Enhanced Linux Policy for the lwsmd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux lwsmd policy is very flexible allowing users to setup their lwsmd processes in as secure a method as possible.
++.PP 
++The following file types are defined for lwsmd:
++
++
++.EX
++.PP
++.B lwsmd_exec_t 
++.EE
++
++- Set files with the lwsmd_exec_t type, if you want to transition an executable to the lwsmd_t domain.
++
++
++.EX
++.PP
++.B lwsmd_var_lib_t 
++.EE
++
++- Set files with the lwsmd_var_lib_t type, if you want to store the lwsmd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B lwsmd_var_run_t 
++.EE
++
++- Set files with the lwsmd_var_run_t type, if you want to store the lwsmd files under the /run directory.
++
++
++.EX
++.PP
++.B lwsmd_var_socket_t 
++.EE
++
++- Set files with the lwsmd_var_socket_t type, if you want to treat the files as lwsmd var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lwsmd policy is very flexible allowing users to setup their lwsmd processes in as secure a method as possible.
++.PP 
++The following process types are defined for lwsmd:
++
++.EX
++.B lwsmd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), lwsmd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/mail_selinux.8 b/man/man8/mail_selinux.8
+new file mode 100644
+index 0000000..bd12996
+--- /dev/null
++++ b/man/man8/mail_selinux.8
+@@ -0,0 +1,277 @@
++.TH  "mail_selinux"  "8"  "mail" "dwalsh at redhat.com" "mail SELinux Policy documentation"
++.SH "NAME"
++mail_selinux \- Security Enhanced Linux Policy for the mail processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  mail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mail with the tightest access possible.
++
++
++.PP
++If you want to allow postfix_local domain full write access to mail_spool directorie, you must turn on the allow_postfix_local_write_mail_spool boolean.
++
++.EX
++.B setsebool -P allow_postfix_local_write_mail_spool 1
++.EE
++
++.PP
++If you want to allow http daemon to send mai, you must turn on the httpd_can_sendmail boolean.
++
++.EX
++.B setsebool -P httpd_can_sendmail 1
++.EE
++
++.PP
++If you want to allow syslogd daemon to send mai, you must turn on the logging_syslogd_can_sendmail boolean.
++
++.EX
++.B setsebool -P logging_syslogd_can_sendmail 1
++.EE
++
++.PP
++If you want to allow gitisis daemon to send mai, you must turn on the gitosis_can_sendmail boolean.
++
++.EX
++.B setsebool -P gitosis_can_sendmail 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mail policy is very flexible allowing users to setup their mail processes in as secure a method as possible.
++.PP 
++The following file types are defined for mail:
++
++
++.EX
++.PP
++.B mail_home_rw_t 
++.EE
++
++- Set files with the mail_home_rw_t type, if you want to treat the files as mail home read/write content.
++
++
++.EX
++.PP
++.B mail_home_t 
++.EE
++
++- Set files with the mail_home_t type, if you want to store mail files in the users home directory.
++
++.br
++.TP 5
++Paths: 
++/root/\.forward, /root/.mailrc, /root/dead.letter
++
++.EX
++.PP
++.B mail_munin_plugin_exec_t 
++.EE
++
++- Set files with the mail_munin_plugin_exec_t type, if you want to transition an executable to the mail_munin_plugin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/share/munin/plugins/postfix_mail.*, /usr/share/munin/plugins/mailscanner, /usr/share/munin/plugins/courier_mta_.*, /usr/share/munin/plugins/mailman, /usr/share/munin/plugins/exim_mail.*, /usr/share/munin/plugins/qmail.*, /usr/share/munin/plugins/sendmail_.*
++
++.EX
++.PP
++.B mail_munin_plugin_tmp_t 
++.EE
++
++- Set files with the mail_munin_plugin_tmp_t type, if you want to store mail munin plugin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mail_spool_t 
++.EE
++
++- Set files with the mail_spool_t type, if you want to store the mail files under the /var/spool directory.
++
++.br
++.TP 5
++Paths: 
++/var/mail(/.*)?, /var/spool/imap(/.*)?, /var/spool/mail(/.*)?
++
++.EX
++.PP
++.B mailman_archive_t 
++.EE
++
++- Set files with the mailman_archive_t type, if you want to treat the files as mailman archive data.
++
++
++.EX
++.PP
++.B mailman_cgi_exec_t 
++.EE
++
++- Set files with the mailman_cgi_exec_t type, if you want to transition an executable to the mailman_cgi_t domain.
++
++
++.EX
++.PP
++.B mailman_cgi_tmp_t 
++.EE
++
++- Set files with the mailman_cgi_tmp_t type, if you want to store mailman cgi temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mailman_data_t 
++.EE
++
++- Set files with the mailman_data_t type, if you want to treat the files as mailman content.
++
++.br
++.TP 5
++Paths: 
++/etc/mailman.*, /var/spool/mailman.*, /var/lib/mailman.*
++
++.EX
++.PP
++.B mailman_lock_t 
++.EE
++
++- Set files with the mailman_lock_t type, if you want to treat the files as mailman lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B mailman_log_t 
++.EE
++
++- Set files with the mailman_log_t type, if you want to treat the data as mailman log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B mailman_mail_exec_t 
++.EE
++
++- Set files with the mailman_mail_exec_t type, if you want to transition an executable to the mailman_mail_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/mailman.*/mail/mailman, /usr/lib/mailman.*/bin/mm-handler.*, /usr/share/doc/mailman.*/mm-handler.*, /usr/lib/mailman.*/bin/mailmanctl, /usr/lib/mailman.*/scripts/mailman
++
++.EX
++.PP
++.B mailman_mail_tmp_t 
++.EE
++
++- Set files with the mailman_mail_tmp_t type, if you want to store mailman mail temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mailman_queue_exec_t 
++.EE
++
++- Set files with the mailman_queue_exec_t type, if you want to transition an executable to the mailman_queue_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/mailman.*/cron/.*, /usr/lib/mailman.*/bin/qrunner
++
++.EX
++.PP
++.B mailman_queue_tmp_t 
++.EE
++
++- Set files with the mailman_queue_tmp_t type, if you want to store mailman queue temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mailman_var_run_t 
++.EE
++
++- Set files with the mailman_var_run_t type, if you want to store the mailman files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux mail policy is very flexible allowing users to setup their mail processes in as secure a method as possible.
++.PP 
++The following port types are defined for mail:
++
++.EX
++.TP 5
++.B mail_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mail policy is very flexible allowing users to setup their mail processes in as secure a method as possible.
++.PP 
++The following process types are defined for mail:
++
++.EX
++.B mailman_cgi_t, mailman_mail_t, mail_munin_plugin_t, mailman_queue_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mail(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/mailman_selinux.8 b/man/man8/mailman_selinux.8
+new file mode 100644
+index 0000000..2cc348b
+--- /dev/null
++++ b/man/man8/mailman_selinux.8
+@@ -0,0 +1,169 @@
++.TH  "mailman_selinux"  "8"  "mailman" "dwalsh at redhat.com" "mailman SELinux Policy documentation"
++.SH "NAME"
++mailman_selinux \- Security Enhanced Linux Policy for the mailman processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B mailman
++(Mailman is for managing electronic mail discussion and e-newsletter lists)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mailman policy is very flexible allowing users to setup their mailman processes in as secure a method as possible.
++.PP 
++The following file types are defined for mailman:
++
++
++.EX
++.PP
++.B mailman_archive_t 
++.EE
++
++- Set files with the mailman_archive_t type, if you want to treat the files as mailman archive data.
++
++
++.EX
++.PP
++.B mailman_cgi_exec_t 
++.EE
++
++- Set files with the mailman_cgi_exec_t type, if you want to transition an executable to the mailman_cgi_t domain.
++
++
++.EX
++.PP
++.B mailman_cgi_tmp_t 
++.EE
++
++- Set files with the mailman_cgi_tmp_t type, if you want to store mailman cgi temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mailman_data_t 
++.EE
++
++- Set files with the mailman_data_t type, if you want to treat the files as mailman content.
++
++.br
++.TP 5
++Paths: 
++/etc/mailman.*, /var/spool/mailman.*, /var/lib/mailman.*
++
++.EX
++.PP
++.B mailman_lock_t 
++.EE
++
++- Set files with the mailman_lock_t type, if you want to treat the files as mailman lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B mailman_log_t 
++.EE
++
++- Set files with the mailman_log_t type, if you want to treat the data as mailman log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B mailman_mail_exec_t 
++.EE
++
++- Set files with the mailman_mail_exec_t type, if you want to transition an executable to the mailman_mail_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/mailman.*/mail/mailman, /usr/lib/mailman.*/bin/mm-handler.*, /usr/share/doc/mailman.*/mm-handler.*, /usr/lib/mailman.*/bin/mailmanctl, /usr/lib/mailman.*/scripts/mailman
++
++.EX
++.PP
++.B mailman_mail_tmp_t 
++.EE
++
++- Set files with the mailman_mail_tmp_t type, if you want to store mailman mail temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mailman_queue_exec_t 
++.EE
++
++- Set files with the mailman_queue_exec_t type, if you want to transition an executable to the mailman_queue_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/mailman.*/cron/.*, /usr/lib/mailman.*/bin/qrunner
++
++.EX
++.PP
++.B mailman_queue_tmp_t 
++.EE
++
++- Set files with the mailman_queue_tmp_t type, if you want to store mailman queue temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mailman_var_run_t 
++.EE
++
++- Set files with the mailman_var_run_t type, if you want to store the mailman files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mailman policy is very flexible allowing users to setup their mailman processes in as secure a method as possible.
++.PP 
++The following process types are defined for mailman:
++
++.EX
++.B mailman_cgi_t, mailman_mail_t, mailman_queue_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mailman(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/matahari_selinux.8 b/man/man8/matahari_selinux.8
+new file mode 100644
+index 0000000..6cbe09a
+--- /dev/null
++++ b/man/man8/matahari_selinux.8
+@@ -0,0 +1,243 @@
++.TH  "matahari_selinux"  "8"  "matahari" "dwalsh at redhat.com" "matahari SELinux Policy documentation"
++.SH "NAME"
++matahari_selinux \- Security Enhanced Linux Policy for the matahari processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B matahari
++(policy for matahari)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux matahari policy is very flexible allowing users to setup their matahari processes in as secure a method as possible.
++.PP 
++The following file types are defined for matahari:
++
++
++.EX
++.PP
++.B matahari_hostd_exec_t 
++.EE
++
++- Set files with the matahari_hostd_exec_t type, if you want to transition an executable to the matahari_hostd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/matahari-qmf-hostd, /usr/sbin/matahari-hostd, /usr/sbin/matahari-dbus-hostd
++
++.EX
++.PP
++.B matahari_hostd_unit_file_t 
++.EE
++
++- Set files with the matahari_hostd_unit_file_t type, if you want to treat the files as matahari hostd unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/matahari-host\.service, /lib/systemd/system/matahari-host\.service
++
++.EX
++.PP
++.B matahari_initrc_exec_t 
++.EE
++
++- Set files with the matahari_initrc_exec_t type, if you want to transition an executable to the matahari_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/matahari-sysconfig, /etc/rc\.d/init\.d/matahari-host, /etc/rc\.d/init\.d/matahari-service, /etc/init.d/matahari-sysconfig-console, /etc/rc\.d/init\.d/matahari-net
++
++.EX
++.PP
++.B matahari_netd_exec_t 
++.EE
++
++- Set files with the matahari_netd_exec_t type, if you want to transition an executable to the matahari_netd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/matahari-qmf-networkd, /usr/sbin/matahari-dbus-networkd, /usr/sbin/matahari-netd
++
++.EX
++.PP
++.B matahari_netd_unit_file_t 
++.EE
++
++- Set files with the matahari_netd_unit_file_t type, if you want to treat the files as matahari netd unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/matahari-network\.service, /lib/systemd/system/matahari-network\.service
++
++.EX
++.PP
++.B matahari_rpcd_exec_t 
++.EE
++
++- Set files with the matahari_rpcd_exec_t type, if you want to transition an executable to the matahari_rpcd_t domain.
++
++
++.EX
++.PP
++.B matahari_rpcd_unit_file_t 
++.EE
++
++- Set files with the matahari_rpcd_unit_file_t type, if you want to treat the files as matahari rpcd unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/matahari-rpc.service, /lib/systemd/system/matahari-rpc.service
++
++.EX
++.PP
++.B matahari_serviced_exec_t 
++.EE
++
++- Set files with the matahari_serviced_exec_t type, if you want to transition an executable to the matahari_serviced_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/matahari-serviced, /usr/sbin/matahari-dbus-serviced, /usr/sbin/matahari-qmf-serviced
++
++.EX
++.PP
++.B matahari_serviced_unit_file_t 
++.EE
++
++- Set files with the matahari_serviced_unit_file_t type, if you want to treat the files as matahari serviced unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/matahari-service\.service, /lib/systemd/system/matahari-service\.service
++
++.EX
++.PP
++.B matahari_sysconfigd_exec_t 
++.EE
++
++- Set files with the matahari_sysconfigd_exec_t type, if you want to transition an executable to the matahari_sysconfigd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/matahari-qmf-sysconfigd, /usr/sbin/matahari-qmf-sysconfig-consoled
++
++.EX
++.PP
++.B matahari_sysconfigd_unit_file_t 
++.EE
++
++- Set files with the matahari_sysconfigd_unit_file_t type, if you want to treat the files as matahari sysconfigd unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/matahari-sysconfig-console\.service, /lib/systemd/system/matahari-sysconfig\.service, /usr/lib/systemd/system/matahari-sysconfig\.service, /lib/systemd/system/matahari-sysconfig-console\.service
++
++.EX
++.PP
++.B matahari_var_lib_t 
++.EE
++
++- Set files with the matahari_var_lib_t type, if you want to store the matahari files under the /var/lib directory.
++
++
++.EX
++.PP
++.B matahari_var_run_t 
++.EE
++
++- Set files with the matahari_var_run_t type, if you want to store the matahari files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/matahari(/.*)?, /var/run/matahari\.pid, /var/run/matahari-broker\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux matahari policy is very flexible allowing users to setup their matahari processes in as secure a method as possible.
++.PP 
++The following port types are defined for matahari:
++
++.EX
++.TP 5
++.B matahari_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux matahari policy is very flexible allowing users to setup their matahari processes in as secure a method as possible.
++.PP 
++The following process types are defined for matahari:
++
++.EX
++.B matahari_serviced_t, matahari_sysconfigd_t, matahari_hostd_t, matahari_netd_t, matahari_rpcd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), matahari(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/mcelog_selinux.8 b/man/man8/mcelog_selinux.8
+new file mode 100644
+index 0000000..7292383
+--- /dev/null
++++ b/man/man8/mcelog_selinux.8
+@@ -0,0 +1,93 @@
++.TH  "mcelog_selinux"  "8"  "mcelog" "dwalsh at redhat.com" "mcelog SELinux Policy documentation"
++.SH "NAME"
++mcelog_selinux \- Security Enhanced Linux Policy for the mcelog processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B mcelog
++(policy for mcelog)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mcelog policy is very flexible allowing users to setup their mcelog processes in as secure a method as possible.
++.PP 
++The following file types are defined for mcelog:
++
++
++.EX
++.PP
++.B mcelog_exec_t 
++.EE
++
++- Set files with the mcelog_exec_t type, if you want to transition an executable to the mcelog_t domain.
++
++
++.EX
++.PP
++.B mcelog_log_t 
++.EE
++
++- Set files with the mcelog_log_t type, if you want to treat the data as mcelog log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B mcelog_var_run_t 
++.EE
++
++- Set files with the mcelog_var_run_t type, if you want to store the mcelog files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mcelog policy is very flexible allowing users to setup their mcelog processes in as secure a method as possible.
++.PP 
++The following process types are defined for mcelog:
++
++.EX
++.B mcelog_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mcelog(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/mdadm_selinux.8 b/man/man8/mdadm_selinux.8
+new file mode 100644
+index 0000000..ab79be5
+--- /dev/null
++++ b/man/man8/mdadm_selinux.8
+@@ -0,0 +1,87 @@
++.TH  "mdadm_selinux"  "8"  "mdadm" "dwalsh at redhat.com" "mdadm SELinux Policy documentation"
++.SH "NAME"
++mdadm_selinux \- Security Enhanced Linux Policy for the mdadm processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mdadm policy is very flexible allowing users to setup their mdadm processes in as secure a method as possible.
++.PP 
++The following file types are defined for mdadm:
++
++
++.EX
++.PP
++.B mdadm_exec_t 
++.EE
++
++- Set files with the mdadm_exec_t type, if you want to transition an executable to the mdadm_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/raid-check, /sbin/mdmpd, /usr/sbin/iprinit, /usr/sbin/mdadm, /usr/sbin/iprupdate, /sbin/mdadm, /usr/sbin/mdmpd, /usr/sbin/iprdump
++
++.EX
++.PP
++.B mdadm_var_run_t 
++.EE
++
++- Set files with the mdadm_var_run_t type, if you want to store the mdadm files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/mdadm(/.*)?, /dev/md/.*, /dev/.mdadm\.map
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mdadm policy is very flexible allowing users to setup their mdadm processes in as secure a method as possible.
++.PP 
++The following process types are defined for mdadm:
++
++.EX
++.B mdadm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mdadm(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/memcached_selinux.8 b/man/man8/memcached_selinux.8
+new file mode 100644
+index 0000000..62d286c
+--- /dev/null
++++ b/man/man8/memcached_selinux.8
+@@ -0,0 +1,138 @@
++.TH  "memcached_selinux"  "8"  "memcached" "dwalsh at redhat.com" "memcached SELinux Policy documentation"
++.SH "NAME"
++memcached_selinux \- Security Enhanced Linux Policy for the memcached processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B memcached
++(high-performance memory object caching system)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  memcached policy is extremely flexible and has several booleans that allow you to manipulate the policy and run memcached with the tightest access possible.
++
++
++.PP
++If you want to allow httpd to connect to memcache serve, you must turn on the httpd_can_network_memcache boolean.
++
++.EX
++.B setsebool -P httpd_can_network_memcache 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux memcached policy is very flexible allowing users to setup their memcached processes in as secure a method as possible.
++.PP 
++The following file types are defined for memcached:
++
++
++.EX
++.PP
++.B memcached_exec_t 
++.EE
++
++- Set files with the memcached_exec_t type, if you want to transition an executable to the memcached_t domain.
++
++
++.EX
++.PP
++.B memcached_initrc_exec_t 
++.EE
++
++- Set files with the memcached_initrc_exec_t type, if you want to transition an executable to the memcached_initrc_t domain.
++
++
++.EX
++.PP
++.B memcached_var_run_t 
++.EE
++
++- Set files with the memcached_var_run_t type, if you want to store the memcached files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/ipa_memcached(/.*)?, /var/run/memcached(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux memcached policy is very flexible allowing users to setup their memcached processes in as secure a method as possible.
++.PP 
++The following port types are defined for memcached:
++
++.EX
++.TP 5
++.B memcache_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux memcached policy is very flexible allowing users to setup their memcached processes in as secure a method as possible.
++.PP 
++The following process types are defined for memcached:
++
++.EX
++.B memcached_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), memcached(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
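Review bot: The PORT TYPES section of memcached_selinux.8 gives `tcp 8021` as the default port for `memcache_port_t`, and mongod_selinux.8 later in this patch gives the same `tcp 8021` for `mongod_port_t`. Two unrelated port types sharing one value suggests the generator is printing a stale or mismatched entry rather than each type's own ports. An administrator who labels or filters ports from these pages could act on the wrong port, so the value should be checked against `semanage port -l` before the pages ship. The same block also emits `.EE` twice around an empty `.TP 10`, which leaves the "Default Defined Ports" lines outside the example block. The fix presumably belongs in genman.py, which is not shown here.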
+diff --git a/man/man8/mencoder_selinux.8 b/man/man8/mencoder_selinux.8
+new file mode 100644
+index 0000000..aa093ee
+--- /dev/null
++++ b/man/man8/mencoder_selinux.8
+@@ -0,0 +1,71 @@
++.TH  "mencoder_selinux"  "8"  "mencoder" "dwalsh at redhat.com" "mencoder SELinux Policy documentation"
++.SH "NAME"
++mencoder_selinux \- Security Enhanced Linux Policy for the mencoder processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mencoder policy is very flexible allowing users to setup their mencoder processes in as secure a method as possible.
++.PP 
++The following file types are defined for mencoder:
++
++
++.EX
++.PP
++.B mencoder_exec_t 
++.EE
++
++- Set files with the mencoder_exec_t type, if you want to transition an executable to the mencoder_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mencoder policy is very flexible allowing users to setup their mencoder processes in as secure a method as possible.
++.PP 
++The following process types are defined for mencoder:
++
++.EX
++.B mencoder_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mencoder(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/mock_selinux.8 b/man/man8/mock_selinux.8
+new file mode 100644
+index 0000000..e7cc7e3
+--- /dev/null
++++ b/man/man8/mock_selinux.8
+@@ -0,0 +1,132 @@
++.TH  "mock_selinux"  "8"  "mock" "dwalsh at redhat.com" "mock SELinux Policy documentation"
++.SH "NAME"
++mock_selinux \- Security Enhanced Linux Policy for the mock processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B mock
++(policy for mock)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  mock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mock with the tightest access possible.
++
++
++.PP
++If you want to allow mock to read files in home directories, you must turn on the mock_enable_homedirs boolean.
++
++.EX
++.B setsebool -P mock_enable_homedirs 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mock policy is very flexible allowing users to setup their mock processes in as secure a method as possible.
++.PP 
++The following file types are defined for mock:
++
++
++.EX
++.PP
++.B mock_build_exec_t 
++.EE
++
++- Set files with the mock_build_exec_t type, if you want to transition an executable to the mock_build_t domain.
++
++
++.EX
++.PP
++.B mock_cache_t 
++.EE
++
++- Set files with the mock_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B mock_etc_t 
++.EE
++
++- Set files with the mock_etc_t type, if you want to store mock files in the /etc directories.
++
++
++.EX
++.PP
++.B mock_exec_t 
++.EE
++
++- Set files with the mock_exec_t type, if you want to transition an executable to the mock_t domain.
++
++
++.EX
++.PP
++.B mock_tmp_t 
++.EE
++
++- Set files with the mock_tmp_t type, if you want to store mock temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mock_var_lib_t 
++.EE
++
++- Set files with the mock_var_lib_t type, if you want to store the mock files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mock policy is very flexible allowing users to setup their mock processes in as secure a method as possible.
++.PP 
++The following process types are defined for mock:
++
++.EX
++.B mock_t, mock_build_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mock(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/modemmanager_selinux.8 b/man/man8/modemmanager_selinux.8
+new file mode 100644
+index 0000000..3772dfe
+--- /dev/null
++++ b/man/man8/modemmanager_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "modemmanager_selinux"  "8"  "modemmanager" "dwalsh at redhat.com" "modemmanager SELinux Policy documentation"
++.SH "NAME"
++modemmanager_selinux \- Security Enhanced Linux Policy for the modemmanager processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B modemmanager
++(Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux modemmanager policy is very flexible allowing users to setup their modemmanager processes in as secure a method as possible.
++.PP 
++The following file types are defined for modemmanager:
++
++
++.EX
++.PP
++.B modemmanager_exec_t 
++.EE
++
++- Set files with the modemmanager_exec_t type, if you want to transition an executable to the modemmanager_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux modemmanager policy is very flexible allowing users to setup their modemmanager processes in as secure a method as possible.
++.PP 
++The following process types are defined for modemmanager:
++
++.EX
++.B modemmanager_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), modemmanager(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/mongod_selinux.8 b/man/man8/mongod_selinux.8
+new file mode 100644
+index 0000000..7282fb2
+--- /dev/null
++++ b/man/man8/mongod_selinux.8
+@@ -0,0 +1,145 @@
++.TH  "mongod_selinux"  "8"  "mongod" "dwalsh at redhat.com" "mongod SELinux Policy documentation"
++.SH "NAME"
++mongod_selinux \- Security Enhanced Linux Policy for the mongod processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mongod policy is very flexible allowing users to setup their mongod processes in as secure a method as possible.
++.PP 
++The following file types are defined for mongod:
++
++
++.EX
++.PP
++.B mongod_exec_t 
++.EE
++
++- Set files with the mongod_exec_t type, if you want to transition an executable to the mongod_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/mongod, /usr/share/aeolus-conductor/dbomatic/dbomatic
++
++.EX
++.PP
++.B mongod_initrc_exec_t 
++.EE
++
++- Set files with the mongod_initrc_exec_t type, if you want to transition an executable to the mongod_initrc_t domain.
++
++
++.EX
++.PP
++.B mongod_log_t 
++.EE
++
++- Set files with the mongod_log_t type, if you want to treat the data as mongod log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B mongod_tmp_t 
++.EE
++
++- Set files with the mongod_tmp_t type, if you want to store mongod temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mongod_var_lib_t 
++.EE
++
++- Set files with the mongod_var_lib_t type, if you want to store the mongod files under the /var/lib directory.
++
++
++.EX
++.PP
++.B mongod_var_run_t 
++.EE
++
++- Set files with the mongod_var_run_t type, if you want to store the mongod files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/mongodb(/.*)?, /var/run/aeolus/dbomatic\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux mongod policy is very flexible allowing users to setup their mongod processes in as secure a method as possible.
++.PP 
++The following port types are defined for mongod:
++
++.EX
++.TP 5
++.B mongod_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mongod policy is very flexible allowing users to setup their mongod processes in as secure a method as possible.
++.PP 
++The following process types are defined for mongod:
++
++.EX
++.B mongod_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mongod(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/mount_selinux.8 b/man/man8/mount_selinux.8
+new file mode 100644
+index 0000000..9744fa7
+--- /dev/null
++++ b/man/man8/mount_selinux.8
+@@ -0,0 +1,131 @@
++.TH  "mount_selinux"  "8"  "mount" "dwalsh at redhat.com" "mount SELinux Policy documentation"
++.SH "NAME"
++mount_selinux \- Security Enhanced Linux Policy for the mount processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B mount
++(Policy for mount)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  mount policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mount with the tightest access possible.
++
++
++.PP
++If you want to allow the mount command to mount any directory or file, you must turn on the allow_mount_anyfile boolean.
++
++.EX
++.B setsebool -P allow_mount_anyfile 1
++.EE
++
++.PP
++If you want to allow xguest users to mount removable medi, you must turn on the xguest_mount_media boolean.
++
++.EX
++.B setsebool -P xguest_mount_media 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mount policy is very flexible allowing users to setup their mount processes in as secure a method as possible.
++.PP 
++The following file types are defined for mount:
++
++
++.EX
++.PP
++.B mount_exec_t 
++.EE
++
++- Set files with the mount_exec_t type, if you want to transition an executable to the mount_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/mount.*, /sbin/umount.*, /usr/bin/umount.*, /usr/sbin/umount.*, /bin/umount.*, /usr/bin/mount.*, /bin/mount.*, /usr/sbin/mount.*
++
++.EX
++.PP
++.B mount_loopback_t 
++.EE
++
++- Set files with the mount_loopback_t type, if you want to treat the files as mount loopback data.
++
++
++.EX
++.PP
++.B mount_tmp_t 
++.EE
++
++- Set files with the mount_tmp_t type, if you want to store mount temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mount_var_run_t 
++.EE
++
++- Set files with the mount_var_run_t type, if you want to store the mount files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/run/mount(/.*)?, /dev/\.mount(/.*)?, /var/run/mount(/.*)?, /var/run/davfs2(/.*)?, /var/cache/davfs2(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mount policy is very flexible allowing users to setup their mount processes in as secure a method as possible.
++.PP 
++The following process types are defined for mount:
++
++.EX
++.B mount_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mount(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/mozilla_selinux.8 b/man/man8/mozilla_selinux.8
+new file mode 100644
+index 0000000..2b94a8b
+--- /dev/null
++++ b/man/man8/mozilla_selinux.8
+@@ -0,0 +1,179 @@
++.TH  "mozilla_selinux"  "8"  "mozilla" "dwalsh at redhat.com" "mozilla SELinux Policy documentation"
++.SH "NAME"
++mozilla_selinux \- Security Enhanced Linux Policy for the mozilla processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B mozilla
++(Policy for Mozilla and related web browsers)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  mozilla policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla with the tightest access possible.
++
++
++.PP
++If you want to allow confined web browsers to read home directory conten, you must turn on the mozilla_read_content boolean.
++
++.EX
++.B setsebool -P mozilla_read_content 1
++.EE
++
++.PP
++If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
++
++.EX
++.B setsebool -P unconfined_mozilla_plugin_transition 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mozilla policy is very flexible allowing users to setup their mozilla processes in as secure a method as possible.
++.PP 
++The following file types are defined for mozilla:
++
++
++.EX
++.PP
++.B mozilla_conf_t 
++.EE
++
++- Set files with the mozilla_conf_t type, if you want to treat the files as mozilla configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B mozilla_exec_t 
++.EE
++
++- Set files with the mozilla_exec_t type, if you want to transition an executable to the mozilla_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/[^/]*firefox[^/]*/firefox, /usr/lib/galeon/galeon, /usr/lib/netscape/.+/communicator/communicator-smotif\.real, /usr/bin/netscape, /usr/bin/mozilla-bin-[0-9].*, /usr/bin/epiphany-bin, /usr/lib/mozilla[^/]*/reg.+, /usr/lib/netscape/base-4/wrapper, /usr/bin/mozilla-snapshot, /usr/lib/[^/]*firefox[^/]*/firefox-bin, /usr/bin/mozilla-[0-9].*, /usr/lib/firefox[^/]*/mozilla-.*, /usr/lib/mozilla[^/]*/mozilla-.*, /usr/bin/mozilla, /usr/bin/epiphany
++
++.EX
++.PP
++.B mozilla_home_t 
++.EE
++
++- Set files with the mozilla_home_t type, if you want to store mozilla files in the users home directory.
++
++
++.EX
++.PP
++.B mozilla_plugin_config_exec_t 
++.EE
++
++- Set files with the mozilla_plugin_config_exec_t type, if you want to transition an executable to the mozilla_plugin_config_t domain.
++
++
++.EX
++.PP
++.B mozilla_plugin_exec_t 
++.EE
++
++- Set files with the mozilla_plugin_exec_t type, if you want to transition an executable to the mozilla_plugin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/nspluginscan, /usr/lib/nspluginwrapper/npviewer.bin, /usr/lib/xulrunner[^/]*/plugin-container, /usr/bin/nspluginviewer
++
++.EX
++.PP
++.B mozilla_plugin_rw_t 
++.EE
++
++- Set files with the mozilla_plugin_rw_t type, if you want to treat the files as mozilla plugin read/write content.
++
++
++.EX
++.PP
++.B mozilla_plugin_tmp_t 
++.EE
++
++- Set files with the mozilla_plugin_tmp_t type, if you want to store mozilla plugin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mozilla_plugin_tmpfs_t 
++.EE
++
++- Set files with the mozilla_plugin_tmpfs_t type, if you want to store mozilla plugin files on a tmpfs file system.
++
++
++.EX
++.PP
++.B mozilla_tmp_t 
++.EE
++
++- Set files with the mozilla_tmp_t type, if you want to store mozilla temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mozilla_tmpfs_t 
++.EE
++
++- Set files with the mozilla_tmpfs_t type, if you want to store mozilla files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mozilla policy is very flexible allowing users to setup their mozilla processes in as secure a method as possible.
++.PP 
++The following process types are defined for mozilla:
++
++.EX
++.B mozilla_t, mozilla_plugin_config_t, mozilla_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mozilla(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/mpd_selinux.8 b/man/man8/mpd_selinux.8
+new file mode 100644
+index 0000000..76210f5
+--- /dev/null
++++ b/man/man8/mpd_selinux.8
+@@ -0,0 +1,206 @@
++.TH  "mpd_selinux"  "8"  "mpd" "dwalsh at redhat.com" "mpd SELinux Policy documentation"
++.SH "NAME"
++mpd_selinux \- Security Enhanced Linux Policy for the mpd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B mpd
++(Music Player Daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  mpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mpd with the tightest access possible.
++
++
++.PP
++If you want to allow mplayer executable stac, you must turn on the allow_mplayer_execstack boolean.
++
++.EX
++.B setsebool -P allow_mplayer_execstack 1
++.EE
++
++.PP
++If you want to allow all daemons to write corefiles to , you must turn on the allow_daemons_dump_core boolean.
++
++.EX
++.B setsebool -P allow_daemons_dump_core 1
++.EE
++
++.PP
++If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean.
++
++.EX
++.B setsebool -P httpd_tmp_exec 1
++.EE
++
++.PP
++If you want to allow video playing tools to run unconfine, you must turn on the unconfined_mplayer boolean.
++
++.EX
++.B setsebool -P unconfined_mplayer 1
++.EE
++
++.PP
++If you want to allow gssd to read temp directory.  For access to kerberos tgt, you must turn on the allow_gssd_read_tmp boolean.
++
++.EX
++.B setsebool -P allow_gssd_read_tmp 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible.
++.PP 
++The following file types are defined for mpd:
++
++
++.EX
++.PP
++.B mpd_data_t 
++.EE
++
++- Set files with the mpd_data_t type, if you want to treat the files as mpd content.
++
++.br
++.TP 5
++Paths: 
++/var/lib/mpd/playlists(/.*)?, /var/lib/mpd/music(/.*)?
++
++.EX
++.PP
++.B mpd_etc_t 
++.EE
++
++- Set files with the mpd_etc_t type, if you want to store mpd files in the /etc directories.
++
++
++.EX
++.PP
++.B mpd_exec_t 
++.EE
++
++- Set files with the mpd_exec_t type, if you want to transition an executable to the mpd_t domain.
++
++
++.EX
++.PP
++.B mpd_initrc_exec_t 
++.EE
++
++- Set files with the mpd_initrc_exec_t type, if you want to transition an executable to the mpd_initrc_t domain.
++
++
++.EX
++.PP
++.B mpd_log_t 
++.EE
++
++- Set files with the mpd_log_t type, if you want to treat the data as mpd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B mpd_tmp_t 
++.EE
++
++- Set files with the mpd_tmp_t type, if you want to store mpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mpd_tmpfs_t 
++.EE
++
++- Set files with the mpd_tmpfs_t type, if you want to store mpd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B mpd_var_lib_t 
++.EE
++
++- Set files with the mpd_var_lib_t type, if you want to store the mpd files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible.
++.PP 
++The following port types are defined for mpd:
++
++.EX
++.TP 5
++.B mpd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for mpd:
++
++.EX
++.B mpd_t, mplayer_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mpd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
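Review bot: The PORT TYPES section gives `tcp 8021` as the default port for `mpd_port_t`, and the identical value is printed for `munin_port_t`, `mysqld_port_t` and `mysqlmanagerd_port_t` in the munin, mysqld and mysqlmanagerd pages later in this patch, so the number is presumably a constant left in genman.py rather than what the policy assigns to each type. An administrator who labels or filters ports from these pages would be working from a wrong value. Until the generator looks ports up per type, I would drop the `Default Defined Ports:` / `tcp 8021` lines and keep only the pointer to `semanage port -l`, which reports what the loaded policy defines. The same block also emits `.EE` twice for a single `.EX`.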
+diff --git a/man/man8/mplayer_selinux.8 b/man/man8/mplayer_selinux.8
+new file mode 100644
+index 0000000..0098b19
+--- /dev/null
++++ b/man/man8/mplayer_selinux.8
+@@ -0,0 +1,127 @@
++.TH  "mplayer_selinux"  "8"  "mplayer" "dwalsh at redhat.com" "mplayer SELinux Policy documentation"
++.SH "NAME"
++mplayer_selinux \- Security Enhanced Linux Policy for the mplayer processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B mplayer
++(Mplayer media player and encoder)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  mplayer policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mplayer with the tightest access possible.
++
++
++.PP
++If you want to allow mplayer executable stac, you must turn on the allow_mplayer_execstack boolean.
++
++.EX
++.B setsebool -P allow_mplayer_execstack 1
++.EE
++
++.PP
++If you want to allow video playing tools to run unconfine, you must turn on the unconfined_mplayer boolean.
++
++.EX
++.B setsebool -P unconfined_mplayer 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mplayer policy is very flexible allowing users to setup their mplayer processes in as secure a method as possible.
++.PP 
++The following file types are defined for mplayer:
++
++
++.EX
++.PP
++.B mplayer_etc_t 
++.EE
++
++- Set files with the mplayer_etc_t type, if you want to store mplayer files in the /etc directories.
++
++
++.EX
++.PP
++.B mplayer_exec_t 
++.EE
++
++- Set files with the mplayer_exec_t type, if you want to transition an executable to the mplayer_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/vlc, /usr/bin/mplayer, /usr/bin/xine
++
++.EX
++.PP
++.B mplayer_home_t 
++.EE
++
++- Set files with the mplayer_home_t type, if you want to store mplayer files in the users home directory.
++
++
++.EX
++.PP
++.B mplayer_tmpfs_t 
++.EE
++
++- Set files with the mplayer_tmpfs_t type, if you want to store mplayer files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mplayer policy is very flexible allowing users to setup their mplayer processes in as secure a method as possible.
++.PP 
++The following process types are defined for mplayer:
++
++.EX
++.B mplayer_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mplayer(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
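Review bot: Both boolean descriptions are cut one character short, `allow mplayer executable stac` and `run unconfine`, and the same clipping appears in the mpd, mscan (`user conten`) and mysqld (`mysql serve`, `all port`) pages, which suggests the generator drops the last character unconditionally where it probably meant to strip a trailing period. The lines should read `If you want to allow mplayer executable stack, ...` and `If you want to allow video playing tools to run unconfined, ...`. Because these two booleans loosen confinement by their own description, each entry should also say so in a sentence and show how to turn it back off, e.g. `setsebool -P unconfined_mplayer 0`.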
+diff --git a/man/man8/mrtg_selinux.8 b/man/man8/mrtg_selinux.8
+new file mode 100644
+index 0000000..0ca59e6
+--- /dev/null
++++ b/man/man8/mrtg_selinux.8
+@@ -0,0 +1,121 @@
++.TH  "mrtg_selinux"  "8"  "mrtg" "dwalsh at redhat.com" "mrtg SELinux Policy documentation"
++.SH "NAME"
++mrtg_selinux \- Security Enhanced Linux Policy for the mrtg processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B mrtg
++(Network traffic graphing)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mrtg policy is very flexible allowing users to setup their mrtg processes in as secure a method as possible.
++.PP 
++The following file types are defined for mrtg:
++
++
++.EX
++.PP
++.B mrtg_etc_t 
++.EE
++
++- Set files with the mrtg_etc_t type, if you want to store mrtg files in the /etc directories.
++
++
++.EX
++.PP
++.B mrtg_exec_t 
++.EE
++
++- Set files with the mrtg_exec_t type, if you want to transition an executable to the mrtg_t domain.
++
++
++.EX
++.PP
++.B mrtg_lock_t 
++.EE
++
++- Set files with the mrtg_lock_t type, if you want to treat the files as mrtg lock data, stored under the /var/lock directory
++
++.br
++.TP 5
++Paths: 
++/var/lock/mrtg(/.*)?, /etc/mrtg/mrtg\.ok
++
++.EX
++.PP
++.B mrtg_log_t 
++.EE
++
++- Set files with the mrtg_log_t type, if you want to treat the data as mrtg log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B mrtg_var_lib_t 
++.EE
++
++- Set files with the mrtg_var_lib_t type, if you want to store the mrtg files under the /var/lib directory.
++
++
++.EX
++.PP
++.B mrtg_var_run_t 
++.EE
++
++- Set files with the mrtg_var_run_t type, if you want to store the mrtg files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mrtg policy is very flexible allowing users to setup their mrtg processes in as secure a method as possible.
++.PP 
++The following process types are defined for mrtg:
++
++.EX
++.B mrtg_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mrtg(8), semanage(8), restorecon(8), chcon(1)
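Review bot: The font escape after `ls` and `ps` is mistyped as `\bP`, so the bold opened by `\fB` is never closed with `\fP` and the text that follows may render in bold. The two lines should be `You can see the context of a file using the \fB\-Z\fP option to \fBls\fP` and `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The same two lines occur in every generated page in this patch (mpd, mplayer, mscan, munin, mysqld, mysqlmanagerd, nagios), so the fix belongs in the genman.py template rather than in the individual pages.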
+diff --git a/man/man8/mscan_selinux.8 b/man/man8/mscan_selinux.8
+new file mode 100644
+index 0000000..1b9091c
+--- /dev/null
++++ b/man/man8/mscan_selinux.8
+@@ -0,0 +1,122 @@
++.TH  "mscan_selinux"  "8"  "mscan" "dwalsh at redhat.com" "mscan SELinux Policy documentation"
++.SH "NAME"
++mscan_selinux \- Security Enhanced Linux Policy for the mscan processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  mscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mscan with the tightest access possible.
++
++
++.PP
++If you want to allow clamscan to read user conten, you must turn on the clamscan_read_user_content boolean.
++
++.EX
++.B setsebool -P clamscan_read_user_content 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mscan policy is very flexible allowing users to setup their mscan processes in as secure a method as possible.
++.PP 
++The following file types are defined for mscan:
++
++
++.EX
++.PP
++.B mscan_etc_t 
++.EE
++
++- Set files with the mscan_etc_t type, if you want to store mscan files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/sysconfig/MailScanner, /etc/MailScanner(/.*)?, /etc/sysconfig/update_spamassassin
++
++.EX
++.PP
++.B mscan_exec_t 
++.EE
++
++- Set files with the mscan_exec_t type, if you want to transition an executable to the mscan_t domain.
++
++
++.EX
++.PP
++.B mscan_initrc_exec_t 
++.EE
++
++- Set files with the mscan_initrc_exec_t type, if you want to transition an executable to the mscan_initrc_t domain.
++
++
++.EX
++.PP
++.B mscan_tmp_t 
++.EE
++
++- Set files with the mscan_tmp_t type, if you want to store mscan temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mscan_var_run_t 
++.EE
++
++- Set files with the mscan_var_run_t type, if you want to store the mscan files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mscan policy is very flexible allowing users to setup their mscan processes in as secure a method as possible.
++.PP 
++The following process types are defined for mscan:
++
++.EX
++.B mscan_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mscan(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
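Review bot: `.SH "DESCRIPTION"` is followed only by blank lines in this page, and again in the mysqld and mysqlmanagerd pages, while the mpd, mplayer, mrtg and munin pages carry the `SELinux Linux secures ...` paragraph. The generator seems to emit that paragraph only when it finds a module summary. It should fall back to a generic sentence such as `SELinux secures the mscan processes via flexible mandatory access control.` so the page states what is being confined. The existing paragraph's opening `SELinux Linux secures` would also read better as `SELinux secures`.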
+diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8
+new file mode 100644
+index 0000000..17b161d
+--- /dev/null
++++ b/man/man8/munin_selinux.8
+@@ -0,0 +1,163 @@
++.TH  "munin_selinux"  "8"  "munin" "dwalsh at redhat.com" "munin SELinux Policy documentation"
++.SH "NAME"
++munin_selinux \- Security Enhanced Linux Policy for the munin processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B munin
++(Munin network-wide load graphing (formerly LRRD))
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible.
++.PP 
++The following file types are defined for munin:
++
++
++.EX
++.PP
++.B munin_etc_t 
++.EE
++
++- Set files with the munin_etc_t type, if you want to store munin files in the /etc directories.
++
++
++.EX
++.PP
++.B munin_exec_t 
++.EE
++
++- Set files with the munin_exec_t type, if you want to transition an executable to the munin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/munin-.*, /usr/share/munin/munin-.*, /usr/share/munin/plugins/.*, /usr/bin/munin-.*
++
++.EX
++.PP
++.B munin_initrc_exec_t 
++.EE
++
++- Set files with the munin_initrc_exec_t type, if you want to transition an executable to the munin_initrc_t domain.
++
++
++.EX
++.PP
++.B munin_log_t 
++.EE
++
++- Set files with the munin_log_t type, if you want to treat the data as munin log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B munin_plugin_state_t 
++.EE
++
++- Set files with the munin_plugin_state_t type, if you want to treat the files as munin plugin state data.
++
++
++.EX
++.PP
++.B munin_tmp_t 
++.EE
++
++- Set files with the munin_tmp_t type, if you want to store munin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B munin_var_lib_t 
++.EE
++
++- Set files with the munin_var_lib_t type, if you want to store the munin files under the /var/lib directory.
++
++
++.EX
++.PP
++.B munin_var_run_t 
++.EE
++
++- Set files with the munin_var_run_t type, if you want to store the munin files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible.
++.PP 
++The following port types are defined for munin:
++
++.EX
++.TP 5
++.B munin_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible.
++.PP 
++The following process types are defined for munin:
++
++.EX
++.B munin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), munin(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/mysqld_selinux.8 b/man/man8/mysqld_selinux.8
+new file mode 100644
+index 0000000..9f5bb25
+--- /dev/null
++++ b/man/man8/mysqld_selinux.8
+@@ -0,0 +1,214 @@
++.TH  "mysqld_selinux"  "8"  "mysqld" "dwalsh at redhat.com" "mysqld SELinux Policy documentation"
++.SH "NAME"
++mysqld_selinux \- Security Enhanced Linux Policy for the mysqld processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  mysqld policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mysqld with the tightest access possible.
++
++
++.PP
++If you want to allow users to connect to the local mysql serve, you must turn on the allow_user_mysql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_mysql_connect 1
++.EE
++
++.PP
++If you want to allow mysqld to connect to all port, you must turn on the mysql_connect_any boolean.
++
++.EX
++.B setsebool -P mysql_connect_any 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mysqld policy is very flexible allowing users to setup their mysqld processes in as secure a method as possible.
++.PP 
++The following file types are defined for mysqld:
++
++
++.EX
++.PP
++.B mysqld_db_t 
++.EE
++
++- Set files with the mysqld_db_t type, if you want to treat the files as mysqld database content.
++
++
++.EX
++.PP
++.B mysqld_etc_t 
++.EE
++
++- Set files with the mysqld_etc_t type, if you want to store mysqld files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/my\.cnf, /etc/mysql(/.*)?
++
++.EX
++.PP
++.B mysqld_exec_t 
++.EE
++
++- Set files with the mysqld_exec_t type, if you want to transition an executable to the mysqld_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/libexec/mysqld, /usr/sbin/mysqld(-max)?
++
++.EX
++.PP
++.B mysqld_home_t 
++.EE
++
++- Set files with the mysqld_home_t type, if you want to store mysqld files in the users home directory.
++
++
++.EX
++.PP
++.B mysqld_initrc_exec_t 
++.EE
++
++- Set files with the mysqld_initrc_exec_t type, if you want to transition an executable to the mysqld_initrc_t domain.
++
++
++.EX
++.PP
++.B mysqld_log_t 
++.EE
++
++- Set files with the mysqld_log_t type, if you want to treat the data as mysqld log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B mysqld_safe_exec_t 
++.EE
++
++- Set files with the mysqld_safe_exec_t type, if you want to transition an executable to the mysqld_safe_t domain.
++
++
++.EX
++.PP
++.B mysqld_tmp_t 
++.EE
++
++- Set files with the mysqld_tmp_t type, if you want to store mysqld temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B mysqld_unit_file_t 
++.EE
++
++- Set files with the mysqld_unit_file_t type, if you want to treat the files as mysqld unit content.
++
++
++.EX
++.PP
++.B mysqld_var_run_t 
++.EE
++
++- Set files with the mysqld_var_run_t type, if you want to store the mysqld files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/mysqld(/.*)?, /var/lib/mysql/mysql\.sock
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux mysqld policy is very flexible allowing users to setup their mysqld processes in as secure a method as possible.
++.PP 
++The following port types are defined for mysqld:
++
++.EX
++.TP 5
++.B mysqld_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B mysqlmanagerd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mysqld policy is very flexible allowing users to setup their mysqld processes in as secure a method as possible.
++.PP 
++The following process types are defined for mysqld:
++
++.EX
++.B mysqld_safe_t, mysqlmanagerd_t, mysqld_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mysqld(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/mysqlmanagerd_selinux.8 b/man/man8/mysqlmanagerd_selinux.8
+new file mode 100644
+index 0000000..6bce1f8
+--- /dev/null
++++ b/man/man8/mysqlmanagerd_selinux.8
+@@ -0,0 +1,113 @@
++.TH  "mysqlmanagerd_selinux"  "8"  "mysqlmanagerd" "dwalsh at redhat.com" "mysqlmanagerd SELinux Policy documentation"
++.SH "NAME"
++mysqlmanagerd_selinux \- Security Enhanced Linux Policy for the mysqlmanagerd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux mysqlmanagerd policy is very flexible allowing users to setup their mysqlmanagerd processes in as secure a method as possible.
++.PP 
++The following file types are defined for mysqlmanagerd:
++
++
++.EX
++.PP
++.B mysqlmanagerd_exec_t 
++.EE
++
++- Set files with the mysqlmanagerd_exec_t type, if you want to transition an executable to the mysqlmanagerd_t domain.
++
++
++.EX
++.PP
++.B mysqlmanagerd_initrc_exec_t 
++.EE
++
++- Set files with the mysqlmanagerd_initrc_exec_t type, if you want to transition an executable to the mysqlmanagerd_initrc_t domain.
++
++
++.EX
++.PP
++.B mysqlmanagerd_var_run_t 
++.EE
++
++- Set files with the mysqlmanagerd_var_run_t type, if you want to store the mysqlmanagerd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux mysqlmanagerd policy is very flexible allowing users to setup their mysqlmanagerd processes in as secure a method as possible.
++.PP 
++The following port types are defined for mysqlmanagerd:
++
++.EX
++.TP 5
++.B mysqlmanagerd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mysqlmanagerd policy is very flexible allowing users to setup their mysqlmanagerd processes in as secure a method as possible.
++.PP 
++The following process types are defined for mysqlmanagerd:
++
++.EX
++.B mysqlmanagerd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), mysqlmanagerd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/nagios_selinux.8 b/man/man8/nagios_selinux.8
+new file mode 100644
+index 0000000..c1343c2
+--- /dev/null
++++ b/man/man8/nagios_selinux.8
+@@ -0,0 +1,225 @@
++.TH  "nagios_selinux"  "8"  "nagios" "dwalsh at redhat.com" "nagios SELinux Policy documentation"
++.SH "NAME"
++nagios_selinux \- Security Enhanced Linux Policy for the nagios processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B nagios
++(Net Saint / NAGIOS - network monitoring server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux nagios policy is very flexible allowing users to setup their nagios processes in as secure a method as possible.
++.PP 
++The following file types are defined for nagios:
++
++
++.EX
++.PP
++.B nagios_admin_plugin_exec_t 
++.EE
++
++- Set files with the nagios_admin_plugin_exec_t type, if you want to transition an executable to the nagios_admin_plugin_t domain.
++
++
++.EX
++.PP
++.B nagios_checkdisk_plugin_exec_t 
++.EE
++
++- Set files with the nagios_checkdisk_plugin_exec_t type, if you want to transition an executable to the nagios_checkdisk_plugin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/nagios/plugins/check_linux_raid, /usr/lib/nagios/plugins/check_disk_smb, /usr/lib/nagios/plugins/check_ide_smart, /usr/lib/nagios/plugins/check_disk
++
++.EX
++.PP
++.B nagios_etc_t 
++.EE
++
++- Set files with the nagios_etc_t type, if you want to store nagios files in the /etc directories.
++
++
++.EX
++.PP
++.B nagios_eventhandler_plugin_exec_t 
++.EE
++
++- Set files with the nagios_eventhandler_plugin_exec_t type, if you want to transition an executable to the nagios_eventhandler_plugin_t domain.
++
++
++.EX
++.PP
++.B nagios_eventhandler_plugin_tmp_t 
++.EE
++
++- Set files with the nagios_eventhandler_plugin_tmp_t type, if you want to store nagios eventhandler plugin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nagios_exec_t 
++.EE
++
++- Set files with the nagios_exec_t type, if you want to transition an executable to the nagios_t domain.
++
++
++.EX
++.PP
++.B nagios_initrc_exec_t 
++.EE
++
++- Set files with the nagios_initrc_exec_t type, if you want to transition an executable to the nagios_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/nagios, /etc/rc\.d/init\.d/nrpe
++
++.EX
++.PP
++.B nagios_log_t 
++.EE
++
++- Set files with the nagios_log_t type, if you want to treat the data as nagios log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/netsaint(/.*)?, /var/log/nagios(/.*)?
++
++.EX
++.PP
++.B nagios_mail_plugin_exec_t 
++.EE
++
++- Set files with the nagios_mail_plugin_exec_t type, if you want to transition an executable to the nagios_mail_plugin_t domain.
++
++
++.EX
++.PP
++.B nagios_services_plugin_exec_t 
++.EE
++
++- Set files with the nagios_services_plugin_exec_t type, if you want to transition an executable to the nagios_services_plugin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_ircd, /usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_icmp, /usr/lib/n
 agios/plugins/check_http, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_mysql_query, /usr/lib/nagios/plugins/check_dns
++
++.EX
++.PP
++.B nagios_spool_t 
++.EE
++
++- Set files with the nagios_spool_t type, if you want to store the nagios files under the /var/spool directory.
++
++
++.EX
++.PP
++.B nagios_system_plugin_exec_t 
++.EE
++
++- Set files with the nagios_system_plugin_exec_t type, if you want to transition an executable to the nagios_system_plugin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/nagios/plugins/check_log, /usr/lib/nagios/plugins/check_load, /usr/lib/nagios/plugins/check_flexlm, /usr/lib/nagios/plugins/check_swap, /usr/lib/nagios/plugins/check_users, /usr/lib/nagios/plugins/check_ifstatus, /usr/lib/nagios/plugins/check_ifoperstatus, /usr/lib/nagios/plugins/check_nagios, /usr/lib/nagios/plugins/check_sensors, /usr/lib/nagios/plugins/check_wave, /usr/lib/nagios/plugins/check_mrtgtraf, /usr/lib/nagios/plugins/check_nwstat, /usr/lib/nagios/plugins/check_procs, /usr/lib/nagios/plugins/check_mrtg, /usr/lib/nagios/plugins/check_overcr
++
++.EX
++.PP
++.B nagios_system_plugin_tmp_t 
++.EE
++
++- Set files with the nagios_system_plugin_tmp_t type, if you want to store nagios system plugin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nagios_tmp_t 
++.EE
++
++- Set files with the nagios_tmp_t type, if you want to store nagios temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nagios_unconfined_plugin_exec_t 
++.EE
++
++- Set files with the nagios_unconfined_plugin_exec_t type, if you want to transition an executable to the nagios_unconfined_plugin_t domain.
++
++
++.EX
++.PP
++.B nagios_var_lib_t 
++.EE
++
++- Set files with the nagios_var_lib_t type, if you want to store the nagios files under the /var/lib directory.
++
++
++.EX
++.PP
++.B nagios_var_run_t 
++.EE
++
++- Set files with the nagios_var_run_t type, if you want to store the nagios files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nagios policy is very flexible allowing users to setup their nagios processes in as secure a method as possible.
++.PP 
++The following process types are defined for nagios:
++
++.EX
++.B nagios_t, nagios_mail_plugin_t, nagios_checkdisk_plugin_t, nagios_services_plugin_t, nagios_eventhandler_plugin_t, nagios_system_plugin_t, nagios_unconfined_plugin_t, nagios_admin_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8
+index fce0b48..653c29b 100644
+--- a/man/man8/named_selinux.8
++++ b/man/man8/named_selinux.8
+@@ -1,30 +1,211 @@
+-.TH  "named_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "named Selinux Policy documentation"
+-.de EX
+-.nf
+-.ft CW
+-..
+-.de EE
+-.ft R
+-.fi
+-..
++.TH  "named_selinux"  "8"  "named" "dwalsh at redhat.com" "named SELinux Policy documentation"
+ .SH "NAME"
+-named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon
++named_selinux \- Security Enhanced Linux Policy for the named processes
+ .SH "DESCRIPTION"
+ 
+-Security-Enhanced Linux secures the named server via flexible mandatory access
++
++SELinux Linux secures
++.B named
++(Berkeley internet name domain DNS server)
++processes via flexible mandatory access
+ control.  
++
++
++
+ .SH BOOLEANS
+-SELinux policy is customizable based on least access required.  So by 
+-default SELinux policy does not allow named to write master zone files.  If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
++SELinux policy is customizable based on least access required.  named policy is extremely flexible and has several booleans that allow you to manipulate the policy and run named with the tightest access possible.
++
++
++.PP
++If you want to allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers, you must turn on the named_write_master_zones boolean.
++
  .EX
--httpd_sys_content_rw_t 
-+httpd_sys_rw_content_t 
+-setsebool -P named_write_master_zones 1
++.B setsebool -P named_write_master_zones 1
+ .EE
++
+ .PP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
+-.SH AUTHOR	
+-This manual page was written by Dan Walsh <dwalsh at redhat.com>.
++If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean.
+ 
+-.SH "SEE ALSO"
+-selinux(8), named(8), chcon(1), setsebool(8)
++.EX
++.B setsebool -P named_bind_http_port 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux named policy is very flexible allowing users to setup their named processes in as secure a method as possible.
++.PP 
++The following file types are defined for named:
++
++
++.EX
++.PP
++.B named_cache_t 
++.EE
++
++- Set files with the named_cache_t type, if you want to store the files under the /var/cache directory.
++
++.br
++.TP 5
++Paths: 
++/var/named/chroot/var/named/data(/.*)?, /var/named/chroot/var/tmp(/.*)?, /var/named/data(/.*)?, /var/named/chroot/var/named/slaves(/.*)?, /var/named/dynamic(/.*)?, /var/named/slaves(/.*)?, /var/named/chroot/var/named/dynamic(/.*)?
++
++.EX
++.PP
++.B named_checkconf_exec_t 
++.EE
++
++- Set files with the named_checkconf_exec_t type, if you want to transition an executable to the named_checkconf_t domain.
++
++
++.EX
++.PP
++.B named_conf_t 
++.EE
++
++- Set files with the named_conf_t type, if you want to treat the files as named configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/var/named/chroot/etc/named\.root\.hints, /etc/named\.root\.hints, /var/named/chroot(/.*)?, /var/named/named\.ca, /etc/unbound(/.*)?, /var/named/chroot/etc/named\.caching-nameserver\.conf, /etc/named\.rfc1912.zones, /etc/named\.caching-nameserver\.conf, /etc/named\.conf, /var/named/chroot/var/named/named\.ca, /var/named/chroot/etc/named\.conf, /etc/rndc.*, /var/named/chroot/etc/named\.rfc1912.zones
++
++.EX
++.PP
++.B named_exec_t 
++.EE
++
++- Set files with the named_exec_t type, if you want to transition an executable to the named_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/lwresd, /usr/sbin/named, /usr/sbin/unbound
++
++.EX
++.PP
++.B named_initrc_exec_t 
++.EE
++
++- Set files with the named_initrc_exec_t type, if you want to transition an executable to the named_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/named, /etc/rc\.d/init\.d/unbound
++
++.EX
++.PP
++.B named_keytab_t 
++.EE
++
++- Set files with the named_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B named_log_t 
++.EE
++
++- Set files with the named_log_t type, if you want to treat the data as named log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/named.*, /var/named/chroot/var/log/named.*
++
++.EX
++.PP
++.B named_tmp_t 
++.EE
++
++- Set files with the named_tmp_t type, if you want to store named temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B named_unit_file_t 
++.EE
++
++- Set files with the named_unit_file_t type, if you want to treat the files as named unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/named.service, /usr/lib/systemd/system/named.service, /lib/systemd/system/unbound.service, /lib/systemd/system/unbound-keygen.service
++
++.EX
++.PP
++.B named_var_run_t 
++.EE
+ 
++- Set files with the named_var_run_t type, if you want to store the named files under the /run directory.
+ 
++.br
++.TP 5
++Paths: 
++/var/named/chroot/var/run/named.*, /var/run/ndc, /var/run/bind(/.*)?, /var/run/named(/.*)?, /var/run/unbound(/.*)?
++
++.EX
++.PP
++.B named_zone_t 
++.EE
++
++- Set files with the named_zone_t type, if you want to treat the files as named zone data.
++
++.br
++.TP 5
++Paths: 
++/var/named/chroot/var/named(/.*)?, /var/named(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux named policy is very flexible allowing users to setup their named processes in as secure a method as possible.
++.PP 
++The following process types are defined for named:
++
++.EX
++.B named_t, namespace_init_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), named(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/namespace_selinux.8 b/man/man8/namespace_selinux.8
+new file mode 100644
+index 0000000..7572442
+--- /dev/null
++++ b/man/man8/namespace_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "namespace_selinux"  "8"  "namespace" "dwalsh at redhat.com" "namespace SELinux Policy documentation"
++.SH "NAME"
++namespace_selinux \- Security Enhanced Linux Policy for the namespace processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B namespace
++(policy for namespace)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux namespace policy is very flexible allowing users to setup their namespace processes in as secure a method as possible.
++.PP 
++The following file types are defined for namespace:
++
++
++.EX
++.PP
++.B namespace_init_exec_t 
++.EE
++
++- Set files with the namespace_init_exec_t type, if you want to transition an executable to the namespace_init_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux namespace policy is very flexible allowing users to setup their namespace processes in as secure a method as possible.
++.PP 
++The following process types are defined for namespace:
++
++.EX
++.B namespace_init_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), namespace(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ncftool_selinux.8 b/man/man8/ncftool_selinux.8
+new file mode 100644
+index 0000000..394997f
+--- /dev/null
++++ b/man/man8/ncftool_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "ncftool_selinux"  "8"  "ncftool" "dwalsh at redhat.com" "ncftool SELinux Policy documentation"
++.SH "NAME"
++ncftool_selinux \- Security Enhanced Linux Policy for the ncftool processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B ncftool
++(Netcf network configuration tool (ncftool))
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ncftool policy is very flexible allowing users to setup their ncftool processes in as secure a method as possible.
++.PP 
++The following file types are defined for ncftool:
++
++
++.EX
++.PP
++.B ncftool_exec_t 
++.EE
++
++- Set files with the ncftool_exec_t type, if you want to transition an executable to the ncftool_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ncftool policy is very flexible allowing users to setup their ncftool processes in as secure a method as possible.
++.PP 
++The following process types are defined for ncftool:
++
++.EX
++.B ncftool_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ncftool(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ndc_selinux.8 b/man/man8/ndc_selinux.8
+new file mode 100644
+index 0000000..fe49fef
+--- /dev/null
++++ b/man/man8/ndc_selinux.8
+@@ -0,0 +1,71 @@
++.TH  "ndc_selinux"  "8"  "ndc" "dwalsh at redhat.com" "ndc SELinux Policy documentation"
++.SH "NAME"
++ndc_selinux \- Security Enhanced Linux Policy for the ndc processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ndc policy is very flexible allowing users to setup their ndc processes in as secure a method as possible.
++.PP 
++The following file types are defined for ndc:
++
++
++.EX
++.PP
++.B ndc_exec_t 
++.EE
++
++- Set files with the ndc_exec_t type, if you want to transition an executable to the ndc_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ndc policy is very flexible allowing users to setup their ndc processes in as secure a method as possible.
++.PP 
++The following process types are defined for ndc:
++
++.EX
++.B ndc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ndc(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/netlabel_selinux.8 b/man/man8/netlabel_selinux.8
+new file mode 100644
+index 0000000..8d7e496
+--- /dev/null
++++ b/man/man8/netlabel_selinux.8
+@@ -0,0 +1,81 @@
++.TH  "netlabel_selinux"  "8"  "netlabel" "dwalsh at redhat.com" "netlabel SELinux Policy documentation"
++.SH "NAME"
++netlabel_selinux \- Security Enhanced Linux Policy for the netlabel processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B netlabel
++(NetLabel/CIPSO labeled networking management)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux netlabel policy is very flexible allowing users to setup their netlabel processes in as secure a method as possible.
++.PP 
++The following file types are defined for netlabel:
++
++
++.EX
++.PP
++.B netlabel_mgmt_exec_t 
++.EE
++
++- Set files with the netlabel_mgmt_exec_t type, if you want to transition an executable to the netlabel_mgmt_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/netlabelctl, /usr/sbin/netlabelctl
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux netlabel policy is very flexible allowing users to setup their netlabel processes in as secure a method as possible.
++.PP 
++The following process types are defined for netlabel:
++
++.EX
++.B netlabel_mgmt_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), netlabel(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/netlogond_selinux.8 b/man/man8/netlogond_selinux.8
+new file mode 100644
+index 0000000..3e7dc32
+--- /dev/null
++++ b/man/man8/netlogond_selinux.8
+@@ -0,0 +1,99 @@
++.TH  "netlogond_selinux"  "8"  "netlogond" "dwalsh at redhat.com" "netlogond SELinux Policy documentation"
++.SH "NAME"
++netlogond_selinux \- Security Enhanced Linux Policy for the netlogond processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux netlogond policy is very flexible allowing users to setup their netlogond processes in as secure a method as possible.
++.PP 
++The following file types are defined for netlogond:
++
++
++.EX
++.PP
++.B netlogond_exec_t 
++.EE
++
++- Set files with the netlogond_exec_t type, if you want to transition an executable to the netlogond_t domain.
++
++
++.EX
++.PP
++.B netlogond_var_lib_t 
++.EE
++
++- Set files with the netlogond_var_lib_t type, if you want to store the netlogond files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/likewise-open/krb5-affinity.conf, /var/lib/likewise-open/LWNetsd\.err
++
++.EX
++.PP
++.B netlogond_var_run_t 
++.EE
++
++- Set files with the netlogond_var_run_t type, if you want to store the netlogond files under the /run directory.
++
++
++.EX
++.PP
++.B netlogond_var_socket_t 
++.EE
++
++- Set files with the netlogond_var_socket_t type, if you want to treat the files as netlogond var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux netlogond policy is very flexible allowing users to setup their netlogond processes in as secure a method as possible.
++.PP 
++The following process types are defined for netlogond:
++
++.EX
++.B netlogond_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), netlogond(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/netutils_selinux.8 b/man/man8/netutils_selinux.8
+new file mode 100644
+index 0000000..55eb6c1
+--- /dev/null
++++ b/man/man8/netutils_selinux.8
+@@ -0,0 +1,89 @@
++.TH  "netutils_selinux"  "8"  "netutils" "dwalsh at redhat.com" "netutils SELinux Policy documentation"
++.SH "NAME"
++netutils_selinux \- Security Enhanced Linux Policy for the netutils processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B netutils
++(Network analysis utilities)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux netutils policy is very flexible allowing users to setup their netutils processes in as secure a method as possible.
++.PP 
++The following file types are defined for netutils:
++
++
++.EX
++.PP
++.B netutils_exec_t 
++.EE
++
++- Set files with the netutils_exec_t type, if you want to transition an executable to the netutils_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/arping, /usr/sbin/arping, /usr/sbin/tcpdump
++
++.EX
++.PP
++.B netutils_tmp_t 
++.EE
++
++- Set files with the netutils_tmp_t type, if you want to store netutils temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux netutils policy is very flexible allowing users to setup their netutils processes in as secure a method as possible.
++.PP 
++The following process types are defined for netutils:
++
++.EX
++.B netutils_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), netutils(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/newrole_selinux.8 b/man/man8/newrole_selinux.8
+new file mode 100644
+index 0000000..bdc4376
+--- /dev/null
++++ b/man/man8/newrole_selinux.8
+@@ -0,0 +1,71 @@
++.TH  "newrole_selinux"  "8"  "newrole" "dwalsh at redhat.com" "newrole SELinux Policy documentation"
++.SH "NAME"
++newrole_selinux \- Security Enhanced Linux Policy for the newrole processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux newrole policy is very flexible allowing users to setup their newrole processes in as secure a method as possible.
++.PP 
++The following file types are defined for newrole:
++
++
++.EX
++.PP
++.B newrole_exec_t 
++.EE
++
++- Set files with the newrole_exec_t type, if you want to transition an executable to the newrole_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux newrole policy is very flexible allowing users to setup their newrole processes in as secure a method as possible.
++.PP 
++The following process types are defined for newrole:
++
++.EX
++.B newrole_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), newrole(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/nfsd_selinux.8 b/man/man8/nfsd_selinux.8
+new file mode 100644
+index 0000000..e664bc1
+--- /dev/null
++++ b/man/man8/nfsd_selinux.8
+@@ -0,0 +1,284 @@
++.TH  "nfsd_selinux"  "8"  "nfsd" "dwalsh at redhat.com" "nfsd SELinux Policy documentation"
++.SH "NAME"
++nfsd_selinux \- Security Enhanced Linux Policy for the nfsd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  nfsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nfsd with the tightest access possible.
++
++
++.PP
++If you want to allow xen to manage nfs file, you must turn on the xen_use_nfs boolean.
++
++.EX
++.B setsebool -P xen_use_nfs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage nfs file, you must turn on the virt_use_nfs boolean.
++
++.EX
++.B setsebool -P virt_use_nfs 1
++.EE
++
++.PP
++If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the allow_ftpd_use_nfs boolean.
++
++.EX
++.B setsebool -P allow_ftpd_use_nfs 1
++.EE
++
++.PP
++If you want to allow Git daemon system to access nfs file systems, you must turn on the git_system_use_nfs boolean.
++
++.EX
++.B setsebool -P git_system_use_nfs 1
++.EE
++
++.PP
++If you want to allow qemu to use nfs file system, you must turn on the qemu_use_nfs boolean.
++
++.EX
++.B setsebool -P qemu_use_nfs 1
++.EE
++
++.PP
++If you want to allow rsync servers to share nfs files system, you must turn on the rsync_use_nfs boolean.
++
++.EX
++.B setsebool -P rsync_use_nfs 1
++.EE
++
++.PP
++If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean.
++
++.EX
++.B setsebool -P cobbler_use_nfs 1
++.EE
++
++.PP
++If you want to allow httpd to access nfs file system, you must turn on the httpd_use_nfs boolean.
++
++.EX
++.B setsebool -P httpd_use_nfs 1
++.EE
++
++.PP
++If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean.
++
++.EX
++.B setsebool -P sge_use_nfs 1
++.EE
++
++.PP
++If you want to allow any files/directories to be exported read/write via NFS, you must turn on the nfs_export_all_rw boolean.
++
++.EX
++.B setsebool -P nfs_export_all_rw 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage nfs file, you must turn on the sanlock_use_nfs boolean.
++
++.EX
++.B setsebool -P sanlock_use_nfs 1
++.EE
++
++.PP
++If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean.
++
++.EX
++.B setsebool -P samba_share_nfs 1
++.EE
++
++.PP
++If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean.
++
++.EX
++.B setsebool -P polipo_use_nfs 1
++.EE
++
++.PP
++If you want to support NFS home directorie, you must turn on the use_nfs_home_dirs boolean.
++
++.EX
++.B setsebool -P use_nfs_home_dirs 1
++.EE
++
++.PP
++If you want to allow any files/directories to be exported read/only via NFS, you must turn on the nfs_export_all_ro boolean.
++
++.EX
++.B setsebool -P nfs_export_all_ro 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow nfsd servers to read the /var/nfsd directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/nfsd(/.*)?"
++.br
++.B restorecon -F -R -v /var/nfsd
++.pp
++.TP
++Allow nfsd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_nfsd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/nfsd/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/nfsd/incoming
++
++
++.PP
++If you want to allow nfs servers to modify public files used for public file transfer services.  Files/Directories must be labeled public_content_rw_t., you must turn on the allow_nfsd_anon_write boolean.
++
++.EX
++.B setsebool -P allow_nfsd_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux nfsd policy is very flexible allowing users to setup their nfsd processes in as secure a method as possible.
++.PP 
++The following file types are defined for nfsd:
++
++
++.EX
++.PP
++.B nfs_t 
++.EE
++
++- Set files with the nfs_t type, if you want to treat the files as nfs data.
++
++
++.EX
++.PP
++.B nfsd_exec_t 
++.EE
++
++- Set files with the nfsd_exec_t type, if you want to transition an executable to the nfsd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/rpc\.mountd, /usr/sbin/rpc\.nfsd
++
++.EX
++.PP
++.B nfsd_initrc_exec_t 
++.EE
++
++- Set files with the nfsd_initrc_exec_t type, if you want to transition an executable to the nfsd_initrc_t domain.
++
++
++.EX
++.PP
++.B nfsd_ro_t 
++.EE
++
++- Set files with the nfsd_ro_t type, if you want to treat the files as nfsd read/only content.
++
++
++.EX
++.PP
++.B nfsd_rw_t 
++.EE
++
++- Set files with the nfsd_rw_t type, if you want to treat the files as nfsd read/write content.
++
++
++.EX
++.PP
++.B nfsd_unit_file_t 
++.EE
++
++- Set files with the nfsd_unit_file_t type, if you want to treat the files as nfsd unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/nfs.*, /usr/lib/systemd/system/nfs.*
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux nfsd policy is very flexible allowing users to setup their nfsd processes in as secure a method as possible.
++.PP 
++The following port types are defined for nfsd:
++
++.EX
++.TP 5
++.B nfs_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nfsd policy is very flexible allowing users to setup their nfsd processes in as secure a method as possible.
++.PP 
++The following process types are defined for nfsd:
++
++.EX
++.B nfsd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), nfsd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/nginx_selinux.8 b/man/man8/nginx_selinux.8
+new file mode 100644
+index 0000000..87983d6
+--- /dev/null
++++ b/man/man8/nginx_selinux.8
+@@ -0,0 +1,103 @@
++.TH  "nginx_selinux"  "8"  "nginx" "dwalsh at redhat.com" "nginx SELinux Policy documentation"
++.SH "NAME"
++nginx_selinux \- Security Enhanced Linux Policy for the nginx processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux nginx policy is very flexible allowing users to setup their nginx processes in as secure a method as possible.
++.PP 
++The following file types are defined for nginx:
++
++
++.EX
++.PP
++.B nginx_exec_t 
++.EE
++
++- Set files with the nginx_exec_t type, if you want to transition an executable to the nginx_t domain.
++
++
++.EX
++.PP
++.B nginx_initrc_exec_t 
++.EE
++
++- Set files with the nginx_initrc_exec_t type, if you want to transition an executable to the nginx_initrc_t domain.
++
++
++.EX
++.PP
++.B nginx_log_t 
++.EE
++
++- Set files with the nginx_log_t type, if you want to treat the data as nginx log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B nginx_var_lib_t 
++.EE
++
++- Set files with the nginx_var_lib_t type, if you want to store the nginx files under the /var/lib directory.
++
++
++.EX
++.PP
++.B nginx_var_run_t 
++.EE
++
++- Set files with the nginx_var_run_t type, if you want to store the nginx files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nginx policy is very flexible allowing users to setup their nginx processes in as secure a method as possible.
++.PP 
++The following process types are defined for nginx:
++
++.EX
++.B nginx_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), nginx(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/nmbd_selinux.8 b/man/man8/nmbd_selinux.8
+new file mode 100644
+index 0000000..bfcd1db
+--- /dev/null
++++ b/man/man8/nmbd_selinux.8
+@@ -0,0 +1,109 @@
++.TH  "nmbd_selinux"  "8"  "nmbd" "dwalsh at redhat.com" "nmbd SELinux Policy documentation"
++.SH "NAME"
++nmbd_selinux \- Security Enhanced Linux Policy for the nmbd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux nmbd policy is very flexible allowing users to setup their nmbd processes in as secure a method as possible.
++.PP 
++The following file types are defined for nmbd:
++
++
++.EX
++.PP
++.B nmbd_exec_t 
++.EE
++
++- Set files with the nmbd_exec_t type, if you want to transition an executable to the nmbd_t domain.
++
++
++.EX
++.PP
++.B nmbd_var_run_t 
++.EE
++
++- Set files with the nmbd_var_run_t type, if you want to store the nmbd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/samba/messages\.tdb, /var/run/samba/namelist\.debug, /var/run/nmbd(/.*)?, /var/run/samba/unexpected\.tdb, /var/run/samba/nmbd\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux nmbd policy is very flexible allowing users to setup their nmbd processes in as secure a method as possible.
++.PP 
++The following port types are defined for nmbd:
++
++.EX
++.TP 5
++.B nmbd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nmbd policy is very flexible allowing users to setup their nmbd processes in as secure a method as possible.
++.PP 
++The following process types are defined for nmbd:
++
++.EX
++.B nmbd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), nmbd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/nova_selinux.8 b/man/man8/nova_selinux.8
+new file mode 100644
+index 0000000..c55585f
+--- /dev/null
++++ b/man/man8/nova_selinux.8
+@@ -0,0 +1,365 @@
++.TH  "nova_selinux"  "8"  "nova" "dwalsh at redhat.com" "nova SELinux Policy documentation"
++.SH "NAME"
++nova_selinux \- Security Enhanced Linux Policy for the nova processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B nova
++(openstack-nova)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux nova policy is very flexible allowing users to setup their nova processes in as secure a method as possible.
++.PP 
++The following file types are defined for nova:
++
++
++.EX
++.PP
++.B nova_ajax_exec_t 
++.EE
++
++- Set files with the nova_ajax_exec_t type, if you want to transition an executable to the nova_ajax_t domain.
++
++
++.EX
++.PP
++.B nova_ajax_tmp_t 
++.EE
++
++- Set files with the nova_ajax_tmp_t type, if you want to store nova ajax temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_ajax_unit_file_t 
++.EE
++
++- Set files with the nova_ajax_unit_file_t type, if you want to treat the files as nova ajax unit content.
++
++
++.EX
++.PP
++.B nova_api_exec_t 
++.EE
++
++- Set files with the nova_api_exec_t type, if you want to transition an executable to the nova_api_t domain.
++
++
++.EX
++.PP
++.B nova_api_tmp_t 
++.EE
++
++- Set files with the nova_api_tmp_t type, if you want to store nova api temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_api_unit_file_t 
++.EE
++
++- Set files with the nova_api_unit_file_t type, if you want to treat the files as nova api unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/openstack-nova-api\.service, /lib/systemd/system/openstack-nova-api\.service
++
++.EX
++.PP
++.B nova_cert_exec_t 
++.EE
++
++- Set files with the nova_cert_exec_t type, if you want to transition an executable to the nova_cert_t domain.
++
++
++.EX
++.PP
++.B nova_cert_tmp_t 
++.EE
++
++- Set files with the nova_cert_tmp_t type, if you want to store nova cert temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_cert_unit_file_t 
++.EE
++
++- Set files with the nova_cert_unit_file_t type, if you want to treat the files as nova cert unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/openstack-nova-cert\.service, /lib/systemd/system/openstack-nova-cert\.service
++
++.EX
++.PP
++.B nova_compute_exec_t 
++.EE
++
++- Set files with the nova_compute_exec_t type, if you want to transition an executable to the nova_compute_t domain.
++
++
++.EX
++.PP
++.B nova_compute_tmp_t 
++.EE
++
++- Set files with the nova_compute_tmp_t type, if you want to store nova compute temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_compute_unit_file_t 
++.EE
++
++- Set files with the nova_compute_unit_file_t type, if you want to treat the files as nova compute unit content.
++
++
++.EX
++.PP
++.B nova_direct_exec_t 
++.EE
++
++- Set files with the nova_direct_exec_t type, if you want to transition an executable to the nova_direct_t domain.
++
++
++.EX
++.PP
++.B nova_direct_tmp_t 
++.EE
++
++- Set files with the nova_direct_tmp_t type, if you want to store nova direct temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_direct_unit_file_t 
++.EE
++
++- Set files with the nova_direct_unit_file_t type, if you want to treat the files as nova direct unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/openstack-nova-ajax-console-proxy\.service, /lib/systemd/system/openstack-nova-direct-api\.service, /lib/systemd/system/openstack-nova-ajax-console-proxy\.service, /usr/lib/systemd/system/openstack-nova-direct-api\.service
++
++.EX
++.PP
++.B nova_log_t 
++.EE
++
++- Set files with the nova_log_t type, if you want to treat the data as nova log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B nova_network_exec_t 
++.EE
++
++- Set files with the nova_network_exec_t type, if you want to transition an executable to the nova_network_t domain.
++
++
++.EX
++.PP
++.B nova_network_tmp_t 
++.EE
++
++- Set files with the nova_network_tmp_t type, if you want to store nova network temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_network_unit_file_t 
++.EE
++
++- Set files with the nova_network_unit_file_t type, if you want to treat the files as nova network unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/openstack-nova-network\.service, /usr/lib/systemd/system/openstack-nova-network\.service
++
++.EX
++.PP
++.B nova_objectstore_exec_t 
++.EE
++
++- Set files with the nova_objectstore_exec_t type, if you want to transition an executable to the nova_objectstore_t domain.
++
++
++.EX
++.PP
++.B nova_objectstore_tmp_t 
++.EE
++
++- Set files with the nova_objectstore_tmp_t type, if you want to store nova objectstore temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_objectstore_unit_file_t 
++.EE
++
++- Set files with the nova_objectstore_unit_file_t type, if you want to treat the files as nova objectstore unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/openstack-nova-objectstore\.service, /lib/systemd/system/openstack-nova-objectstore\.service
++
++.EX
++.PP
++.B nova_scheduler_exec_t 
++.EE
++
++- Set files with the nova_scheduler_exec_t type, if you want to transition an executable to the nova_scheduler_t domain.
++
++
++.EX
++.PP
++.B nova_scheduler_tmp_t 
++.EE
++
++- Set files with the nova_scheduler_tmp_t type, if you want to store nova scheduler temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_scheduler_unit_file_t 
++.EE
++
++- Set files with the nova_scheduler_unit_file_t type, if you want to treat the files as nova scheduler unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/openstack-nova-scheduler\.service, /lib/systemd/system/openstack-nova-scheduler\.service
++
++.EX
++.PP
++.B nova_var_lib_t 
++.EE
++
++- Set files with the nova_var_lib_t type, if you want to store the nova files under the /var/lib directory.
++
++
++.EX
++.PP
++.B nova_var_run_t 
++.EE
++
++- Set files with the nova_var_run_t type, if you want to store the nova files under the /run directory.
++
++
++.EX
++.PP
++.B nova_vncproxy_exec_t 
++.EE
++
++- Set files with the nova_vncproxy_exec_t type, if you want to transition an executable to the nova_vncproxy_t domain.
++
++
++.EX
++.PP
++.B nova_vncproxy_tmp_t 
++.EE
++
++- Set files with the nova_vncproxy_tmp_t type, if you want to store nova vncproxy temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_vncproxy_unit_file_t 
++.EE
++
++- Set files with the nova_vncproxy_unit_file_t type, if you want to treat the files as nova vncproxy unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/openstack-nova-vncproxy\.service, /usr/lib/systemd/system/openstack-nova-vncproxy\.service
++
++.EX
++.PP
++.B nova_volume_exec_t 
++.EE
++
++- Set files with the nova_volume_exec_t type, if you want to transition an executable to the nova_volume_t domain.
++
++
++.EX
++.PP
++.B nova_volume_tmp_t 
++.EE
++
++- Set files with the nova_volume_tmp_t type, if you want to store nova volume temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_volume_unit_file_t 
++.EE
++
++- Set files with the nova_volume_unit_file_t type, if you want to treat the files as nova volume unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/openstack-nova-volume\.service, /usr/lib/systemd/system/openstack-nova-volume\.service
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nova policy is very flexible allowing users to setup their nova processes in as secure a method as possible.
++.PP 
++The following process types are defined for nova:
++
++.EX
++.B nova_api_t, nova_compute_t, nova_network_t, nova_objectstore_t, nova_vncproxy_t, nova_volume_t, nova_scheduler_t, nova_ajax_t, nova_cert_t, nova_direct_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), nova(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/nrpe_selinux.8 b/man/man8/nrpe_selinux.8
+new file mode 100644
+index 0000000..f6a3c05
+--- /dev/null
++++ b/man/man8/nrpe_selinux.8
+@@ -0,0 +1,87 @@
++.TH  "nrpe_selinux"  "8"  "nrpe" "dwalsh at redhat.com" "nrpe SELinux Policy documentation"
++.SH "NAME"
++nrpe_selinux \- Security Enhanced Linux Policy for the nrpe processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux nrpe policy is very flexible allowing users to setup their nrpe processes in as secure a method as possible.
++.PP 
++The following file types are defined for nrpe:
++
++
++.EX
++.PP
++.B nrpe_etc_t 
++.EE
++
++- Set files with the nrpe_etc_t type, if you want to store nrpe files in the /etc directories.
++
++
++.EX
++.PP
++.B nrpe_exec_t 
++.EE
++
++- Set files with the nrpe_exec_t type, if you want to transition an executable to the nrpe_t domain.
++
++
++.EX
++.PP
++.B nrpe_var_run_t 
++.EE
++
++- Set files with the nrpe_var_run_t type, if you want to store the nrpe files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nrpe policy is very flexible allowing users to setup their nrpe processes in as secure a method as possible.
++.PP 
++The following process types are defined for nrpe:
++
++.EX
++.B nrpe_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), nrpe(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/nscd_selinux.8 b/man/man8/nscd_selinux.8
+new file mode 100644
+index 0000000..01045df
+--- /dev/null
++++ b/man/man8/nscd_selinux.8
+@@ -0,0 +1,128 @@
++.TH  "nscd_selinux"  "8"  "nscd" "dwalsh at redhat.com" "nscd SELinux Policy documentation"
++.SH "NAME"
++nscd_selinux \- Security Enhanced Linux Policy for the nscd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B nscd
++(Name service cache daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  nscd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nscd with the tightest access possible.
++
++
++.PP
++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean.
++
++.EX
++.B setsebool -P nscd_use_shm 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux nscd policy is very flexible allowing users to setup their nscd processes in as secure a method as possible.
++.PP 
++The following file types are defined for nscd:
++
++
++.EX
++.PP
++.B nscd_exec_t 
++.EE
++
++- Set files with the nscd_exec_t type, if you want to transition an executable to the nscd_t domain.
++
++
++.EX
++.PP
++.B nscd_initrc_exec_t 
++.EE
++
++- Set files with the nscd_initrc_exec_t type, if you want to transition an executable to the nscd_initrc_t domain.
++
++
++.EX
++.PP
++.B nscd_log_t 
++.EE
++
++- Set files with the nscd_log_t type, if you want to treat the data as nscd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B nscd_unit_file_t 
++.EE
++
++- Set files with the nscd_unit_file_t type, if you want to treat the files as nscd unit content.
++
++
++.EX
++.PP
++.B nscd_var_run_t 
++.EE
++
++- Set files with the nscd_var_run_t type, if you want to store the nscd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/nscd\.pid, /var/run/nscd(/.*)?, /var/db/nscd(/.*)?, /var/run/\.nscd_socket, /var/cache/nscd(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nscd policy is very flexible allowing users to setup their nscd processes in as secure a method as possible.
++.PP 
++The following process types are defined for nscd:
++
++.EX
++.B nscd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), nscd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/nslcd_selinux.8 b/man/man8/nslcd_selinux.8
+new file mode 100644
+index 0000000..a9a427d
+--- /dev/null
++++ b/man/man8/nslcd_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "nslcd_selinux"  "8"  "nslcd" "dwalsh at redhat.com" "nslcd SELinux Policy documentation"
++.SH "NAME"
++nslcd_selinux \- Security Enhanced Linux Policy for the nslcd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B nslcd
++(nslcd - local LDAP name service daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux nslcd policy is very flexible allowing users to setup their nslcd processes in as secure a method as possible.
++.PP 
++The following file types are defined for nslcd:
++
++
++.EX
++.PP
++.B nslcd_conf_t 
++.EE
++
++- Set files with the nslcd_conf_t type, if you want to treat the files as nslcd configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B nslcd_exec_t 
++.EE
++
++- Set files with the nslcd_exec_t type, if you want to transition an executable to the nslcd_t domain.
++
++
++.EX
++.PP
++.B nslcd_initrc_exec_t 
++.EE
++
++- Set files with the nslcd_initrc_exec_t type, if you want to transition an executable to the nslcd_initrc_t domain.
++
++
++.EX
++.PP
++.B nslcd_var_run_t 
++.EE
++
++- Set files with the nslcd_var_run_t type, if you want to store the nslcd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nslcd policy is very flexible allowing users to setup their nslcd processes in as secure a method as possible.
++.PP 
++The following process types are defined for nslcd:
++
++.EX
++.B nslcd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), nslcd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ntop_selinux.8 b/man/man8/ntop_selinux.8
+new file mode 100644
+index 0000000..cb7f3a4
+--- /dev/null
++++ b/man/man8/ntop_selinux.8
+@@ -0,0 +1,143 @@
++.TH  "ntop_selinux"  "8"  "ntop" "dwalsh at redhat.com" "ntop SELinux Policy documentation"
++.SH "NAME"
++ntop_selinux \- Security Enhanced Linux Policy for the ntop processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B ntop
++(Network Top)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible.
++.PP 
++The following file types are defined for ntop:
++
++
++.EX
++.PP
++.B ntop_etc_t 
++.EE
++
++- Set files with the ntop_etc_t type, if you want to store ntop files in the /etc directories.
++
++
++.EX
++.PP
++.B ntop_exec_t 
++.EE
++
++- Set files with the ntop_exec_t type, if you want to transition an executable to the ntop_t domain.
++
++
++.EX
++.PP
++.B ntop_initrc_exec_t 
++.EE
++
++- Set files with the ntop_initrc_exec_t type, if you want to transition an executable to the ntop_initrc_t domain.
++
++
++.EX
++.PP
++.B ntop_tmp_t 
++.EE
++
++- Set files with the ntop_tmp_t type, if you want to store ntop temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ntop_var_lib_t 
++.EE
++
++- Set files with the ntop_var_lib_t type, if you want to store the ntop files under the /var/lib directory.
++
++
++.EX
++.PP
++.B ntop_var_run_t 
++.EE
++
++- Set files with the ntop_var_run_t type, if you want to store the ntop files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible.
++.PP 
++The following port types are defined for ntop:
++
++.EX
++.TP 5
++.B ntop_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible.
++.PP 
++The following process types are defined for ntop:
++
++.EX
++.B ntop_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ntop(8), semanage(8), restorecon(8), chcon(1)
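Review bot: The PORT TYPES section gives `tcp 8021` as the "Default Defined Ports" for ntop_port_t, and the identical value reappears for ntp_port_t in ntpd_selinux.8 and for openvpn_port_t in openvpn_selinux.8 (whose hunk runs past the visible lines). Three unrelated services sharing one port, with NTP conventionally on UDP 123, suggests genman.py emits a fixed value rather than the ports the policy assigns to each type. An administrator who labels ports or writes firewall rules from these pages would pick the wrong port, so the generator should read each type's ports from the policy, or the line should be replaced with a pointer such as `Run "semanage port -l" for the ports assigned to this type.` until it does. The same block also carries a second `.EE` with no matching `.EX` and a `.TP 10` with no tag or body.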
+diff --git a/man/man8/ntpd_selinux.8 b/man/man8/ntpd_selinux.8
+new file mode 100644
+index 0000000..515419d
+--- /dev/null
++++ b/man/man8/ntpd_selinux.8
+@@ -0,0 +1,189 @@
++.TH  "ntpd_selinux"  "8"  "ntpd" "dwalsh at redhat.com" "ntpd SELinux Policy documentation"
++.SH "NAME"
++ntpd_selinux \- Security Enhanced Linux Policy for the ntpd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ntpd policy is very flexible allowing users to setup their ntpd processes in as secure a method as possible.
++.PP 
++The following file types are defined for ntpd:
++
++
++.EX
++.PP
++.B ntp_drift_t 
++.EE
++
++- Set files with the ntp_drift_t type, if you want to treat the files as ntp drift data.
++
++.br
++.TP 5
++Paths: 
++/var/lib/ntp(/.*)?, /etc/ntp/data(/.*)?
++
++.EX
++.PP
++.B ntpd_exec_t 
++.EE
++
++- Set files with the ntpd_exec_t type, if you want to transition an executable to the ntpd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/ntpd, /etc/cron\.(daily|weekly)/ntp-server, /etc/cron\.(daily|weekly)/ntp-simple
++
++.EX
++.PP
++.B ntpd_initrc_exec_t 
++.EE
++
++- Set files with the ntpd_initrc_exec_t type, if you want to transition an executable to the ntpd_initrc_t domain.
++
++
++.EX
++.PP
++.B ntpd_key_t 
++.EE
++
++- Set files with the ntpd_key_t type, if you want to treat the files as ntpd key data.
++
++.br
++.TP 5
++Paths: 
++/etc/ntp/crypto(/.*)?, /etc/ntp/keys
++
++.EX
++.PP
++.B ntpd_log_t 
++.EE
++
++- Set files with the ntpd_log_t type, if you want to treat the data as ntpd log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/ntpstats(/.*)?, /var/log/xntpd.*, /var/log/ntp.*
++
++.EX
++.PP
++.B ntpd_tmp_t 
++.EE
++
++- Set files with the ntpd_tmp_t type, if you want to store ntpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ntpd_tmpfs_t 
++.EE
++
++- Set files with the ntpd_tmpfs_t type, if you want to store ntpd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B ntpd_unit_file_t 
++.EE
++
++- Set files with the ntpd_unit_file_t type, if you want to treat the files as ntpd unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/ntpd\.service, /usr/lib/systemd/system/ntpd\.service
++
++.EX
++.PP
++.B ntpd_var_run_t 
++.EE
++
++- Set files with the ntpd_var_run_t type, if you want to store the ntpd files under the /run directory.
++
++
++.EX
++.PP
++.B ntpdate_exec_t 
++.EE
++
++- Set files with the ntpdate_exec_t type, if you want to transition an executable to the ntpdate_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux ntpd policy is very flexible allowing users to setup their ntpd processes in as secure a method as possible.
++.PP 
++The following port types are defined for ntpd:
++
++.EX
++.TP 5
++.B ntp_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ntpd policy is very flexible allowing users to setup their ntpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for ntpd:
++
++.EX
++.B ntpd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ntpd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/numad_selinux.8 b/man/man8/numad_selinux.8
+new file mode 100644
+index 0000000..7a63255
+--- /dev/null
++++ b/man/man8/numad_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "numad_selinux"  "8"  "numad" "dwalsh at redhat.com" "numad SELinux Policy documentation"
++.SH "NAME"
++numad_selinux \- Security Enhanced Linux Policy for the numad processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B numad
++(policy for numad)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux numad policy is very flexible allowing users to setup their numad processes in as secure a method as possible.
++.PP 
++The following file types are defined for numad:
++
++
++.EX
++.PP
++.B numad_exec_t 
++.EE
++
++- Set files with the numad_exec_t type, if you want to transition an executable to the numad_t domain.
++
++
++.EX
++.PP
++.B numad_unit_file_t 
++.EE
++
++- Set files with the numad_unit_file_t type, if you want to treat the files as numad unit content.
++
++
++.EX
++.PP
++.B numad_var_log_t 
++.EE
++
++- Set files with the numad_var_log_t type, if you want to treat the data as numad var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B numad_var_run_t 
++.EE
++
++- Set files with the numad_var_run_t type, if you want to store the numad files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux numad policy is very flexible allowing users to setup their numad processes in as secure a method as possible.
++.PP 
++The following process types are defined for numad:
++
++.EX
++.B numad_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), numad(8), semanage(8), restorecon(8), chcon(1)
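Review bot: The lines ending in `\fBls\bP` (FILE CONTEXTS) and `\fBps\bP` (PROCESS TYPES) close the bold run with `\b`, which is not a font escape, so the command name is not rendered as intended; they should read `\fBls\fP` and `\fBps\fP`. The same two lines appear in every generated page visible in this patch (ntop, ntpd, nut, nx, obex, oddjob, openct, openvpn), so the correction belongs in the genman.py template rather than in each page.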
+diff --git a/man/man8/nut_selinux.8 b/man/man8/nut_selinux.8
+new file mode 100644
+index 0000000..fe354e5
+--- /dev/null
++++ b/man/man8/nut_selinux.8
+@@ -0,0 +1,113 @@
++.TH  "nut_selinux"  "8"  "nut" "dwalsh at redhat.com" "nut SELinux Policy documentation"
++.SH "NAME"
++nut_selinux \- Security Enhanced Linux Policy for the nut processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B nut
++(nut - Network UPS Tools )
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux nut policy is very flexible allowing users to setup their nut processes in as secure a method as possible.
++.PP 
++The following file types are defined for nut:
++
++
++.EX
++.PP
++.B nut_conf_t 
++.EE
++
++- Set files with the nut_conf_t type, if you want to treat the files as nut configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B nut_upsd_exec_t 
++.EE
++
++- Set files with the nut_upsd_exec_t type, if you want to transition an executable to the nut_upsd_t domain.
++
++
++.EX
++.PP
++.B nut_upsdrvctl_exec_t 
++.EE
++
++- Set files with the nut_upsdrvctl_exec_t type, if you want to transition an executable to the nut_upsdrvctl_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/upsdrvctl, /sbin/upsdrvctl
++
++.EX
++.PP
++.B nut_upsmon_exec_t 
++.EE
++
++- Set files with the nut_upsmon_exec_t type, if you want to transition an executable to the nut_upsmon_t domain.
++
++
++.EX
++.PP
++.B nut_var_run_t 
++.EE
++
++- Set files with the nut_var_run_t type, if you want to store the nut files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nut policy is very flexible allowing users to setup their nut processes in as secure a method as possible.
++.PP 
++The following process types are defined for nut:
++
++.EX
++.B nut_upsd_t, nut_upsmon_t, nut_upsdrvctl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), nut(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/nx_selinux.8 b/man/man8/nx_selinux.8
+new file mode 100644
+index 0000000..ef2c5aa
+--- /dev/null
++++ b/man/man8/nx_selinux.8
+@@ -0,0 +1,121 @@
++.TH  "nx_selinux"  "8"  "nx" "dwalsh at redhat.com" "nx SELinux Policy documentation"
++.SH "NAME"
++nx_selinux \- Security Enhanced Linux Policy for the nx processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B nx
++(NX remote desktop)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux nx policy is very flexible allowing users to setup their nx processes in as secure a method as possible.
++.PP 
++The following file types are defined for nx:
++
++
++.EX
++.PP
++.B nx_server_exec_t 
++.EE
++
++- Set files with the nx_server_exec_t type, if you want to transition an executable to the nx_server_t domain.
++
++.br
++.TP 5
++Paths: 
++/opt/NX/bin/nxserver, /usr/NX/bin/nxserver, /usr/libexec/nx/nxserver
++
++.EX
++.PP
++.B nx_server_home_ssh_t 
++.EE
++
++- Set files with the nx_server_home_ssh_t type, if you want to treat the files as nx server home ssh data.
++
++.br
++.TP 5
++Paths: 
++/opt/NX/home/nx/\.ssh(/.*)?, /usr/NX/home/nx/\.ssh(/.*)?, /var/lib/nxserver/home/.ssh(/.*)?
++
++.EX
++.PP
++.B nx_server_tmp_t 
++.EE
++
++- Set files with the nx_server_tmp_t type, if you want to store nx server temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nx_server_var_lib_t 
++.EE
++
++- Set files with the nx_server_var_lib_t type, if you want to store the nx server files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/usr/NX/home(/.*)?, /opt/NX/home(/.*)?, /var/lib/nxserver(/.*)?
++
++.EX
++.PP
++.B nx_server_var_run_t 
++.EE
++
++- Set files with the nx_server_var_run_t type, if you want to store the nx server files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nx policy is very flexible allowing users to setup their nx processes in as secure a method as possible.
++.PP 
++The following process types are defined for nx:
++
++.EX
++.B nx_server_t, nx_server_ssh_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), nx(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/nx_server_selinux.8 b/man/man8/nx_server_selinux.8
+new file mode 100644
+index 0000000..2746ea3
+--- /dev/null
++++ b/man/man8/nx_server_selinux.8
+@@ -0,0 +1,56 @@
++.TH  "nx_server_selinux"  "8"  "nx_server" "mgrepl at redhat.com" "nx_server SELinux Policy documentation"
++.SH "NAME"
++nx_server_r \- \fBnx_server user role\fP - Security Enhanced Linux Policy 
++
++.SH DESCRIPTION
++
++SELinux supports Roles Based Access Control, some Linux roles are login roles, while other roles need to be transition to. 
++
++Note: The examples in the man page will user the staff_u user.
++
++Non login roles are usually used for administrative tasks.
++
++Roles usually have default types assigned to them. 
++
++The default type for the nx_server_r role is nx_server_t.
++
++You can use the 
++.B newrole 
++program to transition directly to this role.
++
++.B newrole -r nx_server_r -t nx_server_t
++
++.B sudo 
++can also be setup to transition to this role using the visudo command.
++
++USERNAME ALL=(ALL) ROLE=nx_server_r TYPE=nx_server_t COMMAND
++.br
++sudo will run COMMAND as staff_u:nx_server_r:nx_server_t:LEVEL
++
++If you want to use a non login role, you need to make sure the SELinux user you are using can reach this role.
++
++You can see all of the assigned SELinux roles using the following
++
++.B semanage user -l
++
++If you wanted to add nx_server_r to the staff_u user, you would execute:
++
++.B $ semanage user -m -R 'staff_r nx_server_r' staff_u 
++
++
++.SH "COMMANDS"
++
++.B semanage login
++can also be used to manipulate the Linux User to SELinux User mappings
++
++.B semanage user
++can also be used to manipulate SELinux user definitions.
++
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genuserman.py.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8).
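Review bot: The example `semanage user -m -R 'staff_r nx_server_r' staff_u` needs a caveat, because as far as I know `-R` sets the complete role list rather than appending to it. Run as written, it would drop any other roles staff_u currently has, so the page should tell the reader to check the existing roles with `semanage user -l` and include them in the `-R` argument. The NAME line also says `nx_server_r` while the `.TH` line and the file name say `nx_server_selinux`, which affects how `man -k` and `whatis` index the page. There are two wording slips in DESCRIPTION: "will user the staff_u user" and "need to be transition to".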
+diff --git a/man/man8/obex_selinux.8 b/man/man8/obex_selinux.8
+new file mode 100644
+index 0000000..a6b6598
+--- /dev/null
++++ b/man/man8/obex_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "obex_selinux"  "8"  "obex" "dwalsh at redhat.com" "obex SELinux Policy documentation"
++.SH "NAME"
++obex_selinux \- Security Enhanced Linux Policy for the obex processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B obex
++(SELinux policy for obex-data-server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux obex policy is very flexible allowing users to setup their obex processes in as secure a method as possible.
++.PP 
++The following file types are defined for obex:
++
++
++.EX
++.PP
++.B obex_exec_t 
++.EE
++
++- Set files with the obex_exec_t type, if you want to transition an executable to the obex_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux obex policy is very flexible allowing users to setup their obex processes in as secure a method as possible.
++.PP 
++The following process types are defined for obex:
++
++.EX
++.B obex_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), obex(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/oddjob_selinux.8 b/man/man8/oddjob_selinux.8
+new file mode 100644
+index 0000000..88a1ce7
+--- /dev/null
++++ b/man/man8/oddjob_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "oddjob_selinux"  "8"  "oddjob" "dwalsh at redhat.com" "oddjob SELinux Policy documentation"
++.SH "NAME"
++oddjob_selinux \- Security Enhanced Linux Policy for the oddjob processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B oddjob
++(
++Oddjob provides a mechanism by which unprivileged applications can
++request that specified privileged operations be performed on their
++behalf.
++)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux oddjob policy is very flexible allowing users to setup their oddjob processes in as secure a method as possible.
++.PP 
++The following file types are defined for oddjob:
++
++
++.EX
++.PP
++.B oddjob_exec_t 
++.EE
++
++- Set files with the oddjob_exec_t type, if you want to transition an executable to the oddjob_t domain.
++
++
++.EX
++.PP
++.B oddjob_mkhomedir_exec_t 
++.EE
++
++- Set files with the oddjob_mkhomedir_exec_t type, if you want to transition an executable to the oddjob_mkhomedir_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/libexec/oddjob/mkhomedir, /usr/lib/oddjob/mkhomedir
++
++.EX
++.PP
++.B oddjob_var_run_t 
++.EE
++
++- Set files with the oddjob_var_run_t type, if you want to store the oddjob files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux oddjob policy is very flexible allowing users to setup their oddjob processes in as secure a method as possible.
++.PP 
++The following process types are defined for oddjob:
++
++.EX
++.B oddjob_mkhomedir_t, oddjob_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), oddjob(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/openct_selinux.8 b/man/man8/openct_selinux.8
+new file mode 100644
+index 0000000..b21e586
+--- /dev/null
++++ b/man/man8/openct_selinux.8
+@@ -0,0 +1,89 @@
++.TH  "openct_selinux"  "8"  "openct" "dwalsh at redhat.com" "openct SELinux Policy documentation"
++.SH "NAME"
++openct_selinux \- Security Enhanced Linux Policy for the openct processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B openct
++(Service for handling smart card readers)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux openct policy is very flexible allowing users to setup their openct processes in as secure a method as possible.
++.PP 
++The following file types are defined for openct:
++
++
++.EX
++.PP
++.B openct_exec_t 
++.EE
++
++- Set files with the openct_exec_t type, if you want to transition an executable to the openct_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/ifdhandler, /usr/sbin/openct-control
++
++.EX
++.PP
++.B openct_var_run_t 
++.EE
++
++- Set files with the openct_var_run_t type, if you want to store the openct files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux openct policy is very flexible allowing users to setup their openct processes in as secure a method as possible.
++.PP 
++The following process types are defined for openct:
++
++.EX
++.B openct_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), openct(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/openvpn_selinux.8 b/man/man8/openvpn_selinux.8
+new file mode 100644
+index 0000000..9a9b8b8
+--- /dev/null
++++ b/man/man8/openvpn_selinux.8
+@@ -0,0 +1,166 @@
++.TH  "openvpn_selinux"  "8"  "openvpn" "dwalsh at redhat.com" "openvpn SELinux Policy documentation"
++.SH "NAME"
++openvpn_selinux \- Security Enhanced Linux Policy for the openvpn processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B openvpn
++(full-featured SSL VPN solution)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  openvpn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openvpn with the tightest access possible.
++
++
++.PP
++If you want to allow openvpn to read home directorie, you must turn on the openvpn_enable_homedirs boolean.
++
++.EX
++.B setsebool -P openvpn_enable_homedirs 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible.
++.PP 
++The following file types are defined for openvpn:
++
++
++.EX
++.PP
++.B openvpn_etc_rw_t 
++.EE
++
++- Set files with the openvpn_etc_rw_t type, if you want to treat the files as openvpn etc read/write content.
++
++
++.EX
++.PP
++.B openvpn_etc_t 
++.EE
++
++- Set files with the openvpn_etc_t type, if you want to store openvpn files in the /etc directories.
++
++
++.EX
++.PP
++.B openvpn_exec_t 
++.EE
++
++- Set files with the openvpn_exec_t type, if you want to transition an executable to the openvpn_t domain.
++
++
++.EX
++.PP
++.B openvpn_initrc_exec_t 
++.EE
++
++- Set files with the openvpn_initrc_exec_t type, if you want to transition an executable to the openvpn_initrc_t domain.
++
++
++.EX
++.PP
++.B openvpn_tmp_t 
++.EE
++
++- Set files with the openvpn_tmp_t type, if you want to store openvpn temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B openvpn_var_log_t 
++.EE
++
++- Set files with the openvpn_var_log_t type, if you want to treat the data as openvpn var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B openvpn_var_run_t 
++.EE
++
++- Set files with the openvpn_var_run_t type, if you want to store the openvpn files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible.
++.PP 
++The following port types are defined for openvpn:
++
++.EX
++.TP 5
++.B openvpn_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible.
++.PP 
++The following process types are defined for openvpn:
++
++.EX
++.B openvpn_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), openvpn(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
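Review bot: The `Default Defined Ports:` entry under `openvpn_port_t` in PORT TYPES reads `tcp 8021`, and the identical value is printed for `pegasus_http_port_t`, `pegasus_https_port_t` and `pingd_port_t` in the pegasus, ping and pingd pages later in this patch. That suggests genman.py is emitting one stale value rather than the ports actually bound to each type. An administrator who labels ports or writes firewall rules from these pages would be working from the wrong number. The generator should look up each type's ports from the policy (the data `semanage port -l` prints) or omit the line when it has none. The same block opens `.EX` once but closes `.EE` twice, with an empty `.TP 10` in between, which is worth fixing in the same template.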
+diff --git a/man/man8/pacemaker_selinux.8 b/man/man8/pacemaker_selinux.8
+new file mode 100644
+index 0000000..a43fb5b
+--- /dev/null
++++ b/man/man8/pacemaker_selinux.8
+@@ -0,0 +1,113 @@
++.TH  "pacemaker_selinux"  "8"  "pacemaker" "dwalsh at redhat.com" "pacemaker SELinux Policy documentation"
++.SH "NAME"
++pacemaker_selinux \- Security Enhanced Linux Policy for the pacemaker processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B pacemaker
++(policy for pacemaker)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux pacemaker policy is very flexible allowing users to setup their pacemaker processes in as secure a method as possible.
++.PP 
++The following file types are defined for pacemaker:
++
++
++.EX
++.PP
++.B pacemaker_exec_t 
++.EE
++
++- Set files with the pacemaker_exec_t type, if you want to transition an executable to the pacemaker_t domain.
++
++
++.EX
++.PP
++.B pacemaker_initrc_exec_t 
++.EE
++
++- Set files with the pacemaker_initrc_exec_t type, if you want to transition an executable to the pacemaker_initrc_t domain.
++
++
++.EX
++.PP
++.B pacemaker_unit_file_t 
++.EE
++
++- Set files with the pacemaker_unit_file_t type, if you want to treat the files as pacemaker unit content.
++
++
++.EX
++.PP
++.B pacemaker_var_lib_t 
++.EE
++
++- Set files with the pacemaker_var_lib_t type, if you want to store the pacemaker files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/pengine(/.*)?, /var/lib/heartbeat/crm(/.*)?
++
++.EX
++.PP
++.B pacemaker_var_run_t 
++.EE
++
++- Set files with the pacemaker_var_run_t type, if you want to store the pacemaker files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pacemaker policy is very flexible allowing users to setup their pacemaker processes in as secure a method as possible.
++.PP 
++The following process types are defined for pacemaker:
++
++.EX
++.B pacemaker_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), pacemaker(8), semanage(8), restorecon(8), chcon(1)
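Review bot: The `\-Z` sentences in FILE CONTEXTS and PROCESS TYPES end the bold run with `\bP` (`\fBls\bP`, `\fBps\bP`), which is not a font-change escape, so the bold run is never closed. The template should emit `\fBls\fP` and `\fBps\fP`. The same two lines appear in every *_selinux.8 page in this part of the patch, including the openvpn page above. The DESCRIPTION text `SELinux Linux secures` also repeats a word in each page that has it. Since the pages are produced by genman.py, the fix belongs in the generator rather than in the individual files.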
+diff --git a/man/man8/pads_selinux.8 b/man/man8/pads_selinux.8
+new file mode 100644
+index 0000000..f2bc8e8
+--- /dev/null
++++ b/man/man8/pads_selinux.8
+@@ -0,0 +1,105 @@
++.TH  "pads_selinux"  "8"  "pads" "dwalsh at redhat.com" "pads SELinux Policy documentation"
++.SH "NAME"
++pads_selinux \- Security Enhanced Linux Policy for the pads processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B pads
++(Passive Asset Detection System)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux pads policy is very flexible allowing users to setup their pads processes in as secure a method as possible.
++.PP 
++The following file types are defined for pads:
++
++
++.EX
++.PP
++.B pads_config_t 
++.EE
++
++- Set files with the pads_config_t type, if you want to treat the files as pads configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/etc/pads-assets.csv, /etc/pads-ether-codes, /etc/pads\.conf, /etc/pads-signature-list
++
++.EX
++.PP
++.B pads_exec_t 
++.EE
++
++- Set files with the pads_exec_t type, if you want to transition an executable to the pads_t domain.
++
++
++.EX
++.PP
++.B pads_initrc_exec_t 
++.EE
++
++- Set files with the pads_initrc_exec_t type, if you want to transition an executable to the pads_initrc_t domain.
++
++
++.EX
++.PP
++.B pads_var_run_t 
++.EE
++
++- Set files with the pads_var_run_t type, if you want to store the pads files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pads policy is very flexible allowing users to setup their pads processes in as secure a method as possible.
++.PP 
++The following process types are defined for pads:
++
++.EX
++.B pads_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), pads(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/passenger_selinux.8 b/man/man8/passenger_selinux.8
+new file mode 100644
+index 0000000..872ce91
+--- /dev/null
++++ b/man/man8/passenger_selinux.8
+@@ -0,0 +1,117 @@
++.TH  "passenger_selinux"  "8"  "passenger" "dwalsh at redhat.com" "passenger SELinux Policy documentation"
++.SH "NAME"
++passenger_selinux \- Security Enhanced Linux Policy for the passenger processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B passenger
++(Ruby on rails deployment for Apache and Nginx servers)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux passenger policy is very flexible allowing users to setup their passenger processes in as secure a method as possible.
++.PP 
++The following file types are defined for passenger:
++
++
++.EX
++.PP
++.B passenger_exec_t 
++.EE
++
++- Set files with the passenger_exec_t type, if you want to transition an executable to the passenger_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent, /usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent, /usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog, /usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable
++
++.EX
++.PP
++.B passenger_log_t 
++.EE
++
++- Set files with the passenger_log_t type, if you want to treat the data as passenger log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/passenger.*, /var/log/passenger(/.*)?
++
++.EX
++.PP
++.B passenger_tmp_t 
++.EE
++
++- Set files with the passenger_tmp_t type, if you want to store passenger temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B passenger_var_lib_t 
++.EE
++
++- Set files with the passenger_var_lib_t type, if you want to store the passenger files under the /var/lib directory.
++
++
++.EX
++.PP
++.B passenger_var_run_t 
++.EE
++
++- Set files with the passenger_var_run_t type, if you want to store the passenger files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux passenger policy is very flexible allowing users to setup their passenger processes in as secure a method as possible.
++.PP 
++The following process types are defined for passenger:
++
++.EX
++.B passenger_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), passenger(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/passwd_selinux.8 b/man/man8/passwd_selinux.8
+new file mode 100644
+index 0000000..71d4cc4
+--- /dev/null
++++ b/man/man8/passwd_selinux.8
+@@ -0,0 +1,87 @@
++.TH  "passwd_selinux"  "8"  "passwd" "dwalsh at redhat.com" "passwd SELinux Policy documentation"
++.SH "NAME"
++passwd_selinux \- Security Enhanced Linux Policy for the passwd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux passwd policy is very flexible allowing users to setup their passwd processes in as secure a method as possible.
++.PP 
++The following file types are defined for passwd:
++
++
++.EX
++.PP
++.B passwd_exec_t 
++.EE
++
++- Set files with the passwd_exec_t type, if you want to transition an executable to the passwd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/passwd, /usr/bin/chage
++
++.EX
++.PP
++.B passwd_file_t 
++.EE
++
++- Set files with the passwd_file_t type, if you want to treat the files as passwd content.
++
++.br
++.TP 5
++Paths: 
++/etc/passwd\.OLD, /etc/ptmptmp, /etc/passwd-?, /etc/group-?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux passwd policy is very flexible allowing users to setup their passwd processes in as secure a method as possible.
++.PP 
++The following process types are defined for passwd:
++
++.EX
++.B passwd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), passwd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/pcscd_selinux.8 b/man/man8/pcscd_selinux.8
+new file mode 100644
+index 0000000..07f91c9
+--- /dev/null
++++ b/man/man8/pcscd_selinux.8
+@@ -0,0 +1,89 @@
++.TH  "pcscd_selinux"  "8"  "pcscd" "dwalsh at redhat.com" "pcscd SELinux Policy documentation"
++.SH "NAME"
++pcscd_selinux \- Security Enhanced Linux Policy for the pcscd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B pcscd
++(PCSC smart card service)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux pcscd policy is very flexible allowing users to setup their pcscd processes in as secure a method as possible.
++.PP 
++The following file types are defined for pcscd:
++
++
++.EX
++.PP
++.B pcscd_exec_t 
++.EE
++
++- Set files with the pcscd_exec_t type, if you want to transition an executable to the pcscd_t domain.
++
++
++.EX
++.PP
++.B pcscd_var_run_t 
++.EE
++
++- Set files with the pcscd_var_run_t type, if you want to store the pcscd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/pcscd\.pid, /var/run/pcscd\.comm, /var/run/pcscd\.events(/.*)?, /var/run/pcscd\.pub, /var/run/pcscd(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pcscd policy is very flexible allowing users to setup their pcscd processes in as secure a method as possible.
++.PP 
++The following process types are defined for pcscd:
++
++.EX
++.B pcscd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), pcscd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/pegasus_selinux.8 b/man/man8/pegasus_selinux.8
+new file mode 100644
+index 0000000..b015c87
+--- /dev/null
++++ b/man/man8/pegasus_selinux.8
+@@ -0,0 +1,162 @@
++.TH  "pegasus_selinux"  "8"  "pegasus" "dwalsh at redhat.com" "pegasus SELinux Policy documentation"
++.SH "NAME"
++pegasus_selinux \- Security Enhanced Linux Policy for the pegasus processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B pegasus
++(The Open Group Pegasus CIM/WBEM Server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux pegasus policy is very flexible allowing users to setup their pegasus processes in as secure a method as possible.
++.PP 
++The following file types are defined for pegasus:
++
++
++.EX
++.PP
++.B pegasus_conf_t 
++.EE
++
++- Set files with the pegasus_conf_t type, if you want to treat the files as pegasus configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B pegasus_data_t 
++.EE
++
++- Set files with the pegasus_data_t type, if you want to treat the files as pegasus content.
++
++.br
++.TP 5
++Paths: 
++/etc/Pegasus/pegasus_current\.conf, /var/lib/Pegasus(/.*)?
++
++.EX
++.PP
++.B pegasus_exec_t 
++.EE
++
++- Set files with the pegasus_exec_t type, if you want to transition an executable to the pegasus_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/init_repository, /usr/sbin/cimserver
++
++.EX
++.PP
++.B pegasus_mof_t 
++.EE
++
++- Set files with the pegasus_mof_t type, if you want to treat the files as pegasus mof data.
++
++
++.EX
++.PP
++.B pegasus_tmp_t 
++.EE
++
++- Set files with the pegasus_tmp_t type, if you want to store pegasus temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B pegasus_var_run_t 
++.EE
++
++- Set files with the pegasus_var_run_t type, if you want to store the pegasus files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux pegasus policy is very flexible allowing users to setup their pegasus processes in as secure a method as possible.
++.PP 
++The following port types are defined for pegasus:
++
++.EX
++.TP 5
++.B pegasus_http_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B pegasus_https_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pegasus policy is very flexible allowing users to setup their pegasus processes in as secure a method as possible.
++.PP 
++The following process types are defined for pegasus:
++
++.EX
++.B pegasus_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), pegasus(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ping_selinux.8 b/man/man8/ping_selinux.8
+new file mode 100644
+index 0000000..bda0235
+--- /dev/null
++++ b/man/man8/ping_selinux.8
+@@ -0,0 +1,148 @@
++.TH  "ping_selinux"  "8"  "ping" "dwalsh at redhat.com" "ping SELinux Policy documentation"
++.SH "NAME"
++ping_selinux \- Security Enhanced Linux Policy for the ping processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  ping policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ping with the tightest access possible.
++
++
++.PP
++If you want to control users use of ping and tracerout, you must turn on the user_ping boolean.
++
++.EX
++.B setsebool -P user_ping 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible.
++.PP 
++The following file types are defined for ping:
++
++
++.EX
++.PP
++.B ping_exec_t 
++.EE
++
++- Set files with the ping_exec_t type, if you want to transition an executable to the ping_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/ping.*, /usr/sbin/hping2, /usr/sbin/fping.*, /bin/ping.*, /usr/sbin/send_arp
++
++.EX
++.PP
++.B pingd_etc_t 
++.EE
++
++- Set files with the pingd_etc_t type, if you want to store pingd files in the /etc directories.
++
++
++.EX
++.PP
++.B pingd_exec_t 
++.EE
++
++- Set files with the pingd_exec_t type, if you want to transition an executable to the pingd_t domain.
++
++
++.EX
++.PP
++.B pingd_initrc_exec_t 
++.EE
++
++- Set files with the pingd_initrc_exec_t type, if you want to transition an executable to the pingd_initrc_t domain.
++
++
++.EX
++.PP
++.B pingd_modules_t 
++.EE
++
++- Set files with the pingd_modules_t type, if you want to treat the files as pingd modules.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible.
++.PP 
++The following port types are defined for ping:
++
++.EX
++.TP 5
++.B pingd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible.
++.PP 
++The following process types are defined for ping:
++
++.EX
++.B ping_t, pingd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ping(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/pingd_selinux.8 b/man/man8/pingd_selinux.8
+new file mode 100644
+index 0000000..1259587
+--- /dev/null
++++ b/man/man8/pingd_selinux.8
+@@ -0,0 +1,154 @@
++.TH  "pingd_selinux"  "8"  "pingd" "dwalsh at redhat.com" "pingd SELinux Policy documentation"
++.SH "NAME"
++pingd_selinux \- Security Enhanced Linux Policy for the pingd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B pingd
++(Pingd of the Whatsup cluster node up/down detection utility)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  pingd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pingd with the tightest access possible.
++
++
++.PP
++If you want to control users use of ping and tracerout, you must turn on the user_ping boolean.
++
++.EX
++.B setsebool -P user_ping 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible.
++.PP 
++The following file types are defined for pingd:
++
++
++.EX
++.PP
++.B ping_exec_t 
++.EE
++
++- Set files with the ping_exec_t type, if you want to transition an executable to the ping_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/ping.*, /usr/sbin/hping2, /usr/sbin/fping.*, /bin/ping.*, /usr/sbin/send_arp
++
++.EX
++.PP
++.B pingd_etc_t 
++.EE
++
++- Set files with the pingd_etc_t type, if you want to store pingd files in the /etc directories.
++
++
++.EX
++.PP
++.B pingd_exec_t 
++.EE
++
++- Set files with the pingd_exec_t type, if you want to transition an executable to the pingd_t domain.
++
++
++.EX
++.PP
++.B pingd_initrc_exec_t 
++.EE
++
++- Set files with the pingd_initrc_exec_t type, if you want to transition an executable to the pingd_initrc_t domain.
++
++
++.EX
++.PP
++.B pingd_modules_t 
++.EE
++
++- Set files with the pingd_modules_t type, if you want to treat the files as pingd modules.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible.
++.PP 
++The following port types are defined for pingd:
++
++.EX
++.TP 5
++.B pingd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible.
++.PP 
++The following process types are defined for pingd:
++
++.EX
++.B ping_t, pingd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), pingd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/piranha_selinux.8 b/man/man8/piranha_selinux.8
+new file mode 100644
+index 0000000..cbd1451
+--- /dev/null
++++ b/man/man8/piranha_selinux.8
+@@ -0,0 +1,238 @@
++.TH  "piranha_selinux"  "8"  "piranha" "dwalsh at redhat.com" "piranha SELinux Policy documentation"
++.SH "NAME"
++piranha_selinux \- Security Enhanced Linux Policy for the piranha processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B piranha
++(policy for piranha)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  piranha policy is extremely flexible and has several booleans that allow you to manipulate the policy and run piranha with the tightest access possible.
++
++
++.PP
++If you want to allow piranha-lvs domain to connect to the network using TCP, you must turn on the piranha_lvs_can_network_connect boolean.
++
++.EX
++.B setsebool -P piranha_lvs_can_network_connect 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux piranha policy is very flexible allowing users to setup their piranha processes in as secure a method as possible.
++.PP 
++The following file types are defined for piranha:
++
++
++.EX
++.PP
++.B piranha_etc_rw_t 
++.EE
++
++- Set files with the piranha_etc_rw_t type, if you want to treat the files as piranha etc read/write content.
++
++
++.EX
++.PP
++.B piranha_fos_exec_t 
++.EE
++
++- Set files with the piranha_fos_exec_t type, if you want to transition an executable to the piranha_fos_t domain.
++
++
++.EX
++.PP
++.B piranha_fos_var_run_t 
++.EE
++
++- Set files with the piranha_fos_var_run_t type, if you want to store the piranha fos files under the /run directory.
++
++
++.EX
++.PP
++.B piranha_log_t 
++.EE
++
++- Set files with the piranha_log_t type, if you want to treat the data as piranha log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B piranha_lvs_exec_t 
++.EE
++
++- Set files with the piranha_lvs_exec_t type, if you want to transition an executable to the piranha_lvs_t domain.
++
++
++.EX
++.PP
++.B piranha_lvs_var_run_t 
++.EE
++
++- Set files with the piranha_lvs_var_run_t type, if you want to store the piranha lvs files under the /run directory.
++
++
++.EX
++.PP
++.B piranha_pulse_exec_t 
++.EE
++
++- Set files with the piranha_pulse_exec_t type, if you want to transition an executable to the piranha_pulse_t domain.
++
++
++.EX
++.PP
++.B piranha_pulse_initrc_exec_t 
++.EE
++
++- Set files with the piranha_pulse_initrc_exec_t type, if you want to transition an executable to the piranha_pulse_initrc_t domain.
++
++
++.EX
++.PP
++.B piranha_pulse_var_run_t 
++.EE
++
++- Set files with the piranha_pulse_var_run_t type, if you want to store the piranha pulse files under the /run directory.
++
++
++.EX
++.PP
++.B piranha_web_conf_t 
++.EE
++
++- Set files with the piranha_web_conf_t type, if you want to treat the files as piranha web configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/luci/etc(/.*)?, /var/lib/luci/cert(/.*)?
++
++.EX
++.PP
++.B piranha_web_data_t 
++.EE
++
++- Set files with the piranha_web_data_t type, if you want to treat the files as piranha web content.
++
++
++.EX
++.PP
++.B piranha_web_exec_t 
++.EE
++
++- Set files with the piranha_web_exec_t type, if you want to transition an executable to the piranha_web_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/piranha_gui, /usr/bin/paster
++
++.EX
++.PP
++.B piranha_web_tmp_t 
++.EE
++
++- Set files with the piranha_web_tmp_t type, if you want to store piranha web temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B piranha_web_tmpfs_t 
++.EE
++
++- Set files with the piranha_web_tmpfs_t type, if you want to store piranha web files on a tmpfs file system.
++
++
++.EX
++.PP
++.B piranha_web_var_run_t 
++.EE
++
++- Set files with the piranha_web_var_run_t type, if you want to store the piranha web files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux piranha policy is very flexible allowing users to setup their piranha processes in as secure a method as possible.
++.PP 
++The following port types are defined for piranha:
++
++.EX
++.TP 5
++.B piranha_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux piranha policy is very flexible allowing users to setup their piranha processes in as secure a method as possible.
++.PP 
++The following process types are defined for piranha:
++
++.EX
++.B piranha_pulse_t, piranha_fos_t, piranha_lvs_t, piranha_web_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), piranha(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/pki_selinux.8 b/man/man8/pki_selinux.8
+new file mode 100644
+index 0000000..2272c46
+--- /dev/null
++++ b/man/man8/pki_selinux.8
+@@ -0,0 +1,504 @@
++.TH  "pki_selinux"  "8"  "pki" "dwalsh at redhat.com" "pki SELinux Policy documentation"
++.SH "NAME"
++pki_selinux \- Security Enhanced Linux Policy for the pki processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux pki policy is very flexible allowing users to setup their pki processes in as secure a method as possible.
++.PP 
++The following file types are defined for pki:
++
++
++.EX
++.PP
++.B pki_ca_etc_rw_t 
++.EE
++
++- Set files with the pki_ca_etc_rw_t type, if you want to treat the files as pki ca etc read/write content.
++
++.br
++.TP 5
++Paths: 
++/etc/pki-ca(/.*)?, /etc/sysconfig/pki/ca(/.*)?
++
++.EX
++.PP
++.B pki_ca_exec_t 
++.EE
++
++- Set files with the pki_ca_exec_t type, if you want to transition an executable to the pki_ca_t domain.
++
++
++.EX
++.PP
++.B pki_ca_log_t 
++.EE
++
++- Set files with the pki_ca_log_t type, if you want to treat the data as pki ca log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pki_ca_tomcat_exec_t 
++.EE
++
++- Set files with the pki_ca_tomcat_exec_t type, if you want to transition an executable to the pki_ca_tomcat_t domain.
++
++
++.EX
++.PP
++.B pki_ca_var_lib_t 
++.EE
++
++- Set files with the pki_ca_var_lib_t type, if you want to store the pki ca files under the /var/lib directory.
++
++
++.EX
++.PP
++.B pki_ca_var_run_t 
++.EE
++
++- Set files with the pki_ca_var_run_t type, if you want to store the pki ca files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/pki-ca.pid, /var/run/pki/ca(/.*)?
++
++.EX
++.PP
++.B pki_common_dev_t 
++.EE
++
++- Set files with the pki_common_dev_t type, if you want to treat the files as pki common dev data.
++
++
++.EX
++.PP
++.B pki_common_t 
++.EE
++
++- Set files with the pki_common_t type, if you want to treat the files as pki common data.
++
++
++.EX
++.PP
++.B pki_kra_etc_rw_t 
++.EE
++
++- Set files with the pki_kra_etc_rw_t type, if you want to treat the files as pki kra etc read/write content.
++
++.br
++.TP 5
++Paths: 
++/etc/pki-kra(/.*)?, /etc/sysconfig/pki/kra(/.*)?
++
++.EX
++.PP
++.B pki_kra_exec_t 
++.EE
++
++- Set files with the pki_kra_exec_t type, if you want to transition an executable to the pki_kra_t domain.
++
++
++.EX
++.PP
++.B pki_kra_log_t 
++.EE
++
++- Set files with the pki_kra_log_t type, if you want to treat the data as pki kra log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pki_kra_tomcat_exec_t 
++.EE
++
++- Set files with the pki_kra_tomcat_exec_t type, if you want to transition an executable to the pki_kra_tomcat_t domain.
++
++
++.EX
++.PP
++.B pki_kra_var_lib_t 
++.EE
++
++- Set files with the pki_kra_var_lib_t type, if you want to store the pki kra files under the /var/lib directory.
++
++
++.EX
++.PP
++.B pki_kra_var_run_t 
++.EE
++
++- Set files with the pki_kra_var_run_t type, if you want to store the pki kra files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/pki-kra.pid, /var/run/pki/kra(/.*)?
++
++.EX
++.PP
++.B pki_ocsp_etc_rw_t 
++.EE
++
++- Set files with the pki_ocsp_etc_rw_t type, if you want to treat the files as pki ocsp etc read/write content.
++
++.br
++.TP 5
++Paths: 
++/etc/pki-ocsp(/.*)?, /etc/sysconfig/pki/ocsp(/.*)?
++
++.EX
++.PP
++.B pki_ocsp_exec_t 
++.EE
++
++- Set files with the pki_ocsp_exec_t type, if you want to transition an executable to the pki_ocsp_t domain.
++
++
++.EX
++.PP
++.B pki_ocsp_log_t 
++.EE
++
++- Set files with the pki_ocsp_log_t type, if you want to treat the data as pki ocsp log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pki_ocsp_tomcat_exec_t 
++.EE
++
++- Set files with the pki_ocsp_tomcat_exec_t type, if you want to transition an executable to the pki_ocsp_tomcat_t domain.
++
++
++.EX
++.PP
++.B pki_ocsp_var_lib_t 
++.EE
++
++- Set files with the pki_ocsp_var_lib_t type, if you want to store the pki ocsp files under the /var/lib directory.
++
++
++.EX
++.PP
++.B pki_ocsp_var_run_t 
++.EE
++
++- Set files with the pki_ocsp_var_run_t type, if you want to store the pki ocsp files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/pki-ocsp.pid, /var/run/pki/ocsp(/.*)?
++
++.EX
++.PP
++.B pki_ra_etc_rw_t 
++.EE
++
++- Set files with the pki_ra_etc_rw_t type, if you want to treat the files as pki ra etc read/write content.
++
++.br
++.TP 5
++Paths: 
++/etc/sysconfig/pki/ra(/.*)?, /etc/pki-ra(/.*)?
++
++.EX
++.PP
++.B pki_ra_exec_t 
++.EE
++
++- Set files with the pki_ra_exec_t type, if you want to transition an executable to the pki_ra_t domain.
++
++
++.EX
++.PP
++.B pki_ra_log_t 
++.EE
++
++- Set files with the pki_ra_log_t type, if you want to treat the data as pki ra log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pki_ra_script_exec_t 
++.EE
++
++- Set files with the pki_ra_script_exec_t type, if you want to transition an executable to the pki_ra_script_t domain.
++
++
++.EX
++.PP
++.B pki_ra_tomcat_exec_t 
++.EE
++
++- Set files with the pki_ra_tomcat_exec_t type, if you want to transition an executable to the pki_ra_tomcat_t domain.
++
++
++.EX
++.PP
++.B pki_ra_var_lib_t 
++.EE
++
++- Set files with the pki_ra_var_lib_t type, if you want to store the pki ra files under the /var/lib directory.
++
++
++.EX
++.PP
++.B pki_ra_var_run_t 
++.EE
++
++- Set files with the pki_ra_var_run_t type, if you want to store the pki ra files under the /run directory.
++
++
++.EX
++.PP
++.B pki_tks_etc_rw_t 
++.EE
++
++- Set files with the pki_tks_etc_rw_t type, if you want to treat the files as pki tks etc read/write content.
++
++.br
++.TP 5
++Paths: 
++/etc/sysconfig/pki/tks(/.*)?, /etc/pki-tks(/.*)?
++
++.EX
++.PP
++.B pki_tks_exec_t 
++.EE
++
++- Set files with the pki_tks_exec_t type, if you want to transition an executable to the pki_tks_t domain.
++
++
++.EX
++.PP
++.B pki_tks_log_t 
++.EE
++
++- Set files with the pki_tks_log_t type, if you want to treat the data as pki tks log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pki_tks_tomcat_exec_t 
++.EE
++
++- Set files with the pki_tks_tomcat_exec_t type, if you want to transition an executable to the pki_tks_tomcat_t domain.
++
++
++.EX
++.PP
++.B pki_tks_var_lib_t 
++.EE
++
++- Set files with the pki_tks_var_lib_t type, if you want to store the pki tks files under the /var/lib directory.
++
++
++.EX
++.PP
++.B pki_tks_var_run_t 
++.EE
++
++- Set files with the pki_tks_var_run_t type, if you want to store the pki tks files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/pki-tks.pid, /var/run/pki/tks(/.*)?
++
++.EX
++.PP
++.B pki_tps_etc_rw_t 
++.EE
++
++- Set files with the pki_tps_etc_rw_t type, if you want to treat the files as pki tps etc read/write content.
++
++.br
++.TP 5
++Paths: 
++/etc/sysconfig/pki/tps(/.*)?, /etc/pki-tps(/.*)?
++
++.EX
++.PP
++.B pki_tps_exec_t 
++.EE
++
++- Set files with the pki_tps_exec_t type, if you want to transition an executable to the pki_tps_t domain.
++
++
++.EX
++.PP
++.B pki_tps_log_t 
++.EE
++
++- Set files with the pki_tps_log_t type, if you want to treat the data as pki tps log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pki_tps_script_exec_t 
++.EE
++
++- Set files with the pki_tps_script_exec_t type, if you want to transition an executable to the pki_tps_script_t domain.
++
++
++.EX
++.PP
++.B pki_tps_tomcat_exec_t 
++.EE
++
++- Set files with the pki_tps_tomcat_exec_t type, if you want to transition an executable to the pki_tps_tomcat_t domain.
++
++
++.EX
++.PP
++.B pki_tps_var_lib_t 
++.EE
++
++- Set files with the pki_tps_var_lib_t type, if you want to store the pki tps files under the /var/lib directory.
++
++
++.EX
++.PP
++.B pki_tps_var_run_t 
++.EE
++
++- Set files with the pki_tps_var_run_t type, if you want to store the pki tps files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux pki policy is very flexible allowing users to setup their pki processes in as secure a method as possible.
++.PP 
++The following port types are defined for pki:
++
++.EX
++.TP 5
++.B pki_ca_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B pki_kra_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B pki_ocsp_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B pki_ra_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B pki_tks_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B pki_tps_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pki policy is very flexible allowing users to setup their pki processes in as secure a method as possible.
++.PP 
++The following process types are defined for pki:
++
++.EX
++.B pki_ca_t, pki_ra_t, pki_ca_script_t, pki_ocsp_t, pki_kra_t, pki_tks_t, pki_tps_t, pki_ocsp_script_t, pki_kra_script_t, pki_tks_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), pki(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/plymouth_selinux.8 b/man/man8/plymouth_selinux.8
+new file mode 100644
+index 0000000..581c9cb
+--- /dev/null
++++ b/man/man8/plymouth_selinux.8
+@@ -0,0 +1,119 @@
++.TH  "plymouth_selinux"  "8"  "plymouth" "dwalsh at redhat.com" "plymouth SELinux Policy documentation"
++.SH "NAME"
++plymouth_selinux \- Security Enhanced Linux Policy for the plymouth processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux plymouth policy is very flexible allowing users to setup their plymouth processes in as secure a method as possible.
++.PP 
++The following file types are defined for plymouth:
++
++
++.EX
++.PP
++.B plymouth_exec_t 
++.EE
++
++- Set files with the plymouth_exec_t type, if you want to transition an executable to the plymouth_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/plymouth, /bin/plymouth
++
++.EX
++.PP
++.B plymouthd_exec_t 
++.EE
++
++- Set files with the plymouthd_exec_t type, if you want to transition an executable to the plymouthd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/plymouthd, /sbin/plymouthd
++
++.EX
++.PP
++.B plymouthd_spool_t 
++.EE
++
++- Set files with the plymouthd_spool_t type, if you want to store the plymouthd files under the /var/spool directory.
++
++
++.EX
++.PP
++.B plymouthd_var_lib_t 
++.EE
++
++- Set files with the plymouthd_var_lib_t type, if you want to store the plymouthd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B plymouthd_var_log_t 
++.EE
++
++- Set files with the plymouthd_var_log_t type, if you want to treat the data as plymouthd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B plymouthd_var_run_t 
++.EE
++
++- Set files with the plymouthd_var_run_t type, if you want to store the plymouthd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux plymouth policy is very flexible allowing users to setup their plymouth processes in as secure a method as possible.
++.PP 
++The following process types are defined for plymouth:
++
++.EX
++.B plymouth_t, plymouthd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), plymouth(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/plymouthd_selinux.8 b/man/man8/plymouthd_selinux.8
+new file mode 100644
+index 0000000..a9addd8
+--- /dev/null
++++ b/man/man8/plymouthd_selinux.8
+@@ -0,0 +1,125 @@
++.TH  "plymouthd_selinux"  "8"  "plymouthd" "dwalsh at redhat.com" "plymouthd SELinux Policy documentation"
++.SH "NAME"
++plymouthd_selinux \- Security Enhanced Linux Policy for the plymouthd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B plymouthd
++(Plymouth graphical boot)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux plymouthd policy is very flexible allowing users to setup their plymouthd processes in as secure a method as possible.
++.PP 
++The following file types are defined for plymouthd:
++
++
++.EX
++.PP
++.B plymouth_exec_t 
++.EE
++
++- Set files with the plymouth_exec_t type, if you want to transition an executable to the plymouth_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/plymouth, /bin/plymouth
++
++.EX
++.PP
++.B plymouthd_exec_t 
++.EE
++
++- Set files with the plymouthd_exec_t type, if you want to transition an executable to the plymouthd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/plymouthd, /sbin/plymouthd
++
++.EX
++.PP
++.B plymouthd_spool_t 
++.EE
++
++- Set files with the plymouthd_spool_t type, if you want to store the plymouthd files under the /var/spool directory.
++
++
++.EX
++.PP
++.B plymouthd_var_lib_t 
++.EE
++
++- Set files with the plymouthd_var_lib_t type, if you want to store the plymouthd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B plymouthd_var_log_t 
++.EE
++
++- Set files with the plymouthd_var_log_t type, if you want to treat the data as plymouthd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B plymouthd_var_run_t 
++.EE
++
++- Set files with the plymouthd_var_run_t type, if you want to store the plymouthd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux plymouthd policy is very flexible allowing users to setup their plymouthd processes in as secure a method as possible.
++.PP 
++The following process types are defined for plymouthd:
++
++.EX
++.B plymouth_t, plymouthd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), plymouthd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/podsleuth_selinux.8 b/man/man8/podsleuth_selinux.8
+new file mode 100644
+index 0000000..413dd33
+--- /dev/null
++++ b/man/man8/podsleuth_selinux.8
+@@ -0,0 +1,105 @@
++.TH  "podsleuth_selinux"  "8"  "podsleuth" "dwalsh at redhat.com" "podsleuth SELinux Policy documentation"
++.SH "NAME"
++podsleuth_selinux \- Security Enhanced Linux Policy for the podsleuth processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B podsleuth
++(Podsleuth is a tool to get information about an Apple (TM) iPod (TM))
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux podsleuth policy is very flexible allowing users to setup their podsleuth processes in as secure a method as possible.
++.PP 
++The following file types are defined for podsleuth:
++
++
++.EX
++.PP
++.B podsleuth_cache_t 
++.EE
++
++- Set files with the podsleuth_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B podsleuth_exec_t 
++.EE
++
++- Set files with the podsleuth_exec_t type, if you want to transition an executable to the podsleuth_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/podsleuth, /usr/libexec/hal-podsleuth
++
++.EX
++.PP
++.B podsleuth_tmp_t 
++.EE
++
++- Set files with the podsleuth_tmp_t type, if you want to store podsleuth temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B podsleuth_tmpfs_t 
++.EE
++
++- Set files with the podsleuth_tmpfs_t type, if you want to store podsleuth files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux podsleuth policy is very flexible allowing users to setup their podsleuth processes in as secure a method as possible.
++.PP 
++The following process types are defined for podsleuth:
++
++.EX
++.B podsleuth_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), podsleuth(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/policykit_selinux.8 b/man/man8/policykit_selinux.8
+new file mode 100644
+index 0000000..b14cbf9
+--- /dev/null
++++ b/man/man8/policykit_selinux.8
+@@ -0,0 +1,153 @@
++.TH  "policykit_selinux"  "8"  "policykit" "dwalsh at redhat.com" "policykit SELinux Policy documentation"
++.SH "NAME"
++policykit_selinux \- Security Enhanced Linux Policy for the policykit processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B policykit
++(Policy framework for controlling privileges for system-wide services)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux policykit policy is very flexible allowing users to setup their policykit processes in as secure a method as possible.
++.PP 
++The following file types are defined for policykit:
++
++
++.EX
++.PP
++.B policykit_auth_exec_t 
++.EE
++
++- Set files with the policykit_auth_exec_t type, if you want to transition an executable to the policykit_auth_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/libexec/polkit-read-auth-helper, /usr/lib/policykit/polkit-read-auth-helper, /usr/libexec/polkit-1/polkit-agent-helper-1
++
++.EX
++.PP
++.B policykit_exec_t 
++.EE
++
++- Set files with the policykit_exec_t type, if you want to transition an executable to the policykit_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/libexec/polkitd.*, /usr/libexec/polkit-1/polkitd.*, /usr/lib/policykit/polkitd
++
++.EX
++.PP
++.B policykit_grant_exec_t 
++.EE
++
++- Set files with the policykit_grant_exec_t type, if you want to transition an executable to the policykit_grant_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/libexec/polkit-grant-helper.*, /usr/lib/policykit/polkit-grant-helper.*
++
++.EX
++.PP
++.B policykit_reload_t 
++.EE
++
++- Set files with the policykit_reload_t type, if you want to treat the files as policykit reload data.
++
++
++.EX
++.PP
++.B policykit_resolve_exec_t 
++.EE
++
++- Set files with the policykit_resolve_exec_t type, if you want to transition an executable to the policykit_resolve_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/policykit/polkit-resolve-exe-helper.*, /usr/libexec/polkit-resolve-exe-helper.*
++
++.EX
++.PP
++.B policykit_tmp_t 
++.EE
++
++- Set files with the policykit_tmp_t type, if you want to store policykit temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B policykit_var_lib_t 
++.EE
++
++- Set files with the policykit_var_lib_t type, if you want to store the policykit files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/PolicyKit-public(/.*)?, /var/lib/PolicyKit(/.*)?, /var/lib/polkit-1(/.*)?
++
++.EX
++.PP
++.B policykit_var_run_t 
++.EE
++
++- Set files with the policykit_var_run_t type, if you want to store the policykit files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux policykit policy is very flexible allowing users to setup their policykit processes in as secure a method as possible.
++.PP 
++The following process types are defined for policykit:
++
++.EX
++.B policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), policykit(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/polipo_selinux.8 b/man/man8/polipo_selinux.8
+new file mode 100644
+index 0000000..ada080b
+--- /dev/null
++++ b/man/man8/polipo_selinux.8
+@@ -0,0 +1,191 @@
++.TH  "polipo_selinux"  "8"  "polipo" "dwalsh at redhat.com" "polipo SELinux Policy documentation"
++.SH "NAME"
++polipo_selinux \- Security Enhanced Linux Policy for the polipo processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B polipo
++(Caching web proxy)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  polipo policy is extremely flexible and has several booleans that allow you to manipulate the policy and run polipo with the tightest access possible.
++
++
++.PP
++If you want to allow polipo to connect to all ports > 102, you must turn on the polipo_connect_all_unreserved boolean.
++
++.EX
++.B setsebool -P polipo_connect_all_unreserved 1
++.EE
++
++.PP
++If you want to determine whether polipo can access cifs file systems, you must turn on the polipo_use_cifs boolean.
++
++.EX
++.B setsebool -P polipo_use_cifs 1
++.EE
++
++.PP
++If you want to determine whether Polipo session daemon can send syslog messages, you must turn on the polipo_session_send_syslog_msg boolean.
++
++.EX
++.B setsebool -P polipo_session_send_syslog_msg 1
++.EE
++
++.PP
++If you want to determine whether Polipo session daemon can bind tcp sockets to all unreserved ports, you must turn on the polipo_session_bind_all_unreserved_ports boolean.
++
++.EX
++.B setsebool -P polipo_session_bind_all_unreserved_ports 1
++.EE
++
++.PP
++If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean.
++
++.EX
++.B setsebool -P polipo_session_users 1
++.EE
++
++.PP
++If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean.
++
++.EX
++.B setsebool -P polipo_use_nfs 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux polipo policy is very flexible allowing users to setup their polipo processes in as secure a method as possible.
++.PP 
++The following file types are defined for polipo:
++
++
++.EX
++.PP
++.B polipo_cache_home_t 
++.EE
++
++- Set files with the polipo_cache_home_t type, if you want to store polipo cache files in the users home directory.
++
++
++.EX
++.PP
++.B polipo_cache_t 
++.EE
++
++- Set files with the polipo_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B polipo_config_home_t 
++.EE
++
++- Set files with the polipo_config_home_t type, if you want to store polipo config files in the users home directory.
++
++
++.EX
++.PP
++.B polipo_etc_t 
++.EE
++
++- Set files with the polipo_etc_t type, if you want to store polipo files in the /etc directories.
++
++
++.EX
++.PP
++.B polipo_exec_t 
++.EE
++
++- Set files with the polipo_exec_t type, if you want to transition an executable to the polipo_t domain.
++
++
++.EX
++.PP
++.B polipo_initrc_exec_t 
++.EE
++
++- Set files with the polipo_initrc_exec_t type, if you want to transition an executable to the polipo_initrc_t domain.
++
++
++.EX
++.PP
++.B polipo_log_t 
++.EE
++
++- Set files with the polipo_log_t type, if you want to treat the data as polipo log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B polipo_pid_t 
++.EE
++
++- Set files with the polipo_pid_t type, if you want to store the polipo files under the /run directory.
++
++
++.EX
++.PP
++.B polipo_unit_file_t 
++.EE
++
++- Set files with the polipo_unit_file_t type, if you want to treat the files as polipo unit content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux polipo policy is very flexible allowing users to setup their polipo processes in as secure a method as possible.
++.PP 
++The following process types are defined for polipo:
++
++.EX
++.B polipo_t, polipo_session_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), polipo(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/portmap_selinux.8 b/man/man8/portmap_selinux.8
+new file mode 100644
+index 0000000..7513001
+--- /dev/null
++++ b/man/man8/portmap_selinux.8
+@@ -0,0 +1,150 @@
++.TH  "portmap_selinux"  "8"  "portmap" "dwalsh at redhat.com" "portmap SELinux Policy documentation"
++.SH "NAME"
++portmap_selinux \- Security Enhanced Linux Policy for the portmap processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B portmap
++(RPC port mapping service)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  portmap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run portmap with the tightest access possible.
++
++
++.PP
++If you want to allow samba to act as a portmappe, you must turn on the samba_portmapper boolean.
++
++.EX
++.B setsebool -P samba_portmapper 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux portmap policy is very flexible allowing users to setup their portmap processes in as secure a method as possible.
++.PP 
++The following file types are defined for portmap:
++
++
++.EX
++.PP
++.B portmap_exec_t 
++.EE
++
++- Set files with the portmap_exec_t type, if you want to transition an executable to the portmap_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/portmap, /usr/sbin/portmap
++
++.EX
++.PP
++.B portmap_helper_exec_t 
++.EE
++
++- Set files with the portmap_helper_exec_t type, if you want to transition an executable to the portmap_helper_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/pmap_set, /usr/sbin/pmap_dump
++
++.EX
++.PP
++.B portmap_tmp_t 
++.EE
++
++- Set files with the portmap_tmp_t type, if you want to store portmap temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B portmap_var_run_t 
++.EE
++
++- Set files with the portmap_var_run_t type, if you want to store the portmap files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux portmap policy is very flexible allowing users to setup their portmap processes in as secure a method as possible.
++.PP 
++The following port types are defined for portmap:
++
++.EX
++.TP 5
++.B portmap_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux portmap policy is very flexible allowing users to setup their portmap processes in as secure a method as possible.
++.PP 
++The following process types are defined for portmap:
++
++.EX
++.B portmap_helper_t, portmap_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), portmap(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/portreserve_selinux.8 b/man/man8/portreserve_selinux.8
+new file mode 100644
+index 0000000..909a5da
+--- /dev/null
++++ b/man/man8/portreserve_selinux.8
+@@ -0,0 +1,105 @@
++.TH  "portreserve_selinux"  "8"  "portreserve" "dwalsh at redhat.com" "portreserve SELinux Policy documentation"
++.SH "NAME"
++portreserve_selinux \- Security Enhanced Linux Policy for the portreserve processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B portreserve
++(Reserve well-known ports in the RPC port range)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux portreserve policy is very flexible allowing users to setup their portreserve processes in as secure a method as possible.
++.PP 
++The following file types are defined for portreserve:
++
++
++.EX
++.PP
++.B portreserve_etc_t 
++.EE
++
++- Set files with the portreserve_etc_t type, if you want to store portreserve files in the /etc directories.
++
++
++.EX
++.PP
++.B portreserve_exec_t 
++.EE
++
++- Set files with the portreserve_exec_t type, if you want to transition an executable to the portreserve_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/portreserve, /sbin/portreserve
++
++.EX
++.PP
++.B portreserve_initrc_exec_t 
++.EE
++
++- Set files with the portreserve_initrc_exec_t type, if you want to transition an executable to the portreserve_initrc_t domain.
++
++
++.EX
++.PP
++.B portreserve_var_run_t 
++.EE
++
++- Set files with the portreserve_var_run_t type, if you want to store the portreserve files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux portreserve policy is very flexible allowing users to setup their portreserve processes in as secure a method as possible.
++.PP 
++The following process types are defined for portreserve:
++
++.EX
++.B portreserve_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), portreserve(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/postfix_selinux.8 b/man/man8/postfix_selinux.8
+new file mode 100644
+index 0000000..bb778bf
+--- /dev/null
++++ b/man/man8/postfix_selinux.8
+@@ -0,0 +1,422 @@
++.TH  "postfix_selinux"  "8"  "postfix" "dwalsh at redhat.com" "postfix SELinux Policy documentation"
++.SH "NAME"
++postfix_selinux \- Security Enhanced Linux Policy for the postfix processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B postfix
++(Postfix email server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  postfix policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix with the tightest access possible.
++
++
++.PP
++If you want to allow postfix_local domain full write access to mail_spool directorie, you must turn on the allow_postfix_local_write_mail_spool boolean.
++
++.EX
++.B setsebool -P allow_postfix_local_write_mail_spool 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux postfix policy is very flexible allowing users to setup their postfix processes in as secure a method as possible.
++.PP 
++The following file types are defined for postfix:
++
++
++.EX
++.PP
++.B postfix_bounce_exec_t 
++.EE
++
++- Set files with the postfix_bounce_exec_t type, if you want to transition an executable to the postfix_bounce_t domain.
++
++
++.EX
++.PP
++.B postfix_bounce_tmp_t 
++.EE
++
++- Set files with the postfix_bounce_tmp_t type, if you want to store postfix bounce temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B postfix_cleanup_exec_t 
++.EE
++
++- Set files with the postfix_cleanup_exec_t type, if you want to transition an executable to the postfix_cleanup_t domain.
++
++
++.EX
++.PP
++.B postfix_cleanup_tmp_t 
++.EE
++
++- Set files with the postfix_cleanup_tmp_t type, if you want to store postfix cleanup temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B postfix_data_t 
++.EE
++
++- Set files with the postfix_data_t type, if you want to treat the files as postfix content.
++
++
++.EX
++.PP
++.B postfix_etc_t 
++.EE
++
++- Set files with the postfix_etc_t type, if you want to store postfix files in the /etc directories.
++
++
++.EX
++.PP
++.B postfix_exec_t 
++.EE
++
++- Set files with the postfix_exec_t type, if you want to transition an executable to the postfix_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/postfix/postfix-script.*, /usr/libexec/postfix/.*
++
++.EX
++.PP
++.B postfix_initrc_exec_t 
++.EE
++
++- Set files with the postfix_initrc_exec_t type, if you want to transition an executable to the postfix_initrc_t domain.
++
++
++.EX
++.PP
++.B postfix_keytab_t 
++.EE
++
++- Set files with the postfix_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B postfix_local_exec_t 
++.EE
++
++- Set files with the postfix_local_exec_t type, if you want to transition an executable to the postfix_local_t domain.
++
++
++.EX
++.PP
++.B postfix_local_tmp_t 
++.EE
++
++- Set files with the postfix_local_tmp_t type, if you want to store postfix local temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B postfix_map_exec_t 
++.EE
++
++- Set files with the postfix_map_exec_t type, if you want to transition an executable to the postfix_map_t domain.
++
++
++.EX
++.PP
++.B postfix_map_tmp_t 
++.EE
++
++- Set files with the postfix_map_tmp_t type, if you want to store postfix map temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B postfix_master_exec_t 
++.EE
++
++- Set files with the postfix_master_exec_t type, if you want to transition an executable to the postfix_master_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/postcat, /usr/sbin/postfix, /usr/libexec/postfix/master, /usr/sbin/postkick, /usr/sbin/postsuper, /usr/sbin/postalias, /usr/sbin/postlock, /usr/sbin/postlog
++
++.EX
++.PP
++.B postfix_pickup_exec_t 
++.EE
++
++- Set files with the postfix_pickup_exec_t type, if you want to transition an executable to the postfix_pickup_t domain.
++
++
++.EX
++.PP
++.B postfix_pickup_tmp_t 
++.EE
++
++- Set files with the postfix_pickup_tmp_t type, if you want to store postfix pickup temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B postfix_pipe_exec_t 
++.EE
++
++- Set files with the postfix_pipe_exec_t type, if you want to transition an executable to the postfix_pipe_t domain.
++
++
++.EX
++.PP
++.B postfix_pipe_tmp_t 
++.EE
++
++- Set files with the postfix_pipe_tmp_t type, if you want to store postfix pipe temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B postfix_postdrop_exec_t 
++.EE
++
++- Set files with the postfix_postdrop_exec_t type, if you want to transition an executable to the postfix_postdrop_t domain.
++
++
++.EX
++.PP
++.B postfix_postqueue_exec_t 
++.EE
++
++- Set files with the postfix_postqueue_exec_t type, if you want to transition an executable to the postfix_postqueue_t domain.
++
++
++.EX
++.PP
++.B postfix_private_t 
++.EE
++
++- Set files with the postfix_private_t type, if you want to treat the files as postfix private data.
++
++
++.EX
++.PP
++.B postfix_prng_t 
++.EE
++
++- Set files with the postfix_prng_t type, if you want to treat the files as postfix prng data.
++
++
++.EX
++.PP
++.B postfix_public_t 
++.EE
++
++- Set files with the postfix_public_t type, if you want to treat the files as postfix public data.
++
++
++.EX
++.PP
++.B postfix_qmgr_exec_t 
++.EE
++
++- Set files with the postfix_qmgr_exec_t type, if you want to transition an executable to the postfix_qmgr_t domain.
++
++
++.EX
++.PP
++.B postfix_qmgr_tmp_t 
++.EE
++
++- Set files with the postfix_qmgr_tmp_t type, if you want to store postfix qmgr temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B postfix_showq_exec_t 
++.EE
++
++- Set files with the postfix_showq_exec_t type, if you want to transition an executable to the postfix_showq_t domain.
++
++
++.EX
++.PP
++.B postfix_smtp_exec_t 
++.EE
++
++- Set files with the postfix_smtp_exec_t type, if you want to transition an executable to the postfix_smtp_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/libexec/postfix/smtp, /usr/libexec/postfix/scache, /usr/libexec/postfix/lmtp
++
++.EX
++.PP
++.B postfix_smtp_tmp_t 
++.EE
++
++- Set files with the postfix_smtp_tmp_t type, if you want to store postfix smtp temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B postfix_smtpd_exec_t 
++.EE
++
++- Set files with the postfix_smtpd_exec_t type, if you want to transition an executable to the postfix_smtpd_t domain.
++
++
++.EX
++.PP
++.B postfix_smtpd_tmp_t 
++.EE
++
++- Set files with the postfix_smtpd_tmp_t type, if you want to store postfix smtpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B postfix_spool_bounce_t 
++.EE
++
++- Set files with the postfix_spool_bounce_t type, if you want to treat the files as postfix spool bounce data.
++
++
++.EX
++.PP
++.B postfix_spool_flush_t 
++.EE
++
++- Set files with the postfix_spool_flush_t type, if you want to treat the files as postfix spool flush data.
++
++
++.EX
++.PP
++.B postfix_spool_maildrop_t 
++.EE
++
++- Set files with the postfix_spool_maildrop_t type, if you want to treat the files as postfix spool maildrop data.
++
++.br
++.TP 5
++Paths: 
++/var/spool/postfix/defer(/.*)?, /var/spool/postfix/deferred(/.*)?, /var/spool/postfix/maildrop(/.*)?
++
++.EX
++.PP
++.B postfix_spool_t 
++.EE
++
++- Set files with the postfix_spool_t type, if you want to store the postfix files under the /var/spool directory.
++
++
++.EX
++.PP
++.B postfix_var_run_t 
++.EE
++
++- Set files with the postfix_var_run_t type, if you want to store the postfix files under the /run directory.
++
++
++.EX
++.PP
++.B postfix_virtual_exec_t 
++.EE
++
++- Set files with the postfix_virtual_exec_t type, if you want to transition an executable to the postfix_virtual_t domain.
++
++
++.EX
++.PP
++.B postfix_virtual_tmp_t 
++.EE
++
++- Set files with the postfix_virtual_tmp_t type, if you want to store postfix virtual temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux postfix policy is very flexible allowing users to setup their postfix processes in as secure a method as possible.
++.PP 
++The following port types are defined for postfix:
++
++.EX
++.TP 5
++.B postfix_policyd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix policy is very flexible allowing users to setup their postfix processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix:
++
++.EX
++.B postfix_bounce_t, postfix_cleanup_t, postfix_showq_t, postfix_virtual_t, postfix_postdrop_t, postfix_postqueue_t, postfix_pipe_t, postfix_master_t, postfix_pickup_t, postfix_local_t, postfix_smtpd_t, postfix_qmgr_t, postfix_smtp_t, postfix_map_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), postfix(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/postgresql_selinux.8 b/man/man8/postgresql_selinux.8
+new file mode 100644
+index 0000000..da21d07
+--- /dev/null
++++ b/man/man8/postgresql_selinux.8
+@@ -0,0 +1,194 @@
++.TH  "postgresql_selinux"  "8"  "postgresql" "dwalsh at redhat.com" "postgresql SELinux Policy documentation"
++.SH "NAME"
++postgresql_selinux \- Security Enhanced Linux Policy for the postgresql processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B postgresql
++(PostgreSQL relational database)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  postgresql policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postgresql with the tightest access possible.
++
++
++.PP
++If you want to allow users to connect to PostgreSQ, you must turn on the allow_user_postgresql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_postgresql_connect 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux postgresql policy is very flexible allowing users to setup their postgresql processes in as secure a method as possible.
++.PP 
++The following file types are defined for postgresql:
++
++
++.EX
++.PP
++.B postgresql_db_t 
++.EE
++
++- Set files with the postgresql_db_t type, if you want to treat the files as postgresql database content.
++
++.br
++.TP 5
++Paths: 
++/var/lib/pgsql/data(/.*)?, /usr/share/jonas/pgsql(/.*)?, /var/lib/postgres(ql)?(/.*)?, /var/lib/sepgsql(/.*)?, /usr/lib/pgsql/test/regress(/.*)?
++
++.EX
++.PP
++.B postgresql_etc_t 
++.EE
++
++- Set files with the postgresql_etc_t type, if you want to store postgresql files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/sysconfig/pgsql(/.*)?, /etc/postgresql(/.*)?
++
++.EX
++.PP
++.B postgresql_exec_t 
++.EE
++
++- Set files with the postgresql_exec_t type, if you want to transition an executable to the postgresql_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/(se)?postgres, /usr/lib/postgresql/bin/.*, /usr/lib/pgsql/test/regress/pg_regress, /usr/bin/initdb(\.sepgsql)?
++
++.EX
++.PP
++.B postgresql_initrc_exec_t 
++.EE
++
++- Set files with the postgresql_initrc_exec_t type, if you want to transition an executable to the postgresql_initrc_t domain.
++
++
++.EX
++.PP
++.B postgresql_lock_t 
++.EE
++
++- Set files with the postgresql_lock_t type, if you want to treat the files as postgresql lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B postgresql_log_t 
++.EE
++
++- Set files with the postgresql_log_t type, if you want to treat the data as postgresql log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/pgsql/logfile(/.*)?, /var/lib/pgsql/pgstartup\.log, /var/log/postgresql(/.*)?, /var/log/postgres\.log.*, /var/lib/sepgsql/pgstartup\.log, /var/log/rhdb/rhdb(/.*)?, /var/log/sepostgresql\.log.*
++
++.EX
++.PP
++.B postgresql_tmp_t 
++.EE
++
++- Set files with the postgresql_tmp_t type, if you want to store postgresql temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B postgresql_var_run_t 
++.EE
++
++- Set files with the postgresql_var_run_t type, if you want to store the postgresql files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/postmaster.*, /var/run/postgresql(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux postgresql policy is very flexible allowing users to setup their postgresql processes in as secure a method as possible.
++.PP 
++The following port types are defined for postgresql:
++
++.EX
++.TP 5
++.B postgresql_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postgresql policy is very flexible allowing users to setup their postgresql processes in as secure a method as possible.
++.PP 
++The following process types are defined for postgresql:
++
++.EX
++.B postgresql_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), postgresql(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/postgrey_selinux.8 b/man/man8/postgrey_selinux.8
+new file mode 100644
+index 0000000..0d3079a
+--- /dev/null
++++ b/man/man8/postgrey_selinux.8
+@@ -0,0 +1,147 @@
++.TH  "postgrey_selinux"  "8"  "postgrey" "dwalsh at redhat.com" "postgrey SELinux Policy documentation"
++.SH "NAME"
++postgrey_selinux \- Security Enhanced Linux Policy for the postgrey processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B postgrey
++(Postfix grey-listing server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux postgrey policy is very flexible allowing users to setup their postgrey processes in as secure a method as possible.
++.PP 
++The following file types are defined for postgrey:
++
++
++.EX
++.PP
++.B postgrey_etc_t 
++.EE
++
++- Set files with the postgrey_etc_t type, if you want to store postgrey files in the /etc directories.
++
++
++.EX
++.PP
++.B postgrey_exec_t 
++.EE
++
++- Set files with the postgrey_exec_t type, if you want to transition an executable to the postgrey_t domain.
++
++
++.EX
++.PP
++.B postgrey_initrc_exec_t 
++.EE
++
++- Set files with the postgrey_initrc_exec_t type, if you want to transition an executable to the postgrey_initrc_t domain.
++
++
++.EX
++.PP
++.B postgrey_spool_t 
++.EE
++
++- Set files with the postgrey_spool_t type, if you want to store the postgrey files under the /var/spool directory.
++
++
++.EX
++.PP
++.B postgrey_var_lib_t 
++.EE
++
++- Set files with the postgrey_var_lib_t type, if you want to store the postgrey files under the /var/lib directory.
++
++
++.EX
++.PP
++.B postgrey_var_run_t 
++.EE
++
++- Set files with the postgrey_var_run_t type, if you want to store the postgrey files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/postgrey\.pid, /var/run/postgrey(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux postgrey policy is very flexible allowing users to setup their postgrey processes in as secure a method as possible.
++.PP 
++The following port types are defined for postgrey:
++
++.EX
++.TP 5
++.B postgrey_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postgrey policy is very flexible allowing users to setup their postgrey processes in as secure a method as possible.
++.PP 
++The following process types are defined for postgrey:
++
++.EX
++.B postgrey_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), postgrey(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/pppd_selinux.8 b/man/man8/pppd_selinux.8
+new file mode 100644
+index 0000000..7b27311
+--- /dev/null
++++ b/man/man8/pppd_selinux.8
+@@ -0,0 +1,189 @@
++.TH  "pppd_selinux"  "8"  "pppd" "dwalsh at redhat.com" "pppd SELinux Policy documentation"
++.SH "NAME"
++pppd_selinux \- Security Enhanced Linux Policy for the pppd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  pppd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pppd with the tightest access possible.
++
++
++.PP
++If you want to allow pppd to be run for a regular use, you must turn on the pppd_for_user boolean.
++
++.EX
++.B setsebool -P pppd_for_user 1
++.EE
++
++.PP
++If you want to allow pppd to load kernel modules for certain modem, you must turn on the pppd_can_insmod boolean.
++
++.EX
++.B setsebool -P pppd_can_insmod 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux pppd policy is very flexible allowing users to setup their pppd processes in as secure a method as possible.
++.PP 
++The following file types are defined for pppd:
++
++
++.EX
++.PP
++.B pppd_etc_rw_t 
++.EE
++
++- Set files with the pppd_etc_rw_t type, if you want to treat the files as pppd etc read/write content.
++
++.br
++.TP 5
++Paths: 
++/etc/ppp(/.*)?, /etc/ppp/peers(/.*)?, /etc/ppp/resolv\.conf
++
++.EX
++.PP
++.B pppd_etc_t 
++.EE
++
++- Set files with the pppd_etc_t type, if you want to store pppd files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/ppp, /root/.ppprc
++
++.EX
++.PP
++.B pppd_exec_t 
++.EE
++
++- Set files with the pppd_exec_t type, if you want to transition an executable to the pppd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/pppd, /usr/sbin/ipppd, /usr/sbin/pppoe-server, /usr/sbin/ppp-watch, /sbin/pppoe-server, /sbin/ppp-watch
++
++.EX
++.PP
++.B pppd_initrc_exec_t 
++.EE
++
++- Set files with the pppd_initrc_exec_t type, if you want to transition an executable to the pppd_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/ppp, /etc/ppp/(auth|ip(v6|x)?)-(up|down)
++
++.EX
++.PP
++.B pppd_lock_t 
++.EE
++
++- Set files with the pppd_lock_t type, if you want to treat the files as pppd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B pppd_log_t 
++.EE
++
++- Set files with the pppd_log_t type, if you want to treat the data as pppd log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/ppp(/.*)?, /var/log/ppp-connect-errors.*
++
++.EX
++.PP
++.B pppd_secret_t 
++.EE
++
++- Set files with the pppd_secret_t type, if you want to treat the files as pppd se secret data.
++
++
++.EX
++.PP
++.B pppd_tmp_t 
++.EE
++
++- Set files with the pppd_tmp_t type, if you want to store pppd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B pppd_unit_file_t 
++.EE
++
++- Set files with the pppd_unit_file_t type, if you want to treat the files as pppd unit content.
++
++
++.EX
++.PP
++.B pppd_var_run_t 
++.EE
++
++- Set files with the pppd_var_run_t type, if you want to store the pppd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/pppd[0-9]*\.tdb, /var/run/ppp(/.*)?, /var/run/(i)?ppp.*pid[^/]*
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pppd policy is very flexible allowing users to setup their pppd processes in as secure a method as possible.
++.PP 
++The following process types are defined for pppd:
++
++.EX
++.B pppd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), pppd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/pptp_selinux.8 b/man/man8/pptp_selinux.8
+new file mode 100644
+index 0000000..4f2fc1c
+--- /dev/null
++++ b/man/man8/pptp_selinux.8
+@@ -0,0 +1,113 @@
++.TH  "pptp_selinux"  "8"  "pptp" "dwalsh at redhat.com" "pptp SELinux Policy documentation"
++.SH "NAME"
++pptp_selinux \- Security Enhanced Linux Policy for the pptp processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux pptp policy is very flexible allowing users to setup their pptp processes in as secure a method as possible.
++.PP 
++The following file types are defined for pptp:
++
++
++.EX
++.PP
++.B pptp_exec_t 
++.EE
++
++- Set files with the pptp_exec_t type, if you want to transition an executable to the pptp_t domain.
++
++
++.EX
++.PP
++.B pptp_log_t 
++.EE
++
++- Set files with the pptp_log_t type, if you want to treat the data as pptp log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pptp_var_run_t 
++.EE
++
++- Set files with the pptp_var_run_t type, if you want to store the pptp files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux pptp policy is very flexible allowing users to setup their pptp processes in as secure a method as possible.
++.PP 
++The following port types are defined for pptp:
++
++.EX
++.TP 5
++.B pptp_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pptp policy is very flexible allowing users to setup their pptp processes in as secure a method as possible.
++.PP 
++The following process types are defined for pptp:
++
++.EX
++.B pptp_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), pptp(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/prelink_selinux.8 b/man/man8/prelink_selinux.8
+new file mode 100644
+index 0000000..0be2626
+--- /dev/null
++++ b/man/man8/prelink_selinux.8
+@@ -0,0 +1,133 @@
++.TH  "prelink_selinux"  "8"  "prelink" "dwalsh at redhat.com" "prelink SELinux Policy documentation"
++.SH "NAME"
++prelink_selinux \- Security Enhanced Linux Policy for the prelink processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B prelink
++(Prelink ELF shared library mappings)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux prelink policy is very flexible allowing users to setup their prelink processes in as secure a method as possible.
++.PP 
++The following file types are defined for prelink:
++
++
++.EX
++.PP
++.B prelink_cache_t 
++.EE
++
++- Set files with the prelink_cache_t type, if you want to store the files under the /var/cache directory.
++
++
++.EX
++.PP
++.B prelink_cron_system_exec_t 
++.EE
++
++- Set files with the prelink_cron_system_exec_t type, if you want to transition an executable to the prelink_cron_system_t domain.
++
++
++.EX
++.PP
++.B prelink_exec_t 
++.EE
++
++- Set files with the prelink_exec_t type, if you want to transition an executable to the prelink_t domain.
++
++
++.EX
++.PP
++.B prelink_log_t 
++.EE
++
++- Set files with the prelink_log_t type, if you want to treat the data as prelink log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/prelink(/.*)?, /var/log/prelink\.log
++
++.EX
++.PP
++.B prelink_tmp_t 
++.EE
++
++- Set files with the prelink_tmp_t type, if you want to store prelink temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B prelink_tmpfs_t 
++.EE
++
++- Set files with the prelink_tmpfs_t type, if you want to store prelink files on a tmpfs file system.
++
++
++.EX
++.PP
++.B prelink_var_lib_t 
++.EE
++
++- Set files with the prelink_var_lib_t type, if you want to store the prelink files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/prelink(/.*)?, /var/lib/misc/prelink.*
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux prelink policy is very flexible allowing users to setup their prelink processes in as secure a method as possible.
++.PP 
++The following process types are defined for prelink:
++
++.EX
++.B prelink_cron_system_t, prelink_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), prelink(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/prelude_selinux.8 b/man/man8/prelude_selinux.8
+new file mode 100644
+index 0000000..3955442
+--- /dev/null
++++ b/man/man8/prelude_selinux.8
+@@ -0,0 +1,211 @@
++.TH  "prelude_selinux"  "8"  "prelude" "dwalsh at redhat.com" "prelude SELinux Policy documentation"
++.SH "NAME"
++prelude_selinux \- Security Enhanced Linux Policy for the prelude processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B prelude
++(Prelude hybrid intrusion detection system)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux prelude policy is very flexible allowing users to setup their prelude processes in as secure a method as possible.
++.PP 
++The following file types are defined for prelude:
++
++
++.EX
++.PP
++.B prelude_audisp_exec_t 
++.EE
++
++- Set files with the prelude_audisp_exec_t type, if you want to transition an executable to the prelude_audisp_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/audisp-prelude, /usr/sbin/audisp-prelude
++
++.EX
++.PP
++.B prelude_audisp_var_run_t 
++.EE
++
++- Set files with the prelude_audisp_var_run_t type, if you want to store the prelude audisp files under the /run directory.
++
++
++.EX
++.PP
++.B prelude_correlator_config_t 
++.EE
++
++- Set files with the prelude_correlator_config_t type, if you want to treat the files as prelude correlator configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B prelude_correlator_exec_t 
++.EE
++
++- Set files with the prelude_correlator_exec_t type, if you want to transition an executable to the prelude_correlator_t domain.
++
++
++.EX
++.PP
++.B prelude_exec_t 
++.EE
++
++- Set files with the prelude_exec_t type, if you want to transition an executable to the prelude_t domain.
++
++
++.EX
++.PP
++.B prelude_initrc_exec_t 
++.EE
++
++- Set files with the prelude_initrc_exec_t type, if you want to transition an executable to the prelude_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/prelude-correlator, /etc/rc\.d/init\.d/prelude-manager, /etc/rc\.d/init\.d/prelude-lml
++
++.EX
++.PP
++.B prelude_lml_exec_t 
++.EE
++
++- Set files with the prelude_lml_exec_t type, if you want to transition an executable to the prelude_lml_t domain.
++
++
++.EX
++.PP
++.B prelude_lml_tmp_t 
++.EE
++
++- Set files with the prelude_lml_tmp_t type, if you want to store prelude lml temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B prelude_lml_var_run_t 
++.EE
++
++- Set files with the prelude_lml_var_run_t type, if you want to store the prelude lml files under the /run directory.
++
++
++.EX
++.PP
++.B prelude_log_t 
++.EE
++
++- Set files with the prelude_log_t type, if you want to treat the data as prelude log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B prelude_spool_t 
++.EE
++
++- Set files with the prelude_spool_t type, if you want to store the prelude files under the /var/spool directory.
++
++.br
++.TP 5
++Paths: 
++/var/spool/prelude(/.*)?, /var/spool/prelude-manager(/.*)?
++
++.EX
++.PP
++.B prelude_var_lib_t 
++.EE
++
++- Set files with the prelude_var_lib_t type, if you want to store the prelude files under the /var/lib directory.
++
++
++.EX
++.PP
++.B prelude_var_run_t 
++.EE
++
++- Set files with the prelude_var_run_t type, if you want to store the prelude files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux prelude policy is very flexible allowing users to setup their prelude processes in as secure a method as possible.
++.PP 
++The following port types are defined for prelude:
++
++.EX
++.TP 5
++.B prelude_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux prelude policy is very flexible allowing users to setup their prelude processes in as secure a method as possible.
++.PP 
++The following process types are defined for prelude:
++
++.EX
++.B prelude_lml_t, prelude_t, prelude_audisp_t, prelude_correlator_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), prelude(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/privoxy_selinux.8 b/man/man8/privoxy_selinux.8
+new file mode 100644
+index 0000000..4371077
+--- /dev/null
++++ b/man/man8/privoxy_selinux.8
+@@ -0,0 +1,124 @@
++.TH  "privoxy_selinux"  "8"  "privoxy" "dwalsh at redhat.com" "privoxy SELinux Policy documentation"
++.SH "NAME"
++privoxy_selinux \- Security Enhanced Linux Policy for the privoxy processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B privoxy
++(Privacy enhancing web proxy)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  privoxy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run privoxy with the tightest access possible.
++
++
++.PP
++If you want to allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the privoxy_connect_any boolean.
++
++.EX
++.B setsebool -P privoxy_connect_any 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux privoxy policy is very flexible allowing users to setup their privoxy processes in as secure a method as possible.
++.PP 
++The following file types are defined for privoxy:
++
++
++.EX
++.PP
++.B privoxy_etc_rw_t 
++.EE
++
++- Set files with the privoxy_etc_rw_t type, if you want to treat the files as privoxy etc read/write content.
++
++
++.EX
++.PP
++.B privoxy_exec_t 
++.EE
++
++- Set files with the privoxy_exec_t type, if you want to transition an executable to the privoxy_t domain.
++
++
++.EX
++.PP
++.B privoxy_initrc_exec_t 
++.EE
++
++- Set files with the privoxy_initrc_exec_t type, if you want to transition an executable to the privoxy_initrc_t domain.
++
++
++.EX
++.PP
++.B privoxy_log_t 
++.EE
++
++- Set files with the privoxy_log_t type, if you want to treat the data as privoxy log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B privoxy_var_run_t 
++.EE
++
++- Set files with the privoxy_var_run_t type, if you want to store the privoxy files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux privoxy policy is very flexible allowing users to setup their privoxy processes in as secure a method as possible.
++.PP 
++The following process types are defined for privoxy:
++
++.EX
++.B privoxy_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), privoxy(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/procmail_selinux.8 b/man/man8/procmail_selinux.8
+new file mode 100644
+index 0000000..7a080ee
+--- /dev/null
++++ b/man/man8/procmail_selinux.8
+@@ -0,0 +1,105 @@
++.TH  "procmail_selinux"  "8"  "procmail" "dwalsh at redhat.com" "procmail SELinux Policy documentation"
++.SH "NAME"
++procmail_selinux \- Security Enhanced Linux Policy for the procmail processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B procmail
++(Procmail mail delivery agent)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux procmail policy is very flexible allowing users to setup their procmail processes in as secure a method as possible.
++.PP 
++The following file types are defined for procmail:
++
++
++.EX
++.PP
++.B procmail_exec_t 
++.EE
++
++- Set files with the procmail_exec_t type, if you want to transition an executable to the procmail_t domain.
++
++
++.EX
++.PP
++.B procmail_home_t 
++.EE
++
++- Set files with the procmail_home_t type, if you want to store procmail files in the users home directory.
++
++
++.EX
++.PP
++.B procmail_log_t 
++.EE
++
++- Set files with the procmail_log_t type, if you want to treat the data as procmail log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/procmail\.log.*, /var/log/procmail(/.*)?
++
++.EX
++.PP
++.B procmail_tmp_t 
++.EE
++
++- Set files with the procmail_tmp_t type, if you want to store procmail temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux procmail policy is very flexible allowing users to setup their procmail processes in as secure a method as possible.
++.PP 
++The following process types are defined for procmail:
++
++.EX
++.B procmail_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), procmail(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/psad_selinux.8 b/man/man8/psad_selinux.8
+new file mode 100644
+index 0000000..f5331cf
+--- /dev/null
++++ b/man/man8/psad_selinux.8
+@@ -0,0 +1,125 @@
++.TH  "psad_selinux"  "8"  "psad" "dwalsh at redhat.com" "psad SELinux Policy documentation"
++.SH "NAME"
++psad_selinux \- Security Enhanced Linux Policy for the psad processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B psad
++(Intrusion Detection and Log Analysis with iptables)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux psad policy is very flexible allowing users to setup their psad processes in as secure a method as possible.
++.PP 
++The following file types are defined for psad:
++
++
++.EX
++.PP
++.B psad_etc_t 
++.EE
++
++- Set files with the psad_etc_t type, if you want to store psad files in the /etc directories.
++
++
++.EX
++.PP
++.B psad_exec_t 
++.EE
++
++- Set files with the psad_exec_t type, if you want to transition an executable to the psad_t domain.
++
++
++.EX
++.PP
++.B psad_initrc_exec_t 
++.EE
++
++- Set files with the psad_initrc_exec_t type, if you want to transition an executable to the psad_initrc_t domain.
++
++
++.EX
++.PP
++.B psad_tmp_t 
++.EE
++
++- Set files with the psad_tmp_t type, if you want to store psad temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B psad_var_lib_t 
++.EE
++
++- Set files with the psad_var_lib_t type, if you want to store the psad files under the /var/lib directory.
++
++
++.EX
++.PP
++.B psad_var_log_t 
++.EE
++
++- Set files with the psad_var_log_t type, if you want to treat the data as psad var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B psad_var_run_t 
++.EE
++
++- Set files with the psad_var_run_t type, if you want to store the psad files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux psad policy is very flexible allowing users to setup their psad processes in as secure a method as possible.
++.PP 
++The following process types are defined for psad:
++
++.EX
++.B psad_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), psad(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ptal_selinux.8 b/man/man8/ptal_selinux.8
+new file mode 100644
+index 0000000..679eb3c
+--- /dev/null
++++ b/man/man8/ptal_selinux.8
+@@ -0,0 +1,121 @@
++.TH  "ptal_selinux"  "8"  "ptal" "dwalsh at redhat.com" "ptal SELinux Policy documentation"
++.SH "NAME"
++ptal_selinux \- Security Enhanced Linux Policy for the ptal processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ptal policy is very flexible allowing users to setup their ptal processes in as secure a method as possible.
++.PP 
++The following file types are defined for ptal:
++
++
++.EX
++.PP
++.B ptal_etc_t 
++.EE
++
++- Set files with the ptal_etc_t type, if you want to store ptal files in the /etc directories.
++
++
++.EX
++.PP
++.B ptal_exec_t 
++.EE
++
++- Set files with the ptal_exec_t type, if you want to transition an executable to the ptal_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/ptal-photod, /usr/sbin/ptal-mlcd, /usr/sbin/ptal-printd
++
++.EX
++.PP
++.B ptal_var_run_t 
++.EE
++
++- Set files with the ptal_var_run_t type, if you want to store the ptal files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/ptal-mlcd(/.*)?, /var/run/ptal-printd(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux ptal policy is very flexible allowing users to setup their ptal processes in as secure a method as possible.
++.PP 
++The following port types are defined for ptal:
++
++.EX
++.TP 5
++.B ptal_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ptal policy is very flexible allowing users to setup their ptal processes in as secure a method as possible.
++.PP 
++The following process types are defined for ptal:
++
++.EX
++.B ptal_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ptal(8), semanage(8), restorecon(8), chcon(1)
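Review bot: The PORT TYPES section lists `tcp 8021` under "Default Defined Ports" for ptal_port_t, and the pulseaudio_selinux.8 and puppet_selinux.8 sections further down print the same `tcp 8021` for pulseaudio_port_t and puppet_port_t. Three unrelated services sharing one default port suggests that genman.py emits a fixed or stale value rather than each type's own definition. An administrator who relies on these pages for firewall rules or `semanage port` mappings would then be working from wrong data. The generator should read the ports from the policy's definition of each port type, and the rendered pages should be compared with `semanage port -l` output before they ship.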
+diff --git a/man/man8/ptchown_selinux.8 b/man/man8/ptchown_selinux.8
+new file mode 100644
+index 0000000..3e1f7ab
+--- /dev/null
++++ b/man/man8/ptchown_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "ptchown_selinux"  "8"  "ptchown" "dwalsh at redhat.com" "ptchown SELinux Policy documentation"
++.SH "NAME"
++ptchown_selinux \- Security Enhanced Linux Policy for the ptchown processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B ptchown
++(helper function for grantpt(3), changes ownship and permissions of pseudotty)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ptchown policy is very flexible allowing users to setup their ptchown processes in as secure a method as possible.
++.PP 
++The following file types are defined for ptchown:
++
++
++.EX
++.PP
++.B ptchown_exec_t 
++.EE
++
++- Set files with the ptchown_exec_t type, if you want to transition an executable to the ptchown_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ptchown policy is very flexible allowing users to setup their ptchown processes in as secure a method as possible.
++.PP 
++The following process types are defined for ptchown:
++
++.EX
++.B ptchown_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ptchown(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/publicfile_selinux.8 b/man/man8/publicfile_selinux.8
+new file mode 100644
+index 0000000..0235c45
+--- /dev/null
++++ b/man/man8/publicfile_selinux.8
+@@ -0,0 +1,89 @@
++.TH  "publicfile_selinux"  "8"  "publicfile" "dwalsh at redhat.com" "publicfile SELinux Policy documentation"
++.SH "NAME"
++publicfile_selinux \- Security Enhanced Linux Policy for the publicfile processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B publicfile
++(publicfile supplies files to the public through HTTP and FTP)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux publicfile policy is very flexible allowing users to setup their publicfile processes in as secure a method as possible.
++.PP 
++The following file types are defined for publicfile:
++
++
++.EX
++.PP
++.B publicfile_content_t 
++.EE
++
++- Set files with the publicfile_content_t type, if you want to treat the files as publicfile content.
++
++
++.EX
++.PP
++.B publicfile_exec_t 
++.EE
++
++- Set files with the publicfile_exec_t type, if you want to transition an executable to the publicfile_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/httpd, /usr/bin/ftpd
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux publicfile policy is very flexible allowing users to setup their publicfile processes in as secure a method as possible.
++.PP 
++The following process types are defined for publicfile:
++
++.EX
++.B publicfile_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), publicfile(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/pulseaudio_selinux.8 b/man/man8/pulseaudio_selinux.8
+new file mode 100644
+index 0000000..8ca72d3
+--- /dev/null
++++ b/man/man8/pulseaudio_selinux.8
+@@ -0,0 +1,139 @@
++.TH  "pulseaudio_selinux"  "8"  "pulseaudio" "dwalsh at redhat.com" "pulseaudio SELinux Policy documentation"
++.SH "NAME"
++pulseaudio_selinux \- Security Enhanced Linux Policy for the pulseaudio processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B pulseaudio
++(Pulseaudio network sound server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux pulseaudio policy is very flexible allowing users to setup their pulseaudio processes in as secure a method as possible.
++.PP 
++The following file types are defined for pulseaudio:
++
++
++.EX
++.PP
++.B pulseaudio_exec_t 
++.EE
++
++- Set files with the pulseaudio_exec_t type, if you want to transition an executable to the pulseaudio_t domain.
++
++
++.EX
++.PP
++.B pulseaudio_home_t 
++.EE
++
++- Set files with the pulseaudio_home_t type, if you want to store pulseaudio files in the users home directory.
++
++.br
++.TP 5
++Paths: 
++/root/\.pulse-cookie, /root/\.pulse(/.*)?
++
++.EX
++.PP
++.B pulseaudio_tmpfs_t 
++.EE
++
++- Set files with the pulseaudio_tmpfs_t type, if you want to store pulseaudio files on a tmpfs file system.
++
++
++.EX
++.PP
++.B pulseaudio_var_lib_t 
++.EE
++
++- Set files with the pulseaudio_var_lib_t type, if you want to store the pulseaudio files under the /var/lib directory.
++
++
++.EX
++.PP
++.B pulseaudio_var_run_t 
++.EE
++
++- Set files with the pulseaudio_var_run_t type, if you want to store the pulseaudio files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux pulseaudio policy is very flexible allowing users to setup their pulseaudio processes in as secure a method as possible.
++.PP 
++The following port types are defined for pulseaudio:
++
++.EX
++.TP 5
++.B pulseaudio_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pulseaudio policy is very flexible allowing users to setup their pulseaudio processes in as secure a method as possible.
++.PP 
++The following process types are defined for pulseaudio:
++
++.EX
++.B pulseaudio_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), pulseaudio(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/puppet_selinux.8 b/man/man8/puppet_selinux.8
+new file mode 100644
+index 0000000..c558047
+--- /dev/null
++++ b/man/man8/puppet_selinux.8
+@@ -0,0 +1,205 @@
++.TH  "puppet_selinux"  "8"  "puppet" "dwalsh at redhat.com" "puppet SELinux Policy documentation"
++.SH "NAME"
++puppet_selinux \- Security Enhanced Linux Policy for the puppet processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B puppet
++(Puppet client daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  puppet policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppet with the tightest access possible.
++
++
++.PP
++If you want to allow Puppet client to manage all file types, you must turn on the puppet_manage_all_files boolean.
++
++.EX
++.B setsebool -P puppet_manage_all_files 1
++.EE
++
++.PP
++If you want to allow Puppet master to use connect to MySQL and PostgreSQL databas, you must turn on the puppetmaster_use_db boolean.
++
++.EX
++.B setsebool -P puppetmaster_use_db 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux puppet policy is very flexible allowing users to setup their puppet processes in as secure a method as possible.
++.PP 
++The following file types are defined for puppet:
++
++
++.EX
++.PP
++.B puppet_etc_t 
++.EE
++
++- Set files with the puppet_etc_t type, if you want to store puppet files in the /etc directories.
++
++
++.EX
++.PP
++.B puppet_exec_t 
++.EE
++
++- Set files with the puppet_exec_t type, if you want to transition an executable to the puppet_t domain.
++
++
++.EX
++.PP
++.B puppet_initrc_exec_t 
++.EE
++
++- Set files with the puppet_initrc_exec_t type, if you want to transition an executable to the puppet_initrc_t domain.
++
++
++.EX
++.PP
++.B puppet_log_t 
++.EE
++
++- Set files with the puppet_log_t type, if you want to treat the data as puppet log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B puppet_tmp_t 
++.EE
++
++- Set files with the puppet_tmp_t type, if you want to store puppet temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B puppet_var_lib_t 
++.EE
++
++- Set files with the puppet_var_lib_t type, if you want to store the puppet files under the /var/lib directory.
++
++
++.EX
++.PP
++.B puppet_var_run_t 
++.EE
++
++- Set files with the puppet_var_run_t type, if you want to store the puppet files under the /run directory.
++
++
++.EX
++.PP
++.B puppetca_exec_t 
++.EE
++
++- Set files with the puppetca_exec_t type, if you want to transition an executable to the puppetca_t domain.
++
++
++.EX
++.PP
++.B puppetmaster_exec_t 
++.EE
++
++- Set files with the puppetmaster_exec_t type, if you want to transition an executable to the puppetmaster_t domain.
++
++
++.EX
++.PP
++.B puppetmaster_initrc_exec_t 
++.EE
++
++- Set files with the puppetmaster_initrc_exec_t type, if you want to transition an executable to the puppetmaster_initrc_t domain.
++
++
++.EX
++.PP
++.B puppetmaster_tmp_t 
++.EE
++
++- Set files with the puppetmaster_tmp_t type, if you want to store puppetmaster temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux puppet policy is very flexible allowing users to setup their puppet processes in as secure a method as possible.
++.PP 
++The following port types are defined for puppet:
++
++.EX
++.TP 5
++.B puppet_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux puppet policy is very flexible allowing users to setup their puppet processes in as secure a method as possible.
++.PP 
++The following process types are defined for puppet:
++
++.EX
++.B puppet_t, puppetmaster_t, puppetca_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), puppet(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
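Review bot: The BOOLEANS entry for puppet_manage_all_files gives only the command to enable it, `setsebool -P puppet_manage_all_files 1`, and does not spell out the consequence its own wording implies. With the boolean on, the Puppet client may manage all file types, so the policy presumably stops limiting what a misconfigured or compromised agent can rewrite. I would add a sentence after the `.EE`, for example `Leave this boolean off unless Puppet must manage files outside its own types; enabling it widens what the puppet_t domain can modify.` Pointing readers to `getsebool puppet_manage_all_files` would also let them audit the current state of a host. Since the page says it is autogenerated by genman.py, the wording belongs in the generator's template, not in this file.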
+diff --git a/man/man8/puppetca_selinux.8 b/man/man8/puppetca_selinux.8
+new file mode 100644
+index 0000000..eb647c7
+--- /dev/null
++++ b/man/man8/puppetca_selinux.8
+@@ -0,0 +1,71 @@
++.TH  "puppetca_selinux"  "8"  "puppetca" "dwalsh at redhat.com" "puppetca SELinux Policy documentation"
++.SH "NAME"
++puppetca_selinux \- Security Enhanced Linux Policy for the puppetca processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux puppetca policy is very flexible allowing users to setup their puppetca processes in as secure a method as possible.
++.PP 
++The following file types are defined for puppetca:
++
++
++.EX
++.PP
++.B puppetca_exec_t 
++.EE
++
++- Set files with the puppetca_exec_t type, if you want to transition an executable to the puppetca_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux puppetca policy is very flexible allowing users to setup their puppetca processes in as secure a method as possible.
++.PP 
++The following process types are defined for puppetca:
++
++.EX
++.B puppetca_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), puppetca(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/puppetmaster_selinux.8 b/man/man8/puppetmaster_selinux.8
+new file mode 100644
+index 0000000..5d07daa
+--- /dev/null
++++ b/man/man8/puppetmaster_selinux.8
+@@ -0,0 +1,102 @@
++.TH  "puppetmaster_selinux"  "8"  "puppetmaster" "dwalsh at redhat.com" "puppetmaster SELinux Policy documentation"
++.SH "NAME"
++puppetmaster_selinux \- Security Enhanced Linux Policy for the puppetmaster processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  puppetmaster policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppetmaster with the tightest access possible.
++
++
++.PP
++If you want to allow Puppet master to use connect to MySQL and PostgreSQL databas, you must turn on the puppetmaster_use_db boolean.
++
++.EX
++.B setsebool -P puppetmaster_use_db 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux puppetmaster policy is very flexible allowing users to setup their puppetmaster processes in as secure a method as possible.
++.PP 
++The following file types are defined for puppetmaster:
++
++
++.EX
++.PP
++.B puppetmaster_exec_t 
++.EE
++
++- Set files with the puppetmaster_exec_t type, if you want to transition an executable to the puppetmaster_t domain.
++
++
++.EX
++.PP
++.B puppetmaster_initrc_exec_t 
++.EE
++
++- Set files with the puppetmaster_initrc_exec_t type, if you want to transition an executable to the puppetmaster_initrc_t domain.
++
++
++.EX
++.PP
++.B puppetmaster_tmp_t 
++.EE
++
++- Set files with the puppetmaster_tmp_t type, if you want to store puppetmaster temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux puppetmaster policy is very flexible allowing users to setup their puppetmaster processes in as secure a method as possible.
++.PP 
++The following process types are defined for puppetmaster:
++
++.EX
++.B puppetmaster_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), puppetmaster(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/pyicqt_selinux.8 b/man/man8/pyicqt_selinux.8
+new file mode 100644
+index 0000000..7c291ab
+--- /dev/null
++++ b/man/man8/pyicqt_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "pyicqt_selinux"  "8"  "pyicqt" "dwalsh at redhat.com" "pyicqt SELinux Policy documentation"
++.SH "NAME"
++pyicqt_selinux \- Security Enhanced Linux Policy for the pyicqt processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B pyicqt
++(PyICQt is an ICQ transport for XMPP server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux pyicqt policy is very flexible allowing users to setup their pyicqt processes in as secure a method as possible.
++.PP 
++The following file types are defined for pyicqt:
++
++
++.EX
++.PP
++.B pyicqt_exec_t 
++.EE
++
++- Set files with the pyicqt_exec_t type, if you want to transition an executable to the pyicqt_t domain.
++
++
++.EX
++.PP
++.B pyicqt_log_t 
++.EE
++
++- Set files with the pyicqt_log_t type, if you want to treat the data as pyicqt log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B pyicqt_var_run_t 
++.EE
++
++- Set files with the pyicqt_var_run_t type, if you want to store the pyicqt files under the /run directory.
++
++
++.EX
++.PP
++.B pyicqt_var_spool_t 
++.EE
++
++- Set files with the pyicqt_var_spool_t type, if you want to store the pyicqt var files under the /var/spool directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pyicqt policy is very flexible allowing users to setup their pyicqt processes in as secure a method as possible.
++.PP 
++The following process types are defined for pyicqt:
++
++.EX
++.B pyicqt_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), pyicqt(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/qdiskd_selinux.8 b/man/man8/qdiskd_selinux.8
+new file mode 100644
+index 0000000..fe306cf
+--- /dev/null
++++ b/man/man8/qdiskd_selinux.8
+@@ -0,0 +1,103 @@
++.TH  "qdiskd_selinux"  "8"  "qdiskd" "dwalsh at redhat.com" "qdiskd SELinux Policy documentation"
++.SH "NAME"
++qdiskd_selinux \- Security Enhanced Linux Policy for the qdiskd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux qdiskd policy is very flexible allowing users to setup their qdiskd processes in as secure a method as possible.
++.PP 
++The following file types are defined for qdiskd:
++
++
++.EX
++.PP
++.B qdiskd_exec_t 
++.EE
++
++- Set files with the qdiskd_exec_t type, if you want to transition an executable to the qdiskd_t domain.
++
++
++.EX
++.PP
++.B qdiskd_tmpfs_t 
++.EE
++
++- Set files with the qdiskd_tmpfs_t type, if you want to store qdiskd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B qdiskd_var_lib_t 
++.EE
++
++- Set files with the qdiskd_var_lib_t type, if you want to store the qdiskd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B qdiskd_var_log_t 
++.EE
++
++- Set files with the qdiskd_var_log_t type, if you want to treat the data as qdiskd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B qdiskd_var_run_t 
++.EE
++
++- Set files with the qdiskd_var_run_t type, if you want to store the qdiskd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qdiskd policy is very flexible allowing users to setup their qdiskd processes in as secure a method as possible.
++.PP 
++The following process types are defined for qdiskd:
++
++.EX
++.B qdiskd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), qdiskd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/qemu_selinux.8 b/man/man8/qemu_selinux.8
+new file mode 100644
+index 0000000..1ca4c43
+--- /dev/null
++++ b/man/man8/qemu_selinux.8
+@@ -0,0 +1,151 @@
++.TH  "qemu_selinux"  "8"  "qemu" "dwalsh at redhat.com" "qemu SELinux Policy documentation"
++.SH "NAME"
++qemu_selinux \- Security Enhanced Linux Policy for the qemu processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B qemu
++(QEMU machine emulator and virtualizer)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  qemu policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qemu with the tightest access possible.
++
++
++.PP
++If you want to allow qemu to use cifs/Samba file system, you must turn on the qemu_use_cifs boolean.
++
++.EX
++.B setsebool -P qemu_use_cifs 1
++.EE
++
++.PP
++If you want to allow qemu to use serial/parallel communication port, you must turn on the qemu_use_comm boolean.
++
++.EX
++.B setsebool -P qemu_use_comm 1
++.EE
++
++.PP
++If you want to allow qemu to use nfs file system, you must turn on the qemu_use_nfs boolean.
++
++.EX
++.B setsebool -P qemu_use_nfs 1
++.EE
++
++.PP
++If you want to allow qemu to use usb device, you must turn on the qemu_use_usb boolean.
++
++.EX
++.B setsebool -P qemu_use_usb 1
++.EE
++
++.PP
++If you want to allow qemu to connect fully to the networ, you must turn on the qemu_full_network boolean.
++
++.EX
++.B setsebool -P qemu_full_network 1
++.EE
++
++.PP
++If you want to allow xend to run qemu-dm. Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean.
++
++.EX
++.B setsebool -P xend_run_qemu 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux qemu policy is very flexible allowing users to setup their qemu processes in as secure a method as possible.
++.PP 
++The following file types are defined for qemu:
++
++
++.EX
++.PP
++.B qemu_dm_exec_t 
++.EE
++
++- Set files with the qemu_dm_exec_t type, if you want to transition an executable to the qemu_dm_t domain.
++
++
++.EX
++.PP
++.B qemu_exec_t 
++.EE
++
++- Set files with the qemu_exec_t type, if you want to transition an executable to the qemu_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/qemu-system-.*, /usr/libexec/qemu.*, /usr/bin/qemu, /usr/bin/qemu-kvm
++
++.EX
++.PP
++.B qemu_var_run_t 
++.EE
++
++- Set files with the qemu_var_run_t type, if you want to store the qemu files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/libvirt/qemu(/.*)?, /var/lib/libvirt/qemu(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qemu policy is very flexible allowing users to setup their qemu processes in as secure a method as possible.
++.PP 
++The following process types are defined for qemu:
++
++.EX
++.B qemu_dm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), qemu(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
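Review bot: The font reset in `\fBls\bP` (FILE CONTEXTS) and `\fBps\bP` (PROCESS TYPES) is wrong, because `\b` is not a font escape and bold is never switched off; the lines should end in `\fBls\fP` and `\fBps\fP`. The same two lines recur in the qmail, qpidd, quantum, quota, rabbitmq, racoon and radiusd pages that follow, so the fix belongs in genman.py rather than in each page. Separately, PROCESS TYPES lists only `qemu_dm_t` while FILE CONTEXTS says `qemu_exec_t` transitions to the `qemu_t` domain. If `qemu_t` exists in the shipped policy it should be listed too, since administrators read this list to see which domains confine the service and which ones `semanage permissive -a` would relax.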
+diff --git a/man/man8/qmail_selinux.8 b/man/man8/qmail_selinux.8
+new file mode 100644
+index 0000000..d0f7752
+--- /dev/null
++++ b/man/man8/qmail_selinux.8
+@@ -0,0 +1,213 @@
++.TH  "qmail_selinux"  "8"  "qmail" "dwalsh at redhat.com" "qmail SELinux Policy documentation"
++.SH "NAME"
++qmail_selinux \- Security Enhanced Linux Policy for the qmail processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B qmail
++(Qmail Mail Server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux qmail policy is very flexible allowing users to setup their qmail processes in as secure a method as possible.
++.PP 
++The following file types are defined for qmail:
++
++
++.EX
++.PP
++.B qmail_alias_home_t 
++.EE
++
++- Set files with the qmail_alias_home_t type, if you want to store qmail alias files in the users home directory.
++
++.br
++.TP 5
++Paths: 
++/var/qmail/alias, /var/qmail/alias(/.*)?
++
++.EX
++.PP
++.B qmail_clean_exec_t 
++.EE
++
++- Set files with the qmail_clean_exec_t type, if you want to transition an executable to the qmail_clean_t domain.
++
++
++.EX
++.PP
++.B qmail_etc_t 
++.EE
++
++- Set files with the qmail_etc_t type, if you want to store qmail files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/var/qmail/owners(/.*)?, /var/qmail/control(/.*)?
++
++.EX
++.PP
++.B qmail_exec_t 
++.EE
++
++- Set files with the qmail_exec_t type, if you want to transition an executable to the qmail_t domain.
++
++
++.EX
++.PP
++.B qmail_inject_exec_t 
++.EE
++
++- Set files with the qmail_inject_exec_t type, if you want to transition an executable to the qmail_inject_t domain.
++
++
++.EX
++.PP
++.B qmail_keytab_t 
++.EE
++
++- Set files with the qmail_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B qmail_local_exec_t 
++.EE
++
++- Set files with the qmail_local_exec_t type, if you want to transition an executable to the qmail_local_t domain.
++
++
++.EX
++.PP
++.B qmail_lspawn_exec_t 
++.EE
++
++- Set files with the qmail_lspawn_exec_t type, if you want to transition an executable to the qmail_lspawn_t domain.
++
++
++.EX
++.PP
++.B qmail_queue_exec_t 
++.EE
++
++- Set files with the qmail_queue_exec_t type, if you want to transition an executable to the qmail_queue_t domain.
++
++
++.EX
++.PP
++.B qmail_remote_exec_t 
++.EE
++
++- Set files with the qmail_remote_exec_t type, if you want to transition an executable to the qmail_remote_t domain.
++
++
++.EX
++.PP
++.B qmail_rspawn_exec_t 
++.EE
++
++- Set files with the qmail_rspawn_exec_t type, if you want to transition an executable to the qmail_rspawn_t domain.
++
++
++.EX
++.PP
++.B qmail_send_exec_t 
++.EE
++
++- Set files with the qmail_send_exec_t type, if you want to transition an executable to the qmail_send_t domain.
++
++
++.EX
++.PP
++.B qmail_smtpd_exec_t 
++.EE
++
++- Set files with the qmail_smtpd_exec_t type, if you want to transition an executable to the qmail_smtpd_t domain.
++
++
++.EX
++.PP
++.B qmail_splogger_exec_t 
++.EE
++
++- Set files with the qmail_splogger_exec_t type, if you want to transition an executable to the qmail_splogger_t domain.
++
++
++.EX
++.PP
++.B qmail_spool_t 
++.EE
++
++- Set files with the qmail_spool_t type, if you want to store the qmail files under the /var/spool directory.
++
++
++.EX
++.PP
++.B qmail_start_exec_t 
++.EE
++
++- Set files with the qmail_start_exec_t type, if you want to transition an executable to the qmail_start_t domain.
++
++
++.EX
++.PP
++.B qmail_tcp_env_exec_t 
++.EE
++
++- Set files with the qmail_tcp_env_exec_t type, if you want to transition an executable to the qmail_tcp_env_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qmail policy is very flexible allowing users to setup their qmail processes in as secure a method as possible.
++.PP 
++The following process types are defined for qmail:
++
++.EX
++.B qmail_tcp_env_t, qmail_rspawn_t, qmail_inject_t, qmail_lspawn_t, qmail_clean_t, qmail_local_t, qmail_smtpd_t, qmail_start_t, qmail_send_t, qmail_remote_t, qmail_queue_t, qmail_splogger_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), qmail(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/qpidd_selinux.8 b/man/man8/qpidd_selinux.8
+new file mode 100644
+index 0000000..712a06e
+--- /dev/null
++++ b/man/man8/qpidd_selinux.8
+@@ -0,0 +1,107 @@
++.TH  "qpidd_selinux"  "8"  "qpidd" "dwalsh at redhat.com" "qpidd SELinux Policy documentation"
++.SH "NAME"
++qpidd_selinux \- Security Enhanced Linux Policy for the qpidd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux qpidd policy is very flexible allowing users to setup their qpidd processes in as secure a method as possible.
++.PP 
++The following file types are defined for qpidd:
++
++
++.EX
++.PP
++.B qpidd_exec_t 
++.EE
++
++- Set files with the qpidd_exec_t type, if you want to transition an executable to the qpidd_t domain.
++
++
++.EX
++.PP
++.B qpidd_initrc_exec_t 
++.EE
++
++- Set files with the qpidd_initrc_exec_t type, if you want to transition an executable to the qpidd_initrc_t domain.
++
++
++.EX
++.PP
++.B qpidd_tmpfs_t 
++.EE
++
++- Set files with the qpidd_tmpfs_t type, if you want to store qpidd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B qpidd_var_lib_t 
++.EE
++
++- Set files with the qpidd_var_lib_t type, if you want to store the qpidd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B qpidd_var_run_t 
++.EE
++
++- Set files with the qpidd_var_run_t type, if you want to store the qpidd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/qpidd(/.*)?, /var/run/qpidd\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qpidd policy is very flexible allowing users to setup their qpidd processes in as secure a method as possible.
++.PP 
++The following process types are defined for qpidd:
++
++.EX
++.B qpidd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), qpidd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/quantum_selinux.8 b/man/man8/quantum_selinux.8
+new file mode 100644
+index 0000000..779196e
+--- /dev/null
++++ b/man/man8/quantum_selinux.8
+@@ -0,0 +1,107 @@
++.TH  "quantum_selinux"  "8"  "quantum" "dwalsh at redhat.com" "quantum SELinux Policy documentation"
++.SH "NAME"
++quantum_selinux \- Security Enhanced Linux Policy for the quantum processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible.
++.PP 
++The following file types are defined for quantum:
++
++
++.EX
++.PP
++.B quantum_exec_t 
++.EE
++
++- Set files with the quantum_exec_t type, if you want to transition an executable to the quantum_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/quantum-server, /usr/bin/quantum-ryu-agent, /usr/bin/quantum-linuxbridge-agent, /usr/bin/quantum-openvswitch-agent
++
++.EX
++.PP
++.B quantum_log_t 
++.EE
++
++- Set files with the quantum_log_t type, if you want to treat the data as quantum log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B quantum_tmp_t 
++.EE
++
++- Set files with the quantum_tmp_t type, if you want to store quantum temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B quantum_unit_file_t 
++.EE
++
++- Set files with the quantum_unit_file_t type, if you want to treat the files as quantum unit content.
++
++
++.EX
++.PP
++.B quantum_var_lib_t 
++.EE
++
++- Set files with the quantum_var_lib_t type, if you want to store the quantum files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible.
++.PP 
++The following process types are defined for quantum:
++
++.EX
++.B quantum_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), quantum(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/quota_selinux.8 b/man/man8/quota_selinux.8
+new file mode 100644
+index 0000000..b90411d
+--- /dev/null
++++ b/man/man8/quota_selinux.8
+@@ -0,0 +1,117 @@
++.TH  "quota_selinux"  "8"  "quota" "dwalsh at redhat.com" "quota SELinux Policy documentation"
++.SH "NAME"
++quota_selinux \- Security Enhanced Linux Policy for the quota processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B quota
++(File system quota management)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux quota policy is very flexible allowing users to setup their quota processes in as secure a method as possible.
++.PP 
++The following file types are defined for quota:
++
++
++.EX
++.PP
++.B quota_db_t 
++.EE
++
++- Set files with the quota_db_t type, if you want to treat the files as quota database content.
++
++.br
++.TP 5
++Paths: 
++/boot/a?quota\.(user|group), /etc/a?quota\.(user|group), /var/lib/stickshift/a?quota\.(user|group), /a?quota\.(user|group), /var/a?quota\.(user|group), /var/spool/(.*/)?a?quota\.(user|group)
++
++.EX
++.PP
++.B quota_exec_t 
++.EE
++
++- Set files with the quota_exec_t type, if you want to transition an executable to the quota_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/convertquota, /usr/sbin/quota(check|on), /sbin/quota(check|on)
++
++.EX
++.PP
++.B quota_flag_t 
++.EE
++
++- Set files with the quota_flag_t type, if you want to treat the files as quota flag data.
++
++
++.EX
++.PP
++.B quota_nld_exec_t 
++.EE
++
++- Set files with the quota_nld_exec_t type, if you want to transition an executable to the quota_nld_t domain.
++
++
++.EX
++.PP
++.B quota_nld_var_run_t 
++.EE
++
++- Set files with the quota_nld_var_run_t type, if you want to store the quota nld files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux quota policy is very flexible allowing users to setup their quota processes in as secure a method as possible.
++.PP 
++The following process types are defined for quota:
++
++.EX
++.B quota_t, quota_nld_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), quota(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/rabbitmq_selinux.8 b/man/man8/rabbitmq_selinux.8
+new file mode 100644
+index 0000000..dc1fda5
+--- /dev/null
++++ b/man/man8/rabbitmq_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "rabbitmq_selinux"  "8"  "rabbitmq" "dwalsh at redhat.com" "rabbitmq SELinux Policy documentation"
++.SH "NAME"
++rabbitmq_selinux \- Security Enhanced Linux Policy for the rabbitmq processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B rabbitmq
++(policy for rabbitmq)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rabbitmq policy is very flexible allowing users to setup their rabbitmq processes in as secure a method as possible.
++.PP 
++The following file types are defined for rabbitmq:
++
++
++.EX
++.PP
++.B rabbitmq_beam_exec_t 
++.EE
++
++- Set files with the rabbitmq_beam_exec_t type, if you want to transition an executable to the rabbitmq_beam_t domain.
++
++
++.EX
++.PP
++.B rabbitmq_epmd_exec_t 
++.EE
++
++- Set files with the rabbitmq_epmd_exec_t type, if you want to transition an executable to the rabbitmq_epmd_t domain.
++
++
++.EX
++.PP
++.B rabbitmq_var_lib_t 
++.EE
++
++- Set files with the rabbitmq_var_lib_t type, if you want to store the rabbitmq files under the /var/lib directory.
++
++
++.EX
++.PP
++.B rabbitmq_var_log_t 
++.EE
++
++- Set files with the rabbitmq_var_log_t type, if you want to treat the data as rabbitmq var log data, usually stored under the /var/log directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rabbitmq policy is very flexible allowing users to setup their rabbitmq processes in as secure a method as possible.
++.PP 
++The following process types are defined for rabbitmq:
++
++.EX
++.B rabbitmq_beam_t, rabbitmq_epmd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rabbitmq(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/racoon_selinux.8 b/man/man8/racoon_selinux.8
+new file mode 100644
+index 0000000..d573221
+--- /dev/null
++++ b/man/man8/racoon_selinux.8
+@@ -0,0 +1,94 @@
++.TH  "racoon_selinux"  "8"  "racoon" "dwalsh at redhat.com" "racoon SELinux Policy documentation"
++.SH "NAME"
++racoon_selinux \- Security Enhanced Linux Policy for the racoon processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  racoon policy is extremely flexible and has several booleans that allow you to manipulate the policy and run racoon with the tightest access possible.
++
++
++.PP
++If you want to allow racoon to read shado, you must turn on the racoon_read_shadow boolean.
++
++.EX
++.B setsebool -P racoon_read_shadow 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux racoon policy is very flexible allowing users to setup their racoon processes in as secure a method as possible.
++.PP 
++The following file types are defined for racoon:
++
++
++.EX
++.PP
++.B racoon_exec_t 
++.EE
++
++- Set files with the racoon_exec_t type, if you want to transition an executable to the racoon_t domain.
++
++
++.EX
++.PP
++.B racoon_tmp_t 
++.EE
++
++- Set files with the racoon_tmp_t type, if you want to store racoon temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux racoon policy is very flexible allowing users to setup their racoon processes in as secure a method as possible.
++.PP 
++The following process types are defined for racoon:
++
++.EX
++.B racoon_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), racoon(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
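Review bot: The boolean description is cut one character short, `allow racoon to read shado`, and it should read `If you want to allow racoon to read shadow, you must turn on the racoon_read_shadow boolean.` Precision matters here because, judging by its name, the boolean grants access to password-hash data. The same last-character loss shows in `networ` (qemu page) and `serve` (radiusd page), so genman.py is probably stripping one character too many from the policy description. The BOOLEANS intro also promises "several booleans" where one is listed, and DESCRIPTION is empty.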
+diff --git a/man/man8/radiusd_selinux.8 b/man/man8/radiusd_selinux.8
+new file mode 100644
+index 0000000..6494aab
+--- /dev/null
++++ b/man/man8/radiusd_selinux.8
+@@ -0,0 +1,172 @@
++.TH  "radiusd_selinux"  "8"  "radiusd" "dwalsh at redhat.com" "radiusd SELinux Policy documentation"
++.SH "NAME"
++radiusd_selinux \- Security Enhanced Linux Policy for the radiusd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  radiusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run radiusd with the tightest access possible.
++
++
++.PP
++If you want to allow users to login using a radius serve, you must turn on the authlogin_radius boolean.
++
++.EX
++.B setsebool -P authlogin_radius 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux radiusd policy is very flexible allowing users to setup their radiusd processes in as secure a method as possible.
++.PP 
++The following file types are defined for radiusd:
++
++
++.EX
++.PP
++.B radiusd_etc_rw_t 
++.EE
++
++- Set files with the radiusd_etc_rw_t type, if you want to treat the files as radiusd etc read/write content.
++
++
++.EX
++.PP
++.B radiusd_etc_t 
++.EE
++
++- Set files with the radiusd_etc_t type, if you want to store radiusd files in the /etc directories.
++
++
++.EX
++.PP
++.B radiusd_exec_t 
++.EE
++
++- Set files with the radiusd_exec_t type, if you want to transition an executable to the radiusd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/freeradius, /etc/cron\.(daily|monthly)/radiusd, /usr/sbin/radiusd, /etc/cron\.(daily|weekly|monthly)/freeradius
++
++.EX
++.PP
++.B radiusd_initrc_exec_t 
++.EE
++
++- Set files with the radiusd_initrc_exec_t type, if you want to transition an executable to the radiusd_initrc_t domain.
++
++
++.EX
++.PP
++.B radiusd_log_t 
++.EE
++
++- Set files with the radiusd_log_t type, if you want to treat the data as radiusd log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/radacct(/.*)?, /var/log/radiusd-freeradius(/.*)?, /var/log/radius\.log.*, /var/log/radutmp, /var/log/radwtmp.*, /var/log/radius(/.*)?, /var/log/freeradius(/.*)?
++
++.EX
++.PP
++.B radiusd_var_lib_t 
++.EE
++
++- Set files with the radiusd_var_lib_t type, if you want to store the radiusd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B radiusd_var_run_t 
++.EE
++
++- Set files with the radiusd_var_run_t type, if you want to store the radiusd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/radiusd\.pid, /var/run/radiusd(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux radiusd policy is very flexible allowing users to setup their radiusd processes in as secure a method as possible.
++.PP 
++The following port types are defined for radiusd:
++
++.EX
++.TP 5
++.B radius_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux radiusd policy is very flexible allowing users to setup their radiusd processes in as secure a method as possible.
++.PP 
++The following process types are defined for radiusd:
++
++.EX
++.B radiusd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), radiusd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/radvd_selinux.8 b/man/man8/radvd_selinux.8
+new file mode 100644
+index 0000000..e7f45e9
+--- /dev/null
++++ b/man/man8/radvd_selinux.8
+@@ -0,0 +1,105 @@
++.TH  "radvd_selinux"  "8"  "radvd" "dwalsh at redhat.com" "radvd SELinux Policy documentation"
++.SH "NAME"
++radvd_selinux \- Security Enhanced Linux Policy for the radvd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B radvd
++(IPv6 router advertisement daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux radvd policy is very flexible allowing users to setup their radvd processes in as secure a method as possible.
++.PP 
++The following file types are defined for radvd:
++
++
++.EX
++.PP
++.B radvd_etc_t 
++.EE
++
++- Set files with the radvd_etc_t type, if you want to store radvd files in the /etc directories.
++
++
++.EX
++.PP
++.B radvd_exec_t 
++.EE
++
++- Set files with the radvd_exec_t type, if you want to transition an executable to the radvd_t domain.
++
++
++.EX
++.PP
++.B radvd_initrc_exec_t 
++.EE
++
++- Set files with the radvd_initrc_exec_t type, if you want to transition an executable to the radvd_initrc_t domain.
++
++
++.EX
++.PP
++.B radvd_var_run_t 
++.EE
++
++- Set files with the radvd_var_run_t type, if you want to store the radvd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/radvd(/.*)?, /var/run/radvd\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux radvd policy is very flexible allowing users to setup their radvd processes in as secure a method as possible.
++.PP 
++The following process types are defined for radvd:
++
++.EX
++.B radvd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), radvd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/rdisc_selinux.8 b/man/man8/rdisc_selinux.8
+new file mode 100644
+index 0000000..f04f9bd
+--- /dev/null
++++ b/man/man8/rdisc_selinux.8
+@@ -0,0 +1,81 @@
++.TH  "rdisc_selinux"  "8"  "rdisc" "dwalsh at redhat.com" "rdisc SELinux Policy documentation"
++.SH "NAME"
++rdisc_selinux \- Security Enhanced Linux Policy for the rdisc processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B rdisc
++(Network router discovery daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rdisc policy is very flexible allowing users to setup their rdisc processes in as secure a method as possible.
++.PP 
++The following file types are defined for rdisc:
++
++
++.EX
++.PP
++.B rdisc_exec_t 
++.EE
++
++- Set files with the rdisc_exec_t type, if you want to transition an executable to the rdisc_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/rdisc, /usr/sbin/rdisc
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rdisc policy is very flexible allowing users to setup their rdisc processes in as secure a method as possible.
++.PP 
++The following process types are defined for rdisc:
++
++.EX
++.B rdisc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rdisc(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/readahead_selinux.8 b/man/man8/readahead_selinux.8
+new file mode 100644
+index 0000000..7966b58
+--- /dev/null
++++ b/man/man8/readahead_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "readahead_selinux"  "8"  "readahead" "dwalsh at redhat.com" "readahead SELinux Policy documentation"
++.SH "NAME"
++readahead_selinux \- Security Enhanced Linux Policy for the readahead processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B readahead
++(Readahead, read files into page cache for improved performance)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux readahead policy is very flexible allowing users to setup their readahead processes in as secure a method as possible.
++.PP 
++The following file types are defined for readahead:
++
++
++.EX
++.PP
++.B readahead_exec_t 
++.EE
++
++- Set files with the readahead_exec_t type, if you want to transition an executable to the readahead_t domain.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/systemd-readahead.*, /sbin/readahead.*, /usr/lib/systemd/systemd-readahead.*, /usr/sbin/readahead.*
++
++.EX
++.PP
++.B readahead_var_lib_t 
++.EE
++
++- Set files with the readahead_var_lib_t type, if you want to store the readahead files under the /var/lib directory.
++
++
++.EX
++.PP
++.B readahead_var_run_t 
++.EE
++
++- Set files with the readahead_var_run_t type, if you want to store the readahead files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/systemd/readahead(/.*)?, /dev/\.systemd/readahead(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux readahead policy is very flexible allowing users to setup their readahead processes in as secure a method as possible.
++.PP 
++The following process types are defined for readahead:
++
++.EX
++.B readahead_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), readahead(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/regex_selinux.8 b/man/man8/regex_selinux.8
+new file mode 100644
+index 0000000..529dc44
+--- /dev/null
++++ b/man/man8/regex_selinux.8
+@@ -0,0 +1,79 @@
++.TH  "regex_selinux"  "8"  "regex" "dwalsh at redhat.com" "regex SELinux Policy documentation"
++.SH "NAME"
++regex_selinux \- Security Enhanced Linux Policy for the regex processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux regex policy is very flexible allowing users to setup their regex processes in as secure a method as possible.
++.PP 
++The following file types are defined for regex:
++
++
++.EX
++.PP
++.B regex_milter_data_t 
++.EE
++
++- Set files with the regex_milter_data_t type, if you want to treat the files as regex milter content.
++
++
++.EX
++.PP
++.B regex_milter_exec_t 
++.EE
++
++- Set files with the regex_milter_exec_t type, if you want to transition an executable to the regex_milter_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux regex policy is very flexible allowing users to setup their regex processes in as secure a method as possible.
++.PP 
++The following process types are defined for regex:
++
++.EX
++.B regex_milter_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), regex(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/restorecond_selinux.8 b/man/man8/restorecond_selinux.8
+new file mode 100644
+index 0000000..5258999
+--- /dev/null
++++ b/man/man8/restorecond_selinux.8
+@@ -0,0 +1,79 @@
++.TH  "restorecond_selinux"  "8"  "restorecond" "dwalsh at redhat.com" "restorecond SELinux Policy documentation"
++.SH "NAME"
++restorecond_selinux \- Security Enhanced Linux Policy for the restorecond processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux restorecond policy is very flexible allowing users to setup their restorecond processes in as secure a method as possible.
++.PP 
++The following file types are defined for restorecond:
++
++
++.EX
++.PP
++.B restorecond_exec_t 
++.EE
++
++- Set files with the restorecond_exec_t type, if you want to transition an executable to the restorecond_t domain.
++
++
++.EX
++.PP
++.B restorecond_var_run_t 
++.EE
++
++- Set files with the restorecond_var_run_t type, if you want to store the restorecond files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux restorecond policy is very flexible allowing users to setup their restorecond processes in as secure a method as possible.
++.PP 
++The following process types are defined for restorecond:
++
++.EX
++.B restorecond_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), restorecond(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/rgmanager_selinux.8 b/man/man8/rgmanager_selinux.8
+new file mode 100644
+index 0000000..b003935
+--- /dev/null
++++ b/man/man8/rgmanager_selinux.8
+@@ -0,0 +1,136 @@
++.TH  "rgmanager_selinux"  "8"  "rgmanager" "dwalsh at redhat.com" "rgmanager SELinux Policy documentation"
++.SH "NAME"
++rgmanager_selinux \- Security Enhanced Linux Policy for the rgmanager processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B rgmanager
++(rgmanager - Resource Group Manager)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  rgmanager policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rgmanager with the tightest access possible.
++
++
++.PP
++If you want to allow rgmanager domain to connect to the network using TCP, you must turn on the rgmanager_can_network_connect boolean.
++
++.EX
++.B setsebool -P rgmanager_can_network_connect 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rgmanager policy is very flexible allowing users to setup their rgmanager processes in as secure a method as possible.
++.PP 
++The following file types are defined for rgmanager:
++
++
++.EX
++.PP
++.B rgmanager_exec_t 
++.EE
++
++- Set files with the rgmanager_exec_t type, if you want to transition an executable to the rgmanager_t domain.
++
++
++.EX
++.PP
++.B rgmanager_initrc_exec_t 
++.EE
++
++- Set files with the rgmanager_initrc_exec_t type, if you want to transition an executable to the rgmanager_initrc_t domain.
++
++
++.EX
++.PP
++.B rgmanager_tmp_t 
++.EE
++
++- Set files with the rgmanager_tmp_t type, if you want to store rgmanager temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B rgmanager_tmpfs_t 
++.EE
++
++- Set files with the rgmanager_tmpfs_t type, if you want to store rgmanager files on a tmpfs file system.
++
++
++.EX
++.PP
++.B rgmanager_var_log_t 
++.EE
++
++- Set files with the rgmanager_var_log_t type, if you want to treat the data as rgmanager var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B rgmanager_var_run_t 
++.EE
++
++- Set files with the rgmanager_var_run_t type, if you want to store the rgmanager files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/rgmanager\.pid, /var/run/cluster/rgmanager\.sk
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rgmanager policy is very flexible allowing users to setup their rgmanager processes in as secure a method as possible.
++.PP 
++The following process types are defined for rgmanager:
++
++.EX
++.B rgmanager_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rgmanager(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/rhev_selinux.8 b/man/man8/rhev_selinux.8
+new file mode 100644
+index 0000000..36bcd5b
+--- /dev/null
++++ b/man/man8/rhev_selinux.8
+@@ -0,0 +1,117 @@
++.TH  "rhev_selinux"  "8"  "rhev" "dwalsh at redhat.com" "rhev SELinux Policy documentation"
++.SH "NAME"
++rhev_selinux \- Security Enhanced Linux Policy for the rhev processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B rhev
++(rhev polic module contains policies for rhev apps)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rhev policy is very flexible allowing users to setup their rhev processes in as secure a method as possible.
++.PP 
++The following file types are defined for rhev:
++
++
++.EX
++.PP
++.B rhev_agentd_exec_t 
++.EE
++
++- Set files with the rhev_agentd_exec_t type, if you want to transition an executable to the rhev_agentd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/share/rhev-agent/rhev-agentd\.py, /usr/share/ovirt-guest-agent
++
++.EX
++.PP
++.B rhev_agentd_log_t 
++.EE
++
++- Set files with the rhev_agentd_log_t type, if you want to treat the data as rhev agentd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B rhev_agentd_tmp_t 
++.EE
++
++- Set files with the rhev_agentd_tmp_t type, if you want to store rhev agentd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B rhev_agentd_unit_file_t 
++.EE
++
++- Set files with the rhev_agentd_unit_file_t type, if you want to treat the files as rhev agentd unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/ovirt-guest-agent\.serviceservice, /lib/systemd/system/ovirt-guest-agent\.service
++
++.EX
++.PP
++.B rhev_agentd_var_run_t 
++.EE
++
++- Set files with the rhev_agentd_var_run_t type, if you want to store the rhev agentd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rhev policy is very flexible allowing users to setup their rhev processes in as secure a method as possible.
++.PP 
++The following process types are defined for rhev:
++
++.EX
++.B rhev_agentd_t, rhev_agentd_consolehelper_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rhev(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/rhgb_selinux.8 b/man/man8/rhgb_selinux.8
+new file mode 100644
+index 0000000..af7a010
+--- /dev/null
++++ b/man/man8/rhgb_selinux.8
+@@ -0,0 +1,85 @@
++.TH  "rhgb_selinux"  "8"  "rhgb" "dwalsh at redhat.com" "rhgb SELinux Policy documentation"
++.SH "NAME"
++rhgb_selinux \- Security Enhanced Linux Policy for the rhgb processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B rhgb
++( Red Hat Graphical Boot )
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rhgb policy is very flexible allowing users to setup their rhgb processes in as secure a method as possible.
++.PP 
++The following file types are defined for rhgb:
++
++
++.EX
++.PP
++.B rhgb_exec_t 
++.EE
++
++- Set files with the rhgb_exec_t type, if you want to transition an executable to the rhgb_t domain.
++
++
++.EX
++.PP
++.B rhgb_tmpfs_t 
++.EE
++
++- Set files with the rhgb_tmpfs_t type, if you want to store rhgb files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rhgb policy is very flexible allowing users to setup their rhgb processes in as secure a method as possible.
++.PP 
++The following process types are defined for rhgb:
++
++.EX
++.B rhgb_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rhgb(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/rhsmcertd_selinux.8 b/man/man8/rhsmcertd_selinux.8
+new file mode 100644
+index 0000000..0ba79be
+--- /dev/null
++++ b/man/man8/rhsmcertd_selinux.8
+@@ -0,0 +1,117 @@
++.TH  "rhsmcertd_selinux"  "8"  "rhsmcertd" "dwalsh at redhat.com" "rhsmcertd SELinux Policy documentation"
++.SH "NAME"
++rhsmcertd_selinux \- Security Enhanced Linux Policy for the rhsmcertd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B rhsmcertd
++(Subscription Management Certificate Daemon policy)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rhsmcertd policy is very flexible allowing users to setup their rhsmcertd processes in as secure a method as possible.
++.PP 
++The following file types are defined for rhsmcertd:
++
++
++.EX
++.PP
++.B rhsmcertd_exec_t 
++.EE
++
++- Set files with the rhsmcertd_exec_t type, if you want to transition an executable to the rhsmcertd_t domain.
++
++
++.EX
++.PP
++.B rhsmcertd_initrc_exec_t 
++.EE
++
++- Set files with the rhsmcertd_initrc_exec_t type, if you want to transition an executable to the rhsmcertd_initrc_t domain.
++
++
++.EX
++.PP
++.B rhsmcertd_lock_t 
++.EE
++
++- Set files with the rhsmcertd_lock_t type, if you want to treat the files as rhsmcertd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B rhsmcertd_log_t 
++.EE
++
++- Set files with the rhsmcertd_log_t type, if you want to treat the data as rhsmcertd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B rhsmcertd_var_lib_t 
++.EE
++
++- Set files with the rhsmcertd_var_lib_t type, if you want to store the rhsmcertd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B rhsmcertd_var_run_t 
++.EE
++
++- Set files with the rhsmcertd_var_run_t type, if you want to store the rhsmcertd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rhsmcertd policy is very flexible allowing users to setup their rhsmcertd processes in as secure a method as possible.
++.PP 
++The following process types are defined for rhsmcertd:
++
++.EX
++.B rhsmcertd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rhsmcertd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ricci_selinux.8 b/man/man8/ricci_selinux.8
+new file mode 100644
+index 0000000..3a36033
+--- /dev/null
++++ b/man/man8/ricci_selinux.8
+@@ -0,0 +1,246 @@
++.TH  "ricci_selinux"  "8"  "ricci" "dwalsh at redhat.com" "ricci SELinux Policy documentation"
++.SH "NAME"
++ricci_selinux \- Security Enhanced Linux Policy for the ricci processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B ricci
++(Ricci cluster management agent)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible.
++.PP 
++The following file types are defined for ricci:
++
++
++.EX
++.PP
++.B ricci_exec_t 
++.EE
++
++- Set files with the ricci_exec_t type, if you want to transition an executable to the ricci_t domain.
++
++
++.EX
++.PP
++.B ricci_initrc_exec_t 
++.EE
++
++- Set files with the ricci_initrc_exec_t type, if you want to transition an executable to the ricci_initrc_t domain.
++
++
++.EX
++.PP
++.B ricci_modcluster_exec_t 
++.EE
++
++- Set files with the ricci_modcluster_exec_t type, if you want to transition an executable to the ricci_modcluster_t domain.
++
++
++.EX
++.PP
++.B ricci_modcluster_var_lib_t 
++.EE
++
++- Set files with the ricci_modcluster_var_lib_t type, if you want to store the ricci modcluster files under the /var/lib directory.
++
++
++.EX
++.PP
++.B ricci_modcluster_var_log_t 
++.EE
++
++- Set files with the ricci_modcluster_var_log_t type, if you want to treat the data as ricci modcluster var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ricci_modcluster_var_run_t 
++.EE
++
++- Set files with the ricci_modcluster_var_run_t type, if you want to store the ricci modcluster files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/modclusterd\.pid, /var/run/clumond\.sock
++
++.EX
++.PP
++.B ricci_modclusterd_exec_t 
++.EE
++
++- Set files with the ricci_modclusterd_exec_t type, if you want to transition an executable to the ricci_modclusterd_t domain.
++
++
++.EX
++.PP
++.B ricci_modclusterd_tmpfs_t 
++.EE
++
++- Set files with the ricci_modclusterd_tmpfs_t type, if you want to store ricci modclusterd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B ricci_modlog_exec_t 
++.EE
++
++- Set files with the ricci_modlog_exec_t type, if you want to transition an executable to the ricci_modlog_t domain.
++
++
++.EX
++.PP
++.B ricci_modrpm_exec_t 
++.EE
++
++- Set files with the ricci_modrpm_exec_t type, if you want to transition an executable to the ricci_modrpm_t domain.
++
++
++.EX
++.PP
++.B ricci_modservice_exec_t 
++.EE
++
++- Set files with the ricci_modservice_exec_t type, if you want to transition an executable to the ricci_modservice_t domain.
++
++
++.EX
++.PP
++.B ricci_modstorage_exec_t 
++.EE
++
++- Set files with the ricci_modstorage_exec_t type, if you want to transition an executable to the ricci_modstorage_t domain.
++
++
++.EX
++.PP
++.B ricci_modstorage_lock_t 
++.EE
++
++- Set files with the ricci_modstorage_lock_t type, if you want to treat the files as ricci modstorage lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B ricci_tmp_t 
++.EE
++
++- Set files with the ricci_tmp_t type, if you want to store ricci temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ricci_var_lib_t 
++.EE
++
++- Set files with the ricci_var_lib_t type, if you want to store the ricci files under the /var/lib directory.
++
++
++.EX
++.PP
++.B ricci_var_log_t 
++.EE
++
++- Set files with the ricci_var_log_t type, if you want to treat the data as ricci var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B ricci_var_run_t 
++.EE
++
++- Set files with the ricci_var_run_t type, if you want to store the ricci files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible.
++.PP 
++The following port types are defined for ricci:
++
++.EX
++.TP 5
++.B ricci_modcluster_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B ricci_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible.
++.PP 
++The following process types are defined for ricci:
++
++.EX
++.B ricci_t, ricci_modservice_t, ricci_modstorage_t, ricci_modclusterd_t, ricci_modlog_t, ricci_modrpm_t, ricci_modcluster_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ricci(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/rlogind_selinux.8 b/man/man8/rlogind_selinux.8
+new file mode 100644
+index 0000000..b86f39b
+--- /dev/null
++++ b/man/man8/rlogind_selinux.8
+@@ -0,0 +1,137 @@
++.TH  "rlogind_selinux"  "8"  "rlogind" "dwalsh at redhat.com" "rlogind SELinux Policy documentation"
++.SH "NAME"
++rlogind_selinux \- Security Enhanced Linux Policy for the rlogind processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rlogind policy is very flexible allowing users to setup their rlogind processes in as secure a method as possible.
++.PP 
++The following file types are defined for rlogind:
++
++
++.EX
++.PP
++.B rlogind_exec_t 
++.EE
++
++- Set files with the rlogind_exec_t type, if you want to transition an executable to the rlogind_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/telnetlogin, /usr/kerberos/sbin/klogind, /usr/sbin/in\.rlogind
++
++.EX
++.PP
++.B rlogind_home_t 
++.EE
++
++- Set files with the rlogind_home_t type, if you want to store rlogind files in the users home directory.
++
++.br
++.TP 5
++Paths: 
++/root/\.rlogin, /root/\.rhosts
++
++.EX
++.PP
++.B rlogind_keytab_t 
++.EE
++
++- Set files with the rlogind_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B rlogind_tmp_t 
++.EE
++
++- Set files with the rlogind_tmp_t type, if you want to store rlogind temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B rlogind_var_run_t 
++.EE
++
++- Set files with the rlogind_var_run_t type, if you want to store the rlogind files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux rlogind policy is very flexible allowing users to setup their rlogind processes in as secure a method as possible.
++.PP 
++The following port types are defined for rlogind:
++
++.EX
++.TP 5
++.B rlogind_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rlogind policy is very flexible allowing users to setup their rlogind processes in as secure a method as possible.
++.PP 
++The following process types are defined for rlogind:
++
++.EX
++.B rlogind_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rlogind(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/roundup_selinux.8 b/man/man8/roundup_selinux.8
+new file mode 100644
+index 0000000..5269077
+--- /dev/null
++++ b/man/man8/roundup_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "roundup_selinux"  "8"  "roundup" "dwalsh at redhat.com" "roundup SELinux Policy documentation"
++.SH "NAME"
++roundup_selinux \- Security Enhanced Linux Policy for the roundup processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B roundup
++(Roundup Issue Tracking System policy)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux roundup policy is very flexible allowing users to setup their roundup processes in as secure a method as possible.
++.PP 
++The following file types are defined for roundup:
++
++
++.EX
++.PP
++.B roundup_exec_t 
++.EE
++
++- Set files with the roundup_exec_t type, if you want to transition an executable to the roundup_t domain.
++
++
++.EX
++.PP
++.B roundup_initrc_exec_t 
++.EE
++
++- Set files with the roundup_initrc_exec_t type, if you want to transition an executable to the roundup_initrc_t domain.
++
++
++.EX
++.PP
++.B roundup_var_lib_t 
++.EE
++
++- Set files with the roundup_var_lib_t type, if you want to store the roundup files under the /var/lib directory.
++
++
++.EX
++.PP
++.B roundup_var_run_t 
++.EE
++
++- Set files with the roundup_var_run_t type, if you want to store the roundup files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux roundup policy is very flexible allowing users to setup their roundup processes in as secure a method as possible.
++.PP 
++The following process types are defined for roundup:
++
++.EX
++.B roundup_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), roundup(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/rpcbind_selinux.8 b/man/man8/rpcbind_selinux.8
+new file mode 100644
+index 0000000..8fdfc21
+--- /dev/null
++++ b/man/man8/rpcbind_selinux.8
+@@ -0,0 +1,113 @@
++.TH  "rpcbind_selinux"  "8"  "rpcbind" "dwalsh at redhat.com" "rpcbind SELinux Policy documentation"
++.SH "NAME"
++rpcbind_selinux \- Security Enhanced Linux Policy for the rpcbind processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B rpcbind
++(Universal Addresses to RPC Program Number Mapper)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible.
++.PP 
++The following file types are defined for rpcbind:
++
++
++.EX
++.PP
++.B rpcbind_exec_t 
++.EE
++
++- Set files with the rpcbind_exec_t type, if you want to transition an executable to the rpcbind_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/rpcbind, /sbin/rpcbind
++
++.EX
++.PP
++.B rpcbind_initrc_exec_t 
++.EE
++
++- Set files with the rpcbind_initrc_exec_t type, if you want to transition an executable to the rpcbind_initrc_t domain.
++
++
++.EX
++.PP
++.B rpcbind_var_lib_t 
++.EE
++
++- Set files with the rpcbind_var_lib_t type, if you want to store the rpcbind files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/rpcbind(/.*)?, /var/cache/rpcbind(/.*)?
++
++.EX
++.PP
++.B rpcbind_var_run_t 
++.EE
++
++- Set files with the rpcbind_var_run_t type, if you want to store the rpcbind files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/rpcbind\.sock, /var/run/rpcbind\.lock, /var/run/rpc.statd\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible.
++.PP 
++The following process types are defined for rpcbind:
++
++.EX
++.B rpcbind_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rpcbind(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/rpcd_selinux.8 b/man/man8/rpcd_selinux.8
+new file mode 100644
+index 0000000..f86ef74
+--- /dev/null
++++ b/man/man8/rpcd_selinux.8
+@@ -0,0 +1,119 @@
++.TH  "rpcd_selinux"  "8"  "rpcd" "dwalsh at redhat.com" "rpcd SELinux Policy documentation"
++.SH "NAME"
++rpcd_selinux \- Security Enhanced Linux Policy for the rpcd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rpcd policy is very flexible allowing users to setup their rpcd processes in as secure a method as possible.
++.PP 
++The following file types are defined for rpcd:
++
++
++.EX
++.PP
++.B rpc_pipefs_t 
++.EE
++
++- Set files with the rpc_pipefs_t type, if you want to treat the files as rpc pipefs data.
++
++
++.EX
++.PP
++.B rpcd_exec_t 
++.EE
++
++- Set files with the rpcd_exec_t type, if you want to transition an executable to the rpcd_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/sm-notify, /usr/sbin/rpc\..*, /usr/sbin/rpc\.idmapd, /usr/sbin/sm-notify, /usr/sbin/rpc\.rquotad, /sbin/rpc\..*
++
++.EX
++.PP
++.B rpcd_initrc_exec_t 
++.EE
++
++- Set files with the rpcd_initrc_exec_t type, if you want to transition an executable to the rpcd_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/nfslock, /etc/rc\.d/init\.d/rpcidmapd
++
++.EX
++.PP
++.B rpcd_unit_file_t 
++.EE
++
++- Set files with the rpcd_unit_file_t type, if you want to treat the files as rpcd unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/rpc.*, /usr/lib/systemd/system/rpc.*
++
++.EX
++.PP
++.B rpcd_var_run_t 
++.EE
++
++- Set files with the rpcd_var_run_t type, if you want to store the rpcd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/rpc\.statd(/.*)?, /var/run/rpc\.statd\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rpcd policy is very flexible allowing users to setup their rpcd processes in as secure a method as possible.
++.PP 
++The following process types are defined for rpcd:
++
++.EX
++.B rpcd_t, rpcbind_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rpcd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/rpm_selinux.8 b/man/man8/rpm_selinux.8
+new file mode 100644
+index 0000000..2c01fa3
+--- /dev/null
++++ b/man/man8/rpm_selinux.8
+@@ -0,0 +1,177 @@
++.TH  "rpm_selinux"  "8"  "rpm" "dwalsh at redhat.com" "rpm SELinux Policy documentation"
++.SH "NAME"
++rpm_selinux \- Security Enhanced Linux Policy for the rpm processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B rpm
++(Policy for the RPM package manager)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rpm policy is very flexible allowing users to setup their rpm processes in as secure a method as possible.
++.PP 
++The following file types are defined for rpm:
++
++
++.EX
++.PP
++.B rpm_exec_t 
++.EE
++
++- Set files with the rpm_exec_t type, if you want to transition an executable to the rpm_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/apt-get, /usr/libexec/yumDBUSBackend.py, /usr/sbin/rhn_check, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/synaptic, /usr/share/yumex/yumex-yum-backend, /usr/sbin/yum-updatesd, /usr/sbin/pup, /usr/libexec/packagekitd, /usr/bin/apt-shell, /usr/sbin/pirut, /usr/bin/package-cleanup, /usr/bin/fedora-rmdevelrpms, /bin/rpm, /usr/bin/yum, /usr/sbin/system-install-packages, /usr/bin/zif, /usr/bin/rpm, /usr/sbin/yum-complete-transaction, /usr/bin/smart, /usr/sbin/packagekitd, /usr/sbin/rhnreg_ks, /usr/share/yumex/yum_childtask\.py, /usr/sbin/up2date
++
++.EX
++.PP
++.B rpm_file_t 
++.EE
++
++- Set files with the rpm_file_t type, if you want to treat the files as rpm content.
++
++
++.EX
++.PP
++.B rpm_log_t 
++.EE
++
++- Set files with the rpm_log_t type, if you want to treat the data as rpm log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/yum\.log.*, /var/log/rpmpkgs.*
++
++.EX
++.PP
++.B rpm_script_exec_t 
++.EE
++
++- Set files with the rpm_script_exec_t type, if you want to transition an executable to the rpm_script_t domain.
++
++
++.EX
++.PP
++.B rpm_script_tmp_t 
++.EE
++
++- Set files with the rpm_script_tmp_t type, if you want to store rpm script temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B rpm_script_tmpfs_t 
++.EE
++
++- Set files with the rpm_script_tmpfs_t type, if you want to store rpm script files on a tmpfs file system.
++
++
++.EX
++.PP
++.B rpm_tmp_t 
++.EE
++
++- Set files with the rpm_tmp_t type, if you want to store rpm temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B rpm_tmpfs_t 
++.EE
++
++- Set files with the rpm_tmpfs_t type, if you want to store rpm files on a tmpfs file system.
++
++
++.EX
++.PP
++.B rpm_var_cache_t 
++.EE
++
++- Set files with the rpm_var_cache_t type, if you want to store the files under the /var/cache directory.
++
++.br
++.TP 5
++Paths: 
++/var/cache/PackageKit(/.*)?, /var/cache/yum(/.*)?, /var/spool/up2date(/.*)?
++
++.EX
++.PP
++.B rpm_var_lib_t 
++.EE
++
++- Set files with the rpm_var_lib_t type, if you want to store the rpm files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/yum(/.*)?, /var/lib/rpm(/.*)?, /var/lib/alternatives(/.*)?
++
++.EX
++.PP
++.B rpm_var_run_t 
++.EE
++
++- Set files with the rpm_var_run_t type, if you want to store the rpm files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/PackageKit(/.*)?, /var/run/yum.*
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rpm policy is very flexible allowing users to setup their rpm processes in as secure a method as possible.
++.PP 
++The following process types are defined for rpm:
++
++.EX
++.B rpm_t, rpm_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rpm(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/rshd_selinux.8 b/man/man8/rshd_selinux.8
+new file mode 100644
+index 0000000..929f616
+--- /dev/null
++++ b/man/man8/rshd_selinux.8
+@@ -0,0 +1,115 @@
++.TH  "rshd_selinux"  "8"  "rshd" "dwalsh at redhat.com" "rshd SELinux Policy documentation"
++.SH "NAME"
++rshd_selinux \- Security Enhanced Linux Policy for the rshd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B rshd
++(Remote shell service)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rshd policy is very flexible allowing users to setup their rshd processes in as secure a method as possible.
++.PP 
++The following file types are defined for rshd:
++
++
++.EX
++.PP
++.B rshd_exec_t 
++.EE
++
++- Set files with the rshd_exec_t type, if you want to transition an executable to the rshd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/in\.rshd, /usr/kerberos/sbin/kshd, /usr/sbin/in\.rexecd
++
++.EX
++.PP
++.B rshd_keytab_t 
++.EE
++
++- Set files with the rshd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux rshd policy is very flexible allowing users to setup their rshd processes in as secure a method as possible.
++.PP 
++The following port types are defined for rshd:
++
++.EX
++.TP 5
++.B rsh_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rshd policy is very flexible allowing users to setup their rshd processes in as secure a method as possible.
++.PP 
++The following process types are defined for rshd:
++
++.EX
++.B rshd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rshd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/rssh_selinux.8 b/man/man8/rssh_selinux.8
+new file mode 100644
+index 0000000..fea92f8
+--- /dev/null
++++ b/man/man8/rssh_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "rssh_selinux"  "8"  "rssh" "dwalsh at redhat.com" "rssh SELinux Policy documentation"
++.SH "NAME"
++rssh_selinux \- Security Enhanced Linux Policy for the rssh processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B rssh
++(Restricted (scp/sftp) only shell)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rssh policy is very flexible allowing users to setup their rssh processes in as secure a method as possible.
++.PP 
++The following file types are defined for rssh:
++
++
++.EX
++.PP
++.B rssh_chroot_helper_exec_t 
++.EE
++
++- Set files with the rssh_chroot_helper_exec_t type, if you want to transition an executable to the rssh_chroot_helper_t domain.
++
++
++.EX
++.PP
++.B rssh_exec_t 
++.EE
++
++- Set files with the rssh_exec_t type, if you want to transition an executable to the rssh_t domain.
++
++
++.EX
++.PP
++.B rssh_ro_t 
++.EE
++
++- Set files with the rssh_ro_t type, if you want to treat the files as rssh read/only content.
++
++
++.EX
++.PP
++.B rssh_rw_t 
++.EE
++
++- Set files with the rssh_rw_t type, if you want to treat the files as rssh read/write content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rssh policy is very flexible allowing users to setup their rssh processes in as secure a method as possible.
++.PP 
++The following process types are defined for rssh:
++
++.EX
++.B rssh_t, rssh_chroot_helper_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rssh(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8
+index ad9ccf5..65a1b3e 100644
+--- a/man/man8/rsync_selinux.8
++++ b/man/man8/rsync_selinux.8
+@@ -1,52 +1,205 @@
+-.TH  "rsync_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "rsync Selinux Policy documentation"
+-.de EX
+-.nf
+-.ft CW
+-..
+-.de EE
+-.ft R
+-.fi
+-..
++.TH  "rsync_selinux"  "8"  "rsync" "dwalsh at redhat.com" "rsync SELinux Policy documentation"
+ .SH "NAME"
+-rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
++rsync_selinux \- Security Enhanced Linux Policy for the rsync processes
+ .SH "DESCRIPTION"
+ 
+-Security-Enhanced Linux secures the rsync server via flexible mandatory access
++
++SELinux Linux secures
++.B rsync
++(Fast incremental file transfer for synchronization)
++processes via flexible mandatory access
+ control.  
+-.SH FILE_CONTEXTS
+-SELinux requires files to have an extended attribute to define the file type. 
+-Policy governs the access daemons have to these files. 
+-If you want to share files using the rsync daemon, you must label the files and directories public_content_t.  So if you created a special directory /var/rsync, you 
+-would need to label the directory with the chcon tool.
+-.TP
+-chcon -t public_content_t /var/rsync
+-.TP
+-.TP
+-To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  rsync policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rsync with the tightest access possible.
++
++
++.PP
++If you want to allow rsync to run as a clien, you must turn on the rsync_client boolean.
++
++.EX
++.B setsebool -P rsync_client 1
++.EE
++
++.PP
++If you want to allow rsync to export any files/directories read only, you must turn on the rsync_export_all_ro boolean.
++
++.EX
++.B setsebool -P rsync_export_all_ro 1
++.EE
++
++.PP
++If you want to allow rsync servers to share nfs files system, you must turn on the rsync_use_nfs boolean.
++
++.EX
++.B setsebool -P rsync_use_nfs 1
++.EE
++
++.PP
++If you want to allow rsync servers to share cifs files system, you must turn on the rsync_use_cifs boolean.
++
++.EX
++.B setsebool -P rsync_use_cifs 1
++.EE
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
+ .TP
++Allow rsync servers to read the /var/rsync directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
+ semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
++.br
++.B restorecon -F -R -v /var/rsync
++.pp
+ .TP
+-This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
+-.TP
+-/var/rsync(/.*)? system_u:object_r:publix_content_t:s0
+-.TP
+-Run the restorecon command to apply the changes:
+-.TP
+-restorecon -R -v /var/rsync/
++Allow rsync servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_rsync_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/rsync/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/rsync/incoming
++
++
++.PP
++If you want to allow rsync to modify public files used for public file transfer services.  Files/Directories must be labeled public_content_rw_t., you must turn on the allow_rsync_anon_write boolean.
++
++.EX
++.B setsebool -P allow_rsync_anon_write 1
  .EE
--- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
-+- Set files with httpd_sys_rw_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
+ 
+-.SH SHARING FILES
+-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for rsync you would execute:
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible.
++.PP 
++The following file types are defined for rsync:
++
+ 
  .EX
- httpd_sys_content_ra_t 
+-setsebool -P allow_rsync_anon_write=1
++.PP
++.B rsync_data_t 
  .EE
+ 
+-.SH BOOLEANS
+-.TP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
++- Set files with the rsync_data_t type, if you want to treat the files as rsync content.
++
++
++.EX
++.PP
++.B rsync_etc_t 
++.EE
++
++- Set files with the rsync_etc_t type, if you want to store rsync files in the /etc directories.
++
++
++.EX
++.PP
++.B rsync_exec_t 
++.EE
++
++- Set files with the rsync_exec_t type, if you want to transition an executable to the rsync_t domain.
++
++
++.EX
++.PP
++.B rsync_log_t 
++.EE
++
++- Set files with the rsync_log_t type, if you want to treat the data as rsync log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B rsync_tmp_t 
++.EE
++
++- Set files with the rsync_tmp_t type, if you want to store rsync temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B rsync_var_run_t 
++.EE
++
++- Set files with the rsync_var_run_t type, if you want to store the rsync files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible.
++.PP 
++The following port types are defined for rsync:
++
++.EX
++.TP 5
++.B rsync_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible.
++.PP 
++The following process types are defined for rsync:
++
++.EX
++.B rsync_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
+ .SH AUTHOR	
+-This manual page was written by Dan Walsh <dwalsh at redhat.com>.
++This manual page was autogenerated by genman.py.
+ 
+ .SH "SEE ALSO"
+-selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8)
++selinux(8), rsync(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/rtkit_selinux.8 b/man/man8/rtkit_selinux.8
+new file mode 100644
+index 0000000..50cb948
+--- /dev/null
++++ b/man/man8/rtkit_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "rtkit_selinux"  "8"  "rtkit" "dwalsh at redhat.com" "rtkit SELinux Policy documentation"
++.SH "NAME"
++rtkit_selinux \- Security Enhanced Linux Policy for the rtkit processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B rtkit
++(Realtime scheduling for user processes)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rtkit policy is very flexible allowing users to setup their rtkit processes in as secure a method as possible.
++.PP 
++The following file types are defined for rtkit:
++
++
++.EX
++.PP
++.B rtkit_daemon_exec_t 
++.EE
++
++- Set files with the rtkit_daemon_exec_t type, if you want to transition an executable to the rtkit_daemon_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rtkit policy is very flexible allowing users to setup their rtkit processes in as secure a method as possible.
++.PP 
++The following process types are defined for rtkit:
++
++.EX
++.B rtkit_daemon_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rtkit(8), semanage(8), restorecon(8), chcon(1)
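Review bot: The "You can see the context of ..." lines in FILE CONTEXTS and PROCESS TYPES end with `\fBls\bP` and `\fBps\bP`, and `\bP` is not the font-reset escape, so the bold opened by `\fB` is never closed and the command name does not render as intended. The closing escape should be `\fP`, giving `\fB\-Z\fP option to \fBls\fP` and `\fB\-Z\fP option to \fBps\fP`. The same two lines appear in the run, rwho, samba, sambagui and sandbox pages added below, which points at the template in genman.py rather than at any single page, so the fix belongs in the generator.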
+diff --git a/man/man8/run_selinux.8 b/man/man8/run_selinux.8
+new file mode 100644
+index 0000000..75796ad
+--- /dev/null
++++ b/man/man8/run_selinux.8
+@@ -0,0 +1,100 @@
++.TH  "run_selinux"  "8"  "run" "dwalsh at redhat.com" "run SELinux Policy documentation"
++.SH "NAME"
++run_selinux \- Security Enhanced Linux Policy for the run processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  run policy is extremely flexible and has several booleans that allow you to manipulate the policy and run run with the tightest access possible.
++
++
++.PP
++If you want to allow xend to run qemu-dm. Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean.
++
++.EX
++.B setsebool -P xend_run_qemu 1
++.EE
++
++.PP
++If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean.
++
++.EX
++.B setsebool -P xend_run_blktap 1
++.EE
++
++.PP
++If you want to allow samba to run unconfined script, you must turn on the samba_run_unconfined boolean.
++
++.EX
++.B setsebool -P samba_run_unconfined 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux run policy is very flexible allowing users to setup their run processes in as secure a method as possible.
++.PP 
++The following file types are defined for run:
++
++
++.EX
++.PP
++.B run_init_exec_t 
++.EE
++
++- Set files with the run_init_exec_t type, if you want to transition an executable to the run_init_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux run policy is very flexible allowing users to setup their run processes in as secure a method as possible.
++.PP 
++The following process types are defined for run:
++
++.EX
++.B run_init_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), run(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
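Review bot: This page documents a "run" service that does not appear to exist: DESCRIPTION is empty, the BOOLEANS text reads "run run with the tightest access possible", and SEE ALSO cites `run(8)`. The three booleans listed (`xend_run_qemu`, `xend_run_blktap`, `samba_run_unconfined`) concern xend and samba by their names and seem to have been picked up only because those names contain `run`. The only types actually shown are `run_init_exec_t` and `run_init_t`, so a reader could wrongly conclude that `samba_run_unconfined` has something to do with confining run_init. Either drop the page, or generate it for the run_init domain with booleans selected by the domain they affect rather than by substring match.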
+diff --git a/man/man8/rwho_selinux.8 b/man/man8/rwho_selinux.8
+new file mode 100644
+index 0000000..65c182c
+--- /dev/null
++++ b/man/man8/rwho_selinux.8
+@@ -0,0 +1,127 @@
++.TH  "rwho_selinux"  "8"  "rwho" "dwalsh at redhat.com" "rwho SELinux Policy documentation"
++.SH "NAME"
++rwho_selinux \- Security Enhanced Linux Policy for the rwho processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B rwho
++(Who is logged in on other machines?)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
++.PP 
++The following file types are defined for rwho:
++
++
++.EX
++.PP
++.B rwho_exec_t 
++.EE
++
++- Set files with the rwho_exec_t type, if you want to transition an executable to the rwho_t domain.
++
++
++.EX
++.PP
++.B rwho_initrc_exec_t 
++.EE
++
++- Set files with the rwho_initrc_exec_t type, if you want to transition an executable to the rwho_initrc_t domain.
++
++
++.EX
++.PP
++.B rwho_log_t 
++.EE
++
++- Set files with the rwho_log_t type, if you want to treat the data as rwho log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B rwho_spool_t 
++.EE
++
++- Set files with the rwho_spool_t type, if you want to store the rwho files under the /var/spool directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
++.PP 
++The following port types are defined for rwho:
++
++.EX
++.TP 5
++.B rwho_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
++.PP 
++The following process types are defined for rwho:
++
++.EX
++.B rwho_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), rwho(8), semanage(8), restorecon(8), chcon(1)
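Review bot: The PORT TYPES section lists `tcp 8021` as the default port for `rwho_port_t`, which is the same value the rsync page earlier in this patch prints for `rsync_port_t`; two unrelated services sharing one default suggests the generator is emitting a stale or wrong lookup result. rwhod conventionally uses UDP port 513, so anyone relying on this page to write firewall or `semanage port` rules would be working from the wrong port and protocol. The value should be checked against `semanage port -l` on a system with this policy loaded, and the lookup fixed in genman.py. The same block also carries an empty `.TP 10` and a second `.EE` with no matching `.EX`.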
+diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8
+index ca702c7..25316f0 100644
+--- a/man/man8/samba_selinux.8
++++ b/man/man8/samba_selinux.8
+@@ -1,56 +1,269 @@
+-.TH  "samba_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "Samba Selinux Policy documentation"
++.TH  "samba_selinux"  "8"  "samba" "dwalsh at redhat.com" "samba SELinux Policy documentation"
+ .SH "NAME"
+-samba_selinux \- Security Enhanced Linux Policy for Samba
++samba_selinux \- Security Enhanced Linux Policy for the samba processes
+ .SH "DESCRIPTION"
+ 
+-Security-Enhanced Linux secures the Samba server via flexible mandatory access
++
++SELinux Linux secures
++.B samba
++(
++SMB and CIFS client/server programs for UNIX and
++name  Service  Switch  daemon for resolving names
++from Windows NT servers.
++)
++processes via flexible mandatory access
+ control.  
+-.SH FILE_CONTEXTS
+-SELinux requires files to have an extended attribute to define the file type. 
+-Policy governs the access daemons have to these files. 
+-If you want to share files other than home directories, those files must be 
+-labeled samba_share_t.  So if you created a special directory /var/eng, you 
+-would need to label the directory with the chcon tool.
+-.TP
+-chcon -t samba_share_t /var/eng
+-.TP
+-To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
+-.TP
+-semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"
+-.TP
+-This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
+-.TP
+-/var/eng(/.*)? system_u:object_r:samba_share_t:s0
+-.TP
+-Run the restorecon command to apply the changes:
+-.TP
+-restorecon -R -v /var/eng/
+-
+-.SH SHARING FILES
+-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
+-
+-setsebool -P allow_smbd_anon_write=1
++
++
+ 
+ .SH BOOLEANS
+-.br 
+-SELinux policy is customizable based on least access required.  So by 
+-default SELinux policy turns off SELinux sharing of home directories and 
+-the use of Samba shares from a remote machine as a home directory.
+-.TP
+-If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. 
++SELinux policy is customizable based on least access required.  samba policy is extremely flexible and has several booleans that allow you to manipulate the policy and run samba with the tightest access possible.
++
++
++.PP
++If you want to allow samba to act as the domain controller, add users, groups and change passwords, you must turn on the samba_domain_controller boolean.
++
++.EX
++.B setsebool -P samba_domain_controller 1
++.EE
++
++.PP
++If you want to allow samba to act as a portmappe, you must turn on the samba_portmapper boolean.
++
++.EX
++.B setsebool -P samba_portmapper 1
++.EE
++
++.PP
++If you want to allow samba to share any file/directory read only, you must turn on the samba_export_all_ro boolean.
++
++.EX
++.B setsebool -P samba_export_all_ro 1
++.EE
++
++.PP
++If you want to support SAMBA home directorie, you must turn on the use_samba_home_dirs boolean.
++
++.EX
++.B setsebool -P use_samba_home_dirs 1
++.EE
++
++.PP
++If you want to allow samba to create new home directories (e.g. via PAM, you must turn on the samba_create_home_dirs boolean.
++
++.EX
++.B setsebool -P samba_create_home_dirs 1
++.EE
++
++.PP
++If you want to allow samba to share users home directories, you must turn on the samba_enable_home_dirs boolean.
++
++.EX
++.B setsebool -P samba_enable_home_dirs 1
++.EE
++
++.PP
++If you want to allow samba to export ntfs/fusefs volumes, you must turn on the samba_share_fusefs boolean.
++
++.EX
++.B setsebool -P samba_share_fusefs 1
++.EE
++
++.PP
++If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean.
++
++.EX
++.B setsebool -P samba_share_nfs 1
++.EE
++
++.PP
++If you want to allow samba to run unconfined script, you must turn on the samba_run_unconfined boolean.
++
++.EX
++.B setsebool -P samba_run_unconfined 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage cifs file, you must turn on the sanlock_use_samba boolean.
++
++.EX
++.B setsebool -P sanlock_use_samba 1
++.EE
++
++.PP
++If you want to allow samba to share any file/directory read/write, you must turn on the samba_export_all_rw boolean.
++
++.EX
++.B setsebool -P samba_export_all_rw 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage cifs file, you must turn on the virt_use_samba boolean.
++
++.EX
++.B setsebool -P virt_use_samba 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux samba policy is very flexible allowing users to setup their samba processes in as secure a method as possible.
++.PP 
++The following file types are defined for samba:
++
++
++.EX
++.PP
++.B samba_etc_t 
++.EE
++
++- Set files with the samba_etc_t type, if you want to store samba files in the /etc directories.
++
++
++.EX
++.PP
++.B samba_initrc_exec_t 
++.EE
++
++- Set files with the samba_initrc_exec_t type, if you want to transition an executable to the samba_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/nmb, /etc/rc\.d/init\.d/smb, /etc/rc\.d/init\.d/winbind
++
++.EX
++.PP
++.B samba_log_t 
++.EE
++
++- Set files with the samba_log_t type, if you want to treat the data as samba log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B samba_net_exec_t 
++.EE
++
++- Set files with the samba_net_exec_t type, if you want to transition an executable to the samba_net_t domain.
++
++
++.EX
++.PP
++.B samba_net_tmp_t 
++.EE
++
++- Set files with the samba_net_tmp_t type, if you want to store samba net temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B samba_secrets_t 
++.EE
++
++- Set files with the samba_secrets_t type, if you want to treat the files as samba secrets data.
++
++.br
++.TP 5
++Paths: 
++/etc/samba/secrets\.tdb, /etc/samba/passdb\.tdb, /etc/samba/MACHINE\.SID, /etc/samba/smbpasswd
++
++.EX
++.PP
++.B samba_share_t 
++.EE
++
++- Set files with the samba_share_t type, if you want to treat the files as samba share data.
++
++
++.EX
++.PP
++.B samba_unconfined_script_exec_t 
++.EE
++
++- Set files with the samba_unconfined_script_exec_t type, if you want to transition an executable to the samba_unconfined_script_t domain.
++
++
++.EX
++.PP
++.B samba_unit_file_t 
++.EE
++
++- Set files with the samba_unit_file_t type, if you want to treat the files as samba unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/smb.service, /usr/lib/systemd/system/smb.service
++
++.EX
++.PP
++.B samba_var_t 
++.EE
++
++- Set files with the samba_var_t type, if you want to store the s files under the /var directory.
++
+ .br
++.TP 5
++Paths: 
++/var/spool/samba(/.*)?, /var/cache/samba(/.*)?, /var/lib/samba(/.*)?
++
++.EX
++.PP
++.B sambagui_exec_t 
++.EE
++
++- Set files with the sambagui_exec_t type, if you want to transition an executable to the sambagui_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux samba policy is very flexible allowing users to setup their samba processes in as secure a method as possible.
++.PP 
++The following process types are defined for samba:
++
++.EX
++.B samba_net_t, samba_unconfined_script_t, sambagui_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
+ 
+-setsebool -P samba_enable_home_dirs 1
+-.TP
+-If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
+-.br 
++.B semanage boolean
++can also be used to manipulate the booleans
+ 
+-setsebool -P use_samba_home_dirs 1
+-.TP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
+ 
+ .SH AUTHOR	
+-This manual page was written by Dan Walsh <dwalsh at redhat.com>.
++This manual page was autogenerated by genman.py.
+ 
+ .SH "SEE ALSO"
+-selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
++selinux(8), samba(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
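Review bot: The new BOOLEANS section documents `samba_export_all_ro`, `samba_export_all_rw` and `samba_run_unconfined` with the same one-line template as the narrowly scoped booleans, while the removed FILE_CONTEXTS walkthrough (label the share `samba_share_t` with `semanage fcontext`, then run `restorecon`) is gone, so the page no longer steers readers to the narrower option first. I would keep a short paragraph next to the `samba_share_t` entry, for example `To share a directory, label it samba_share_t with semanage fcontext and restorecon rather than enabling samba_export_all_rw, which allows samba to share any file or directory read/write.` PROCESS TYPES lists only `samba_net_t, samba_unconfined_script_t, sambagui_t`; the daemon domains are missing, presumably because the generator selects types by the `samba` name prefix.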
+diff --git a/man/man8/sambagui_selinux.8 b/man/man8/sambagui_selinux.8
+new file mode 100644
+index 0000000..763d193
+--- /dev/null
++++ b/man/man8/sambagui_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "sambagui_selinux"  "8"  "sambagui" "dwalsh at redhat.com" "sambagui SELinux Policy documentation"
++.SH "NAME"
++sambagui_selinux \- Security Enhanced Linux Policy for the sambagui processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B sambagui
++(system-config-samba dbus service policy)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux sambagui policy is very flexible allowing users to setup their sambagui processes in as secure a method as possible.
++.PP 
++The following file types are defined for sambagui:
++
++
++.EX
++.PP
++.B sambagui_exec_t 
++.EE
++
++- Set files with the sambagui_exec_t type, if you want to transition an executable to the sambagui_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sambagui policy is very flexible allowing users to setup their sambagui processes in as secure a method as possible.
++.PP 
++The following process types are defined for sambagui:
++
++.EX
++.B sambagui_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), sambagui(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/sandbox_selinux.8 b/man/man8/sandbox_selinux.8
+new file mode 100644
+index 0000000..437feff
+--- /dev/null
++++ b/man/man8/sandbox_selinux.8
+@@ -0,0 +1,148 @@
++.TH  "sandbox_selinux"  "8"  "sandbox" "dwalsh at redhat.com" "sandbox SELinux Policy documentation"
++.SH "NAME"
++sandbox_selinux \- Security Enhanced Linux Policy for the sandbox processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B sandbox
++(policy for sandbox)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  sandbox policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox with the tightest access possible.
++
++
++.PP
++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbo, you must turn on the unconfined_chrome_sandbox_transition boolean.
++
++.EX
++.B setsebool -P unconfined_chrome_sandbox_transition 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux sandbox policy is very flexible allowing users to setup their sandbox processes in as secure a method as possible.
++.PP 
++The following file types are defined for sandbox:
++
++
++.EX
++.PP
++.B sandbox_devpts_t 
++.EE
++
++- Set files with the sandbox_devpts_t type, if you want to treat the files as sandbox devpts data.
++
++
++.EX
++.PP
++.B sandbox_exec_t 
++.EE
++
++- Set files with the sandbox_exec_t type, if you want to transition an executable to the sandbox_t domain.
++
++
++.EX
++.PP
++.B sandbox_file_t 
++.EE
++
++- Set files with the sandbox_file_t type, if you want to treat the files as sandbox content.
++
++
++.EX
++.PP
++.B sandbox_min_client_tmpfs_t 
++.EE
++
++- Set files with the sandbox_min_client_tmpfs_t type, if you want to store sandbox min client files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sandbox_net_client_tmpfs_t 
++.EE
++
++- Set files with the sandbox_net_client_tmpfs_t type, if you want to store sandbox net client files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sandbox_web_client_tmpfs_t 
++.EE
++
++- Set files with the sandbox_web_client_tmpfs_t type, if you want to store sandbox web client files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sandbox_x_client_tmpfs_t 
++.EE
++
++- Set files with the sandbox_x_client_tmpfs_t type, if you want to store sandbox x client files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sandbox_xserver_tmpfs_t 
++.EE
++
++- Set files with the sandbox_xserver_tmpfs_t type, if you want to store sandbox xserver files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sandbox policy is very flexible allowing users to setup their sandbox processes in as secure a method as possible.
++.PP 
++The following process types are defined for sandbox:
++
++.EX
++.B sandbox_x_client_t, sandbox_net_client_t, sandbox_xserver_t, sandbox_x_t, sandbox_web_client_t, sandbox_min_t, sandbox_net_t, sandbox_web_t, sandbox_min_client_t, sandbox_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), sandbox(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/sanlock_selinux.8 b/man/man8/sanlock_selinux.8
+new file mode 100644
+index 0000000..b15e691
+--- /dev/null
++++ b/man/man8/sanlock_selinux.8
+@@ -0,0 +1,130 @@
++.TH  "sanlock_selinux"  "8"  "sanlock" "dwalsh at redhat.com" "sanlock SELinux Policy documentation"
++.SH "NAME"
++sanlock_selinux \- Security Enhanced Linux Policy for the sanlock processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B sanlock
++(policy for sanlock)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  sanlock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sanlock with the tightest access possible.
++
++
++.PP
++If you want to allow confined virtual guests to interact with the sanloc, you must turn on the virt_use_sanlock boolean.
++
++.EX
++.B setsebool -P virt_use_sanlock 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage nfs file, you must turn on the sanlock_use_nfs boolean.
++
++.EX
++.B setsebool -P sanlock_use_nfs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage cifs file, you must turn on the sanlock_use_samba boolean.
++
++.EX
++.B setsebool -P sanlock_use_samba 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux sanlock policy is very flexible allowing users to setup their sanlock processes in as secure a method as possible.
++.PP 
++The following file types are defined for sanlock:
++
++
++.EX
++.PP
++.B sanlock_exec_t 
++.EE
++
++- Set files with the sanlock_exec_t type, if you want to transition an executable to the sanlock_t domain.
++
++
++.EX
++.PP
++.B sanlock_initrc_exec_t 
++.EE
++
++- Set files with the sanlock_initrc_exec_t type, if you want to transition an executable to the sanlock_initrc_t domain.
++
++
++.EX
++.PP
++.B sanlock_log_t 
++.EE
++
++- Set files with the sanlock_log_t type, if you want to treat the data as sanlock log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B sanlock_var_run_t 
++.EE
++
++- Set files with the sanlock_var_run_t type, if you want to store the sanlock files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sanlock policy is very flexible allowing users to setup their sanlock processes in as secure a method as possible.
++.PP 
++The following process types are defined for sanlock:
++
++.EX
++.B sanlock_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), sanlock(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/saslauthd_selinux.8 b/man/man8/saslauthd_selinux.8
+new file mode 100644
+index 0000000..8a922b3
+--- /dev/null
++++ b/man/man8/saslauthd_selinux.8
+@@ -0,0 +1,114 @@
++.TH  "saslauthd_selinux"  "8"  "saslauthd" "dwalsh at redhat.com" "saslauthd SELinux Policy documentation"
++.SH "NAME"
++saslauthd_selinux \- Security Enhanced Linux Policy for the saslauthd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  saslauthd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run saslauthd with the tightest access possible.
++
++
++.PP
++If you want to allow sasl to read shado, you must turn on the allow_saslauthd_read_shadow boolean.
++
++.EX
++.B setsebool -P allow_saslauthd_read_shadow 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux saslauthd policy is very flexible allowing users to setup their saslauthd processes in as secure a method as possible.
++.PP 
++The following file types are defined for saslauthd:
++
++
++.EX
++.PP
++.B saslauthd_exec_t 
++.EE
++
++- Set files with the saslauthd_exec_t type, if you want to transition an executable to the saslauthd_t domain.
++
++
++.EX
++.PP
++.B saslauthd_initrc_exec_t 
++.EE
++
++- Set files with the saslauthd_initrc_exec_t type, if you want to transition an executable to the saslauthd_initrc_t domain.
++
++
++.EX
++.PP
++.B saslauthd_keytab_t 
++.EE
++
++- Set files with the saslauthd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B saslauthd_var_run_t 
++.EE
++
++- Set files with the saslauthd_var_run_t type, if you want to store the saslauthd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/sasl2(/.*)?, /var/run/saslauthd(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux saslauthd policy is very flexible allowing users to setup their saslauthd processes in as secure a method as possible.
++.PP 
++The following process types are defined for saslauthd:
++
++.EX
++.B saslauthd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), saslauthd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/sblim_selinux.8 b/man/man8/sblim_selinux.8
+new file mode 100644
+index 0000000..5c6807e
+--- /dev/null
++++ b/man/man8/sblim_selinux.8
+@@ -0,0 +1,93 @@
++.TH  "sblim_selinux"  "8"  "sblim" "dwalsh at redhat.com" "sblim SELinux Policy documentation"
++.SH "NAME"
++sblim_selinux \- Security Enhanced Linux Policy for the sblim processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B sblim
++( policy for SBLIM Gatherer )
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux sblim policy is very flexible allowing users to setup their sblim processes in as secure a method as possible.
++.PP 
++The following file types are defined for sblim:
++
++
++.EX
++.PP
++.B sblim_gatherd_exec_t 
++.EE
++
++- Set files with the sblim_gatherd_exec_t type, if you want to transition an executable to the sblim_gatherd_t domain.
++
++
++.EX
++.PP
++.B sblim_reposd_exec_t 
++.EE
++
++- Set files with the sblim_reposd_exec_t type, if you want to transition an executable to the sblim_reposd_t domain.
++
++
++.EX
++.PP
++.B sblim_var_run_t 
++.EE
++
++- Set files with the sblim_var_run_t type, if you want to store the sblim files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sblim policy is very flexible allowing users to setup their sblim processes in as secure a method as possible.
++.PP 
++The following process types are defined for sblim:
++
++.EX
++.B sblim_reposd_t, sblim_gatherd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), sblim(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/secadm_selinux.8 b/man/man8/secadm_selinux.8
+new file mode 100644
+index 0000000..6bf3e2b
+--- /dev/null
++++ b/man/man8/secadm_selinux.8
+@@ -0,0 +1,65 @@
++.TH  "secadm_selinux"  "8"  "secadm" "mgrepl at redhat.com" "secadm SELinux Policy documentation"
++.SH "NAME"
++secadm_r \- \fBSecurity administrator role\fP - Security Enhanced Linux Policy 
++
++.SH DESCRIPTION
++
++SELinux supports Roles Based Access Control, some Linux roles are login roles, while other roles need to be transition to. 
++
++Note: The examples in the man page will user the staff_u user.
++
++Non login roles are usually used for administrative tasks.
++
++Roles usually have default types assigned to them. 
++
++The default type for the secadm_r role is secadm_t.
++
++You can use the 
++.B newrole 
++program to transition directly to this role.
++
++.B newrole -r secadm_r -t secadm_t
++
++.B sudo 
++can also be setup to transition to this role using the visudo command.
++
++USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL
++
++If you want to use a non login role, you need to make sure the SELinux user you are using can reach this role.
++
++You can see all of the assigned SELinux roles using the following
++
++.B semanage user -l
++
++If you wanted to add secadm_r to the staff_u user, you would execute:
++
++.B $ semanage user -m -R 'staff_r secadm_r' staff_u 
++
++
++
++SELinux policy also controls which roles can transition to a different role.  
++You can list these rules using the following command.
++
++.B sesearch --role_allow
++
++SELinux policy allows the sysadm_r, staff_r, auditadm_r roles can transition to the secadm_r role.
++
++
++.SH "COMMANDS"
++
++.B semanage login
++can also be used to manipulate the Linux User to SELinux User mappings
++
++.B semanage user
++can also be used to manipulate SELinux user definitions.
++
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genuserman.py.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8).
+diff --git a/man/man8/sectoolm_selinux.8 b/man/man8/sectoolm_selinux.8
+new file mode 100644
+index 0000000..232ac2e
+--- /dev/null
++++ b/man/man8/sectoolm_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "sectoolm_selinux"  "8"  "sectoolm" "dwalsh at redhat.com" "sectoolm SELinux Policy documentation"
++.SH "NAME"
++sectoolm_selinux \- Security Enhanced Linux Policy for the sectoolm processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B sectoolm
++(Sectool security audit tool)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux sectoolm policy is very flexible allowing users to setup their sectoolm processes in as secure a method as possible.
++.PP 
++The following file types are defined for sectoolm:
++
++
++.EX
++.PP
++.B sectoolm_exec_t 
++.EE
++
++- Set files with the sectoolm_exec_t type, if you want to transition an executable to the sectoolm_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sectoolm policy is very flexible allowing users to setup their sectoolm processes in as secure a method as possible.
++.PP 
++The following process types are defined for sectoolm:
++
++.EX
++.B sectoolm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), sectoolm(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/selinux_selinux.8 b/man/man8/selinux_selinux.8
+new file mode 100644
+index 0000000..42b09e3
+--- /dev/null
++++ b/man/man8/selinux_selinux.8
+@@ -0,0 +1,107 @@
++.TH  "selinux_selinux"  "8"  "selinux" "dwalsh at redhat.com" "selinux SELinux Policy documentation"
++.SH "NAME"
++selinux_selinux \- Security Enhanced Linux Policy for the selinux processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B selinux
++(
++Policy for kernel security interface, in particular, selinuxfs.
++)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux selinux policy is very flexible allowing users to setup their selinux processes in as secure a method as possible.
++.PP 
++The following file types are defined for selinux:
++
++
++.EX
++.PP
++.B selinux_config_t 
++.EE
++
++- Set files with the selinux_config_t type, if you want to treat the files as selinux configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/etc/selinux/([^/]*/)?users(/.*)?, /etc/selinux(/.*)?, /etc/selinux/([^/]*/)?seusers, /etc/selinux/([^/]*/)?setrans\.conf
++
++.EX
++.PP
++.B selinux_munin_plugin_exec_t 
++.EE
++
++- Set files with the selinux_munin_plugin_exec_t type, if you want to transition an executable to the selinux_munin_plugin_t domain.
++
++
++.EX
++.PP
++.B selinux_munin_plugin_tmp_t 
++.EE
++
++- Set files with the selinux_munin_plugin_tmp_t type, if you want to store selinux munin plugin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B selinux_var_lib_t 
++.EE
++
++- Set files with the selinux_var_lib_t type, if you want to store the selinux files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux selinux policy is very flexible allowing users to setup their selinux processes in as secure a method as possible.
++.PP 
++The following process types are defined for selinux:
++
++.EX
++.B selinux_munin_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), selinux(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/semanage_selinux.8 b/man/man8/semanage_selinux.8
+new file mode 100644
+index 0000000..ad680da
+--- /dev/null
++++ b/man/man8/semanage_selinux.8
+@@ -0,0 +1,111 @@
++.TH  "semanage_selinux"  "8"  "semanage" "dwalsh at redhat.com" "semanage SELinux Policy documentation"
++.SH "NAME"
++semanage_selinux \- Security Enhanced Linux Policy for the semanage processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux semanage policy is very flexible allowing users to setup their semanage processes in as secure a method as possible.
++.PP 
++The following file types are defined for semanage:
++
++
++.EX
++.PP
++.B semanage_exec_t 
++.EE
++
++- Set files with the semanage_exec_t type, if you want to transition an executable to the semanage_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/share/system-config-selinux/system-config-selinux-dbus\.py, /usr/sbin/semanage, /usr/sbin/semodule
++
++.EX
++.PP
++.B semanage_read_lock_t 
++.EE
++
++- Set files with the semanage_read_lock_t type, if you want to treat the files as semanage read lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B semanage_store_t 
++.EE
++
++- Set files with the semanage_store_t type, if you want to treat the files as semanage store data.
++
++.br
++.TP 5
++Paths: 
++/etc/share/selinux/mls(/.*)?, /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?, /etc/selinux/([^/]*/)?policy(/.*)?, /etc/share/selinux/targeted(/.*)?
++
++.EX
++.PP
++.B semanage_tmp_t 
++.EE
++
++- Set files with the semanage_tmp_t type, if you want to store semanage temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B semanage_trans_lock_t 
++.EE
++
++- Set files with the semanage_trans_lock_t type, if you want to treat the files as semanage trans lock data, stored under the /var/lock directory
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux semanage policy is very flexible allowing users to setup their semanage processes in as secure a method as possible.
++.PP 
++The following process types are defined for semanage:
++
++.EX
++.B semanage_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/sendmail_selinux.8 b/man/man8/sendmail_selinux.8
+new file mode 100644
+index 0000000..f2e3fa2
+--- /dev/null
++++ b/man/man8/sendmail_selinux.8
+@@ -0,0 +1,158 @@
++.TH  "sendmail_selinux"  "8"  "sendmail" "dwalsh at redhat.com" "sendmail SELinux Policy documentation"
++.SH "NAME"
++sendmail_selinux \- Security Enhanced Linux Policy for the sendmail processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B sendmail
++(Policy for sendmail)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  sendmail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sendmail with the tightest access possible.
++
++
++.PP
++If you want to allow http daemon to send mai, you must turn on the httpd_can_sendmail boolean.
++
++.EX
++.B setsebool -P httpd_can_sendmail 1
++.EE
++
++.PP
++If you want to allow syslogd daemon to send mai, you must turn on the logging_syslogd_can_sendmail boolean.
++
++.EX
++.B setsebool -P logging_syslogd_can_sendmail 1
++.EE
++
++.PP
++If you want to allow gitisis daemon to send mai, you must turn on the gitosis_can_sendmail boolean.
++
++.EX
++.B setsebool -P gitosis_can_sendmail 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux sendmail policy is very flexible allowing users to setup their sendmail processes in as secure a method as possible.
++.PP 
++The following file types are defined for sendmail:
++
++
++.EX
++.PP
++.B sendmail_exec_t 
++.EE
++
++- Set files with the sendmail_exec_t type, if you want to transition an executable to the sendmail_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/mail(x)?, /usr/sbin/rmail, /usr/sbin/ssmtp, /usr/bin/esmtp, /var/qmail/bin/sendmail, /usr/sbin/sendmail\.postfix, /usr/lib/courier/bin/sendmail, /usr/lib/sendmail, /bin/mail(x)?, /usr/sbin/sendmail(\.sendmail)?
++
++.EX
++.PP
++.B sendmail_initrc_exec_t 
++.EE
++
++- Set files with the sendmail_initrc_exec_t type, if you want to transition an executable to the sendmail_initrc_t domain.
++
++
++.EX
++.PP
++.B sendmail_keytab_t 
++.EE
++
++- Set files with the sendmail_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B sendmail_log_t 
++.EE
++
++- Set files with the sendmail_log_t type, if you want to treat the data as sendmail log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/sendmail\.st, /var/log/mail(/.*)?
++
++.EX
++.PP
++.B sendmail_tmp_t 
++.EE
++
++- Set files with the sendmail_tmp_t type, if you want to store sendmail temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B sendmail_var_run_t 
++.EE
++
++- Set files with the sendmail_var_run_t type, if you want to store the sendmail files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/sendmail\.pid, /var/run/sm-client\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sendmail policy is very flexible allowing users to setup their sendmail processes in as secure a method as possible.
++.PP 
++The following process types are defined for sendmail:
++
++.EX
++.B sendmail_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), sendmail(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/services_selinux.8 b/man/man8/services_selinux.8
+new file mode 100644
+index 0000000..08da721
+--- /dev/null
++++ b/man/man8/services_selinux.8
+@@ -0,0 +1,83 @@
++.TH  "services_selinux"  "8"  "services" "dwalsh at redhat.com" "services SELinux Policy documentation"
++.SH "NAME"
++services_selinux \- Security Enhanced Linux Policy for the services processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux services policy is very flexible allowing users to setup their services processes in as secure a method as possible.
++.PP 
++The following file types are defined for services:
++
++
++.EX
++.PP
++.B services_munin_plugin_exec_t 
++.EE
++
++- Set files with the services_munin_plugin_exec_t type, if you want to transition an executable to the services_munin_plugin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/share/munin/plugins/nut.*, /usr/share/munin/plugins/named, /usr/share/munin/plugins/varnish_.*, /usr/share/munin/plugins/tomcat_.*, /usr/share/munin/plugins/postgres_.*, /usr/share/munin/plugins/asterisk_.*, /usr/share/munin/plugins/lpstat, /usr/share/munin/plugins/mysql_.*, /usr/share/munin/plugins/slapd_.*, /usr/share/munin/plugins/apache_.*, /usr/share/munin/plugins/ping_, /usr/share/munin/plugins/squid_.*, /usr/share/munin/plugins/fail2ban, /usr/share/munin/plugins/openvpn, /usr/share/munin/plugins/snmp_.*, /usr/share/munin/plugins/samba, /usr/share/munin/plugins/ntp_.*, /usr/share/munin/plugins/http_loadtime
++
++.EX
++.PP
++.B services_munin_plugin_tmp_t 
++.EE
++
++- Set files with the services_munin_plugin_tmp_t type, if you want to store services munin plugin temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux services policy is very flexible allowing users to setup their services processes in as secure a method as possible.
++.PP 
++The following process types are defined for services:
++
++.EX
++.B services_munin_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), services(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/setfiles_selinux.8 b/man/man8/setfiles_selinux.8
+new file mode 100644
+index 0000000..33dfb2f
+--- /dev/null
++++ b/man/man8/setfiles_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "setfiles_selinux"  "8"  "setfiles" "dwalsh at redhat.com" "setfiles SELinux Policy documentation"
++.SH "NAME"
++setfiles_selinux \- Security Enhanced Linux Policy for the setfiles processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux setfiles policy is very flexible allowing users to setup their setfiles processes in as secure a method as possible.
++.PP 
++The following file types are defined for setfiles:
++
++
++.EX
++.PP
++.B setfiles_exec_t 
++.EE
++
++- Set files with the setfiles_exec_t type, if you want to transition an executable to the setfiles_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/setfiles.*, /sbin/restorecon, /usr/sbin/setfiles.*, /usr/sbin/restorecon
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux setfiles policy is very flexible allowing users to setup their setfiles processes in as secure a method as possible.
++.PP 
++The following process types are defined for setfiles:
++
++.EX
++.B setfiles_mac_t, setfiles_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), setfiles(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/setkey_selinux.8 b/man/man8/setkey_selinux.8
+new file mode 100644
+index 0000000..8a21ecc
+--- /dev/null
++++ b/man/man8/setkey_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "setkey_selinux"  "8"  "setkey" "dwalsh at redhat.com" "setkey SELinux Policy documentation"
++.SH "NAME"
++setkey_selinux \- Security Enhanced Linux Policy for the setkey processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux setkey policy is very flexible allowing users to setup their setkey processes in as secure a method as possible.
++.PP 
++The following file types are defined for setkey:
++
++
++.EX
++.PP
++.B setkey_exec_t 
++.EE
++
++- Set files with the setkey_exec_t type, if you want to transition an executable to the setkey_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/setkey, /sbin/setkey
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux setkey policy is very flexible allowing users to setup their setkey processes in as secure a method as possible.
++.PP 
++The following process types are defined for setkey:
++
++.EX
++.B setkey_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), setkey(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/setrans_selinux.8 b/man/man8/setrans_selinux.8
+new file mode 100644
+index 0000000..99b5cda
+--- /dev/null
++++ b/man/man8/setrans_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "setrans_selinux"  "8"  "setrans" "dwalsh at redhat.com" "setrans SELinux Policy documentation"
++.SH "NAME"
++setrans_selinux \- Security Enhanced Linux Policy for the setrans processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B setrans
++(SELinux MLS/MCS label translation service)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux setrans policy is very flexible allowing users to setup their setrans processes in as secure a method as possible.
++.PP 
++The following file types are defined for setrans:
++
++
++.EX
++.PP
++.B setrans_exec_t 
++.EE
++
++- Set files with the setrans_exec_t type, if you want to transition an executable to the setrans_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/mcstransd, /usr/sbin/mcstransd
++
++.EX
++.PP
++.B setrans_initrc_exec_t 
++.EE
++
++- Set files with the setrans_initrc_exec_t type, if you want to transition an executable to the setrans_initrc_t domain.
++
++
++.EX
++.PP
++.B setrans_var_run_t 
++.EE
++
++- Set files with the setrans_var_run_t type, if you want to store the setrans files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/mcstransd\.pid, /var/run/setrans(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux setrans policy is very flexible allowing users to setup their setrans processes in as secure a method as possible.
++.PP 
++The following process types are defined for setrans:
++
++.EX
++.B setrans_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), setrans(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/setroubleshoot_selinux.8 b/man/man8/setroubleshoot_selinux.8
+new file mode 100644
+index 0000000..cbed8e8
+--- /dev/null
++++ b/man/man8/setroubleshoot_selinux.8
+@@ -0,0 +1,109 @@
++.TH  "setroubleshoot_selinux"  "8"  "setroubleshoot" "dwalsh at redhat.com" "setroubleshoot SELinux Policy documentation"
++.SH "NAME"
++setroubleshoot_selinux \- Security Enhanced Linux Policy for the setroubleshoot processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B setroubleshoot
++(SELinux troubleshooting service)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux setroubleshoot policy is very flexible allowing users to setup their setroubleshoot processes in as secure a method as possible.
++.PP 
++The following file types are defined for setroubleshoot:
++
++
++.EX
++.PP
++.B setroubleshoot_fixit_exec_t 
++.EE
++
++- Set files with the setroubleshoot_fixit_exec_t type, if you want to transition an executable to the setroubleshoot_fixit_t domain.
++
++
++.EX
++.PP
++.B setroubleshoot_var_lib_t 
++.EE
++
++- Set files with the setroubleshoot_var_lib_t type, if you want to store the setroubleshoot files under the /var/lib directory.
++
++
++.EX
++.PP
++.B setroubleshoot_var_log_t 
++.EE
++
++- Set files with the setroubleshoot_var_log_t type, if you want to treat the data as setroubleshoot var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B setroubleshoot_var_run_t 
++.EE
++
++- Set files with the setroubleshoot_var_run_t type, if you want to store the setroubleshoot files under the /run directory.
++
++
++.EX
++.PP
++.B setroubleshootd_exec_t 
++.EE
++
++- Set files with the setroubleshootd_exec_t type, if you want to transition an executable to the setroubleshootd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux setroubleshoot policy is very flexible allowing users to setup their setroubleshoot processes in as secure a method as possible.
++.PP 
++The following process types are defined for setroubleshoot:
++
++.EX
++.B setroubleshoot_fixit_t, setroubleshootd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), setroubleshoot(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/setroubleshootd_selinux.8 b/man/man8/setroubleshootd_selinux.8
+new file mode 100644
+index 0000000..924d3bc
+--- /dev/null
++++ b/man/man8/setroubleshootd_selinux.8
+@@ -0,0 +1,103 @@
++.TH  "setroubleshootd_selinux"  "8"  "setroubleshootd" "dwalsh at redhat.com" "setroubleshootd SELinux Policy documentation"
++.SH "NAME"
++setroubleshootd_selinux \- Security Enhanced Linux Policy for the setroubleshootd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible.
++.PP 
++The following file types are defined for setroubleshootd:
++
++
++.EX
++.PP
++.B setroubleshoot_fixit_exec_t 
++.EE
++
++- Set files with the setroubleshoot_fixit_exec_t type, if you want to transition an executable to the setroubleshoot_fixit_t domain.
++
++
++.EX
++.PP
++.B setroubleshoot_var_lib_t 
++.EE
++
++- Set files with the setroubleshoot_var_lib_t type, if you want to store the setroubleshoot files under the /var/lib directory.
++
++
++.EX
++.PP
++.B setroubleshoot_var_log_t 
++.EE
++
++- Set files with the setroubleshoot_var_log_t type, if you want to treat the data as setroubleshoot var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B setroubleshoot_var_run_t 
++.EE
++
++- Set files with the setroubleshoot_var_run_t type, if you want to store the setroubleshoot files under the /run directory.
++
++
++.EX
++.PP
++.B setroubleshootd_exec_t 
++.EE
++
++- Set files with the setroubleshootd_exec_t type, if you want to transition an executable to the setroubleshootd_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible.
++.PP 
++The following process types are defined for setroubleshootd:
++
++.EX
++.B setroubleshoot_fixit_t, setroubleshootd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), setroubleshootd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/setsebool_selinux.8 b/man/man8/setsebool_selinux.8
+new file mode 100644
+index 0000000..0b850e8
+--- /dev/null
++++ b/man/man8/setsebool_selinux.8
+@@ -0,0 +1,71 @@
++.TH  "setsebool_selinux"  "8"  "setsebool" "dwalsh at redhat.com" "setsebool SELinux Policy documentation"
++.SH "NAME"
++setsebool_selinux \- Security Enhanced Linux Policy for the setsebool processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible.
++.PP 
++The following file types are defined for setsebool:
++
++
++.EX
++.PP
++.B setsebool_exec_t 
++.EE
++
++- Set files with the setsebool_exec_t type, if you want to transition an executable to the setsebool_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible.
++.PP 
++The following process types are defined for setsebool:
++
++.EX
++.B setsebool_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), setsebool(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/sge_selinux.8 b/man/man8/sge_selinux.8
+new file mode 100644
+index 0000000..636d762
+--- /dev/null
++++ b/man/man8/sge_selinux.8
+@@ -0,0 +1,124 @@
++.TH  "sge_selinux"  "8"  "sge" "dwalsh at redhat.com" "sge SELinux Policy documentation"
++.SH "NAME"
++sge_selinux \- Security Enhanced Linux Policy for the sge processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B sge
++(Policy for gridengine MPI jobs)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  sge policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sge with the tightest access possible.
++
++
++.PP
++If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean.
++
++.EX
++.B setsebool -P sge_use_nfs 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux sge policy is very flexible allowing users to setup their sge processes in as secure a method as possible.
++.PP 
++The following file types are defined for sge:
++
++
++.EX
++.PP
++.B sge_execd_exec_t 
++.EE
++
++- Set files with the sge_execd_exec_t type, if you want to transition an executable to the sge_execd_t domain.
++
++
++.EX
++.PP
++.B sge_job_exec_t 
++.EE
++
++- Set files with the sge_job_exec_t type, if you want to transition an executable to the sge_job_t domain.
++
++
++.EX
++.PP
++.B sge_shepherd_exec_t 
++.EE
++
++- Set files with the sge_shepherd_exec_t type, if you want to transition an executable to the sge_shepherd_t domain.
++
++
++.EX
++.PP
++.B sge_spool_t 
++.EE
++
++- Set files with the sge_spool_t type, if you want to store the sge files under the /var/spool directory.
++
++
++.EX
++.PP
++.B sge_tmp_t 
++.EE
++
++- Set files with the sge_tmp_t type, if you want to store sge temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sge policy is very flexible allowing users to setup their sge processes in as secure a method as possible.
++.PP 
++The following process types are defined for sge:
++
++.EX
++.B sge_execd_t, sge_job_ssh_t, sge_shepherd_t, sge_job_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), sge(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/shorewall_selinux.8 b/man/man8/shorewall_selinux.8
+new file mode 100644
+index 0000000..b02195e
+--- /dev/null
++++ b/man/man8/shorewall_selinux.8
+@@ -0,0 +1,141 @@
++.TH  "shorewall_selinux"  "8"  "shorewall" "dwalsh at redhat.com" "shorewall SELinux Policy documentation"
++.SH "NAME"
++shorewall_selinux \- Security Enhanced Linux Policy for the shorewall processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B shorewall
++(Shoreline Firewall high-level tool for configuring netfilter)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux shorewall policy is very flexible allowing users to setup their shorewall processes in as secure a method as possible.
++.PP 
++The following file types are defined for shorewall:
++
++
++.EX
++.PP
++.B shorewall_etc_t 
++.EE
++
++- Set files with the shorewall_etc_t type, if you want to store shorewall files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/shorewall-lite(/.*)?, /etc/shorewall(/.*)?
++
++.EX
++.PP
++.B shorewall_exec_t 
++.EE
++
++- Set files with the shorewall_exec_t type, if you want to transition an executable to the shorewall_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/shorewall6?, /sbin/shorewall-lite, /usr/sbin/shorewall-lite, /usr/sbin/shorewall6?
++
++.EX
++.PP
++.B shorewall_initrc_exec_t 
++.EE
++
++- Set files with the shorewall_initrc_exec_t type, if you want to transition an executable to the shorewall_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/shorewall, /etc/rc\.d/init\.d/shorewall-lite
++
++.EX
++.PP
++.B shorewall_lock_t 
++.EE
++
++- Set files with the shorewall_lock_t type, if you want to treat the files as shorewall lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B shorewall_log_t 
++.EE
++
++- Set files with the shorewall_log_t type, if you want to treat the data as shorewall log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B shorewall_tmp_t 
++.EE
++
++- Set files with the shorewall_tmp_t type, if you want to store shorewall temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B shorewall_var_lib_t 
++.EE
++
++- Set files with the shorewall_var_lib_t type, if you want to store the shorewall files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/shorewall-lite(/.*)?, /var/lib/shorewall(/.*)?, /var/lib/shorewall6(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux shorewall policy is very flexible allowing users to setup their shorewall processes in as secure a method as possible.
++.PP 
++The following process types are defined for shorewall:
++
++.EX
++.B shorewall_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), shorewall(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/showmount_selinux.8 b/man/man8/showmount_selinux.8
+new file mode 100644
+index 0000000..df89321
+--- /dev/null
++++ b/man/man8/showmount_selinux.8
+@@ -0,0 +1,71 @@
++.TH  "showmount_selinux"  "8"  "showmount" "dwalsh at redhat.com" "showmount SELinux Policy documentation"
++.SH "NAME"
++showmount_selinux \- Security Enhanced Linux Policy for the showmount processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux showmount policy is very flexible allowing users to setup their showmount processes in as secure a method as possible.
++.PP 
++The following file types are defined for showmount:
++
++
++.EX
++.PP
++.B showmount_exec_t 
++.EE
++
++- Set files with the showmount_exec_t type, if you want to transition an executable to the showmount_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux showmount policy is very flexible allowing users to setup their showmount processes in as secure a method as possible.
++.PP 
++The following process types are defined for showmount:
++
++.EX
++.B showmount_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), showmount(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/shutdown_selinux.8 b/man/man8/shutdown_selinux.8
+new file mode 100644
+index 0000000..733dd9c
+--- /dev/null
++++ b/man/man8/shutdown_selinux.8
+@@ -0,0 +1,97 @@
++.TH  "shutdown_selinux"  "8"  "shutdown" "dwalsh at redhat.com" "shutdown SELinux Policy documentation"
++.SH "NAME"
++shutdown_selinux \- Security Enhanced Linux Policy for the shutdown processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B shutdown
++(System shutdown command)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux shutdown policy is very flexible allowing users to setup their shutdown processes in as secure a method as possible.
++.PP 
++The following file types are defined for shutdown:
++
++
++.EX
++.PP
++.B shutdown_etc_t 
++.EE
++
++- Set files with the shutdown_etc_t type, if you want to store shutdown files in the /etc directories.
++
++
++.EX
++.PP
++.B shutdown_exec_t 
++.EE
++
++- Set files with the shutdown_exec_t type, if you want to transition an executable to the shutdown_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/shutdown, /usr/sbin/shutdown, /usr/lib/upstart/shutdown, /lib/upstart/shutdown
++
++.EX
++.PP
++.B shutdown_var_run_t 
++.EE
++
++- Set files with the shutdown_var_run_t type, if you want to store the shutdown files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux shutdown policy is very flexible allowing users to setup their shutdown processes in as secure a method as possible.
++.PP 
++The following process types are defined for shutdown:
++
++.EX
++.B shutdown_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), shutdown(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/slapd_selinux.8 b/man/man8/slapd_selinux.8
+new file mode 100644
+index 0000000..4031380
+--- /dev/null
++++ b/man/man8/slapd_selinux.8
+@@ -0,0 +1,175 @@
++.TH  "slapd_selinux"  "8"  "slapd" "dwalsh at redhat.com" "slapd SELinux Policy documentation"
++.SH "NAME"
++slapd_selinux \- Security Enhanced Linux Policy for the slapd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux slapd policy is very flexible allowing users to setup their slapd processes in as secure a method as possible.
++.PP 
++The following file types are defined for slapd:
++
++
++.EX
++.PP
++.B slapd_cert_t 
++.EE
++
++- Set files with the slapd_cert_t type, if you want to treat the files as slapd certificate data.
++
++
++.EX
++.PP
++.B slapd_db_t 
++.EE
++
++- Set files with the slapd_db_t type, if you want to treat the files as slapd database content.
++
++.br
++.TP 5
++Paths: 
++/etc/openldap/slapd\.d(/.*)?, /var/lib/ldap(/.*)?
++
++.EX
++.PP
++.B slapd_etc_t 
++.EE
++
++- Set files with the slapd_etc_t type, if you want to store slapd files in the /etc directories.
++
++
++.EX
++.PP
++.B slapd_exec_t 
++.EE
++
++- Set files with the slapd_exec_t type, if you want to transition an executable to the slapd_t domain.
++
++
++.EX
++.PP
++.B slapd_initrc_exec_t 
++.EE
++
++- Set files with the slapd_initrc_exec_t type, if you want to transition an executable to the slapd_initrc_t domain.
++
++
++.EX
++.PP
++.B slapd_keytab_t 
++.EE
++
++- Set files with the slapd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B slapd_lock_t 
++.EE
++
++- Set files with the slapd_lock_t type, if you want to treat the files as slapd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B slapd_log_t 
++.EE
++
++- Set files with the slapd_log_t type, if you want to treat the data as slapd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B slapd_replog_t 
++.EE
++
++- Set files with the slapd_replog_t type, if you want to treat the files as slapd replog data.
++
++
++.EX
++.PP
++.B slapd_tmp_t 
++.EE
++
++- Set files with the slapd_tmp_t type, if you want to store slapd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B slapd_tmpfs_t 
++.EE
++
++- Set files with the slapd_tmpfs_t type, if you want to store slapd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B slapd_unit_file_t 
++.EE
++
++- Set files with the slapd_unit_file_t type, if you want to treat the files as slapd unit content.
++
++
++.EX
++.PP
++.B slapd_var_run_t 
++.EE
++
++- Set files with the slapd_var_run_t type, if you want to store the slapd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/slapd\.args, /var/run/openldap(/.*)?, /var/run/slapd\.pid, /var/run/ldapi, /var/run/slapd.*
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux slapd policy is very flexible allowing users to setup their slapd processes in as secure a method as possible.
++.PP 
++The following process types are defined for slapd:
++
++.EX
++.B slapd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), slapd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/smbcontrol_selinux.8 b/man/man8/smbcontrol_selinux.8
+new file mode 100644
+index 0000000..1f4a491
+--- /dev/null
++++ b/man/man8/smbcontrol_selinux.8
+@@ -0,0 +1,71 @@
++.TH  "smbcontrol_selinux"  "8"  "smbcontrol" "dwalsh at redhat.com" "smbcontrol SELinux Policy documentation"
++.SH "NAME"
++smbcontrol_selinux \- Security Enhanced Linux Policy for the smbcontrol processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux smbcontrol policy is very flexible allowing users to setup their smbcontrol processes in as secure a method as possible.
++.PP 
++The following file types are defined for smbcontrol:
++
++
++.EX
++.PP
++.B smbcontrol_exec_t 
++.EE
++
++- Set files with the smbcontrol_exec_t type, if you want to transition an executable to the smbcontrol_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux smbcontrol policy is very flexible allowing users to setup their smbcontrol processes in as secure a method as possible.
++.PP 
++The following process types are defined for smbcontrol:
++
++.EX
++.B smbcontrol_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), smbcontrol(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/smbd_selinux.8 b/man/man8/smbd_selinux.8
+new file mode 100644
+index 0000000..78125d2
+--- /dev/null
++++ b/man/man8/smbd_selinux.8
+@@ -0,0 +1,151 @@
++.TH  "smbd_selinux"  "8"  "smbd" "dwalsh at redhat.com" "smbd SELinux Policy documentation"
++.SH "NAME"
++smbd_selinux \- Security Enhanced Linux Policy for the smbd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow smbd servers to read the /var/smbd directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/smbd(/.*)?"
++.br
++.B restorecon -F -R -v /var/smbd
++.pp
++.TP
++Allow smbd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_smbd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/smbd/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/smbd/incoming
++
++
++.PP
++If you want to allow samba to modify public files used for public file transfer services.  Files/Directories must be labeled public_content_rw_t., you must turn on the allow_smbd_anon_write boolean.
++
++.EX
++.B setsebool -P allow_smbd_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible.
++.PP 
++The following file types are defined for smbd:
++
++
++.EX
++.PP
++.B smbd_exec_t 
++.EE
++
++- Set files with the smbd_exec_t type, if you want to transition an executable to the smbd_t domain.
++
++
++.EX
++.PP
++.B smbd_keytab_t 
++.EE
++
++- Set files with the smbd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B smbd_tmp_t 
++.EE
++
++- Set files with the smbd_tmp_t type, if you want to store smbd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B smbd_var_run_t 
++.EE
++
++- Set files with the smbd_var_run_t type, if you want to store the smbd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/samba/gencache\.tdb, /var/run/samba/share_info\.tdb, /var/run/samba(/.*)?, /var/run/samba/locking\.tdb, /var/run/samba/connections\.tdb, /var/run/samba/smbd\.pid, /var/run/samba/sessionid\.tdb, /var/run/samba/brlock\.tdb
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible.
++.PP 
++The following port types are defined for smbd:
++
++.EX
++.TP 5
++.B smbd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible.
++.PP 
++The following process types are defined for smbd:
++
++.EX
++.B smbcontrol_t, smbmount_t, smbd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), smbd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/smbmount_selinux.8 b/man/man8/smbmount_selinux.8
+new file mode 100644
+index 0000000..e5fd258
+--- /dev/null
++++ b/man/man8/smbmount_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "smbmount_selinux"  "8"  "smbmount" "dwalsh at redhat.com" "smbmount SELinux Policy documentation"
++.SH "NAME"
++smbmount_selinux \- Security Enhanced Linux Policy for the smbmount processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux smbmount policy is very flexible allowing users to setup their smbmount processes in as secure a method as possible.
++.PP 
++The following file types are defined for smbmount:
++
++
++.EX
++.PP
++.B smbmount_exec_t 
++.EE
++
++- Set files with the smbmount_exec_t type, if you want to transition an executable to the smbmount_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/smbmnt, /usr/bin/smbmount
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux smbmount policy is very flexible allowing users to setup their smbmount processes in as secure a method as possible.
++.PP 
++The following process types are defined for smbmount:
++
++.EX
++.B smbmount_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), smbmount(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/smokeping_selinux.8 b/man/man8/smokeping_selinux.8
+new file mode 100644
+index 0000000..6eb81ca
+--- /dev/null
++++ b/man/man8/smokeping_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "smokeping_selinux"  "8"  "smokeping" "dwalsh at redhat.com" "smokeping SELinux Policy documentation"
++.SH "NAME"
++smokeping_selinux \- Security Enhanced Linux Policy for the smokeping processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B smokeping
++(Smokeping network latency measurement)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux smokeping policy is very flexible allowing users to setup their smokeping processes in as secure a method as possible.
++.PP 
++The following file types are defined for smokeping:
++
++
++.EX
++.PP
++.B smokeping_exec_t 
++.EE
++
++- Set files with the smokeping_exec_t type, if you want to transition an executable to the smokeping_t domain.
++
++
++.EX
++.PP
++.B smokeping_initrc_exec_t 
++.EE
++
++- Set files with the smokeping_initrc_exec_t type, if you want to transition an executable to the smokeping_initrc_t domain.
++
++
++.EX
++.PP
++.B smokeping_var_lib_t 
++.EE
++
++- Set files with the smokeping_var_lib_t type, if you want to store the smokeping files under the /var/lib directory.
++
++
++.EX
++.PP
++.B smokeping_var_run_t 
++.EE
++
++- Set files with the smokeping_var_run_t type, if you want to store the smokeping files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux smokeping policy is very flexible allowing users to setup their smokeping processes in as secure a method as possible.
++.PP 
++The following process types are defined for smokeping:
++
++.EX
++.B smokeping_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), smokeping(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/smoltclient_selinux.8 b/man/man8/smoltclient_selinux.8
+new file mode 100644
+index 0000000..7290f4e
+--- /dev/null
++++ b/man/man8/smoltclient_selinux.8
+@@ -0,0 +1,85 @@
++.TH  "smoltclient_selinux"  "8"  "smoltclient" "dwalsh at redhat.com" "smoltclient SELinux Policy documentation"
++.SH "NAME"
++smoltclient_selinux \- Security Enhanced Linux Policy for the smoltclient processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B smoltclient
++(The Fedora hardware profiler client)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux smoltclient policy is very flexible allowing users to setup their smoltclient processes in as secure a method as possible.
++.PP 
++The following file types are defined for smoltclient:
++
++
++.EX
++.PP
++.B smoltclient_exec_t 
++.EE
++
++- Set files with the smoltclient_exec_t type, if you want to transition an executable to the smoltclient_t domain.
++
++
++.EX
++.PP
++.B smoltclient_tmp_t 
++.EE
++
++- Set files with the smoltclient_tmp_t type, if you want to store smoltclient temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux smoltclient policy is very flexible allowing users to setup their smoltclient processes in as secure a method as possible.
++.PP 
++The following process types are defined for smoltclient:
++
++.EX
++.B smoltclient_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), smoltclient(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/snmpd_selinux.8 b/man/man8/snmpd_selinux.8
+new file mode 100644
+index 0000000..ce8506a
+--- /dev/null
++++ b/man/man8/snmpd_selinux.8
+@@ -0,0 +1,141 @@
++.TH  "snmpd_selinux"  "8"  "snmpd" "dwalsh at redhat.com" "snmpd SELinux Policy documentation"
++.SH "NAME"
++snmpd_selinux \- Security Enhanced Linux Policy for the snmpd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible.
++.PP 
++The following file types are defined for snmpd:
++
++
++.EX
++.PP
++.B snmpd_exec_t 
++.EE
++
++- Set files with the snmpd_exec_t type, if you want to transition an executable to the snmpd_t domain.
++
++
++.EX
++.PP
++.B snmpd_initrc_exec_t 
++.EE
++
++- Set files with the snmpd_initrc_exec_t type, if you want to transition an executable to the snmpd_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/snmpd, /etc/rc\.d/init\.d/snmptrapd
++
++.EX
++.PP
++.B snmpd_log_t 
++.EE
++
++- Set files with the snmpd_log_t type, if you want to treat the data as snmpd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B snmpd_var_lib_t 
++.EE
++
++- Set files with the snmpd_var_lib_t type, if you want to store the snmpd files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/agentx(/.*)?, /usr/share/snmp/mibs/\.index, /var/net-snmp(/.*)?, /var/lib/net-snmp(/.*)?, /var/lib/snmp(/.*)?
++
++.EX
++.PP
++.B snmpd_var_run_t 
++.EE
++
++- Set files with the snmpd_var_run_t type, if you want to store the snmpd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/net-snmpd(/.*)?, /var/run/snmpd\.pid, /var/run/snmpd(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible.
++.PP 
++The following port types are defined for snmpd:
++
++.EX
++.TP 5
++.B snmp_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for snmpd:
++
++.EX
++.B snmpd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), snmpd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/snort_selinux.8 b/man/man8/snort_selinux.8
+new file mode 100644
+index 0000000..4a3cd80
+--- /dev/null
++++ b/man/man8/snort_selinux.8
+@@ -0,0 +1,121 @@
++.TH  "snort_selinux"  "8"  "snort" "dwalsh at redhat.com" "snort SELinux Policy documentation"
++.SH "NAME"
++snort_selinux \- Security Enhanced Linux Policy for the snort processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B snort
++(Snort network intrusion detection system)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux snort policy is very flexible allowing users to setup their snort processes in as secure a method as possible.
++.PP 
++The following file types are defined for snort:
++
++
++.EX
++.PP
++.B snort_etc_t 
++.EE
++
++- Set files with the snort_etc_t type, if you want to store snort files in the /etc directories.
++
++
++.EX
++.PP
++.B snort_exec_t 
++.EE
++
++- Set files with the snort_exec_t type, if you want to transition an executable to the snort_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/snort-plain, /usr/s?bin/snort
++
++.EX
++.PP
++.B snort_initrc_exec_t 
++.EE
++
++- Set files with the snort_initrc_exec_t type, if you want to transition an executable to the snort_initrc_t domain.
++
++
++.EX
++.PP
++.B snort_log_t 
++.EE
++
++- Set files with the snort_log_t type, if you want to treat the data as snort log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B snort_tmp_t 
++.EE
++
++- Set files with the snort_tmp_t type, if you want to store snort temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B snort_var_run_t 
++.EE
++
++- Set files with the snort_var_run_t type, if you want to store the snort files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux snort policy is very flexible allowing users to setup their snort processes in as secure a method as possible.
++.PP 
++The following process types are defined for snort:
++
++.EX
++.B snort_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), snort(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/sosreport_selinux.8 b/man/man8/sosreport_selinux.8
+new file mode 100644
+index 0000000..d92aa21
+--- /dev/null
++++ b/man/man8/sosreport_selinux.8
+@@ -0,0 +1,93 @@
++.TH  "sosreport_selinux"  "8"  "sosreport" "dwalsh at redhat.com" "sosreport SELinux Policy documentation"
++.SH "NAME"
++sosreport_selinux \- Security Enhanced Linux Policy for the sosreport processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B sosreport
++(sosreport - Generate debugging information for system)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux sosreport policy is very flexible allowing users to setup their sosreport processes in as secure a method as possible.
++.PP 
++The following file types are defined for sosreport:
++
++
++.EX
++.PP
++.B sosreport_exec_t 
++.EE
++
++- Set files with the sosreport_exec_t type, if you want to transition an executable to the sosreport_t domain.
++
++
++.EX
++.PP
++.B sosreport_tmp_t 
++.EE
++
++- Set files with the sosreport_tmp_t type, if you want to store sosreport temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B sosreport_tmpfs_t 
++.EE
++
++- Set files with the sosreport_tmpfs_t type, if you want to store sosreport files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sosreport policy is very flexible allowing users to setup their sosreport processes in as secure a method as possible.
++.PP 
++The following process types are defined for sosreport:
++
++.EX
++.B sosreport_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), sosreport(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/soundd_selinux.8 b/man/man8/soundd_selinux.8
+new file mode 100644
+index 0000000..4c912c3
+--- /dev/null
++++ b/man/man8/soundd_selinux.8
+@@ -0,0 +1,157 @@
++.TH  "soundd_selinux"  "8"  "soundd" "dwalsh at redhat.com" "soundd SELinux Policy documentation"
++.SH "NAME"
++soundd_selinux \- Security Enhanced Linux Policy for the soundd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible.
++.PP 
++The following file types are defined for soundd:
++
++
++.EX
++.PP
++.B soundd_etc_t 
++.EE
++
++- Set files with the soundd_etc_t type, if you want to store soundd files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/yiff(/.*)?, /etc/nas(/.*)?
++
++.EX
++.PP
++.B soundd_exec_t 
++.EE
++
++- Set files with the soundd_exec_t type, if you want to transition an executable to the soundd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/gpe-soundserver, /usr/sbin/yiff, /usr/bin/nasd
++
++.EX
++.PP
++.B soundd_initrc_exec_t 
++.EE
++
++- Set files with the soundd_initrc_exec_t type, if you want to transition an executable to the soundd_initrc_t domain.
++
++
++.EX
++.PP
++.B soundd_state_t 
++.EE
++
++- Set files with the soundd_state_t type, if you want to treat the files as soundd state data.
++
++
++.EX
++.PP
++.B soundd_tmp_t 
++.EE
++
++- Set files with the soundd_tmp_t type, if you want to store soundd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B soundd_tmpfs_t 
++.EE
++
++- Set files with the soundd_tmpfs_t type, if you want to store soundd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B soundd_var_run_t 
++.EE
++
++- Set files with the soundd_var_run_t type, if you want to store the soundd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/nasd(/.*)?, /var/run/yiff-[0-9]+\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible.
++.PP 
++The following port types are defined for soundd:
++
++.EX
++.TP 5
++.B soundd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible.
++.PP 
++The following process types are defined for soundd:
++
++.EX
++.B soundd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), soundd(8), semanage(8), restorecon(8), chcon(1)
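Review bot: The `Default Defined Ports:` entry under PORT TYPES prints `tcp 8021` for `soundd_port_t`, and the identical value is printed for `spamd_port_t`, `squid_port_t` and `ssh_port_t` in the spamd, squid and ssh pages later in this patch, so the number is evidently not looked up per port type. An administrator who relies on the page when reviewing firewall rules or `semanage port` changes would be working from the wrong port. The generator should emit the ports actually bound to each type (what `semanage port -l` reports) or leave the line out when it cannot resolve them. The same block is closed by two `.EE` requests for a single `.EX` and carries `.TP 5`/`.TP 10` inside it, which is worth cleaning up in the same pass.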
+diff --git a/man/man8/spamass_selinux.8 b/man/man8/spamass_selinux.8
+new file mode 100644
+index 0000000..3285cb1
+--- /dev/null
++++ b/man/man8/spamass_selinux.8
+@@ -0,0 +1,106 @@
++.TH  "spamass_selinux"  "8"  "spamass" "dwalsh at redhat.com" "spamass SELinux Policy documentation"
++.SH "NAME"
++spamass_selinux \- Security Enhanced Linux Policy for the spamass processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  spamass policy is extremely flexible and has several booleans that allow you to manipulate the policy and run spamass with the tightest access possible.
++
++
++.PP
++If you want to allow user spamassassin clients to use the network, you must turn on the spamassassin_can_network boolean.
++
++.EX
++.B setsebool -P spamassassin_can_network 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux spamass policy is very flexible allowing users to setup their spamass processes in as secure a method as possible.
++.PP 
++The following file types are defined for spamass:
++
++
++.EX
++.PP
++.B spamass_milter_data_t 
++.EE
++
++- Set files with the spamass_milter_data_t type, if you want to treat the files as spamass milter content.
++
++.br
++.TP 5
++Paths: 
++/var/run/spamass-milter(/.*)?, /var/run/spamass-milter\.pid
++
++.EX
++.PP
++.B spamass_milter_exec_t 
++.EE
++
++- Set files with the spamass_milter_exec_t type, if you want to transition an executable to the spamass_milter_t domain.
++
++
++.EX
++.PP
++.B spamass_milter_state_t 
++.EE
++
++- Set files with the spamass_milter_state_t type, if you want to treat the files as spamass milter state data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux spamass policy is very flexible allowing users to setup their spamass processes in as secure a method as possible.
++.PP 
++The following process types are defined for spamass:
++
++.EX
++.B spamass_milter_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), spamass(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/spamc_selinux.8 b/man/man8/spamc_selinux.8
+new file mode 100644
+index 0000000..3be61d7
+--- /dev/null
++++ b/man/man8/spamc_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "spamc_selinux"  "8"  "spamc" "dwalsh at redhat.com" "spamc SELinux Policy documentation"
++.SH "NAME"
++spamc_selinux \- Security Enhanced Linux Policy for the spamc processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux spamc policy is very flexible allowing users to setup their spamc processes in as secure a method as possible.
++.PP 
++The following file types are defined for spamc:
++
++
++.EX
++.PP
++.B spamc_exec_t 
++.EE
++
++- Set files with the spamc_exec_t type, if you want to transition an executable to the spamc_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/spamc, /usr/bin/razor.*, /usr/bin/sa-learn, /usr/bin/spamassassin
++
++.EX
++.PP
++.B spamc_home_t 
++.EE
++
++- Set files with the spamc_home_t type, if you want to store spamc files in the users home directory.
++
++.br
++.TP 5
++Paths: 
++/root/\.razor(/.*)?, /root/\.spamassassin(/.*)?
++
++.EX
++.PP
++.B spamc_tmp_t 
++.EE
++
++- Set files with the spamc_tmp_t type, if you want to store spamc temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux spamc policy is very flexible allowing users to setup their spamc processes in as secure a method as possible.
++.PP 
++The following process types are defined for spamc:
++
++.EX
++.B spamc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), spamc(8), semanage(8), restorecon(8), chcon(1)
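Review bot: The two "You can see the context of …" lines end their bold run with `\bP` (`\fBls\bP`, `\fBps\bP`), which is not a font escape, so the previous font is never restored and the text after the command name may render incorrectly. The lines should read `You can see the context of a file using the \fB\-Z\fP option to \fBls\fP` and likewise `\fBps\fP`. The same two lines appear in every generated page in this patch, so the fix presumably belongs in the genman.py template rather than in the individual `.8` files.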
+diff --git a/man/man8/spamd_selinux.8 b/man/man8/spamd_selinux.8
+new file mode 100644
+index 0000000..cb40498
+--- /dev/null
++++ b/man/man8/spamd_selinux.8
+@@ -0,0 +1,222 @@
++.TH  "spamd_selinux"  "8"  "spamd" "dwalsh at redhat.com" "spamd SELinux Policy documentation"
++.SH "NAME"
++spamd_selinux \- Security Enhanced Linux Policy for the spamd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  spamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run spamd with the tightest access possible.
++
++
++.PP
++If you want to allow user spamassassin clients to use the network, you must turn on the spamassassin_can_network boolean.
++
++.EX
++.B setsebool -P spamassassin_can_network 1
++.EE
++
++.PP
++If you want to allow spamd to read/write user home directories, you must turn on the spamd_enable_home_dirs boolean.
++
++.EX
++.B setsebool -P spamd_enable_home_dirs 1
++.EE
++
++.PP
++If you want to allow http daemon to check spa, you must turn on the httpd_can_check_spam boolean.
++
++.EX
++.B setsebool -P httpd_can_check_spam 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux spamd policy is very flexible allowing users to setup their spamd processes in as secure a method as possible.
++.PP 
++The following file types are defined for spamd:
++
++
++.EX
++.PP
++.B spamd_compiled_t 
++.EE
++
++- Set files with the spamd_compiled_t type, if you want to treat the files as spamd compiled data.
++
++
++.EX
++.PP
++.B spamd_etc_t 
++.EE
++
++- Set files with the spamd_etc_t type, if you want to store spamd files in the /etc directories.
++
++
++.EX
++.PP
++.B spamd_exec_t 
++.EE
++
++- Set files with the spamd_exec_t type, if you want to transition an executable to the spamd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/spamd, /usr/bin/mimedefang-multiplexor, /usr/bin/spamd, /usr/bin/mimedefang
++
++.EX
++.PP
++.B spamd_initrc_exec_t 
++.EE
++
++- Set files with the spamd_initrc_exec_t type, if you want to transition an executable to the spamd_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/spamd, /etc/rc\.d/init\.d/mimedefang.*
++
++.EX
++.PP
++.B spamd_log_t 
++.EE
++
++- Set files with the spamd_log_t type, if you want to treat the data as spamd log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/razor-agent\.log, /var/log/spamd\.log, /var/log/mimedefang
++
++.EX
++.PP
++.B spamd_spool_t 
++.EE
++
++- Set files with the spamd_spool_t type, if you want to store the spamd files under the /var/spool directory.
++
++.br
++.TP 5
++Paths: 
++/var/spool/spamd(/.*)?, /var/spool/spamassassin(/.*)?
++
++.EX
++.PP
++.B spamd_tmp_t 
++.EE
++
++- Set files with the spamd_tmp_t type, if you want to store spamd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B spamd_update_exec_t 
++.EE
++
++- Set files with the spamd_update_exec_t type, if you want to transition an executable to the spamd_update_t domain.
++
++
++.EX
++.PP
++.B spamd_var_lib_t 
++.EE
++
++- Set files with the spamd_var_lib_t type, if you want to store the spamd files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/spamassassin(/.*)?, /var/lib/razor(/.*)?
++
++.EX
++.PP
++.B spamd_var_run_t 
++.EE
++
++- Set files with the spamd_var_run_t type, if you want to store the spamd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/spamassassin(/.*)?, /var/spool/MIMEDefang(/.*)?, /var/spool/MD-Quarantine(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux spamd policy is very flexible allowing users to setup their spamd processes in as secure a method as possible.
++.PP 
++The following port types are defined for spamd:
++
++.EX
++.TP 5
++.B spamd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux spamd policy is very flexible allowing users to setup their spamd processes in as secure a method as possible.
++.PP 
++The following process types are defined for spamd:
++
++.EX
++.B spamc_t, spamd_t, spamd_update_t, spamass_milter_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), spamd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/squid_selinux.8 b/man/man8/squid_selinux.8
+new file mode 100644
+index 0000000..5d1acc2
+--- /dev/null
++++ b/man/man8/squid_selinux.8
+@@ -0,0 +1,185 @@
++.TH  "squid_selinux"  "8"  "squid" "dwalsh at redhat.com" "squid SELinux Policy documentation"
++.SH "NAME"
++squid_selinux \- Security Enhanced Linux Policy for the squid processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B squid
++(Squid caching http proxy server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  squid policy is extremely flexible and has several booleans that allow you to manipulate the policy and run squid with the tightest access possible.
++
++
++.PP
++If you want to allow squid to run as a transparent proxy (TPROXY, you must turn on the squid_use_tproxy boolean.
++
++.EX
++.B setsebool -P squid_use_tproxy 1
++.EE
++
++.PP
++If you want to allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the squid_connect_any boolean.
++
++.EX
++.B setsebool -P squid_connect_any 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux squid policy is very flexible allowing users to setup their squid processes in as secure a method as possible.
++.PP 
++The following file types are defined for squid:
++
++
++.EX
++.PP
++.B squid_cache_t 
++.EE
++
++- Set files with the squid_cache_t type, if you want to store the files under the /var/cache directory.
++
++.br
++.TP 5
++Paths: 
++/var/cache/squid(/.*)?, /var/spool/squid(/.*)?, /var/squidGuard(/.*)?
++
++.EX
++.PP
++.B squid_conf_t 
++.EE
++
++- Set files with the squid_conf_t type, if you want to treat the files as squid configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/etc/squid(/.*)?, /usr/share/squid(/.*)?
++
++.EX
++.PP
++.B squid_exec_t 
++.EE
++
++- Set files with the squid_exec_t type, if you want to transition an executable to the squid_t domain.
++
++
++.EX
++.PP
++.B squid_initrc_exec_t 
++.EE
++
++- Set files with the squid_initrc_exec_t type, if you want to transition an executable to the squid_initrc_t domain.
++
++
++.EX
++.PP
++.B squid_log_t 
++.EE
++
++- Set files with the squid_log_t type, if you want to treat the data as squid log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/squid(/.*)?, /var/log/squidGuard(/.*)?
++
++.EX
++.PP
++.B squid_tmpfs_t 
++.EE
++
++- Set files with the squid_tmpfs_t type, if you want to store squid files on a tmpfs file system.
++
++
++.EX
++.PP
++.B squid_var_run_t 
++.EE
++
++- Set files with the squid_var_run_t type, if you want to store the squid files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux squid policy is very flexible allowing users to setup their squid processes in as secure a method as possible.
++.PP 
++The following port types are defined for squid:
++
++.EX
++.TP 5
++.B squid_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux squid policy is very flexible allowing users to setup their squid processes in as secure a method as possible.
++.PP 
++The following process types are defined for squid:
++
++.EX
++.B squid_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), squid(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/srvsvcd_selinux.8 b/man/man8/srvsvcd_selinux.8
+new file mode 100644
+index 0000000..036f028
+--- /dev/null
++++ b/man/man8/srvsvcd_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "srvsvcd_selinux"  "8"  "srvsvcd" "dwalsh at redhat.com" "srvsvcd SELinux Policy documentation"
++.SH "NAME"
++srvsvcd_selinux \- Security Enhanced Linux Policy for the srvsvcd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux srvsvcd policy is very flexible allowing users to setup their srvsvcd processes in as secure a method as possible.
++.PP 
++The following file types are defined for srvsvcd:
++
++
++.EX
++.PP
++.B srvsvcd_exec_t 
++.EE
++
++- Set files with the srvsvcd_exec_t type, if you want to transition an executable to the srvsvcd_t domain.
++
++
++.EX
++.PP
++.B srvsvcd_var_lib_t 
++.EE
++
++- Set files with the srvsvcd_var_lib_t type, if you want to store the srvsvcd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B srvsvcd_var_run_t 
++.EE
++
++- Set files with the srvsvcd_var_run_t type, if you want to store the srvsvcd files under the /run directory.
++
++
++.EX
++.PP
++.B srvsvcd_var_socket_t 
++.EE
++
++- Set files with the srvsvcd_var_socket_t type, if you want to treat the files as srvsvcd var socket data.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux srvsvcd policy is very flexible allowing users to setup their srvsvcd processes in as secure a method as possible.
++.PP 
++The following process types are defined for srvsvcd:
++
++.EX
++.B srvsvcd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), srvsvcd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ssh_selinux.8 b/man/man8/ssh_selinux.8
+new file mode 100644
+index 0000000..a3beeec
+--- /dev/null
++++ b/man/man8/ssh_selinux.8
+@@ -0,0 +1,254 @@
++.TH  "ssh_selinux"  "8"  "ssh" "dwalsh at redhat.com" "ssh SELinux Policy documentation"
++.SH "NAME"
++ssh_selinux \- Security Enhanced Linux Policy for the ssh processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B ssh
++(Secure shell client and server policy)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  ssh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ssh with the tightest access possible.
++
++
++.PP
++If you want to allow ssh with chroot env to read and write files in the user home directorie, you must turn on the ssh_chroot_rw_homedirs boolean.
++
++.EX
++.B setsebool -P ssh_chroot_rw_homedirs 1
++.EE
++
++.PP
++If you want to allow ssh logins as sysadm_r:sysadm_, you must turn on the ssh_sysadm_login boolean.
++
++.EX
++.B setsebool -P ssh_sysadm_login 1
++.EE
++
++.PP
++If you want to allow host key based authenticatio, you must turn on the allow_ssh_keysign boolean.
++
++.EX
++.B setsebool -P allow_ssh_keysign 1
++.EE
++
++.PP
++If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
++
++.EX
++.B setsebool -P fenced_can_ssh 1
++.EE
++
++.PP
++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
++
++.EX
++.B setsebool -P sftpd_write_ssh_home 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible.
++.PP 
++The following file types are defined for ssh:
++
++
++.EX
++.PP
++.B ssh_agent_exec_t 
++.EE
++
++- Set files with the ssh_agent_exec_t type, if you want to transition an executable to the ssh_agent_t domain.
++
++
++.EX
++.PP
++.B ssh_agent_tmp_t 
++.EE
++
++- Set files with the ssh_agent_tmp_t type, if you want to store ssh agent temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ssh_exec_t 
++.EE
++
++- Set files with the ssh_exec_t type, if you want to transition an executable to the ssh_t domain.
++
++
++.EX
++.PP
++.B ssh_home_t 
++.EE
++
++- Set files with the ssh_home_t type, if you want to store ssh files in the users home directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /root/\.shosts, /var/lib/amanda/\.ssh(/.*)?, /root/\.ssh(/.*)?, /var/lib/stickshift/.*/\.ssh(/.*)?
++
++.EX
++.PP
++.B ssh_keygen_exec_t 
++.EE
++
++- Set files with the ssh_keygen_exec_t type, if you want to transition an executable to the ssh_keygen_t domain.
++
++
++.EX
++.PP
++.B ssh_keysign_exec_t 
++.EE
++
++- Set files with the ssh_keysign_exec_t type, if you want to transition an executable to the ssh_keysign_t domain.
++
++
++.EX
++.PP
++.B ssh_tmpfs_t 
++.EE
++
++- Set files with the ssh_tmpfs_t type, if you want to store ssh files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sshd_exec_t 
++.EE
++
++- Set files with the sshd_exec_t type, if you want to transition an executable to the sshd_t domain.
++
++
++.EX
++.PP
++.B sshd_initrc_exec_t 
++.EE
++
++- Set files with the sshd_initrc_exec_t type, if you want to transition an executable to the sshd_initrc_t domain.
++
++
++.EX
++.PP
++.B sshd_key_t 
++.EE
++
++- Set files with the sshd_key_t type, if you want to treat the files as sshd key data.
++
++.br
++.TP 5
++Paths: 
++/etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_rsa_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key, /etc/ssh/primes
++
++.EX
++.PP
++.B sshd_keytab_t 
++.EE
++
++- Set files with the sshd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B sshd_tmpfs_t 
++.EE
++
++- Set files with the sshd_tmpfs_t type, if you want to store sshd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sshd_var_run_t 
++.EE
++
++- Set files with the sshd_var_run_t type, if you want to store the sshd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/sshd\.init\.pid, /var/run/sshd\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible.
++.PP 
++The following port types are defined for ssh:
++
++.EX
++.TP 5
++.B ssh_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible.
++.PP 
++The following process types are defined for ssh:
++
++.EX
++.B sshd_sandbox_t, ssh_keysign_t, ssh_keygen_t, ssh_t, sshd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ssh(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
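Review bot: Several boolean descriptions in the BOOLEANS section lose their last character: "user home directorie", "sysadm_r:sysadm_" and "host key based authenticatio". The spamd page ("check spa"), the squid page ("(TPROXY," with no closing parenthesis) and the sshd page show the same truncation, which suggests the generator strips one character too many from the policy description. For booleans that widen access, such as `ssh_sysadm_login`, the sentence should state the full target, presumably `If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean.` It would also help to say that each `setsebool -P ... 1` shown makes the relaxation persistent across reboots, so readers enable only the ones they need.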
+diff --git a/man/man8/sshd_selinux.8 b/man/man8/sshd_selinux.8
+new file mode 100644
+index 0000000..b78c331
+--- /dev/null
++++ b/man/man8/sshd_selinux.8
+@@ -0,0 +1,248 @@
++.TH  "sshd_selinux"  "8"  "sshd" "dwalsh at redhat.com" "sshd SELinux Policy documentation"
++.SH "NAME"
++sshd_selinux \- Security Enhanced Linux Policy for the sshd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  sshd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sshd with the tightest access possible.
++
++
++.PP
++If you want to allow ssh with chroot env to read and write files in the user home directorie, you must turn on the ssh_chroot_rw_homedirs boolean.
++
++.EX
++.B setsebool -P ssh_chroot_rw_homedirs 1
++.EE
++
++.PP
++If you want to allow ssh logins as sysadm_r:sysadm_, you must turn on the ssh_sysadm_login boolean.
++
++.EX
++.B setsebool -P ssh_sysadm_login 1
++.EE
++
++.PP
++If you want to allow host key based authenticatio, you must turn on the allow_ssh_keysign boolean.
++
++.EX
++.B setsebool -P allow_ssh_keysign 1
++.EE
++
++.PP
++If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
++
++.EX
++.B setsebool -P fenced_can_ssh 1
++.EE
++
++.PP
++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
++
++.EX
++.B setsebool -P sftpd_write_ssh_home 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible.
++.PP 
++The following file types are defined for sshd:
++
++
++.EX
++.PP
++.B ssh_agent_exec_t 
++.EE
++
++- Set files with the ssh_agent_exec_t type, if you want to transition an executable to the ssh_agent_t domain.
++
++
++.EX
++.PP
++.B ssh_agent_tmp_t 
++.EE
++
++- Set files with the ssh_agent_tmp_t type, if you want to store ssh agent temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ssh_exec_t 
++.EE
++
++- Set files with the ssh_exec_t type, if you want to transition an executable to the ssh_t domain.
++
++
++.EX
++.PP
++.B ssh_home_t 
++.EE
++
++- Set files with the ssh_home_t type, if you want to store ssh files in the users home directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /root/\.shosts, /var/lib/amanda/\.ssh(/.*)?, /root/\.ssh(/.*)?, /var/lib/stickshift/.*/\.ssh(/.*)?
++
++.EX
++.PP
++.B ssh_keygen_exec_t 
++.EE
++
++- Set files with the ssh_keygen_exec_t type, if you want to transition an executable to the ssh_keygen_t domain.
++
++
++.EX
++.PP
++.B ssh_keysign_exec_t 
++.EE
++
++- Set files with the ssh_keysign_exec_t type, if you want to transition an executable to the ssh_keysign_t domain.
++
++
++.EX
++.PP
++.B ssh_tmpfs_t 
++.EE
++
++- Set files with the ssh_tmpfs_t type, if you want to store ssh files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sshd_exec_t 
++.EE
++
++- Set files with the sshd_exec_t type, if you want to transition an executable to the sshd_t domain.
++
++
++.EX
++.PP
++.B sshd_initrc_exec_t 
++.EE
++
++- Set files with the sshd_initrc_exec_t type, if you want to transition an executable to the sshd_initrc_t domain.
++
++
++.EX
++.PP
++.B sshd_key_t 
++.EE
++
++- Set files with the sshd_key_t type, if you want to treat the files as sshd key data.
++
++.br
++.TP 5
++Paths: 
++/etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_rsa_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key, /etc/ssh/primes
++
++.EX
++.PP
++.B sshd_keytab_t 
++.EE
++
++- Set files with the sshd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B sshd_tmpfs_t 
++.EE
++
++- Set files with the sshd_tmpfs_t type, if you want to store sshd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B sshd_var_run_t 
++.EE
++
++- Set files with the sshd_var_run_t type, if you want to store the sshd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/sshd\.init\.pid, /var/run/sshd\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible.
++.PP 
++The following port types are defined for sshd:
++
++.EX
++.TP 5
++.B ssh_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible.
++.PP 
++The following process types are defined for sshd:
++
++.EX
++.B sshd_sandbox_t, ssh_keysign_t, ssh_keygen_t, ssh_t, sshd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), sshd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
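Review bot: The PORT TYPES section of sshd_selinux.8 prints `tcp 8021` under "Default Defined Ports" for `ssh_port_t`, and the identical value is printed for `stunnel_port_t` in stunnel_selinux.8 and `swat_port_t` in swat_selinux.8. Three unrelated port types sharing one number suggests genman.py emits a fixed value rather than the ports the policy assigns, though the generator is not visible here. An administrator checking which ports the domain may bind would be misled, so the block should print what `semanage port -l` reports for the type or be omitted until the generator is fixed. Separately, the FILE CONTEXTS and PROCESS TYPES sections of this page and the other genman.py pages in this patch end the bold run with `\bP`; it should be `\fBls\fP` and `\fBps\fP`.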
+diff --git a/man/man8/sssd_selinux.8 b/man/man8/sssd_selinux.8
+new file mode 100644
+index 0000000..d9a7d4a
+--- /dev/null
++++ b/man/man8/sssd_selinux.8
+@@ -0,0 +1,117 @@
++.TH  "sssd_selinux"  "8"  "sssd" "dwalsh at redhat.com" "sssd SELinux Policy documentation"
++.SH "NAME"
++sssd_selinux \- Security Enhanced Linux Policy for the sssd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B sssd
++(System Security Services Daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux sssd policy is very flexible allowing users to setup their sssd processes in as secure a method as possible.
++.PP 
++The following file types are defined for sssd:
++
++
++.EX
++.PP
++.B sssd_exec_t 
++.EE
++
++- Set files with the sssd_exec_t type, if you want to transition an executable to the sssd_t domain.
++
++
++.EX
++.PP
++.B sssd_initrc_exec_t 
++.EE
++
++- Set files with the sssd_initrc_exec_t type, if you want to transition an executable to the sssd_initrc_t domain.
++
++
++.EX
++.PP
++.B sssd_public_t 
++.EE
++
++- Set files with the sssd_public_t type, if you want to treat the files as sssd public data.
++
++
++.EX
++.PP
++.B sssd_var_lib_t 
++.EE
++
++- Set files with the sssd_var_lib_t type, if you want to store the sssd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B sssd_var_log_t 
++.EE
++
++- Set files with the sssd_var_log_t type, if you want to treat the data as sssd var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B sssd_var_run_t 
++.EE
++
++- Set files with the sssd_var_run_t type, if you want to store the sssd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sssd policy is very flexible allowing users to setup their sssd processes in as secure a method as possible.
++.PP 
++The following process types are defined for sssd:
++
++.EX
++.B sssd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), sssd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/staff_selinux.8 b/man/man8/staff_selinux.8
+new file mode 100644
+index 0000000..039dc00
+--- /dev/null
++++ b/man/man8/staff_selinux.8
+@@ -0,0 +1,244 @@
++.TH  "staff_selinux"  "8"  "staff" "mgrepl at redhat.com" "staff SELinux Policy documentation"
++.SH "NAME"
++staff_u \- \fBAdministrator's unprivileged user role\fP - Security Enhanced Linux Policy 
++
++.SH DESCRIPTION
++
++\fBstaff_u\fP is an SELinux User defined in the SELinux
++policy. SELinux users have default roles, \fBstaff_r\fP.  The
++default role has a default type, \fBstaff_t\fP, associated with it.
++
++The SELinux user will usually login to a system with a context that looks like:
++
++.B staff_u:staff_r:staff_u:s0-s0:c0.c1023
++
++Linux users are automatically assigned an SELinux users at login.  
++Login programs use the SELinux User to assign initial context to the user's shell.
++
++SELinux policy uses the context to control the user's access.
++
++By default all users are assigned to the SELinux user via the \fB__default__\fP flag
++
++On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
++
++You can list all Linux User to SELinux user mapping using:
++
++.B semanage login -l
++
++If you wanted to change the default user mapping to use the staff_u user, you would execute:
++
++.B semanage login -m -s staff_u __default__
++
++
++If you want to map the one Linux user (joe) to the SELinux user staff, you would execute:
++
++.B $ semanage login -a -s staff_u joe
++
++
++.SH USER DESCRIPTION
++
++The SELinux user staff_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
++
++.SH SUDO
++
++The SELinux user staff can execute sudo. 
++
++You can set up sudo to allow staff to transition to an administrative domain:
++
++Add one or more of the following record to sudoers using visudo.
++
++
++USERNAME ALL=(ALL) ROLE=ftpadmin_r TYPE=ftpadmin_t COMMAND
++.br
++sudo will run COMMAND as staff_u:ftpadmin_r:ftpadmin_t:LEVEL
++
++USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:auditadm_r:auditadm_t:LEVEL
++
++USERNAME ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:dbadm_r:dbadm_t:LEVEL
++
++USERNAME ALL=(ALL) ROLE=logadm_r TYPE=logadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:logadm_r:logadm_t:LEVEL
++
++USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:secadm_r:secadm_t:LEVEL
++
++USERNAME ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:sysadm_r:sysadm_t:LEVEL
++
++USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
++.br
++sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
++
++USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL
++
++You might also need to add one or more of these new roles to your SELinux user record.
++
++List the SELinux roles your SELinux user can reach by executing:
++
++.B $ semanage user -l |grep selinux_name
++
++Modify the roles list and add staff_r to this list.
++
++.B $ semanage user -m -R 'staff_r ftpadmin_r auditadm_r dbadm_r logadm_r secadm_r sysadm_r unconfined_r webadm_r' staff_u 
++
++For more details you can see semanage man page.
++
++
++.SH X WINDOWS LOGIN
++
++The SELinux user staff_u is able to X Windows login.
++
++.SH TERMINAL LOGIN
++
++The SELinux user staff_u is able to terminal login.
++
++.SH NETWORK
++
++.TP
++The SELinux user staff_u is able to listen on the following tcp ports.
++
++.B xserver_port_t: 6000-6020
++
++.TP
++The SELinux user staff_u is able to listen on the following udp ports.
++
++.B all ports with out defined types
++
++.TP
++The SELinux user staff_u is able to connect to the following tcp ports.
++
++.B all ports
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  staff_t policy is extremely flexible and has several booleans that allow you to manipulate the policy and run staff_t with the tightest access possible.
++
++
++.PP
++If you want to allow users to connect to the local mysql server, you must turn on the allow_user_mysql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_mysql_connect 1
++.EE
++
++.PP
++If you want to control users use of ping and traceroute, you must turn on the user_ping boolean.
++
++.EX
++.B setsebool -P user_ping 1
++.EE
++
++.PP
++If you want to allow w to display everyone, you must turn on the user_ttyfile_stat boolean.
++
++.EX
++.B setsebool -P user_ttyfile_stat 1
++.EE
++
++.PP
++If you want to allow user music sharing, you must turn on the user_share_music boolean.
++
++.EX
++.B setsebool -P user_share_music 1
++.EE
++
++.PP
++If you want to allow regular users direct dri device access, you must turn on the user_direct_dri boolean.
++
++.EX
++.B setsebool -P user_direct_dri 1
++.EE
++
++.PP
++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the user_rw_noexattrfile boolean.
++
++.EX
++.B setsebool -P user_rw_noexattrfile 1
++.EE
++
++.PP
++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users)  disabling this forces FTP passive mode and may change other protocols, you must turn on the user_tcp_server boolean.
++
++.EX
++.B setsebool -P user_tcp_server 1
++.EE
++
++.PP
++If you want to allow regular users direct mouse access, you must turn on the user_direct_mouse boolean.
++
++.EX
++.B setsebool -P user_direct_mouse 1
++.EE
++
++.PP
++If you want to allow user processes to change their priority, you must turn on the user_setrlimit boolean.
++
++.EX
++.B setsebool -P user_setrlimit 1
++.EE
++
++.PP
++If you want to allow users to connect to PostgreSQL, you must turn on the allow_user_postgresql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_postgresql_connect 1
++.EE
++
++.PP
++If you want to allow users to read system messages, you must turn on the user_dmesg boolean.
++
++.EX
++.B setsebool -P user_dmesg 1
++.EE
++
++.SH HOME_EXEC
++
++The SELinux user staff_u is able execute home content files.
++
++.SH TRANSITIONS
++
++Three things can happen when staff_t attempts to execute a program.
++
++\fB1.\fP SELinux Policy can deny staff_t from executing the program.
++
++.TP
++
++\fB2.\fP SELinux Policy can allow staff_t to execute the program in the current user type.
++
++Execute the following to see the types that the SELinux user staff_t can execute without transitioning:
++
++.B sesearch -A -s staff_t -c file -p execute_no_trans
++
++.TP
++
++\fB3.\fP SELinux can allow staff_t to execute the program and transition to a new type.
++
++Execute the following to see the types that the SELinux user staff_t can execute and transition:
++
++.B $ sesearch -A -s staff_t -c process -p transition
++
++
++.SH "COMMANDS"
++
++.B semanage login
++can also be used to manipulate the Linux User to SELinux User mappings
++
++.B semanage user
++can also be used to manipulate SELinux user definitions.
++
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genuserman.py.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8).
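Review bot: The example login context in DESCRIPTION, `staff_u:staff_r:staff_u:s0-s0:c0.c1023`, repeats the SELinux user in the type field; the preceding paragraph gives the default type as staff_t, so the line should read `.B staff_u:staff_r:staff_t:s0-s0:c0.c1023`. The visible start of sysadm_selinux.8 has the same pattern (`sysadm_u:sysadm_r:sysadm_u:...`), which points at genuserman.py rather than a one-off typo. In the SUDO section the `semanage user -m -R` example grants staff_u every listed role at once, including sysadm_r and unconfined_r. A sentence such as `Add only the roles this user actually needs.` before that command would keep the example in line with the least-access wording in BOOLEANS.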
+diff --git a/man/man8/stunnel_selinux.8 b/man/man8/stunnel_selinux.8
+new file mode 100644
+index 0000000..0af68a0
+--- /dev/null
++++ b/man/man8/stunnel_selinux.8
+@@ -0,0 +1,131 @@
++.TH  "stunnel_selinux"  "8"  "stunnel" "dwalsh at redhat.com" "stunnel SELinux Policy documentation"
++.SH "NAME"
++stunnel_selinux \- Security Enhanced Linux Policy for the stunnel processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B stunnel
++(SSL Tunneling Proxy)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux stunnel policy is very flexible allowing users to setup their stunnel processes in as secure a method as possible.
++.PP 
++The following file types are defined for stunnel:
++
++
++.EX
++.PP
++.B stunnel_etc_t 
++.EE
++
++- Set files with the stunnel_etc_t type, if you want to store stunnel files in the /etc directories.
++
++
++.EX
++.PP
++.B stunnel_exec_t 
++.EE
++
++- Set files with the stunnel_exec_t type, if you want to transition an executable to the stunnel_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/stunnel, /usr/bin/stunnel
++
++.EX
++.PP
++.B stunnel_tmp_t 
++.EE
++
++- Set files with the stunnel_tmp_t type, if you want to store stunnel temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B stunnel_var_run_t 
++.EE
++
++- Set files with the stunnel_var_run_t type, if you want to store the stunnel files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux stunnel policy is very flexible allowing users to setup their stunnel processes in as secure a method as possible.
++.PP 
++The following port types are defined for stunnel:
++
++.EX
++.TP 5
++.B stunnel_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux stunnel policy is very flexible allowing users to setup their stunnel processes in as secure a method as possible.
++.PP 
++The following process types are defined for stunnel:
++
++.EX
++.B stunnel_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), stunnel(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/sulogin_selinux.8 b/man/man8/sulogin_selinux.8
+new file mode 100644
+index 0000000..6cff947
+--- /dev/null
++++ b/man/man8/sulogin_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "sulogin_selinux"  "8"  "sulogin" "dwalsh at redhat.com" "sulogin SELinux Policy documentation"
++.SH "NAME"
++sulogin_selinux \- Security Enhanced Linux Policy for the sulogin processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux sulogin policy is very flexible allowing users to setup their sulogin processes in as secure a method as possible.
++.PP 
++The following file types are defined for sulogin:
++
++
++.EX
++.PP
++.B sulogin_exec_t 
++.EE
++
++- Set files with the sulogin_exec_t type, if you want to transition an executable to the sulogin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/sushell, /sbin/sulogin, /usr/sbin/sulogin, /sbin/sushell
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sulogin policy is very flexible allowing users to setup their sulogin processes in as secure a method as possible.
++.PP 
++The following process types are defined for sulogin:
++
++.EX
++.B sulogin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), sulogin(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/svc_selinux.8 b/man/man8/svc_selinux.8
+new file mode 100644
+index 0000000..1c06ece
+--- /dev/null
++++ b/man/man8/svc_selinux.8
+@@ -0,0 +1,127 @@
++.TH  "svc_selinux"  "8"  "svc" "dwalsh at redhat.com" "svc SELinux Policy documentation"
++.SH "NAME"
++svc_selinux \- Security Enhanced Linux Policy for the svc processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux svc policy is very flexible allowing users to setup their svc processes in as secure a method as possible.
++.PP 
++The following file types are defined for svc:
++
++
++.EX
++.PP
++.B svc_conf_t 
++.EE
++
++- Set files with the svc_conf_t type, if you want to treat the files as svc configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/var/dnscache/env(/.*)?, /var/tinydns/env(/.*)?, /var/axfrdns/env(/.*)?, /var/service/.*/env(/.*)?
++
++.EX
++.PP
++.B svc_log_t 
++.EE
++
++- Set files with the svc_log_t type, if you want to treat the data as svc log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B svc_multilog_exec_t 
++.EE
++
++- Set files with the svc_multilog_exec_t type, if you want to transition an executable to the svc_multilog_t domain.
++
++
++.EX
++.PP
++.B svc_run_exec_t 
++.EE
++
++- Set files with the svc_run_exec_t type, if you want to transition an executable to the svc_run_t domain.
++
++.br
++.TP 5
++Paths: 
++/var/tinydns/run, /var/qmail/supervise/.*/run, /var/axfrdns/log/run, /usr/bin/setuidgid, /usr/bin/fghack, /var/tinydns/log/run, /var/service/.*/log/run, /var/axfrdns/run, /var/qmail/supervise/.*/log/run, /usr/bin/envuidgid, /usr/bin/envdir, /var/dnscache/run, /usr/bin/softlimit, /var/service/.*/run.*, /usr/bin/pgrphack, /var/dnscache/log/run, /usr/bin/setlock
++
++.EX
++.PP
++.B svc_start_exec_t 
++.EE
++
++- Set files with the svc_start_exec_t type, if you want to transition an executable to the svc_start_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/svok, /usr/bin/svscan, /usr/bin/svc, /usr/bin/svscanboot, /usr/bin/supervise
++
++.EX
++.PP
++.B svc_svc_t 
++.EE
++
++- Set files with the svc_svc_t type, if you want to treat the files as svc svc data.
++
++.br
++.TP 5
++Paths: 
++/service, /var/tinydns(/.*)?, /service/.*, /var/service/.*, /var/qmail/supervise(/.*)?, /var/dnscache(/.*)?, /var/axfrdns(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux svc policy is very flexible allowing users to setup their svc processes in as secure a method as possible.
++.PP 
++The following process types are defined for svc:
++
++.EX
++.B svc_multilog_t, svc_start_t, svc_run_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), svc(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/swat_selinux.8 b/man/man8/swat_selinux.8
+new file mode 100644
+index 0000000..bd9a083
+--- /dev/null
++++ b/man/man8/swat_selinux.8
+@@ -0,0 +1,113 @@
++.TH  "swat_selinux"  "8"  "swat" "dwalsh at redhat.com" "swat SELinux Policy documentation"
++.SH "NAME"
++swat_selinux \- Security Enhanced Linux Policy for the swat processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux swat policy is very flexible allowing users to setup their swat processes in as secure a method as possible.
++.PP 
++The following file types are defined for swat:
++
++
++.EX
++.PP
++.B swat_exec_t 
++.EE
++
++- Set files with the swat_exec_t type, if you want to transition an executable to the swat_t domain.
++
++
++.EX
++.PP
++.B swat_tmp_t 
++.EE
++
++- Set files with the swat_tmp_t type, if you want to store swat temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B swat_var_run_t 
++.EE
++
++- Set files with the swat_var_run_t type, if you want to store the swat files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux swat policy is very flexible allowing users to setup their swat processes in as secure a method as possible.
++.PP 
++The following port types are defined for swat:
++
++.EX
++.TP 5
++.B swat_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux swat policy is very flexible allowing users to setup their swat processes in as secure a method as possible.
++.PP 
++The following process types are defined for swat:
++
++.EX
++.B swat_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), swat(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/sysadm_selinux.8 b/man/man8/sysadm_selinux.8
+new file mode 100644
+index 0000000..679f836
+--- /dev/null
++++ b/man/man8/sysadm_selinux.8
+@@ -0,0 +1,230 @@
++.TH  "sysadm_selinux"  "8"  "sysadm" "mgrepl at redhat.com" "sysadm SELinux Policy documentation"
++.SH "NAME"
++sysadm_u \- \fBGeneral system administration role\fP - Security Enhanced Linux Policy 
++
++.SH DESCRIPTION
++
++\fBsysadm_u\fP is an SELinux User defined in the SELinux
++policy. SELinux users have default roles, \fBsysadm_r\fP.  The
++default role has a default type, \fBsysadm_t\fP, associated with it.
++
++The SELinux user will usually login to a system with a context that looks like:
++
++.B sysadm_u:sysadm_r:sysadm_u:s0-s0:c0.c1023
++
++Linux users are automatically assigned an SELinux users at login.  
++Login programs use the SELinux User to assign initial context to the user's shell.
++
++SELinux policy uses the context to control the user's access.
++
++By default all users are assigned to the SELinux user via the \fB__default__\fP flag
++
++On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
++
++You can list all Linux User to SELinux user mapping using:
++
++.B semanage login -l
++
++If you wanted to change the default user mapping to use the sysadm_u user, you would execute:
++
++.B semanage login -m -s sysadm_u __default__
++
++
++If you want to map the one Linux user (joe) to the SELinux user sysadm, you would execute:
++
++.B $ semanage login -a -s sysadm_u joe
++
++
++.SH USER DESCRIPTION
++
++The SELinux user sysadm_u is an admin user. It means that a mapped Linux user to this SELinux user is intended for administrative actions. Usually this is assigned to a root Linux user.  
++
++.SH SUDO
++
++The SELinux user sysadm can execute sudo. 
++
++You can set up sudo to allow sysadm to transition to an administrative domain:
++
++Add one or more of the following record to sudoers using visudo.
++
++
++USERNAME ALL=(ALL) ROLE=auditadm_r TYPE=auditadm_t COMMAND
++.br
++sudo will run COMMAND as sysadm_u:auditadm_r:auditadm_t:LEVEL
++
++USERNAME ALL=(ALL) ROLE=secadm_r TYPE=secadm_t COMMAND
++.br
++sudo will run COMMAND as sysadm_u:secadm_r:secadm_t:LEVEL
++
++USERNAME ALL=(ALL) ROLE=staff_r TYPE=staff_t COMMAND
++.br
++sudo will run COMMAND as sysadm_u:staff_r:staff_t:LEVEL
++
++USERNAME ALL=(ALL) ROLE=user_r TYPE=user_t COMMAND
++.br
++sudo will run COMMAND as sysadm_u:user_r:user_t:LEVEL
++
++You might also need to add one or more of these new roles to your SELinux user record.
++
++List the SELinux roles your SELinux user can reach by executing:
++
++.B $ semanage user -l |grep selinux_name
++
++Modify the roles list and add sysadm_r to this list.
++
++.B $ semanage user -m -R 'sysadm_r auditadm_r secadm_r staff_r user_r' sysadm_u 
++
++For more details you can see semanage man page.
++
++
++.SH X WINDOWS LOGIN
++
++The SELinux user sysadm_u is able to X Windows login.
++
++.SH TERMINAL LOGIN
++
++The SELinux user sysadm_u is able to terminal login.
++
++.SH NETWORK
++
++.TP
++The SELinux user sysadm_u is able to listen on the following tcp ports.
++
++.B all ports with out defined types
++
++.TP
++The SELinux user sysadm_u is able to listen on the following udp ports.
++
++.B ntp_port_t: 123
++
++.B all ports with out defined types
++
++.TP
++The SELinux user sysadm_u is able to connect to the following tcp ports.
++
++.B all ports
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  sysadm_t policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sysadm_t with the tightest access possible.
++
++
++.PP
++If you want to allow users to connect to the local mysql server, you must turn on the allow_user_mysql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_mysql_connect 1
++.EE
++
++.PP
++If you want to control users use of ping and traceroute, you must turn on the user_ping boolean.
++
++.EX
++.B setsebool -P user_ping 1
++.EE
++
++.PP
++If you want to allow w to display everyone, you must turn on the user_ttyfile_stat boolean.
++
++.EX
++.B setsebool -P user_ttyfile_stat 1
++.EE
++
++.PP
++If you want to allow user music sharing, you must turn on the user_share_music boolean.
++
++.EX
++.B setsebool -P user_share_music 1
++.EE
++
++.PP
++If you want to allow regular users direct dri device access, you must turn on the user_direct_dri boolean.
++
++.EX
++.B setsebool -P user_direct_dri 1
++.EE
++
++.PP
++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the user_rw_noexattrfile boolean.
++
++.EX
++.B setsebool -P user_rw_noexattrfile 1
++.EE
++
++.PP
++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users)  disabling this forces FTP passive mode and may change other protocols, you must turn on the user_tcp_server boolean.
++
++.EX
++.B setsebool -P user_tcp_server 1
++.EE
++
++.PP
++If you want to allow regular users direct mouse access, you must turn on the user_direct_mouse boolean.
++
++.EX
++.B setsebool -P user_direct_mouse 1
++.EE
++
++.PP
++If you want to allow user processes to change their priority, you must turn on the user_setrlimit boolean.
++
++.EX
++.B setsebool -P user_setrlimit 1
++.EE
++
++.PP
++If you want to allow users to connect to PostgreSQL, you must turn on the allow_user_postgresql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_postgresql_connect 1
++.EE
++
++.PP
++If you want to allow users to read system messages, you must turn on the user_dmesg boolean.
++
++.EX
++.B setsebool -P user_dmesg 1
++.EE
++
++.SH HOME_EXEC
++
++The SELinux user sysadm_u is able execute home content files.
++
++.SH TRANSITIONS
++
++Three things can happen when sysadm_t attempts to execute a program.
++
++\fB1.\fP SELinux Policy can deny sysadm_t from executing the program.
++
++.TP
++
++\fB2.\fP SELinux Policy can allow sysadm_t to execute the program in the current user type.
++
++Execute the following to see the types that the SELinux user sysadm_t can execute without transitioning:
++
++.B sesearch -A -s sysadm_t -c file -p execute_no_trans
++
++.TP
++
++\fB3.\fP SELinux can allow sysadm_t to execute the program and transition to a new type.
++
++Execute the following to see the types that the SELinux user sysadm_t can execute and transition:
++
++.B $ sesearch -A -s sysadm_t -c process -p transition
++
++
++.SH "COMMANDS"
++
++.B semanage login
++can also be used to manipulate the Linux User to SELinux User mappings
++
++.B semanage user
++can also be used to manipulate SELinux user definitions.
++
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genuserman.py.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8).
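Review bot: The example login context in DESCRIPTION, `.B sysadm_u:sysadm_r:sysadm_u:s0-s0:c0.c1023`, repeats the SELinux user in the type field, although the paragraph just above names `sysadm_t` as the default type; it should read `.B sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023`. The same section shows `semanage login -m -s sysadm_u __default__` without saying that, by the page's own text, `__default__` covers every Linux user with no explicit mapping, so the command maps all of them to the administrative SELinux user. A sentence such as `This maps every Linux user without an explicit mapping to sysadm_u; prefer mapping individual accounts.` would make that visible. The page states it is autogenerated by genuserman.py, so both fixes presumably belong in that generator's template rather than in this file.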
+diff --git a/man/man8/syslogd_selinux.8 b/man/man8/syslogd_selinux.8
+new file mode 100644
+index 0000000..875440a
+--- /dev/null
++++ b/man/man8/syslogd_selinux.8
+@@ -0,0 +1,182 @@
++.TH  "syslogd_selinux"  "8"  "syslogd" "dwalsh at redhat.com" "syslogd SELinux Policy documentation"
++.SH "NAME"
++syslogd_selinux \- Security Enhanced Linux Policy for the syslogd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  syslogd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run syslogd with the tightest access possible.
++
++
++.PP
++If you want to determine whether Polipo session daemon can send syslog messages, you must turn on the polipo_session_send_syslog_msg boolean.
++
++.EX
++.B setsebool -P polipo_session_send_syslog_msg 1
++.EE
++
++.PP
++If you want to allow syslogd daemon to send mai, you must turn on the logging_syslogd_can_sendmail boolean.
++
++.EX
++.B setsebool -P logging_syslogd_can_sendmail 1
++.EE
++
++.PP
++If you want to allow syslogd the ability to read/write terminal, you must turn on the logging_syslogd_use_tty boolean.
++
++.EX
++.B setsebool -P logging_syslogd_use_tty 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux syslogd policy is very flexible allowing users to setup their syslogd processes in as secure a method as possible.
++.PP 
++The following file types are defined for syslogd:
++
++
++.EX
++.PP
++.B syslog_conf_t 
++.EE
++
++- Set files with the syslog_conf_t type, if you want to treat the files as syslog configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/etc/rsyslog.conf, /etc/syslog.conf
++
++.EX
++.PP
++.B syslogd_exec_t 
++.EE
++
++- Set files with the syslogd_exec_t type, if you want to transition an executable to the syslogd_t domain.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/systemd-kmsg-syslogd, /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-kmsg-syslogd, /usr/sbin/metalog, /usr/lib/systemd/systemd-journald, /usr/sbin/syslogd, /usr/sbin/minilogd, /sbin/rsyslogd, /sbin/syslogd, /sbin/syslog-ng, /sbin/minilogd, /lib/systemd/systemd-journald
++
++.EX
++.PP
++.B syslogd_initrc_exec_t 
++.EE
++
++- Set files with the syslogd_initrc_exec_t type, if you want to transition an executable to the syslogd_initrc_t domain.
++
++
++.EX
++.PP
++.B syslogd_tmp_t 
++.EE
++
++- Set files with the syslogd_tmp_t type, if you want to store syslogd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B syslogd_var_lib_t 
++.EE
++
++- Set files with the syslogd_var_lib_t type, if you want to store the syslogd files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/syslog-ng.persist, /var/lib/r?syslog(/.*)?, /var/lib/syslog-ng(/.*)?
++
++.EX
++.PP
++.B syslogd_var_run_t 
++.EE
++
++- Set files with the syslogd_var_run_t type, if you want to store the syslogd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/syslog-ng(/.*)?, /var/run/syslog-ng(/.*)?, /var/run/metalog\.pid, /var/run/syslogd\.pid, /var/run/log(/.*)?, /var/run/syslog-ng.ctl
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux syslogd policy is very flexible allowing users to setup their syslogd processes in as secure a method as possible.
++.PP 
++The following port types are defined for syslogd:
++
++.EX
++.TP 5
++.B syslogd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux syslogd policy is very flexible allowing users to setup their syslogd processes in as secure a method as possible.
++.PP 
++The following process types are defined for syslogd:
++
++.EX
++.B syslogd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), syslogd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
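Review bot: The font escapes in `\fBls\bP` (FILE CONTEXTS) and `\fBps\bP` (PROCESS TYPES) end with `\bP` instead of `\fP`, so the bold started by `\fB` is never switched back; they should be `\fBls\fP` and `\fBps\fP`. The same two escapes appear in the sysstat_selinux.8, system_selinux.8 and systemd_selinux.8 sections that follow, which points at the genman.py template as the place to fix them. In BOOLEANS, `send mai` should read `send mail`. The final `, setsebool(8)` sits on its own line at the end of a file with no trailing newline, so SEE ALSO presumably renders as `chcon(1) , setsebool(8)`; joining it to the previous line and ending the file with a newline fixes both.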
+diff --git a/man/man8/sysstat_selinux.8 b/man/man8/sysstat_selinux.8
+new file mode 100644
+index 0000000..79ea311
+--- /dev/null
++++ b/man/man8/sysstat_selinux.8
+@@ -0,0 +1,93 @@
++.TH  "sysstat_selinux"  "8"  "sysstat" "dwalsh at redhat.com" "sysstat SELinux Policy documentation"
++.SH "NAME"
++sysstat_selinux \- Security Enhanced Linux Policy for the sysstat processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B sysstat
++(Policy for sysstat. Reports on various system states)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux sysstat policy is very flexible allowing users to setup their sysstat processes in as secure a method as possible.
++.PP 
++The following file types are defined for sysstat:
++
++
++.EX
++.PP
++.B sysstat_exec_t 
++.EE
++
++- Set files with the sysstat_exec_t type, if you want to transition an executable to the sysstat_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/sa/sa.*, /usr/lib/sysstat/sa.*, /usr/lib/atsar/atsa.*
++
++.EX
++.PP
++.B sysstat_log_t 
++.EE
++
++- Set files with the sysstat_log_t type, if you want to treat the data as sysstat log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/sysstat(/.*)?, /var/log/sa(/.*)?, /var/log/atsar(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sysstat policy is very flexible allowing users to setup their sysstat processes in as secure a method as possible.
++.PP 
++The following process types are defined for sysstat:
++
++.EX
++.B sysstat_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), sysstat(8), semanage(8), restorecon(8), chcon(1)
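Review bot: The permissive note at the end of PROCESS TYPES shows `semanage permissive -a PROCESS_TYPE` but not how to return the domain to enforcing, so a reader following the page can leave sysstat_t unenforced after troubleshooting. Adding `.B semanage permissive -d PROCESS_TYPE`, with a sentence that permissive mode is meant for temporary diagnosis, would close that gap. The identical note appears in the syslogd_selinux.8, system_selinux.8 and systemd_selinux.8 sections. The opening `SELinux Linux secures` in DESCRIPTION also doubles the word Linux.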
+diff --git a/man/man8/system_selinux.8 b/man/man8/system_selinux.8
+new file mode 100644
+index 0000000..a08a3e0
+--- /dev/null
++++ b/man/man8/system_selinux.8
+@@ -0,0 +1,339 @@
++.TH  "system_selinux"  "8"  "system" "dwalsh at redhat.com" "system SELinux Policy documentation"
++.SH "NAME"
++system_selinux \- Security Enhanced Linux Policy for the system processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  system policy is extremely flexible and has several booleans that allow you to manipulate the policy and run system with the tightest access possible.
++
++
++.PP
++If you want to allow Git daemon system to access cifs file systems, you must turn on the git_system_use_cifs boolean.
++
++.EX
++.B setsebool -P git_system_use_cifs 1
++.EE
++
++.PP
++If you want to allow Git daemon system to search home directories, you must turn on the git_system_enable_homedirs boolean.
++
++.EX
++.B setsebool -P git_system_enable_homedirs 1
++.EE
++
++.PP
++If you want to allow Git daemon system to access nfs file systems, you must turn on the git_system_use_nfs boolean.
++
++.EX
++.B setsebool -P git_system_use_nfs 1
++.EE
++
++.PP
++If you want to enable support for systemd as the init program, you must turn on the init_systemd boolean.
++
++.EX
++.B setsebool -P init_systemd 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux system policy is very flexible allowing users to setup their system processes in as secure a method as possible.
++.PP 
++The following file types are defined for system:
++
++
++.EX
++.PP
++.B system_conf_t 
++.EE
++
++- Set files with the system_conf_t type, if you want to treat the files as system configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/etc/sysctl\.conf(\.old)?, /etc/sysconfig/ipvsadm.*, /etc/sysconfig/ebtables.*, /etc/sysconfig/ip6?tables.*, /etc/sysconfig/system-config-firewall.*
++
++.EX
++.PP
++.B system_cron_spool_t 
++.EE
++
++- Set files with the system_cron_spool_t type, if you want to store the system cron files under the /var/spool directory.
++
++.br
++.TP 5
++Paths: 
++/etc/crontab, /var/spool/anacron(/.*)?, /etc/cron\.d(/.*)?, /var/spool/fcron/systab\.orig, /var/spool/fcron/new\.systab, /var/spool/fcron/systab
++
++.EX
++.PP
++.B system_cronjob_lock_t 
++.EE
++
++- Set files with the system_cronjob_lock_t type, if you want to treat the files as system cronjob lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B system_cronjob_tmp_t 
++.EE
++
++- Set files with the system_cronjob_tmp_t type, if you want to store system cronjob temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B system_cronjob_var_lib_t 
++.EE
++
++- Set files with the system_cronjob_var_lib_t type, if you want to store the system cronjob files under the /var/lib directory.
++
++
++.EX
++.PP
++.B system_cronjob_var_run_t 
++.EE
++
++- Set files with the system_cronjob_var_run_t type, if you want to store the system cronjob files under the /run directory.
++
++
++.EX
++.PP
++.B system_dbusd_tmp_t 
++.EE
++
++- Set files with the system_dbusd_tmp_t type, if you want to store system dbusd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B system_dbusd_var_lib_t 
++.EE
++
++- Set files with the system_dbusd_var_lib_t type, if you want to store the system dbusd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B system_dbusd_var_run_t 
++.EE
++
++- Set files with the system_dbusd_var_run_t type, if you want to store the system dbusd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/named/chroot/var/run/dbus(/.*)?, /var/run/dbus(/.*)?
++
++.EX
++.PP
++.B system_mail_tmp_t 
++.EE
++
++- Set files with the system_mail_tmp_t type, if you want to store system mail temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B system_map_t 
++.EE
++
++- Set files with the system_map_t type, if you want to treat the files as system map data.
++
++.br
++.TP 5
++Paths: 
++/boot/System\.map(-.*)?, /boot/efi(/.*)?/System\.map(-.*)?
++
++.EX
++.PP
++.B system_munin_plugin_exec_t 
++.EE
++
++- Set files with the system_munin_plugin_exec_t type, if you want to transition an executable to the system_munin_plugin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/load, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/users, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/open_files
++
++.EX
++.PP
++.B system_munin_plugin_tmp_t 
++.EE
++
++- Set files with the system_munin_plugin_tmp_t type, if you want to store system munin plugin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B systemd_logger_exec_t 
++.EE
++
++- Set files with the systemd_logger_exec_t type, if you want to transition an executable to the systemd_logger_t domain.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/systemd-logger, /usr/lib/systemd/systemd-logger
++
++.EX
++.PP
++.B systemd_logind_exec_t 
++.EE
++
++- Set files with the systemd_logind_exec_t type, if you want to transition an executable to the systemd_logind_t domain.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/systemd-logind, /usr/lib/systemd/systemd-logind
++
++.EX
++.PP
++.B systemd_logind_sessions_t 
++.EE
++
++- Set files with the systemd_logind_sessions_t type, if you want to treat the files as systemd logind sessions data.
++
++
++.EX
++.PP
++.B systemd_logind_var_run_t 
++.EE
++
++- Set files with the systemd_logind_var_run_t type, if you want to store the systemd logind files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/systemd/users(/.*)?, /var/run/systemd/seats(/.*)?
++
++.EX
++.PP
++.B systemd_notify_exec_t 
++.EE
++
++- Set files with the systemd_notify_exec_t type, if you want to transition an executable to the systemd_notify_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/systemd-notify, /bin/systemd-notify
++
++.EX
++.PP
++.B systemd_passwd_agent_exec_t 
++.EE
++
++- Set files with the systemd_passwd_agent_exec_t type, if you want to transition an executable to the systemd_passwd_agent_t domain.
++
++.br
++.TP 5
++Paths: 
++/bin/systemd-tty-ask-password-agent, /usr/bin/systemd-gnome-ask-password-agent, /usr/bin/systemd-tty-ask-password-agent
++
++.EX
++.PP
++.B systemd_passwd_var_run_t 
++.EE
++
++- Set files with the systemd_passwd_var_run_t type, if you want to store the systemd passwd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/systemd/ask-password(/.*)?, /var/run/systemd/ask-password-block(/.*)?
++
++.EX
++.PP
++.B systemd_systemctl_exec_t 
++.EE
++
++- Set files with the systemd_systemctl_exec_t type, if you want to transition an executable to the systemd_systemctl_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/systemctl, /bin/systemctl
++
++.EX
++.PP
++.B systemd_tmpfiles_exec_t 
++.EE
++
++- Set files with the systemd_tmpfiles_exec_t type, if you want to transition an executable to the systemd_tmpfiles_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/systemd-tmpfiles, /bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles, /lib/systemd/systemd-tmpfiles
++
++.EX
++.PP
++.B systemd_unit_file_t 
++.EE
++
++- Set files with the systemd_unit_file_t type, if you want to treat the files as systemd unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system(/.*)?, /lib/systemd/system(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux system policy is very flexible allowing users to setup their system processes in as secure a method as possible.
++.PP 
++The following process types are defined for system:
++
++.EX
++.B system_munin_plugin_t, systemd_logger_t, systemd_logind_t, system_cronjob_t, systemd_notify_t, system_mail_t, systemd_passwd_agent_t, system_dbusd_t, systemd_tmpfiles_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), system(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
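Review bot: This page has an empty DESCRIPTION, and its contents look selected by matching the string `system` in type and boolean names rather than by policy module. FILE CONTEXTS and PROCESS TYPES list `systemd_logind_t`, `system_dbusd_t`, `system_cronjob_t` and `system_mail_t` together, BOOLEANS carries `git_system_use_cifs`, and the systemd_selinux.8 section that follows repeats the same entries. An administrator looking up the confinement of cron, D-Bus or systemd-logind gets one merged list with no indication of which service each type belongs to. If genman.py groups by name match, grouping by the defining policy module would be more accurate; failing that, a DESCRIPTION line saying the page aggregates every type whose name starts with `system` would help. `system(8)` in SEE ALSO is probably not an existing manual page and should be checked.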
+diff --git a/man/man8/systemd_selinux.8 b/man/man8/systemd_selinux.8
+new file mode 100644
+index 0000000..93fe832
+--- /dev/null
++++ b/man/man8/systemd_selinux.8
+@@ -0,0 +1,345 @@
++.TH  "systemd_selinux"  "8"  "systemd" "dwalsh at redhat.com" "systemd SELinux Policy documentation"
++.SH "NAME"
++systemd_selinux \- Security Enhanced Linux Policy for the systemd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B systemd
++(SELinux policy for systemd components)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  systemd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run systemd with the tightest access possible.
++
++
++.PP
++If you want to allow Git daemon system to access cifs file systems, you must turn on the git_system_use_cifs boolean.
++
++.EX
++.B setsebool -P git_system_use_cifs 1
++.EE
++
++.PP
++If you want to allow Git daemon system to search home directories, you must turn on the git_system_enable_homedirs boolean.
++
++.EX
++.B setsebool -P git_system_enable_homedirs 1
++.EE
++
++.PP
++If you want to allow Git daemon system to access nfs file systems, you must turn on the git_system_use_nfs boolean.
++
++.EX
++.B setsebool -P git_system_use_nfs 1
++.EE
++
++.PP
++If you want to enable support for systemd as the init program, you must turn on the init_systemd boolean.
++
++.EX
++.B setsebool -P init_systemd 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux systemd policy is very flexible allowing users to setup their systemd processes in as secure a method as possible.
++.PP 
++The following file types are defined for systemd:
++
++
++.EX
++.PP
++.B system_conf_t 
++.EE
++
++- Set files with the system_conf_t type, if you want to treat the files as system configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/etc/sysctl\.conf(\.old)?, /etc/sysconfig/ipvsadm.*, /etc/sysconfig/ebtables.*, /etc/sysconfig/ip6?tables.*, /etc/sysconfig/system-config-firewall.*
++
++.EX
++.PP
++.B system_cron_spool_t 
++.EE
++
++- Set files with the system_cron_spool_t type, if you want to store the system cron files under the /var/spool directory.
++
++.br
++.TP 5
++Paths: 
++/etc/crontab, /var/spool/anacron(/.*)?, /etc/cron\.d(/.*)?, /var/spool/fcron/systab\.orig, /var/spool/fcron/new\.systab, /var/spool/fcron/systab
++
++.EX
++.PP
++.B system_cronjob_lock_t 
++.EE
++
++- Set files with the system_cronjob_lock_t type, if you want to treat the files as system cronjob lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B system_cronjob_tmp_t 
++.EE
++
++- Set files with the system_cronjob_tmp_t type, if you want to store system cronjob temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B system_cronjob_var_lib_t 
++.EE
++
++- Set files with the system_cronjob_var_lib_t type, if you want to store the system cronjob files under the /var/lib directory.
++
++
++.EX
++.PP
++.B system_cronjob_var_run_t 
++.EE
++
++- Set files with the system_cronjob_var_run_t type, if you want to store the system cronjob files under the /run directory.
++
++
++.EX
++.PP
++.B system_dbusd_tmp_t 
++.EE
++
++- Set files with the system_dbusd_tmp_t type, if you want to store system dbusd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B system_dbusd_var_lib_t 
++.EE
++
++- Set files with the system_dbusd_var_lib_t type, if you want to store the system dbusd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B system_dbusd_var_run_t 
++.EE
++
++- Set files with the system_dbusd_var_run_t type, if you want to store the system dbusd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/named/chroot/var/run/dbus(/.*)?, /var/run/dbus(/.*)?
++
++.EX
++.PP
++.B system_mail_tmp_t 
++.EE
++
++- Set files with the system_mail_tmp_t type, if you want to store system mail temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B system_map_t 
++.EE
++
++- Set files with the system_map_t type, if you want to treat the files as system map data.
++
++.br
++.TP 5
++Paths: 
++/boot/System\.map(-.*)?, /boot/efi(/.*)?/System\.map(-.*)?
++
++.EX
++.PP
++.B system_munin_plugin_exec_t 
++.EE
++
++- Set files with the system_munin_plugin_exec_t type, if you want to transition an executable to the system_munin_plugin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/load, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/users, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/open_files
++
++.EX
++.PP
++.B system_munin_plugin_tmp_t 
++.EE
++
++- Set files with the system_munin_plugin_tmp_t type, if you want to store system munin plugin temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B systemd_logger_exec_t 
++.EE
++
++- Set files with the systemd_logger_exec_t type, if you want to transition an executable to the systemd_logger_t domain.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/systemd-logger, /usr/lib/systemd/systemd-logger
++
++.EX
++.PP
++.B systemd_logind_exec_t 
++.EE
++
++- Set files with the systemd_logind_exec_t type, if you want to transition an executable to the systemd_logind_t domain.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/systemd-logind, /usr/lib/systemd/systemd-logind
++
++.EX
++.PP
++.B systemd_logind_sessions_t 
++.EE
++
++- Set files with the systemd_logind_sessions_t type, if you want to treat the files as systemd logind sessions data.
++
++
++.EX
++.PP
++.B systemd_logind_var_run_t 
++.EE
++
++- Set files with the systemd_logind_var_run_t type, if you want to store the systemd logind files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/systemd/users(/.*)?, /var/run/systemd/seats(/.*)?
++
++.EX
++.PP
++.B systemd_notify_exec_t 
++.EE
++
++- Set files with the systemd_notify_exec_t type, if you want to transition an executable to the systemd_notify_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/systemd-notify, /bin/systemd-notify
++
++.EX
++.PP
++.B systemd_passwd_agent_exec_t 
++.EE
++
++- Set files with the systemd_passwd_agent_exec_t type, if you want to transition an executable to the systemd_passwd_agent_t domain.
++
++.br
++.TP 5
++Paths: 
++/bin/systemd-tty-ask-password-agent, /usr/bin/systemd-gnome-ask-password-agent, /usr/bin/systemd-tty-ask-password-agent
++
++.EX
++.PP
++.B systemd_passwd_var_run_t 
++.EE
++
++- Set files with the systemd_passwd_var_run_t type, if you want to store the systemd passwd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/systemd/ask-password(/.*)?, /var/run/systemd/ask-password-block(/.*)?
++
++.EX
++.PP
++.B systemd_systemctl_exec_t 
++.EE
++
++- Set files with the systemd_systemctl_exec_t type, if you want to transition an executable to the systemd_systemctl_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/systemctl, /bin/systemctl
++
++.EX
++.PP
++.B systemd_tmpfiles_exec_t 
++.EE
++
++- Set files with the systemd_tmpfiles_exec_t type, if you want to transition an executable to the systemd_tmpfiles_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/systemd-tmpfiles, /bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles, /lib/systemd/systemd-tmpfiles
++
++.EX
++.PP
++.B systemd_unit_file_t 
++.EE
++
++- Set files with the systemd_unit_file_t type, if you want to treat the files as systemd unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system(/.*)?, /lib/systemd/system(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux systemd policy is very flexible allowing users to setup their systemd processes in as secure a method as possible.
++.PP 
++The following process types are defined for systemd:
++
++.EX
++.B system_munin_plugin_t, systemd_logger_t, systemd_logind_t, system_cronjob_t, systemd_notify_t, system_mail_t, systemd_passwd_agent_t, system_dbusd_t, systemd_tmpfiles_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), systemd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/tcpd_selinux.8 b/man/man8/tcpd_selinux.8
+new file mode 100644
+index 0000000..5543123
+--- /dev/null
++++ b/man/man8/tcpd_selinux.8
+@@ -0,0 +1,114 @@
++.TH  "tcpd_selinux"  "8"  "tcpd" "dwalsh at redhat.com" "tcpd SELinux Policy documentation"
++.SH "NAME"
++tcpd_selinux \- Security Enhanced Linux Policy for the tcpd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B tcpd
++(Policy for TCP daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  tcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tcpd with the tightest access possible.
++
++
++.PP
++If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean.
++
++.EX
++.B setsebool -P telepathy_tcp_connect_generic_network_ports 1
++.EE
++
++.PP
++If you want to allow all daemons to use tcp wrappers, you must turn on the allow_daemons_use_tcp_wrapper boolean.
++
++.EX
++.B setsebool -P allow_daemons_use_tcp_wrapper 1
++.EE
++
++.PP
++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users)  disabling this forces FTP passive mode and may change other protocols, you must turn on the user_tcp_server boolean.
++
++.EX
++.B setsebool -P user_tcp_server 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux tcpd policy is very flexible allowing users to setup their tcpd processes in as secure a method as possible.
++.PP 
++The following file types are defined for tcpd:
++
++
++.EX
++.PP
++.B tcpd_exec_t 
++.EE
++
++- Set files with the tcpd_exec_t type, if you want to transition an executable to the tcpd_t domain.
++
++
++.EX
++.PP
++.B tcpd_tmp_t 
++.EE
++
++- Set files with the tcpd_tmp_t type, if you want to store tcpd temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tcpd policy is very flexible allowing users to setup their tcpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for tcpd:
++
++.EX
++.B tcpd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), tcpd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
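Review bot: The BOOLEANS section of tcpd_selinux.8 documents `telepathy_tcp_connect_generic_network_ports` and `user_tcp_server`, which look like they were selected because their names contain the substring `tcp`, not because they affect the tcpd domain. Only `allow_daemons_use_tcp_wrapper` reads as related to tcpd. An administrator who takes this page as the list of tcpd tunables could enable `user_tcp_server` and loosen policy for user domains without any effect on tcpd. The process-type list in the systemd page just above shows the same loose matching (`system_cronjob_t`, `system_mail_t`, `system_dbusd_t`). Since the page is generated by genman.py, the fix presumably belongs there: match on the domain's own prefix (`tcpd_`) and drop the two unrelated `.PP`/`.EX` entries.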
+diff --git a/man/man8/tcsd_selinux.8 b/man/man8/tcsd_selinux.8
+new file mode 100644
+index 0000000..514ced5
+--- /dev/null
++++ b/man/man8/tcsd_selinux.8
+@@ -0,0 +1,119 @@
++.TH  "tcsd_selinux"  "8"  "tcsd" "dwalsh at redhat.com" "tcsd SELinux Policy documentation"
++.SH "NAME"
++tcsd_selinux \- Security Enhanced Linux Policy for the tcsd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B tcsd
++(TSS Core Services (TCS) daemon (tcsd) policy)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux tcsd policy is very flexible allowing users to setup their tcsd processes in as secure a method as possible.
++.PP 
++The following file types are defined for tcsd:
++
++
++.EX
++.PP
++.B tcsd_exec_t 
++.EE
++
++- Set files with the tcsd_exec_t type, if you want to transition an executable to the tcsd_t domain.
++
++
++.EX
++.PP
++.B tcsd_initrc_exec_t 
++.EE
++
++- Set files with the tcsd_initrc_exec_t type, if you want to transition an executable to the tcsd_initrc_t domain.
++
++
++.EX
++.PP
++.B tcsd_var_lib_t 
++.EE
++
++- Set files with the tcsd_var_lib_t type, if you want to store the tcsd files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux tcsd policy is very flexible allowing users to setup their tcsd processes in as secure a method as possible.
++.PP 
++The following port types are defined for tcsd:
++
++.EX
++.TP 5
++.B tcs_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tcsd policy is very flexible allowing users to setup their tcsd processes in as secure a method as possible.
++.PP 
++The following process types are defined for tcsd:
++
++.EX
++.B tcsd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), tcsd(8), semanage(8), restorecon(8), chcon(1)
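Review bot: The PORT TYPES section gives `tcp 8021` as the default port for `tcs_port_t`, and the telnetd and tftpd pages later in this patch print the same `tcp 8021` for `telnetd_port_t` and `tftp_port_t`. Three unrelated services sharing one value suggests genman.py is reusing a stale port list instead of looking up each type; telnet and TFTP are conventionally tcp 23 and udp 69. Anyone checking `semanage port -l` output against these pages would be misled, so the generator should query the ports per type, or omit the `Default Defined Ports:` lines until it does. The block also ends with a second `.EE` that has no matching `.EX`, and `.TP 10` is followed directly by `.EE` with no tag text.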
+diff --git a/man/man8/telepathy_selinux.8 b/man/man8/telepathy_selinux.8
+new file mode 100644
+index 0000000..996878a
+--- /dev/null
++++ b/man/man8/telepathy_selinux.8
+@@ -0,0 +1,311 @@
++.TH  "telepathy_selinux"  "8"  "telepathy" "dwalsh at redhat.com" "telepathy SELinux Policy documentation"
++.SH "NAME"
++telepathy_selinux \- Security Enhanced Linux Policy for the telepathy processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B telepathy
++(Telepathy communications framework)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  telepathy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run telepathy with the tightest access possible.
++
++
++.PP
++If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean.
++
++.EX
++.B setsebool -P telepathy_tcp_connect_generic_network_ports 1
++.EE
++
++.PP
++If you want to allow the Telepathy connection managers to connect to any network port, you must turn on the telepathy_connect_all_ports boolean.
++
++.EX
++.B setsebool -P telepathy_connect_all_ports 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux telepathy policy is very flexible allowing users to setup their telepathy processes in as secure a method as possible.
++.PP 
++The following file types are defined for telepathy:
++
++
++.EX
++.PP
++.B telepathy_cache_home_t 
++.EE
++
++- Set files with the telepathy_cache_home_t type, if you want to store telepathy cache files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_data_home_t 
++.EE
++
++- Set files with the telepathy_data_home_t type, if you want to store telepathy data files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_gabble_cache_home_t 
++.EE
++
++- Set files with the telepathy_gabble_cache_home_t type, if you want to store telepathy gabble cache files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_gabble_exec_t 
++.EE
++
++- Set files with the telepathy_gabble_exec_t type, if you want to transition an executable to the telepathy_gabble_t domain.
++
++
++.EX
++.PP
++.B telepathy_gabble_tmp_t 
++.EE
++
++- Set files with the telepathy_gabble_tmp_t type, if you want to store telepathy gabble temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B telepathy_idle_exec_t 
++.EE
++
++- Set files with the telepathy_idle_exec_t type, if you want to transition an executable to the telepathy_idle_t domain.
++
++
++.EX
++.PP
++.B telepathy_idle_tmp_t 
++.EE
++
++- Set files with the telepathy_idle_tmp_t type, if you want to store telepathy idle temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B telepathy_logger_cache_home_t 
++.EE
++
++- Set files with the telepathy_logger_cache_home_t type, if you want to store telepathy logger cache files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_logger_data_home_t 
++.EE
++
++- Set files with the telepathy_logger_data_home_t type, if you want to store telepathy logger data files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_logger_exec_t 
++.EE
++
++- Set files with the telepathy_logger_exec_t type, if you want to transition an executable to the telepathy_logger_t domain.
++
++
++.EX
++.PP
++.B telepathy_logger_tmp_t 
++.EE
++
++- Set files with the telepathy_logger_tmp_t type, if you want to store telepathy logger temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B telepathy_mission_control_cache_home_t 
++.EE
++
++- Set files with the telepathy_mission_control_cache_home_t type, if you want to store telepathy mission control cache files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_mission_control_data_home_t 
++.EE
++
++- Set files with the telepathy_mission_control_data_home_t type, if you want to store telepathy mission control data files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_mission_control_exec_t 
++.EE
++
++- Set files with the telepathy_mission_control_exec_t type, if you want to transition an executable to the telepathy_mission_control_t domain.
++
++
++.EX
++.PP
++.B telepathy_mission_control_home_t 
++.EE
++
++- Set files with the telepathy_mission_control_home_t type, if you want to store telepathy mission control files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_mission_control_tmp_t 
++.EE
++
++- Set files with the telepathy_mission_control_tmp_t type, if you want to store telepathy mission control temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B telepathy_msn_exec_t 
++.EE
++
++- Set files with the telepathy_msn_exec_t type, if you want to transition an executable to the telepathy_msn_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/libexec/telepathy-butterfly, /usr/libexec/telepathy-haze
++
++.EX
++.PP
++.B telepathy_msn_tmp_t 
++.EE
++
++- Set files with the telepathy_msn_tmp_t type, if you want to store telepathy msn temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B telepathy_salut_exec_t 
++.EE
++
++- Set files with the telepathy_salut_exec_t type, if you want to transition an executable to the telepathy_salut_t domain.
++
++
++.EX
++.PP
++.B telepathy_salut_tmp_t 
++.EE
++
++- Set files with the telepathy_salut_tmp_t type, if you want to store telepathy salut temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B telepathy_sofiasip_exec_t 
++.EE
++
++- Set files with the telepathy_sofiasip_exec_t type, if you want to transition an executable to the telepathy_sofiasip_t domain.
++
++
++.EX
++.PP
++.B telepathy_sofiasip_tmp_t 
++.EE
++
++- Set files with the telepathy_sofiasip_tmp_t type, if you want to store telepathy sofiasip temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B telepathy_stream_engine_exec_t 
++.EE
++
++- Set files with the telepathy_stream_engine_exec_t type, if you want to transition an executable to the telepathy_stream_engine_t domain.
++
++
++.EX
++.PP
++.B telepathy_stream_engine_tmp_t 
++.EE
++
++- Set files with the telepathy_stream_engine_tmp_t type, if you want to store telepathy stream engine temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B telepathy_sunshine_exec_t 
++.EE
++
++- Set files with the telepathy_sunshine_exec_t type, if you want to transition an executable to the telepathy_sunshine_t domain.
++
++
++.EX
++.PP
++.B telepathy_sunshine_home_t 
++.EE
++
++- Set files with the telepathy_sunshine_home_t type, if you want to store telepathy sunshine files in the users home directory.
++
++
++.EX
++.PP
++.B telepathy_sunshine_tmp_t 
++.EE
++
++- Set files with the telepathy_sunshine_tmp_t type, if you want to store telepathy sunshine temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux telepathy policy is very flexible allowing users to setup their telepathy processes in as secure a method as possible.
++.PP 
++The following process types are defined for telepathy:
++
++.EX
++.B telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t, telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t, telepathy_logger_t, telepathy_stream_engine_t, telepathy_msn_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), telepathy(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
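Review bot: The font escape in `\fBls\bP` and `\fBps\bP` (FILE CONTEXTS and PROCESS TYPES) is malformed, so the bold started by `\fB` is never reset with `\fP`. Here `\b` begins roff's bracket-building escape, so the command name may render wrongly or leave the rest of the line in bold. The lines should read `You can see the context of a file using the \fB\-Z\fP option to \fBls\fP` and likewise `\fBps\fP`. The same two lines appear in every generated page in this range (systemd, tcpd, tcsd, telnetd, tftpd, tgtd, thin, thumb), so the correction presumably belongs in the genman.py template.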
+diff --git a/man/man8/telnetd_selinux.8 b/man/man8/telnetd_selinux.8
+new file mode 100644
+index 0000000..34d5d8c
+--- /dev/null
++++ b/man/man8/telnetd_selinux.8
+@@ -0,0 +1,125 @@
++.TH  "telnetd_selinux"  "8"  "telnetd" "dwalsh at redhat.com" "telnetd SELinux Policy documentation"
++.SH "NAME"
++telnetd_selinux \- Security Enhanced Linux Policy for the telnetd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux telnetd policy is very flexible allowing users to setup their telnetd processes in as secure a method as possible.
++.PP 
++The following file types are defined for telnetd:
++
++
++.EX
++.PP
++.B telnetd_exec_t 
++.EE
++
++- Set files with the telnetd_exec_t type, if you want to transition an executable to the telnetd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/kerberos/sbin/telnetd, /usr/sbin/in\.telnetd
++
++.EX
++.PP
++.B telnetd_keytab_t 
++.EE
++
++- Set files with the telnetd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B telnetd_tmp_t 
++.EE
++
++- Set files with the telnetd_tmp_t type, if you want to store telnetd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B telnetd_var_run_t 
++.EE
++
++- Set files with the telnetd_var_run_t type, if you want to store the telnetd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux telnetd policy is very flexible allowing users to setup their telnetd processes in as secure a method as possible.
++.PP 
++The following port types are defined for telnetd:
++
++.EX
++.TP 5
++.B telnetd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux telnetd policy is very flexible allowing users to setup their telnetd processes in as secure a method as possible.
++.PP 
++The following process types are defined for telnetd:
++
++.EX
++.B telnetd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), telnetd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/tftpd_selinux.8 b/man/man8/tftpd_selinux.8
+new file mode 100644
+index 0000000..b7bdb6b
+--- /dev/null
++++ b/man/man8/tftpd_selinux.8
+@@ -0,0 +1,155 @@
++.TH  "tftpd_selinux"  "8"  "tftpd" "dwalsh at redhat.com" "tftpd SELinux Policy documentation"
++.SH "NAME"
++tftpd_selinux \- Security Enhanced Linux Policy for the tftpd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow tftpd servers to read the /var/tftpd directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/tftpd(/.*)?"
++.br
++.B restorecon -F -R -v /var/tftpd
++.pp
++.TP
++Allow tftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_tftpd_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/tftpd/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/tftpd/incoming
++
++
++.PP
++If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean.
++
++.EX
++.B setsebool -P tftp_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux tftpd policy is very flexible allowing users to setup their tftpd processes in as secure a method as possible.
++.PP 
++The following file types are defined for tftpd:
++
++
++.EX
++.PP
++.B tftpd_exec_t 
++.EE
++
++- Set files with the tftpd_exec_t type, if you want to transition an executable to the tftpd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/in\.tftpd, /usr/sbin/atftpd
++
++.EX
++.PP
++.B tftpd_var_run_t 
++.EE
++
++- Set files with the tftpd_var_run_t type, if you want to store the tftpd files under the /run directory.
++
++
++.EX
++.PP
++.B tftpdir_rw_t 
++.EE
++
++- Set files with the tftpdir_rw_t type, if you want to treat the files as tftpdir read/write content.
++
++
++.EX
++.PP
++.B tftpdir_t 
++.EE
++
++- Set files with the tftpdir_t type, if you want to treat the files as tftpdir data.
++
++.br
++.TP 5
++Paths: 
++/tftpboot/.*, /tftpboot
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux tftpd policy is very flexible allowing users to setup their tftpd processes in as secure a method as possible.
++.PP 
++The following port types are defined for tftpd:
++
++.EX
++.TP 5
++.B tftp_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tftpd policy is very flexible allowing users to setup their tftpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for tftpd:
++
++.EX
++.B tftpd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), tftpd(8), semanage(8), restorecon(8), chcon(1)
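Review bot: The SHARING FILES text says anonymous writes require the `allow_tftpd_anon_write` boolean, but the entry that follows and its command use `tftp_anon_write`. The same paragraph names `/var/tmp/incoming`, while the `semanage fcontext` and `restorecon` lines label `/var/tftpd/incoming`. Because this section controls write access to `public_content_rw_t` content, the prose should agree with the commands, presumably as `Allow tftpd servers to read and write /var/tftpd/incoming ...` and `This also requires the tftp_anon_write boolean to be set.` The lowercase `.pp` request before the second `.TP` is not the `.PP` macro and should be `.PP` or removed.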
+diff --git a/man/man8/tgtd_selinux.8 b/man/man8/tgtd_selinux.8
+new file mode 100644
+index 0000000..ed0f28a
+--- /dev/null
++++ b/man/man8/tgtd_selinux.8
+@@ -0,0 +1,117 @@
++.TH  "tgtd_selinux"  "8"  "tgtd" "dwalsh at redhat.com" "tgtd SELinux Policy documentation"
++.SH "NAME"
++tgtd_selinux \- Security Enhanced Linux Policy for the tgtd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B tgtd
++(Linux Target Framework Daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux tgtd policy is very flexible allowing users to setup their tgtd processes in as secure a method as possible.
++.PP 
++The following file types are defined for tgtd:
++
++
++.EX
++.PP
++.B tgtd_exec_t 
++.EE
++
++- Set files with the tgtd_exec_t type, if you want to transition an executable to the tgtd_t domain.
++
++
++.EX
++.PP
++.B tgtd_initrc_exec_t 
++.EE
++
++- Set files with the tgtd_initrc_exec_t type, if you want to transition an executable to the tgtd_initrc_t domain.
++
++
++.EX
++.PP
++.B tgtd_tmp_t 
++.EE
++
++- Set files with the tgtd_tmp_t type, if you want to store tgtd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B tgtd_tmpfs_t 
++.EE
++
++- Set files with the tgtd_tmpfs_t type, if you want to store tgtd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B tgtd_var_lib_t 
++.EE
++
++- Set files with the tgtd_var_lib_t type, if you want to store the tgtd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B tgtd_var_run_t 
++.EE
++
++- Set files with the tgtd_var_run_t type, if you want to store the tgtd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tgtd policy is very flexible allowing users to setup their tgtd processes in as secure a method as possible.
++.PP 
++The following process types are defined for tgtd:
++
++.EX
++.B tgtd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), tgtd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/thin_selinux.8 b/man/man8/thin_selinux.8
+new file mode 100644
+index 0000000..c7f6423
+--- /dev/null
++++ b/man/man8/thin_selinux.8
+@@ -0,0 +1,79 @@
++.TH  "thin_selinux"  "8"  "thin" "dwalsh at redhat.com" "thin SELinux Policy documentation"
++.SH "NAME"
++thin_selinux \- Security Enhanced Linux Policy for the thin processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux thin policy is very flexible allowing users to setup their thin processes in as secure a method as possible.
++.PP 
++The following file types are defined for thin:
++
++
++.EX
++.PP
++.B thin_exec_t 
++.EE
++
++- Set files with the thin_exec_t type, if you want to transition an executable to the thin_t domain.
++
++
++.EX
++.PP
++.B thin_var_run_t 
++.EE
++
++- Set files with the thin_var_run_t type, if you want to store the thin files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux thin policy is very flexible allowing users to setup their thin processes in as secure a method as possible.
++.PP 
++The following process types are defined for thin:
++
++.EX
++.B thin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), thin(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/thumb_selinux.8 b/man/man8/thumb_selinux.8
+new file mode 100644
+index 0000000..b03036c
+--- /dev/null
++++ b/man/man8/thumb_selinux.8
+@@ -0,0 +1,89 @@
++.TH  "thumb_selinux"  "8"  "thumb" "dwalsh at redhat.com" "thumb SELinux Policy documentation"
++.SH "NAME"
++thumb_selinux \- Security Enhanced Linux Policy for the thumb processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B thumb
++(policy for thumb)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux thumb policy is very flexible allowing users to setup their thumb processes in as secure a method as possible.
++.PP 
++The following file types are defined for thumb:
++
++
++.EX
++.PP
++.B thumb_exec_t 
++.EE
++
++- Set files with the thumb_exec_t type, if you want to transition an executable to the thumb_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/whaaw-thumbnailer, /usr/lib/tumbler[^/]*/tumblerd, /usr/bin/raw-thumbnailer, /usr/bin/evince-thumbnailer, /usr/bin/[^/]*thumbnailer, /usr/bin/ffmpegthumbnailer, /usr/bin/shotwell-video-thumbnailer, /usr/bin/gsf-office-thumbnailer, /usr/bin/gnome-thumbnail-font, /usr/bin/totem-video-thumbnailer, /usr/bin/gnome-[^/]*-thumbnailer(.sh)?
++
++.EX
++.PP
++.B thumb_tmp_t 
++.EE
++
++- Set files with the thumb_tmp_t type, if you want to store thumb temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux thumb policy is very flexible allowing users to setup their thumb processes in as secure a method as possible.
++.PP 
++The following process types are defined for thumb:
++
++.EX
++.B thumb_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), thumb(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/tmpreaper_selinux.8 b/man/man8/tmpreaper_selinux.8
+new file mode 100644
+index 0000000..53468d0
+--- /dev/null
++++ b/man/man8/tmpreaper_selinux.8
+@@ -0,0 +1,81 @@
++.TH  "tmpreaper_selinux"  "8"  "tmpreaper" "dwalsh at redhat.com" "tmpreaper SELinux Policy documentation"
++.SH "NAME"
++tmpreaper_selinux \- Security Enhanced Linux Policy for the tmpreaper processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B tmpreaper
++(Manage temporary directory sizes and file ages)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux tmpreaper policy is very flexible allowing users to setup their tmpreaper processes in as secure a method as possible.
++.PP 
++The following file types are defined for tmpreaper:
++
++
++.EX
++.PP
++.B tmpreaper_exec_t 
++.EE
++
++- Set files with the tmpreaper_exec_t type, if you want to transition an executable to the tmpreaper_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/tmpwatch, /usr/sbin/tmpreaper
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tmpreaper policy is very flexible allowing users to setup their tmpreaper processes in as secure a method as possible.
++.PP 
++The following process types are defined for tmpreaper:
++
++.EX
++.B tmpreaper_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), tmpreaper(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/tor_selinux.8 b/man/man8/tor_selinux.8
+new file mode 100644
+index 0000000..8ec79ef
+--- /dev/null
++++ b/man/man8/tor_selinux.8
+@@ -0,0 +1,177 @@
++.TH  "tor_selinux"  "8"  "tor" "dwalsh at redhat.com" "tor SELinux Policy documentation"
++.SH "NAME"
++tor_selinux \- Security Enhanced Linux Policy for the tor processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B tor
++(TOR, the onion router)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  tor policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tor with the tightest access possible.
++
++
++.PP
++If you want to allow tor daemon to bind tcp sockets to all unreserved ports, you must turn on the tor_bind_all_unreserved_ports boolean.
++
++.EX
++.B setsebool -P tor_bind_all_unreserved_ports 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible.
++.PP 
++The following file types are defined for tor:
++
++
++.EX
++.PP
++.B tor_etc_t 
++.EE
++
++- Set files with the tor_etc_t type, if you want to store tor files in the /etc directories.
++
++
++.EX
++.PP
++.B tor_exec_t 
++.EE
++
++- Set files with the tor_exec_t type, if you want to transition an executable to the tor_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/tor, /usr/bin/tor
++
++.EX
++.PP
++.B tor_initrc_exec_t 
++.EE
++
++- Set files with the tor_initrc_exec_t type, if you want to transition an executable to the tor_initrc_t domain.
++
++
++.EX
++.PP
++.B tor_var_lib_t 
++.EE
++
++- Set files with the tor_var_lib_t type, if you want to store the tor files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/tor(/.*)?, /var/lib/tor-data(/.*)?
++
++.EX
++.PP
++.B tor_var_log_t 
++.EE
++
++- Set files with the tor_var_log_t type, if you want to treat the data as tor var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B tor_var_run_t 
++.EE
++
++- Set files with the tor_var_run_t type, if you want to store the tor files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible.
++.PP 
++The following port types are defined for tor:
++
++.EX
++.TP 5
++.B tor_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B tor_socks_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible.
++.PP 
++The following process types are defined for tor:
++
++.EX
++.B tor_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), tor(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/traceroute_selinux.8 b/man/man8/traceroute_selinux.8
+new file mode 100644
+index 0000000..c4ea5dd
+--- /dev/null
++++ b/man/man8/traceroute_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "traceroute_selinux"  "8"  "traceroute" "dwalsh at redhat.com" "traceroute SELinux Policy documentation"
++.SH "NAME"
++traceroute_selinux \- Security Enhanced Linux Policy for the traceroute processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux traceroute policy is very flexible allowing users to setup their traceroute processes in as secure a method as possible.
++.PP 
++The following file types are defined for traceroute:
++
++
++.EX
++.PP
++.B traceroute_exec_t 
++.EE
++
++- Set files with the traceroute_exec_t type, if you want to transition an executable to the traceroute_t domain.
++
++.br
++.TP 5
++Paths: 
++/bin/tracepath.*, /usr/bin/traceroute.*, /usr/bin/nmap, /usr/bin/lft, /bin/traceroute.*, /usr/bin/tracepath.*, /usr/sbin/traceroute.*, /usr/bin/mtr
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux traceroute policy is very flexible allowing users to setup their traceroute processes in as secure a method as possible.
++.PP 
++The following port types are defined for traceroute:
++
++.EX
++.TP 5
++.B traceroute_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux traceroute policy is very flexible allowing users to setup their traceroute processes in as secure a method as possible.
++.PP 
++The following process types are defined for traceroute:
++
++.EX
++.B traceroute_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), traceroute(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/tuned_selinux.8 b/man/man8/tuned_selinux.8
+new file mode 100644
+index 0000000..824c519
+--- /dev/null
++++ b/man/man8/tuned_selinux.8
+@@ -0,0 +1,105 @@
++.TH  "tuned_selinux"  "8"  "tuned" "dwalsh at redhat.com" "tuned SELinux Policy documentation"
++.SH "NAME"
++tuned_selinux \- Security Enhanced Linux Policy for the tuned processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B tuned
++(Dynamic adaptive system tuning daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux tuned policy is very flexible allowing users to setup their tuned processes in as secure a method as possible.
++.PP 
++The following file types are defined for tuned:
++
++
++.EX
++.PP
++.B tuned_exec_t 
++.EE
++
++- Set files with the tuned_exec_t type, if you want to transition an executable to the tuned_t domain.
++
++
++.EX
++.PP
++.B tuned_initrc_exec_t 
++.EE
++
++- Set files with the tuned_initrc_exec_t type, if you want to transition an executable to the tuned_initrc_t domain.
++
++
++.EX
++.PP
++.B tuned_log_t 
++.EE
++
++- Set files with the tuned_log_t type, if you want to treat the data as tuned log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/tuned(/.*)?, /var/log/tuned\.log
++
++.EX
++.PP
++.B tuned_var_run_t 
++.EE
++
++- Set files with the tuned_var_run_t type, if you want to store the tuned files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tuned policy is very flexible allowing users to setup their tuned processes in as secure a method as possible.
++.PP 
++The following process types are defined for tuned:
++
++.EX
++.B tuned_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), tuned(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/tvtime_selinux.8 b/man/man8/tvtime_selinux.8
+new file mode 100644
+index 0000000..0694cf9
+--- /dev/null
++++ b/man/man8/tvtime_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "tvtime_selinux"  "8"  "tvtime" "dwalsh at redhat.com" "tvtime SELinux Policy documentation"
++.SH "NAME"
++tvtime_selinux \- Security Enhanced Linux Policy for the tvtime processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B tvtime
++( tvtime - a high quality television application )
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux tvtime policy is very flexible allowing users to setup their tvtime processes in as secure a method as possible.
++.PP 
++The following file types are defined for tvtime:
++
++
++.EX
++.PP
++.B tvtime_exec_t 
++.EE
++
++- Set files with the tvtime_exec_t type, if you want to transition an executable to the tvtime_t domain.
++
++
++.EX
++.PP
++.B tvtime_home_t 
++.EE
++
++- Set files with the tvtime_home_t type, if you want to store tvtime files in the users home directory.
++
++
++.EX
++.PP
++.B tvtime_tmp_t 
++.EE
++
++- Set files with the tvtime_tmp_t type, if you want to store tvtime temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B tvtime_tmpfs_t 
++.EE
++
++- Set files with the tvtime_tmpfs_t type, if you want to store tvtime files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tvtime policy is very flexible allowing users to setup their tvtime processes in as secure a method as possible.
++.PP 
++The following process types are defined for tvtime:
++
++.EX
++.B tvtime_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), tvtime(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/udev_selinux.8 b/man/man8/udev_selinux.8
+new file mode 100644
+index 0000000..e90dada
+--- /dev/null
++++ b/man/man8/udev_selinux.8
+@@ -0,0 +1,121 @@
++.TH  "udev_selinux"  "8"  "udev" "dwalsh at redhat.com" "udev SELinux Policy documentation"
++.SH "NAME"
++udev_selinux \- Security Enhanced Linux Policy for the udev processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B udev
++(Policy for udev)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux udev policy is very flexible allowing users to setup their udev processes in as secure a method as possible.
++.PP 
++The following file types are defined for udev:
++
++
++.EX
++.PP
++.B udev_etc_t 
++.EE
++
++- Set files with the udev_etc_t type, if you want to store udev files in the /etc directories.
++
++
++.EX
++.PP
++.B udev_exec_t 
++.EE
++
++- Set files with the udev_exec_t type, if you want to transition an executable to the udev_t domain.
++
++.br
++.TP 5
++Paths: 
++/lib/udev/udevd, /sbin/udevd, /sbin/udev, /usr/sbin/wait_for_sysfs, /sbin/udevsend, /usr/sbin/udevadm, /usr/bin/udevadm, /usr/bin/udevinfo, /usr/sbin/start_udev, /usr/sbin/udev, /usr/sbin/udevsend, /sbin/start_udev, /sbin/udevstart, /bin/udevadm, /sbin/wait_for_sysfs, /lib/udev/udev-acl, /sbin/udevadm, /usr/sbin/udevd, /usr/sbin/udevstart, /usr/lib/udev/udev-acl, /usr/lib/udev/udevd
++
++.EX
++.PP
++.B udev_helper_exec_t 
++.EE
++
++- Set files with the udev_helper_exec_t type, if you want to transition an executable to the udev_helper_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/udev/scripts/.+, /etc/hotplug\.d/default/udev.*, /etc/dev\.d/.+
++
++.EX
++.PP
++.B udev_rules_t 
++.EE
++
++- Set files with the udev_rules_t type, if you want to treat the files as udev rules data.
++
++
++.EX
++.PP
++.B udev_var_run_t 
++.EE
++
++- Set files with the udev_var_run_t type, if you want to store the udev files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/udev(/.*)?, /dev/\.udevdb, /var/run/PackageKit/udev(/.*)?, /dev/\.udev(/.*)?, /dev/udev\.tbl, /var/run/libgpod(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux udev policy is very flexible allowing users to setup their udev processes in as secure a method as possible.
++.PP 
++The following process types are defined for udev:
++
++.EX
++.B udev_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), udev(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ulogd_selinux.8 b/man/man8/ulogd_selinux.8
+new file mode 100644
+index 0000000..3ab14e4
+--- /dev/null
++++ b/man/man8/ulogd_selinux.8
+@@ -0,0 +1,109 @@
++.TH  "ulogd_selinux"  "8"  "ulogd" "dwalsh at redhat.com" "ulogd SELinux Policy documentation"
++.SH "NAME"
++ulogd_selinux \- Security Enhanced Linux Policy for the ulogd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B ulogd
++(Iptables/netfilter userspace logging daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ulogd policy is very flexible allowing users to setup their ulogd processes in as secure a method as possible.
++.PP 
++The following file types are defined for ulogd:
++
++
++.EX
++.PP
++.B ulogd_etc_t 
++.EE
++
++- Set files with the ulogd_etc_t type, if you want to store ulogd files in the /etc directories.
++
++
++.EX
++.PP
++.B ulogd_exec_t 
++.EE
++
++- Set files with the ulogd_exec_t type, if you want to transition an executable to the ulogd_t domain.
++
++
++.EX
++.PP
++.B ulogd_initrc_exec_t 
++.EE
++
++- Set files with the ulogd_initrc_exec_t type, if you want to transition an executable to the ulogd_initrc_t domain.
++
++
++.EX
++.PP
++.B ulogd_modules_t 
++.EE
++
++- Set files with the ulogd_modules_t type, if you want to treat the files as ulogd modules.
++
++
++.EX
++.PP
++.B ulogd_var_log_t 
++.EE
++
++- Set files with the ulogd_var_log_t type, if you want to treat the data as ulogd var log data, usually stored under the /var/log directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ulogd policy is very flexible allowing users to setup their ulogd processes in as secure a method as possible.
++.PP 
++The following process types are defined for ulogd:
++
++.EX
++.B ulogd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ulogd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/uml_selinux.8 b/man/man8/uml_selinux.8
+new file mode 100644
+index 0000000..34355cf
+--- /dev/null
++++ b/man/man8/uml_selinux.8
+@@ -0,0 +1,125 @@
++.TH  "uml_selinux"  "8"  "uml" "dwalsh at redhat.com" "uml SELinux Policy documentation"
++.SH "NAME"
++uml_selinux \- Security Enhanced Linux Policy for the uml processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B uml
++(Policy for UML)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux uml policy is very flexible allowing users to setup their uml processes in as secure a method as possible.
++.PP 
++The following file types are defined for uml:
++
++
++.EX
++.PP
++.B uml_exec_t 
++.EE
++
++- Set files with the uml_exec_t type, if you want to transition an executable to the uml_t domain.
++
++
++.EX
++.PP
++.B uml_ro_t 
++.EE
++
++- Set files with the uml_ro_t type, if you want to treat the files as uml read/only content.
++
++
++.EX
++.PP
++.B uml_rw_t 
++.EE
++
++- Set files with the uml_rw_t type, if you want to treat the files as uml read/write content.
++
++
++.EX
++.PP
++.B uml_switch_exec_t 
++.EE
++
++- Set files with the uml_switch_exec_t type, if you want to transition an executable to the uml_switch_t domain.
++
++
++.EX
++.PP
++.B uml_switch_var_run_t 
++.EE
++
++- Set files with the uml_switch_var_run_t type, if you want to store the uml switch files under the /run directory.
++
++
++.EX
++.PP
++.B uml_tmp_t 
++.EE
++
++- Set files with the uml_tmp_t type, if you want to store uml temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B uml_tmpfs_t 
++.EE
++
++- Set files with the uml_tmpfs_t type, if you want to store uml files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux uml policy is very flexible allowing users to setup their uml processes in as secure a method as possible.
++.PP 
++The following process types are defined for uml:
++
++.EX
++.B uml_switch_t, uml_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), uml(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/unconfined_selinux.8 b/man/man8/unconfined_selinux.8
+new file mode 100644
+index 0000000..49f0e32
+--- /dev/null
++++ b/man/man8/unconfined_selinux.8
+@@ -0,0 +1,131 @@
++.TH  "unconfined_selinux"  "8"  "unconfined" "dwalsh at redhat.com" "unconfined SELinux Policy documentation"
++.SH "NAME"
++unconfined_selinux \- Security Enhanced Linux Policy for the unconfined processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B unconfined
++(The unconfined domain)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  unconfined policy is extremely flexible and has several booleans that allow you to manipulate the policy and run unconfined with the tightest access possible.
++
++
++.PP
++If you want to allow database admins to execute DML statemen, you must turn on the sepgsql_unconfined_dbadm boolean.
++
++.EX
++.B setsebool -P sepgsql_unconfined_dbadm 1
++.EE
++
++.PP
++If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
++
++.EX
++.B setsebool -P unconfined_mozilla_plugin_transition 1
++.EE
++
++.PP
++If you want to allow a user to login as an unconfined domai, you must turn on the unconfined_login boolean.
++
++.EX
++.B setsebool -P unconfined_login 1
++.EE
++
++.PP
++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbo, you must turn on the unconfined_chrome_sandbox_transition boolean.
++
++.EX
++.B setsebool -P unconfined_chrome_sandbox_transition 1
++.EE
++
++.PP
++If you want to allow samba to run unconfined script, you must turn on the samba_run_unconfined boolean.
++
++.EX
++.B setsebool -P samba_run_unconfined 1
++.EE
++
++.PP
++If you want to allow video playing tools to run unconfine, you must turn on the unconfined_mplayer boolean.
++
++.EX
++.B setsebool -P unconfined_mplayer 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux unconfined policy is very flexible allowing users to setup their unconfined processes in as secure a method as possible.
++.PP 
++The following file types are defined for unconfined:
++
++
++.EX
++.PP
++.B unconfined_exec_t 
++.EE
++
++- Set files with the unconfined_exec_t type, if you want to transition an executable to the unconfined_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/vncserver, /usr/sbin/xrdp, /usr/sbin/xrdp-sesman
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux unconfined policy is very flexible allowing users to setup their unconfined processes in as secure a method as possible.
++.PP 
++The following process types are defined for unconfined:
++
++.EX
++.B unconfined_cronjob_t, unconfined_dbusd_t, unconfined_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), unconfined(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/update_selinux.8 b/man/man8/update_selinux.8
+new file mode 100644
+index 0000000..df3a1eb
+--- /dev/null
++++ b/man/man8/update_selinux.8
+@@ -0,0 +1,83 @@
++.TH  "update_selinux"  "8"  "update" "dwalsh at redhat.com" "update SELinux Policy documentation"
++.SH "NAME"
++update_selinux \- Security Enhanced Linux Policy for the update processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux update policy is very flexible allowing users to setup their update processes in as secure a method as possible.
++.PP 
++The following file types are defined for update:
++
++
++.EX
++.PP
++.B update_modules_exec_t 
++.EE
++
++- Set files with the update_modules_exec_t type, if you want to transition an executable to the update_modules_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/modules-update, /usr/sbin/update-modules, /sbin/modules-update, /sbin/generate-modprobe\.conf, /sbin/update-modules, /usr/sbin/generate-modprobe\.conf
++
++.EX
++.PP
++.B update_modules_tmp_t 
++.EE
++
++- Set files with the update_modules_tmp_t type, if you want to store update modules temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux update policy is very flexible allowing users to setup their update processes in as secure a method as possible.
++.PP 
++The following process types are defined for update:
++
++.EX
++.B update_modules_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), update(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/updfstab_selinux.8 b/man/man8/updfstab_selinux.8
+new file mode 100644
+index 0000000..17c099b
+--- /dev/null
++++ b/man/man8/updfstab_selinux.8
+@@ -0,0 +1,81 @@
++.TH  "updfstab_selinux"  "8"  "updfstab" "dwalsh at redhat.com" "updfstab SELinux Policy documentation"
++.SH "NAME"
++updfstab_selinux \- Security Enhanced Linux Policy for the updfstab processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B updfstab
++(Red Hat utility to change /etc/fstab)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux updfstab policy is very flexible allowing users to setup their updfstab processes in as secure a method as possible.
++.PP 
++The following file types are defined for updfstab:
++
++
++.EX
++.PP
++.B updfstab_exec_t 
++.EE
++
++- Set files with the updfstab_exec_t type, if you want to transition an executable to the updfstab_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/updfstab, /usr/sbin/fstab-sync
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux updfstab policy is very flexible allowing users to setup their updfstab processes in as secure a method as possible.
++.PP 
++The following process types are defined for updfstab:
++
++.EX
++.B updfstab_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), updfstab(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/updpwd_selinux.8 b/man/man8/updpwd_selinux.8
+new file mode 100644
+index 0000000..b48fb1b
+--- /dev/null
++++ b/man/man8/updpwd_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "updpwd_selinux"  "8"  "updpwd" "dwalsh at redhat.com" "updpwd SELinux Policy documentation"
++.SH "NAME"
++updpwd_selinux \- Security Enhanced Linux Policy for the updpwd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux updpwd policy is very flexible allowing users to setup their updpwd processes in as secure a method as possible.
++.PP 
++The following file types are defined for updpwd:
++
++
++.EX
++.PP
++.B updpwd_exec_t 
++.EE
++
++- Set files with the updpwd_exec_t type, if you want to transition an executable to the updpwd_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/unix_update, /usr/sbin/unix_update
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux updpwd policy is very flexible allowing users to setup their updpwd processes in as secure a method as possible.
++.PP 
++The following process types are defined for updpwd:
++
++.EX
++.B updpwd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), updpwd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/usbmodules_selinux.8 b/man/man8/usbmodules_selinux.8
+new file mode 100644
+index 0000000..83e61e3
+--- /dev/null
++++ b/man/man8/usbmodules_selinux.8
+@@ -0,0 +1,81 @@
++.TH  "usbmodules_selinux"  "8"  "usbmodules" "dwalsh at redhat.com" "usbmodules SELinux Policy documentation"
++.SH "NAME"
++usbmodules_selinux \- Security Enhanced Linux Policy for the usbmodules processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B usbmodules
++(List kernel modules of USB devices)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux usbmodules policy is very flexible allowing users to setup their usbmodules processes in as secure a method as possible.
++.PP 
++The following file types are defined for usbmodules:
++
++
++.EX
++.PP
++.B usbmodules_exec_t 
++.EE
++
++- Set files with the usbmodules_exec_t type, if you want to transition an executable to the usbmodules_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/usbmodules, /sbin/usbmodules
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux usbmodules policy is very flexible allowing users to setup their usbmodules processes in as secure a method as possible.
++.PP 
++The following process types are defined for usbmodules:
++
++.EX
++.B usbmodules_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), usbmodules(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/usbmuxd_selinux.8 b/man/man8/usbmuxd_selinux.8
+new file mode 100644
+index 0000000..a8d74de
+--- /dev/null
++++ b/man/man8/usbmuxd_selinux.8
+@@ -0,0 +1,85 @@
++.TH  "usbmuxd_selinux"  "8"  "usbmuxd" "dwalsh at redhat.com" "usbmuxd SELinux Policy documentation"
++.SH "NAME"
++usbmuxd_selinux \- Security Enhanced Linux Policy for the usbmuxd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B usbmuxd
++(USB multiplexing daemon for communicating with Apple iPod Touch and iPhone)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux usbmuxd policy is very flexible allowing users to setup their usbmuxd processes in as secure a method as possible.
++.PP 
++The following file types are defined for usbmuxd:
++
++
++.EX
++.PP
++.B usbmuxd_exec_t 
++.EE
++
++- Set files with the usbmuxd_exec_t type, if you want to transition an executable to the usbmuxd_t domain.
++
++
++.EX
++.PP
++.B usbmuxd_var_run_t 
++.EE
++
++- Set files with the usbmuxd_var_run_t type, if you want to store the usbmuxd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux usbmuxd policy is very flexible allowing users to setup their usbmuxd processes in as secure a method as possible.
++.PP 
++The following process types are defined for usbmuxd:
++
++.EX
++.B usbmuxd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), usbmuxd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/user_selinux.8 b/man/man8/user_selinux.8
+new file mode 100644
+index 0000000..a2082e9
+--- /dev/null
++++ b/man/man8/user_selinux.8
+@@ -0,0 +1,194 @@
++.TH  "user_selinux"  "8"  "user" "mgrepl at redhat.com" "user SELinux Policy documentation"
++.SH "NAME"
++user_u \- \fBGeneric unprivileged user role\fP - Security Enhanced Linux Policy 
++
++.SH DESCRIPTION
++
++\fBuser_u\fP is an SELinux User defined in the SELinux
++policy. SELinux users have default roles, \fBuser_r\fP.  The
++default role has a default type, \fBuser_t\fP, associated with it.
++
++The SELinux user will usually login to a system with a context that looks like:
++
++.B user_u:user_r:user_u:s0-s0:c0.c1023
++
++Linux users are automatically assigned an SELinux users at login.  
++Login programs use the SELinux User to assign initial context to the user's shell.
++
++SELinux policy uses the context to control the user's access.
++
++By default all users are assigned to the SELinux user via the \fB__default__\fP flag
++
++On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
++
++You can list all Linux User to SELinux user mapping using:
++
++.B semanage login -l
++
++If you wanted to change the default user mapping to use the user_u user, you would execute:
++
++.B semanage login -m -s user_u __default__
++
++
++If you want to map the one Linux user (joe) to the SELinux user user, you would execute:
++
++.B $ semanage login -a -s user_u joe
++
++
++.SH USER DESCRIPTION
++
++The SELinux user user_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
++
++.SH SUDO
++
++The SELinux type user_t is not allowed to execute sudo. 
++
++.SH X WINDOWS LOGIN
++
++The SELinux user user_u is able to X Windows login.
++
++.SH TERMINAL LOGIN
++
++The SELinux user user_u is able to terminal login.
++
++.SH NETWORK
++
++.TP
++The SELinux user user_u is able to listen on the following tcp ports.
++
++.B xserver_port_t: 6000-6020
++
++.TP
++The SELinux user user_u is able to listen on the following udp ports.
++
++.B all ports with out defined types
++
++.TP
++The SELinux user user_u is able to connect to the following tcp ports.
++
++.B all ports
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  user_t policy is extremely flexible and has several booleans that allow you to manipulate the policy and run user_t with the tightest access possible.
++
++
++.PP
++If you want to allow users to connect to the local mysql server, you must turn on the allow_user_mysql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_mysql_connect 1
++.EE
++
++.PP
++If you want to control users use of ping and traceroute, you must turn on the user_ping boolean.
++
++.EX
++.B setsebool -P user_ping 1
++.EE
++
++.PP
++If you want to allow w to display everyone, you must turn on the user_ttyfile_stat boolean.
++
++.EX
++.B setsebool -P user_ttyfile_stat 1
++.EE
++
++.PP
++If you want to allow user music sharing, you must turn on the user_share_music boolean.
++
++.EX
++.B setsebool -P user_share_music 1
++.EE
++
++.PP
++If you want to allow regular users direct dri device access, you must turn on the user_direct_dri boolean.
++
++.EX
++.B setsebool -P user_direct_dri 1
++.EE
++
++.PP
++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the user_rw_noexattrfile boolean.
++
++.EX
++.B setsebool -P user_rw_noexattrfile 1
++.EE
++
++.PP
++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users)  disabling this forces FTP passive mode and may change other protocols, you must turn on the user_tcp_server boolean.
++
++.EX
++.B setsebool -P user_tcp_server 1
++.EE
++
++.PP
++If you want to allow regular users direct mouse access, you must turn on the user_direct_mouse boolean.
++
++.EX
++.B setsebool -P user_direct_mouse 1
++.EE
++
++.PP
++If you want to allow user processes to change their priority, you must turn on the user_setrlimit boolean.
++
++.EX
++.B setsebool -P user_setrlimit 1
++.EE
++
++.PP
++If you want to allow users to connect to PostgreSQL, you must turn on the allow_user_postgresql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_postgresql_connect 1
++.EE
++
++.PP
++If you want to allow users to read system messages, you must turn on the user_dmesg boolean.
++
++.EX
++.B setsebool -P user_dmesg 1
++.EE
++
++.SH HOME_EXEC
++
++The SELinux user user_u is able execute home content files.
++
++.SH TRANSITIONS
++
++Three things can happen when user_t attempts to execute a program.
++
++\fB1.\fP SELinux Policy can deny user_t from executing the program.
++
++.TP
++
++\fB2.\fP SELinux Policy can allow user_t to execute the program in the current user type.
++
++Execute the following to see the types that the SELinux user user_t can execute without transitioning:
++
++.B sesearch -A -s user_t -c file -p execute_no_trans
++
++.TP
++
++\fB3.\fP SELinux can allow user_t to execute the program and transition to a new type.
++
++Execute the following to see the types that the SELinux user user_t can execute and transition:
++
++.B $ sesearch -A -s user_t -c process -p transition
++
++
++.SH "COMMANDS"
++
++.B semanage login
++can also be used to manipulate the Linux User to SELinux User mappings
++
++.B semanage user
++can also be used to manipulate SELinux user definitions.
++
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genuserman.py.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8).
+diff --git a/man/man8/useradd_selinux.8 b/man/man8/useradd_selinux.8
+new file mode 100644
+index 0000000..8ad5cf6
+--- /dev/null
++++ b/man/man8/useradd_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "useradd_selinux"  "8"  "useradd" "dwalsh at redhat.com" "useradd SELinux Policy documentation"
++.SH "NAME"
++useradd_selinux \- Security Enhanced Linux Policy for the useradd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux useradd policy is very flexible allowing users to setup their useradd processes in as secure a method as possible.
++.PP 
++The following file types are defined for useradd:
++
++
++.EX
++.PP
++.B useradd_exec_t 
++.EE
++
++- Set files with the useradd_exec_t type, if you want to transition an executable to the useradd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux useradd policy is very flexible allowing users to setup their useradd processes in as secure a method as possible.
++.PP 
++The following process types are defined for useradd:
++
++.EX
++.B useradd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), useradd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/usernetctl_selinux.8 b/man/man8/usernetctl_selinux.8
+new file mode 100644
+index 0000000..8789d75
+--- /dev/null
++++ b/man/man8/usernetctl_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "usernetctl_selinux"  "8"  "usernetctl" "dwalsh at redhat.com" "usernetctl SELinux Policy documentation"
++.SH "NAME"
++usernetctl_selinux \- Security Enhanced Linux Policy for the usernetctl processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B usernetctl
++(User network interface configuration helper)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux usernetctl policy is very flexible allowing users to setup their usernetctl processes in as secure a method as possible.
++.PP 
++The following file types are defined for usernetctl:
++
++
++.EX
++.PP
++.B usernetctl_exec_t 
++.EE
++
++- Set files with the usernetctl_exec_t type, if you want to transition an executable to the usernetctl_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux usernetctl policy is very flexible allowing users to setup their usernetctl processes in as secure a method as possible.
++.PP 
++The following process types are defined for usernetctl:
++
++.EX
++.B usernetctl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), usernetctl(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/utempter_selinux.8 b/man/man8/utempter_selinux.8
+new file mode 100644
+index 0000000..a311394
+--- /dev/null
++++ b/man/man8/utempter_selinux.8
+@@ -0,0 +1,71 @@
++.TH  "utempter_selinux"  "8"  "utempter" "dwalsh at redhat.com" "utempter SELinux Policy documentation"
++.SH "NAME"
++utempter_selinux \- Security Enhanced Linux Policy for the utempter processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux utempter policy is very flexible allowing users to setup their utempter processes in as secure a method as possible.
++.PP 
++The following file types are defined for utempter:
++
++
++.EX
++.PP
++.B utempter_exec_t 
++.EE
++
++- Set files with the utempter_exec_t type, if you want to transition an executable to the utempter_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux utempter policy is very flexible allowing users to setup their utempter processes in as secure a method as possible.
++.PP 
++The following process types are defined for utempter:
++
++.EX
++.B utempter_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), utempter(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/uucpd_selinux.8 b/man/man8/uucpd_selinux.8
+new file mode 100644
+index 0000000..10de0a8
+--- /dev/null
++++ b/man/man8/uucpd_selinux.8
+@@ -0,0 +1,157 @@
++.TH  "uucpd_selinux"  "8"  "uucpd" "dwalsh at redhat.com" "uucpd SELinux Policy documentation"
++.SH "NAME"
++uucpd_selinux \- Security Enhanced Linux Policy for the uucpd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible.
++.PP 
++The following file types are defined for uucpd:
++
++
++.EX
++.PP
++.B uucpd_exec_t 
++.EE
++
++- Set files with the uucpd_exec_t type, if you want to transition an executable to the uucpd_t domain.
++
++
++.EX
++.PP
++.B uucpd_lock_t 
++.EE
++
++- Set files with the uucpd_lock_t type, if you want to treat the files as uucpd lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B uucpd_log_t 
++.EE
++
++- Set files with the uucpd_log_t type, if you want to treat the data as uucpd log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B uucpd_ro_t 
++.EE
++
++- Set files with the uucpd_ro_t type, if you want to treat the files as uucpd read/only content.
++
++
++.EX
++.PP
++.B uucpd_rw_t 
++.EE
++
++- Set files with the uucpd_rw_t type, if you want to treat the files as uucpd read/write content.
++
++
++.EX
++.PP
++.B uucpd_spool_t 
++.EE
++
++- Set files with the uucpd_spool_t type, if you want to store the uucpd files under the /var/spool directory.
++
++.br
++.TP 5
++Paths: 
++/var/spool/uucppublic(/.*)?, /var/spool/uucp(/.*)?
++
++.EX
++.PP
++.B uucpd_tmp_t 
++.EE
++
++- Set files with the uucpd_tmp_t type, if you want to store uucpd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B uucpd_var_run_t 
++.EE
++
++- Set files with the uucpd_var_run_t type, if you want to store the uucpd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible.
++.PP 
++The following port types are defined for uucpd:
++
++.EX
++.TP 5
++.B uucpd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for uucpd:
++
++.EX
++.B uucpd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), uucpd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/uuidd_selinux.8 b/man/man8/uuidd_selinux.8
+new file mode 100644
+index 0000000..82a5e37
+--- /dev/null
++++ b/man/man8/uuidd_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "uuidd_selinux"  "8"  "uuidd" "dwalsh at redhat.com" "uuidd SELinux Policy documentation"
++.SH "NAME"
++uuidd_selinux \- Security Enhanced Linux Policy for the uuidd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B uuidd
++(policy for uuidd)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux uuidd policy is very flexible allowing users to setup their uuidd processes in as secure a method as possible.
++.PP 
++The following file types are defined for uuidd:
++
++
++.EX
++.PP
++.B uuidd_exec_t 
++.EE
++
++- Set files with the uuidd_exec_t type, if you want to transition an executable to the uuidd_t domain.
++
++
++.EX
++.PP
++.B uuidd_initrc_exec_t 
++.EE
++
++- Set files with the uuidd_initrc_exec_t type, if you want to transition an executable to the uuidd_initrc_t domain.
++
++
++.EX
++.PP
++.B uuidd_var_lib_t 
++.EE
++
++- Set files with the uuidd_var_lib_t type, if you want to store the uuidd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B uuidd_var_run_t 
++.EE
++
++- Set files with the uuidd_var_run_t type, if you want to store the uuidd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux uuidd policy is very flexible allowing users to setup their uuidd processes in as secure a method as possible.
++.PP 
++The following process types are defined for uuidd:
++
++.EX
++.B uuidd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), uuidd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/uux_selinux.8 b/man/man8/uux_selinux.8
+new file mode 100644
+index 0000000..c1913bf
+--- /dev/null
++++ b/man/man8/uux_selinux.8
+@@ -0,0 +1,71 @@
++.TH  "uux_selinux"  "8"  "uux" "dwalsh at redhat.com" "uux SELinux Policy documentation"
++.SH "NAME"
++uux_selinux \- Security Enhanced Linux Policy for the uux processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux uux policy is very flexible allowing users to setup their uux processes in as secure a method as possible.
++.PP 
++The following file types are defined for uux:
++
++
++.EX
++.PP
++.B uux_exec_t 
++.EE
++
++- Set files with the uux_exec_t type, if you want to transition an executable to the uux_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux uux policy is very flexible allowing users to setup their uux processes in as secure a method as possible.
++.PP 
++The following process types are defined for uux:
++
++.EX
++.B uux_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), uux(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/varnishd_selinux.8 b/man/man8/varnishd_selinux.8
+new file mode 100644
+index 0000000..97d1ed5
+--- /dev/null
++++ b/man/man8/varnishd_selinux.8
+@@ -0,0 +1,158 @@
++.TH  "varnishd_selinux"  "8"  "varnishd" "dwalsh at redhat.com" "varnishd SELinux Policy documentation"
++.SH "NAME"
++varnishd_selinux \- Security Enhanced Linux Policy for the varnishd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B varnishd
++(Varnishd http accelerator daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  varnishd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run varnishd with the tightest access possible.
++
++
++.PP
++If you want to allow varnishd to connect to all ports, not just HTTP, you must turn on the varnishd_connect_any boolean.
++
++.EX
++.B setsebool -P varnishd_connect_any 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible.
++.PP 
++The following file types are defined for varnishd:
++
++
++.EX
++.PP
++.B varnishd_etc_t 
++.EE
++
++- Set files with the varnishd_etc_t type, if you want to store varnishd files in the /etc directories.
++
++
++.EX
++.PP
++.B varnishd_exec_t 
++.EE
++
++- Set files with the varnishd_exec_t type, if you want to transition an executable to the varnishd_t domain.
++
++
++.EX
++.PP
++.B varnishd_initrc_exec_t 
++.EE
++
++- Set files with the varnishd_initrc_exec_t type, if you want to transition an executable to the varnishd_initrc_t domain.
++
++
++.EX
++.PP
++.B varnishd_tmp_t 
++.EE
++
++- Set files with the varnishd_tmp_t type, if you want to store varnishd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B varnishd_var_lib_t 
++.EE
++
++- Set files with the varnishd_var_lib_t type, if you want to store the varnishd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B varnishd_var_run_t 
++.EE
++
++- Set files with the varnishd_var_run_t type, if you want to store the varnishd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible.
++.PP 
++The following port types are defined for varnishd:
++
++.EX
++.TP 5
++.B varnishd_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible.
++.PP 
++The following process types are defined for varnishd:
++
++.EX
++.B varnishd_t, varnishlog_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), varnishd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/varnishlog_selinux.8 b/man/man8/varnishlog_selinux.8
+new file mode 100644
+index 0000000..a761366
+--- /dev/null
++++ b/man/man8/varnishlog_selinux.8
+@@ -0,0 +1,107 @@
++.TH  "varnishlog_selinux"  "8"  "varnishlog" "dwalsh at redhat.com" "varnishlog SELinux Policy documentation"
++.SH "NAME"
++varnishlog_selinux \- Security Enhanced Linux Policy for the varnishlog processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux varnishlog policy is very flexible allowing users to setup their varnishlog processes in as secure a method as possible.
++.PP 
++The following file types are defined for varnishlog:
++
++
++.EX
++.PP
++.B varnishlog_exec_t 
++.EE
++
++- Set files with the varnishlog_exec_t type, if you want to transition an executable to the varnishlog_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/varnisncsa, /usr/bin/varnishlog
++
++.EX
++.PP
++.B varnishlog_initrc_exec_t 
++.EE
++
++- Set files with the varnishlog_initrc_exec_t type, if you want to transition an executable to the varnishlog_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/varnishlog, /etc/rc\.d/init\.d/varnishncsa
++
++.EX
++.PP
++.B varnishlog_log_t 
++.EE
++
++- Set files with the varnishlog_log_t type, if you want to treat the data as varnishlog log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B varnishlog_var_run_t 
++.EE
++
++- Set files with the varnishlog_var_run_t type, if you want to store the varnishlog files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/varnishncsa\.pid, /var/run/varnishlog\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux varnishlog policy is very flexible allowing users to setup their varnishlog processes in as secure a method as possible.
++.PP 
++The following process types are defined for varnishlog:
++
++.EX
++.B varnishlog_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), varnishlog(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/vbetool_selinux.8 b/man/man8/vbetool_selinux.8
+new file mode 100644
+index 0000000..690e094
+--- /dev/null
++++ b/man/man8/vbetool_selinux.8
+@@ -0,0 +1,92 @@
++.TH  "vbetool_selinux"  "8"  "vbetool" "dwalsh at redhat.com" "vbetool SELinux Policy documentation"
++.SH "NAME"
++vbetool_selinux \- Security Enhanced Linux Policy for the vbetool processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B vbetool
++(run real-mode video BIOS code to alter hardware state)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  vbetool policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vbetool with the tightest access possible.
++
++
++.PP
++If you want to ignore vbetool mmap_zero errors, you must turn on the vbetool_mmap_zero_ignore boolean.
++
++.EX
++.B setsebool -P vbetool_mmap_zero_ignore 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux vbetool policy is very flexible allowing users to setup their vbetool processes in as secure a method as possible.
++.PP 
++The following file types are defined for vbetool:
++
++
++.EX
++.PP
++.B vbetool_exec_t 
++.EE
++
++- Set files with the vbetool_exec_t type, if you want to transition an executable to the vbetool_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vbetool policy is very flexible allowing users to setup their vbetool processes in as secure a method as possible.
++.PP 
++The following process types are defined for vbetool:
++
++.EX
++.B vbetool_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), vbetool(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/vdagent_selinux.8 b/man/man8/vdagent_selinux.8
+new file mode 100644
+index 0000000..ef8444d
+--- /dev/null
++++ b/man/man8/vdagent_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "vdagent_selinux"  "8"  "vdagent" "dwalsh at redhat.com" "vdagent SELinux Policy documentation"
++.SH "NAME"
++vdagent_selinux \- Security Enhanced Linux Policy for the vdagent processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B vdagent
++(policy for vdagent)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux vdagent policy is very flexible allowing users to setup their vdagent processes in as secure a method as possible.
++.PP 
++The following file types are defined for vdagent:
++
++
++.EX
++.PP
++.B vdagent_exec_t 
++.EE
++
++- Set files with the vdagent_exec_t type, if you want to transition an executable to the vdagent_t domain.
++
++
++.EX
++.PP
++.B vdagent_log_t 
++.EE
++
++- Set files with the vdagent_log_t type, if you want to treat the data as vdagent log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/spice-vdagentd(/.*)?, /var/log/spice-vdagentd\.log
++
++.EX
++.PP
++.B vdagent_var_run_t 
++.EE
++
++- Set files with the vdagent_var_run_t type, if you want to store the vdagent files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/spice-vdagentd.\pid, /var/run/spice-vdagentd(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vdagent policy is very flexible allowing users to setup their vdagent processes in as secure a method as possible.
++.PP 
++The following process types are defined for vdagent:
++
++.EX
++.B vdagent_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), vdagent(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/vhostmd_selinux.8 b/man/man8/vhostmd_selinux.8
+new file mode 100644
+index 0000000..1800dc6
+--- /dev/null
++++ b/man/man8/vhostmd_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "vhostmd_selinux"  "8"  "vhostmd" "dwalsh at redhat.com" "vhostmd SELinux Policy documentation"
++.SH "NAME"
++vhostmd_selinux \- Security Enhanced Linux Policy for the vhostmd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B vhostmd
++(Virtual host metrics daemon)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux vhostmd policy is very flexible allowing users to setup their vhostmd processes in as secure a method as possible.
++.PP 
++The following file types are defined for vhostmd:
++
++
++.EX
++.PP
++.B vhostmd_exec_t 
++.EE
++
++- Set files with the vhostmd_exec_t type, if you want to transition an executable to the vhostmd_t domain.
++
++
++.EX
++.PP
++.B vhostmd_initrc_exec_t 
++.EE
++
++- Set files with the vhostmd_initrc_exec_t type, if you want to transition an executable to the vhostmd_initrc_t domain.
++
++
++.EX
++.PP
++.B vhostmd_tmpfs_t 
++.EE
++
++- Set files with the vhostmd_tmpfs_t type, if you want to store vhostmd files on a tmpfs file system.
++
++
++.EX
++.PP
++.B vhostmd_var_run_t 
++.EE
++
++- Set files with the vhostmd_var_run_t type, if you want to store the vhostmd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vhostmd policy is very flexible allowing users to setup their vhostmd processes in as secure a method as possible.
++.PP 
++The following process types are defined for vhostmd:
++
++.EX
++.B vhostmd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), vhostmd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/virsh_selinux.8 b/man/man8/virsh_selinux.8
+new file mode 100644
+index 0000000..97dc9a2
+--- /dev/null
++++ b/man/man8/virsh_selinux.8
+@@ -0,0 +1,71 @@
++.TH  "virsh_selinux"  "8"  "virsh" "dwalsh at redhat.com" "virsh SELinux Policy documentation"
++.SH "NAME"
++virsh_selinux \- Security Enhanced Linux Policy for the virsh processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux virsh policy is very flexible allowing users to setup their virsh processes in as secure a method as possible.
++.PP 
++The following file types are defined for virsh:
++
++
++.EX
++.PP
++.B virsh_exec_t 
++.EE
++
++- Set files with the virsh_exec_t type, if you want to transition an executable to the virsh_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux virsh policy is very flexible allowing users to setup their virsh processes in as secure a method as possible.
++.PP 
++The following process types are defined for virsh:
++
++.EX
++.B virsh_ssh_t, virsh_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), virsh(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/virt_selinux.8 b/man/man8/virt_selinux.8
+new file mode 100644
+index 0000000..bc4a520
+--- /dev/null
++++ b/man/man8/virt_selinux.8
+@@ -0,0 +1,349 @@
++.TH  "virt_selinux"  "8"  "virt" "dwalsh at redhat.com" "virt SELinux Policy documentation"
++.SH "NAME"
++virt_selinux \- Security Enhanced Linux Policy for the virt processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B virt
++(Libvirt virtualization API)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  virt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virt with the tightest access possible.
++
++
++.PP
++If you want to allow confined virtual guests to read fuse file, you must turn on the virt_use_fusefs boolean.
++
++.EX
++.B setsebool -P virt_use_fusefs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage nfs file, you must turn on the virt_use_nfs boolean.
++
++.EX
++.B setsebool -P virt_use_nfs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use serial/parallel communication port, you must turn on the virt_use_comm boolean.
++
++.EX
++.B setsebool -P virt_use_comm 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the xserve, you must turn on the virt_use_xserver boolean.
++
++.EX
++.B setsebool -P virt_use_xserver 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage device configuration, (pci, you must turn on the virt_use_sysfs boolean.
++
++.EX
++.B setsebool -P virt_use_sysfs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use executable memory and executable stac, you must turn on the virt_use_execmem boolean.
++
++.EX
++.B setsebool -P virt_use_execmem 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the sanloc, you must turn on the virt_use_sanlock boolean.
++
++.EX
++.B setsebool -P virt_use_sanlock 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use usb device, you must turn on the virt_use_usb boolean.
++
++.EX
++.B setsebool -P virt_use_usb 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage cifs file, you must turn on the virt_use_samba boolean.
++
++.EX
++.B setsebool -P virt_use_samba 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux virt policy is very flexible allowing users to setup their virt processes in as secure a method as possible.
++.PP 
++The following file types are defined for virt:
++
++
++.EX
++.PP
++.B virt_bridgehelper_exec_t 
++.EE
++
++- Set files with the virt_bridgehelper_exec_t type, if you want to transition an executable to the virt_bridgehelper_t domain.
++
++
++.EX
++.PP
++.B virt_cache_t 
++.EE
++
++- Set files with the virt_cache_t type, if you want to store the files under the /var/cache directory.
++
++.br
++.TP 5
++Paths: 
++/var/cache/oz(/.*)?, /var/cache/libvirt(/.*)?
++
++.EX
++.PP
++.B virt_content_t 
++.EE
++
++- Set files with the virt_content_t type, if you want to treat the files as virt content.
++
++.br
++.TP 5
++Paths: 
++/var/lib/vdsm(/.*)?, /var/lib/oz/isos(/.*)?, /var/lib/libvirt/boot(/.*)?, /var/lib/libvirt/isos(/.*)?
++
++.EX
++.PP
++.B virt_etc_rw_t 
++.EE
++
++- Set files with the virt_etc_rw_t type, if you want to treat the files as virt etc read/write content.
++
++.br
++.TP 5
++Paths: 
++/etc/libvirt/.*/.*, /etc/xen/.*/.*, /etc/xen/[^/]*, /etc/libvirt/[^/]*
++
++.EX
++.PP
++.B virt_etc_t 
++.EE
++
++- Set files with the virt_etc_t type, if you want to store virt files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/libvirt/[^/]*, /etc/libvirt, /etc/xen/[^/]*, /etc/xen
++
++.EX
++.PP
++.B virt_home_t 
++.EE
++
++- Set files with the virt_home_t type, if you want to store virt files in the users home directory.
++
++
++.EX
++.PP
++.B virt_image_t 
++.EE
++
++- Set files with the virt_image_t type, if you want to treat the files as virt image data.
++
++.br
++.TP 5
++Paths: 
++/var/lib/imagefactory/images(/.*)?, /var/lib/libvirt/images(/.*)?
++
++.EX
++.PP
++.B virt_log_t 
++.EE
++
++- Set files with the virt_log_t type, if you want to treat the data as virt log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/log(/.*)?, /var/log/vdsm(/.*)?, /var/log/libvirt(/.*)?
++
++.EX
++.PP
++.B virt_qmf_exec_t 
++.EE
++
++- Set files with the virt_qmf_exec_t type, if you want to transition an executable to the virt_qmf_t domain.
++
++
++.EX
++.PP
++.B virt_tmp_t 
++.EE
++
++- Set files with the virt_tmp_t type, if you want to store virt temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B virt_var_lib_t 
++.EE
++
++- Set files with the virt_var_lib_t type, if you want to store the virt files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/oz(/.*)?, /var/lib/libvirt(/.*)?
++
++.EX
++.PP
++.B virt_var_run_t 
++.EE
++
++- Set files with the virt_var_run_t type, if you want to store the virt files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/vdsm(/.*)?, /var/vdsm(/.*)?, /var/run/libvirt(/.*)?
++
++.EX
++.PP
++.B virtd_exec_t 
++.EE
++
++- Set files with the virtd_exec_t type, if you want to transition an executable to the virtd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/imgfac\.py, /usr/bin/nova-compute, /usr/sbin/libvirtd
++
++.EX
++.PP
++.B virtd_initrc_exec_t 
++.EE
++
++- Set files with the virtd_initrc_exec_t type, if you want to transition an executable to the virtd_initrc_t domain.
++
++
++.EX
++.PP
++.B virtd_keytab_t 
++.EE
++
++- Set files with the virtd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B virtd_lxc_exec_t 
++.EE
++
++- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain.
++
++
++.EX
++.PP
++.B virtd_lxc_var_run_t 
++.EE
++
++- Set files with the virtd_lxc_var_run_t type, if you want to store the virtd lxc files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux virt policy is very flexible allowing users to setup their virt processes in as secure a method as possible.
++.PP 
++The following port types are defined for virt:
++
++.EX
++.TP 5
++.B virt_migration_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B virt_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux virt policy is very flexible allowing users to setup their virt processes in as secure a method as possible.
++.PP 
++The following process types are defined for virt:
++
++.EX
++.B virtd_lxc_t, virt_qmf_t, virt_bridgehelper_t, virtd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), virt(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/virtd_selinux.8 b/man/man8/virtd_selinux.8
+new file mode 100644
+index 0000000..40dfb33
+--- /dev/null
++++ b/man/man8/virtd_selinux.8
+@@ -0,0 +1,343 @@
++.TH  "virtd_selinux"  "8"  "virtd" "dwalsh at redhat.com" "virtd SELinux Policy documentation"
++.SH "NAME"
++virtd_selinux \- Security Enhanced Linux Policy for the virtd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  virtd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virtd with the tightest access possible.
++
++
++.PP
++If you want to allow confined virtual guests to read fuse file, you must turn on the virt_use_fusefs boolean.
++
++.EX
++.B setsebool -P virt_use_fusefs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage nfs file, you must turn on the virt_use_nfs boolean.
++
++.EX
++.B setsebool -P virt_use_nfs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use serial/parallel communication port, you must turn on the virt_use_comm boolean.
++
++.EX
++.B setsebool -P virt_use_comm 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the xserve, you must turn on the virt_use_xserver boolean.
++
++.EX
++.B setsebool -P virt_use_xserver 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage device configuration, (pci, you must turn on the virt_use_sysfs boolean.
++
++.EX
++.B setsebool -P virt_use_sysfs 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use executable memory and executable stac, you must turn on the virt_use_execmem boolean.
++
++.EX
++.B setsebool -P virt_use_execmem 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to interact with the sanloc, you must turn on the virt_use_sanlock boolean.
++
++.EX
++.B setsebool -P virt_use_sanlock 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to use usb device, you must turn on the virt_use_usb boolean.
++
++.EX
++.B setsebool -P virt_use_usb 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage cifs file, you must turn on the virt_use_samba boolean.
++
++.EX
++.B setsebool -P virt_use_samba 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible.
++.PP 
++The following file types are defined for virtd:
++
++
++.EX
++.PP
++.B virt_bridgehelper_exec_t 
++.EE
++
++- Set files with the virt_bridgehelper_exec_t type, if you want to transition an executable to the virt_bridgehelper_t domain.
++
++
++.EX
++.PP
++.B virt_cache_t 
++.EE
++
++- Set files with the virt_cache_t type, if you want to store the files under the /var/cache directory.
++
++.br
++.TP 5
++Paths: 
++/var/cache/oz(/.*)?, /var/cache/libvirt(/.*)?
++
++.EX
++.PP
++.B virt_content_t 
++.EE
++
++- Set files with the virt_content_t type, if you want to treat the files as virt content.
++
++.br
++.TP 5
++Paths: 
++/var/lib/vdsm(/.*)?, /var/lib/oz/isos(/.*)?, /var/lib/libvirt/boot(/.*)?, /var/lib/libvirt/isos(/.*)?
++
++.EX
++.PP
++.B virt_etc_rw_t 
++.EE
++
++- Set files with the virt_etc_rw_t type, if you want to treat the files as virt etc read/write content.
++
++.br
++.TP 5
++Paths: 
++/etc/libvirt/.*/.*, /etc/xen/.*/.*, /etc/xen/[^/]*, /etc/libvirt/[^/]*
++
++.EX
++.PP
++.B virt_etc_t 
++.EE
++
++- Set files with the virt_etc_t type, if you want to store virt files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/libvirt/[^/]*, /etc/libvirt, /etc/xen/[^/]*, /etc/xen
++
++.EX
++.PP
++.B virt_home_t 
++.EE
++
++- Set files with the virt_home_t type, if you want to store virt files in the users home directory.
++
++
++.EX
++.PP
++.B virt_image_t 
++.EE
++
++- Set files with the virt_image_t type, if you want to treat the files as virt image data.
++
++.br
++.TP 5
++Paths: 
++/var/lib/imagefactory/images(/.*)?, /var/lib/libvirt/images(/.*)?
++
++.EX
++.PP
++.B virt_log_t 
++.EE
++
++- Set files with the virt_log_t type, if you want to treat the data as virt log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/log(/.*)?, /var/log/vdsm(/.*)?, /var/log/libvirt(/.*)?
++
++.EX
++.PP
++.B virt_qmf_exec_t 
++.EE
++
++- Set files with the virt_qmf_exec_t type, if you want to transition an executable to the virt_qmf_t domain.
++
++
++.EX
++.PP
++.B virt_tmp_t 
++.EE
++
++- Set files with the virt_tmp_t type, if you want to store virt temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B virt_var_lib_t 
++.EE
++
++- Set files with the virt_var_lib_t type, if you want to store the virt files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/oz(/.*)?, /var/lib/libvirt(/.*)?
++
++.EX
++.PP
++.B virt_var_run_t 
++.EE
++
++- Set files with the virt_var_run_t type, if you want to store the virt files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/vdsm(/.*)?, /var/vdsm(/.*)?, /var/run/libvirt(/.*)?
++
++.EX
++.PP
++.B virtd_exec_t 
++.EE
++
++- Set files with the virtd_exec_t type, if you want to transition an executable to the virtd_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/imgfac\.py, /usr/bin/nova-compute, /usr/sbin/libvirtd
++
++.EX
++.PP
++.B virtd_initrc_exec_t 
++.EE
++
++- Set files with the virtd_initrc_exec_t type, if you want to transition an executable to the virtd_initrc_t domain.
++
++
++.EX
++.PP
++.B virtd_keytab_t 
++.EE
++
++- Set files with the virtd_keytab_t type, if you want to treat the files as kerberos keytab files.
++
++
++.EX
++.PP
++.B virtd_lxc_exec_t 
++.EE
++
++- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain.
++
++
++.EX
++.PP
++.B virtd_lxc_var_run_t 
++.EE
++
++- Set files with the virtd_lxc_var_run_t type, if you want to store the virtd lxc files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible.
++.PP 
++The following port types are defined for virtd:
++
++.EX
++.TP 5
++.B virt_migration_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B virt_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible.
++.PP 
++The following process types are defined for virtd:
++
++.EX
++.B virtd_lxc_t, virt_qmf_t, virt_bridgehelper_t, virtd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), virtd(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/vlock_selinux.8 b/man/man8/vlock_selinux.8
+new file mode 100644
+index 0000000..c8e2a9e
+--- /dev/null
++++ b/man/man8/vlock_selinux.8
+@@ -0,0 +1,77 @@
++.TH  "vlock_selinux"  "8"  "vlock" "dwalsh at redhat.com" "vlock SELinux Policy documentation"
++.SH "NAME"
++vlock_selinux \- Security Enhanced Linux Policy for the vlock processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B vlock
++(Lock one or more sessions on the Linux console)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux vlock policy is very flexible allowing users to setup their vlock processes in as secure a method as possible.
++.PP 
++The following file types are defined for vlock:
++
++
++.EX
++.PP
++.B vlock_exec_t 
++.EE
++
++- Set files with the vlock_exec_t type, if you want to transition an executable to the vlock_t domain.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vlock policy is very flexible allowing users to setup their vlock processes in as secure a method as possible.
++.PP 
++The following process types are defined for vlock:
++
++.EX
++.B vlock_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), vlock(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/vmware_selinux.8 b/man/man8/vmware_selinux.8
+new file mode 100644
+index 0000000..735cd42
+--- /dev/null
++++ b/man/man8/vmware_selinux.8
+@@ -0,0 +1,173 @@
++.TH  "vmware_selinux"  "8"  "vmware" "dwalsh at redhat.com" "vmware SELinux Policy documentation"
++.SH "NAME"
++vmware_selinux \- Security Enhanced Linux Policy for the vmware processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B vmware
++(VMWare Workstation virtual machines)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux vmware policy is very flexible allowing users to setup their vmware processes in as secure a method as possible.
++.PP 
++The following file types are defined for vmware:
++
++
++.EX
++.PP
++.B vmware_conf_t 
++.EE
++
++- Set files with the vmware_conf_t type, if you want to treat the files as vmware configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B vmware_exec_t 
++.EE
++
++- Set files with the vmware_exec_t type, if you want to transition an executable to the vmware_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/vmware-serverd, /usr/lib/vmware/bin/vmware-mks, /usr/lib/vmware/bin/vmplayer, /usr/bin/vmware-ping, /usr/lib/vmware/bin/vmware-ui, /usr/bin/vmware, /usr/bin/vmware-wizard
++
++.EX
++.PP
++.B vmware_file_t 
++.EE
++
++- Set files with the vmware_file_t type, if you want to treat the files as vmware content.
++
++
++.EX
++.PP
++.B vmware_host_exec_t 
++.EE
++
++- Set files with the vmware_host_exec_t type, if you want to transition an executable to the vmware_host_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/vmware-smbpasswd\.bin, /usr/bin/vmware-smbd, /usr/lib/vmware-tools/sbin64/vmware.*, /usr/bin/vmnet-dhcpd, /usr/bin/vmnet-bridge, /usr/bin/vmware-nmbd, /usr/bin/vmnet-netifup, /usr/sbin/vmware-guest.*, /usr/lib/vmware/bin/vmware-vmx, /usr/bin/vmnet-natd, /usr/bin/vmware-vmx, /usr/bin/vmware-network, /usr/bin/vmnet-sniffer, /usr/bin/vmware-smbpasswd, /usr/lib/vmware-tools/sbin32/vmware.*
++
++.EX
++.PP
++.B vmware_host_pid_t 
++.EE
++
++- Set files with the vmware_host_pid_t type, if you want to store the vmware host files under the /run directory.
++
++
++.EX
++.PP
++.B vmware_host_tmp_t 
++.EE
++
++- Set files with the vmware_host_tmp_t type, if you want to store vmware host temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B vmware_log_t 
++.EE
++
++- Set files with the vmware_log_t type, if you want to treat the data as vmware log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/vmware.*, /var/log/vnetlib.*
++
++.EX
++.PP
++.B vmware_pid_t 
++.EE
++
++- Set files with the vmware_pid_t type, if you want to store the vmware files under the /run directory.
++
++
++.EX
++.PP
++.B vmware_sys_conf_t 
++.EE
++
++- Set files with the vmware_sys_conf_t type, if you want to treat the files as vmware sys configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/vmware/config, /etc/vmware.*(/.*)?
++
++.EX
++.PP
++.B vmware_tmp_t 
++.EE
++
++- Set files with the vmware_tmp_t type, if you want to store vmware temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B vmware_tmpfs_t 
++.EE
++
++- Set files with the vmware_tmpfs_t type, if you want to store vmware files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vmware policy is very flexible allowing users to setup their vmware processes in as secure a method as possible.
++.PP 
++The following process types are defined for vmware:
++
++.EX
++.B vmware_t, vmware_host_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), vmware(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/vnstat_selinux.8 b/man/man8/vnstat_selinux.8
+new file mode 100644
+index 0000000..254d3d4
+--- /dev/null
++++ b/man/man8/vnstat_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "vnstat_selinux"  "8"  "vnstat" "dwalsh at redhat.com" "vnstat SELinux Policy documentation"
++.SH "NAME"
++vnstat_selinux \- Security Enhanced Linux Policy for the vnstat processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux vnstat policy is very flexible allowing users to setup their vnstat processes in as secure a method as possible.
++.PP 
++The following file types are defined for vnstat:
++
++
++.EX
++.PP
++.B vnstat_exec_t 
++.EE
++
++- Set files with the vnstat_exec_t type, if you want to transition an executable to the vnstat_t domain.
++
++
++.EX
++.PP
++.B vnstatd_exec_t 
++.EE
++
++- Set files with the vnstatd_exec_t type, if you want to transition an executable to the vnstatd_t domain.
++
++
++.EX
++.PP
++.B vnstatd_var_lib_t 
++.EE
++
++- Set files with the vnstatd_var_lib_t type, if you want to store the vnstatd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B vnstatd_var_run_t 
++.EE
++
++- Set files with the vnstatd_var_run_t type, if you want to store the vnstatd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vnstat policy is very flexible allowing users to setup their vnstat processes in as secure a method as possible.
++.PP 
++The following process types are defined for vnstat:
++
++.EX
++.B vnstat_t, vnstatd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), vnstat(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/vnstatd_selinux.8 b/man/man8/vnstatd_selinux.8
+new file mode 100644
+index 0000000..1589eb8
+--- /dev/null
++++ b/man/man8/vnstatd_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "vnstatd_selinux"  "8"  "vnstatd" "dwalsh at redhat.com" "vnstatd SELinux Policy documentation"
++.SH "NAME"
++vnstatd_selinux \- Security Enhanced Linux Policy for the vnstatd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B vnstatd
++(Console network traffic monitor)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux vnstatd policy is very flexible allowing users to setup their vnstatd processes in as secure a method as possible.
++.PP 
++The following file types are defined for vnstatd:
++
++
++.EX
++.PP
++.B vnstat_exec_t 
++.EE
++
++- Set files with the vnstat_exec_t type, if you want to transition an executable to the vnstat_t domain.
++
++
++.EX
++.PP
++.B vnstatd_exec_t 
++.EE
++
++- Set files with the vnstatd_exec_t type, if you want to transition an executable to the vnstatd_t domain.
++
++
++.EX
++.PP
++.B vnstatd_var_lib_t 
++.EE
++
++- Set files with the vnstatd_var_lib_t type, if you want to store the vnstatd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B vnstatd_var_run_t 
++.EE
++
++- Set files with the vnstatd_var_run_t type, if you want to store the vnstatd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vnstatd policy is very flexible allowing users to setup their vnstatd processes in as secure a method as possible.
++.PP 
++The following process types are defined for vnstatd:
++
++.EX
++.B vnstat_t, vnstatd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), vnstatd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/vpnc_selinux.8 b/man/man8/vpnc_selinux.8
+new file mode 100644
+index 0000000..41a5246
+--- /dev/null
++++ b/man/man8/vpnc_selinux.8
+@@ -0,0 +1,91 @@
++.TH  "vpnc_selinux"  "8"  "vpnc" "dwalsh at redhat.com" "vpnc SELinux Policy documentation"
++.SH "NAME"
++vpnc_selinux \- Security Enhanced Linux Policy for the vpnc processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible.
++.PP 
++The following file types are defined for vpnc:
++
++
++.EX
++.PP
++.B vpnc_exec_t 
++.EE
++
++- Set files with the vpnc_exec_t type, if you want to transition an executable to the vpnc_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/vpnc, /usr/bin/openconnect, /sbin/vpnc
++
++.EX
++.PP
++.B vpnc_tmp_t 
++.EE
++
++- Set files with the vpnc_tmp_t type, if you want to store vpnc temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B vpnc_var_run_t 
++.EE
++
++- Set files with the vpnc_var_run_t type, if you want to store the vpnc files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible.
++.PP 
++The following process types are defined for vpnc:
++
++.EX
++.B vpnc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), vpnc(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/wdmd_selinux.8 b/man/man8/wdmd_selinux.8
+new file mode 100644
+index 0000000..a060bdb
+--- /dev/null
++++ b/man/man8/wdmd_selinux.8
+@@ -0,0 +1,93 @@
++.TH  "wdmd_selinux"  "8"  "wdmd" "dwalsh at redhat.com" "wdmd SELinux Policy documentation"
++.SH "NAME"
++wdmd_selinux \- Security Enhanced Linux Policy for the wdmd processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B wdmd
++(policy for wdmd)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux wdmd policy is very flexible allowing users to setup their wdmd processes in as secure a method as possible.
++.PP 
++The following file types are defined for wdmd:
++
++
++.EX
++.PP
++.B wdmd_exec_t 
++.EE
++
++- Set files with the wdmd_exec_t type, if you want to transition an executable to the wdmd_t domain.
++
++
++.EX
++.PP
++.B wdmd_initrc_exec_t 
++.EE
++
++- Set files with the wdmd_initrc_exec_t type, if you want to transition an executable to the wdmd_initrc_t domain.
++
++
++.EX
++.PP
++.B wdmd_var_run_t 
++.EE
++
++- Set files with the wdmd_var_run_t type, if you want to store the wdmd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux wdmd policy is very flexible allowing users to setup their wdmd processes in as secure a method as possible.
++.PP 
++The following process types are defined for wdmd:
++
++.EX
++.B wdmd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), wdmd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/webadm_selinux.8 b/man/man8/webadm_selinux.8
+new file mode 100644
+index 0000000..072a0c0
+--- /dev/null
++++ b/man/man8/webadm_selinux.8
+@@ -0,0 +1,65 @@
++.TH  "webadm_selinux"  "8"  "webadm" "mgrepl at redhat.com" "webadm SELinux Policy documentation"
++.SH "NAME"
++webadm_r \- \fBWeb administrator role\fP - Security Enhanced Linux Policy 
++
++.SH DESCRIPTION
++
++SELinux supports Roles Based Access Control, some Linux roles are login roles, while other roles need to be transition to. 
++
++Note: The examples in the man page will user the staff_u user.
++
++Non login roles are usually used for administrative tasks.
++
++Roles usually have default types assigned to them. 
++
++The default type for the webadm_r role is webadm_t.
++
++You can use the 
++.B newrole 
++program to transition directly to this role.
++
++.B newrole -r webadm_r -t webadm_t
++
++.B sudo 
++can also be setup to transition to this role using the visudo command.
++
++USERNAME ALL=(ALL) ROLE=webadm_r TYPE=webadm_t COMMAND
++.br
++sudo will run COMMAND as staff_u:webadm_r:webadm_t:LEVEL
++
++If you want to use a non login role, you need to make sure the SELinux user you are using can reach this role.
++
++You can see all of the assigned SELinux roles using the following
++
++.B semanage user -l
++
++If you wanted to add webadm_r to the staff_u user, you would execute:
++
++.B $ semanage user -m -R 'staff_r webadm_r' staff_u 
++
++
++
++SELinux policy also controls which roles can transition to a different role.  
++You can list these rules using the following command.
++
++.B sesearch --role_allow
++
++SELinux policy allows the staff_r role can transition to the webadm_r role.
++
++
++.SH "COMMANDS"
++
++.B semanage login
++can also be used to manipulate the Linux User to SELinux User mappings
++
++.B semanage user
++can also be used to manipulate SELinux user definitions.
++
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genuserman.py.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8).
+diff --git a/man/man8/webalizer_selinux.8 b/man/man8/webalizer_selinux.8
+new file mode 100644
+index 0000000..ba0eb02
+--- /dev/null
++++ b/man/man8/webalizer_selinux.8
+@@ -0,0 +1,117 @@
++.TH  "webalizer_selinux"  "8"  "webalizer" "dwalsh at redhat.com" "webalizer SELinux Policy documentation"
++.SH "NAME"
++webalizer_selinux \- Security Enhanced Linux Policy for the webalizer processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B webalizer
++(Web server log analysis)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux webalizer policy is very flexible allowing users to setup their webalizer processes in as secure a method as possible.
++.PP 
++The following file types are defined for webalizer:
++
++
++.EX
++.PP
++.B webalizer_etc_t 
++.EE
++
++- Set files with the webalizer_etc_t type, if you want to store webalizer files in the /etc directories.
++
++
++.EX
++.PP
++.B webalizer_exec_t 
++.EE
++
++- Set files with the webalizer_exec_t type, if you want to transition an executable to the webalizer_t domain.
++
++
++.EX
++.PP
++.B webalizer_tmp_t 
++.EE
++
++- Set files with the webalizer_tmp_t type, if you want to store webalizer temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B webalizer_usage_t 
++.EE
++
++- Set files with the webalizer_usage_t type, if you want to treat the files as webalizer usage data.
++
++
++.EX
++.PP
++.B webalizer_var_lib_t 
++.EE
++
++- Set files with the webalizer_var_lib_t type, if you want to store the webalizer files under the /var/lib directory.
++
++
++.EX
++.PP
++.B webalizer_write_t 
++.EE
++
++- Set files with the webalizer_write_t type, if you want to treat the files as webalizer read/write content.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux webalizer policy is very flexible allowing users to setup their webalizer processes in as secure a method as possible.
++.PP 
++The following process types are defined for webalizer:
++
++.EX
++.B webalizer_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), webalizer(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/winbind_selinux.8 b/man/man8/winbind_selinux.8
+new file mode 100644
+index 0000000..df63d07
+--- /dev/null
++++ b/man/man8/winbind_selinux.8
+@@ -0,0 +1,114 @@
++.TH  "winbind_selinux"  "8"  "winbind" "dwalsh at redhat.com" "winbind SELinux Policy documentation"
++.SH "NAME"
++winbind_selinux \- Security Enhanced Linux Policy for the winbind processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  winbind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run winbind with the tightest access possible.
++
++
++.PP
++If you want to allow Apache to use mod_auth_ntlm_winbin, you must turn on the allow_httpd_mod_auth_ntlm_winbind boolean.
++
++.EX
++.B setsebool -P allow_httpd_mod_auth_ntlm_winbind 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux winbind policy is very flexible allowing users to setup their winbind processes in as secure a method as possible.
++.PP 
++The following file types are defined for winbind:
++
++
++.EX
++.PP
++.B winbind_exec_t 
++.EE
++
++- Set files with the winbind_exec_t type, if you want to transition an executable to the winbind_t domain.
++
++
++.EX
++.PP
++.B winbind_helper_exec_t 
++.EE
++
++- Set files with the winbind_helper_exec_t type, if you want to transition an executable to the winbind_helper_t domain.
++
++
++.EX
++.PP
++.B winbind_log_t 
++.EE
++
++- Set files with the winbind_log_t type, if you want to treat the data as winbind log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B winbind_var_run_t 
++.EE
++
++- Set files with the winbind_var_run_t type, if you want to store the winbind files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/cache/samba/winbindd_privileged(/.*)?, /var/lib/samba/winbindd_privileged(/.*)?, /var/run/winbindd(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux winbind policy is very flexible allowing users to setup their winbind processes in as secure a method as possible.
++.PP 
++The following process types are defined for winbind:
++
++.EX
++.B winbind_helper_t, winbind_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), winbind(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/wine_selinux.8 b/man/man8/wine_selinux.8
+new file mode 100644
+index 0000000..c2107f1
+--- /dev/null
++++ b/man/man8/wine_selinux.8
+@@ -0,0 +1,104 @@
++.TH  "wine_selinux"  "8"  "wine" "dwalsh at redhat.com" "wine SELinux Policy documentation"
++.SH "NAME"
++wine_selinux \- Security Enhanced Linux Policy for the wine processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B wine
++(Wine Is Not an Emulator.  Run Windows programs in Linux)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  wine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run wine with the tightest access possible.
++
++
++.PP
++If you want to ignore wine mmap_zero errors, you must turn on the wine_mmap_zero_ignore boolean.
++
++.EX
++.B setsebool -P wine_mmap_zero_ignore 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux wine policy is very flexible allowing users to setup their wine processes in as secure a method as possible.
++.PP 
++The following file types are defined for wine:
++
++
++.EX
++.PP
++.B wine_exec_t 
++.EE
++
++- Set files with the wine_exec_t type, if you want to transition an executable to the wine_t domain.
++
++.br
++.TP 5
++Paths: 
++/opt/google/picasa(/.*)?/bin/msiexec, /usr/bin/regedit, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/regsvr32, /usr/bin/msiexec, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/teamviewer(/.*)?/bin/wine.*, /usr/bin/wine.*, /opt/google/picasa(/.*)?/bin/progman, /opt/picasa/wine/bin/wine.*, /usr/bin/notepad, /opt/cxoffice/bin/wine.*
++
++.EX
++.PP
++.B wine_tmp_t 
++.EE
++
++- Set files with the wine_tmp_t type, if you want to store wine temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux wine policy is very flexible allowing users to setup their wine processes in as secure a method as possible.
++.PP 
++The following process types are defined for wine:
++
++.EX
++.B wine_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), wine(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/wireshark_selinux.8 b/man/man8/wireshark_selinux.8
+new file mode 100644
+index 0000000..4536946
+--- /dev/null
++++ b/man/man8/wireshark_selinux.8
+@@ -0,0 +1,101 @@
++.TH  "wireshark_selinux"  "8"  "wireshark" "dwalsh at redhat.com" "wireshark SELinux Policy documentation"
++.SH "NAME"
++wireshark_selinux \- Security Enhanced Linux Policy for the wireshark processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B wireshark
++(Wireshark packet capture tool)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux wireshark policy is very flexible allowing users to setup their wireshark processes in as secure a method as possible.
++.PP 
++The following file types are defined for wireshark:
++
++
++.EX
++.PP
++.B wireshark_exec_t 
++.EE
++
++- Set files with the wireshark_exec_t type, if you want to transition an executable to the wireshark_t domain.
++
++
++.EX
++.PP
++.B wireshark_home_t 
++.EE
++
++- Set files with the wireshark_home_t type, if you want to store wireshark files in the users home directory.
++
++
++.EX
++.PP
++.B wireshark_tmp_t 
++.EE
++
++- Set files with the wireshark_tmp_t type, if you want to store wireshark temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B wireshark_tmpfs_t 
++.EE
++
++- Set files with the wireshark_tmpfs_t type, if you want to store wireshark files on a tmpfs file system.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux wireshark policy is very flexible allowing users to setup their wireshark processes in as secure a method as possible.
++.PP 
++The following process types are defined for wireshark:
++
++.EX
++.B wireshark_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), wireshark(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/wpa_selinux.8 b/man/man8/wpa_selinux.8
+new file mode 100644
+index 0000000..e8a5a9f
+--- /dev/null
++++ b/man/man8/wpa_selinux.8
+@@ -0,0 +1,75 @@
++.TH  "wpa_selinux"  "8"  "wpa" "dwalsh at redhat.com" "wpa SELinux Policy documentation"
++.SH "NAME"
++wpa_selinux \- Security Enhanced Linux Policy for the wpa processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux wpa policy is very flexible allowing users to setup their wpa processes in as secure a method as possible.
++.PP 
++The following file types are defined for wpa:
++
++
++.EX
++.PP
++.B wpa_cli_exec_t 
++.EE
++
++- Set files with the wpa_cli_exec_t type, if you want to transition an executable to the wpa_cli_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/wpa_cli, /sbin/wpa_cli
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux wpa policy is very flexible allowing users to setup their wpa processes in as secure a method as possible.
++.PP 
++The following process types are defined for wpa:
++
++.EX
++.B wpa_cli_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), wpa(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/xauth_selinux.8 b/man/man8/xauth_selinux.8
+new file mode 100644
+index 0000000..85c91f3
+--- /dev/null
++++ b/man/man8/xauth_selinux.8
+@@ -0,0 +1,95 @@
++.TH  "xauth_selinux"  "8"  "xauth" "dwalsh at redhat.com" "xauth SELinux Policy documentation"
++.SH "NAME"
++xauth_selinux \- Security Enhanced Linux Policy for the xauth processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux xauth policy is very flexible allowing users to setup their xauth processes in as secure a method as possible.
++.PP 
++The following file types are defined for xauth:
++
++
++.EX
++.PP
++.B xauth_exec_t 
++.EE
++
++- Set files with the xauth_exec_t type, if you want to transition an executable to the xauth_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/xauth, /usr/X11R6/bin/xauth
++
++.EX
++.PP
++.B xauth_home_t 
++.EE
++
++- Set files with the xauth_home_t type, if you want to store xauth files in the users home directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/nxserver/home/\.xauth.*, /root/\.Xauth.*, /var/lib/nxserver/home/\.Xauthority.*, /root/\.Xauthority.*, /root/\.serverauth.*, /var/lib/pqsql/\.Xauthority.*, /root/\.xauth.*, /var/lib/pqsql/\.xauth.*
++
++.EX
++.PP
++.B xauth_tmp_t 
++.EE
++
++- Set files with the xauth_tmp_t type, if you want to store xauth temporary files in the /tmp directories.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux xauth policy is very flexible allowing users to setup their xauth processes in as secure a method as possible.
++.PP 
++The following process types are defined for xauth:
++
++.EX
++.B xauth_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), xauth(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/xdm_selinux.8 b/man/man8/xdm_selinux.8
+new file mode 100644
+index 0000000..e377b25
+--- /dev/null
++++ b/man/man8/xdm_selinux.8
+@@ -0,0 +1,223 @@
++.TH  "xdm_selinux"  "8"  "xdm" "dwalsh at redhat.com" "xdm SELinux Policy documentation"
++.SH "NAME"
++xdm_selinux \- Security Enhanced Linux Policy for the xdm processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  xdm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xdm with the tightest access possible.
++
++
++.PP
++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_, you must turn on the xdm_sysadm_login boolean.
++
++.EX
++.B setsebool -P xdm_sysadm_login 1
++.EE
++
++.PP
++If you want to allow the graphical login program to execute bootloade, you must turn on the xdm_exec_bootloader boolean.
++
++.EX
++.B setsebool -P xdm_exec_bootloader 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux xdm policy is very flexible allowing users to setup their xdm processes in as secure a method as possible.
++.PP 
++The following file types are defined for xdm:
++
++
++.EX
++.PP
++.B xdm_etc_t 
++.EE
++
++- Set files with the xdm_etc_t type, if you want to store xdm files in the /etc directories.
++
++
++.EX
++.PP
++.B xdm_exec_t 
++.EE
++
++- Set files with the xdm_exec_t type, if you want to transition an executable to the xdm_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/[xgkw]dm, /usr/bin/slim, /usr/sbin/[xgkw]dm, /usr/X11R6/bin/[xgkw]dm, /usr/sbin/lxdm, /usr/sbin/lxdm-binary, /usr/bin/lxdm-binary, /usr/bin/gpe-dm, /usr/bin/gdm-binary, /usr/bin/lxdm, /opt/kde3/bin/kdm, /usr/sbin/gdm-binary
++
++.EX
++.PP
++.B xdm_home_t 
++.EE
++
++- Set files with the xdm_home_t type, if you want to store xdm files in the users home directory.
++
++.br
++.TP 5
++Paths: 
++/root/\.xsession-errors.*, /root/\.dmrc.*
++
++.EX
++.PP
++.B xdm_lock_t 
++.EE
++
++- Set files with the xdm_lock_t type, if you want to treat the files as xdm lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B xdm_log_t 
++.EE
++
++- Set files with the xdm_log_t type, if you want to treat the data as xdm log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/slim\.log.*, /var/log/(l)?xdm\.log.*, /var/log/gdm(/.*)?
++
++.EX
++.PP
++.B xdm_rw_etc_t 
++.EE
++
++- Set files with the xdm_rw_etc_t type, if you want to store xdm rw files in the /etc directories.
++
++
++.EX
++.PP
++.B xdm_spool_t 
++.EE
++
++- Set files with the xdm_spool_t type, if you want to store the xdm files under the /var/spool directory.
++
++
++.EX
++.PP
++.B xdm_tmp_t 
++.EE
++
++- Set files with the xdm_tmp_t type, if you want to store xdm temporary files in the /tmp directories.
++
++.br
++.TP 5
++Paths: 
++/tmp/\.X0-lock, /tmp/\.X11-unix(/.*)?, /tmp/\.ICE-unix(/.*)?
++
++.EX
++.PP
++.B xdm_tmpfs_t 
++.EE
++
++- Set files with the xdm_tmpfs_t type, if you want to store xdm files on a tmpfs file system.
++
++
++.EX
++.PP
++.B xdm_var_lib_t 
++.EE
++
++- Set files with the xdm_var_lib_t type, if you want to store the xdm files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/[gxkw]dm(/.*)?, /var/cache/gdm(/.*)?, /var/lib/lxdm(/.*)?
++
++.EX
++.PP
++.B xdm_var_run_t 
++.EE
++
++- Set files with the xdm_var_run_t type, if you want to store the xdm files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/kdm(/.*)?, /var/run/slim.*, /var/run/lxdm(/.*)?, /var/run/gdm(/.*)?, /usr/lib/qt-.*/etc/settings(/.*)?, /var/run/lxdm\.auth, /var/run/xauth(/.*)?, /var/run/xdmctl(/.*)?, /var/run/[gx]dm\.pid, /var/run/slim(/.*)?, /var/run/gdm_socket, /etc/kde3?/kdm/backgroundrc, /var/run/lxdm\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux xdm policy is very flexible allowing users to setup their xdm processes in as secure a method as possible.
++.PP 
++The following port types are defined for xdm:
++
++.EX
++.TP 5
++.B xdmcp_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux xdm policy is very flexible allowing users to setup their xdm processes in as secure a method as possible.
++.PP 
++The following process types are defined for xdm:
++
++.EX
++.B xdm_t, xdm_dbusd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), xdm(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/xenconsoled_selinux.8 b/man/man8/xenconsoled_selinux.8
+new file mode 100644
+index 0000000..94ba970
+--- /dev/null
++++ b/man/man8/xenconsoled_selinux.8
+@@ -0,0 +1,79 @@
++.TH  "xenconsoled_selinux"  "8"  "xenconsoled" "dwalsh at redhat.com" "xenconsoled SELinux Policy documentation"
++.SH "NAME"
++xenconsoled_selinux \- Security Enhanced Linux Policy for the xenconsoled processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux xenconsoled policy is very flexible allowing users to setup their xenconsoled processes in as secure a method as possible.
++.PP 
++The following file types are defined for xenconsoled:
++
++
++.EX
++.PP
++.B xenconsoled_exec_t 
++.EE
++
++- Set files with the xenconsoled_exec_t type, if you want to transition an executable to the xenconsoled_t domain.
++
++
++.EX
++.PP
++.B xenconsoled_var_run_t 
++.EE
++
++- Set files with the xenconsoled_var_run_t type, if you want to store the xenconsoled files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux xenconsoled policy is very flexible allowing users to setup their xenconsoled processes in as secure a method as possible.
++.PP 
++The following process types are defined for xenconsoled:
++
++.EX
++.B xenconsoled_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), xenconsoled(8), semanage(8), restorecon(8), chcon(1)
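Review bot: The escapes `\fBls\bP` (FILE CONTEXTS) and `\fBps\bP` (PROCESS TYPES) never close the bold started by `\fB`, because `\b` is not a font escape. The closing sequence should be `\fP`, i.e. `option to \fBls\fP` and `option to \fBps\fP`. The same two lines recur in the xend, xenstored, xserver, ypbind, yppasswdd and ypserv pages further down, so the fix probably belongs in the genman.py template rather than in each page. The DESCRIPTION section is also emitted empty, so the page never says what the xenconsoled_t domain is meant to confine.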
+diff --git a/man/man8/xend_selinux.8 b/man/man8/xend_selinux.8
+new file mode 100644
+index 0000000..ef97b9c
+--- /dev/null
++++ b/man/man8/xend_selinux.8
+@@ -0,0 +1,190 @@
++.TH  "xend_selinux"  "8"  "xend" "dwalsh at redhat.com" "xend SELinux Policy documentation"
++.SH "NAME"
++xend_selinux \- Security Enhanced Linux Policy for the xend processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  xend policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xend with the tightest access possible.
++
++
++.PP
++If you want to allow xen to manage nfs file, you must turn on the xen_use_nfs boolean.
++
++.EX
++.B setsebool -P xen_use_nfs 1
++.EE
++
++.PP
++If you want to allow xend to run qemu-dm. Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean.
++
++.EX
++.B setsebool -P xend_run_qemu 1
++.EE
++
++.PP
++If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean.
++
++.EX
++.B setsebool -P xend_run_blktap 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux xend policy is very flexible allowing users to setup their xend processes in as secure a method as possible.
++.PP 
++The following file types are defined for xend:
++
++
++.EX
++.PP
++.B xen_devpts_t 
++.EE
++
++- Set files with the xen_devpts_t type, if you want to treat the files as xen devpts data.
++
++
++.EX
++.PP
++.B xen_image_t 
++.EE
++
++- Set files with the xen_image_t type, if you want to treat the files as xen image data.
++
++.br
++.TP 5
++Paths: 
++/xen(/.*)?, /var/lib/xen/images(/.*)?
++
++.EX
++.PP
++.B xend_exec_t 
++.EE
++
++- Set files with the xend_exec_t type, if you want to transition an executable to the xend_t domain.
++
++
++.EX
++.PP
++.B xend_tmp_t 
++.EE
++
++- Set files with the xend_tmp_t type, if you want to store xend temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B xend_var_lib_t 
++.EE
++
++- Set files with the xend_var_lib_t type, if you want to store the xend files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/xen(/.*)?, /var/lib/xend(/.*)?
++
++.EX
++.PP
++.B xend_var_log_t 
++.EE
++
++- Set files with the xend_var_log_t type, if you want to treat the data as xend var log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/xen(/.*)?, /var/log/xen-hotplug\.log, /var/log/xend\.log, /var/log/xend-debug\.log
++
++.EX
++.PP
++.B xend_var_run_t 
++.EE
++
++- Set files with the xend_var_run_t type, if you want to store the xend files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/xenner(/.*)?, /var/run/xend(/.*)?, /var/run/xend\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux xend policy is very flexible allowing users to setup their xend processes in as secure a method as possible.
++.PP 
++The following port types are defined for xend:
++
++.EX
++.TP 5
++.B xen_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux xend policy is very flexible allowing users to setup their xend processes in as secure a method as possible.
++.PP 
++The following process types are defined for xend:
++
++.EX
++.B xend_t, xenstored_t, xenconsoled_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), xend(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
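Review bot: The PORT TYPES section prints `Default Defined Ports: tcp 8021` for `xen_port_t`, and the identical value appears for `xserver_port_t` in the xserver_selinux.8 hunk. Since a port is normally labelled with a single type, at least one of these is wrong, and the value looks hard-coded in the generator. An administrator who relies on this text could open or audit the wrong port. Until the generator emits the real per-type list, I would drop the block and point to the command the page already names, e.g. `Run semanage port -l to list the ports assigned to xen_port_t.` The block also ends with a second `.EE` that has no matching `.EX`, and the `.TP 10` just before the first `.EE` has no tag or body.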
+diff --git a/man/man8/xenstored_selinux.8 b/man/man8/xenstored_selinux.8
+new file mode 100644
+index 0000000..0cf576a
+--- /dev/null
++++ b/man/man8/xenstored_selinux.8
+@@ -0,0 +1,107 @@
++.TH  "xenstored_selinux"  "8"  "xenstored" "dwalsh at redhat.com" "xenstored SELinux Policy documentation"
++.SH "NAME"
++xenstored_selinux \- Security Enhanced Linux Policy for the xenstored processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux xenstored policy is very flexible allowing users to setup their xenstored processes in as secure a method as possible.
++.PP 
++The following file types are defined for xenstored:
++
++
++.EX
++.PP
++.B xenstored_exec_t 
++.EE
++
++- Set files with the xenstored_exec_t type, if you want to transition an executable to the xenstored_t domain.
++
++
++.EX
++.PP
++.B xenstored_tmp_t 
++.EE
++
++- Set files with the xenstored_tmp_t type, if you want to store xenstored temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B xenstored_var_lib_t 
++.EE
++
++- Set files with the xenstored_var_lib_t type, if you want to store the xenstored files under the /var/lib directory.
++
++
++.EX
++.PP
++.B xenstored_var_log_t 
++.EE
++
++- Set files with the xenstored_var_log_t type, if you want to treat the data as xenstored var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B xenstored_var_run_t 
++.EE
++
++- Set files with the xenstored_var_run_t type, if you want to store the xenstored files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/xenstore\.pid, /var/run/xenstored(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux xenstored policy is very flexible allowing users to setup their xenstored processes in as secure a method as possible.
++.PP 
++The following process types are defined for xenstored:
++
++.EX
++.B xenstored_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), xenstored(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/xguest_selinux.8 b/man/man8/xguest_selinux.8
+new file mode 100644
+index 0000000..2478817
+--- /dev/null
++++ b/man/man8/xguest_selinux.8
+@@ -0,0 +1,231 @@
++.TH  "xguest_selinux"  "8"  "xguest" "mgrepl at redhat.com" "xguest SELinux Policy documentation"
++.SH "NAME"
++xguest_u \- \fBLeast privledge xwindows user role\fP - Security Enhanced Linux Policy 
++
++.SH DESCRIPTION
++
++\fBxguest_u\fP is an SELinux User defined in the SELinux
++policy. SELinux users have default roles, \fBxguest_r\fP.  The
++default role has a default type, \fBxguest_t\fP, associated with it.
++
++The SELinux user will usually login to a system with a context that looks like:
++
++.B xguest_u:xguest_r:xguest_u:s0-s0:c0.c1023
++
++Linux users are automatically assigned an SELinux users at login.  
++Login programs use the SELinux User to assign initial context to the user's shell.
++
++SELinux policy uses the context to control the user's access.
++
++By default all users are assigned to the SELinux user via the \fB__default__\fP flag
++
++On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user.
++
++You can list all Linux User to SELinux user mapping using:
++
++.B semanage login -l
++
++If you wanted to change the default user mapping to use the xguest_u user, you would execute:
++
++.B semanage login -m -s xguest_u __default__
++
++
++If you want to map the one Linux user (joe) to the SELinux user xguest, you would execute:
++
++.B $ semanage login -a -s xguest_u joe
++
++
++.SH USER DESCRIPTION
++
++The SELinux user xguest_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role.
++
++.SH SUDO
++
++The SELinux type xguest_t is not allowed to execute sudo. 
++
++.SH X WINDOWS LOGIN
++
++The SELinux user xguest_u is able to X Windows login.
++
++.SH TERMINAL LOGIN
++
++The SELinux user xguest_u is able to terminal login.
++
++.SH NETWORK
++
++.TP
++The SELinux user xguest_u is able to connect to the following tcp ports.
++
++.B dns_port_t: 53
++
++.B ipp_port_t: 631,8610-8614
++
++.B transproxy_port_t: 8081
++
++.B ocsp_port_t: 9080
++
++.B kerberos_port_t: 88,750,4444
++
++.B all ports with out defined types
++
++.B ftp_port_t: 21,990
++
++.B speech_port_t: 8036
++
++.B squid_port_t: 3128,3401,4827
++
++.B http_cache_port_t: 8080,8118,8123,10001-10010
++
++.B http_port_t: 80,443,488,8008,8009,8443
++
++.B flash_port_t: 843,1935
++
++.B pulseaudio_port_t: 4713
++
++.B soundd_port_t: 8000,9433,16001
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  xguest_t policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xguest_t with the tightest access possible.
++
++
++.PP
++If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean.
++
++.EX
++.B setsebool -P xguest_connect_network 1
++.EE
++
++.PP
++If you want to allow users to connect to the local mysql server, you must turn on the allow_user_mysql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_mysql_connect 1
++.EE
++
++.PP
++If you want to control users use of ping and traceroute, you must turn on the user_ping boolean.
++
++.EX
++.B setsebool -P user_ping 1
++.EE
++
++.PP
++If you want to allow w to display everyone, you must turn on the user_ttyfile_stat boolean.
++
++.EX
++.B setsebool -P user_ttyfile_stat 1
++.EE
++
++.PP
++If you want to allow user music sharing, you must turn on the user_share_music boolean.
++
++.EX
++.B setsebool -P user_share_music 1
++.EE
++
++.PP
++If you want to allow regular users direct dri device access, you must turn on the user_direct_dri boolean.
++
++.EX
++.B setsebool -P user_direct_dri 1
++.EE
++
++.PP
++If you want to allow xguest users to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
++
++.EX
++.B setsebool -P xguest_use_bluetooth 1
++.EE
++
++.PP
++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the user_rw_noexattrfile boolean.
++
++.EX
++.B setsebool -P user_rw_noexattrfile 1
++.EE
++
++.PP
++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users)  disabling this forces FTP passive mode and may change other protocols, you must turn on the user_tcp_server boolean.
++
++.EX
++.B setsebool -P user_tcp_server 1
++.EE
++
++.PP
++If you want to allow regular users direct mouse access, you must turn on the user_direct_mouse boolean.
++
++.EX
++.B setsebool -P user_direct_mouse 1
++.EE
++
++.PP
++If you want to allow user processes to change their priority, you must turn on the user_setrlimit boolean.
++
++.EX
++.B setsebool -P user_setrlimit 1
++.EE
++
++.PP
++If you want to allow users to connect to PostgreSQL, you must turn on the allow_user_postgresql_connect boolean.
++
++.EX
++.B setsebool -P allow_user_postgresql_connect 1
++.EE
++
++.PP
++If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
++
++.EX
++.B setsebool -P xguest_mount_media 1
++.EE
++
++.PP
++If you want to allow users to read system messages, you must turn on the user_dmesg boolean.
++
++.EX
++.B setsebool -P user_dmesg 1
++.EE
++
++.SH HOME_EXEC
++
++The SELinux user xguest_u is able execute home content files.
++
++.SH TRANSITIONS
++
++Three things can happen when xguest_t attempts to execute a program.
++
++\fB1.\fP SELinux Policy can deny xguest_t from executing the program.
++
++.TP
++
++\fB2.\fP SELinux Policy can allow xguest_t to execute the program in the current user type.
++
++Execute the following to see the types that the SELinux user xguest_t can execute without transitioning:
++
++.B sesearch -A -s xguest_t -c file -p execute_no_trans
++
++.TP
++
++\fB3.\fP SELinux can allow xguest_t to execute the program and transition to a new type.
++
++Execute the following to see the types that the SELinux user xguest_t can execute and transition:
++
++.B $ sesearch -A -s xguest_t -c process -p transition
++
++
++.SH "COMMANDS"
++
++.B semanage login
++can also be used to manipulate the Linux User to SELinux User mappings
++
++.B semanage user
++can also be used to manipulate SELinux user definitions.
++
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genuserman.py.
++
++.SH "SEE ALSO"
++selinux(8), semanage(8).
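Review bot: The example login context in DESCRIPTION, `xguest_u:xguest_r:xguest_u:s0-s0:c0.c1023`, repeats the SELinux user in the type field. The paragraph just above names the default type as `xguest_t`, so the line should read `.B xguest_u:xguest_r:xguest_t:s0-s0:c0.c1023`. The TRANSITIONS section has the same confusion, calling `xguest_t` "the SELinux user" where it is the type. Two smaller points: the NAME line spells "privilege" as "privledge", and the `semanage login -a` and second `sesearch` examples carry a `$` prompt inside `.B` while the other commands do not.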
+diff --git a/man/man8/xserver_selinux.8 b/man/man8/xserver_selinux.8
+new file mode 100644
+index 0000000..868120f
+--- /dev/null
++++ b/man/man8/xserver_selinux.8
+@@ -0,0 +1,176 @@
++.TH  "xserver_selinux"  "8"  "xserver" "dwalsh at redhat.com" "xserver SELinux Policy documentation"
++.SH "NAME"
++xserver_selinux \- Security Enhanced Linux Policy for the xserver processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B xserver
++(X Windows Server)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  xserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xserver with the tightest access possible.
++
++
++.PP
++If you want to allow confined virtual guests to interact with the xserve, you must turn on the virt_use_xserver boolean.
++
++.EX
++.B setsebool -P virt_use_xserver 1
++.EE
++
++.PP
++If you want to support X userspace object manage, you must turn on the xserver_object_manager boolean.
++
++.EX
++.B setsebool -P xserver_object_manager 1
++.EE
++
++.PP
++If you want to allows XServer to execute writable memor, you must turn on the allow_xserver_execmem boolean.
++
++.EX
++.B setsebool -P allow_xserver_execmem 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux xserver policy is very flexible allowing users to setup their xserver processes in as secure a method as possible.
++.PP 
++The following file types are defined for xserver:
++
++
++.EX
++.PP
++.B xserver_exec_t 
++.EE
++
++- Set files with the xserver_exec_t type, if you want to transition an executable to the xserver_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/Xair, /usr/bin/Xephyr, /usr/X11R6/bin/Xwrapper, /usr/X11R6/bin/XFree86, /etc/init\.d/xfree86-common, /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/bin/Xorg, /usr/X11R6/bin/X
++
++.EX
++.PP
++.B xserver_log_t 
++.EE
++
++- Set files with the xserver_log_t type, if you want to treat the data as xserver log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/usr/var/[xgkw]dm(/.*)?, /var/[xgk]dm(/.*)?, /var/log/nvidia-installer\.log.*, /var/log/XFree86.*, /var/log/Xorg.*, /var/log/[kw]dm\.log.*
++
++.EX
++.PP
++.B xserver_tmpfs_t 
++.EE
++
++- Set files with the xserver_tmpfs_t type, if you want to store xserver files on a tmpfs file system.
++
++
++.EX
++.PP
++.B xserver_var_lib_t 
++.EE
++
++- Set files with the xserver_var_lib_t type, if you want to store the xserver files under the /var/lib directory.
++
++
++.EX
++.PP
++.B xserver_var_run_t 
++.EE
++
++- Set files with the xserver_var_run_t type, if you want to store the xserver files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/xorg(/.*)?, /var/run/video.rom
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux xserver policy is very flexible allowing users to setup their xserver processes in as secure a method as possible.
++.PP 
++The following port types are defined for xserver:
++
++.EX
++.TP 5
++.B xserver_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux xserver policy is very flexible allowing users to setup their xserver processes in as secure a method as possible.
++.PP 
++The following process types are defined for xserver:
++
++.EX
++.B xserver_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), xserver(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
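Review bot: Each boolean description in the BOOLEANS section has lost its last character: "interact with the xserve", "X userspace object manage" and "execute writable memor". The ypbind_selinux.8 hunk shows the same pattern with "run with NI", so the generator appears to strip one character too many from the policy description. For `allow_xserver_execmem` in particular, the sentence should state plainly what is being relaxed, e.g. `If you want to allow the X server to execute writable memory, you must turn on the allow_xserver_execmem boolean.` Correcting the slice in genman.py would repair all affected pages at once.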
+diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8
+index 5061a5f..22c9968 100644
+--- a/man/man8/ypbind_selinux.8
++++ b/man/man8/ypbind_selinux.8
+@@ -1,19 +1,118 @@
+-.TH  "ypbind_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "ypbind Selinux Policy documentation"
++.TH  "ypbind_selinux"  "8"  "ypbind" "dwalsh at redhat.com" "ypbind SELinux Policy documentation"
+ .SH "NAME"
+-ypbind_selinux \- Security Enhanced Linux Policy for NIS.
++ypbind_selinux \- Security Enhanced Linux Policy for the ypbind processes
+ .SH "DESCRIPTION"
+ 
+-Security-Enhanced Linux secures the system via flexible mandatory access
+-control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.  
++
++
++
+ .SH BOOLEANS
+-.TP
+-You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
+-.TP
+-setsebool -P allow_ypbind 1
+-.TP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
++SELinux policy is customizable based on least access required.  ypbind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ypbind with the tightest access possible.
++
++
++.PP
++If you want to allow system to run with NI, you must turn on the allow_ypbind boolean.
++
++.EX
++.B setsebool -P allow_ypbind 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ypbind policy is very flexible allowing users to setup their ypbind processes in as secure a method as possible.
++.PP 
++The following file types are defined for ypbind:
++
++
++.EX
++.PP
++.B ypbind_exec_t 
++.EE
++
++- Set files with the ypbind_exec_t type, if you want to transition an executable to the ypbind_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/ypbind, /sbin/ypbind
++
++.EX
++.PP
++.B ypbind_initrc_exec_t 
++.EE
++
++- Set files with the ypbind_initrc_exec_t type, if you want to transition an executable to the ypbind_initrc_t domain.
++
++
++.EX
++.PP
++.B ypbind_unit_file_t 
++.EE
++
++- Set files with the ypbind_unit_file_t type, if you want to treat the files as ypbind unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/ypbind\.service, /lib/systemd/system/ypbind\.service
++
++.EX
++.PP
++.B ypbind_var_run_t 
++.EE
++
++- Set files with the ypbind_var_run_t type, if you want to store the ypbind files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ypbind policy is very flexible allowing users to setup their ypbind processes in as secure a method as possible.
++.PP 
++The following process types are defined for ypbind:
++
++.EX
++.B ypbind_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
+ .SH AUTHOR	
+-This manual page was written by Dan Walsh <dwalsh at redhat.com>.
++This manual page was autogenerated by genman.py.
+ 
+ .SH "SEE ALSO"
+-selinux(8), ypbind(8), chcon(1), setsebool(8)
++selinux(8), ypbind(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
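Review bot: The regenerated page leaves DESCRIPTION empty, so the only remaining explanation of `allow_ypbind` is the truncated "allow system to run with NI". The old text told the reader that NIS needs daemons to have greater network access, which is the reason an administrator should think before enabling the boolean. I would keep one sentence of that rationale under DESCRIPTION, for example `Enabling allow_ypbind gives confined daemons the broader network access that NIS requires.` The SEE ALSO list is also split so that `, setsebool(8)` starts its own line, which renders with a stray space before the comma.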
+diff --git a/man/man8/yppasswdd_selinux.8 b/man/man8/yppasswdd_selinux.8
+new file mode 100644
+index 0000000..4b570b3
+--- /dev/null
++++ b/man/man8/yppasswdd_selinux.8
+@@ -0,0 +1,79 @@
++.TH  "yppasswdd_selinux"  "8"  "yppasswdd" "dwalsh at redhat.com" "yppasswdd SELinux Policy documentation"
++.SH "NAME"
++yppasswdd_selinux \- Security Enhanced Linux Policy for the yppasswdd processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux yppasswdd policy is very flexible allowing users to setup their yppasswdd processes in as secure a method as possible.
++.PP 
++The following file types are defined for yppasswdd:
++
++
++.EX
++.PP
++.B yppasswdd_exec_t 
++.EE
++
++- Set files with the yppasswdd_exec_t type, if you want to transition an executable to the yppasswdd_t domain.
++
++
++.EX
++.PP
++.B yppasswdd_var_run_t 
++.EE
++
++- Set files with the yppasswdd_var_run_t type, if you want to store the yppasswdd files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux yppasswdd policy is very flexible allowing users to setup their yppasswdd processes in as secure a method as possible.
++.PP 
++The following process types are defined for yppasswdd:
++
++.EX
++.B yppasswdd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), yppasswdd(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ypserv_selinux.8 b/man/man8/ypserv_selinux.8
+new file mode 100644
+index 0000000..b5da81b
+--- /dev/null
++++ b/man/man8/ypserv_selinux.8
+@@ -0,0 +1,87 @@
++.TH  "ypserv_selinux"  "8"  "ypserv" "dwalsh at redhat.com" "ypserv SELinux Policy documentation"
++.SH "NAME"
++ypserv_selinux \- Security Enhanced Linux Policy for the ypserv processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ypserv policy is very flexible allowing users to setup their ypserv processes in as secure a method as possible.
++.PP 
++The following file types are defined for ypserv:
++
++
++.EX
++.PP
++.B ypserv_conf_t 
++.EE
++
++- Set files with the ypserv_conf_t type, if you want to treat the files as ypserv configuration data, usually stored under the /etc directory.
++
++
++.EX
++.PP
++.B ypserv_exec_t 
++.EE
++
++- Set files with the ypserv_exec_t type, if you want to transition an executable to the ypserv_t domain.
++
++
++.EX
++.PP
++.B ypserv_var_run_t 
++.EE
++
++- Set files with the ypserv_var_run_t type, if you want to store the ypserv files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ypserv policy is very flexible allowing users to setup their ypserv processes in as secure a method as possible.
++.PP 
++The following process types are defined for ypserv:
++
++.EX
++.B ypserv_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ypserv(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/ypxfr_selinux.8 b/man/man8/ypxfr_selinux.8
+new file mode 100644
+index 0000000..3e761eb
+--- /dev/null
++++ b/man/man8/ypxfr_selinux.8
+@@ -0,0 +1,83 @@
++.TH  "ypxfr_selinux"  "8"  "ypxfr" "dwalsh at redhat.com" "ypxfr SELinux Policy documentation"
++.SH "NAME"
++ypxfr_selinux \- Security Enhanced Linux Policy for the ypxfr processes
++.SH "DESCRIPTION"
++
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux ypxfr policy is very flexible allowing users to setup their ypxfr processes in as secure a method as possible.
++.PP 
++The following file types are defined for ypxfr:
++
++
++.EX
++.PP
++.B ypxfr_exec_t 
++.EE
++
++- Set files with the ypxfr_exec_t type, if you want to transition an executable to the ypxfr_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/yp/ypxfr, /usr/sbin/rpc\.ypxfrd
++
++.EX
++.PP
++.B ypxfr_var_run_t 
++.EE
++
++- Set files with the ypxfr_var_run_t type, if you want to store the ypxfr files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ypxfr policy is very flexible allowing users to setup their ypxfr processes in as secure a method as possible.
++.PP 
++The following process types are defined for ypxfr:
++
++.EX
++.B ypxfr_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), ypxfr(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/zabbix_selinux.8 b/man/man8/zabbix_selinux.8
+new file mode 100644
+index 0000000..6f79276
+--- /dev/null
++++ b/man/man8/zabbix_selinux.8
+@@ -0,0 +1,200 @@
++.TH  "zabbix_selinux"  "8"  "zabbix" "dwalsh at redhat.com" "zabbix SELinux Policy documentation"
++.SH "NAME"
++zabbix_selinux \- Security Enhanced Linux Policy for the zabbix processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B zabbix
++(Distributed infrastructure monitoring)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  zabbix policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zabbix with the tightest access possible.
++
++
++.PP
++If you want to allow zabbix to connect to unreserved port, you must turn on the zabbix_can_network boolean.
++
++.EX
++.B setsebool -P zabbix_can_network 1
++.EE
++
++.PP
++If you want to allow http daemon to connect to zabbi, you must turn on the httpd_can_connect_zabbix boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_zabbix 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux zabbix policy is very flexible allowing users to setup their zabbix processes in as secure a method as possible.
++.PP 
++The following file types are defined for zabbix:
++
++
++.EX
++.PP
++.B zabbix_agent_exec_t 
++.EE
++
++- Set files with the zabbix_agent_exec_t type, if you want to transition an executable to the zabbix_agent_t domain.
++
++
++.EX
++.PP
++.B zabbix_agent_initrc_exec_t 
++.EE
++
++- Set files with the zabbix_agent_initrc_exec_t type, if you want to transition an executable to the zabbix_agent_initrc_t domain.
++
++
++.EX
++.PP
++.B zabbix_exec_t 
++.EE
++
++- Set files with the zabbix_exec_t type, if you want to transition an executable to the zabbix_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/zabbix_server_sqlite3, /usr/sbin/zabbix_server_mysql, /usr/sbin/zabbix_server_pgsql, /usr/sbin/zabbix_server
++
++.EX
++.PP
++.B zabbix_initrc_exec_t 
++.EE
++
++- Set files with the zabbix_initrc_exec_t type, if you want to transition an executable to the zabbix_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/zabbix-server, /etc/rc\.d/init\.d/zabbix
++
++.EX
++.PP
++.B zabbix_log_t 
++.EE
++
++- Set files with the zabbix_log_t type, if you want to treat the data as zabbix log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zabbix_tmp_t 
++.EE
++
++- Set files with the zabbix_tmp_t type, if you want to store zabbix temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zabbix_tmpfs_t 
++.EE
++
++- Set files with the zabbix_tmpfs_t type, if you want to store zabbix files on a tmpfs file system.
++
++
++.EX
++.PP
++.B zabbix_var_run_t 
++.EE
++
++- Set files with the zabbix_var_run_t type, if you want to store the zabbix files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux zabbix policy is very flexible allowing users to setup their zabbix processes in as secure a method as possible.
++.PP 
++The following port types are defined for zabbix:
++
++.EX
++.TP 5
++.B zabbix_agent_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++
++.EX
++.TP 5
++.B zabbix_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zabbix policy is very flexible allowing users to setup their zabbix processes in as secure a method as possible.
++.PP 
++The following process types are defined for zabbix:
++
++.EX
++.B zabbix_agent_t, zabbix_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), zabbix(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/zarafa_selinux.8 b/man/man8/zarafa_selinux.8
+new file mode 100644
+index 0000000..928b3c1
+--- /dev/null
++++ b/man/man8/zarafa_selinux.8
+@@ -0,0 +1,319 @@
++.TH  "zarafa_selinux"  "8"  "zarafa" "dwalsh at redhat.com" "zarafa SELinux Policy documentation"
++.SH "NAME"
++zarafa_selinux \- Security Enhanced Linux Policy for the zarafa processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B zarafa
++(Zarafa collaboration platform)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux zarafa policy is very flexible allowing users to setup their zarafa processes in as secure a method as possible.
++.PP 
++The following file types are defined for zarafa:
++
++
++.EX
++.PP
++.B zarafa_deliver_exec_t 
++.EE
++
++- Set files with the zarafa_deliver_exec_t type, if you want to transition an executable to the zarafa_deliver_t domain.
++
++
++.EX
++.PP
++.B zarafa_deliver_log_t 
++.EE
++
++- Set files with the zarafa_deliver_log_t type, if you want to treat the data as zarafa deliver log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_deliver_tmp_t 
++.EE
++
++- Set files with the zarafa_deliver_tmp_t type, if you want to store zarafa deliver temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zarafa_deliver_var_run_t 
++.EE
++
++- Set files with the zarafa_deliver_var_run_t type, if you want to store the zarafa deliver files under the /run directory.
++
++
++.EX
++.PP
++.B zarafa_etc_t 
++.EE
++
++- Set files with the zarafa_etc_t type, if you want to store zarafa files in the /etc directories.
++
++
++.EX
++.PP
++.B zarafa_gateway_exec_t 
++.EE
++
++- Set files with the zarafa_gateway_exec_t type, if you want to transition an executable to the zarafa_gateway_t domain.
++
++
++.EX
++.PP
++.B zarafa_gateway_log_t 
++.EE
++
++- Set files with the zarafa_gateway_log_t type, if you want to treat the data as zarafa gateway log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_gateway_var_run_t 
++.EE
++
++- Set files with the zarafa_gateway_var_run_t type, if you want to store the zarafa gateway files under the /run directory.
++
++
++.EX
++.PP
++.B zarafa_ical_exec_t 
++.EE
++
++- Set files with the zarafa_ical_exec_t type, if you want to transition an executable to the zarafa_ical_t domain.
++
++
++.EX
++.PP
++.B zarafa_ical_log_t 
++.EE
++
++- Set files with the zarafa_ical_log_t type, if you want to treat the data as zarafa ical log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_ical_var_run_t 
++.EE
++
++- Set files with the zarafa_ical_var_run_t type, if you want to store the zarafa ical files under the /run directory.
++
++
++.EX
++.PP
++.B zarafa_indexer_exec_t 
++.EE
++
++- Set files with the zarafa_indexer_exec_t type, if you want to transition an executable to the zarafa_indexer_t domain.
++
++
++.EX
++.PP
++.B zarafa_indexer_log_t 
++.EE
++
++- Set files with the zarafa_indexer_log_t type, if you want to treat the data as zarafa indexer log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_indexer_tmp_t 
++.EE
++
++- Set files with the zarafa_indexer_tmp_t type, if you want to store zarafa indexer temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zarafa_indexer_var_run_t 
++.EE
++
++- Set files with the zarafa_indexer_var_run_t type, if you want to store the zarafa indexer files under the /run directory.
++
++
++.EX
++.PP
++.B zarafa_monitor_exec_t 
++.EE
++
++- Set files with the zarafa_monitor_exec_t type, if you want to transition an executable to the zarafa_monitor_t domain.
++
++
++.EX
++.PP
++.B zarafa_monitor_log_t 
++.EE
++
++- Set files with the zarafa_monitor_log_t type, if you want to treat the data as zarafa monitor log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_monitor_var_run_t 
++.EE
++
++- Set files with the zarafa_monitor_var_run_t type, if you want to store the zarafa monitor files under the /run directory.
++
++
++.EX
++.PP
++.B zarafa_server_exec_t 
++.EE
++
++- Set files with the zarafa_server_exec_t type, if you want to transition an executable to the zarafa_server_t domain.
++
++
++.EX
++.PP
++.B zarafa_server_log_t 
++.EE
++
++- Set files with the zarafa_server_log_t type, if you want to treat the data as zarafa server log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_server_tmp_t 
++.EE
++
++- Set files with the zarafa_server_tmp_t type, if you want to store zarafa server temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zarafa_server_var_run_t 
++.EE
++
++- Set files with the zarafa_server_var_run_t type, if you want to store the zarafa server files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/zarafa, /var/run/zarafa-server\.pid
++
++.EX
++.PP
++.B zarafa_share_t 
++.EE
++
++- Set files with the zarafa_share_t type, if you want to treat the files as zarafa share data.
++
++
++.EX
++.PP
++.B zarafa_spooler_exec_t 
++.EE
++
++- Set files with the zarafa_spooler_exec_t type, if you want to transition an executable to the zarafa_spooler_t domain.
++
++
++.EX
++.PP
++.B zarafa_spooler_log_t 
++.EE
++
++- Set files with the zarafa_spooler_log_t type, if you want to treat the data as zarafa spooler log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_spooler_var_run_t 
++.EE
++
++- Set files with the zarafa_spooler_var_run_t type, if you want to store the zarafa spooler files under the /run directory.
++
++
++.EX
++.PP
++.B zarafa_var_lib_t 
++.EE
++
++- Set files with the zarafa_var_lib_t type, if you want to store the zarafa files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/zarafa-webaccess(/.*)?, /var/lib/zarafa(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux zarafa policy is very flexible allowing users to setup their zarafa processes in as secure a method as possible.
++.PP 
++The following port types are defined for zarafa:
++
++.EX
++.TP 5
++.B zarafa_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zarafa policy is very flexible allowing users to setup their zarafa processes in as secure a method as possible.
++.PP 
++The following process types are defined for zarafa:
++
++.EX
++.B zarafa_gateway_t, zarafa_spooler_t, zarafa_deliver_t, zarafa_monitor_t, zarafa_indexer_t, zarafa_server_t, zarafa_ical_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), zarafa(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/zebra_selinux.8 b/man/man8/zebra_selinux.8
+new file mode 100644
+index 0000000..705cdbc
+--- /dev/null
++++ b/man/man8/zebra_selinux.8
+@@ -0,0 +1,178 @@
++.TH  "zebra_selinux"  "8"  "zebra" "dwalsh at redhat.com" "zebra SELinux Policy documentation"
++.SH "NAME"
++zebra_selinux \- Security Enhanced Linux Policy for the zebra processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B zebra
++(Zebra border gateway protocol network routing service)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  zebra policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zebra with the tightest access possible.
++
++
++.PP
++If you want to allow zebra daemon to write it configuration file, you must turn on the allow_zebra_write_config boolean.
++
++.EX
++.B setsebool -P allow_zebra_write_config 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux zebra policy is very flexible allowing users to setup their zebra processes in as secure a method as possible.
++.PP 
++The following file types are defined for zebra:
++
++
++.EX
++.PP
++.B zebra_conf_t 
++.EE
++
++- Set files with the zebra_conf_t type, if you want to treat the files as zebra configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/etc/zebra(/.*)?, /etc/quagga(/.*)?
++
++.EX
++.PP
++.B zebra_exec_t 
++.EE
++
++- Set files with the zebra_exec_t type, if you want to transition an executable to the zebra_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/sbin/zebra, /usr/sbin/rip.*, /usr/sbin/bgpd, /usr/sbin/ospf.*
++
++.EX
++.PP
++.B zebra_initrc_exec_t 
++.EE
++
++- Set files with the zebra_initrc_exec_t type, if you want to transition an executable to the zebra_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/ripngd, /etc/rc\.d/init\.d/zebra, /etc/rc\.d/init\.d/ripd, /etc/rc\.d/init\.d/bgpd, /etc/rc\.d/init\.d/ospf6d, /etc/rc\.d/init\.d/ospfd
++
++.EX
++.PP
++.B zebra_log_t 
++.EE
++
++- Set files with the zebra_log_t type, if you want to treat the data as zebra log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/quagga(/.*)?, /var/log/zebra(/.*)?
++
++.EX
++.PP
++.B zebra_tmp_t 
++.EE
++
++- Set files with the zebra_tmp_t type, if you want to store zebra temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zebra_var_run_t 
++.EE
++
++- Set files with the zebra_var_run_t type, if you want to store the zebra files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/\.zserv, /var/run/\.zebra, /var/run/quagga(/.*)?
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PORT TYPES
++SELinux defines port types to represent TCP and UDP ports. 
++.PP
++You can see the types associated with a port by using the following command: 
++
++.B semanage port -l
++
++.PP
++Policy governs the access confined processes have to these ports. 
++SELinux zebra policy is very flexible allowing users to setup their zebra processes in as secure a method as possible.
++.PP 
++The following port types are defined for zebra:
++
++.EX
++.TP 5
++.B zebra_port_t 
++.TP 10
++.EE
++
++
++Default Defined Ports:
++tcp 8021
++.EE
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zebra policy is very flexible allowing users to setup their zebra processes in as secure a method as possible.
++.PP 
++The following process types are defined for zebra:
++
++.EX
++.B zebra_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage port
++can also be used to manipulate the port definitions
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), zebra(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
+diff --git a/man/man8/zoneminder_selinux.8 b/man/man8/zoneminder_selinux.8
+new file mode 100644
+index 0000000..4f71f64
+--- /dev/null
++++ b/man/man8/zoneminder_selinux.8
+@@ -0,0 +1,163 @@
++.TH  "zoneminder_selinux"  "8"  "zoneminder" "dwalsh at redhat.com" "zoneminder SELinux Policy documentation"
++.SH "NAME"
++zoneminder_selinux \- Security Enhanced Linux Policy for the zoneminder processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B zoneminder
++(policy for zoneminder)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
++.TP
++Allow zoneminder servers to read the /var/zoneminder directory by adding the public_content_t file type to the directory and by restoring the file type.
++.PP
++.B
++semanage fcontext -a -t public_content_t "/var/zoneminder(/.*)?"
++.br
++.B restorecon -F -R -v /var/zoneminder
++.pp
++.TP
++Allow zoneminder servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_zoneminder_anon_write boolean to be set.
++.PP
++.B
++semanage fcontext -a -t public_content_rw_t "/var/zoneminder/incoming(/.*)?"
++.br
++.B restorecon -F -R -v /var/zoneminder/incoming
++
++
++.PP
++If you want to allow ZoneMinder to modify public files used for public file transfer services., you must turn on the zoneminder_anon_write boolean.
++
++.EX
++.B setsebool -P zoneminder_anon_write 1
++.EE
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux zoneminder policy is very flexible allowing users to setup their zoneminder processes in as secure a method as possible.
++.PP 
++The following file types are defined for zoneminder:
++
++
++.EX
++.PP
++.B zoneminder_exec_t 
++.EE
++
++- Set files with the zoneminder_exec_t type, if you want to transition an executable to the zoneminder_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/zmpkg.pl, /usr/bin/motion
++
++.EX
++.PP
++.B zoneminder_initrc_exec_t 
++.EE
++
++- Set files with the zoneminder_initrc_exec_t type, if you want to transition an executable to the zoneminder_initrc_t domain.
++
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/motion, /etc/rc\.d/init\.d/zoneminder
++
++.EX
++.PP
++.B zoneminder_log_t 
++.EE
++
++- Set files with the zoneminder_log_t type, if you want to treat the data as zoneminder log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/motion\.log, /var/log/zoneminder(/.*)?
++
++.EX
++.PP
++.B zoneminder_spool_t 
++.EE
++
++- Set files with the zoneminder_spool_t type, if you want to store the zoneminder files under the /var/spool directory.
++
++
++.EX
++.PP
++.B zoneminder_tmpfs_t 
++.EE
++
++- Set files with the zoneminder_tmpfs_t type, if you want to store zoneminder files on a tmpfs file system.
++
++
++.EX
++.PP
++.B zoneminder_var_lib_t 
++.EE
++
++- Set files with the zoneminder_var_lib_t type, if you want to store the zoneminder files under the /var/lib directory.
++
++
++.EX
++.PP
++.B zoneminder_var_run_t 
++.EE
++
++- Set files with the zoneminder_var_run_t type, if you want to store the zoneminder files under the /run directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zoneminder policy is very flexible allowing users to setup their zoneminder processes in as secure a method as possible.
++.PP 
++The following process types are defined for zoneminder:
++
++.EX
++.B zoneminder_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), zoneminder(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/zos_selinux.8 b/man/man8/zos_selinux.8
+new file mode 100644
+index 0000000..b9eb5b9
+--- /dev/null
++++ b/man/man8/zos_selinux.8
+@@ -0,0 +1,81 @@
++.TH  "zos_selinux"  "8"  "zos" "dwalsh at redhat.com" "zos SELinux Policy documentation"
++.SH "NAME"
++zos_selinux \- Security Enhanced Linux Policy for the zos processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B zos
++(policy for z/OS Remote-services Audit dispatcher plugin)
++processes via flexible mandatory access
++control.  
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux zos policy is very flexible allowing users to setup their zos processes in as secure a method as possible.
++.PP 
++The following file types are defined for zos:
++
++
++.EX
++.PP
++.B zos_remote_exec_t 
++.EE
++
++- Set files with the zos_remote_exec_t type, if you want to transition an executable to the zos_remote_t domain.
++
++.br
++.TP 5
++Paths: 
++/sbin/audispd-zos-remote, /usr/sbin/audispd-zos-remote
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zos policy is very flexible allowing users to setup their zos processes in as secure a method as possible.
++.PP 
++The following process types are defined for zos:
++
++.EX
++.B zos_remote_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux 
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR	
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), zos(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/policy/constraints b/policy/constraints
 index 1308871..c994c93 100644
 --- a/policy/constraints
@@ -80,10 +58126,21 @@ index 1308871..c994c93 100644
  # fork
  # setexec
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index bf24160..468e0fd 100644
+index bf24160..4d0bdca 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
-@@ -862,3 +862,12 @@ inherits database
+@@ -393,6 +393,10 @@ class system
+ 	syslog_mod
+ 	syslog_console
+ 	module_request
++	halt
++	reboot
++	status
++	undefined
+ }
+ 
+ #
+@@ -862,3 +866,20 @@ inherits database
  	implement
  	execute
  }
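Review bot: The four permissions appended to `class system` (`halt`, `reboot`, `status`, `undefined`) carry no comment saying which object manager checks them, and `undefined` in particular gives a policy reviewer nothing to go on when deciding which domains should hold it. The existing entries visible here (`syslog_mod`, `syslog_console`, `module_request`) are kernel-checked, while the new ones look intended for a userspace manager, presumably systemd given the `service` class extended further down. A line such as `# userspace (systemd) permissions; not checked by the kernel` above `halt` would make that explicit. Appending after `module_request` rather than inserting mid-list is the right call, since the existing permissions keep their positions. The class body starts outside this hunk.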
@@ -95,18 +58152,29 @@ index bf24160..468e0fd 100644
 +	status
 +	reload
 +	kill
++	load
++	enable
++	disable
++}
++
++class proxy
++{
++	read
 +}
 diff --git a/policy/flask/security_classes b/policy/flask/security_classes
-index 14a4799..067ecfc 100644
+index 14a4799..db2e4a0 100644
 --- a/policy/flask/security_classes
 +++ b/policy/flask/security_classes
-@@ -131,4 +131,8 @@ class db_view			# userspace
+@@ -131,4 +131,11 @@ class db_view			# userspace
  class db_sequence		# userspace
  class db_language		# userspace
  
 +# systemd services 
 +class service 
 +
++# gssd services 
++class proxy
++
 +
  # FLASK
 diff --git a/policy/global_booleans b/policy/global_booleans
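Review bot: `class proxy` is appended to security_classes without the trailing `# userspace` tag that the `db_*` classes just above carry. Its comment `# gssd services` also does not say who enforces the single `read` permission defined for it in access_vectors. If the class is checked by a userspace object manager, as that comment suggests, I would write `class proxy			# userspace` so the file stays consistent. The `class service` line above it has the same omission.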
@@ -372,10 +58440,10 @@ index 63ef90e..a535b31 100644
  ')
  
 diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
-index d362d9c..10261ed 100644
+index d362d9c..230a2f6 100644
 --- a/policy/modules/admin/alsa.fc
 +++ b/policy/modules/admin/alsa.fc
-@@ -11,8 +11,10 @@ HOME_DIR/\.asoundrc	--	gen_context(system_u:object_r:alsa_home_t,s0)
+@@ -11,10 +11,14 @@ HOME_DIR/\.asoundrc	--	gen_context(system_u:object_r:alsa_home_t,s0)
  /sbin/salsa 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
  
  /usr/bin/ainit 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
@@ -386,8 +58454,12 @@ index d362d9c..10261ed 100644
  
  /usr/share/alsa/alsa\.conf	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
  /usr/share/alsa/pcm(/.*)?	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+ 
+ /var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_var_lib_t,s0)
++
++/usr/lib/systemd/system/alsa.*  --              gen_context(system_u:object_r:alsa_unit_file_t,s0)
 diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index 1392679..407f9f7 100644
+index 1392679..25e02df 100644
 --- a/policy/modules/admin/alsa.if
 +++ b/policy/modules/admin/alsa.if
 @@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',`
@@ -398,7 +58470,7 @@ index 1392679..407f9f7 100644
  ')
  
  ########################################
-@@ -206,3 +207,46 @@ interface(`alsa_read_lib',`
+@@ -206,3 +207,69 @@ interface(`alsa_read_lib',`
  	files_search_var_lib($1)
  	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
  ')
@@ -445,6 +58517,43 @@ index 1392679..407f9f7 100644
 +	files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
 +	files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
 +')
++
++########################################
++## <summary>
++##	Execute alsa server in the alsa domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`alsa_systemctl',`
++	gen_require(`
++		type alsa_t;
++		type alsa_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 alsa_unit_file_t:file read_file_perms;
++	allow $1 alsa_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, alsa_t)
++')
+diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
+index 54d0f14..413b6b6 100644
+--- a/policy/modules/admin/alsa.te
++++ b/policy/modules/admin/alsa.te
+@@ -22,6 +22,9 @@ files_type(alsa_var_lib_t)
+ type alsa_home_t;
+ userdom_user_home_content(alsa_home_t)
+ 
++type alsa_unit_file_t;
++systemd_unit_file(alsa_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
 diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
 index e3e0701..3fd0282 100644
 --- a/policy/modules/admin/amanda.fc
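Review bot: The doc header of the new `alsa_systemctl` interface describes a domain transition (`Execute alsa server in the alsa domain.`, `Domain allowed to transition.`), but no domtrans rule is visible in the body. The body calls `systemd_exec_systemctl($1)`, allows read and `manage_service_perms` on `alsa_unit_file_t`, and adds `ps_process_pattern($1, alsa_t)`. Callers choose interfaces by their summary, so I would reword it to `##	Execute systemctl to manage the alsa unit files.` and the parameter text to `##	Domain allowed access.`.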
@@ -520,11 +58629,15 @@ index 057abb0..c75e9e9 100644
  optional_policy(`
  	nscd_dontaudit_search_pid(amtu_t)
 diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
-index e81bdbd..dd1522d 100644
+index e81bdbd..c3328eb 100644
 --- a/policy/modules/admin/anaconda.te
 +++ b/policy/modules/admin/anaconda.te
-@@ -26,10 +26,8 @@ libs_domtrans_ldconfig(anaconda_t)
+@@ -22,14 +22,10 @@ kernel_domtrans_to(anaconda_t, anaconda_exec_t)
+ 
+ init_domtrans_script(anaconda_t)
  
+-libs_domtrans_ldconfig(anaconda_t)
+-
  logging_send_syslog_msg(anaconda_t)
  
 -modutils_domtrans_insmod(anaconda_t)
@@ -535,7 +58648,7 @@ index e81bdbd..dd1522d 100644
  
  userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
  
-@@ -38,6 +36,10 @@ optional_policy(`
+@@ -38,6 +34,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -546,7 +58659,7 @@ index e81bdbd..dd1522d 100644
  	rpm_domtrans(anaconda_t)
  	rpm_domtrans_script(anaconda_t)
  ')
-@@ -51,7 +53,7 @@ optional_policy(`
+@@ -51,7 +51,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -591,24 +58704,27 @@ index 0bfc958..af95b7a 100644
  optional_policy(`
  	cron_system_entry(backup_t, backup_exec_t)
 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..3cf6457 100644
+index 7a6f06f..530d2df 100644
 --- a/policy/modules/admin/bootloader.fc
 +++ b/policy/modules/admin/bootloader.fc
-@@ -1,9 +1,11 @@
+@@ -1,9 +1,14 @@
 -
 +/etc/default/grub	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
  /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
  /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
++/etc/zipl\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
  
 -/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/sbin/grub.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sbin/zipl			--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  
 -/usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/usr/sbin/grub.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/usr/sbin/lilo.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/usr/sbin/ybin.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
++/usr/sbin/zipl		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
 index 63eb96b..d7a6063 100644
 --- a/policy/modules/admin/bootloader.if
@@ -1254,25 +59370,21 @@ index c4d8998..bd59f2e 100644
 +	xserver_stream_connect(firstboot_t)
  ')
 diff --git a/policy/modules/admin/kdump.fc b/policy/modules/admin/kdump.fc
-index c66934f..b1d31d0 100644
+index c66934f..9f05409 100644
 --- a/policy/modules/admin/kdump.fc
 +++ b/policy/modules/admin/kdump.fc
-@@ -1,5 +1,13 @@
- /etc/kdump\.conf	--	gen_context(system_u:object_r:kdump_etc_t,s0)
- /etc/rc\.d/init\.d/kdump --	gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+@@ -3,3 +3,9 @@
  
-+/lib/systemd/system/kdump.service 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
  /sbin/kdump		--	gen_context(system_u:object_r:kdump_exec_t,s0)
  /sbin/kexec		--	gen_context(system_u:object_r:kdump_exec_t,s0)
 +
-+/usr/lib/systemd/system/kdump.service 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/kdump.* 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
 +
 +/usr/sbin/kdump		--	gen_context(system_u:object_r:kdump_exec_t,s0)
 +/usr/sbin/kexec		--	gen_context(system_u:object_r:kdump_exec_t,s0)
 +
 diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if
-index 4198ff5..419c7a9 100644
+index 4198ff5..9bf4898 100644
 --- a/policy/modules/admin/kdump.if
 +++ b/policy/modules/admin/kdump.if
 @@ -37,6 +37,30 @@ interface(`kdump_initrc_domtrans',`
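Review bot: The added file-context line for `/usr/lib/systemd/system/kdump.*` still assigns `iptables_unit_file_t`, which looks like a copy-paste from the iptables module rather than an intended label. The kdump.if hunks further down require `kdump_unit_file_t` and grant `admin_pattern` and `all_service_perms` on it in `kdump_admin`. With this label those rules would not cover the kdump unit file, and rules written for iptables unit files would apply to it instead. I would change the line to `/usr/lib/systemd/system/kdump.*		--	gen_context(system_u:object_r:kdump_unit_file_t,s0)`, assuming the three lines kdump.te gains (not visible here) declare that type.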
@@ -1331,8 +59443,11 @@ index 4198ff5..419c7a9 100644
  ####################################
  ## <summary>
  ##	Manage kdump configuration file.
-@@ -98,8 +140,11 @@ interface(`kdump_admin',`
+@@ -96,10 +138,14 @@ interface(`kdump_admin',`
+ 	gen_require(`
+ 		type kdump_t, kdump_etc_t;
  		type kdump_initrc_exec_t;
++		type kdump_unit_file_t;
  	')
  
 -	allow $1 kdump_t:process { ptrace signal_perms };
@@ -1344,8 +59459,17 @@ index 4198ff5..419c7a9 100644
  
  	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
  	domain_system_change_exemption($1)
+@@ -108,4 +154,8 @@ interface(`kdump_admin',`
+ 
+ 	files_search_etc($1)
+ 	admin_pattern($1, kdump_etc_t)
++
++	kdump_systemctl($1)
++	admin_pattern($1, kdump_unit_file_t)
++	allow $1 kdump_unit_file_t:service all_service_perms;
+ ')
 diff --git a/policy/modules/admin/kdump.te b/policy/modules/admin/kdump.te
-index b29d8e2..bcd9273 100644
+index b29d8e2..ed79499 100644
 --- a/policy/modules/admin/kdump.te
 +++ b/policy/modules/admin/kdump.te
 @@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
@@ -1358,6 +59482,14 @@ index b29d8e2..bcd9273 100644
  #####################################
  #
  # kdump local policy
+@@ -24,6 +27,7 @@ allow kdump_t self:capability { sys_boot dac_override };
+ 
+ read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
+ 
++files_read_etc_files(kdump_t)
+ files_read_etc_runtime_files(kdump_t)
+ files_read_kernel_img(kdump_t)
+ 
 diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if
 index c18c920..582f7f3 100644
 --- a/policy/modules/admin/kismet.if
@@ -1447,7 +59579,7 @@ index 4f7bd3c..9143343 100644
 -	unconfined_domain(kudzu_t)
  ')
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..2b5c34d 100644
+index 7090dae..51123b2 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
 @@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t)
@@ -1485,7 +59617,15 @@ index 7090dae..2b5c34d 100644
  
  selinux_get_fs_mount(logrotate_t)
  selinux_get_enforce_mode(logrotate_t)
-@@ -102,6 +103,7 @@ files_read_var_lib_files(logrotate_t)
+@@ -85,6 +86,7 @@ auth_use_nsswitch(logrotate_t)
+ # Run helper programs.
+ corecmd_exec_bin(logrotate_t)
+ corecmd_exec_shell(logrotate_t)
++corecmd_getattr_all_executables(logrotate_t)
+ 
+ domain_signal_all_domains(logrotate_t)
+ domain_use_interactive_fds(logrotate_t)
+@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t)
  files_manage_generic_spool(logrotate_t)
  files_manage_generic_spool_dirs(logrotate_t)
  files_getattr_generic_locks(logrotate_t)
@@ -1493,7 +59633,7 @@ index 7090dae..2b5c34d 100644
  
  # cjp: why is this needed?
  init_domtrans_script(logrotate_t)
-@@ -116,17 +118,16 @@ miscfiles_read_localization(logrotate_t)
+@@ -116,17 +119,17 @@ miscfiles_read_localization(logrotate_t)
  
  seutil_dontaudit_read_config(logrotate_t)
  
@@ -1510,6 +59650,7 @@ index 7090dae..2b5c34d 100644
 -
 -mta_send_mail(logrotate_t)
 +userdom_dontaudit_list_admin_dir(logrotate_t)
++userdom_dontaudit_getattr_user_home_content(logrotate_t)
  
  ifdef(`distro_debian', `
 -	allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
@@ -1517,7 +59658,7 @@ index 7090dae..2b5c34d 100644
  	# for savelog
  	can_exec(logrotate_t, logrotate_exec_t)
  
-@@ -138,7 +139,7 @@ ifdef(`distro_debian', `
+@@ -138,7 +141,7 @@ ifdef(`distro_debian', `
  ')
  
  optional_policy(`
@@ -1526,7 +59667,7 @@ index 7090dae..2b5c34d 100644
  ')
  
  optional_policy(`
-@@ -154,6 +155,10 @@ optional_policy(`
+@@ -154,6 +157,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1537,7 +59678,7 @@ index 7090dae..2b5c34d 100644
  	asterisk_domtrans(logrotate_t)
  ')
  
-@@ -162,10 +167,20 @@ optional_policy(`
+@@ -162,10 +169,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1558,7 +59699,7 @@ index 7090dae..2b5c34d 100644
  	cups_domtrans(logrotate_t)
  ')
  
-@@ -178,6 +193,10 @@ optional_policy(`
+@@ -178,6 +195,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1569,7 +59710,14 @@ index 7090dae..2b5c34d 100644
  	icecast_signal(logrotate_t)
  ')
  
-@@ -200,9 +219,12 @@ optional_policy(`
+@@ -194,15 +215,19 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	mysql_read_home_content(logrotate_t)
+ 	mysql_read_config(logrotate_t)
+ 	mysql_search_db(logrotate_t)
+ 	mysql_stream_connect(logrotate_t)
  ')
  
  optional_policy(`
@@ -1583,7 +59731,7 @@ index 7090dae..2b5c34d 100644
  
  optional_policy(`
  	samba_exec_log(logrotate_t)
-@@ -228,3 +250,14 @@ optional_policy(`
+@@ -228,3 +253,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -1615,10 +59763,18 @@ index 3c7b1e8..1e155f5 100644
 +
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
-index 75ce30f..63310a1 100644
+index 75ce30f..671d4e1 100644
 --- a/policy/modules/admin/logwatch.te
 +++ b/policy/modules/admin/logwatch.te
-@@ -19,6 +19,12 @@ files_lock_file(logwatch_lock_t)
+@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
+ 
+ type logwatch_t;
+ type logwatch_exec_t;
++init_daemon_domain(logwatch_t, logwatch_exec_t)
+ application_domain(logwatch_t, logwatch_exec_t)
+ role system_r types logwatch_t;
+ 
+@@ -19,6 +20,12 @@ files_lock_file(logwatch_lock_t)
  type logwatch_tmp_t;
  files_tmp_file(logwatch_tmp_t)
  
@@ -1631,7 +59787,7 @@ index 75ce30f..63310a1 100644
  ########################################
  #
  # Local policy
-@@ -39,6 +45,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
+@@ -39,6 +46,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
  manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
  files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
  
@@ -1641,7 +59797,7 @@ index 75ce30f..63310a1 100644
  kernel_read_fs_sysctls(logwatch_t)
  kernel_read_kernel_sysctls(logwatch_t)
  kernel_read_system_state(logwatch_t)
-@@ -58,6 +67,7 @@ files_list_var(logwatch_t)
+@@ -58,6 +68,7 @@ files_list_var(logwatch_t)
  files_read_var_symlinks(logwatch_t)
  files_read_etc_files(logwatch_t)
  files_read_etc_runtime_files(logwatch_t)
@@ -1649,7 +59805,7 @@ index 75ce30f..63310a1 100644
  files_read_usr_files(logwatch_t)
  files_search_spool(logwatch_t)
  files_search_mnt(logwatch_t)
-@@ -70,6 +80,8 @@ fs_getattr_all_fs(logwatch_t)
+@@ -70,6 +81,8 @@ fs_getattr_all_fs(logwatch_t)
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
  fs_list_inotifyfs(logwatch_t)
  
@@ -1658,7 +59814,7 @@ index 75ce30f..63310a1 100644
  term_dontaudit_getattr_pty_dirs(logwatch_t)
  term_dontaudit_list_ptys(logwatch_t)
  
-@@ -92,11 +104,14 @@ sysnet_dns_name_resolve(logwatch_t)
+@@ -92,11 +105,14 @@ sysnet_dns_name_resolve(logwatch_t)
  sysnet_exec_ifconfig(logwatch_t)
  
  userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -1674,7 +59830,7 @@ index 75ce30f..63310a1 100644
  	files_getattr_all_file_type_fs(logwatch_t)
  ')
  
-@@ -145,3 +160,24 @@ optional_policy(`
+@@ -145,3 +161,24 @@ optional_policy(`
  	samba_read_log(logwatch_t)
  	samba_read_share_files(logwatch_t)
  ')
@@ -1710,7 +59866,7 @@ index 56c43c0..409bbfc 100644
 +
 +/var/run/mcelog.*	 	gen_context(system_u:object_r:mcelog_var_run_t,s0)
 diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
-index 5671977..8ddc091 100644
+index 5671977..a4a5f20 100644
 --- a/policy/modules/admin/mcelog.te
 +++ b/policy/modules/admin/mcelog.te
 @@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0)
@@ -1729,7 +59885,7 @@ index 5671977..8ddc091 100644
  
  ########################################
  #
-@@ -17,16 +23,34 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
+@@ -17,16 +23,35 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
  
  allow mcelog_t self:capability sys_admin;
  
@@ -1744,6 +59900,7 @@ index 5671977..8ddc091 100644
 +
  kernel_read_system_state(mcelog_t)
  
++corecmd_exec_shell(mcelog_t)
 +corecmd_exec_bin(mcelog_t)
 +
  dev_read_raw_memory(mcelog_t)
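Review bot: `corecmd_exec_shell(mcelog_t)` is added with no comment, and `mcelog_t` already holds `self:capability sys_admin` and `dev_read_raw_memory` in this module, so shell execution in that domain deserves a stated reason. If the shell is needed for mcelog's trigger scripts (an assumption; the page does not say), a line such as `# mcelog runs its trigger scripts through the shell` above the call would record that. The rest of the mcelog.te changes fall outside this hunk.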
@@ -1881,12 +60038,19 @@ index ec29391..28c9672 100644
  
  optional_policy(`
 diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
-index 407078f..b5a91f8 100644
+index 407078f..56cc947 100644
 --- a/policy/modules/admin/netutils.fc
 +++ b/policy/modules/admin/netutils.fc
-@@ -6,9 +6,12 @@
+@@ -1,15 +1,20 @@
+ /bin/ping.* 		--	gen_context(system_u:object_r:ping_exec_t,s0)
+-/bin/tracepath.*		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
++/bin/tracepath.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ 
+ /sbin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
  
  /usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
++/usr/bin/mtr		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
  /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 +/usr/bin/ping.* 	--	gen_context(system_u:object_r:ping_exec_t,s0)
 +/usr/bin/tracepath.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
@@ -1897,7 +60061,9 @@ index 407078f..b5a91f8 100644
 +/usr/sbin/fping.* 	--	gen_context(system_u:object_r:ping_exec_t,s0)
  /usr/sbin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
  /usr/sbin/hping2	--	gen_context(system_u:object_r:ping_exec_t,s0)
++/usr/sbin/mtr		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
  /usr/sbin/send_arp	--	gen_context(system_u:object_r:ping_exec_t,s0)
+ /usr/sbin/tcpdump	--	gen_context(system_u:object_r:netutils_exec_t,s0)
 diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
 index c6ca761..46e0767 100644
 --- a/policy/modules/admin/netutils.if
@@ -2058,14 +60224,60 @@ index e0791b9..9f49d01 100644
 +	term_dontaudit_use_all_ptys(traceroute_t)
 +')
 diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if
-index f68b573..59ee69c 100644
+index f68b573..30b3188 100644
 --- a/policy/modules/admin/passenger.if
 +++ b/policy/modules/admin/passenger.if
-@@ -37,3 +37,25 @@ interface(`passenger_read_lib_files',`
+@@ -18,6 +18,24 @@ interface(`passenger_domtrans',`
+ 	domtrans_pattern($1, passenger_exec_t, passenger_t)
+ ')
+ 
++######################################
++## <summary>
++##	Execute passenger in the current domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`passenger_exec',`
++	gen_require(`
++		type passenger_exec_t;
++	')
++
++	can_exec($1, passenger_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Read passenger lib files
+@@ -37,3 +55,46 @@ interface(`passenger_read_lib_files',`
  	read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
  	files_search_var_lib($1)
  ')
 +
++########################################
++## <summary>
++##	Manage passenger lib files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`passenger_manage_lib_files',`
++	gen_require(`
++		type passenger_var_lib_t;
++	')
++
++	manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++	manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++	manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++	files_search_var_lib($1)
++')
++
 +#####################################
 +## <summary>
 +##  Manage passenger var_run content.
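Review bot: In the new `passenger_exec` interface the parameter is documented as `Domain allowed to transition.`, but the body is `can_exec($1, passenger_exec_t)`. The summary itself says the program runs in the current domain, so no transition is involved. I would make it `##	Domain allowed access.`, matching `passenger_manage_lib_files` added in the same hunk. The wording appears to have been carried over from `passenger_domtrans` just above.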
@@ -2132,83 +60344,6 @@ index 3470036..41f736e 100644
 +	puppet_search_log(passenger_t)
 +	puppet_search_pid(passenger_t)
 +')
-diff --git a/policy/modules/admin/permissivedomains.fc b/policy/modules/admin/permissivedomains.fc
-new file mode 100644
-index 0000000..6e6a8fc
---- /dev/null
-+++ b/policy/modules/admin/permissivedomains.fc
-@@ -0,0 +1 @@
-+# No file contexts 
-diff --git a/policy/modules/admin/permissivedomains.if b/policy/modules/admin/permissivedomains.if
-new file mode 100644
-index 0000000..bd83148
---- /dev/null
-+++ b/policy/modules/admin/permissivedomains.if
-@@ -0,0 +1 @@
-+## <summary>No Interfaces</summary>
-diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
-new file mode 100644
-index 0000000..75c0f07
---- /dev/null
-+++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,57 @@
-+policy_module(permissivedomains,17)
-+
-+
-+optional_policy(`
-+	gen_require(`
-+		type blueman_t;
-+	')
-+
-+	permissive blueman_t;
-+')
-+
-+optional_policy(`
-+	gen_require(`
-+		type httpd_zoneminder_script_t, zoneminder_t;
-+	')
-+
-+	permissive httpd_zoneminder_script_t;
-+	permissive zoneminder_t;
-+')
-+
-+optional_policy(`
-+    gen_require(`
-+        type selinux_munin_plugin_t;
-+    ')
-+
-+	permissive selinux_munin_plugin_t;
-+')
-+
-+optional_policy(`
-+    gen_require(`
-+        type dnssec_trigger_t;
-+    ')
-+
-+    permissive dnssec_trigger_t;
-+')
-+
-+
-+optional_policy(`
-+    gen_require(`
-+        type obex_t;
-+    ')
-+
-+    permissive obex_t;
-+')
-+
-+optional_policy(`
-+    gen_require(`
-+        type sge_shepherd_t;
-+		type sge_execd_t;
-+		type sge_job_t;
-+    ')
-+
-+	permissive sge_shepherd_t;
-+	permissive sge_execd_t;
-+	permissive sge_job_t;
-+
-+')
 diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
 index db46387..b665b08 100644
 --- a/policy/modules/admin/portage.fc
@@ -2294,7 +60429,7 @@ index 93ec175..0e42018 100644
  	')
  ')
 diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..5d940f8 100644
+index af55369..437026a 100644
 --- a/policy/modules/admin/prelink.te
 +++ b/policy/modules/admin/prelink.te
 @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -2377,13 +60512,15 @@ index af55369..5d940f8 100644
  
  	domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
  	allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,17 +170,29 @@ optional_policy(`
+@@ -148,17 +170,31 @@ optional_policy(`
  	files_read_etc_files(prelink_cron_system_t)
  	files_search_var_lib(prelink_cron_system_t)
  
 -	init_exec(prelink_cron_system_t)
 +	fs_search_cgroup_dirs(prelink_cron_system_t)
 +
++	auth_use_nsswitch(prelink_cron_system_t)
++
 +	init_telinit(prelink_cron_system_t)
  
  	libs_exec_ld_so(prelink_cron_system_t)
@@ -2439,10 +60576,61 @@ index f387230..e63f9c6 100644
 +
 +/var/run/quota_nld\.pid --  gen_context(system_u:object_r:quota_nld_var_run_t,s0)
 diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
-index bf75d99..d1af9cf 100644
+index bf75d99..3fb8575 100644
 --- a/policy/modules/admin/quota.if
 +++ b/policy/modules/admin/quota.if
-@@ -83,3 +83,59 @@ interface(`quota_manage_flags',`
+@@ -45,6 +45,24 @@ interface(`quota_run',`
+ 	role $2 types quota_t;
+ ')
+ 
++#######################################
++## <summary>
++##  Alow to read of filesystem quota data files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain to not audit.
++##  </summary>
++## </param>
++#
++interface(`quota_read_db',`
++    gen_require(`
++        type quota_db_t;
++    ')
++
++    allow $1 quota_db_t:file read_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to get the attributes
+@@ -67,6 +85,25 @@ interface(`quota_dontaudit_getattr_db',`
+ ########################################
+ ## <summary>
+ ##	Create, read, write, and delete quota
++##	db files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`quota_manage_db',`
++	gen_require(`
++		type quota_db_t;
++	')
++
++	allow $1 quota_db_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete quota
+ ##	flag files.
+ ## </summary>
+ ## <param name="domain">
+@@ -83,3 +120,59 @@ interface(`quota_manage_flags',`
  	files_search_var_lib($1)
  	manage_files_pattern($1, quota_flag_t, quota_flag_t)
  ')
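Review bot: Both new interfaces, `quota_read_db` and `quota_manage_db`, document their parameter as `Domain to not audit.`, although each body is an `allow` rule (`read_file_perms` and `manage_file_perms` on `quota_db_t`), not a `dontaudit`. That text appears to come from `quota_dontaudit_getattr_db` and would mislead a caller about what the interface grants. I would use `##	Domain allowed access.` in both. The `quota_read_db` summary also reads `Alow to read of filesystem quota data files.`; `##  Read filesystem quota data files.` says the same thing cleanly.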
@@ -2503,10 +60691,20 @@ index bf75d99..d1af9cf 100644
 +    domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
 +')
 diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
-index 5dd42f5..c0b7cd0 100644
+index 5dd42f5..b4ebb85 100644
 --- a/policy/modules/admin/quota.te
 +++ b/policy/modules/admin/quota.te
-@@ -15,6 +15,13 @@ files_type(quota_db_t)
+@@ -7,7 +7,8 @@ policy_module(quota, 1.5.0)
+ 
+ type quota_t;
+ type quota_exec_t;
+-init_system_domain(quota_t, quota_exec_t)
++application_domain(quota_t, quota_exec_t)
++#init_system_domain(quota_t, quota_exec_t)
+ 
+ type quota_db_t;
+ files_type(quota_db_t)
+@@ -15,6 +16,13 @@ files_type(quota_db_t)
  type quota_flag_t;
  files_type(quota_flag_t)
  
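Review bot: The switch from `init_system_domain(quota_t, quota_exec_t)` to `application_domain(quota_t, quota_exec_t)` leaves the old call behind as the commented-out line `#init_system_domain(quota_t, quota_exec_t)`, with no reason given. Which macro declares the domain affects how `quota_t` may be entered, so the rationale belongs in the file. I would drop the dead line and put a short why-comment above the new call, for example `# quota is run by users and scripts, not started by init`, if that is indeed the reason.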
@@ -2520,7 +60718,7 @@ index 5dd42f5..c0b7cd0 100644
  ########################################
  #
  # Local policy
-@@ -34,6 +41,13 @@ files_home_filetrans(quota_t, quota_db_t, file)
+@@ -34,6 +42,13 @@ files_home_filetrans(quota_t, quota_db_t, file)
  files_usr_filetrans(quota_t, quota_db_t, file)
  files_var_filetrans(quota_t, quota_db_t, file)
  files_spool_filetrans(quota_t, quota_db_t, file)
@@ -2534,7 +60732,7 @@ index 5dd42f5..c0b7cd0 100644
  
  kernel_list_proc(quota_t)
  kernel_read_proc_symlinks(quota_t)
-@@ -72,7 +86,7 @@ init_use_script_ptys(quota_t)
+@@ -72,7 +87,7 @@ init_use_script_ptys(quota_t)
  
  logging_send_syslog_msg(quota_t)
  
@@ -2543,7 +60741,7 @@ index 5dd42f5..c0b7cd0 100644
  userdom_dontaudit_use_unpriv_user_fds(quota_t)
  
  optional_policy(`
-@@ -82,3 +96,34 @@ optional_policy(`
+@@ -82,3 +97,34 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(quota_t)
  ')
@@ -2579,15 +60777,13 @@ index 5dd42f5..c0b7cd0 100644
 +    dbus_connect_system_bus(quota_nld_t)
 +')
 diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
-index 7077413..8aa9c0e 100644
+index 7077413..0428aee 100644
 --- a/policy/modules/admin/readahead.fc
 +++ b/policy/modules/admin/readahead.fc
-@@ -1,3 +1,12 @@
+@@ -1,3 +1,10 @@
 -/usr/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 +/dev/\.systemd/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_run_t,s0)
 +
-+/lib/systemd/systemd-readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
-+
  /sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 +/usr/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 +
@@ -2729,7 +60925,7 @@ index b4ac57e..ef944a4 100644
  logging_send_syslog_msg(readahead_t)
  logging_set_audit_parameters(readahead_t)
 diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index b206bf6..2ba67e7 100644
+index b206bf6..3d5caa1 100644
 --- a/policy/modules/admin/rpm.fc
 +++ b/policy/modules/admin/rpm.fc
 @@ -6,7 +6,9 @@
@@ -2742,10 +60938,11 @@ index b206bf6..2ba67e7 100644
  /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  /usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -19,14 +21,20 @@
+@@ -19,23 +21,31 @@
  /usr/share/yumex/yum_childtask\.py --	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  ifdef(`distro_redhat', `
++/usr/sbin/bcfg2				--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/package-cleanup	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/bin/rpmdev-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -2763,8 +60960,10 @@ index b206bf6..2ba67e7 100644
  /var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
  
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
-@@ -36,6 +44,8 @@ ifdef(`distro_redhat', `
- /var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
+ /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
+ /var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
+ 
+-/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
  /var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
  
 +/var/spool/up2date(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
@@ -2969,7 +61168,7 @@ index d33daa8..8ba0f86 100644
 +	allow rpm_script_t $1:process sigchld;
 +')
 diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..8bc5a27 100644
+index 47a8f7d..a609a22 100644
 --- a/policy/modules/admin/rpm.te
 +++ b/policy/modules/admin/rpm.te
 @@ -1,10 +1,11 @@
@@ -3052,7 +61251,7 @@ index 47a8f7d..8bc5a27 100644
  domain_use_interactive_fds(rpm_t)
  domain_dontaudit_getattr_all_pipes(rpm_t)
  domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
-@@ -173,11 +192,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+@@ -173,23 +192,26 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
  domain_dontaudit_getattr_all_raw_sockets(rpm_t)
  domain_dontaudit_getattr_all_stream_sockets(rpm_t)
  domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
@@ -3066,7 +61265,7 @@ index 47a8f7d..8bc5a27 100644
  
  libs_exec_ld_so(rpm_t)
  libs_exec_lib_files(rpm_t)
-@@ -185,11 +206,13 @@ libs_domtrans_ldconfig(rpm_t)
+-libs_domtrans_ldconfig(rpm_t)
  
  logging_send_syslog_msg(rpm_t)
  
@@ -3081,7 +61280,7 @@ index 47a8f7d..8bc5a27 100644
  userdom_use_unpriv_users_fds(rpm_t)
  
  optional_policy(`
-@@ -207,6 +230,7 @@ optional_policy(`
+@@ -207,6 +229,7 @@ optional_policy(`
  	optional_policy(`
  		networkmanager_dbus_chat(rpm_t)
  	')
@@ -3089,7 +61288,7 @@ index 47a8f7d..8bc5a27 100644
  ')
  
  optional_policy(`
-@@ -214,7 +238,7 @@ optional_policy(`
+@@ -214,7 +237,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3098,7 +61297,7 @@ index 47a8f7d..8bc5a27 100644
  	# yum-updatesd requires this
  	unconfined_dbus_chat(rpm_t)
  	unconfined_dbus_chat(rpm_script_t)
-@@ -225,7 +249,8 @@ optional_policy(`
+@@ -225,7 +248,8 @@ optional_policy(`
  # rpm-script Local policy
  #
  
@@ -3108,7 +61307,7 @@ index 47a8f7d..8bc5a27 100644
  allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
  allow rpm_script_t self:fd use;
  allow rpm_script_t self:fifo_file rw_fifo_file_perms;
-@@ -257,12 +282,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -257,12 +281,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
  fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  can_exec(rpm_script_t, rpm_script_tmpfs_t)
  
@@ -3127,7 +61326,7 @@ index 47a8f7d..8bc5a27 100644
  dev_list_sysfs(rpm_script_t)
  
  # ideally we would not need this
-@@ -282,7 +313,6 @@ fs_unmount_xattr_fs(rpm_script_t)
+@@ -282,7 +312,6 @@ fs_unmount_xattr_fs(rpm_script_t)
  fs_search_auto_mountpoints(rpm_script_t)
  
  mcs_killall(rpm_script_t)
@@ -3135,7 +61334,7 @@ index 47a8f7d..8bc5a27 100644
  
  mls_file_read_all_levels(rpm_script_t)
  mls_file_write_all_levels(rpm_script_t)
-@@ -299,19 +329,20 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -299,19 +328,20 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -3160,7 +61359,12 @@ index 47a8f7d..8bc5a27 100644
  domain_use_interactive_fds(rpm_script_t)
  domain_signal_all_domains(rpm_script_t)
  domain_signull_all_domains(rpm_script_t)
-@@ -331,23 +362,24 @@ libs_domtrans_ldconfig(rpm_script_t)
+@@ -326,28 +356,28 @@ init_telinit(rpm_script_t)
+ 
+ libs_exec_ld_so(rpm_script_t)
+ libs_exec_lib_files(rpm_script_t)
+-libs_domtrans_ldconfig(rpm_script_t)
+ 
  logging_send_syslog_msg(rpm_script_t)
  
  miscfiles_read_localization(rpm_script_t)
@@ -3189,7 +61393,18 @@ index 47a8f7d..8bc5a27 100644
  	allow rpm_script_t self:process execmem;
  ')
  
-@@ -368,6 +400,11 @@ optional_policy(`
+@@ -356,6 +386,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	cups_filetrans_named_content(rpm_script_t)
++')
++
++optional_policy(`
+ 	dbus_system_bus_client(rpm_script_t)
+ ')
+ 
+@@ -368,6 +402,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3201,7 +61416,7 @@ index 47a8f7d..8bc5a27 100644
  	tzdata_domtrans(rpm_t)
  	tzdata_domtrans(rpm_script_t)
  ')
-@@ -377,7 +414,7 @@ optional_policy(`
+@@ -377,7 +416,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3211,10 +61426,18 @@ index 47a8f7d..8bc5a27 100644
  
  	optional_policy(`
 diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te
-index c8ef84b..eb4bd05 100644
+index c8ef84b..c761721 100644
 --- a/policy/modules/admin/sectoolm.te
 +++ b/policy/modules/admin/sectoolm.te
-@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t)
+@@ -8,6 +8,7 @@ policy_module(sectoolm, 1.0.0)
+ type sectoolm_t;
+ type sectoolm_exec_t;
+ dbus_system_domain(sectoolm_t, sectoolm_exec_t)
++init_daemon_domain(sectoolm_t, sectoolm_exec_t)
+ 
+ type sectool_var_lib_t;
+ files_type(sectool_var_lib_t)
+@@ -23,7 +24,7 @@ files_tmp_file(sectool_tmp_t)
  # sectool local policy
  #
  
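Review bot: `init_daemon_domain(sectoolm_t, sectoolm_exec_t)` is added right after `dbus_system_domain(...)` with no comment, and the same pairing is added for `cpufreqselector_t` and `firewallgui_t` in later hunks. Going by the interface name, this gives init its own entry point into each helper domain in addition to the D-Bus daemon, so the reason should be recorded once per module, e.g. `# also started by init/systemd on bus activation: <bug reference>` if that is the case. In cpufreqselector.te the call sits inside the `optional_policy` block that holds `dbus_system_domain`, so it only takes effect when the dbus module is present; the comment should say so.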
@@ -3223,7 +61446,7 @@ index c8ef84b..eb4bd05 100644
  allow sectoolm_t self:process { getcap getsched	signull setsched };
  dontaudit sectoolm_t self:process { execstack execmem };
  allow sectoolm_t self:fifo_file rw_fifo_file_perms;
-@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t)
+@@ -70,12 +71,6 @@ application_exec_all(sectoolm_t)
  
  auth_use_nsswitch(sectoolm_t)
  
@@ -3236,7 +61459,7 @@ index c8ef84b..eb4bd05 100644
  libs_exec_ld_so(sectoolm_t)
  
  logging_send_syslog_msg(sectoolm_t)
-@@ -84,6 +78,17 @@ logging_send_syslog_msg(sectoolm_t)
+@@ -84,6 +79,17 @@ logging_send_syslog_msg(sectoolm_t)
  sysnet_domtrans_ifconfig(sectoolm_t)
  
  userdom_manage_user_tmp_sockets(sectoolm_t)
@@ -3429,16 +61652,21 @@ index 97671a3..eb84cd0 100644
 +
 +/var/run/shutdown\.pid		--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
 diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
-index d0604cf..95c53c5 100644
+index d0604cf..b66057c 100644
 --- a/policy/modules/admin/shutdown.if
 +++ b/policy/modules/admin/shutdown.if
-@@ -18,9 +18,13 @@ interface(`shutdown_domtrans',`
+@@ -18,9 +18,18 @@ interface(`shutdown_domtrans',`
  	corecmd_search_bin($1)
  	domtrans_pattern($1, shutdown_exec_t, shutdown_t)
  
++	init_reboot($1)
++	init_halt($1)
++
 +	optional_policy(`
 +		systemd_exec_systemctl($1)
 +		init_stream_connect($1)
++		systemd_login_reboot($1)
++		systemd_login_halt($1)
 +	')
 +
  	ifdef(`hide_broken_symptoms', `
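Review bot: In `shutdown_domtrans` the new `init_reboot($1)` and `init_halt($1)` lines are granted to the caller unconditionally, so every domain that is merely allowed to run the shutdown binary also gets whatever direct reboot/halt access to init those interfaces carry. Inside the optional block, `systemd_login_reboot($1)` and `systemd_login_halt($1)` appear to do the same for logind. A domain-transition interface is normally expected to grant only the transition, so this widening should be stated in the interface's summary text, or the new calls moved to a separate interface that callers opt into. If they stay here, a comment above them such as `# caller may ask init/logind directly: <reason, bug reference>` would record the intent. The interface body starts before and continues after this hunk.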
@@ -3448,7 +61676,7 @@ index d0604cf..95c53c5 100644
  	')
  ')
  
-@@ -51,6 +55,73 @@ interface(`shutdown_run',`
+@@ -51,6 +60,73 @@ interface(`shutdown_run',`
  
  ########################################
  ## <summary>
@@ -3523,7 +61751,7 @@ index d0604cf..95c53c5 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
-index 8966ec9..8fbe943 100644
+index 8966ec9..d3528a0 100644
 --- a/policy/modules/admin/shutdown.te
 +++ b/policy/modules/admin/shutdown.te
 @@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0)
@@ -3545,7 +61773,7 @@ index 8966ec9..8fbe943 100644
  
  allow shutdown_t self:fifo_file manage_fifo_file_perms;
  allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
-@@ -33,18 +34,21 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
+@@ -33,18 +34,22 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
  manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
  files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
  
@@ -3555,10 +61783,11 @@ index 8966ec9..8fbe943 100644
  
  files_read_etc_files(shutdown_t)
  files_read_generic_pids(shutdown_t)
++files_delete_boot_flag(shutdown_t)
++
++mls_file_write_to_clearance(shutdown_t)
  
 -term_use_all_terms(shutdown_t)
-+mls_file_write_to_clearance(shutdown_t)
-+
 +term_use_all_inherited_terms(shutdown_t)
  
  auth_use_nsswitch(shutdown_t)
@@ -3570,7 +61799,7 @@ index 8966ec9..8fbe943 100644
  init_stream_connect(shutdown_t)
  init_telinit(shutdown_t)
  
-@@ -54,10 +58,24 @@ logging_send_audit_msgs(shutdown_t)
+@@ -54,10 +59,24 @@ logging_send_audit_msgs(shutdown_t)
  miscfiles_read_localization(shutdown_t)
  
  optional_policy(`
@@ -3785,7 +62014,7 @@ index 7bddc02..2b59ed0 100644
 +
 +/var/db/sudo(/.*)?		gen_context(system_u:object_r:sudo_db_t,s0)
 diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 975af1a..748db5b 100644
+index 975af1a..0ae7660 100644
 --- a/policy/modules/admin/sudo.if
 +++ b/policy/modules/admin/sudo.if
 @@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -3829,7 +62058,7 @@ index 975af1a..748db5b 100644
  
  	allow $1_sudo_t $3:key search;
  
-@@ -76,88 +63,19 @@ template(`sudo_role_template',`
+@@ -76,86 +63,25 @@ template(`sudo_role_template',`
  	# By default, revert to the calling domain when a shell is executed.
  	corecmd_shell_domtrans($1_sudo_t, $3)
  	corecmd_bin_domtrans($1_sudo_t, $3)
@@ -3912,19 +62141,19 @@ index 975af1a..748db5b 100644
 -		fs_manage_cifs_files($1_sudo_t)
 -	')
 -
--	optional_policy(`
+ 	optional_policy(`
 -		dbus_system_bus_client($1_sudo_t)
--	')
--
--	optional_policy(`
++		mta_role($2, $1_sudo_t)
+ 	')
+ 
+ 	optional_policy(`
 -		fprintd_dbus_chat($1_sudo_t)
--	')
--
-+	mta_role($2, $1_sudo_t)
- ')
++    	kerberos_manage_host_rcache($1_sudo_t)
++    	kerberos_read_config($1_sudo_t)
+ 	')
  
- ########################################
-@@ -177,3 +95,22 @@ interface(`sudo_sigchld',`
+ ')
+@@ -177,3 +103,22 @@ interface(`sudo_sigchld',`
  
  	allow $1 sudodomain:process sigchld;
  ')
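Review bot: The two lines added to `sudo_role_template`, `kerberos_manage_host_rcache($1_sudo_t)` and `kerberos_read_config($1_sudo_t)`, are indented with four spaces followed by a tab, while the rest of the template uses a single tab. Nothing explains why every per-role sudo domain needs manage access, rather than read access, to the Kerberos host replay cache. I would re-indent them to one tab and put a comment above the block naming the authentication path that needs it, for example `# Kerberos-backed PAM auth: <module, bug reference>`. The template starts before this hunk.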
@@ -3948,7 +62177,7 @@ index 975af1a..748db5b 100644
 +	can_exec($1, sudo_exec_t)
 +')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index 2731fa1..9ce39dd 100644
+index 2731fa1..43d1362 100644
 --- a/policy/modules/admin/sudo.te
 +++ b/policy/modules/admin/sudo.te
 @@ -7,3 +7,104 @@ attribute sudodomain;
@@ -3995,6 +62224,7 @@ index 2731fa1..9ce39dd 100644
 +dev_read_urand(sudodomain)
 +dev_rw_generic_usb_dev(sudodomain)
 +dev_read_sysfs(sudodomain)
++dev_dontaudit_getattr_all(sudodomain)
 +
 +domain_use_interactive_fds(sudodomain)
 +domain_sigchld_interactive_fds(sudodomain)
@@ -4002,8 +62232,7 @@ index 2731fa1..9ce39dd 100644
 +
 +files_read_etc_files(sudodomain)
 +files_read_var_files(sudodomain)
-+files_read_usr_symlinks(sudodomain)
-+files_getattr_usr_files(sudodomain)
++files_read_usr_files(sudodomain)
 +# for some PAM modules and for cwd
 +files_dontaudit_search_home(sudodomain)
 +files_list_tmp(sudodomain)
@@ -4091,7 +62320,7 @@ index d5aaf0e..6b16aef 100644
  optional_policy(`
  	mta_send_mail(sxid_t)
 diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..65681da 100644
+index 6a5004b..5f12852 100644
 --- a/policy/modules/admin/tmpreaper.te
 +++ b/policy/modules/admin/tmpreaper.te
 @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -4102,7 +62331,7 @@ index 6a5004b..65681da 100644
  application_domain(tmpreaper_t, tmpreaper_exec_t)
  role system_r types tmpreaper_t;
  
-@@ -18,6 +19,8 @@ role system_r types tmpreaper_t;
+@@ -18,33 +19,46 @@ role system_r types tmpreaper_t;
  allow tmpreaper_t self:process { fork sigchld };
  allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
  
@@ -4111,7 +62340,8 @@ index 6a5004b..65681da 100644
  dev_read_urand(tmpreaper_t)
  
  fs_getattr_xattr_fs(tmpreaper_t)
-@@ -25,11 +28,15 @@ fs_getattr_xattr_fs(tmpreaper_t)
++fs_list_all(tmpreaper_t)
+ 
  files_read_etc_files(tmpreaper_t)
  files_read_var_lib_files(tmpreaper_t)
  files_purge_tmp(tmpreaper_t)
@@ -4127,7 +62357,10 @@ index 6a5004b..65681da 100644
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
  
-@@ -38,13 +45,17 @@ logging_send_syslog_msg(tmpreaper_t)
++auth_use_nsswitch(tmpreaper_t)
++
+ logging_send_syslog_msg(tmpreaper_t)
+ 
  miscfiles_read_localization(tmpreaper_t)
  miscfiles_delete_man_pages(tmpreaper_t)
  
@@ -4149,7 +62382,7 @@ index 6a5004b..65681da 100644
  ')
  
  optional_policy(`
-@@ -52,7 +63,9 @@ optional_policy(`
+@@ -52,7 +66,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -4159,7 +62392,7 @@ index 6a5004b..65681da 100644
  	apache_delete_cache_files(tmpreaper_t)
  	apache_setattr_cache_dirs(tmpreaper_t)
  ')
-@@ -66,9 +79,13 @@ optional_policy(`
+@@ -66,9 +82,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -4425,7 +62658,7 @@ index 81fb26f..66cf96c 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..3a9e8d5 100644
+index 441cf22..968fdbe 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -4436,7 +62669,7 @@ index 441cf22..3a9e8d5 100644
  
  selinux_get_fs_mount(chfn_t)
  selinux_validate_context(chfn_t)
-@@ -79,25 +80,25 @@ selinux_compute_create_context(chfn_t)
+@@ -79,25 +80,26 @@ selinux_compute_create_context(chfn_t)
  selinux_compute_relabel_context(chfn_t)
  selinux_compute_user_contexts(chfn_t)
  
@@ -4461,6 +62694,7 @@ index 441cf22..3a9e8d5 100644
  
  # allow checking if a shell is executable
  corecmd_check_exec_shell(chfn_t)
++corecmd_exec_bin(chfn_t)
  
  domain_use_interactive_fds(chfn_t)
  
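Review bot: `corecmd_exec_bin(chfn_t)` is added directly under the comment `# allow checking if a shell is executable`, but it grants more than a check. The same interface is commented a few hunks later, for useradd_t, as executing programs under /usr/bin and /usr/sbin, so chfn_t can now run generic bin programs inside its own domain. chfn_t, by its name, serves the user-invoked chfn/chsh tools, so the line should carry its own comment stating which helper it has to run, e.g. `# runs <helper> labelled bin_t: <bug reference>`, and be separated from the shell-check comment by a blank line. The chfn_t rules start before and continue after this hunk.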
@@ -4468,7 +62702,7 @@ index 441cf22..3a9e8d5 100644
  files_read_etc_runtime_files(chfn_t)
  files_dontaudit_search_var(chfn_t)
  files_dontaudit_search_home(chfn_t)
-@@ -105,6 +106,7 @@ files_dontaudit_search_home(chfn_t)
+@@ -105,6 +107,7 @@ files_dontaudit_search_home(chfn_t)
  # /usr/bin/passwd asks for w access to utmp, but it will operate
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(chfn_t)
@@ -4476,7 +62710,15 @@ index 441cf22..3a9e8d5 100644
  
  miscfiles_read_localization(chfn_t)
  
-@@ -118,6 +120,10 @@ userdom_use_unpriv_users_fds(chfn_t)
+@@ -113,11 +116,18 @@ logging_send_syslog_msg(chfn_t)
+ # uses unix_chkpwd for checking passwords
+ seutil_dontaudit_search_config(chfn_t)
+ 
++userdom_manage_user_tmp_files(chfn_t)
++userdom_tmp_filetrans_user_tmp(chfn_t, { file })
++
+ userdom_use_unpriv_users_fds(chfn_t)
+ # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(chfn_t)
  
@@ -4487,7 +62729,7 @@ index 441cf22..3a9e8d5 100644
  ########################################
  #
  # Crack local policy
-@@ -194,8 +200,8 @@ selinux_compute_create_context(groupadd_t)
+@@ -194,8 +204,8 @@ selinux_compute_create_context(groupadd_t)
  selinux_compute_relabel_context(groupadd_t)
  selinux_compute_user_contexts(groupadd_t)
  
@@ -4498,7 +62740,7 @@ index 441cf22..3a9e8d5 100644
  
  init_use_fds(groupadd_t)
  init_read_utmp(groupadd_t)
-@@ -203,8 +209,8 @@ init_dontaudit_write_utmp(groupadd_t)
+@@ -203,8 +213,8 @@ init_dontaudit_write_utmp(groupadd_t)
  
  domain_use_interactive_fds(groupadd_t)
  
@@ -4508,7 +62750,7 @@ index 441cf22..3a9e8d5 100644
  files_read_etc_runtime_files(groupadd_t)
  files_read_usr_symlinks(groupadd_t)
  
-@@ -219,9 +225,10 @@ miscfiles_read_localization(groupadd_t)
+@@ -219,9 +229,10 @@ miscfiles_read_localization(groupadd_t)
  auth_domtrans_chk_passwd(groupadd_t)
  auth_rw_lastlog(groupadd_t)
  auth_use_nsswitch(groupadd_t)
@@ -4520,7 +62762,7 @@ index 441cf22..3a9e8d5 100644
  auth_relabel_shadow(groupadd_t)
  auth_etc_filetrans_shadow(groupadd_t)
  
-@@ -269,6 +276,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -269,6 +280,7 @@ allow passwd_t self:shm create_shm_perms;
  allow passwd_t self:sem create_sem_perms;
  allow passwd_t self:msgq create_msgq_perms;
  allow passwd_t self:msg { send receive };
@@ -4528,7 +62770,7 @@ index 441cf22..3a9e8d5 100644
  
  allow passwd_t crack_db_t:dir list_dir_perms;
  read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -277,6 +285,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -277,6 +289,7 @@ kernel_read_kernel_sysctls(passwd_t)
  
  # for SSP
  dev_read_urand(passwd_t)
@@ -4536,7 +62778,7 @@ index 441cf22..3a9e8d5 100644
  
  fs_getattr_xattr_fs(passwd_t)
  fs_search_auto_mountpoints(passwd_t)
-@@ -291,26 +300,30 @@ selinux_compute_create_context(passwd_t)
+@@ -291,26 +304,30 @@ selinux_compute_create_context(passwd_t)
  selinux_compute_relabel_context(passwd_t)
  selinux_compute_user_contexts(passwd_t)
  
@@ -4572,7 +62814,7 @@ index 441cf22..3a9e8d5 100644
  # /usr/bin/passwd asks for w access to utmp, but it will operate
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(passwd_t)
-@@ -323,7 +336,7 @@ miscfiles_read_localization(passwd_t)
+@@ -323,7 +340,7 @@ miscfiles_read_localization(passwd_t)
  
  seutil_dontaudit_search_config(passwd_t)
  
@@ -4581,7 +62823,7 @@ index 441cf22..3a9e8d5 100644
  userdom_use_unpriv_users_fds(passwd_t)
  # make sure that getcon succeeds
  userdom_getattr_all_users(passwd_t)
-@@ -332,6 +345,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +349,7 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -4589,7 +62831,7 @@ index 441cf22..3a9e8d5 100644
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -381,9 +395,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,9 +399,10 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
  
@@ -4602,7 +62844,7 @@ index 441cf22..3a9e8d5 100644
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
  auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -396,7 +411,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -396,7 +415,6 @@ files_read_usr_files(sysadm_passwd_t)
  
  domain_use_interactive_fds(sysadm_passwd_t)
  
@@ -4610,15 +62852,17 @@ index 441cf22..3a9e8d5 100644
  files_relabel_etc_files(sysadm_passwd_t)
  files_read_etc_runtime_files(sysadm_passwd_t)
  # for nscd lookups
-@@ -427,6 +441,7 @@ optional_policy(`
+@@ -426,7 +444,8 @@ optional_policy(`
+ # Useradd local policy
  #
  
- allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
++allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource };
 +
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -448,10 +463,13 @@ corecmd_exec_shell(useradd_t)
+@@ -448,10 +467,13 @@ corecmd_exec_shell(useradd_t)
  # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
  corecmd_exec_bin(useradd_t)
  
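Review bot: The rewritten `allow useradd_t self:capability { ... sys_ptrace sys_resource };` line adds `sys_ptrace` without a comment saying which useradd operation needs it. The chrome.te hunk further down makes the same uncommented addition to `chrome_sandbox_t`, a domain that already holds sys_admin, execmem and execstack. sys_ptrace is one of the broader capabilities, since it overrides the kernel's same-user restriction on inspecting and tracing other processes, so each grant deserves a one-line justification such as `# sys_ptrace: <operation that triggers the check>, <bug reference>`. The following `allow useradd_t self:process ~{ ptrace ... }` line still withholds the process ptrace permission, which suggests only the capability check is being satisfied; if the program works without it, a `dontaudit` rule would be the narrower choice. The useradd_t rules continue outside this hunk.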
@@ -4633,7 +62877,7 @@ index 441cf22..3a9e8d5 100644
  files_search_var_lib(useradd_t)
  files_relabel_etc_files(useradd_t)
  files_read_etc_runtime_files(useradd_t)
-@@ -460,17 +478,15 @@ fs_search_auto_mountpoints(useradd_t)
+@@ -460,17 +482,15 @@ fs_search_auto_mountpoints(useradd_t)
  fs_getattr_xattr_fs(useradd_t)
  
  mls_file_upgrade(useradd_t)
@@ -4658,7 +62902,7 @@ index 441cf22..3a9e8d5 100644
  
  auth_domtrans_chk_passwd(useradd_t)
  auth_rw_lastlog(useradd_t)
-@@ -478,6 +494,7 @@ auth_rw_faillog(useradd_t)
+@@ -478,6 +498,7 @@ auth_rw_faillog(useradd_t)
  auth_use_nsswitch(useradd_t)
  # these may be unnecessary due to the above
  # domtrans_chk_passwd() call.
@@ -4666,7 +62910,7 @@ index 441cf22..3a9e8d5 100644
  auth_manage_shadow(useradd_t)
  auth_relabel_shadow(useradd_t)
  auth_etc_filetrans_shadow(useradd_t)
-@@ -495,24 +512,19 @@ seutil_read_file_contexts(useradd_t)
+@@ -495,24 +516,19 @@ seutil_read_file_contexts(useradd_t)
  seutil_read_default_contexts(useradd_t)
  seutil_domtrans_semanage(useradd_t)
  seutil_domtrans_setfiles(useradd_t)
@@ -4697,6 +62941,18 @@ index 441cf22..3a9e8d5 100644
  optional_policy(`
  	apache_manage_all_user_content(useradd_t)
  ')
+@@ -531,6 +547,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	rpc_list_nfs_state_data(useradd_t)
++	rpc_read_nfs_state_data(useradd_t)
++')
++
++optional_policy(`
+ 	tunable_policy(`samba_domain_controller',`
+ 		samba_append_log(useradd_t)
+ 	')
 diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
 index ebf4b26..b58c822 100644
 --- a/policy/modules/admin/vpn.te
@@ -4842,10 +63098,10 @@ index 0000000..5901e21
 +/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
 diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
 new file mode 100644
-index 0000000..1553356
+index 0000000..efebae7
 --- /dev/null
 +++ b/policy/modules/apps/chrome.if
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,134 @@
 +
 +## <summary>policy for chrome</summary>
 +
@@ -4933,6 +63189,7 @@ index 0000000..1553356
 +	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
 +	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
 +	allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
++	dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
 +	allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
 +	allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
 +	allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
@@ -4981,10 +63238,10 @@ index 0000000..1553356
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..8b8f735
+index 0000000..da7bbf7
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,182 @@
+@@ -0,0 +1,184 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -5015,7 +63272,7 @@ index 0000000..8b8f735
 +#
 +# chrome_sandbox local policy
 +#
-+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
++allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
 +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
 +allow chrome_sandbox_t self:process setsched;
 +allow chrome_sandbox_t self:fifo_file manage_file_perms;
@@ -5058,6 +63315,7 @@ index 0000000..8b8f735
 +dev_read_urand(chrome_sandbox_t)
 +dev_read_sysfs(chrome_sandbox_t)
 +dev_rwx_zero(chrome_sandbox_t)
++dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
 +
 +files_read_etc_files(chrome_sandbox_t)
 +files_read_usr_files(chrome_sandbox_t)
@@ -5161,14 +63419,15 @@ index 0000000..8b8f735
 +userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
 +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
 +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
-+userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
 +
 +optional_policy(`
 +	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
 +')
 +
 diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
-index 37475dd..6026789 100644
+index 37475dd..130f87c 100644
 --- a/policy/modules/apps/cpufreqselector.te
 +++ b/policy/modules/apps/cpufreqselector.te
 @@ -14,9 +14,10 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
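Review bot: The last lines of chrome.te switch `chrome_sandbox_nacl_t` from `userdom_read_inherited_user_tmp_files` to `userdom_rw_inherited_user_tmp_files` and add `userdom_dontaudit_read_user_home_content_files`, and neither change is commented. The first widens the Native Client helper domain's access to inherited user temp files from read to read/write. The second silences the audit records for its attempts to read home-directory content, which are the denials most worth seeing from a sandbox domain. I would add a comment for each, e.g. `# writes to inherited tmp fds: <reason>` and `# known harmless probe of <path>: <bug reference>`, and keep the dontaudit only if the probe is understood. chrome.te is added as a whole by the inner patch, so the domain's other rules lie outside this hunk.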
@@ -5183,7 +63442,7 @@ index 37475dd..6026789 100644
  
  kernel_read_system_state(cpufreqselector_t)
  
-@@ -27,10 +28,12 @@ corecmd_search_bin(cpufreqselector_t)
+@@ -27,13 +28,16 @@ corecmd_search_bin(cpufreqselector_t)
  
  dev_rw_sysfs(cpufreqselector_t)
  
@@ -5197,7 +63456,11 @@ index 37475dd..6026789 100644
  
  optional_policy(`
  	dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-@@ -53,3 +56,7 @@ optional_policy(`
++	init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
+ 
+ 	optional_policy(`
+ 		consolekit_dbus_chat(cpufreqselector_t)
+@@ -53,3 +57,7 @@ optional_policy(`
  	policykit_read_lib(cpufreqselector_t)
  	policykit_read_reload(cpufreqselector_t)
  ')
@@ -5378,10 +63641,10 @@ index 0000000..2bd5790
 +')
 diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
 new file mode 100644
-index 0000000..175de9d
+index 0000000..c97a6ea
 --- /dev/null
 +++ b/policy/modules/apps/firewallgui.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,75 @@
 +policy_module(firewallgui,1.0.0)
 +
 +########################################
@@ -5392,6 +63655,7 @@ index 0000000..175de9d
 +type firewallgui_t;
 +type firewallgui_exec_t;
 +dbus_system_domain(firewallgui_t, firewallgui_exec_t)
++init_daemon_domain(firewallgui_t, firewallgui_exec_t)
 +
 +type firewallgui_tmp_t;
 +files_tmp_file(firewallgui_tmp_t)
@@ -5512,7 +63776,7 @@ index 6e4add5..5c81832 100644
 +userdom_use_inherited_user_terminals(giftd_t)
 +userdom_home_manager(gitd_t)
 diff --git a/policy/modules/apps/gitosis.te b/policy/modules/apps/gitosis.te
-index 4a2e63b..104206a 100644
+index 4a2e63b..e964f12 100644
 --- a/policy/modules/apps/gitosis.te
 +++ b/policy/modules/apps/gitosis.te
 @@ -5,6 +5,13 @@ policy_module(gitosis, 1.2.0)
@@ -5534,38 +63798,46 @@ index 4a2e63b..104206a 100644
  
  sysnet_read_config(gitosis_t)
 +
-+corenet_tcp_bind_all_ports(nginx_t)
++corenet_tcp_bind_all_ports(gitosis_t)
 +
 +tunable_policy(`gitosis_can_sendmail',`
 +	mta_send_mail(gitosis_t)
 +')
 diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
-index 00a19e3..9f6139c 100644
+index 00a19e3..d776f66 100644
 --- a/policy/modules/apps/gnome.fc
 +++ b/policy/modules/apps/gnome.fc
-@@ -1,9 +1,45 @@
+@@ -1,9 +1,53 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
 +HOME_DIR/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
++HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:dbus_home_t,s0)
 +HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
 +HOME_DIR/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
  HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
  HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
++HOME_DIR/\.grl-bookmarks		gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.grl-metadata-store		gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.grl-bookmarks		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.orc(/.*)?		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.local.*		gen_context(system_u:object_r:gconf_home_t,s0)
 +HOME_DIR/\.local/share(/.*)?	gen_context(system_u:object_r:data_home_t,s0)
 +HOME_DIR/\.local/share/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
 +HOME_DIR/\.Xdefaults		gen_context(system_u:object_r:config_home_t,s0)
 +HOME_DIR/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
 +
++/var/run/user/[^/]*/\.orc(/.*)?		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +/var/run/user/[^/]*/dconf(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
++/var/run/user/[^/]*/keyring.*	gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
 +
 +/root/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
 +/root/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
 +/root/\.config(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
 +/root/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
 +/root/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
++/root/\.dbus(/.*)?	gen_context(system_u:object_r:dbus_home_t,s0)
 +/root/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 +/root/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
 +/root/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
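Review bot: The corrected line `corenet_tcp_bind_all_ports(gitosis_t)` now names the right domain, but it lets gitosis_t bind any TCP port unconditionally and without a comment, while the mail permission right below it is gated by the `gitosis_can_sendmail` tunable. If gitosis really has to listen on a port, the rule should state the reason and preferably be limited to that port type or put behind a boolean in the same way. Separately, the gnome.fc part of this hunk adds `HOME_DIR/\.grl-bookmarks` twice, once before and once after the `.grl-metadata-store` line; the second copy should be dropped.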
@@ -5592,10 +63864,10 @@ index 00a19e3..9f6139c 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..242b129 100644
+index f5afe78..581c9dd 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,880 @@
+@@ -1,44 +1,937 @@
  ## <summary>GNU network object model environment (GNOME)</summary>
  
 -############################################################
@@ -5747,31 +64019,13 @@ index f5afe78..242b129 100644
 +			attribute gkeyringd_domain;
 +			type gkeyringd_tmp_t;
 +			type gconf_tmp_t;
++			type cache_home_t;
 +	')
 +
 +	allow $1 gconf_tmp_t:dir search_dir_perms;
++	userdom_search_user_tmp_dirs($1)
 +	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
-+')
-+
-+########################################
-+## <summary>
-+##	Connect to gkeyringd with a unix stream socket. 
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`gnome_stream_connect_all_gkeyringd',`
-+	gen_require(`
-+		attribute gkeyringd_domain;
-+		type gkeyringd_tmp_t;
-+		type gconf_tmp_t;
-+	')
-+
-+	allow $1 gconf_tmp_t:dir search_dir_perms;
-+	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
++	stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
 +')
 +
 +########################################
@@ -5987,6 +64241,25 @@ index f5afe78..242b129 100644
 +
 +########################################
 +## <summary>
++##	Manage cache home dir (.cache)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_manage_cache_home_dir',`
++	gen_require(`
++		type cache_home_t;
++	')
++
++	manage_dirs_pattern($1, cache_home_t, cache_home_t)
++	userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
 +##	append to generic cache home files (.cache)
 +## </summary>
 +## <param name="domain">
@@ -6025,6 +64298,25 @@ index f5afe78..242b129 100644
 +
 +########################################
 +## <summary>
++##	Manage a sock_file in the generic cache home files (.cache)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_manage_generic_cache_sockets',`
++	gen_require(`
++		type cache_home_t;
++	')
++
++	userdom_search_user_home_dirs($1)
++	manage_sock_files_pattern($1, cache_home_t, cache_home_t)
++')
++
++########################################
++## <summary>
 +##	Dontaudit read/write to generic cache home files (.cache)
 +## </summary>
 +## <param name="domain">
@@ -6337,6 +64629,25 @@ index f5afe78..242b129 100644
 +
 +########################################
 +## <summary>
++##	List gkeyringd temporary directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_list_gkeyringd_tmp_dirs',`
++	gen_require(`
++		type gkeyringd_tmp_t;
++	')
++
++	files_search_tmp($1)
++	allow $1 gkeyringd_tmp_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
 +##	search gconf homedir (.local)
 +## </summary>
 +## <param name="domain">
@@ -6397,11 +64708,10 @@ index f5afe78..242b129 100644
 +##	Manage generic gnome home directories.
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	Role allowed access
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
 +#
 +interface(`gnome_manage_generic_home_dirs',`
 +	gen_require(`
@@ -6416,6 +64726,25 @@ index f5afe78..242b129 100644
 +## <summary>
 +##	Append gconf home files
 +## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	Role allowed access
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++#
++interface(`gnome_append_gconf_home_files',`
++	gen_require(`
++		type gconf_home_t;
++	')
++
++	append_files_pattern($1, gconf_home_t, gconf_home_t)
++')
++
++########################################
++## <summary>
++##	manage gconf home files
++## </summary>
  ## <param name="domain">
  ##	<summary>
 -##	User domain for the role
@@ -6424,7 +64753,7 @@ index f5afe78..242b129 100644
  ## </param>
  #
 -interface(`gnome_role',`
-+interface(`gnome_append_gconf_home_files',`
++interface(`gnome_manage_gconf_home_files',`
  	gen_require(`
 -		type gconfd_t, gconfd_exec_t;
 -		type gconf_tmp_t;
@@ -6432,87 +64761,88 @@ index f5afe78..242b129 100644
  	')
  
 -	role $1 types gconfd_t;
-+	append_files_pattern($1, gconf_home_t, gconf_home_t)
++	allow $1 gconf_home_t:dir list_dir_perms;
++	manage_files_pattern($1, gconf_home_t, gconf_home_t)
 +')
 +
 +########################################
 +## <summary>
-+##	manage gconf home files
++##	Connect to gnome over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <param name="user_domain">
++##	<summary>
++##	The type of the user domain.
++##	</summary>
++## </param>
 +#
-+interface(`gnome_manage_gconf_home_files',`
++interface(`gnome_stream_connect',`
 +	gen_require(`
-+		type gconf_home_t;
++		attribute gnome_home_type;
 +	')
  
 -	domain_auto_trans($2, gconfd_exec_t, gconfd_t)
 -	allow gconfd_t $2:fd use;
 -	allow gconfd_t $2:fifo_file write;
 -	allow gconfd_t $2:unix_stream_socket connectto;
-+	allow $1 gconf_home_t:dir list_dir_perms;
-+	manage_files_pattern($1, gconf_home_t, gconf_home_t)
++	# Connect to pulseaudit server
++	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
 +')
  
 -	ps_process_pattern($2, gconfd_t)
 +########################################
 +## <summary>
-+##	Connect to gnome over a unix stream socket.
++##	list gnome homedir content (.config)
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="user_domain">
-+##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
 +#
-+interface(`gnome_stream_connect',`
++interface(`gnome_list_home_config',`
 +	gen_require(`
-+		attribute gnome_home_type;
++		type config_home_t;
 +	')
  
 -	#gnome_stream_connect_gconf_template($1, $2)
 -	read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
 -	allow $2 gconfd_t:unix_stream_socket connectto;
-+	# Connect to pulseaudit server
-+	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
++	allow $1 config_home_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Execute gconf programs in
 -##	in the caller domain.
-+##	list gnome homedir content (.config)
++##	Set attributes of gnome homedir content (.config)
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,37 +882,92 @@ interface(`gnome_role',`
+@@ -46,37 +939,74 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
 -interface(`gnome_exec_gconf',`
-+interface(`gnome_list_home_config',`
++interface(`gnome_setattr_home_config',`
  	gen_require(`
 -		type gconfd_exec_t;
 +		type config_home_t;
  	')
  
 -	can_exec($1, gconfd_exec_t)
-+	allow $1 config_home_t:dir list_dir_perms;
++	setattr_dirs_pattern($1, config_home_t, config_home_t)
++	userdom_search_user_home_dirs($1)
  ')
  
  ########################################
  ## <summary>
 -##	Read gconf config files.
-+##	Set attributes of gnome homedir content (.config)
++##	read gnome homedir content (.config)
  ## </summary>
 -## <param name="user_domain">
 +## <param name="domain">
@@ -6522,7 +64852,7 @@ index f5afe78..242b129 100644
  ## </param>
  #
 -template(`gnome_read_gconf_config',`
-+interface(`gnome_setattr_home_config',`
++interface(`gnome_read_home_config',`
  	gen_require(`
 -		type gconf_etc_t;
 +		type config_home_t;
@@ -6531,25 +64861,6 @@ index f5afe78..242b129 100644
 -	allow $1 gconf_etc_t:dir list_dir_perms;
 -	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
 -	files_search_etc($1)
-+	setattr_dirs_pattern($1, config_home_t, config_home_t)
-+	userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
-+##	read gnome homedir content (.config)
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`gnome_read_home_config',`
-+	gen_require(`
-+		type config_home_t;
-+	')
-+
 +	list_dirs_pattern($1, config_home_t, config_home_t)
 +	read_files_pattern($1, config_home_t, config_home_t)
 +	read_lnk_files_pattern($1, config_home_t, config_home_t)
@@ -6598,7 +64909,7 @@ index f5afe78..242b129 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +975,53 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +1014,53 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -6663,7 +64974,7 @@ index f5afe78..242b129 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +1029,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1068,62 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -6676,6 +64987,51 @@ index f5afe78..242b129 100644
  
 -	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
 +	manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
++	gnome_filetrans_gstreamer_home_content($1)
++')
++
++#######################################
++## <summary>
++##  file name transition gstreamer home content files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`gnome_filetrans_gstreamer_home_content',`
++    gen_require(`
++        type gstreamer_home_t;
++    ')
++
++    userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks")
++    userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store")
++    userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
++    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
++    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
++    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
++    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
++    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
++    userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
++')
++
++#######################################
++## <summary>
++##  manage gstreamer home content files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`gnome_manage_gstreamer_home_dirs',`
++    gen_require(`
++        type gstreamer_home_t;
++    ')
++
++    manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
  ')
  
  ########################################
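Review bot: `.grl-bookmarks` and `.grl-metadata-store` get class `file` in the new `gnome_filetrans_gstreamer_home_content`, but the later hunk that extends the `userdom_user_home_dir_filetrans` list (the one adding `.orc` and `.gstreamer-0.12`) declares the same two names with class `dir`. A named transition is keyed on object class as well as name, so whichever entry has the wrong class never fires and the object keeps the default home label. Settle on one class per name and have the second list call `gnome_filetrans_gstreamer_home_content($1)` instead of repeating the entries. Separately, the summary of `gnome_manage_gstreamer_home_dirs` says "files" while its body uses `manage_dirs_pattern`.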
@@ -6685,7 +65041,7 @@ index f5afe78..242b129 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1047,298 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1131,306 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -6911,14 +65267,22 @@ index f5afe78..242b129 100644
 +	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
 +	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
 +	userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
++	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
++	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
++	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
 +	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
 +	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
++	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".grl-bookmarks")
++	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".grl-metadata-store")
++	userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
++
 +	# ~/.color/icc: legacy
 +	userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
 +	filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
 +	filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
 +	filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
 +	userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
++	userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
 +')
 +
 +########################################
@@ -6943,6 +65307,7 @@ index f5afe78..242b129 100644
 +	type icc_data_home_t;
 +')
 +
++	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".config")
 +	userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
 +	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
 +	userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
@@ -6951,8 +65316,7 @@ index f5afe78..242b129 100644
 +	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
 +	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
 +	userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
-+	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
-+	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
++	gnome_filetrans_gstreamer_home_content($1)
 +	# /root/.color/icc: legacy
 +	userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
 +')
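Review bot: `gnome_filetrans_gstreamer_home_content($1)` replaces two `userdom_admin_home_dir_filetrans` lines here, while every other entry in this list uses the admin-home helper. The interface it calls (added earlier in this patch) uses only `userdom_user_home_dir_filetrans` and `userdom_user_tmp_filetrans`. If the two helpers differ by parent directory type, as their names suggest, `.gstreamer-*` directories created in the admin home would lose the `gstreamer_home_t` transition. Keeping `userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")` and the matching `.gstreamer-12` line, and adding admin-home entries for the new names, avoids that. The interface header lies outside this hunk.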
@@ -7001,10 +65365,10 @@ index f5afe78..242b129 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..3c5d792 100644
+index 2505654..6e75a73 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
-@@ -6,11 +6,28 @@ policy_module(gnome, 2.1.0)
+@@ -6,11 +6,31 @@ policy_module(gnome, 2.1.0)
  #
  
  attribute gnomedomain;
@@ -7027,6 +65391,9 @@ index 2505654..3c5d792 100644
 +type gstreamer_home_t, gnome_home_type;
 +userdom_user_home_content(gstreamer_home_t)
 +
++type dbus_home_t, gnome_home_type;
++userdom_user_home_content(dbus_home_t)
++
 +type icc_data_home_t, gnome_home_type;
 +userdom_user_home_content(icc_data_home_t)
 +
@@ -7034,7 +65401,7 @@ index 2505654..3c5d792 100644
  typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
  typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
  typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -30,12 +47,33 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+@@ -30,12 +50,35 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
  application_domain(gconfd_t, gconfd_exec_t)
  ubac_constrained(gconfd_t)
  
@@ -7061,15 +65428,17 @@ index 2505654..3c5d792 100644
 +type gconfdefaultsm_t;
 +type gconfdefaultsm_exec_t;
 +dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
++init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
 +
 +type gnomesystemmm_t;
 +type gnomesystemmm_exec_t;
 +dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
++init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
 +
  ##############################
  #
  # Local Policy
-@@ -75,3 +113,151 @@ optional_policy(`
+@@ -75,3 +118,157 @@ optional_policy(`
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
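Review bot: The two added `init_daemon_domain(...)` lines for `gconfdefaultsm_t` and `gnomesystemmm_t` have no comment saying why a helper already declared with `dbus_system_domain` also needs an entry point from init. The same line is added without explanation for `jockey_t`, `kdebacklighthelper_t` and `kdumpgui_t` in later hunks. Each one adds a second way into the domain, so the reason belongs next to the declaration, for example `# also started directly by init, not only through system bus activation`, if that is the actual reason.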
@@ -7138,6 +65507,8 @@ index 2505654..3c5d792 100644
 +
 +fs_getattr_xattr_fs(gnomesystemmm_t)
 +
++logging_send_syslog_msg(gnomesystemmm_t)
++
 +miscfiles_read_localization(gnomesystemmm_t)
 +
 +userdom_read_all_users_state(gnomesystemmm_t)
@@ -7168,7 +65539,7 @@ index 2505654..3c5d792 100644
 +allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
 +allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
 +
-+userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir)
++dontaudit gkeyringd_domain config_home_t:file write;
 +
 +manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
 +manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
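Review bot: The new `dontaudit gkeyringd_domain config_home_t:file write;` hides write denials on `config_home_t` files, with no comment on which write is expected and why it is harmless. A dontaudit rule removes the AVC record that would otherwise show an unexpected write attempt by the keyring daemon, so the justification should sit above the rule. Something like `# gkeyringd opens files under ~/.config read-write but only reads them` would do, if that matches the observed denial. Anyone investigating this domain later will need `semodule -DB` to see these events again.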
@@ -7177,6 +65548,7 @@ index 2505654..3c5d792 100644
 +manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
 +manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
 +files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
++userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
 +
 +kernel_read_system_state(gkeyringd_domain)
 +kernel_read_crypto_sysctls(gkeyringd_domain)
@@ -7201,6 +65573,8 @@ index 2505654..3c5d792 100644
 +
 +miscfiles_read_localization(gkeyringd_domain)
 +
++userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir)
++
 +optional_policy(`
 +	xserver_append_xdm_home_files(gkeyringd_domain)
 +	xserver_read_xdm_home_files(gkeyringd_domain)
@@ -7211,6 +65585,8 @@ index 2505654..3c5d792 100644
 +	gnome_read_home_config(gkeyringd_domain)
 +	gnome_read_generic_cache_files(gkeyringd_domain)
 +	gnome_write_generic_cache_files(gkeyringd_domain)
++	gnome_manage_cache_home_dir(gkeyringd_domain)
++	gnome_manage_generic_cache_sockets(gkeyringd_domain)
 +')
 +
 +optional_policy(`
@@ -7220,7 +65596,6 @@ index 2505654..3c5d792 100644
 +domain_use_interactive_fds(gnomedomain)
 +
 +userdom_use_inherited_user_terminals(gnomedomain)
-+
 diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
 index e9853d4..6864b58 100644
 --- a/policy/modules/apps/gpg.fc
@@ -7762,6 +66137,200 @@ index 66beb80..4bc18b6 100644
 -	nis_use_ypbind(irc_t)
 +	automount_dontaudit_getattr_tmp_dirs(irssi_t)
  ')
+diff --git a/policy/modules/apps/jockey.fc b/policy/modules/apps/jockey.fc
+new file mode 100644
+index 0000000..274cdec
+--- /dev/null
++++ b/policy/modules/apps/jockey.fc
+@@ -0,0 +1,6 @@
++/usr/share/jockey/jockey-backend		--	gen_context(system_u:object_r:jockey_exec_t,s0)
++
++/var/cache/jockey(/.*)?		gen_context(system_u:object_r:jockey_cache_t,s0)
++
++/var/log/jockey(/.*)?		gen_context(system_u:object_r:jockey_var_log_t,s0)
++/var/log/jockey\.log	--	gen_context(system_u:object_r:jockey_var_log_t,s0)
+diff --git a/policy/modules/apps/jockey.if b/policy/modules/apps/jockey.if
+new file mode 100644
+index 0000000..fb58f33
+--- /dev/null
++++ b/policy/modules/apps/jockey.if
+@@ -0,0 +1,132 @@
++
++## <summary>policy for jockey</summary>
++
++########################################
++## <summary>
++##	Transition to jockey.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`jockey_domtrans',`
++	gen_require(`
++		type jockey_t, jockey_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, jockey_exec_t, jockey_t)
++')
++
++########################################
++## <summary>
++##	Search jockey cache directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jockey_search_cache',`
++	gen_require(`
++		type jockey_cache_t;
++	')
++
++	allow $1 jockey_cache_t:dir search_dir_perms;
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Read jockey cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jockey_read_cache_files',`
++	gen_require(`
++		type jockey_cache_t;
++	')
++
++	files_search_var($1)
++	read_files_pattern($1, jockey_cache_t, jockey_cache_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	jockey cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jockey_manage_cache_files',`
++	gen_require(`
++		type jockey_cache_t;
++	')
++
++	files_search_var($1)
++	manage_files_pattern($1, jockey_cache_t, jockey_cache_t)
++')
++
++########################################
++## <summary>
++##	Manage jockey cache dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jockey_manage_cache_dirs',`
++	gen_require(`
++		type jockey_cache_t;
++	')
++
++	files_search_var($1)
++	manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an jockey environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`jockey_admin',`
++	gen_require(`
++		type jockey_t;
++		type jockey_cache_t;
++	')
++
++	allow $1 jockey_t:process { ptrace signal_perms };
++	ps_process_pattern($1, jockey_t)
++
++	files_search_var($1)
++	admin_pattern($1, jockey_cache_t)
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te
+new file mode 100644
+index 0000000..b60050f
+--- /dev/null
++++ b/policy/modules/apps/jockey.te
+@@ -0,0 +1,38 @@
++policy_module(jockey, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type jockey_t;
++type jockey_exec_t;
++dbus_system_domain(jockey_t, jockey_exec_t)
++init_daemon_domain(jockey_t, jockey_exec_t)
++
++type jockey_cache_t;
++files_type(jockey_cache_t)
++
++type jockey_var_log_t;
++logging_log_file(jockey_var_log_t)
++
++########################################
++#
++# jockey local policy
++#
++allow jockey_t self:fifo_file rw_fifo_file_perms;
++
++manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
++manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
++manage_lnk_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
++files_var_filetrans(jockey_t, jockey_cache_t, { dir file })
++
++manage_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
++manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
++logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
++
++domain_use_interactive_fds(jockey_t)
++
++files_read_etc_files(jockey_t)
++
++miscfiles_read_localization(jockey_t)
 diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc
 new file mode 100644
 index 0000000..25e4b68
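Review bot: `jockey_admin` grants `ptrace` on `jockey_t` unconditionally through `allow $1 jockey_t:process { ptrace signal_perms };`, so a policy-wide `deny_ptrace` boolean would not restrict this path. Splitting the rule so that `signal_perms` stays unconditional and `ptrace` moves into the else-branch of a `deny_ptrace` tunable block keeps the admin interface consistent with that switch. This assumes `deny_ptrace` is declared as a tunable elsewhere in the policy, which this hunk does not show. The same rule appears in `httpd_man2html_script_admin` in the man2html.if hunk further down.

```selinux
interface(`jockey_admin',`
	# … unchanged: gen_require block …

	allow $1 jockey_t:process signal_perms;
	# ptrace only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 jockey_t:process ptrace;
	')
	# … unchanged: ps_process_pattern, cache admin_pattern, optional systemd block …
```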
@@ -7799,10 +66368,10 @@ index 0000000..cf65577
 +')
 diff --git a/policy/modules/apps/kde.te b/policy/modules/apps/kde.te
 new file mode 100644
-index 0000000..169421f
+index 0000000..f9b9c0f
 --- /dev/null
 +++ b/policy/modules/apps/kde.te
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,41 @@
 +policy_module(kde,1.0.0)
 +
 +########################################
@@ -7813,6 +66382,7 @@ index 0000000..169421f
 +type kdebacklighthelper_t;
 +type kdebacklighthelper_exec_t;
 +dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
++init_daemon_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
 +
 +########################################
 +#
@@ -7844,20 +66414,21 @@ index 0000000..169421f
 +')
 +
 diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
-index 2dde73a..1b16fa4 100644
+index 2dde73a..6096f4d 100644
 --- a/policy/modules/apps/kdumpgui.te
 +++ b/policy/modules/apps/kdumpgui.te
-@@ -9,6 +9,9 @@ type kdumpgui_t;
+@@ -8,6 +8,10 @@ policy_module(kdumpgui, 1.0.1)
+ type kdumpgui_t;
  type kdumpgui_exec_t;
  dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
- 
++init_daemon_domain(kdumpgui_t, kdumpgui_exec_t)
++
 +type kdumpgui_tmp_t;
 +files_tmp_file(kdumpgui_tmp_t)
-+
+ 
  ######################################
  #
- # system-config-kdump local policy
-@@ -18,6 +21,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
+@@ -18,6 +22,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
  allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
  allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
  
@@ -7868,7 +66439,7 @@ index 2dde73a..1b16fa4 100644
  kernel_read_system_state(kdumpgui_t)
  kernel_read_network_state(kdumpgui_t)
  
-@@ -36,6 +43,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
+@@ -36,6 +44,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
  files_etc_filetrans_etc_runtime(kdumpgui_t, file)
  files_read_usr_files(kdumpgui_t)
  
@@ -7877,7 +66448,7 @@ index 2dde73a..1b16fa4 100644
  storage_raw_read_fixed_disk(kdumpgui_t)
  storage_raw_write_fixed_disk(kdumpgui_t)
  
-@@ -45,8 +54,20 @@ logging_send_syslog_msg(kdumpgui_t)
+@@ -45,8 +55,20 @@ logging_send_syslog_msg(kdumpgui_t)
  
  miscfiles_read_localization(kdumpgui_t)
  
@@ -7898,7 +66469,7 @@ index 2dde73a..1b16fa4 100644
  optional_policy(`
  	consoletype_exec(kdumpgui_t)
  ')
-@@ -58,6 +79,7 @@ optional_policy(`
+@@ -58,6 +80,7 @@ optional_policy(`
  optional_policy(`
  	kdump_manage_config(kdumpgui_t)
  	kdump_initrc_domtrans(kdumpgui_t)
@@ -8057,6 +66628,192 @@ index 0bac996..ca2388d 100644
 -userdom_use_user_terminals(lockdev_t)
 +userdom_use_inherited_user_terminals(lockdev_t)
  
+diff --git a/policy/modules/apps/man2html.fc b/policy/modules/apps/man2html.fc
+new file mode 100644
+index 0000000..2907017
+--- /dev/null
++++ b/policy/modules/apps/man2html.fc
+@@ -0,0 +1,5 @@
++/usr/lib/man2html/cgi-bin/man/man2html		--	gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/mansec      --  gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/manwhatis      --  gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
++
++/var/cache/man2html(/.*)?		gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
+diff --git a/policy/modules/apps/man2html.if b/policy/modules/apps/man2html.if
+new file mode 100644
+index 0000000..68fddff
+--- /dev/null
++++ b/policy/modules/apps/man2html.if
+@@ -0,0 +1,133 @@
++
++## <summary>policy for httpd_man2html_script</summary>
++
++########################################
++## <summary>
++##	Transition to httpd_man2html_script.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`httpd_man2html_script_domtrans',`
++	gen_require(`
++		type httpd_man2html_script_t, httpd_man2html_script_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t)
++')
++
++########################################
++## <summary>
++##	Search httpd_man2html_script cache directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`httpd_man2html_script_search_cache',`
++	gen_require(`
++		type httpd_man2html_script_cache_t;
++	')
++
++	allow $1 httpd_man2html_script_cache_t:dir search_dir_perms;
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Read httpd_man2html_script cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`httpd_man2html_script_read_cache_files',`
++	gen_require(`
++		type httpd_man2html_script_cache_t;
++	')
++
++	files_search_var($1)
++	read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	httpd_man2html_script cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`httpd_man2html_script_manage_cache_files',`
++	gen_require(`
++		type httpd_man2html_script_cache_t;
++	')
++
++	files_search_var($1)
++	manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++')
++
++########################################
++## <summary>
++##	Manage httpd_man2html_script cache dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`httpd_man2html_script_manage_cache_dirs',`
++	gen_require(`
++		type httpd_man2html_script_cache_t;
++	')
++
++	files_search_var($1)
++	manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an httpd_man2html_script environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`httpd_man2html_script_admin',`
++	gen_require(`
++		type httpd_man2html_script_t;
++		type httpd_man2html_script_cache_t;
++	')
++
++	allow $1 httpd_man2html_script_t:process { ptrace signal_perms };
++	ps_process_pattern($1, httpd_man2html_script_t)
++
++	files_search_var($1)
++	admin_pattern($1, httpd_man2html_script_cache_t)
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/policy/modules/apps/man2html.te b/policy/modules/apps/man2html.te
+new file mode 100644
+index 0000000..863c57c
+--- /dev/null
++++ b/policy/modules/apps/man2html.te
+@@ -0,0 +1,30 @@
++policy_module(man2html, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++apache_content_template(man2html)
++
++type httpd_man2html_script_cache_t;
++files_type(httpd_man2html_script_cache_t)
++
++########################################
++#
++# httpd_man2html_script local policy
++#
++
++allow httpd_man2html_script_t self:process { fork };
++
++
++manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file })
++
++domain_use_interactive_fds(httpd_man2html_script_t)
++
++files_read_etc_files(httpd_man2html_script_t)
++
++miscfiles_read_localization(httpd_man2html_script_t)
 diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
 index dff0f12..ecab36d 100644
 --- a/policy/modules/apps/mono.te
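Review bot: `httpd_man2html_script_admin` documents a `role` parameter and carries `<rolecap/>`, but nothing in its body references `$2`, so the header describes a contract the interface does not implement. Either remove the `<param name="role">` block or say in the summary that the role argument is currently unused. `jockey_admin` in the earlier hunk has the same mismatch. As a style point, the interfaces in man2html.if use the prefix `httpd_man2html_script_` and not the module name `man2html_`, which makes them harder to trace back to their module.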
@@ -8071,10 +66828,10 @@ index dff0f12..ecab36d 100644
  init_dbus_chat_script(mono_t)
  
 diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
-index 93ac529..4c0895e 100644
+index 93ac529..6e03a8c 100644
 --- a/policy/modules/apps/mozilla.fc
 +++ b/policy/modules/apps/mozilla.fc
-@@ -1,8 +1,14 @@
+@@ -1,8 +1,16 @@
  HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -8086,10 +66843,12 @@ index 93ac529..4c0895e 100644
 +HOME_DIR/\.gnash(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.gcjwebplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.icedteaplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.spicec(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.ICAClient(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
  
  #
  # /bin
-@@ -14,16 +20,28 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -14,16 +22,28 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
  /usr/bin/epiphany		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
  /usr/bin/mozilla-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
  /usr/bin/mozilla-bin-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -8128,7 +66887,7 @@ index 93ac529..4c0895e 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..ffeec16 100644
+index fbb5c5a..ce9aee0 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -8169,7 +66928,7 @@ index fbb5c5a..ffeec16 100644
  ')
  
  ########################################
-@@ -197,12 +209,31 @@ interface(`mozilla_domtrans',`
+@@ -197,12 +209,35 @@ interface(`mozilla_domtrans',`
  #
  interface(`mozilla_domtrans_plugin',`
  	gen_require(`
@@ -8187,6 +66946,7 @@ index fbb5c5a..ffeec16 100644
 +	allow $1 mozilla_plugin_t:fd use;
 +
 +	allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
++	allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
 +	allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
 +	allow mozilla_plugin_t $1:sem create_sem_perms;
 +
@@ -8198,15 +66958,22 @@ index fbb5c5a..ffeec16 100644
 +	read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +	can_exec($1, mozilla_plugin_rw_t)
 +
++	allow $1 mozilla_plugin_t:dbus send_msg;
++	allow mozilla_plugin_t $1:dbus send_msg;
++
 +	#mozilla_filetrans_home_content($1)
  ')
  
  ########################################
-@@ -228,6 +259,27 @@ interface(`mozilla_run_plugin',`
+@@ -228,6 +263,35 @@ interface(`mozilla_run_plugin',`
  
  	mozilla_domtrans_plugin($1)
  	role $2 types mozilla_plugin_t;
 +	role $2 types mozilla_plugin_config_t;
++
++	optional_policy(`
++		lpd_run_lpr(mozilla_plugin_t, $2)
++	')
 +')
 +
 +#######################################
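Review bot: The two `allow ... :dbus send_msg;` rules are added inside `mozilla_domtrans_plugin`, so every domain allowed to start the plugin also gets two-way D-Bus messaging with `mozilla_plugin_t`. That is wider than a domain transition needs. If only some callers talk to the plugin over D-Bus, a separate dbus_chat-style interface would keep that grant explicit and reviewable per caller. The `gen_require` block of this interface lies outside the hunk; these rules need `class dbus send_msg;` there if it is not already listed.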
@@ -8227,10 +66994,14 @@ index fbb5c5a..ffeec16 100644
 +
 +    role $1 types mozilla_plugin_t;
 +    role $1 types mozilla_plugin_config_t;
++
++    optional_policy(`
++    	lpd_run_lpr(mozilla_plugin_t, $1)
++    ')
  ')
  
  ########################################
-@@ -269,9 +321,27 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -269,9 +333,27 @@ interface(`mozilla_rw_tcp_sockets',`
  	allow $1 mozilla_t:tcp_socket rw_socket_perms;
  ')
  
@@ -8259,7 +67030,7 @@ index fbb5c5a..ffeec16 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -279,28 +349,79 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +361,98 @@ interface(`mozilla_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -8295,6 +67066,24 @@ index fbb5c5a..ffeec16 100644
 +	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
 +')
 +
++#######################################
++## <summary>
++##  Dontaudit read/write to a mozilla_plugin tmp files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain to not audit.
++##  </summary>
++## </param>
++#
++interface(`mozilla_plugin_dontaudit_rw_tmp_files',`
++    gen_require(`
++        type mozilla_plugin_tmp_t;
++    ')
++
++    dontaudit $1 mozilla_plugin_tmp_t:file { read write };
++')
++
 +########################################
 +## <summary>
 +##	Create, read, write, and delete
@@ -8309,12 +67098,11 @@ index fbb5c5a..ffeec16 100644
 +interface(`mozilla_plugin_manage_rw_files',`
 +	gen_require(`
 +		type mozilla_plugin_rw_t;
- 	')
- 
--	allow $1 mozilla_plugin_tmpfs_t:file unlink;
++	')
++
 +	allow $1 mozilla_plugin_rw_t:file manage_file_perms;
 +	allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
- ')
++')
 +
 +########################################
 +## <summary>
@@ -8331,8 +67119,9 @@ index fbb5c5a..ffeec16 100644
 +
 +	gen_require(`
 +		type mozilla_home_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 mozilla_plugin_tmpfs_t:file unlink;
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
@@ -8344,13 +67133,28 @@ index fbb5c5a..ffeec16 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
-+')
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+ ')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..194857d 100644
+index 2e9318b..c5f9431 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
-@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
+@@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
+ ## </desc>
+ gen_tunable(mozilla_read_content, false)
+ 
++## <desc>
++## <p>
++## Allow mozilla_plugins to create random content in the users home directory
++## </p>
++## </desc>
++gen_tunable(mozilla_plugin_enable_homedirs, false)
++
+ type mozilla_t;
+ type mozilla_exec_t;
+ typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
+@@ -25,6 +32,7 @@ files_config_file(mozilla_conf_t)
  type mozilla_home_t;
  typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
  typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
@@ -8358,7 +67162,7 @@ index 2e9318b..194857d 100644
  userdom_user_home_content(mozilla_home_t)
  
  type mozilla_plugin_t;
-@@ -33,13 +34,22 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+@@ -33,13 +41,22 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
  role system_r types mozilla_plugin_t;
  
  type mozilla_plugin_tmp_t;
@@ -8381,7 +67185,7 @@ index 2e9318b..194857d 100644
  type mozilla_tmp_t;
  files_tmp_file(mozilla_tmp_t)
  ubac_constrained(mozilla_tmp_t)
-@@ -111,7 +121,9 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
+@@ -111,7 +128,9 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
  corenet_tcp_sendrecv_http_port(mozilla_t)
  corenet_tcp_sendrecv_http_cache_port(mozilla_t)
  corenet_tcp_sendrecv_squid_port(mozilla_t)
@@ -8391,7 +67195,7 @@ index 2e9318b..194857d 100644
  corenet_tcp_sendrecv_ipp_port(mozilla_t)
  corenet_tcp_connect_http_port(mozilla_t)
  corenet_tcp_connect_http_cache_port(mozilla_t)
-@@ -156,6 +168,8 @@ fs_rw_tmpfs_files(mozilla_t)
+@@ -156,6 +175,8 @@ fs_rw_tmpfs_files(mozilla_t)
  
  term_dontaudit_getattr_pty_dirs(mozilla_t)
  
@@ -8400,7 +67204,7 @@ index 2e9318b..194857d 100644
  logging_send_syslog_msg(mozilla_t)
  
  miscfiles_read_fonts(mozilla_t)
-@@ -165,27 +179,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+@@ -165,27 +186,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
  # Browse the web, connect to printer
  sysnet_dns_name_resolve(mozilla_t)
  
@@ -8434,7 +67238,7 @@ index 2e9318b..194857d 100644
  
  # Uploads, local html
  tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-@@ -262,6 +270,7 @@ optional_policy(`
+@@ -262,6 +277,7 @@ optional_policy(`
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
  	gnome_manage_config(mozilla_t)
@@ -8442,7 +67246,7 @@ index 2e9318b..194857d 100644
  ')
  
  optional_policy(`
-@@ -278,10 +287,6 @@ optional_policy(`
+@@ -278,10 +294,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -8453,16 +67257,17 @@ index 2e9318b..194857d 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -296,25 +301,32 @@ optional_policy(`
+@@ -296,25 +308,34 @@ optional_policy(`
  # mozilla_plugin local policy
  #
  
 -dontaudit mozilla_plugin_t self:capability { sys_ptrace };
-+dontaudit mozilla_plugin_t self:capability sys_nice;
-+
- allow mozilla_plugin_t self:process { setsched signal_perms execmem };
+-allow mozilla_plugin_t self:process { setsched signal_perms execmem };
 -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
 -allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
++dontaudit mozilla_plugin_t self:capability { sys_nice sys_tty_config };
++
++allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit };
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
  allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
  allow mozilla_plugin_t self:udp_socket create_socket_perms;
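Review bot: `execstack` is added to the unconditional `allow mozilla_plugin_t self:process { ... }` rule, so the browser plugin domain may make its stack executable whatever the `allow_execstack` boolean says. This domain runs third-party plugin code on untrusted web content, which makes it a poor place for a permanent executable-stack grant. Moving `execstack` into a `tunable_policy` block on `allow_execstack` keeps the permission switchable, assuming that boolean is available as a tunable in this policy. The `sys_tty_config` dontaudit added on the line above would also benefit from a one-line reason.

```selinux
allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem setrlimit };
# executable stack only when the allow_execstack boolean is on
tunable_policy(`allow_execstack',`
	allow mozilla_plugin_t self:process execstack;
')
# … unchanged: netlink_route, tcp and udp socket rules …
```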
@@ -8480,6 +67285,7 @@ index 2e9318b..194857d 100644
 +manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 +manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 +manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
++mozilla_filetrans_home_content(mozilla_plugin_t)
  
  manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -8489,11 +67295,12 @@ index 2e9318b..194857d 100644
 +manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 +files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
 +userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
++xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
 +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
  
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,6 +334,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,6 +343,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
  manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
  
@@ -8504,34 +67311,72 @@ index 2e9318b..194857d 100644
  can_exec(mozilla_plugin_t, mozilla_exec_t)
  
  kernel_read_kernel_sysctls(mozilla_plugin_t)
-@@ -332,11 +348,9 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -331,22 +356,31 @@ kernel_request_load_module(mozilla_plugin_t)
+ 
  corecmd_exec_bin(mozilla_plugin_t)
  corecmd_exec_shell(mozilla_plugin_t)
++corecmd_dontaudit_access_all_executables(mozilla_plugin_t)
  
 -corenet_all_recvfrom_netlabel(mozilla_plugin_t)
 -corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
 -corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
 -corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
  corenet_tcp_connect_generic_port(mozilla_plugin_t)
+-corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
 +corenet_tcp_connect_flash_port(mozilla_plugin_t)
-+corenet_tcp_connect_streaming_port(mozilla_plugin_t)
- corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
++corenet_tcp_connect_ftp_port(mozilla_plugin_t)
  corenet_tcp_connect_http_port(mozilla_plugin_t)
  corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-@@ -344,6 +358,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+-corenet_tcp_connect_squid_port(mozilla_plugin_t)
  corenet_tcp_connect_ipp_port(mozilla_plugin_t)
++corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
  corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
++corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
  corenet_tcp_connect_speech_port(mozilla_plugin_t)
++corenet_tcp_connect_squid_port(mozilla_plugin_t)
 +corenet_tcp_connect_streaming_port(mozilla_plugin_t)
-+corenet_tcp_connect_ftp_port(mozilla_plugin_t)
++corenet_tcp_connect_soundd_port(mozilla_plugin_t)
++corenet_tcp_connect_vnc_port(mozilla_plugin_t)
++corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
 +corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
 +corenet_tcp_bind_generic_node(mozilla_plugin_t)
 +corenet_udp_bind_generic_node(mozilla_plugin_t)
++corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
  
  dev_read_rand(mozilla_plugin_t)
  dev_read_urand(mozilla_plugin_t)
-@@ -385,33 +404,30 @@ term_getattr_all_ttys(mozilla_plugin_t)
++dev_read_generic_usb_dev(mozilla_plugin_t)
+ dev_read_video_dev(mozilla_plugin_t)
+ dev_write_video_dev(mozilla_plugin_t)
+ dev_read_sysfs(mozilla_plugin_t)
+@@ -355,6 +389,7 @@ dev_write_sound(mozilla_plugin_t)
+ # for nvidia driver
+ dev_rw_xserver_misc(mozilla_plugin_t)
+ dev_dontaudit_rw_dri(mozilla_plugin_t)
++dev_dontaudit_getattr_all(mozilla_plugin_t)
+ 
+ domain_use_interactive_fds(mozilla_plugin_t)
+ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,11 +397,14 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+ files_read_config_files(mozilla_plugin_t)
+ files_read_usr_files(mozilla_plugin_t)
+ files_list_mnt(mozilla_plugin_t)
++files_exec_usr_files(mozilla_plugin_t)
++fs_dontaudit_read_tmpfs_files(mozilla_plugin_t)
+ 
+ fs_getattr_all_fs(mozilla_plugin_t)
+ fs_list_dos(mozilla_plugin_t)
+ fs_read_dos_files(mozilla_plugin_t)
+ 
++application_exec(mozilla_plugin_t)
+ application_dontaudit_signull(mozilla_plugin_t)
+ 
+ auth_use_nsswitch(mozilla_plugin_t)
+@@ -383,35 +421,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+ 
+ term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
++term_getattr_ptmx(mozilla_plugin_t)
  
  userdom_rw_user_tmpfs_files(mozilla_plugin_t)
 +userdom_delete_user_tmpfs_files(mozilla_plugin_t)
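Review bot: This hunk widens mozilla_plugin_t considerably, with no comment saying which plugin needs each grant. The additions are `dev_read_generic_usb_dev`, `files_exec_usr_files`, `application_exec`, and TCP connects to the vnc, couchdb and jabber_client ports on top of `corenet_tcp_connect_all_ephemeral_ports`. Each should carry a one-line rationale, for example `# <plugin name> needs USB device access, see <bug reference>` (placeholders), or sit behind a boolean so it can be turned off. The new `corecmd_dontaudit_access_all_executables` and `dev_dontaudit_getattr_all` rules also suppress the AVC denials that would show a plugin probing executables or device nodes, which costs audit visibility; it is worth confirming that is intended.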
@@ -8540,6 +67385,8 @@ index 2e9318b..194857d 100644
  userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 -userdom_read_user_tmp_files(mozilla_plugin_t)
 +userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
++userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)
++userdom_manage_home_certs(mozilla_plugin_t)
  userdom_read_user_tmp_symlinks(mozilla_plugin_t)
 +userdom_stream_connect(mozilla_plugin_t)
 +userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
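Review bot: `userdom_manage_home_certs(mozilla_plugin_t)` gives the plugin domain what its name suggests is create, write and delete access to the user's certificate files. The next hunk drops `userdom_dontaudit_write_home_certs` and keeps `userdom_read_home_certs`. If plugins only need to read the store, I would keep the read interface and not add the manage one. If write access really is required, a comment naming the consumer would help, and the then-redundant `userdom_read_home_certs` line can go. The interface bodies are not visible here, so the exact permission set is inferred from the names.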
@@ -8547,16 +67394,13 @@ index 2e9318b..194857d 100644
  userdom_read_user_home_content_files(mozilla_plugin_t)
  userdom_read_user_home_content_symlinks(mozilla_plugin_t)
 +userdom_read_home_certs(mozilla_plugin_t)
-+userdom_dontaudit_write_home_certs(mozilla_plugin_t)
 +userdom_read_home_audio_files(mozilla_plugin_t)
  
 -tunable_policy(`allow_execmem',`
 -	allow mozilla_plugin_t self:process { execmem execstack };
-+tunable_policy(`deny_execmem',`', `
-+	allow mozilla_plugin_t self:process execmem;
- ')
- 
- tunable_policy(`allow_execstack',`
+-')
+-
+-tunable_policy(`allow_execstack',`
 -	allow mozilla_plugin_t self:process { execstack };
 -')
 -
@@ -8564,9 +67408,8 @@ index 2e9318b..194857d 100644
 -	fs_manage_nfs_dirs(mozilla_plugin_t)
 -	fs_manage_nfs_files(mozilla_plugin_t)
 -	fs_manage_nfs_symlinks(mozilla_plugin_t)
-+	allow mozilla_plugin_t self:process execstack;
- ')
- 
+-')
+-
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(mozilla_plugin_t)
 -	fs_manage_cifs_files(mozilla_plugin_t)
@@ -8576,7 +67419,12 @@ index 2e9318b..194857d 100644
  
  optional_policy(`
  	alsa_read_rw_config(mozilla_plugin_t)
-@@ -425,7 +441,13 @@ optional_policy(`
+@@ -421,11 +450,19 @@ optional_policy(`
+ optional_policy(`
+ 	dbus_system_bus_client(mozilla_plugin_t)
+ 	dbus_session_bus_client(mozilla_plugin_t)
++	dbus_connect_session_bus(mozilla_plugin_t)
+ 	dbus_read_lib_files(mozilla_plugin_t)
  ')
  
  optional_policy(`
@@ -8587,10 +67435,11 @@ index 2e9318b..194857d 100644
 +optional_policy(`
  	gnome_manage_config(mozilla_plugin_t)
 +	gnome_read_usr_config(mozilla_plugin_t)
++	gnome_filetrans_home_content(mozilla_plugin_t)
  ')
  
  optional_policy(`
-@@ -438,18 +460,97 @@ optional_policy(`
+@@ -438,18 +475,103 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -8624,7 +67473,7 @@ index 2e9318b..194857d 100644
 +	xserver_read_user_iceauth(mozilla_plugin_t)
 +	xserver_read_user_xauth(mozilla_plugin_t)
 +	xserver_append_xdm_home_files(mozilla_plugin_t);
-+')
+ ')
 +
 +########################################
 +#
@@ -8632,7 +67481,7 @@ index 2e9318b..194857d 100644
 +#
 +
 +allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem };
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
 +
 +allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
 +allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
@@ -8677,6 +67526,7 @@ index 2e9318b..194857d 100644
 +userdom_read_user_home_content_files(mozilla_plugin_config_t)
 +userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
 +userdom_use_inherited_user_ptys(mozilla_plugin_config_t)
++userdom_dontaudit_use_user_terminals(mozilla_plugin_config_t)
 +
 +domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
 +
@@ -8691,7 +67541,12 @@ index 2e9318b..194857d 100644
 +	typealias mozilla_home_t alias nsplugin_home_t;
 +	typealias mozilla_plugin_config_t  alias nsplugin_config_t;
 +	typealias mozilla_plugin_config_exec_t  alias nsplugin_config_exec_t;
- ')
++')
++
++tunable_policy(`mozilla_plugin_enable_homedirs',`
++	userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
++')
++
 diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
 index d8ea41d..8bdc526 100644
 --- a/policy/modules/apps/mplayer.if
@@ -8983,10 +67838,10 @@ index 0000000..8d7c751
 +')
 diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
 new file mode 100644
-index 0000000..5ddf179
+index 0000000..2f7149c
 --- /dev/null
 +++ b/policy/modules/apps/namespace.te
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,45 @@
 +policy_module(namespace,1.0.0)
 +
 +########################################
@@ -9014,6 +67869,7 @@ index 0000000..5ddf179
 +corecmd_exec_shell(namespace_init_t)
 +
 +domain_use_interactive_fds(namespace_init_t)
++domain_obj_id_change_exemption(namespace_init_t)
 +
 +files_read_etc_files(namespace_init_t)
 +files_polyinstantiate_all(namespace_init_t)
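Review bot: `domain_obj_id_change_exemption(namespace_init_t)` is added without a comment, and by its name it exempts the domain from the constraint on changing an object's SELinux identity. The visible context shows namespace_init_t can also execute a shell (`corecmd_exec_shell`) and polyinstantiate all directories, so the exemption deserves a stated reason. Something like `# namespace.init relabels polyinstantiated directories for the logging-in user` would do, if that is the cause (to be confirmed by the author). The rest of namespace.te lies outside this hunk.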
@@ -9875,14 +68731,16 @@ index ccc15ab..9f88c3a 100644
  allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
  allow podsleuth_t self:sem create_sem_perms;
 diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
-index 84f23dc..af5b87d 100644
+index 84f23dc..5be2738 100644
 --- a/policy/modules/apps/pulseaudio.fc
 +++ b/policy/modules/apps/pulseaudio.fc
-@@ -1,6 +1,9 @@
+@@ -1,6 +1,11 @@
 -HOME_DIR/\.pulse-cookie		gen_context(system_u:object_r:pulseaudio_home_t,s0)
++HOME_DIR/\.esd_auth	--	gen_context(system_u:object_r:pulseaudio_home_t,s0)
 +HOME_DIR/\.pulse-cookie	--	gen_context(system_u:object_r:pulseaudio_home_t,s0)
  HOME_DIR/\.pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_home_t,s0)
  
++/root/\.esd_auth	--	gen_context(system_u:object_r:pulseaudio_home_t,s0)
 +/root/\.pulse-cookie	--	gen_context(system_u:object_r:pulseaudio_home_t,s0)
 +/root/\.pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_home_t,s0)
 +
@@ -9890,7 +68748,7 @@ index 84f23dc..af5b87d 100644
  
  /var/lib/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
 diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
-index f40c64d..aa9e8e2 100644
+index f40c64d..a3352d3 100644
 --- a/policy/modules/apps/pulseaudio.if
 +++ b/policy/modules/apps/pulseaudio.if
 @@ -35,6 +35,9 @@ interface(`pulseaudio_role',`
@@ -9903,7 +68761,22 @@ index f40c64d..aa9e8e2 100644
  	allow $2 pulseaudio_t:dbus send_msg;
  	allow pulseaudio_t $2:dbus { acquire_svc send_msg };
  ')
-@@ -257,4 +260,66 @@ interface(`pulseaudio_manage_home_files',`
+@@ -151,12 +154,14 @@ interface(`pulseaudio_signull',`
+ interface(`pulseaudio_stream_connect',`
+ 	gen_require(`
+ 		type pulseaudio_t, pulseaudio_var_run_t;
++		type pulseaudio_home_t;
+ 	')
+ 
+ 	files_search_pids($1)
+ 	allow $1 pulseaudio_t:process signull;
+ 	allow pulseaudio_t $1:process signull;
+ 	stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
++	stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)
+ ')
+ 
+ ########################################
+@@ -257,4 +262,68 @@ interface(`pulseaudio_manage_home_files',`
  	userdom_search_user_home_dirs($1)
  	manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
  	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
@@ -9949,6 +68822,7 @@ index f40c64d..aa9e8e2 100644
 +
 +	userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
 +	userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
++	userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
 +')
 +
 +########################################
@@ -9969,26 +68843,27 @@ index f40c64d..aa9e8e2 100644
 +
 +	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
 +	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
++	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
  ')
 diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index d1eace5..3411497 100644
+index d1eace5..10be05f 100644
 --- a/policy/modules/apps/pulseaudio.te
 +++ b/policy/modules/apps/pulseaudio.te
-@@ -43,8 +43,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -43,7 +43,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
  
  manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
  manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
 +manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
  userdom_search_user_home_dirs(pulseaudio_t)
- 
++pulseaudio_filetrans_home_content(pulseaudio_t)
++
 +# ~/.esd_auth - maybe we should label this pulseaudit_home_t?
 +userdom_read_user_home_content_files(pulseaudio_t)
 +userdom_search_admin_dir(pulseaudio_t)
-+
+ 
  manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
  manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
- manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
-@@ -53,7 +58,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+@@ -53,7 +59,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
  manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
  manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
  manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
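Review bot: The pulseaudio.te part of this hunk keeps the comment `# ~/.esd_auth - maybe we should label this pulseaudit_home_t?` together with `userdom_read_user_home_content_files(pulseaudio_t)`. This commit now labels `.esd_auth` as pulseaudio_home_t in pulseaudio.fc and adds a named file transition for it. If that file was the only reason for the broad read of user home content, the interface call can be removed along with the comment. Otherwise the comment should be rewritten to say what else is read; it also misspells the type as `pulseaudit_home_t`.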
@@ -9997,7 +68872,7 @@ index d1eace5..3411497 100644
  
  can_exec(pulseaudio_t, pulseaudio_exec_t)
  
-@@ -85,8 +90,8 @@ fs_rw_anon_inodefs_files(pulseaudio_t)
+@@ -85,8 +91,8 @@ fs_rw_anon_inodefs_files(pulseaudio_t)
  fs_getattr_tmpfs(pulseaudio_t)
  fs_list_inotifyfs(pulseaudio_t)
  
@@ -10008,7 +68883,7 @@ index d1eace5..3411497 100644
  
  auth_use_nsswitch(pulseaudio_t)
  
-@@ -94,10 +99,29 @@ logging_send_syslog_msg(pulseaudio_t)
+@@ -94,10 +100,29 @@ logging_send_syslog_msg(pulseaudio_t)
  
  miscfiles_read_localization(pulseaudio_t)
  
@@ -10042,7 +68917,7 @@ index d1eace5..3411497 100644
  
  optional_policy(`
  	bluetooth_stream_connect(pulseaudio_t)
-@@ -127,10 +151,24 @@ optional_policy(`
+@@ -127,16 +152,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10067,7 +68942,18 @@ index d1eace5..3411497 100644
  	policykit_domtrans_auth(pulseaudio_t)
  	policykit_read_lib(pulseaudio_t)
  	policykit_read_reload(pulseaudio_t)
-@@ -148,3 +186,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	systemd_read_logind_sessions_files(pulseaudio_t)
++	systemd_login_read_pid_files(pulseaudio_t)
++')
++
++optional_policy(`
+ 	udev_read_state(pulseaudio_t)
+ 	udev_read_db(pulseaudio_t)
+ ')
+@@ -148,3 +192,7 @@ optional_policy(`
  	xserver_read_xdm_pid(pulseaudio_t)
  	xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
  ')
@@ -10075,6 +68961,143 @@ index d1eace5..3411497 100644
 +optional_policy(`
 +	virt_manage_tmpfs_files(pulseaudio_t)
 +')
+diff --git a/policy/modules/apps/pwauth.fc b/policy/modules/apps/pwauth.fc
+new file mode 100644
+index 0000000..e2f8687
+--- /dev/null
++++ b/policy/modules/apps/pwauth.fc
+@@ -0,0 +1,3 @@
++/usr/bin/pwauth		--	gen_context(system_u:object_r:pwauth_exec_t,s0)
++
++/var/run/pwauth.lock	--	gen_context(system_u:object_r:pwauth_var_run_t,s0)
+diff --git a/policy/modules/apps/pwauth.if b/policy/modules/apps/pwauth.if
+new file mode 100644
+index 0000000..86d25ea
+--- /dev/null
++++ b/policy/modules/apps/pwauth.if
+@@ -0,0 +1,74 @@
++
++## <summary>policy for pwauth</summary>
++
++########################################
++## <summary>
++##	Transition to pwauth.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`pwauth_domtrans',`
++	gen_require(`
++		type pwauth_t, pwauth_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, pwauth_exec_t, pwauth_t)
++')
++
++########################################
++## <summary>
++##	Execute pwauth in the pwauth domain, and
++##	allow the specified role the pwauth domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the pwauth domain.
++##	</summary>
++## </param>
++#
++interface(`pwauth_run',`
++	gen_require(`
++		type pwauth_t;
++	')
++
++	pwauth_domtrans($1)
++	role $2 types pwauth_t;
++')
++
++########################################
++## <summary>
++##	Role access for pwauth
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role
++##	</summary>
++## </param>
++#
++interface(`pwauth_role',`
++	gen_require(`
++		type pwauth_t;
++	')
++
++	role $1 types pwauth_t;
++
++	pwauth_domtrans($2)
++
++	ps_process_pattern($2, pwauth_t)
++	allow $2 pwauth_t:process signal;
++')
+diff --git a/policy/modules/apps/pwauth.te b/policy/modules/apps/pwauth.te
+new file mode 100644
+index 0000000..11bb8e1
+--- /dev/null
++++ b/policy/modules/apps/pwauth.te
+@@ -0,0 +1,42 @@
++policy_module(pwauth, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type pwauth_t;
++type pwauth_exec_t;
++application_domain(pwauth_t, pwauth_exec_t)
++role system_r types pwauth_t;
++
++type pwauth_var_run_t;
++files_pid_file(pwauth_var_run_t)
++
++########################################
++#
++# pwauth local policy
++#
++allow pwauth_t self:capability setuid;
++allow pwauth_t self:process setrlimit;
++
++allow pwauth_t self:fifo_file manage_fifo_file_perms;
++allow pwauth_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
++files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
++
++domain_use_interactive_fds(pwauth_t)
++
++files_read_etc_files(pwauth_t)
++
++auth_domtrans_chkpwd(pwauth_t)
++auth_use_nsswitch(pwauth_t)
++auth_read_shadow(pwauth_t)
++
++init_read_utmp(pwauth_t)
++
++logging_send_syslog_msg(pwauth_t)
++logging_send_audit_msgs(pwauth_t)
++
++miscfiles_read_localization(pwauth_t)
 diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
 index 268d691..da3a26d 100644
 --- a/policy/modules/apps/qemu.if
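Review bot: The new pwauth.te grants pwauth_t both `auth_domtrans_chkpwd(pwauth_t)` and `auth_read_shadow(pwauth_t)`. The chkpwd transition normally exists so that the calling domain does not have to read the shadow file itself, so the direct read looks wider than an authentication helper needs. I would drop `auth_read_shadow(pwauth_t)` unless a logged denial shows it is required, and in that case add a comment stating why, e.g. `# pwauth opens the shadow file itself, chkpwd alone is not enough` if that is the reason. In pwauth.if the `<param>` block of `pwauth_domtrans` is indented differently from the other two interfaces, which is cosmetic only.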
@@ -10324,10 +69347,10 @@ index 4c091ca..a58f123 100644
 +
 +/usr/libexec/rssh_chroot_helper		--	gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
 diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
-index f594e12..2025c1f 100644
+index f594e12..e8f731d 100644
 --- a/policy/modules/apps/sambagui.te
 +++ b/policy/modules/apps/sambagui.te
-@@ -27,11 +27,13 @@ corecmd_exec_bin(sambagui_t)
+@@ -27,16 +27,20 @@ corecmd_exec_bin(sambagui_t)
  
  dev_dontaudit_read_urand(sambagui_t)
  
@@ -10341,7 +69364,14 @@ index f594e12..2025c1f 100644
  
  logging_send_syslog_msg(sambagui_t)
  
-@@ -56,6 +58,7 @@ optional_policy(`
+ miscfiles_read_localization(sambagui_t)
+ 
++sysnet_use_ldap(sambagui_t)
++
+ optional_policy(`
+ 	consoletype_exec(sambagui_t)
+ ')
+@@ -56,6 +60,7 @@ optional_policy(`
  	samba_manage_var_files(sambagui_t)
  	samba_read_secrets(sambagui_t)
  	samba_initrc_domtrans(sambagui_t)
@@ -10729,11 +69759,12 @@ index 0000000..809784d
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..e8f0ef5
+index 0000000..3203ede
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,502 @@
+@@ -0,0 +1,509 @@
 +policy_module(sandbox,1.0.0)
++
 +dbus_stub()
 +attribute sandbox_domain;
 +attribute sandbox_x_domain;
@@ -10775,7 +69806,7 @@ index 0000000..e8f0ef5
 +#
 +# sandbox xserver policy
 +#
-+allow sandbox_xserver_t self:process execstack;
++allow sandbox_xserver_t self:process { signal_perms execstack };
 +
 +tunable_policy(`deny_execmem',`',`
 +	allow sandbox_xserver_t self:process execmem;
@@ -10843,6 +69874,7 @@ index 0000000..e8f0ef5
 +
 +userdom_use_inherited_user_terminals(sandbox_xserver_t)
 +userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
++userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t)
 +
 +xserver_entry_type(sandbox_xserver_t)
 +
@@ -11041,6 +70073,7 @@ index 0000000..e8f0ef5
 +userdom_dontaudit_use_user_terminals(sandbox_x_domain)
 +userdom_read_user_home_content_symlinks(sandbox_x_domain)
 +userdom_search_user_home_content(sandbox_x_domain)
++userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain)
 +
 +fs_search_auto_mountpoints(sandbox_x_domain)
 +
@@ -11087,6 +70120,10 @@ index 0000000..e8f0ef5
 +auth_use_nsswitch(sandbox_x_client_t)
 +
 +optional_policy(`
++	colord_dbus_chat(sandbox_x_client_t)
++')
++
++optional_policy(`
 +	hal_dbus_chat(sandbox_x_client_t)
 +')
 +
@@ -11578,10 +70615,10 @@ index 1dc7a85..a01511f 100644
 +	corecmd_shell_domtrans($1_seunshare_t, $1_t)
  ')
 diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..f40af5b 100644
+index 7590165..59539e8 100644
 --- a/policy/modules/apps/seunshare.te
 +++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,63 @@ policy_module(seunshare, 1.1.0)
  # Declarations
  #
  
@@ -11615,6 +70652,7 @@ index 7590165..f40af5b 100644
 -files_read_etc_files(seunshare_t)
 -files_mounton_all_poly_members(seunshare_t)
 +dev_read_urand(seunshare_domain)
++dev_dontaudit_rw_dri(seunshare_domain)
  
 -auth_use_nsswitch(seunshare_t)
 +files_search_all(seunshare_domain)
@@ -11635,6 +70673,7 @@ index 7590165..f40af5b 100644
 -userdom_use_user_terminals(seunshare_t)
 +miscfiles_read_localization(seunshare_domain)
  
++userdom_dontaudit_rw_user_tmp_pipes(seunshare_domain)
 +userdom_use_inherited_user_terminals(seunshare_domain)
 +userdom_list_user_home_content(seunshare_domain)
  ifdef(`hide_broken_symptoms', `
@@ -11870,7 +70909,7 @@ index 3cfb128..d49274d 100644
 +	gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..a36ed88 100644
+index 2533ea0..92f0ecb 100644
 --- a/policy/modules/apps/telepathy.te
 +++ b/policy/modules/apps/telepathy.te
 @@ -26,12 +26,18 @@ attribute telepathy_executable;
@@ -11955,7 +70994,7 @@ index 2533ea0..a36ed88 100644
  
  files_read_etc_files(telepathy_logger_t)
  files_read_usr_files(telepathy_logger_t)
-@@ -158,14 +175,11 @@ files_search_pids(telepathy_logger_t)
+@@ -158,40 +175,58 @@ files_search_pids(telepathy_logger_t)
  
  fs_getattr_all_fs(telepathy_logger_t)
  
@@ -11974,7 +71013,11 @@ index 2533ea0..a36ed88 100644
  ')
  
  #######################################
-@@ -176,6 +190,13 @@ tunable_policy(`use_samba_home_dirs',`
+ #
+ # Telepathy Mission-Control local policy.
+ #
++allow telepathy_mission_control_t self:process setsched;
+ 
  manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
  manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
  userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
@@ -11988,7 +71031,9 @@ index 2533ea0..a36ed88 100644
  
  dev_read_rand(telepathy_mission_control_t)
  
-@@ -184,14 +205,26 @@ fs_getattr_all_fs(telepathy_mission_control_t)
+ fs_getattr_all_fs(telepathy_mission_control_t)
+ 
++files_list_tmp(telepathy_mission_control_t)
  files_read_etc_files(telepathy_mission_control_t)
  files_read_usr_files(telepathy_mission_control_t)
  
@@ -12021,7 +71066,7 @@ index 2533ea0..a36ed88 100644
  ')
  
  #######################################
-@@ -205,8 +238,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+@@ -205,8 +240,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
  manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
  manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
  manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@@ -12033,7 +71078,7 @@ index 2533ea0..a36ed88 100644
  
  corenet_all_recvfrom_netlabel(telepathy_msn_t)
  corenet_all_recvfrom_unlabeled(telepathy_msn_t)
-@@ -228,6 +264,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t)
+@@ -228,6 +266,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t)
  files_read_etc_files(telepathy_msn_t)
  files_read_usr_files(telepathy_msn_t)
  
@@ -12042,7 +71087,7 @@ index 2533ea0..a36ed88 100644
  libs_exec_ldconfig(telepathy_msn_t)
  
  logging_send_syslog_msg(telepathy_msn_t)
-@@ -246,6 +284,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -246,6 +286,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
  ')
  
  optional_policy(`
@@ -12053,7 +71098,7 @@ index 2533ea0..a36ed88 100644
  	dbus_system_bus_client(telepathy_msn_t)
  
  	optional_policy(`
-@@ -361,14 +403,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+@@ -361,14 +405,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
  allow telepathy_domain self:tcp_socket create_socket_perms;
  allow telepathy_domain self:udp_socket create_socket_perms;
  
@@ -12072,7 +71117,7 @@ index 2533ea0..a36ed88 100644
  miscfiles_read_localization(telepathy_domain)
  
  optional_policy(`
-@@ -376,5 +420,23 @@ optional_policy(`
+@@ -376,5 +422,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12098,24 +71143,34 @@ index 2533ea0..a36ed88 100644
 +')
 diff --git a/policy/modules/apps/thumb.fc b/policy/modules/apps/thumb.fc
 new file mode 100644
-index 0000000..a4be758
+index 0000000..3a7c395
 --- /dev/null
 +++ b/policy/modules/apps/thumb.fc
-@@ -0,0 +1,4 @@
+@@ -0,0 +1,15 @@
++HOME_DIR/\.thumbnails(/.*)?			gen_context(system_u:object_r:thumb_home_t,s0)
++HOME_DIR/missfont\.log				gen_context(system_u:object_r:thumb_home_t,s0)
 +
 +/usr/bin/evince-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/gsf-office-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 +/usr/bin/gnome-thumbnail-font		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/gnome-[^/]*-thumbnailer(.sh)?	--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/raw-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/shotwell-video-thumbnailer	--	gen_context(system_u:object_r:thumb_exec_t,s0)
 +/usr/bin/totem-video-thumbnailer	--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/whaaw-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/[^/]*thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/ffmpegthumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++
++/usr/lib/tumbler[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 diff --git a/policy/modules/apps/thumb.if b/policy/modules/apps/thumb.if
 new file mode 100644
-index 0000000..5554dc9
+index 0000000..9127cec
 --- /dev/null
 +++ b/policy/modules/apps/thumb.if
-@@ -0,0 +1,84 @@
+@@ -0,0 +1,125 @@
 +
 +## <summary>policy for thumb</summary>
 +
-+
 +########################################
 +## <summary>
 +##	Transition to thumb.
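Review bot: In thumb.fc the pattern `/usr/bin/gnome-[^/]*-thumbnailer(.sh)?` leaves the dot unescaped, so it matches any character before `sh`. It should read `(\.sh)?`, the way `missfont\.log` is written a few lines above. The catch-all `/usr/bin/[^/]*thumbnailer` also labels every binary whose name merely ends in `thumbnailer` as thumb_exec_t. That makes most of the explicit entries redundant, and any future binary with that suffix is silently placed in thumb_t by file name alone; keeping only the explicit list would be more predictable. The thumb.if section that begins in this hunk continues outside it.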
@@ -12194,14 +71249,56 @@ index 0000000..5554dc9
 +
 +	allow $2 thumb_t:dbus send_msg;
 +	allow thumb_t $2:dbus send_msg;
++	thumb_filetrans_home_content($2)
 +')
 +
++########################################
++## <summary>
++##      Send and receive messages from
++##      thumb over dbus.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`thumb_dbus_chat',`
++        gen_require(`
++                type thumb_t;
++                class dbus send_msg;
++        ')
++
++        allow $1 thumb_t:dbus send_msg;
++        allow thumb_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
++##	Create thumb content in the user home directory
++##	with an correct label.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`thumb_filetrans_home_content',`
++
++	gen_require(`
++		type thumb_home_t;
++	')
++
++	userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
++	userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
++')
 diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
 new file mode 100644
-index 0000000..b23b488
+index 0000000..5a84da4
 --- /dev/null
 +++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,104 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -12213,11 +71310,15 @@ index 0000000..b23b488
 +type thumb_exec_t;
 +application_domain(thumb_t, thumb_exec_t)
 +ubac_constrained(thumb_t)
++userdom_home_manager(thumb_t)
 +
 +type thumb_tmp_t;
 +files_tmp_file(thumb_tmp_t)
 +ubac_constrained(thumb_tmp_t)
 +
++type thumb_home_t;
++userdom_user_home_content(thumb_home_t)
++
 +########################################
 +#
 +# thumb local policy
@@ -12235,24 +71336,40 @@ index 0000000..b23b488
 +allow thumb_t self:udp_socket create_socket_perms;
 +allow thumb_t self:tcp_socket create_socket_perms;
 +
++manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
++manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
++userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
++userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
++
 +manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
 +manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
 +exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-+files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
-+userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
++files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
++userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
++xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file)
++
++can_exec(thumb_t, thumb_exec_t)
 +
 +kernel_read_system_state(thumb_t)
 +
 +domain_use_interactive_fds(thumb_t)
 +
 +corecmd_exec_bin(thumb_t)
++corecmd_exec_shell(thumb_t)
 +
 +dev_read_sysfs(thumb_t)
++dev_read_urand(thumb_t)
++dev_dontaudit_rw_dri(thumb_t)
++dev_rw_xserver_misc(thumb_t)
 +
 +domain_use_interactive_fds(thumb_t)
 +
 +files_read_etc_files(thumb_t)
 +files_read_usr_files(thumb_t)
++files_read_non_security_files(thumb_t)
++
++fs_read_dos_files(thumb_t)
 +
 +auth_use_nsswitch(thumb_t)
 +
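Review bot: This hunk lets thumb_t read every non-security file (`files_read_non_security_files`) and run a shell (`corecmd_exec_shell`), and the previous hunk adds `userdom_home_manager(thumb_t)`, none of them with a comment. Thumbnailers presumably process files the user did not author, so these grants remove much of the value of confining them. I would ask for narrower interfaces, or at least a comment naming the thumbnailer that needs each one. Separately, the two `userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, ...)` lines duplicate the new `thumb_filetrans_home_content` interface, and a single `thumb_filetrans_home_content(thumb_t)` call would keep the names in one place. `domain_use_interactive_fds(thumb_t)` is also listed twice.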
@@ -12265,6 +71382,7 @@ index 0000000..b23b488
 +userdom_read_user_home_content_files(thumb_t)
 +userdom_write_user_tmp_files(thumb_t)
 +userdom_read_home_audio_files(thumb_t)
++userdom_home_reader(thumb_t)
 +
 +userdom_use_inherited_user_ptys(thumb_t)
 +
@@ -12283,7 +71401,8 @@ index 0000000..b23b488
 +	gnome_dontaudit_search_config(thumb_t)
 +	gnome_read_generic_data_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_files(thumb_t)
-+') 
++	gnome_manage_gstreamer_home_dirs(thumb_t)
++')
 diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
 index f50789e..9ba6da8 100644
 --- a/policy/modules/apps/thunderbird.te
@@ -12382,7 +71501,7 @@ index e70b0e8..cd83b89 100644
  /usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
 +/usr/bin/consolehelper		--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
 diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
-index ced285a..bdfe8dd 100644
+index ced285a..d2e2ce8 100644
 --- a/policy/modules/apps/userhelper.if
 +++ b/policy/modules/apps/userhelper.if
 @@ -25,6 +25,7 @@ template(`userhelper_role_template',`
@@ -12422,7 +71541,7 @@ index ced285a..bdfe8dd 100644
  		tunable_policy(`! secure_mode',`
  			#if we are not in secure mode then we can transition to sysadm_t
  			sysadm_bin_spec_domtrans($1_userhelper_t)
-@@ -256,3 +248,87 @@ interface(`userhelper_exec',`
+@@ -256,3 +248,88 @@ interface(`userhelper_exec',`
  
  	can_exec($1, userhelper_exec_t)
  ')
@@ -12467,6 +71586,7 @@ index ced285a..bdfe8dd 100644
 +
 +	domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
 +
++	allow $3 $1_consolehelper_t:process signal;
 +	allow $3 $1_consolehelper_t:dbus send_msg;
 +	allow $1_consolehelper_t $3:dbus send_msg;
 +
@@ -12728,10 +71848,10 @@ index 23066a1..dc73652 100644
  # cjp: why?
  userdom_read_user_home_content_files(vmware_t)
 diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
-index b11941a..93ec570 100644
+index b11941a..181c808 100644
 --- a/policy/modules/apps/webalizer.te
 +++ b/policy/modules/apps/webalizer.te
-@@ -75,13 +75,15 @@ files_read_etc_runtime_files(webalizer_t)
+@@ -75,33 +75,29 @@ files_read_etc_runtime_files(webalizer_t)
  logging_list_logs(webalizer_t)
  logging_send_syslog_msg(webalizer_t)
  
@@ -12748,20 +71868,30 @@ index b11941a..93ec570 100644
  userdom_use_unpriv_users_fds(webalizer_t)
  userdom_dontaudit_search_user_home_content(webalizer_t)
  
-@@ -97,13 +99,5 @@ optional_policy(`
+-apache_read_log(webalizer_t)
+-apache_manage_sys_content(webalizer_t)
+-
+ optional_policy(`
+-	cron_system_entry(webalizer_t, webalizer_exec_t)
++	apache_read_log(webalizer_t)
++	apache_manage_sys_content(webalizer_t)
  ')
  
  optional_policy(`
--	nis_use_ypbind(webalizer_t)
+-	ftp_read_log(webalizer_t)
 -')
 -
 -optional_policy(`
+-	nis_use_ypbind(webalizer_t)
++	cron_system_entry(webalizer_t, webalizer_exec_t)
+ ')
+ 
+ optional_policy(`
 -	nscd_socket_use(webalizer_t)
--')
--
--optional_policy(`
- 	squid_read_log(webalizer_t)
++	ftp_read_log(webalizer_t)
  ')
+ 
+ optional_policy(`
 diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
 index 9d24449..2666317 100644
 --- a/policy/modules/apps/wine.fc
@@ -12848,7 +71978,7 @@ index f9a73d0..00a98f1 100644
  		xserver_role($1_r, $1_wine_t)
  	')
 diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
-index be9246b..e3de8fa 100644
+index be9246b..90848c7 100644
 --- a/policy/modules/apps/wine.te
 +++ b/policy/modules/apps/wine.te
 @@ -40,7 +40,7 @@ domain_mmap_low(wine_t)
@@ -12860,6 +71990,17 @@ index be9246b..e3de8fa 100644
  
  tunable_policy(`wine_mmap_zero_ignore',`
  	dontaudit wine_t self:memprotect mmap_zero;
+@@ -55,6 +55,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	rtkit_scheduled(wine_t)
++')
++
++optional_policy(`
+ 	unconfined_domain(wine_t)
+ ')
+ 
 diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
 index 8bfe97d..356e2a1 100644
 --- a/policy/modules/apps/wireshark.te
@@ -12979,10 +72120,10 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..3f5d339 100644
+index 3fae11a..f55e193 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
-@@ -1,7 +1,7 @@
+@@ -1,9 +1,10 @@
  #
  # /bin
  #
@@ -12990,8 +72131,19 @@ index 3fae11a..3f5d339 100644
 +/bin					gen_context(system_u:object_r:bin_t,s0)
  /bin/.*					gen_context(system_u:object_r:bin_t,s0)
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
++/bin/esh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -71,6 +71,13 @@ ifdef(`distro_redhat',`
+ /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -46,6 +47,7 @@ ifdef(`distro_redhat',`
+ /etc/apcupsd/offbattery		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/apcupsd/onbattery		--	gen_context(system_u:object_r:bin_t,s0)
+ 
++/etc/auto\.[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/avahi/.*\.action 		--	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
+@@ -71,10 +73,18 @@ ifdef(`distro_redhat',`
  /etc/kde/env(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
@@ -13005,7 +72157,12 @@ index 3fae11a..3f5d339 100644
  /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
  /etc/mcelog/cache-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -97,8 +104,6 @@ ifdef(`distro_redhat',`
+ /etc/mgetty\+sendfax/new_fax	--	gen_context(system_u:object_r:bin_t,s0)
++/etc/munin/plugins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ 
+ /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
+ 
+@@ -97,8 +107,6 @@ ifdef(`distro_redhat',`
  
  /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
  
@@ -13014,7 +72171,7 @@ index 3fae11a..3f5d339 100644
  /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -130,18 +135,14 @@ ifdef(`distro_debian',`
+@@ -130,18 +138,14 @@ ifdef(`distro_debian',`
  
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -13035,7 +72192,7 @@ index 3fae11a..3f5d339 100644
  
  /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -152,7 +153,7 @@ ifdef(`distro_gentoo',`
+@@ -152,7 +156,7 @@ ifdef(`distro_gentoo',`
  #
  # /sbin
  #
@@ -13044,7 +72201,7 @@ index 3fae11a..3f5d339 100644
  /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
  /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +169,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +172,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13052,7 +72209,7 @@ index 3fae11a..3f5d339 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -179,67 +181,92 @@ ifdef(`distro_gentoo',`
+@@ -179,67 +184,93 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -13067,6 +72224,7 @@ index 3fae11a..3f5d339 100644
 -/usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/.*					gen_context(system_u:object_r:bin_t,s0)
 +/usr/bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/esh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -13145,8 +72303,8 @@ index 3fae11a..3f5d339 100644
 +/usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/gimp/.*/plug-ins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ipsec/.*		--	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/mailman/mail(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/mailman.*/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/mailman.*/mail(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/MailScanner(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/mediawiki/math/texvc.*	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
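Review bot: The widened patterns `/usr/lib/mailman.*/bin(/.*)?` and `/usr/lib/mailman.*/mail(/.*)?` use `.*`, which in file-context regexes also matches `/`. They therefore label as `bin_t` any `bin` or `mail` directory at any depth below a path beginning with `/usr/lib/mailman`, not only a sibling directory with a suffixed name. If the intent is just to cover suffixed directory names (an assumption, the commit does not say), `[^/]*` keeps the match to one path component: `/usr/lib/mailman[^/]*/bin(/.*)?`. The same applies to `/var/mailman.*/bin(/.*)?` in the later `/var` hunk and, more loosely, to `/usr/lib/tuned/.*/.*\.sh` in the `distro_redhat` hunk.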
@@ -13190,7 +72348,7 @@ index 3fae11a..3f5d339 100644
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,11 +274,18 @@ ifdef(`distro_gentoo',`
+@@ -247,11 +278,18 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -13210,7 +72368,7 @@ index 3fae11a..3f5d339 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +301,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +305,10 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -13221,7 +72379,7 @@ index 3fae11a..3f5d339 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +324,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +328,19 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -13242,7 +72400,7 @@ index 3fae11a..3f5d339 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +348,11 @@ ifdef(`distro_redhat', `
+@@ -306,10 +352,12 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -13253,10 +72411,11 @@ index 3fae11a..3f5d339 100644
 -/usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/nfs-utils/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/oracle/xe/apps(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/tuned/.*/.*\.sh  		--  gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +362,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +367,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13268,7 +72427,7 @@ index 3fae11a..3f5d339 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +408,7 @@ ifdef(`distro_redhat', `
+@@ -363,20 +413,21 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -13277,7 +72436,12 @@ index 3fae11a..3f5d339 100644
  /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
-@@ -375,8 +420,9 @@ ifdef(`distro_suse', `
+ #
+ # /var
+ #
+-/var/mailman/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
++/var/mailman.*/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ 
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13289,7 +72453,7 @@ index 3fae11a..3f5d339 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +431,12 @@ ifdef(`distro_suse', `
+@@ -385,3 +436,13 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -13298,15 +72462,32 @@ index 3fae11a..3f5d339 100644
 +# /usr/lib
 +#
 +
-+/usr/lib/iscan/network				--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/dracut(/.*)?				gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/iscan/network			--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ruby/gems/.*/agents(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/virtualbox/VBoxManage		--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/yp/.+				--	gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..650e796 100644
+index 9e9263a..ba59ffd 100644
 --- a/policy/modules/kernel/corecommands.if
 +++ b/policy/modules/kernel/corecommands.if
-@@ -203,7 +203,7 @@ interface(`corecmd_getattr_bin_files',`
+@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks($1)
+ 	search_dirs_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -158,6 +159,7 @@ interface(`corecmd_list_bin',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks($1)
+ 	list_dirs_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -203,7 +205,7 @@ interface(`corecmd_getattr_bin_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13315,7 +72496,15 @@ index 9e9263a..650e796 100644
  ##	</summary>
  ## </param>
  #
-@@ -254,6 +254,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
+@@ -231,6 +233,7 @@ interface(`corecmd_read_bin_files',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks($1)
+ 	read_files_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -254,6 +257,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
  
  ########################################
  ## <summary>
@@ -13340,7 +72529,39 @@ index 9e9263a..650e796 100644
  ##	Read symbolic links in bin directories.
  ## </summary>
  ## <param name="domain">
-@@ -954,6 +972,24 @@ interface(`corecmd_exec_chroot',`
+@@ -285,6 +306,7 @@ interface(`corecmd_read_bin_pipes',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks(bin_t)
+ 	read_fifo_files_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -303,6 +325,7 @@ interface(`corecmd_read_bin_sockets',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks($1)
+ 	read_sock_files_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -362,6 +385,7 @@ interface(`corecmd_manage_bin_files',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks($1)
+ 	manage_files_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -398,6 +422,7 @@ interface(`corecmd_mmap_bin_files',`
+ 		type bin_t;
+ 	')
+ 
++	corecmd_read_bin_symlinks($1)
+ 	mmap_files_pattern($1, bin_t, bin_t)
+ ')
+ 
+@@ -954,6 +979,24 @@ interface(`corecmd_exec_chroot',`
  
  ########################################
  ## <summary>
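Review bot: In `corecmd_read_bin_pipes` the added call is `corecmd_read_bin_symlinks(bin_t)`, which passes the file type where every sibling interface touched by this patch passes the caller's domain `$1`. As written, the symlink-read rule is presumably emitted with `bin_t` as its source, so domains calling `corecmd_read_bin_pipes` do not get the access the other interfaces now bundle, and a rule with a file type as subject is generated instead. The line should read `corecmd_read_bin_symlinks($1)`. The interface bodies start and end outside the lines shown in this hunk.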
@@ -13365,7 +72586,7 @@ index 9e9263a..650e796 100644
  ##	Get the attributes of all executable files.
  ## </summary>
  ## <param name="domain">
-@@ -1049,6 +1085,7 @@ interface(`corecmd_manage_all_executables',`
+@@ -1049,6 +1092,7 @@ interface(`corecmd_manage_all_executables',`
  		type bin_t;
  	')
  
@@ -13374,7 +72595,7 @@ index 9e9263a..650e796 100644
  	manage_lnk_files_pattern($1, bin_t, bin_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index 23a1c3c..5354925 100644
+index 23a1c3c..e7f6216 100644
 --- a/policy/modules/kernel/corecommands.te
 +++ b/policy/modules/kernel/corecommands.te
 @@ -13,7 +13,7 @@ attribute exec_type;
@@ -13382,7 +72603,7 @@ index 23a1c3c..5354925 100644
  # bin_t is the type of files in the system bin/sbin directories.
  #
 -type bin_t alias { ls_exec_t sbin_t };
-+type bin_t alias { ls_exec_t sbin_t execmem_exec_t java_exec_t mono_exec_t };
++type bin_t alias { ls_exec_t sbin_t unconfined_execmem_exec_t execmem_exec_t java_exec_t mono_exec_t };
  corecmd_executable_file(bin_t)
  dev_associate(bin_t)	#For /dev/MAKEDEV
  
@@ -13398,10 +72619,26 @@ index f9b25c1..9af1f7a 100644
 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
 +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 4f3b542..f4e36ee 100644
+index 4f3b542..0ebac89 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
-@@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',`
+@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
+ 	')
+ 
+ 	typeattribute $1 reserved_port_type;
++	corenet_port($1)
+ ')
+ 
+ ########################################
+@@ -82,6 +83,7 @@ interface(`corenet_rpc_port',`
+ 	')
+ 
+ 	typeattribute $1 rpc_port_type;
++	corenet_port($1)
+ ')
+ 
+ ########################################
+@@ -615,6 +617,24 @@ interface(`corenet_raw_sendrecv_all_if',`
  
  ########################################
  ## <summary>
@@ -13426,7 +72663,7 @@ index 4f3b542..f4e36ee 100644
  ##	Send and receive TCP network traffic on generic nodes.
  ## </summary>
  ## <desc>
-@@ -789,6 +807,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
+@@ -789,6 +809,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
  
  ########################################
  ## <summary>
@@ -13451,7 +72688,7 @@ index 4f3b542..f4e36ee 100644
  ##	Bind TCP sockets to generic nodes.
  ## </summary>
  ## <desc>
-@@ -928,6 +964,24 @@ interface(`corenet_inout_generic_node',`
+@@ -928,6 +966,24 @@ interface(`corenet_inout_generic_node',`
  
  ########################################
  ## <summary>
@@ -13476,7 +72713,7 @@ index 4f3b542..f4e36ee 100644
  ##	Send and receive TCP network traffic on all nodes.
  ## </summary>
  ## <param name="domain">
-@@ -1102,6 +1156,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
+@@ -1102,6 +1158,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
  
  ########################################
  ## <summary>
@@ -13501,7 +72738,7 @@ index 4f3b542..f4e36ee 100644
  ##	Bind TCP sockets to all nodes.
  ## </summary>
  ## <param name="domain">
-@@ -1157,6 +1229,24 @@ interface(`corenet_raw_bind_all_nodes',`
+@@ -1157,6 +1231,24 @@ interface(`corenet_raw_bind_all_nodes',`
  
  ########################################
  ## <summary>
@@ -13526,7 +72763,7 @@ index 4f3b542..f4e36ee 100644
  ##	Send and receive TCP network traffic on generic ports.
  ## </summary>
  ## <param name="domain">
-@@ -1167,10 +1257,30 @@ interface(`corenet_raw_bind_all_nodes',`
+@@ -1167,10 +1259,30 @@ interface(`corenet_raw_bind_all_nodes',`
  #
  interface(`corenet_tcp_sendrecv_generic_port',`
  	gen_require(`
@@ -13559,7 +72796,7 @@ index 4f3b542..f4e36ee 100644
  ')
  
  ########################################
-@@ -1185,10 +1295,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
+@@ -1185,10 +1297,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
  #
  interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
  	gen_require(`
@@ -13572,7 +72809,7 @@ index 4f3b542..f4e36ee 100644
  ')
  
  ########################################
-@@ -1203,10 +1313,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+@@ -1203,10 +1315,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
  #
  interface(`corenet_udp_send_generic_port',`
  	gen_require(`
@@ -13585,7 +72822,7 @@ index 4f3b542..f4e36ee 100644
  ')
  
  ########################################
-@@ -1221,10 +1331,10 @@ interface(`corenet_udp_send_generic_port',`
+@@ -1221,10 +1333,10 @@ interface(`corenet_udp_send_generic_port',`
  #
  interface(`corenet_udp_receive_generic_port',`
  	gen_require(`
@@ -13598,7 +72835,7 @@ index 4f3b542..f4e36ee 100644
  ')
  
  ########################################
-@@ -1244,6 +1354,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
+@@ -1244,6 +1356,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
  
  ########################################
  ## <summary>
@@ -13625,7 +72862,7 @@ index 4f3b542..f4e36ee 100644
  ##	Bind TCP sockets to generic ports.
  ## </summary>
  ## <param name="domain">
-@@ -1254,12 +1384,31 @@ interface(`corenet_udp_sendrecv_generic_port',`
+@@ -1254,12 +1386,31 @@ interface(`corenet_udp_sendrecv_generic_port',`
  #
  interface(`corenet_tcp_bind_generic_port',`
  	gen_require(`
@@ -13661,7 +72898,7 @@ index 4f3b542..f4e36ee 100644
  ')
  
  ########################################
-@@ -1274,10 +1423,10 @@ interface(`corenet_tcp_bind_generic_port',`
+@@ -1274,10 +1425,10 @@ interface(`corenet_tcp_bind_generic_port',`
  #
  interface(`corenet_dontaudit_tcp_bind_generic_port',`
  	gen_require(`
@@ -13674,7 +72911,7 @@ index 4f3b542..f4e36ee 100644
  ')
  
  ########################################
-@@ -1292,12 +1441,30 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+@@ -1292,12 +1443,30 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
  #
  interface(`corenet_udp_bind_generic_port',`
  	gen_require(`
@@ -13682,8 +72919,10 @@ index 4f3b542..f4e36ee 100644
 -		attribute port_type;
 +		type port_t, unreserved_port_t;
 +		attribute defined_port_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 port_t:udp_socket name_bind;
+-	dontaudit $1 { port_type -port_t }:udp_socket name_bind;
 +	allow $1 { port_t unreserved_port_t }:udp_socket name_bind;
 +	dontaudit $1 defined_port_type:udp_socket name_bind;
 +')
@@ -13701,22 +72940,21 @@ index 4f3b542..f4e36ee 100644
 +interface(`corenet_dccp_connect_generic_port',`
 +	gen_require(`
 +		type port_t, unreserved_port_t;
- 	')
- 
--	allow $1 port_t:udp_socket name_bind;
--	dontaudit $1 { port_type -port_t }:udp_socket name_bind;
++	')
++
 +	allow $1 { port_t unreserved_port_t }:dccp_socket name_connect;
  ')
  
  ########################################
-@@ -1312,10 +1479,28 @@ interface(`corenet_udp_bind_generic_port',`
+@@ -1312,10 +1481,28 @@ interface(`corenet_udp_bind_generic_port',`
  #
  interface(`corenet_tcp_connect_generic_port',`
  	gen_require(`
 -		type port_t;
 +		type port_t, unreserved_port_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 port_t:tcp_socket name_connect;
 +	allow $1 { port_t unreserved_port_t }:tcp_socket name_connect;
 +')
 +
@@ -13733,14 +72971,13 @@ index 4f3b542..f4e36ee 100644
 +interface(`corenet_dccp_sendrecv_all_ports',`
 +	gen_require(`
 +		attribute port_type;
- 	')
- 
--	allow $1 port_t:tcp_socket name_connect;
++	')
++
 +	allow $1 port_type:dccp_socket { send_msg recv_msg };
  ')
  
  ########################################
-@@ -1439,6 +1624,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
+@@ -1439,6 +1626,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
  
  ########################################
  ## <summary>
@@ -13766,7 +73003,7 @@ index 4f3b542..f4e36ee 100644
  ##	Bind TCP sockets to all ports.
  ## </summary>
  ## <param name="domain">
-@@ -1458,6 +1662,24 @@ interface(`corenet_tcp_bind_all_ports',`
+@@ -1458,6 +1664,24 @@ interface(`corenet_tcp_bind_all_ports',`
  
  ########################################
  ## <summary>
@@ -13791,7 +73028,7 @@ index 4f3b542..f4e36ee 100644
  ##	Do not audit attepts to bind TCP sockets to any ports.
  ## </summary>
  ## <param name="domain">
-@@ -1513,6 +1735,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
+@@ -1513,6 +1737,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
  
  ########################################
  ## <summary>
@@ -13816,7 +73053,7 @@ index 4f3b542..f4e36ee 100644
  ##	Connect TCP sockets to all ports.
  ## </summary>
  ## <desc>
-@@ -1559,6 +1799,25 @@ interface(`corenet_tcp_connect_all_ports',`
+@@ -1559,6 +1801,25 @@ interface(`corenet_tcp_connect_all_ports',`
  
  ########################################
  ## <summary>
@@ -13842,7 +73079,7 @@ index 4f3b542..f4e36ee 100644
  ##	Do not audit attempts to connect TCP sockets
  ##	to all ports.
  ## </summary>
-@@ -1578,6 +1837,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
+@@ -1578,6 +1839,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
  
  ########################################
  ## <summary>
@@ -13867,142 +73104,96 @@ index 4f3b542..f4e36ee 100644
  ##	Send and receive TCP network traffic on generic reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1647,7 +1924,7 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+@@ -1647,6 +1926,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
  
  ########################################
  ## <summary>
--##	Bind TCP sockets to generic reserved ports.
 +##	Bind DCCP sockets to generic reserved ports.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1655,18 +1932,18 @@ interface(`corenet_udp_sendrecv_reserved_port',`
- ##	</summary>
- ## </param>
- #
--interface(`corenet_tcp_bind_reserved_port',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`corenet_dccp_bind_reserved_port',`
- 	gen_require(`
- 		type reserved_port_t;
- 	')
- 
--	allow $1 reserved_port_t:tcp_socket name_bind;
++	gen_require(`
++		type reserved_port_t;
++	')
++
 +	allow $1 reserved_port_t:dccp_socket name_bind;
- 	allow $1 self:capability net_bind_service;
- ')
- 
- ########################################
- ## <summary>
--##	Bind UDP sockets to generic reserved ports.
-+##	Bind TCP sockets to generic reserved ports.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1674,18 +1951,18 @@ interface(`corenet_tcp_bind_reserved_port',`
- ##	</summary>
- ## </param>
- #
--interface(`corenet_udp_bind_reserved_port',`
-+interface(`corenet_tcp_bind_reserved_port',`
- 	gen_require(`
- 		type reserved_port_t;
- 	')
- 
--	allow $1 reserved_port_t:udp_socket name_bind;
-+	allow $1 reserved_port_t:tcp_socket name_bind;
- 	allow $1 self:capability net_bind_service;
- ')
- 
- ########################################
- ## <summary>
--##	Connect TCP sockets to generic reserved ports.
-+##	Bind UDP sockets to generic reserved ports.
++	allow $1 self:capability net_bind_service;
++')
++
++########################################
++## <summary>
+ ##	Bind TCP sockets to generic reserved ports.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -1693,17 +1970,18 @@ interface(`corenet_udp_bind_reserved_port',`
- ##	</summary>
- ## </param>
- #
--interface(`corenet_tcp_connect_reserved_port',`
-+interface(`corenet_udp_bind_reserved_port',`
- 	gen_require(`
- 		type reserved_port_t;
- 	')
- 
--	allow $1 reserved_port_t:tcp_socket name_connect;
-+	allow $1 reserved_port_t:udp_socket name_bind;
-+	allow $1 self:capability net_bind_service;
- ')
+@@ -1685,6 +1983,24 @@ interface(`corenet_udp_bind_reserved_port',`
  
  ########################################
  ## <summary>
--##	Send and receive TCP network traffic on all reserved ports.
 +##	Connect DCCP sockets to generic reserved ports.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1711,17 +1989,17 @@ interface(`corenet_tcp_connect_reserved_port',`
- ##	</summary>
- ## </param>
- #
--interface(`corenet_tcp_sendrecv_all_reserved_ports',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`corenet_dccp_connect_reserved_port',`
- 	gen_require(`
--		attribute reserved_port_type;
++	gen_require(`
 +		type reserved_port_t;
- 	')
- 
--	allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
++	')
++
 +	allow $1 reserved_port_t:dccp_socket name_connect;
- ')
- 
- ########################################
- ## <summary>
--##	Send UDP network traffic on all reserved ports.
-+##	Connect TCP sockets to generic reserved ports.
++')
++
++########################################
++## <summary>
+ ##	Connect TCP sockets to generic reserved ports.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -1729,17 +2007,17 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',`
- ##	</summary>
- ## </param>
- #
--interface(`corenet_udp_send_all_reserved_ports',`
-+interface(`corenet_tcp_connect_reserved_port',`
- 	gen_require(`
--		attribute reserved_port_type;
-+		type reserved_port_t;
- 	')
- 
--	allow $1 reserved_port_type:udp_socket send_msg;
-+	allow $1 reserved_port_t:tcp_socket name_connect;
- ')
+@@ -1703,6 +2019,24 @@ interface(`corenet_tcp_connect_reserved_port',`
  
  ########################################
  ## <summary>
--##	Receive UDP network traffic on all reserved ports.
 +##	Send and receive DCCP network traffic on all reserved ports.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_dccp_sendrecv_all_reserved_ports',`
++	gen_require(`
++		attribute reserved_port_type;
++	')
++
++	allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
++')
++
++########################################
++## <summary>
+ ##	Send and receive TCP network traffic on all reserved ports.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -1747,12 +2025,66 @@ interface(`corenet_udp_send_all_reserved_ports',`
- ##	</summary>
- ## </param>
+@@ -1749,15 +2083,213 @@ interface(`corenet_udp_send_all_reserved_ports',`
  #
--interface(`corenet_udp_receive_all_reserved_ports',`
-+interface(`corenet_dccp_sendrecv_all_reserved_ports',`
+ interface(`corenet_udp_receive_all_reserved_ports',`
  	gen_require(`
- 		attribute reserved_port_type;
- 	')
- 
--	allow $1 reserved_port_type:udp_socket recv_msg;
-+	allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
+-		attribute reserved_port_type;
++		attribute reserved_port_type;
++	')
++
++	allow $1 reserved_port_type:udp_socket recv_msg;
 +')
 +
 +########################################
 +## <summary>
-+##	Send and receive TCP network traffic on all reserved ports.
++##	Send and receive UDP network traffic on all reserved ports.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -14010,17 +73201,88 @@ index 4f3b542..f4e36ee 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`corenet_tcp_sendrecv_all_reserved_ports',`
++interface(`corenet_udp_sendrecv_all_reserved_ports',`
++	corenet_udp_send_all_reserved_ports($1)
++	corenet_udp_receive_all_reserved_ports($1)
++')
++
++########################################
++## <summary>
++##	Bind DCCP sockets to all reserved ports.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_dccp_bind_all_reserved_ports',`
++	gen_require(`
++		attribute reserved_port_type;
++	')
++
++	allow $1 reserved_port_type:dccp_socket name_bind;
++	allow $1 self:capability net_bind_service;
++')
++
++########################################
++## <summary>
++##	Bind TCP sockets to all reserved ports.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_tcp_bind_all_reserved_ports',`
++	gen_require(`
++		attribute reserved_port_type;
++	')
++
++	allow $1 reserved_port_type:tcp_socket name_bind;
++	allow $1 self:capability net_bind_service;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to bind DCCP sockets to all reserved ports.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',`
++	gen_require(`
++		attribute reserved_port_type;
++	')
++
++	dontaudit $1 reserved_port_type:dccp_socket name_bind;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to bind TCP sockets to all reserved ports.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
 +	gen_require(`
 +		attribute reserved_port_type;
 +	')
 +
-+	allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
++	dontaudit $1 reserved_port_type:tcp_socket name_bind;
 +')
 +
 +########################################
 +## <summary>
-+##	Send UDP network traffic on all reserved ports.
++##	Bind UDP sockets to all reserved ports.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -14028,38 +73290,36 @@ index 4f3b542..f4e36ee 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`corenet_udp_send_all_reserved_ports',`
++interface(`corenet_udp_bind_all_reserved_ports',`
 +	gen_require(`
 +		attribute reserved_port_type;
 +	')
 +
-+	allow $1 reserved_port_type:udp_socket send_msg;
++	allow $1 reserved_port_type:udp_socket name_bind;
++	allow $1 self:capability net_bind_service;
 +')
 +
 +########################################
 +## <summary>
-+##	Receive UDP network traffic on all reserved ports.
++##	Do not audit attempts to bind UDP sockets to all reserved ports.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`corenet_udp_receive_all_reserved_ports',`
++interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 +	gen_require(`
 +		attribute reserved_port_type;
 +	')
 +
-+	allow $1 reserved_port_type:udp_socket recv_msg;
- ')
- 
- ########################################
-@@ -1772,6 +2104,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
- 
- ########################################
- ## <summary>
-+##	Bind DCCP sockets to all reserved ports.
++	dontaudit $1 reserved_port_type:udp_socket name_bind;
++')
++
++########################################
++## <summary>
++##	Bind DCCP sockets to all ports > 1024.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
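Review bot: The summary "Bind DCCP sockets to all ports > 1024." added here, and the TCP and UDP copies in the next hunk, look off by one against the attribute they document. The corenetwork.te.in part of this patch describes reserved_port_t as port numbers below 1024, so port 1024 itself would presumably fall under unreserved_port_type; the portcon ranges are not visible here, so this should be confirmed. If so, `##	Bind DCCP sockets to all unreserved ports (>= 1024).` states what the interface actually grants. The interface this comment belongs to continues in the following hunk.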
@@ -14067,50 +73327,35 @@ index 4f3b542..f4e36ee 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`corenet_dccp_bind_all_reserved_ports',`
++interface(`corenet_dccp_bind_all_unreserved_ports',`
 +	gen_require(`
-+		attribute reserved_port_type;
++		attribute unreserved_port_type;
 +	')
 +
-+	allow $1 reserved_port_type:dccp_socket name_bind;
-+	allow $1 self:capability net_bind_service;
++	allow $1 unreserved_port_type:dccp_socket name_bind;
 +')
 +
 +########################################
 +## <summary>
- ##	Bind TCP sockets to all reserved ports.
- ## </summary>
- ## <param name="domain">
-@@ -1791,6 +2142,24 @@ interface(`corenet_tcp_bind_all_reserved_ports',`
- 
- ########################################
- ## <summary>
-+##	Do not audit attempts to bind DCCP sockets to all reserved ports.
++##	Bind TCP sockets to all ports > 1024.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',`
++interface(`corenet_tcp_bind_all_unreserved_ports',`
 +	gen_require(`
-+		attribute reserved_port_type;
++		attribute unreserved_port_type;
 +	')
 +
-+	dontaudit $1 reserved_port_type:dccp_socket name_bind;
++	allow $1 unreserved_port_type:tcp_socket name_bind;
 +')
 +
 +########################################
 +## <summary>
- ##	Do not audit attempts to bind TCP sockets to all reserved ports.
- ## </summary>
- ## <param name="domain">
-@@ -1846,6 +2215,24 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
- 
- ########################################
- ## <summary>
-+##	Bind DCCP sockets to all ports > 1024.
++##	Bind UDP sockets to all ports > 1024.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -14118,40 +73363,11 @@ index 4f3b542..f4e36ee 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`corenet_dccp_bind_all_unreserved_ports',`
++interface(`corenet_udp_bind_all_unreserved_ports',`
 +	gen_require(`
 +		attribute unreserved_port_type;
 +	')
 +
-+	allow $1 unreserved_port_type:dccp_socket name_bind;
-+')
-+
-+########################################
-+## <summary>
- ##	Bind TCP sockets to all ports > 1024.
- ## </summary>
- ## <param name="domain">
-@@ -1856,10 +2243,10 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
- #
- interface(`corenet_tcp_bind_all_unreserved_ports',`
- 	gen_require(`
--		attribute port_type, reserved_port_type;
-+		attribute unreserved_port_type;
- 	')
- 
--	allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
-+	allow $1 unreserved_port_type:tcp_socket name_bind;
- ')
- 
- ########################################
-@@ -1874,10 +2261,64 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
- #
- interface(`corenet_udp_bind_all_unreserved_ports',`
- 	gen_require(`
--		attribute port_type, reserved_port_type;
-+		attribute unreserved_port_type;
-+	')
-+
 +	allow $1 unreserved_port_type:udp_socket name_bind;
 +')
 +
@@ -14168,66 +73384,98 @@ index 4f3b542..f4e36ee 100644
 +interface(`corenet_tcp_bind_all_ephemeral_ports',`
 +	gen_require(`
 +		attribute ephemeral_port_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 reserved_port_type:udp_socket recv_msg;
 +	allow $1 ephemeral_port_type:tcp_socket name_bind;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Send and receive UDP network traffic on all reserved ports.
 +##	Bind UDP sockets to all ports > 32768.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1765,14 +2297,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_udp_sendrecv_all_reserved_ports',`
+-	corenet_udp_send_all_reserved_ports($1)
+-	corenet_udp_receive_all_reserved_ports($1)
 +interface(`corenet_udp_bind_all_ephemeral_ports',`
 +	gen_require(`
 +		attribute ephemeral_port_type;
 +	')
 +
 +	allow $1 ephemeral_port_type:udp_socket name_bind;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Bind TCP sockets to all reserved ports.
 +##	Connect DCCP sockets to reserved ports.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1780,36 +2315,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_tcp_bind_all_reserved_ports',`
 +interface(`corenet_dccp_connect_all_reserved_ports',`
-+	gen_require(`
-+		attribute reserved_port_type;
+ 	gen_require(`
+ 		attribute reserved_port_type;
  	')
  
--	allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+-	allow $1 reserved_port_type:tcp_socket name_bind;
+-	allow $1 self:capability net_bind_service;
 +	allow $1 reserved_port_type:dccp_socket name_connect;
  ')
  
  ########################################
-@@ -1900,6 +2341,42 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
+ ## <summary>
+-##	Do not audit attempts to bind TCP sockets to all reserved ports.
++##	Connect TCP sockets to reserved ports.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_reserved_ports',`
+ 	gen_require(`
+ 		attribute reserved_port_type;
+ 	')
+ 
+-	dontaudit $1 reserved_port_type:tcp_socket name_bind;
++	allow $1 reserved_port_type:tcp_socket name_connect;
+ ')
  
  ########################################
  ## <summary>
+-##	Bind UDP sockets to all reserved ports.
 +##	Connect DCCP sockets to all ports > 1024.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1817,36 +2351,53 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_udp_bind_all_reserved_ports',`
 +interface(`corenet_dccp_connect_all_unreserved_ports',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute reserved_port_type;
 +		attribute unreserved_port_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 reserved_port_type:udp_socket name_bind;
+-	allow $1 self:capability net_bind_service;
 +	allow $1 unreserved_port_type:dccp_socket name_connect;
 +')
 +
@@ -14247,115 +73495,171 @@ index 4f3b542..f4e36ee 100644
 +    ')
 +
 +    allow $1 unreserved_port_t:tcp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
- ##	Connect TCP sockets to all ports > 1024.
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to bind UDP sockets to all reserved ports.
++##	Connect TCP sockets to all ports > 1024.
  ## </summary>
  ## <param name="domain">
-@@ -1910,10 +2387,47 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
  #
- interface(`corenet_tcp_connect_all_unreserved_ports',`
+-interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_unreserved_ports',`
  	gen_require(`
--		attribute port_type, reserved_port_type;
+-		attribute reserved_port_type;
 +		attribute unreserved_port_type;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 reserved_port_type:udp_socket name_bind;
 +	allow $1 unreserved_port_type:tcp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Bind TCP sockets to all ports > 1024.
 +##	Connect TCP sockets to all ports > 32768.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1854,53 +2405,55 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_tcp_bind_all_unreserved_ports',`
 +interface(`corenet_tcp_connect_all_ephemeral_ports',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute port_type, reserved_port_type;
 +		attribute ephemeral_port_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
 +	allow $1 ephemeral_port_type:tcp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Bind UDP sockets to all ports > 1024.
 +##	Do not audit attempts to connect DCCP sockets
 +##	all reserved ports.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_udp_bind_all_unreserved_ports',`
 +interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute port_type, reserved_port_type;
 +		attribute reserved_port_type;
  	')
  
--	allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
+-	allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
 +	dontaudit $1 reserved_port_type:dccp_socket name_connect;
  ')
  
  ########################################
-@@ -1937,6 +2451,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+ ## <summary>
+-##	Connect TCP sockets to reserved ports.
++##	Do not audit attempts to connect TCP sockets
++##	all reserved ports.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_tcp_connect_all_reserved_ports',`
++interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+ 	gen_require(`
+ 		attribute reserved_port_type;
+ 	')
+ 
+-	allow $1 reserved_port_type:tcp_socket name_connect;
++	dontaudit $1 reserved_port_type:tcp_socket name_connect;
+ ')
  
  ########################################
  ## <summary>
+-##	Connect TCP sockets to all ports > 1024.
 +##	Connect DCCP sockets to rpc ports.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1908,49 +2461,49 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_tcp_connect_all_unreserved_ports',`
 +interface(`corenet_dccp_connect_all_rpc_ports',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute port_type, reserved_port_type;
 +		attribute rpc_port_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
 +	allow $1 rpc_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
- ##	Connect TCP sockets to rpc ports.
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to connect TCP sockets
+-##	all reserved ports.
++##	Connect TCP sockets to rpc ports.
  ## </summary>
  ## <param name="domain">
-@@ -1955,6 +2487,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
++interface(`corenet_tcp_connect_all_rpc_ports',`
+ 	gen_require(`
+-		attribute reserved_port_type;
++		attribute rpc_port_type;
+ 	')
+ 
+-	dontaudit $1 reserved_port_type:tcp_socket name_connect;
++	allow $1 rpc_port_type:tcp_socket name_connect;
+ ')
  
  ########################################
  ## <summary>
+-##	Connect TCP sockets to rpc ports.
 +##	Do not audit attempts to connect DCCP sockets
 +##	all rpc ports.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_tcp_connect_all_rpc_ports',`
 +interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',`
-+	gen_require(`
-+		attribute rpc_port_type;
-+	')
-+
+ 	gen_require(`
+ 		attribute rpc_port_type;
+ 	')
+ 
+-	allow $1 rpc_port_type:tcp_socket name_connect;
 +	dontaudit $1 rpc_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to connect TCP sockets
- ##	all rpc ports.
- ## </summary>
-@@ -1993,6 +2544,24 @@ interface(`corenet_rw_tun_tap_dev',`
+ ')
+ 
+ ########################################
+@@ -1993,6 +2546,24 @@ interface(`corenet_rw_tun_tap_dev',`
  
  ########################################
  ## <summary>
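Review bot: The summaries added for `corenet_dontaudit_dccp_connect_all_reserved_ports` and `corenet_dontaudit_dccp_connect_all_rpc_ports` drop the word "to" ("connect DCCP sockets all reserved ports", "all rpc ports"). The TCP counterparts moved in this hunk carry the same wording. `##	Do not audit attempts to connect DCCP sockets to all reserved ports.` (and the matching rpc line) reads correctly and fits on one summary line.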
@@ -14380,7 +73684,7 @@ index 4f3b542..f4e36ee 100644
  ##	Do not audit attempts to read or write the TUN/TAP
  ##	virtual network device.
  ## </summary>
-@@ -2049,6 +2618,25 @@ interface(`corenet_rw_ppp_dev',`
+@@ -2049,6 +2620,25 @@ interface(`corenet_rw_ppp_dev',`
  
  ########################################
  ## <summary>
@@ -14406,7 +73710,7 @@ index 4f3b542..f4e36ee 100644
  ##	Bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2068,6 +2656,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+@@ -2068,6 +2658,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
  
  ########################################
  ## <summary>
@@ -14431,7 +73735,7 @@ index 4f3b542..f4e36ee 100644
  ##	Do not audit attempts to bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2194,6 +2800,25 @@ interface(`corenet_tcp_recv_netlabel',`
+@@ -2194,6 +2802,25 @@ interface(`corenet_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -14457,7 +73761,7 @@ index 4f3b542..f4e36ee 100644
  ##	Receive TCP packets from a NetLabel connection.
  ## </summary>
  ## <param name="domain">
-@@ -2213,6 +2838,31 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2213,6 +2840,31 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -14489,7 +73793,7 @@ index 4f3b542..f4e36ee 100644
  ##	Receive TCP packets from an unlabled connection.
  ## </summary>
  ## <param name="domain">
-@@ -2222,9 +2872,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2222,9 +2874,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  ## </param>
  #
  interface(`corenet_tcp_recvfrom_unlabeled',`
@@ -14504,7 +73808,7 @@ index 4f3b542..f4e36ee 100644
  	# XXX - at some point the oubound/send access check will be removed
  	# but for right now we need to keep this in place so as not to break
  	# older systems
-@@ -2249,6 +2904,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+@@ -2249,6 +2906,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -14531,7 +73835,7 @@ index 4f3b542..f4e36ee 100644
  ##	Do not audit attempts to receive TCP packets from a NetLabel
  ##	connection.
  ## </summary>
-@@ -2269,6 +2944,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+@@ -2269,6 +2946,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -14559,7 +73863,7 @@ index 4f3b542..f4e36ee 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2533,6 +3229,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+@@ -2533,6 +3231,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
  ## <infoflow type="read" weight="10"/>
  #
  interface(`corenet_all_recvfrom_unlabeled',`
@@ -14567,7 +73871,7 @@ index 4f3b542..f4e36ee 100644
  	kernel_tcp_recvfrom_unlabeled($1)
  	kernel_udp_recvfrom_unlabeled($1)
  	kernel_raw_recvfrom_unlabeled($1)
-@@ -2571,7 +3268,31 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2571,7 +3270,31 @@ interface(`corenet_all_recvfrom_netlabel',`
  	')
  
  	allow $1 netlabel_peer_t:peer recv;
@@ -14600,7 +73904,7 @@ index 4f3b542..f4e36ee 100644
  ')
  
  ########################################
-@@ -2585,6 +3306,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2585,6 +3308,7 @@ interface(`corenet_all_recvfrom_netlabel',`
  ## </param>
  #
  interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
@@ -14608,7 +73912,7 @@ index 4f3b542..f4e36ee 100644
  	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
  	kernel_dontaudit_udp_recvfrom_unlabeled($1)
  	kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3335,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+@@ -2613,7 +3337,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
  	')
  
  	dontaudit $1 netlabel_peer_t:peer recv;
@@ -14645,7 +73949,7 @@ index 4f3b542..f4e36ee 100644
  ')
  
  ########################################
-@@ -2727,6 +3477,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+@@ -2727,6 +3479,7 @@ interface(`corenet_raw_recvfrom_labeled',`
  ## </param>
  #
  interface(`corenet_all_recvfrom_labeled',`
@@ -14653,8 +73957,93 @@ index 4f3b542..f4e36ee 100644
  	corenet_tcp_recvfrom_labeled($1, $2)
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
+@@ -3134,3 +3887,53 @@ interface(`corenet_unconfined',`
+ 
+ 	typeattribute $1 corenet_unconfined_type;
+ ')
++
++########################################
++## <summary>
++##	Create all network named devices with the correct label
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_filetrans_all_named_dev',`
++
++	gen_require(`
++		type tun_tap_device_t;
++		type ppp_device_t;
++	')
++
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap0")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap1")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap2")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap3")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap4")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap5")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap6")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap7")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap8")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap9")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap10")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap11")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap12")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap13")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap14")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap15")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap16")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap17")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap18")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap19")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap20")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap21")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap22")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap23")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap24")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap25")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap26")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap27")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap28")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap29")
++	dev_filetrans($1, ppp_device_t, chr_file, "ppp")
++')
+diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
+index 8e0f9cd..da3b374 100644
+--- a/policy/modules/kernel/corenetwork.if.m4
++++ b/policy/modules/kernel/corenetwork.if.m4
+@@ -631,6 +631,26 @@ interface(`corenet_udp_bind_$1_port',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to sbind to $1 port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_dontaudit_udp_bind_$1_port',`
++	gen_require(`
++		$3 $1_$2;
++	')
++
++	dontaudit dollarsone $1_$2:udp_socket name_bind;
++	$4
++')
++
++########################################
++## <summary>
+ ##	Make a TCP connection to the $1 port.
+ ## </summary>
+ ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..63b5c4a 100644
+index 99b71cb..c4af8e2 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -14718,7 +74107,7 @@ index 99b71cb..63b5c4a 100644
  # reserved_port_t is the type of INET port numbers below 1024.
  #
  type reserved_port_t, port_type, reserved_port_type;
-@@ -65,30 +93,37 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+@@ -65,30 +93,39 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
  type server_packet_t, packet_type, server_packet_type;
  
  network_port(afs_bos, udp,7007,s0)
@@ -14751,19 +74140,22 @@ index 99b71cb..63b5c4a 100644
  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
 +network_port(cma, tcp,1050,s0, udp,1050,s0)
  network_port(cobbler, tcp,25151,s0)
-+network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0)
++network_port(commplex, tcp,5001,s0, udp,5001,s0)
  network_port(comsat, udp,512,s0)
++network_port(condor, tcp, 9618,s0, udp, 9618,s0)
++network_port(couchdb, tcp,5984,s0, udp,5984,s0)
 +network_port(ctdb, tcp,4379,s0, udp,4379,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -99,14 +134,22 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -99,27 +136,39 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
 +network_port(dogtag, tcp,7390,s0)
  network_port(dns, udp,53,s0, tcp,53,s0)
 +network_port(dnssec, tcp,8955,s0)
++network_port(echo, tcp,7,s0, udp,7,s0)
  network_port(epmap, tcp,135,s0, udp,135,s0)
 +network_port(epmd, tcp,4369,s0, udp,4369,s0)
 +network_port(festival, tcp,1314,s0)
@@ -14776,26 +74168,30 @@ index 99b71cb..63b5c4a 100644
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
  network_port(giftd, tcp,1213,s0)
  network_port(git, tcp,9418,s0, udp,9418,s0)
++network_port(glance, tcp,9292,s0, udp,9292,s0)
 +network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -115,11 +158,13 @@ network_port(hddtemp, tcp,7634,s0)
+ network_port(hadoop_namenode, tcp,8020,s0)
+ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
- network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+-network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
++network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
 -network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
 +network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
- network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
++network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
  network_port(innd, tcp,119,s0)
 +network_port(interwise, tcp,7778,s0, udp,7778,s0)
 +network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
  network_port(ipmi, udp,623,s0, udp,664,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +174,27 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +178,31 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
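Review bot: Trimming tcp/udp 7 and 37 from the `inetd_child` line, and tcp 9292 from `hplip`, relabels those ports to the new echo, time and glance port types. Any domain that reached them only through the inetd_child or hplip port interfaces would lose name_bind/name_connect access unless it is also granted the new types; whether those callers were updated is not visible in this hunk. A trailing comment in the style already used on the http line, e.g. `# 7 and 37 moved to echo_port_t and time_port_t`, and the equivalent for 9292 on the hplip line, would make the reassignment easy to audit.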
@@ -14803,11 +74199,14 @@ index 99b71cb..63b5c4a 100644
 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 +network_port(jabber_router, tcp,5347,s0)
++network_port(jacorb, tcp,3528,s0, tcp,3529,s0)
 +network_port(jboss_debug, tcp,8787,s0)
-+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0)
++network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0)
++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,4447,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0)
 +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
 +network_port(kerberos_admin, tcp,749,s0)
 +network_port(kerberos_password, tcp,464,s0, udp,464,s0)
++network_port(keystone, tcp,5000,s0, udp,5000,s0)
  network_port(kismet, tcp,2501,s0)
  network_port(kprop, tcp,754,s0)
  network_port(ktalkd, udp,517,s0, udp,518,s0)
@@ -14816,6 +74215,7 @@ index 99b71cb..63b5c4a 100644
 +network_port(luci, tcp,8084,s0)
  network_port(lmtp, tcp,24,s0, udp,24,s0)
  type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
++network_port(l2tp, tcp,1701,s0, udp,1701,s0)
  network_port(mail, tcp,2000,s0, tcp,3905,s0)
 +network_port(matahari, tcp,49000,s0, udp,49000,s0)
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
@@ -14826,18 +74226,20 @@ index 99b71cb..63b5c4a 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +204,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,61 +212,82 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
 +network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
  network_port(nmbd, udp,137,s0, udp,138,s0)
++network_port(nodejs_debug, tcp,5858,s0, udp,5858,s0)
  network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
  network_port(ntp, udp,123,s0)
 -network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
 +network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
  network_port(ocsp, tcp,9080,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
++network_port(openhpid, tcp,4743,s0, udp,4743,s0)
 +network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
@@ -14859,10 +74261,18 @@ index 99b71cb..63b5c4a 100644
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
-@@ -179,34 +241,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+ network_port(ptal, tcp,5703,s0)
+-network_port(pulseaudio, tcp,4713,s0)
++network_port(pulseaudio, tcp,4713,s0, udp,4713,s0)
+ network_port(puppet, tcp, 8140, s0)
+ network_port(pxe, udp,4011,s0)
+ network_port(pyzor, udp,24441,s0)
++network_port(quantum, tcp,9696,s0)
+ network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
++network_port(time, tcp,37,s0, udp,37,s0)
 +network_port(repository, tcp, 6363, s0)
  network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
@@ -14893,6 +74303,7 @@ index 99b71cb..63b5c4a 100644
  network_port(ssh, tcp,22,s0)
 +network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
++network_port(svn, tcp,3690,s0, udp,3690,s0)
  network_port(swat, tcp,901,s0)
 -network_port(syslogd, udp,514,s0)
 +network_port(sype, tcp,9911,s0, udp,9911,s0)
@@ -14906,12 +74317,12 @@ index 99b71cb..63b5c4a 100644
  network_port(traceroute, udp,64000-64010,s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -215,9 +283,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +296,12 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
 -network_port(vnc, tcp,5900,s0)
-+network_port(vnc, tcp,5900-5999,s0)
++network_port(vnc, tcp,5900-5983,s0, tcp,5985-5999,s0)
  network_port(wccp, udp,2048,s0)
 +network_port(websm, tcp,9090,s0, udp,9090,s0)
  network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
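Review bot: The vnc declaration is split into `tcp,5900-5983` and `tcp,5985-5999` with nothing explaining the gap. The missing port is tcp 5984, which this patch assigns to couchdb in an earlier hunk of the same file. A trailing comment like the one on the http line, e.g. `# 5984 is left out for couchdb`, would keep a later cleanup from merging the two ranges and overlapping the couchdb declaration.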
@@ -14920,7 +74331,7 @@ index 99b71cb..63b5c4a 100644
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -229,6 +300,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +313,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -14928,7 +74339,7 @@ index 99b71cb..63b5c4a 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +310,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +323,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -14941,7 +74352,7 @@ index 99b71cb..63b5c4a 100644
  
  ########################################
  #
-@@ -282,9 +360,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +373,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -15005,7 +74416,7 @@ index 35fed4f..51ad69a 100644
  
  #
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..2354089 100644
+index 6cf8784..21a5923 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -15,12 +15,14 @@
@@ -15050,7 +74461,7 @@ index 6cf8784..2354089 100644
  /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
  
-@@ -187,8 +193,6 @@ ifdef(`distro_suse', `
+@@ -187,12 +193,22 @@ ifdef(`distro_suse', `
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -15059,9 +74470,10 @@ index 6cf8784..2354089 100644
  ifdef(`distro_redhat',`
  # originally from named.fc
  /var/named/chroot/dev	-d	gen_context(system_u:object_r:device_t,s0)
-@@ -196,3 +200,14 @@ ifdef(`distro_redhat',`
+ /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
  /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
++/var/spool/postfix/dev    -d    gen_context(system_u:object_r:device_t,s0)
  ')
 +
 +#
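Review bot: The added `/var/spool/postfix/dev` entry sits under the `# originally from named.fc` comment inside the `distro_redhat` block, but that comment only describes the named chroot lines. A separate comment above it, e.g. `# device directory under the postfix spool (presumably its chroot)`, would keep the provenance note accurate. Unlike the named chroot entries, only the directory is labeled here. If device nodes are expected under it, they would need their own entries, which cannot be determined from this hunk.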
@@ -15075,7 +74487,7 @@ index 6cf8784..2354089 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..790494f 100644
+index f820f3b..36ef4e2 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -15517,32 +74929,51 @@ index f820f3b..790494f 100644
  ')
  
  ########################################
-@@ -3210,24 +3466,6 @@ interface(`dev_rw_printer',`
+@@ -3210,7 +3466,7 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
 -##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Relabel the printer device node.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3218,12 +3474,31 @@ interface(`dev_rw_printer',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`dev_read_printk',`
--	gen_require(`
++interface(`dev_relabel_printer',`
+ 	gen_require(`
 -		type device_t, printk_device_t;
--	')
--
++		type printer_device_t;
+ 	')
+ 
 -	read_chr_files_pattern($1, device_t, printk_device_t)
--')
--
--########################################
--## <summary>
- ##	Get the attributes of the QEMU
- ##	microcode and id interfaces.
- ## </summary>
-@@ -3811,6 +4049,42 @@ interface(`dev_getattr_sysfs_dirs',`
++	allow $1 printer_device_t:chr_file relabel_chr_file_perms;
++')
++
++########################################
++## <summary>
++##	Read and write the printer device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_manage_printer',`
++	gen_require(`
++		type device_t, printer_device_t;
++	')
++
++	manage_chr_files_pattern($1, device_t, printer_device_t)
++	dev_filetrans_printer_named_dev($1)
+ ')
+ 
+ ########################################
+@@ -3811,6 +4086,42 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
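Review bot: The summary of the added `dev_manage_printer` says "Read and write the printer device.", but the body calls `manage_chr_files_pattern` and `dev_filetrans_printer_named_dev`, so callers receive more than read/write access. Policy authors pick interfaces by their summary, so an understated one works against least privilege. I would change it to `##	Create, read, write, and delete the printer device,` followed by `##	and create it in /dev with the printer device type.`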
@@ -15585,7 +75016,7 @@ index f820f3b..790494f 100644
  ##	Search the sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3860,6 +4134,7 @@ interface(`dev_list_sysfs',`
+@@ -3860,6 +4171,7 @@ interface(`dev_list_sysfs',`
  		type sysfs_t;
  	')
  
@@ -15593,7 +75024,7 @@ index f820f3b..790494f 100644
  	list_dirs_pattern($1, sysfs_t, sysfs_t)
  ')
  
-@@ -3902,23 +4177,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3902,23 +4214,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -15614,7 +75045,7 @@ index f820f3b..790494f 100644
  #
 -interface(`dev_manage_sysfs_dirs',`
 +interface(`dev_read_cpu_online',`
-+	gen_require(`
+ 	gen_require(`
 +		type cpu_online_t;
 +	')
 +
@@ -15633,7 +75064,7 @@ index f820f3b..790494f 100644
 +## </param>
 +#
 +interface(`dev_relabel_cpu_online',`
- 	gen_require(`
++	gen_require(`
 +		type cpu_online_t;
  		type sysfs_t;
  	')
@@ -15647,7 +75078,7 @@ index f820f3b..790494f 100644
  ########################################
  ## <summary>
  ##	Read hardware state information.
-@@ -3972,6 +4273,62 @@ interface(`dev_rw_sysfs',`
+@@ -3972,6 +4310,62 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -15710,7 +75141,7 @@ index f820f3b..790494f 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4069,6 +4426,25 @@ interface(`dev_write_urand',`
+@@ -4069,6 +4463,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -15736,7 +75167,7 @@ index f820f3b..790494f 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4103,6 +4479,24 @@ interface(`dev_setattr_generic_usb_dev',`
+@@ -4103,6 +4516,24 @@ interface(`dev_setattr_generic_usb_dev',`
  	setattr_chr_files_pattern($1, device_t, usb_device_t)
  ')
  
@@ -15761,7 +75192,7 @@ index f820f3b..790494f 100644
  ########################################
  ## <summary>
  ##	Read generic the USB devices.
-@@ -4495,6 +4889,24 @@ interface(`dev_rw_vhost',`
+@@ -4495,6 +4926,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -15786,7 +75217,7 @@ index f820f3b..790494f 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4695,6 +5107,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4695,6 +5144,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -15813,7 +75244,7 @@ index f820f3b..790494f 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4784,3 +5216,843 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5253,861 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -15847,6 +75278,64 @@ index f820f3b..790494f 100644
 +##	</summary>
 +## </param>
 +#
++interface(`dev_filetrans_printer_named_dev',`
++
++	gen_require(`
++		type printer_device_t;
++
++	')
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
++	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
++')
++
++########################################
++## <summary>
++##	Create all named devices with the correct label
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`dev_filetrans_all_named_dev',`
 +
 +gen_require(`
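Review bot: The added `dev_filetrans_printer_named_dev` uses `device_t` in every `filetrans_pattern` call, but its `gen_require` block declares only `printer_device_t`. Declaring both, `type device_t, printer_device_t;`, as `dev_manage_printer` does elsewhere in this patch, removes the dependency on the caller having already required `device_t`. The stray blank lines after the `interface(` line and before the closing `')` of `gen_require` can go at the same time. The doc comment for this interface begins before the hunk.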
@@ -15868,7 +75357,6 @@ index f820f3b..790494f 100644
 +	type random_device_t;
 +	type dri_device_t;
 +	type ipmi_device_t;
-+	type printer_device_t;
 +	type memory_device_t;
 +	type kmsg_device_t;
 +	type qemu_device_t;
@@ -15895,6 +75383,7 @@ index f820f3b..790494f 100644
 +	type mtrr_device_t;
 +')
 +
++	dev_filetrans_printer_named_dev($1)
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1")
 +	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2")
@@ -16132,16 +75621,6 @@ index f820f3b..790494f 100644
 +	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7")
 +	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8")
 +	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1")
@@ -16190,16 +75669,6 @@ index f820f3b..790494f 100644
 +	filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
 +	filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
 +	filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
 +	filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
@@ -16263,16 +75732,6 @@ index f820f3b..790494f 100644
 +	filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
 +	filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
 +	filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
 +	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0")
 +	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1")
@@ -16378,16 +75837,6 @@ index f820f3b..790494f 100644
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7")
 +	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
-+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
 +	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0")
 +	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1")
 +	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2")
@@ -16717,7 +76166,7 @@ index 08f01e7..d8c1d48 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..3ded83e 100644
+index 6a1e4d1..ffaa90a 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -75,34 +75,6 @@ interface(`domain_base_type',`
@@ -16773,7 +76222,32 @@ index 6a1e4d1..3ded83e 100644
  ##	</summary>
  ## </param>
  #
-@@ -1530,4 +1502,29 @@ interface(`domain_unconfined',`
+@@ -1356,6 +1328,24 @@ interface(`domain_manage_all_entry_files',`
+ 
+ ########################################
+ ## <summary>
++##	Relabel from domain types on files if a user managed to mislable
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`domain_relabelfrom',`
++	gen_require(`
++		attribute domain;
++	')
++
++	allow $1 domain:dir_file_class_set relabelfrom_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Relabel to and from all entry point
+ ##	file types.
+ ## </summary>
+@@ -1530,4 +1520,29 @@ interface(`domain_unconfined',`
  	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
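Review bot: The summary on the added `domain_relabelfrom` is misspelled and trails off ("if a user managed to mislable"), and it says "files" although the rule covers every class in `dir_file_class_set`. The rule applies to all types carrying the `domain` attribute, so the summary should state that scope precisely for anyone auditing its callers. I would write `##	Relabel from domain types on files and directories` followed by `##	that a user managed to mislabel.`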
@@ -16804,7 +76278,7 @@ index 6a1e4d1..3ded83e 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..6a2f06f 100644
+index fae1ab1..0a5271f 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -16829,9 +76303,12 @@ index fae1ab1..6a2f06f 100644
  
  ## <desc>
  ## <p>
-@@ -87,22 +102,36 @@ allow domain self:dir list_dir_perms;
+@@ -86,23 +101,39 @@ neverallow ~{ domain unlabeled_t } *:process *;
+ allow domain self:dir list_dir_perms;
  allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
  allow domain self:file rw_file_perms;
++allow domain self:fifo_file rw_fifo_file_perms;
++
  kernel_read_proc_symlinks(domain)
 +kernel_read_crypto_sysctls(domain)
 +
@@ -16844,7 +76321,7 @@ index fae1ab1..6a2f06f 100644
  
  # create child processes in the domain
 -allow domain self:process { fork sigchld };
-+allow domain self:process { fork getsched sigchld };
++allow domain self:process { getcap fork getsched sigchld };
  
  # Use trusted objects in /dev
 +dev_read_cpu_online(domain)
@@ -16867,7 +76344,7 @@ index fae1ab1..6a2f06f 100644
  
  tunable_policy(`global_ssp',`
  	# enable reading of urandom for all domains:
-@@ -113,8 +142,13 @@ tunable_policy(`global_ssp',`
+@@ -113,8 +144,13 @@ tunable_policy(`global_ssp',`
  ')
  
  optional_policy(`
@@ -16881,7 +76358,7 @@ index fae1ab1..6a2f06f 100644
  ')
  
  optional_policy(`
-@@ -125,6 +159,8 @@ optional_policy(`
+@@ -125,6 +161,8 @@ optional_policy(`
  optional_policy(`
  	xserver_dontaudit_use_xdm_fds(domain)
  	xserver_dontaudit_rw_xdm_pipes(domain)
@@ -16890,7 +76367,7 @@ index fae1ab1..6a2f06f 100644
  ')
  
  ########################################
-@@ -143,8 +179,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+@@ -143,8 +181,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
  allow unconfined_domain_type domain:fd use;
  allow unconfined_domain_type domain:fifo_file rw_file_perms;
  
@@ -16905,59 +76382,79 @@ index fae1ab1..6a2f06f 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +199,222 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +201,263 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
++corenet_filetrans_all_named_dev(unconfined_domain_type)
++
 +dev_filetrans_all_named_dev(unconfined_domain_type)
 +
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
 +
++files_filetrans_named_content(unconfined_domain_type)
++files_filetrans_system_conf_named_files(unconfined_domain_type)
++
 +storage_filetrans_all_named_dev(unconfined_domain_type)
 +
 +term_filetrans_all_named_dev(unconfined_domain_type)
 +
 +optional_policy(`
++	init_status(unconfined_domain_type)
++	init_reboot(unconfined_domain_type)
++	init_halt(unconfined_domain_type)
++	init_undefined(unconfined_domain_type)
++')
++
++optional_policy(`
 +	auth_filetrans_named_content(unconfined_domain_type)
 +	auth_filetrans_admin_home_content(unconfined_domain_type)
 +	auth_filetrans_home_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
-+	alsa_filetrans_named_content(unconfined_domain_type)
++	libs_filetrans_named_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
-+	apache_filetrans_home_content(unconfined_domain_type)
++	logging_filetrans_named_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
-+	bootloader_filetrans_config(unconfined_domain_type)
++	miscfiles_filetrans_named_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
-+	gnome_filetrans_admin_home_content(unconfined_domain_type)
++	alsa_filetrans_named_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
-+	devicekit_filetrans_named_content(unconfined_domain_type)
++	apache_filetrans_named_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
-+	dnsmasq_filetrans_named_content(unconfined_domain_type)
++	bootloader_filetrans_config(unconfined_domain_type)
 +')
 +
 +optional_policy(`
-+	kerberos_filetrans_named_content(unconfined_domain_type)
++	cups_filetrans_named_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
-+	libs_filetrans_named_content(unconfined_domain_type)
++	gnome_filetrans_admin_home_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
-+	miscfiles_filetrans_named_content(unconfined_domain_type)
++	devicekit_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	dnsmasq_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	kerberos_filetrans_named_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
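Review bot: The apache block now calls `apache_filetrans_named_content` in place of `apache_filetrans_home_content`, whereas the virt block later in this patch keeps `virt_filetrans_home_content` and adds `virt_filetrans_named_content` beside it. The definition of `apache_filetrans_named_content` is not in this hunk. If it does not itself include the home-content transitions, content that unconfined domains create in user home directories would no longer get the apache-specific type at creation. Either confirm that it does, or keep `apache_filetrans_home_content(unconfined_domain_type)` on the line after the new call.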
@@ -16973,6 +76470,10 @@ index fae1ab1..6a2f06f 100644
 +')
 +
 +optional_policy(`
++	mysql_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
 +	networkmanager_filetrans_named_content(unconfined_domain_type)
 +')
 +
@@ -16998,11 +76499,27 @@ index fae1ab1..6a2f06f 100644
 +')
 +
 +optional_policy(`
++	systemd_login_status(unconfined_domain_type)
++	systemd_login_reboot(unconfined_domain_type)
++	systemd_login_halt(unconfined_domain_type)
++	systemd_login_undefined(unconfined_domain_type)
++')
++
++optional_policy(`
++	thumb_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++	tftp_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
 +	userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
 +	userdom_filetrans_home_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
++	virt_filetrans_named_content(unconfined_domain_type)
 +	virt_filetrans_home_content(unconfined_domain_type)
 +')
 +
@@ -17021,6 +76538,7 @@ index fae1ab1..6a2f06f 100644
 +optional_policy(`
 +	init_sigchld(domain)
 +	init_signull(domain)
++	init_read_machineid(domain)
 +')
 +
 +ifdef(`distro_redhat',`
@@ -17129,7 +76647,7 @@ index fae1ab1..6a2f06f 100644
 +
 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c19518a..04ef731 100644
+index c19518a..7ace2f2 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -17140,13 +76658,12 @@ index c19518a..04ef731 100644
  ')
  
  ifdef(`distro_suse',`
-@@ -53,10 +54,17 @@ ifdef(`distro_suse',`
+@@ -53,10 +54,16 @@ ifdef(`distro_suse',`
  /etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/killpower		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
 -/etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 -/etc/mtab\.fuselock	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-+/etc/machine-id		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 +/etc/mtab.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -17160,7 +76677,7 @@ index c19518a..04ef731 100644
  
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
-@@ -68,7 +76,10 @@ ifdef(`distro_suse',`
+@@ -68,7 +75,10 @@ ifdef(`distro_suse',`
  
  /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -17172,7 +76689,7 @@ index c19518a..04ef731 100644
  
  ifdef(`distro_gentoo', `
  /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -102,10 +113,9 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -102,10 +112,9 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /initrd			-d	gen_context(system_u:object_r:root_t,s0)
  
  #
@@ -17184,7 +76701,7 @@ index c19518a..04ef731 100644
  
  #
  # /lost+found
-@@ -146,7 +156,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -146,7 +155,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /opt			-d	gen_context(system_u:object_r:usr_t,s0)
  /opt/.*				gen_context(system_u:object_r:usr_t,s0)
  
@@ -17193,7 +76710,7 @@ index c19518a..04ef731 100644
  
  #
  # /proc
-@@ -154,6 +164,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -154,6 +163,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /proc			-d	<<none>>
  /proc/.*			<<none>>
  
@@ -17206,6 +76723,14 @@ index c19518a..04ef731 100644
  #
  # /run
  #
+@@ -190,6 +205,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
+ /usr			-d	gen_context(system_u:object_r:usr_t,s0)
+ /usr/.*				gen_context(system_u:object_r:usr_t,s0)
+ /usr/\.journal			<<none>>
++/export(/.*)?			gen_context(system_u:object_r:usr_t,s0)
+ 
+ /usr/doc(/.*)?/lib(/.*)?		gen_context(system_u:object_r:usr_t,s0)
+ 
 @@ -206,6 +222,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
  
  /usr/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
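Review bot: The added `/export(/.*)?` entry is placed in the middle of the `/usr` entries although it labels a top-level tree, which makes it easy to miss when auditing what ends up as `usr_t`. I would move it under its own `# /export` heading, or add a comment above it such as `# /export is labeled like /usr content`. Either way, state why the tree should share a type that many domains can presumably read.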
@@ -17251,7 +76776,7 @@ index c19518a..04ef731 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..b733da8 100644
+index ff006ea..95fcd54 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -17262,7 +76787,7 @@ index ff006ea..b733da8 100644
  ##		<li>files_tmp_file()</li>
  ##		<li>files_tmpfs_file()</li>
  ##		<li>logging_log_file()</li>
-@@ -663,12 +664,63 @@ interface(`files_read_non_security_files',`
+@@ -663,12 +664,82 @@ interface(`files_read_non_security_files',`
  		attribute non_security_file_type;
  	')
  
@@ -17273,6 +76798,25 @@ index ff006ea..b733da8 100644
  
  ########################################
  ## <summary>
++##	Read/Write all inherited non-security files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_rw_inherited_non_security_files',`
++	gen_require(`
++		attribute non_security_file_type;
++	')
++
++	allow $1 non_security_file_type:file { read write };
++')
++
++########################################
++## <summary>
 +##	Manage all non-security files.
 +## </summary>
 +## <param name="domain">
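Review bot: Nothing in the added `files_rw_inherited_non_security_files` explains why the rule is a bare `{ read write }`; the restriction to inherited descriptors comes only from `open` being absent. A comment above the `allow`, e.g. `# no open: access is limited to descriptors inherited from another process`, would stop a later edit from widening it by adding `open`. `getattr` is also absent, so whether callers need it on the inherited descriptor should be confirmed.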
@@ -17326,7 +76870,7 @@ index ff006ea..b733da8 100644
  ##	Read all directories on the filesystem, except
  ##	the listed exceptions.
  ## </summary>
-@@ -1053,10 +1105,8 @@ interface(`files_relabel_all_files',`
+@@ -1053,10 +1124,8 @@ interface(`files_relabel_all_files',`
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -17339,7 +76883,7 @@ index ff006ea..b733da8 100644
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1482,6 +1532,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1482,6 +1551,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -17382,7 +76926,7 @@ index ff006ea..b733da8 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1562,7 +1648,7 @@ interface(`files_root_filetrans',`
+@@ -1562,7 +1667,7 @@ interface(`files_root_filetrans',`
  		type root_t;
  	')
  
@@ -17391,7 +76935,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -1660,6 +1746,42 @@ interface(`files_delete_root_dir_entry',`
+@@ -1660,6 +1765,42 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -17434,7 +76978,7 @@ index ff006ea..b733da8 100644
  ##	Unmount a rootfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1678,6 +1800,24 @@ interface(`files_unmount_rootfs',`
+@@ -1678,6 +1819,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -17459,7 +77003,7 @@ index ff006ea..b733da8 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -1848,7 +1988,7 @@ interface(`files_boot_filetrans',`
+@@ -1848,7 +2007,7 @@ interface(`files_boot_filetrans',`
  		type boot_t;
  	')
  
@@ -17468,7 +77012,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -2372,6 +2512,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2372,6 +2531,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -17493,7 +77037,7 @@ index ff006ea..b733da8 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2451,7 +2609,7 @@ interface(`files_read_etc_files',`
+@@ -2451,7 +2628,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17502,7 +77046,7 @@ index ff006ea..b733da8 100644
  ##	</summary>
  ## </param>
  #
-@@ -2507,6 +2665,25 @@ interface(`files_manage_etc_files',`
+@@ -2507,6 +2684,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -17528,7 +77072,7 @@ index ff006ea..b733da8 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2525,6 +2702,24 @@ interface(`files_delete_etc_files',`
+@@ -2525,6 +2721,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -17553,7 +77097,7 @@ index ff006ea..b733da8 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2624,7 +2819,7 @@ interface(`files_etc_filetrans',`
+@@ -2624,7 +2838,7 @@ interface(`files_etc_filetrans',`
  		type etc_t;
  	')
  
@@ -17562,7 +77106,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -2680,24 +2875,6 @@ interface(`files_delete_boot_flag',`
+@@ -2680,24 +2894,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -17587,7 +77131,7 @@ index ff006ea..b733da8 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -2738,6 +2915,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,6 +2934,42 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -17609,10 +77153,28 @@ index ff006ea..b733da8 100644
 +
 +########################################
 +## <summary>
++##	Do not audit attempts to write etc_runtime files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_write_etc_runtime_files',`
++	gen_require(`
++		type etc_runtime_t;
++	')
++
++	dontaudit $1 etc_runtime_t:file write;
++')
++
++########################################
++## <summary>
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -2775,6 +2970,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2775,6 +3007,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
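Review bot: The summary of `files_dontaudit_write_etc_runtime_files` does not say which files it covers, while the neighbouring read interface spells out "files in /etc that are dynamically created on boot, such as mtab". I would reuse that wording: `##	Do not audit attempts to write files in /etc that are dynamically created on boot, such as mtab.` The rule is `dontaudit $1 etc_runtime_t:file write;`, so it names only `write` and denials for other permissions such as `append` are still logged. That is worth stating in a `<desc>`, because a dontaudit rule removes these denials from the audit log that troubleshooting and incident review depend on.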
@@ -17620,7 +77182,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -2796,6 +2992,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -2796,6 +3029,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -17628,7 +77190,33 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -3364,7 +3561,7 @@ interface(`files_home_filetrans',`
+@@ -3166,6 +3400,25 @@ interface(`files_rw_isid_type_blk_files',`
+ 
+ ########################################
+ ## <summary>
++##	rw any files inherited from another process
++##	on new filesystems that have not yet been labeled.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_inherited_isid_type_files',`
++	gen_require(`
++		type file_t;
++	')
++
++	allow $1 file_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete block device nodes
+ ##	on new filesystems that have not yet been labeled.
+ ## </summary>
+@@ -3364,7 +3617,7 @@ interface(`files_home_filetrans',`
  		type home_root_t;
  	')
  
@@ -17637,7 +77225,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -3502,20 +3699,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3755,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -17681,7 +77269,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -3804,7 +4019,7 @@ interface(`files_kernel_modules_filetrans',`
+@@ -3804,7 +4075,7 @@ interface(`files_kernel_modules_filetrans',`
  		type modules_object_t;
  	')
  
@@ -17690,12 +77278,14 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -3900,6 +4115,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,9 +4171,130 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
+-########################################
 +#######################################
-+## <summary>
+ ## <summary>
+-##	Allow the specified type to associate
 +##  Read manageable system configuration files in /etc
 +## </summary>
 +## <param name="domain">
@@ -17730,6 +77320,34 @@ index ff006ea..b733da8 100644
 +    ')
 +
 +    manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
++    files_filetrans_system_conf_named_files($1)
++')
++
++#####################################
++## <summary>
++##  File name transition for system configuration files in /etc.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`files_filetrans_system_conf_named_files',`
++    gen_require(`
++        type etc_t, system_conf_t;
++    ')
++
++	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
 +')
 +
 +######################################
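Review bot: The name list in `files_filetrans_system_conf_named_files` has `"ebtables.old"` and `"iptables.old"` but no entry for the base names, whereas every other file is listed together with its `.old` copy. If the file contexts (not visible in this hunk) label those base files `system_conf_t`, a newly created one would keep the parent's `etc_t`; adding `filetrans_pattern($1, etc_t, system_conf_t, file, "iptables")` and the `"ebtables"` equivalent would close that gap. A short comment should also say that a named transition applies only when a file is created under exactly that name, so a tool that writes a temporary file and renames it still needs a relabel. The `gen_require` block is indented with spaces and the `filetrans_pattern` lines with a tab. The interface that receives the new call on the first added line starts outside the hunk.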
@@ -17787,10 +77405,40 @@ index ff006ea..b733da8 100644
 +    filetrans_pattern($1, etc_t, system_conf_t, file)
 +')
 +
++########################################
++## <summary>
++##	Allow the specified type to associate
+ ##	to a filesystem with the type of the
+ ##	temporary directory (/tmp).
+ ## </summary>
+@@ -3922,6 +4314,26 @@ interface(`files_associate_tmp',`
+ 
  ########################################
  ## <summary>
- ##	Allow the specified type to associate
-@@ -3945,7 +4253,7 @@ interface(`files_getattr_tmp_dirs',`
++##	Allow the specified type to associate
++##	to a filesystem with the type of the
++##	/ file system
++## </summary>
++## <param name="file_type">
++##	<summary>
++##	Type of the file to associate.
++##	</summary>
++## </param>
++#
++interface(`files_associate_rootfs',`
++	gen_require(`
++		type root_t;
++	')
++
++	allow $1 root_t:filesystem associate;
++')
++
++########################################
++## <summary>
+ ##	Get the	attributes of the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+@@ -3945,7 +4357,7 @@ interface(`files_getattr_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17799,7 +77447,7 @@ index ff006ea..b733da8 100644
  ##	</summary>
  ## </param>
  #
-@@ -4017,7 +4325,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4429,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17808,14 +77456,12 @@ index ff006ea..b733da8 100644
  ##	</summary>
  ## </param>
  #
-@@ -4029,9 +4337,27 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4441,24 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
--########################################
 +#######################################
- ## <summary>
--##	Remove entries from the tmp directory.
++## <summary>
 +##  Allow read and write to the tmp directory (/tmp).
 +## </summary>
 +## <param name="domain">
@@ -17832,13 +77478,10 @@ index ff006ea..b733da8 100644
 +    allow $1 tmp_t:dir rw_dir_perms;
 +')
 +
-+########################################
-+## <summary>
-+##	Remove entries from the tmp directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4085,6 +4411,32 @@ interface(`files_manage_generic_tmp_dirs',`
+ ########################################
+ ## <summary>
+ ##	Remove entries from the tmp directory.
+@@ -4085,6 +4515,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -17871,7 +77514,7 @@ index ff006ea..b733da8 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4139,6 +4491,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,6 +4595,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -17914,7 +77557,7 @@ index ff006ea..b733da8 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4202,7 +4590,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4694,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17923,7 +77566,7 @@ index ff006ea..b733da8 100644
  ##	</summary>
  ## </param>
  #
-@@ -4262,7 +4650,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4754,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17932,7 +77575,7 @@ index ff006ea..b733da8 100644
  ##	</summary>
  ## </param>
  #
-@@ -4318,7 +4706,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4810,7 @@ interface(`files_tmp_filetrans',`
  		type tmp_t;
  	')
  
@@ -17941,7 +77584,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -4342,6 +4730,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4834,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -17958,7 +77601,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -4681,7 +5079,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5183,7 @@ interface(`files_usr_filetrans',`
  		type usr_t;
  	')
  
@@ -17967,7 +77610,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -4914,6 +5312,24 @@ interface(`files_list_var',`
+@@ -4914,6 +5416,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -17992,7 +77635,7 @@ index ff006ea..b733da8 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5084,7 +5500,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5604,7 @@ interface(`files_var_filetrans',`
  		type var_t;
  	')
  
@@ -18001,7 +77644,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -5219,7 +5635,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5739,7 @@ interface(`files_var_lib_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -18010,7 +77653,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -5259,6 +5675,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5259,6 +5779,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -18036,7 +77679,7 @@ index ff006ea..b733da8 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5304,6 +5739,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5843,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -18062,7 +77705,7 @@ index ff006ea..b733da8 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5317,6 +5771,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5875,8 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18071,7 +77714,7 @@ index ff006ea..b733da8 100644
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5336,12 +5792,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5896,14 @@ interface(`files_dontaudit_search_locks',`
  		type var_lock_t;
  	')
  
@@ -18087,7 +77730,7 @@ index ff006ea..b733da8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5349,12 +5807,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5911,30 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -18120,7 +77763,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -5373,6 +5849,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5953,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -18128,7 +77771,7 @@ index ff006ea..b733da8 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5385,7 +5862,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5966,6 @@ interface(`files_rw_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -18136,7 +77779,7 @@ index ff006ea..b733da8 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5412,7 +5888,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5992,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18145,7 +77788,7 @@ index ff006ea..b733da8 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5428,12 +5904,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +6008,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -18162,7 +77805,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -5452,7 +5928,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +6032,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18171,7 +77814,7 @@ index ff006ea..b733da8 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5493,7 +5969,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +6073,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18180,7 +77823,7 @@ index ff006ea..b733da8 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5991,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +6095,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18189,7 +77832,7 @@ index ff006ea..b733da8 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +6023,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +6127,8 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -18200,7 +77843,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -5608,6 +6084,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +6188,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -18244,7 +77887,7 @@ index ff006ea..b733da8 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5629,6 +6142,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5629,6 +6246,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -18270,7 +77913,7 @@ index ff006ea..b733da8 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -5736,7 +6268,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6372,7 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -18279,7 +77922,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -5815,29 +6347,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,29 +6451,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -18313,7 +77956,7 @@ index ff006ea..b733da8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5845,42 +6373,35 @@ interface(`files_read_all_pids',`
+@@ -5845,12 +6477,182 @@ interface(`files_read_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -18326,262 +77969,29 @@ index ff006ea..b733da8 100644
  
 -	allow $1 polymember:dir mounton;
 +	allow $1 pidfile:sock_file delete_sock_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Delete all process IDs.
-+##	Create all pid sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_delete_all_pids',`
-+interface(`files_create_all_pid_sockets',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:dir rmdir;
--	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
--	delete_files_pattern($1, pidfile, pidfile)
--	delete_fifo_files_pattern($1, pidfile, pidfile)
--	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+	allow $1 pidfile:sock_file create_sock_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Delete all process ID directories.
-+##	Create all pid named pipes
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5888,20 +6409,17 @@ interface(`files_delete_all_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_delete_all_pid_dirs',`
-+interface(`files_create_all_pid_pipes',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	delete_dirs_pattern($1, pidfile, pidfile)
-+	allow $1 pidfile:fifo_file create_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Search the contents of generic spool
--##	directories (/var/spool).
-+##	Delete all pid named pipes
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5909,56 +6427,59 @@ interface(`files_delete_all_pid_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`files_search_spool',`
-+interface(`files_delete_all_pid_pipes',`
- 	gen_require(`
--		type var_t, var_spool_t;
-+		attribute pidfile;
- 	')
- 
--	search_dirs_pattern($1, var_t, var_spool_t)
-+	allow $1 pidfile:fifo_file delete_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to search generic
--##	spool directories.
-+##	manage all pidfile directories
-+##	in the /var/run directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_dontaudit_search_spool',`
-+interface(`files_manage_all_pid_dirs',`
- 	gen_require(`
--		type var_spool_t;
-+		attribute pidfile;
- 	')
- 
--	dontaudit $1 var_spool_t:dir search_dir_perms;
-+	manage_dirs_pattern($1,pidfile,pidfile)
- ')
- 
-+
- ########################################
- ## <summary>
--##	List the contents of generic spool
--##	(/var/spool) directories.
-+##	Read all process ID files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`files_list_spool',`
-+interface(`files_read_all_pids',`
- 	gen_require(`
--		type var_t, var_spool_t;
-+		attribute pidfile;
-+		type var_t;
- 	')
- 
--	list_dirs_pattern($1, var_t, var_spool_t)
-+	list_dirs_pattern($1, var_t, pidfile)
-+	read_files_pattern($1, pidfile, pidfile)
-+	read_lnk_files_pattern($1, pidfile, pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete generic
--##	spool directories (/var/spool).
-+##	Relable all pid files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5966,18 +6487,17 @@ interface(`files_list_spool',`
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_generic_spool_dirs',`
-+interface(`files_relabel_all_pid_files',`
- 	gen_require(`
--		type var_t, var_spool_t;
-+		attribute pidfile;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+	relabel_files_pattern($1, pidfile, pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Read generic spool files.
-+##	Execute generic programs in /var/run in the caller domain.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5985,19 +6505,18 @@ interface(`files_manage_generic_spool_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`files_read_generic_spool',`
-+interface(`files_exec_generic_pid_files',`
- 	gen_require(`
--		type var_t, var_spool_t;
-+		type var_run_t;
- 	')
- 
--	list_dirs_pattern($1, var_t, var_spool_t)
--	read_files_pattern($1, var_spool_t, var_spool_t)
-+	exec_files_pattern($1, var_run_t, var_run_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete generic
--##	spool files.
-+##	manage all pidfiles 
-+##	in the /var/run directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6005,31 +6524,294 @@ interface(`files_read_generic_spool',`
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_generic_spool',`
-+interface(`files_manage_all_pids',`
- 	gen_require(`
--		type var_t, var_spool_t;
-+		attribute pidfile;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	manage_files_pattern($1, var_spool_t, var_spool_t)
-+	manage_files_pattern($1,pidfile,pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Create objects in the spool directory
--##	with a private type with a type transition.
-+##	Mount filesystems on all polyinstantiation
-+##	member directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="file">
--##	<summary>
--##	Type to which the created node will be transitioned.
--##	</summary>
--## </param>
--## <param name="class">
-+#
-+interface(`files_mounton_all_poly_members',`
-+	gen_require(`
-+		attribute polymember;
-+	')
-+
-+	allow $1 polymember:dir mounton;
 +')
 +
 +########################################
 +## <summary>
-+##	Delete all process IDs.
++##	Create all pid sockets
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`files_delete_all_pids',`
++interface(`files_create_all_pid_sockets',`
 +	gen_require(`
 +		attribute pidfile;
-+		type var_t, var_run_t;
 +	')
 +
-+	allow $1 var_t:dir search_dir_perms;
-+	allow $1 var_run_t:dir rmdir;
-+	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+	delete_files_pattern($1, pidfile, pidfile)
-+	delete_fifo_files_pattern($1, pidfile, pidfile)
-+	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++	allow $1 pidfile:sock_file create_sock_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Delete all process ID directories.
++##	Create all pid named pipes
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -18589,67 +77999,36 @@ index ff006ea..b733da8 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_delete_all_pid_dirs',`
++interface(`files_create_all_pid_pipes',`
 +	gen_require(`
 +		attribute pidfile;
-+		type var_t;
 +	')
 +
-+	allow $1 var_t:dir search_dir_perms;
-+	delete_dirs_pattern($1, pidfile, pidfile)
++	allow $1 pidfile:fifo_file create_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Make the specified type a file
-+##	used for spool files.
++##	Delete all pid named pipes
 +## </summary>
-+## <desc>
-+##	<p>
-+##	Make the specified type usable for spool files.
-+##	This will also make the type usable for files, making
-+##	calls to files_type() redundant.  Failure to use this interface
-+##	for a spool file may result in problems with
-+##	purging spool files.
-+##	</p>
-+##	<p>
-+##	Related interfaces:
-+##	</p>
-+##	<ul>
-+##		<li>files_spool_filetrans()</li>
-+##	</ul>
-+##	<p>
-+##	Example usage with a domain that can create and
-+##	write its spool file in the system spool file
-+##	directories (/var/spool):
-+##	</p>
-+##	<p>
-+##	type myspoolfile_t;
-+##	files_spool_file(myfile_spool_t)
-+##	allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
-+##	files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+##	</p>
-+## </desc>
-+## <param name="file_type">
++## <param name="domain">
 +##	<summary>
-+##	Type of the file to be used as a
-+##	spool file.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <infoflow type="none"/>
 +#
-+interface(`files_spool_file',`
++interface(`files_delete_all_pid_pipes',`
 +	gen_require(`
-+		attribute spoolfile;
++		attribute pidfile;
 +	')
 +
-+	files_type($1)
-+	typeattribute $1 spoolfile;
++	allow $1 pidfile:fifo_file delete_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Create all spool sockets
++##	manage all pidfile directories
++##	in the /var/run directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -18657,36 +78036,40 @@ index ff006ea..b733da8 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_create_all_spool_sockets',`
++interface(`files_manage_all_pid_dirs',`
 +	gen_require(`
-+		attribute spoolfile;
++		attribute pidfile;
 +	')
 +
-+	allow $1 spoolfile:sock_file create_sock_file_perms;
++	manage_dirs_pattern($1,pidfile,pidfile)
 +')
 +
++
 +########################################
 +## <summary>
-+##	Delete all spool sockets
++##	Read all process ID files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`files_delete_all_spool_sockets',`
++interface(`files_read_all_pids',`
 +	gen_require(`
-+		attribute spoolfile;
++		attribute pidfile;
++		type var_t;
 +	')
 +
-+	allow $1 spoolfile:sock_file delete_sock_file_perms;
++	list_dirs_pattern($1, var_t, pidfile)
++	read_files_pattern($1, pidfile, pidfile)
++	read_lnk_files_pattern($1, pidfile, pidfile)
 +')
 +
 +########################################
 +## <summary>
-+##	Search the contents of generic spool
-+##	directories (/var/spool).
++##	Relable all pid files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
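Review bot: The summary line `##	Relable all pid files` is misspelled and ends up in the generated interface documentation; it should read `##	Relabel all pid files.` The two lower-case summaries in the same hunk, `manage all pidfile directories` and `manage all pidfiles`, would read better capitalised like the rest of the file. The body of `files_relabel_all_pid_files` follows in the next hunk.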
@@ -18694,37 +78077,36 @@ index ff006ea..b733da8 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_search_spool',`
++interface(`files_relabel_all_pid_files',`
 +	gen_require(`
-+		type var_t, var_spool_t;
++		attribute pidfile;
 +	')
 +
-+	search_dirs_pattern($1, var_t, var_spool_t)
++	relabel_files_pattern($1, pidfile, pidfile)
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to search generic
-+##	spool directories.
++##	Execute generic programs in /var/run in the caller domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_search_spool',`
++interface(`files_exec_generic_pid_files',`
 +	gen_require(`
-+		type var_spool_t;
++		type var_run_t;
 +	')
 +
-+	dontaudit $1 var_spool_t:dir search_dir_perms;
++	exec_files_pattern($1, var_run_t, var_run_t)
 +')
 +
 +########################################
 +## <summary>
-+##	List the contents of generic spool
-+##	(/var/spool) directories.
++##	manage all pidfiles 
++##	in the /var/run directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
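Review bot: `files_exec_generic_pid_files` lets the caller run `var_run_t` files in its own domain, and its summary gives no hint that /var/run is a runtime directory that many domains can write to. Any caller that also holds create or write access on `var_run_t` (not determinable from this hunk) could then execute content it produced itself, without a domain transition. I would add a `<desc>` saying so and asking callers to prefer a dedicated executable type, for example `##	Callers should not also be able to write var_run_t files; use a private exec type where possible.`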
@@ -18732,18 +78114,18 @@ index ff006ea..b733da8 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_list_spool',`
++interface(`files_manage_all_pids',`
 +	gen_require(`
-+		type var_t, var_spool_t;
++		attribute pidfile;
 +	')
 +
-+	list_dirs_pattern($1, var_t, var_spool_t)
++	manage_files_pattern($1,pidfile,pidfile)
 +')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete generic
-+##	spool directories (/var/spool).
++##	Mount filesystems on all polyinstantiation
++##	member directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -18751,38 +78133,68 @@ index ff006ea..b733da8 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_manage_generic_spool_dirs',`
++interface(`files_mounton_all_poly_members',`
 +	gen_require(`
-+		type var_t, var_spool_t;
++		attribute polymember;
 +	')
 +
-+	allow $1 var_t:dir search_dir_perms;
-+	manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read generic spool files.
++	allow $1 polymember:dir mounton;
+ ')
+ 
+ ########################################
+@@ -5900,6 +6702,90 @@ interface(`files_delete_all_pid_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Make the specified type a file
++##	used for spool files.
 +## </summary>
-+## <param name="domain">
++## <desc>
++##	<p>
++##	Make the specified type usable for spool files.
++##	This will also make the type usable for files, making
++##	calls to files_type() redundant.  Failure to use this interface
++##	for a spool file may result in problems with
++##	purging spool files.
++##	</p>
++##	<p>
++##	Related interfaces:
++##	</p>
++##	<ul>
++##		<li>files_spool_filetrans()</li>
++##	</ul>
++##	<p>
++##	Example usage with a domain that can create and
++##	write its spool file in the system spool file
++##	directories (/var/spool):
++##	</p>
++##	<p>
++##	type myspoolfile_t;
++##	files_spool_file(myfile_spool_t)
++##	allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++##	files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++##	</p>
++## </desc>
++## <param name="file_type">
 +##	<summary>
-+##	Domain allowed access.
++##	Type of the file to be used as a
++##	spool file.
 +##	</summary>
 +## </param>
++## <infoflow type="none"/>
 +#
-+interface(`files_read_generic_spool',`
++interface(`files_spool_file',`
 +	gen_require(`
-+		type var_t, var_spool_t;
++		attribute spoolfile;
 +	')
 +
-+	list_dirs_pattern($1, var_t, var_spool_t)
-+	read_files_pattern($1, var_spool_t, var_spool_t)
++	files_type($1)
++	typeattribute $1 spoolfile;
 +')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete generic
-+##	spool files.
++##	Create all spool sockets
 +## </summary>
 +## <param name="domain">
 +##	<summary>
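Review bot: The usage example in the `files_spool_file` description declares `type myspoolfile_t;` but every following line uses `myfile_spool_t`, so a policy writer who copies it gets an undeclared type. The declaration should match the later lines: `##	type myfile_spool_t;`. The interface itself is complete within this hunk and needs no change.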
@@ -18790,35 +78202,38 @@ index ff006ea..b733da8 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_manage_generic_spool',`
++interface(`files_create_all_spool_sockets',`
 +	gen_require(`
-+		type var_t, var_spool_t;
++		attribute spoolfile;
 +	')
 +
-+	allow $1 var_t:dir search_dir_perms;
-+	manage_files_pattern($1, var_spool_t, var_spool_t)
++	allow $1 spoolfile:sock_file create_sock_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Create objects in the spool directory
-+##	with a private type with a type transition.
++##	Delete all spool sockets
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="file">
-+##	<summary>
-+##	Type to which the created node will be transitioned.
-+##	</summary>
-+## </param>
-+## <param name="class">
- ##	<summary>
- ##	Object class(es) (single or set including {}) for which this
- ##	the transition will occur.
-@@ -6042,7 +6824,7 @@ interface(`files_spool_filetrans',`
++#
++interface(`files_delete_all_spool_sockets',`
++	gen_require(`
++		attribute spoolfile;
++	')
++
++	allow $1 spoolfile:sock_file delete_sock_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Search the contents of generic spool
+ ##	directories (/var/spool).
+ ## </summary>
+@@ -6042,7 +6928,7 @@ interface(`files_spool_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -18827,7 +78242,7 @@ index ff006ea..b733da8 100644
  ')
  
  ########################################
-@@ -6117,3 +6899,302 @@ interface(`files_unconfined',`
+@@ -6117,3 +7003,332 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -18987,7 +78402,11 @@ index ff006ea..b733da8 100644
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
++## <param name="object_type">
++##  <summary>
++##  Object type.
++##  </summary>
++## </param>
 +#
 +interface(`files_rw_all_inherited_files',`
 +	gen_require(`
@@ -19130,8 +78549,34 @@ index ff006ea..b733da8 100644
 +
 +	allow $1 non_security_file_type:file_class_set unlink;
 +')
++
++########################################
++## <summary>
++##	Transition named content in the var_run_t directory
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_filetrans_named_content',`
++	gen_require(`
++		type mnt_t;
++		type usr_t;
++		type var_t;
++	')
++
++	files_pid_filetrans($1, mnt_t, dir, "media")
++	files_root_filetrans($1, mnt_t, dir, "afs")
++	files_root_filetrans($1, mnt_t, dir, "misc")
++	files_root_filetrans($1, mnt_t, dir, "net")
++	files_root_filetrans($1, usr_t, dir, "export")
++	files_root_filetrans($1, usr_t, dir, "emul")
++	files_root_filetrans($1, var_t, dir, "nsr")
++')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 22821ff..4486d80 100644
+index 22821ff..2765a15 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
 @@ -10,7 +10,9 @@ attribute files_unconfined_type;
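Review bot: The summary of `files_filetrans_named_content` says the named transitions apply in the var_run_t directory, but only the "media" rule goes through `files_pid_filetrans`. The other six rules use `files_root_filetrans`, which by its name labels directories created in the root directory. A caller reading the summary would not expect to receive mnt_t/usr_t/var_t labelling of new top-level directories. The summary should say what is granted, for example `##	Transition named directories created in / and in the pid directory (/var/run).`.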
@@ -19175,7 +78620,14 @@ index 22821ff..4486d80 100644
  genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
  
  #
-@@ -167,6 +179,7 @@ files_mountpoint(var_lib_t)
+@@ -161,12 +173,14 @@ files_mountpoint(var_t)
+ #
+ type var_lib_t;
+ files_mountpoint(var_lib_t)
++files_poly(var_lib_t)
+ 
+ #
+ # var_lock_t is tye type of /var/lock
  #
  type var_lock_t;
  files_lock_file(var_lock_t)
@@ -19183,7 +78635,7 @@ index 22821ff..4486d80 100644
  
  #
  # var_run_t is the type of /var/run, usually
-@@ -181,6 +194,7 @@ files_mountpoint(var_run_t)
+@@ -181,6 +195,7 @@ files_mountpoint(var_run_t)
  #
  type var_spool_t;
  files_tmp_file(var_spool_t)
@@ -19205,7 +78657,7 @@ index cda5588..e89e4bf 100644
 +/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 +/usr/lib/udev/devices/shm/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..e8f904f 100644
+index 97fcdac..aa54b2c 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -19278,7 +78730,7 @@ index 97fcdac..e8f904f 100644
  
 +#######################################
 +## <summary>
-+##  Dontaudit search cgroup directories.
++##  Do not audit attempts to search cgroup directories.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
@@ -19373,6 +78825,15 @@ index 97fcdac..e8f904f 100644
  ##	Do not audit attempts to read all
  ##	noxattrfs files.
  ## </summary>
+@@ -1245,7 +1332,7 @@ interface(`fs_append_cifs_files',`
+ 
+ ########################################
+ ## <summary>
+-##	dontaudit Append files
++##	Do not audit attempts to append files
+ ##	on a CIFS filesystem.
+ ## </summary>
+ ## <param name="domain">
 @@ -1265,6 +1352,42 @@ interface(`fs_dontaudit_append_cifs_files',`
  
  ########################################
@@ -19476,7 +78937,33 @@ index 97fcdac..e8f904f 100644
  ##	Mount a DOS filesystem, such as
  ##	FAT32 or NTFS.
  ## </summary>
-@@ -2025,6 +2185,24 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1679,6 +1839,25 @@ interface(`fs_relabelfrom_dos_fs',`
+ 
+ ########################################
+ ## <summary>
++##	Allow changing of the label of a
++##	tmpfs filesystem using the context= mount option.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_relabelfrom_tmpfs',`
++	gen_require(`
++		type tmpfs_t;
++	')
++
++	allow $1 tmpfs_t:filesystem relabelfrom;
++')
++
++########################################
++## <summary>
+ ##	Search dosfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -2025,6 +2204,68 @@ interface(`fs_read_fusefs_symlinks',`
  
  ########################################
  ## <summary>
@@ -19498,10 +78985,54 @@ index 97fcdac..e8f904f 100644
 +
 +########################################
 +## <summary>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.  This allows
++##	the specified domain to execute any file
++##	on these filesystems in the specified
++##	domain.  This is not suggested.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++##	<p>
++##	This interface was added to handle
++##	home directories on FUSE filesystems,
++##	in particular used by the ssh-agent policy.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`fs_fusefs_domtrans',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	allow $1 fusefs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, fusefs_t, $2)
++')
++
++########################################
++## <summary>
  ##	Get the attributes of an hugetlbfs
  ##	filesystem.
  ## </summary>
-@@ -2080,6 +2258,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2080,6 +2321,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
  
  ########################################
  ## <summary>
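Review bot: `fs_fusefs_domtrans` applies `domain_auto_transition_pattern($1, fusefs_t, $2)` to every file labelled fusefs_t, and its own description says this "is not suggested", yet nothing in the interface or its documentation tells callers how to bound it. Content on a FUSE mount is typically supplied by the user who mounted it, so any executable there becomes an entry point into the target domain. I would add a sentence to the `<desc>` saying that callers are expected to wrap the call in a `tunable_policy` block, so the transition stays off unless FUSE home directories are in use. The ssh-agent caller mentioned in the description is not visible in this hunk, so whether it already does this should be checked.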
@@ -19526,7 +79057,7 @@ index 97fcdac..e8f904f 100644
  ##	Read and write hugetlbfs files.
  ## </summary>
  ## <param name="domain">
-@@ -2148,6 +2344,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2407,12 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -19534,7 +79065,13 @@ index 97fcdac..e8f904f 100644
  ')
  
  ########################################
-@@ -2480,6 +2677,7 @@ interface(`fs_read_nfs_files',`
+ ## <summary>
+-##	Dontaudit List inotifyfs filesystem.
++##	Do not audit attempts to list inotifyfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2480,6 +2740,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19542,7 +79079,7 @@ index 97fcdac..e8f904f 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2518,6 +2716,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2779,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19550,7 +79087,7 @@ index 97fcdac..e8f904f 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2544,6 +2743,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2806,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -19576,7 +79113,16 @@ index 97fcdac..e8f904f 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2584,6 +2802,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2564,7 +2845,7 @@ interface(`fs_append_nfs_files',`
+ 
+ ########################################
+ ## <summary>
+-##	dontaudit Append files
++##	Do not audit attempts to append files
+ ##	on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -2584,6 +2865,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -19619,7 +79165,7 @@ index 97fcdac..e8f904f 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2598,7 +2852,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2915,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19628,7 +79174,16 @@ index 97fcdac..e8f904f 100644
  ')
  
  ########################################
-@@ -2736,7 +2990,7 @@ interface(`fs_search_removable',`
+@@ -2622,7 +2939,7 @@ interface(`fs_read_nfs_symlinks',`
+ 
+ ########################################
+ ## <summary>
+-##	Dontaudit read symbolic links on a NFS filesystem.
++##	Do not audit attempts to read symbolic links on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2736,7 +3053,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -19637,7 +79192,7 @@ index 97fcdac..e8f904f 100644
  ##	</summary>
  ## </param>
  #
-@@ -2772,7 +3026,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +3089,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -19646,7 +79201,7 @@ index 97fcdac..e8f904f 100644
  ##	</summary>
  ## </param>
  #
-@@ -2965,6 +3219,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3282,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -19654,7 +79209,7 @@ index 97fcdac..e8f904f 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3005,6 +3260,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3323,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19662,7 +79217,7 @@ index 97fcdac..e8f904f 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3045,6 +3301,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3364,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -19670,7 +79225,7 @@ index 97fcdac..e8f904f 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3258,6 +3515,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3258,6 +3578,24 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
@@ -19695,7 +79250,59 @@ index 97fcdac..e8f904f 100644
  ########################################
  ## <summary>
  ##	Read and write NFS server files.
-@@ -3810,6 +4085,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3278,6 +3616,24 @@ interface(`fs_rw_nfsd_fs',`
+ 
+ ########################################
+ ## <summary>
++##	Manage NFS server files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_manage_nfsd_fs',`
++	gen_require(`
++		type nfsd_fs_t;
++	')
++
++	manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++')
++
++########################################
++## <summary>
+ ##	Allow the type to associate to ramfs filesystems.
+ ## </summary>
+ ## <param name="type">
+@@ -3387,7 +3743,7 @@ interface(`fs_search_ramfs',`
+ 
+ ########################################
+ ## <summary>
+-##	Dontaudit Search directories on a ramfs
++##	Do not audit attempts to search directories on a ramfs
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3424,7 +3780,7 @@ interface(`fs_manage_ramfs_dirs',`
+ 
+ ########################################
+ ## <summary>
+-##	Dontaudit read on a ramfs files.
++##	Do not audit attempts to read on a ramfs files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3442,7 +3798,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+ 
+ ########################################
+ ## <summary>
+-##	Dontaudit read on a ramfs fifo_files.
++##	Do not audit attempts to read on a ramfs fifo_files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3810,6 +4166,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -19720,7 +79327,7 @@ index 97fcdac..e8f904f 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3958,6 +4251,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4332,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
@@ -19763,7 +79370,7 @@ index 97fcdac..e8f904f 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4059,7 +4388,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4059,7 +4469,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
  		type tmpfs_t;
  	')
  
@@ -19772,7 +79379,7 @@ index 97fcdac..e8f904f 100644
  ')
  
  ########################################
-@@ -4119,6 +4448,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4119,6 +4529,24 @@ interface(`fs_rw_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -19797,11 +79404,20 @@ index 97fcdac..e8f904f 100644
  ##	Read tmpfs link files.
  ## </summary>
  ## <param name="domain">
-@@ -4175,6 +4522,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4156,7 +4584,7 @@ interface(`fs_rw_tmpfs_chr_files',`
  
  ########################################
  ## <summary>
-+##	dontaudit Read and write block nodes on tmpfs filesystems.
+-##	dontaudit Read and write character nodes on tmpfs filesystems.
++##	Do not audit attempts to read and write character nodes on tmpfs filesystems.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4175,6 +4603,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
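Review bot: The rewritten summary `Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.` still carries the word "dontaudit" from the old text and does not read as a sentence in the generated interface documentation. The line it replaces said "Read and write block nodes", and the interface body is outside this hunk. Unless that body was narrowed to read only, the summary should be `##	Do not audit attempts to read and write block nodes on tmpfs filesystems.`. Accurate dontaudit summaries matter because these rules decide which denials never reach the audit log.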
@@ -19819,10 +79435,53 @@ index 97fcdac..e8f904f 100644
 +
 +########################################
 +## <summary>
++##	Do not audit attempts to read files on tmpfs filesystems.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`fs_dontaudit_read_tmpfs_files',`
++	gen_require(`
++		type tmpfs_t;
++	')
++
++	dontaudit $1 tmpfs_t:blk_file read;
++')
++
++########################################
++## <summary>
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4251,6 +4616,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4232,6 +4696,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
+ 
+ ########################################
+ ## <summary>
++##	Delete generic files in tmpfs directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_delete_tmpfs_files',`
++	gen_require(`
++		type tmpfs_t;
++	')
++
++	allow $1 tmpfs_t:file unlink;
++')
++
++########################################
++## <summary>
+ ##	Read and write, create and delete generic
+ ##	files on tmpfs filesystems.
+ ## </summary>
+@@ -4251,6 +4733,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
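Review bot: `fs_dontaudit_read_tmpfs_files` is documented as silencing reads of files on tmpfs, but its rule is `dontaudit $1 tmpfs_t:blk_file read;`, which looks copied from a block-node interface. As written, denied reads of regular tmpfs files are still logged, while denied reads of block device nodes labelled tmpfs_t are hidden from the audit log for every caller, which removes a signal worth keeping. The rule should use the file class: `dontaudit $1 tmpfs_t:file read;` (or `read_file_perms` if callers need the whole permission set). `fs_delete_tmpfs_files`, later in the same hunk, uses `tmpfs_t:file` as expected.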
@@ -19848,7 +79507,7 @@ index 97fcdac..e8f904f 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4457,6 +4841,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4958,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -19857,7 +79516,7 @@ index 97fcdac..e8f904f 100644
  ')
  
  ########################################
-@@ -4503,7 +4889,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +5006,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -19866,7 +79525,7 @@ index 97fcdac..e8f904f 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4866,3 +5252,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5369,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -19892,18 +79551,19 @@ index 97fcdac..e8f904f 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index f125dc2..f5e522e 100644
+index f125dc2..20c042d 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
-@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+@@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 +fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
  
  # Use the allocating task SID to label inodes in the following filesystem
  # types, and label the filesystem itself with the specified context.
-@@ -52,6 +53,7 @@ type anon_inodefs_t;
+@@ -52,6 +54,7 @@ type anon_inodefs_t;
  fs_type(anon_inodefs_t)
  files_mountpoint(anon_inodefs_t)
  genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
@@ -19911,7 +79571,7 @@ index f125dc2..f5e522e 100644
  
  type bdev_t;
  fs_type(bdev_t)
-@@ -67,7 +69,7 @@ fs_type(capifs_t)
+@@ -67,7 +70,7 @@ fs_type(capifs_t)
  files_mountpoint(capifs_t)
  genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
  
@@ -19920,7 +79580,7 @@ index f125dc2..f5e522e 100644
  fs_type(cgroup_t)
  files_type(cgroup_t)
  files_mountpoint(cgroup_t)
-@@ -96,6 +98,7 @@ type hugetlbfs_t;
+@@ -96,6 +99,7 @@ type hugetlbfs_t;
  fs_type(hugetlbfs_t)
  files_mountpoint(hugetlbfs_t)
  fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -19928,7 +79588,7 @@ index f125dc2..f5e522e 100644
  
  type ibmasmfs_t;
  fs_type(ibmasmfs_t)
-@@ -144,11 +147,6 @@ fs_type(spufs_t)
+@@ -144,11 +148,6 @@ fs_type(spufs_t)
  genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
  files_mountpoint(spufs_t)
  
@@ -19940,7 +79600,7 @@ index f125dc2..f5e522e 100644
  type sysv_t;
  fs_noxattr_type(sysv_t)
  files_mountpoint(sysv_t)
-@@ -175,6 +173,7 @@ fs_type(tmpfs_t)
+@@ -175,6 +174,7 @@ fs_type(tmpfs_t)
  files_type(tmpfs_t)
  files_mountpoint(tmpfs_t)
  files_poly_parent(tmpfs_t)
@@ -19948,7 +79608,7 @@ index f125dc2..f5e522e 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -254,6 +253,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -254,6 +254,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -19957,7 +79617,7 @@ index f125dc2..f5e522e 100644
  files_mountpoint(removable_t)
  
  #
-@@ -273,6 +274,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -273,6 +275,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -19974,7 +79634,7 @@ index 7be4ddf..f7021a0 100644
 +
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 6346378..3bfb1f8 100644
+index 6346378..4221c9d 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -345,13 +345,8 @@ interface(`kernel_load_module',`
@@ -19991,7 +79651,32 @@ index 6346378..3bfb1f8 100644
  ')
  
  ########################################
-@@ -1464,6 +1459,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -791,6 +786,24 @@ interface(`kernel_unmount_proc',`
+ 
+ ########################################
+ ## <summary>
++##	Mounton a proc filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_mounton_proc',`
++	gen_require(`
++		type proc_t;
++	')
++
++	allow $1 proc_t:dir mounton;
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of the proc filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -1464,6 +1477,24 @@ interface(`kernel_dontaudit_list_all_proc',`
  
  ########################################
  ## <summary>
@@ -20016,7 +79701,7 @@ index 6346378..3bfb1f8 100644
  ##	Do not audit attempts by caller to search
  ##	the base directory of sysctls.
  ## </summary>
-@@ -2072,7 +2085,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2072,7 +2103,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -20025,7 +79710,7 @@ index 6346378..3bfb1f8 100644
  ')
  
  ########################################
-@@ -2293,7 +2306,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2293,7 +2324,7 @@ interface(`kernel_read_unlabeled_state',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -20034,7 +79719,7 @@ index 6346378..3bfb1f8 100644
  ##	</summary>
  ## </param>
  #
-@@ -2475,6 +2488,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2475,6 +2506,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
  
  ########################################
  ## <summary>
@@ -20059,7 +79744,7 @@ index 6346378..3bfb1f8 100644
  ##	Do not audit attempts by caller to get attributes for
  ##	unlabeled character devices.
  ## </summary>
-@@ -2619,7 +2650,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2619,7 +2668,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
  	allow $1 unlabeled_t:association { sendto recvfrom };
  
  	# temporary hack until labeling on packets is supported
@@ -20068,7 +79753,7 @@ index 6346378..3bfb1f8 100644
  ')
  
  ########################################
-@@ -2657,6 +2688,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2657,6 +2706,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
  
  ########################################
  ## <summary>
@@ -20093,7 +79778,7 @@ index 6346378..3bfb1f8 100644
  ##	Receive TCP packets from an unlabeled connection.
  ## </summary>
  ## <desc>
-@@ -2684,6 +2733,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2684,6 +2751,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
  
  ########################################
  ## <summary>
@@ -20119,7 +79804,7 @@ index 6346378..3bfb1f8 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2793,6 +2861,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2793,6 +2879,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
  
  	allow $1 unlabeled_t:rawip_socket recvfrom;
  ')
@@ -20153,7 +79838,7 @@ index 6346378..3bfb1f8 100644
  
  ########################################
  ## <summary>
-@@ -2948,6 +3043,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2948,6 +3061,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -20178,7 +79863,7 @@ index 6346378..3bfb1f8 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2962,4 +3075,43 @@ interface(`kernel_unconfined',`
+@@ -2962,4 +3093,43 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -20223,7 +79908,7 @@ index 6346378..3bfb1f8 100644
  ')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index d91c62f..8852535 100644
+index d91c62f..e6f3965 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -1,5 +1,12 @@
@@ -20256,20 +79941,14 @@ index d91c62f..8852535 100644
  
  # These initial sids are no longer used, and can be removed:
  sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -181,7 +191,11 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
- # kernel local policy
- #
- 
--allow kernel_t self:capability *;
-+allow kernel_t self:capability ~{ sys_ptrace };
-+tunable_policy(`deny_ptrace',`',`
-+	allow kernel_t self:capability sys_ptrace;
-+')
-+
- allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow kernel_t self:shm create_shm_perms;
- allow kernel_t self:sem create_sem_perms;
-@@ -242,11 +256,14 @@ dev_search_usbfs(kernel_t)
+@@ -236,17 +246,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+ corenet_tcp_sendrecv_all_nodes(kernel_t)
+ corenet_raw_send_generic_node(kernel_t)
+ corenet_send_all_packets(kernel_t)
++corenet_filetrans_all_named_dev(kernel_t)
+ 
+ dev_read_sysfs(kernel_t)
+ dev_search_usbfs(kernel_t)
  # devtmpfs handling:
  dev_create_generic_dirs(kernel_t)
  dev_delete_generic_dirs(kernel_t)
@@ -20288,7 +79967,7 @@ index d91c62f..8852535 100644
  
  # Mount root file system. Used when loading a policy
  # from initrd, then mounting the root filesystem
-@@ -255,7 +272,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -255,7 +269,8 @@ fs_unmount_all_fs(kernel_t)
  
  selinux_load_policy(kernel_t)
  
@@ -20298,7 +79977,7 @@ index d91c62f..8852535 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -269,25 +287,47 @@ files_list_root(kernel_t)
+@@ -269,25 +284,47 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -20346,7 +80025,7 @@ index d91c62f..8852535 100644
  ')
  
  optional_policy(`
-@@ -297,6 +337,19 @@ optional_policy(`
+@@ -297,6 +334,19 @@ optional_policy(`
  
  optional_policy(`
  	logging_send_syslog_msg(kernel_t)
@@ -20366,7 +80045,7 @@ index d91c62f..8852535 100644
  ')
  
  optional_policy(`
-@@ -334,9 +387,7 @@ optional_policy(`
+@@ -334,9 +384,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -20377,7 +80056,7 @@ index d91c62f..8852535 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -345,7 +396,7 @@ optional_policy(`
+@@ -345,7 +393,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -20386,7 +80065,7 @@ index d91c62f..8852535 100644
  	')
  ')
  
-@@ -358,6 +409,15 @@ optional_policy(`
+@@ -358,6 +406,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -20402,7 +80081,7 @@ index d91c62f..8852535 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -386,4 +446,17 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -386,4 +443,17 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
  allow kern_unconfined unlabeled_t:filesystem *;
  allow kern_unconfined unlabeled_t:association *;
  allow kern_unconfined unlabeled_t:packet *;
@@ -20880,19 +80559,20 @@ index d70e0b3..99ff2ac 100644
  	')
  }
 diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
-index 57c4a6a..9b4bc77 100644
+index 57c4a6a..d323c74 100644
 --- a/policy/modules/kernel/storage.fc
 +++ b/policy/modules/kernel/storage.fc
-@@ -28,7 +28,7 @@
+@@ -28,7 +28,8 @@
  /dev/loop.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
 -/dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
++/dev/megaraid_sas_ioctl_node -c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/dev/megadev.*		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -81,3 +81,6 @@ ifdef(`distro_redhat', `
+@@ -81,3 +82,6 @@ ifdef(`distro_redhat', `
  
  /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
@@ -20900,7 +80580,7 @@ index 57c4a6a..9b4bc77 100644
 +/usr/lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/usr/lib/udev/devices/fuse   -c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..850d168 100644
+index 1700ef2..9282b84 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
 @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -20920,7 +80600,56 @@ index 1700ef2..850d168 100644
  	dev_add_entry_generic_dirs($1)
  ')
  
-@@ -808,3 +811,368 @@ interface(`storage_unconfined',`
+@@ -269,6 +272,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
+ 	dev_filetrans($1, fixed_disk_device_t, blk_file)
+ ')
+ 
++#######################################
++## <summary>
++##  Create block devices in /dev with the fixed disk type
++##  via an automatic type transition.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`storage_dev_filetrans_named_fixed_disk',`
++    gen_require(`
++        type fixed_disk_device_t;
++    ')
++
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
++')
++
+ ########################################
+ ## <summary>
+ ##	Create block devices in on a tmpfs filesystem with the
+@@ -808,3 +853,369 @@ interface(`storage_unconfined',`
  
  	typeattribute $1 storage_unconfined_type;
  ')
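Review bot: The summary of `storage_dev_filetrans_named_fixed_disk` says it creates block devices, but every rule in the body is a named `chr_file` transition (`jsflash`, `lvm`, `megaraid_sas_ioctl_node`, `megadev0` to `megadev9`, `device-mapper`, `raw0` to `raw9`). The summary should match the rules, for example `##  Create named character devices in /dev with the fixed disk type via a named type transition.`. The names are enumerated one digit at a time, so a node such as `megadev10` or `raw10` would not be covered by these rules and may not end up as fixed_disk_device_t. A comment in the interface stating that limit would help whoever audits raw-disk device labelling. The `gen_require` block is also indented with spaces while the rules use tabs.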
@@ -21139,6 +80868,7 @@ index 1700ef2..850d168 100644
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
 +	dev_filetrans($1, removable_device_t, blk_file, "mcd")
 +	dev_filetrans($1, removable_device_t, blk_file, "mcdx")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
@@ -22103,6 +81833,16 @@ index 1875064..2adc35f 100644
 +optional_policy(`
 +	sudo_role_template(dbadm, dbadm_r, dbadm_t)
 +')
+diff --git a/policy/modules/roles/guest.if b/policy/modules/roles/guest.if
+index 8906a32..9defca0 100644
+--- a/policy/modules/roles/guest.if
++++ b/policy/modules/roles/guest.if
+@@ -1,4 +1,4 @@
+-## <summary>Least privledge terminal user role</summary>
++## <summary>Least privileged terminal user</summary>
+ 
+ ########################################
+ ## <summary>
 diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
 index 1cb7311..1de82b2 100644
 --- a/policy/modules/roles/guest.te
@@ -22159,18 +81899,25 @@ index be4de58..7e8b6ec 100644
  
  init_exec(secadm_t)
  
+diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
+index 234a940..d340f20 100644
+--- a/policy/modules/roles/staff.if
++++ b/policy/modules/roles/staff.if
+@@ -1,4 +1,4 @@
+-## <summary>Administrator's unprivileged user role</summary>
++## <summary>Administrator's unprivileged user</summary>
+ 
+ ########################################
+ ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..cdcc621 100644
+index 2be17d2..9c21943 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
+@@ -8,12 +8,52 @@ policy_module(staff, 2.2.0)
  role staff_r;
  
  userdom_unpriv_user_template(staff)
 +fs_exec_noxattr(staff_t)
-+
-+# needed for sandbox
-+allow staff_t self:process setexec;
  
  ########################################
  #
@@ -22219,7 +81966,7 @@ index 2be17d2..cdcc621 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,23 +66,119 @@ optional_policy(`
+@@ -23,23 +63,119 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22341,10 +82088,15 @@ index 2be17d2..cdcc621 100644
  ')
  
  optional_policy(`
-@@ -48,10 +187,52 @@ optional_policy(`
+@@ -48,10 +184,59 @@ optional_policy(`
  ')
  
  optional_policy(`
++	systemd_read_unit_files(staff_t)
++	systemd_exec_systemctl(staff_t)
++')
++
++optional_policy(`
 +	setroubleshoot_stream_connect(staff_t)
 +	setroubleshoot_dbus_chat(staff_t)
 +	setroubleshoot_dbus_chat_fixit(staff_t)
@@ -22375,6 +82127,8 @@ index 2be17d2..cdcc621 100644
 +')
 +
 +optional_policy(`
++	virt_getattr_exec(staff_t)
++	virt_search_images(staff_t)
 +	virt_stream_connect(staff_t)
 +')
 +
@@ -22394,7 +82148,7 @@ index 2be17d2..cdcc621 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -61,10 +242,6 @@ ifndef(`distro_redhat',`
+@@ -61,10 +246,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22405,7 +82159,7 @@ index 2be17d2..cdcc621 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -89,18 +266,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +270,10 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22424,7 +82178,7 @@ index 2be17d2..cdcc621 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -121,10 +290,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +294,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22435,7 +82189,7 @@ index 2be17d2..cdcc621 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +302,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +306,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22446,7 +82200,7 @@ index 2be17d2..cdcc621 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +333,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +337,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -22483,10 +82237,10 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..aed3d37 100644
+index e14b961..34d3702 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,60 @@ policy_module(sysadm, 2.2.1)
+@@ -5,39 +5,69 @@ policy_module(sysadm, 2.2.1)
  # Declarations
  #
  
@@ -22513,12 +82267,15 @@ index e14b961..aed3d37 100644
  
  corecmd_exec_shell(sysadm_t)
  
++dev_filetrans_all_named_dev(sysadm_t)
++
 +domain_dontaudit_read_all_domains_state(sysadm_t)
 +
 +files_read_kernel_modules(sysadm_t)
++files_filetrans_named_content(sysadm_t)
 +
-+dev_filetrans_all_named_dev(sysadm_t)
 +storage_filetrans_all_named_dev(sysadm_t)
++
 +term_filetrans_all_named_dev(sysadm_t)
 +
  mls_process_read_up(sysadm_t)
@@ -22537,6 +82294,12 @@ index e14b961..aed3d37 100644
 +init_exec_script_files(sysadm_t)
 +init_dbus_chat(sysadm_t)
 +init_script_role_transition(sysadm_r)
++init_status(sysadm_t)
++init_reboot(sysadm_t)
++init_halt(sysadm_t)
++init_undefined(sysadm_t)
++
++logging_filetrans_named_content(sysadm_t)
 +
 +miscfiles_filetrans_named_content(sysadm_t)
 +miscfiles_read_hwdata(sysadm_t)
@@ -22558,7 +82321,7 @@ index e14b961..aed3d37 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -51,13 +72,8 @@ ifdef(`direct_sysadm_daemon',`
+@@ -51,13 +81,8 @@ ifdef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -22573,18 +82336,18 @@ index e14b961..aed3d37 100644
  	domain_ptrace_all_domains(sysadm_t)
  ')
  
-@@ -67,9 +83,9 @@ optional_policy(`
+@@ -67,9 +92,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
-+	apache_filetrans_home_content(sysadm_t)
++	apache_filetrans_named_content(sysadm_t)
  	#apache_run_all_scripts(sysadm_t, sysadm_r)
  	#apache_domtrans_sys_script(sysadm_t)
 -	apache_role(sysadm_r, sysadm_t)
  ')
  
  optional_policy(`
-@@ -98,6 +114,10 @@ optional_policy(`
+@@ -98,6 +123,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22595,7 +82358,7 @@ index e14b961..aed3d37 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -110,11 +130,20 @@ optional_policy(`
+@@ -110,11 +139,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22606,19 +82369,19 @@ index e14b961..aed3d37 100644
 +
 +optional_policy(`
 +	consoletype_exec(sysadm_t)
++')
++
++optional_policy(`
++    daemonstools_run_start(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	cvs_exec(sysadm_t)
-+    daemonstools_run_start(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
 +	dbus_role_template(sysadm, sysadm_r, sysadm_t)
  ')
  
  optional_policy(`
-@@ -128,6 +157,10 @@ optional_policy(`
+@@ -128,6 +166,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22629,7 +82392,18 @@ index e14b961..aed3d37 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -163,6 +196,13 @@ optional_policy(`
+@@ -144,6 +186,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	firewalld_dbus_chat(sysadm_t)
++')
++
++optional_policy(`
+ 	fstools_run(sysadm_t, sysadm_r)
+ ')
+ 
+@@ -163,6 +209,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -22643,7 +82417,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -170,15 +210,20 @@ optional_policy(`
+@@ -170,15 +223,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22667,7 +82441,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -198,22 +243,20 @@ optional_policy(`
+@@ -198,22 +256,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -22696,7 +82470,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -225,25 +268,47 @@ optional_policy(`
+@@ -225,25 +281,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22744,7 +82518,7 @@ index e14b961..aed3d37 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
  ')
-@@ -253,31 +318,32 @@ optional_policy(`
+@@ -253,31 +331,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22764,7 +82538,7 @@ index e14b961..aed3d37 100644
  
  optional_policy(`
 -	razor_role(sysadm_r, sysadm_t)
-+	quota_run(sysadm_t, sysadm_r)
++	quota_filetrans_named_content(sysadm_t)
  ')
  
  optional_policy(`
@@ -22784,7 +82558,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -302,12 +368,18 @@ optional_policy(`
+@@ -302,12 +381,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22804,7 +82578,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -332,7 +404,10 @@ optional_policy(`
+@@ -332,7 +417,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22813,10 +82587,18 @@ index e14b961..aed3d37 100644
 +	systemd_config_all_services(sysadm_t)
 +	systemd_manage_all_unit_files(sysadm_t)
 +	systemd_manage_all_unit_lnk_files(sysadm_t)
++	systemd_login_status(sysadm_t)
++	systemd_login_reboot(sysadm_t)
++	systemd_login_halt(sysadm_t)
++	systemd_login_undefined(sysadm_t)
++')
++
++optional_policy(`
++	tftp_filetrans_named_content(sysadm_t)
  ')
  
  optional_policy(`
-@@ -343,19 +418,15 @@ optional_policy(`
+@@ -343,19 +439,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22838,7 +82620,7 @@ index e14b961..aed3d37 100644
  ')
  
  optional_policy(`
-@@ -367,45 +438,45 @@ optional_policy(`
+@@ -367,45 +459,46 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22855,6 +82637,7 @@ index e14b961..aed3d37 100644
 -	vmware_role(sysadm_r, sysadm_t)
 +	virt_stream_connect(sysadm_t)
 +	virt_filetrans_home_content(sysadm_t)
++	virt_manage_pid_dirs(sysadm_t)
  ')
  
  optional_policy(`
@@ -22895,7 +82678,7 @@ index e14b961..aed3d37 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -418,10 +489,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +511,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22906,7 +82689,7 @@ index e14b961..aed3d37 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +506,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +528,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -22914,7 +82697,7 @@ index e14b961..aed3d37 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +514,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +536,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22933,8 +82716,9 @@ index e14b961..aed3d37 100644
 +
 +	optional_policy(`
 +		mozilla_role(sysadm_r, sysadm_t)
-+	')
-+
+ 	')
+-')
+ 
 +	optional_policy(`
 +		mplayer_role(sysadm_r, sysadm_t)
 +	')
@@ -22965,9 +82749,8 @@ index e14b961..aed3d37 100644
 +
 +	optional_policy(`
 +		uml_role(sysadm_r, sysadm_t)
- 	')
--')
- 
++	')
++
 +	optional_policy(`
 +		userhelper_role_template(sysadm, sysadm_r, sysadm_t)
 +	')
@@ -23644,10 +83427,10 @@ index 0000000..bac0dc0
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..c21c9a4
+index 0000000..07b26fb
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,383 @@
+@@ -0,0 +1,392 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -23810,6 +83593,11 @@ index 0000000..c21c9a4
 +		rtkit_scheduled(unconfined_t)
 +	')
 +
++	# Might remove later if this proves to be problematic, but would like to gather AVCs
++	optional_policy(`
++		thumb_role(unconfined_r, unconfined_t)
++	')
++
 +	optional_policy(`
 +		setroubleshoot_dbus_chat(unconfined_t)
 +		setroubleshoot_dbus_chat_fixit(unconfined_t)
@@ -23916,10 +83704,14 @@ index 0000000..c21c9a4
 +	optional_policy(`
 +		vpn_dbus_chat(unconfined_t)
 +	')
-+')
 +
-+optional_policy(`
-+	firewallgui_dbus_chat(unconfined_t)
++	optional_policy(`
++		firewalld_dbus_chat(unconfined_t)
++	')
++
++	optional_policy(`
++		firewallgui_dbus_chat(unconfined_t)
++	')
 +')
 +
 +optional_policy(`
@@ -24031,6 +83823,16 @@ index 0000000..c21c9a4
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
+diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
+index 3835596..fbca2be 100644
+--- a/policy/modules/roles/unprivuser.if
++++ b/policy/modules/roles/unprivuser.if
+@@ -1,4 +1,4 @@
+-## <summary>Generic unprivileged user role</summary>
++## <summary>Generic unprivileged user</summary>
+ 
+ ########################################
+ ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
 index e5bfdd4..7e0ea58 100644
 --- a/policy/modules/roles/unprivuser.te
@@ -24212,6 +84014,16 @@ index 0ecc786..3e7e984 100644
  
  userdom_dontaudit_search_user_home_dirs(webadm_t)
  
+diff --git a/policy/modules/roles/xguest.if b/policy/modules/roles/xguest.if
+index d2234e3..030e845 100644
+--- a/policy/modules/roles/xguest.if
++++ b/policy/modules/roles/xguest.if
+@@ -1,4 +1,4 @@
+-## <summary>Least privledge xwindows user role</summary>
++## <summary>Least privileged X user</summary>
+ 
+ ########################################
+ ## <summary>
 diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
 index e88b95f..9b6536a 100644
 --- a/policy/modules/roles/xguest.te
@@ -24385,19 +84197,22 @@ index e88b95f..9b6536a 100644
 -#gen_user(xguest_u,, xguest_r, s0, s0)
 +gen_user(xguest_u, user, xguest_r, s0, s0)
 diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..0d7d8d1 100644
+index 1bd5812..196cfc9 100644
 --- a/policy/modules/services/abrt.fc
 +++ b/policy/modules/services/abrt.fc
-@@ -1,13 +1,13 @@
+@@ -1,13 +1,16 @@
  /etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
  /etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
  
-+/usr/bin/abrt-dump-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
- /usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+-/usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/lib/systemd/system/abrt.*	--	gen_context(system_u:object_r:abrt_unit_file_t,s0)
  
 -/usr/libexec/abrt-pyhook-helper --	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 -/usr/libexec/abrt-hook-python 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
--
++/usr/bin/abrt-dump-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/bin/abrt-watch-log         --      gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
+ 
  /usr/sbin/abrtd			--	gen_context(system_u:object_r:abrt_exec_t,s0)
  
 +/usr/libexec/abrt-handle-event	--	gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
@@ -24405,7 +84220,7 @@ index 1bd5812..0d7d8d1 100644
  /var/cache/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_cache_t,s0)
  /var/cache/abrt-di(/.*)?		gen_context(system_u:object_r:abrt_var_cache_t,s0)
  
-@@ -15,6 +15,19 @@
+@@ -15,6 +18,19 @@
  
  /var/run/abrt\.pid		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
  /var/run/abrtd?\.lock		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -24426,7 +84241,7 @@ index 1bd5812..0d7d8d1 100644
 +/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 +/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..7f57a98 100644
+index 0b827c5..ac79ca6 100644
 --- a/policy/modules/services/abrt.if
 +++ b/policy/modules/services/abrt.if
 @@ -71,12 +71,13 @@ interface(`abrt_read_state',`
@@ -24444,7 +84259,7 @@ index 0b827c5..7f57a98 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -160,8 +161,45 @@ interface(`abrt_run_helper',`
+@@ -160,8 +161,26 @@ interface(`abrt_run_helper',`
  
  ########################################
  ## <summary>
@@ -24470,13 +84285,14 @@ index 0b827c5..7f57a98 100644
 +########################################
 +## <summary>
 +##	Append abrt cache
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -169,12 +188,33 @@ interface(`abrt_run_helper',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`abrt_cache_manage',`
 +interface(`abrt_append_cache',`
 +	gen_require(`
 +		type abrt_var_cache_t;
@@ -24489,14 +84305,13 @@ index 0b827c5..7f57a98 100644
 +########################################
 +## <summary>
 +##	Manage abrt cache
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -169,12 +207,14 @@ interface(`abrt_run_helper',`
- ##	</summary>
- ## </param>
- #
--interface(`abrt_cache_manage',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`abrt_manage_cache',`
  	gen_require(`
  		type abrt_var_cache_t;
@@ -24508,7 +84323,7 @@ index 0b827c5..7f57a98 100644
  ')
  
  ####################################
-@@ -253,6 +293,24 @@ interface(`abrt_manage_pid_files',`
+@@ -253,6 +293,47 @@ interface(`abrt_manage_pid_files',`
  	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
  ')
  
@@ -24530,11 +84345,37 @@ index 0b827c5..7f57a98 100644
 +	allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
++########################################
++## <summary>
++##	Execute abrt server in the abrt domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`abrt_systemctl',`
++	gen_require(`
++		type abrt_t;
++		type abrt_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 abrt_unit_file_t:file read_file_perms;
++	allow $1 abrt_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, abrt_t)
++')
++
  #####################################
  ## <summary>
  ##	All of the rules required to administrate
-@@ -278,26 +336,128 @@ interface(`abrt_admin',`
+@@ -276,28 +357,135 @@ interface(`abrt_admin',`
+ 		type abrt_var_cache_t, abrt_var_log_t;
+ 		type abrt_var_run_t, abrt_tmp_t;
  		type abrt_initrc_exec_t;
++		type abrt_unit_file_t;
  	')
  
 -	allow $1 abrt_t:process { ptrace signal_perms };
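Review bot: The header comment on the new `abrt_systemctl` interface says "Execute abrt server in the abrt domain" and documents `$1` as "Domain allowed to transition", but the body contains no domain transition. It calls `systemd_exec_systemctl($1)`, allows reading `abrt_unit_file_t` files, grants `manage_service_perms` on the unit's service class and adds `ps_process_pattern($1, abrt_t)`. These summaries are what a policy writer reads before granting an interface, so the text should name what is handed out, e.g. `##	Execute systemctl and manage the abrt service unit.` with the parameter described as `##	Domain allowed access.`. `accountsd_systemctl` in the accountsd.if hunk further down carries the same copied summary and needs the same correction.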
@@ -24569,7 +84410,11 @@ index 0b827c5..7f57a98 100644
 -	files_search_tmp($1)
 +	files_list_tmp($1)
  	admin_pattern($1, abrt_tmp_t)
- ')
++
++	abrt_systemctl($1)
++	admin_pattern($1, abrt_unit_file_t)
++	allow $1 abrt_unit_file_t:service all_service_perms;
++')
 +
 +####################################
 +## <summary>
@@ -24667,12 +84512,12 @@ index 0b827c5..7f57a98 100644
 +	')
 +
 +	dontaudit $1 abrt_t:sock_file write;
-+')
+ ')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..c66fd4a 100644
+index 30861ec..c872f94 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
-@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
+@@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
  # Declarations
  #
  
@@ -24699,7 +84544,16 @@ index 30861ec..c66fd4a 100644
  type abrt_exec_t;
  init_daemon_domain(abrt_t, abrt_exec_t)
  
-@@ -32,9 +50,20 @@ files_type(abrt_var_cache_t)
+ type abrt_initrc_exec_t;
+ init_script_file(abrt_initrc_exec_t)
+ 
++type abrt_unit_file_t;
++systemd_unit_file(abrt_unit_file_t)
++
+ # etc files
+ type abrt_etc_t;
+ files_config_file(abrt_etc_t)
+@@ -32,9 +53,20 @@ files_type(abrt_var_cache_t)
  type abrt_var_run_t;
  files_pid_file(abrt_var_run_t)
  
@@ -24721,7 +84575,7 @@ index 30861ec..c66fd4a 100644
  type abrt_helper_exec_t;
  application_domain(abrt_helper_t, abrt_helper_exec_t)
  role system_r types abrt_helper_t;
-@@ -43,22 +72,42 @@ ifdef(`enable_mcs',`
+@@ -43,22 +75,48 @@ ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
  ')
  
@@ -24745,6 +84599,12 @@ index 30861ec..c66fd4a 100644
 +type abrt_retrace_spool_t;
 +files_spool_file(abrt_retrace_spool_t)
 +
++# Support abrt-watch log
++
++type abrt_watch_log_t;
++type abrt_watch_log_exec_t;
++init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
++
  ########################################
  #
  # abrt local policy
@@ -24767,7 +84627,7 @@ index 30861ec..c66fd4a 100644
  rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
  
  # log file
-@@ -68,7 +117,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -68,7 +126,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  # abrt tmp files
  manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
@@ -24777,7 +84637,7 @@ index 30861ec..c66fd4a 100644
  
  # abrt var/cache files
  manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,10 +133,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +142,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -24790,7 +84650,7 @@ index 30861ec..c66fd4a 100644
  kernel_rw_kernel_sysctl(abrt_t)
  
  corecmd_exec_bin(abrt_t)
-@@ -104,6 +155,8 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +164,8 @@ corenet_tcp_connect_all_ports(abrt_t)
  corenet_sendrecv_http_client_packets(abrt_t)
  
  dev_getattr_all_chr_files(abrt_t)
@@ -24799,7 +84659,7 @@ index 30861ec..c66fd4a 100644
  dev_read_urand(abrt_t)
  dev_rw_sysfs(abrt_t)
  dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +166,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +175,8 @@ domain_read_all_domains_state(abrt_t)
  domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
@@ -24809,7 +84669,7 @@ index 30861ec..c66fd4a 100644
  files_read_var_symlinks(abrt_t)
  files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
-@@ -121,6 +175,9 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +184,9 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -24819,7 +84679,7 @@ index 30861ec..c66fd4a 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,22 +188,26 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +197,26 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -24852,7 +84712,7 @@ index 30861ec..c66fd4a 100644
  ')
  
  optional_policy(`
-@@ -167,6 +228,7 @@ optional_policy(`
+@@ -167,6 +237,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -24860,7 +84720,7 @@ index 30861ec..c66fd4a 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,12 +240,35 @@ optional_policy(`
+@@ -178,12 +249,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24897,7 +84757,7 @@ index 30861ec..c66fd4a 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +285,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +294,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  
@@ -24926,7 +84786,7 @@ index 30861ec..c66fd4a 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +308,128 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +317,146 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -24934,7 +84794,7 @@ index 30861ec..c66fd4a 100644
 +	optional_policy(`
 +		rpm_dontaudit_leaks(abrt_helper_t)
 +	')
- ')
++')
 +
 +ifdef(`hide_broken_symptoms',`
 +	gen_require(`
@@ -25032,7 +84892,7 @@ index 30861ec..c66fd4a 100644
 +read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
 +read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
 +
-+allow abrt_dump_oops_t abrt_etc_t:file read_file_perms;
++read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
 +
 +kernel_read_kernel_sysctls(abrt_dump_oops_t)
 +kernel_read_ring_buffer(abrt_dump_oops_t)
@@ -25045,6 +84905,24 @@ index 30861ec..c66fd4a 100644
 +
 +#######################################
 +#
++# abrt_watch_log local policy
++#
++
++allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
++allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
++
++domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
++
++logging_read_all_logs(abrt_watch_log_t)
++
++optional_policy(`
++	unconfined_domain(abrt_watch_log_t)
+ ')
++
++#######################################
++#
 +# Local policy for all abrt domain
 +#
 +
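Review bot: The `unconfined_domain(abrt_watch_log_t)` block that closes the new abrt_watch_log section makes the fifo, socket, `read_files_pattern` and `domtrans_pattern` rules just above it moot whenever the unconfined module is installed. The domain is also granted `logging_read_all_logs`, and log content is partly attacker-influenced, so this is a process that benefits from a tight policy rather than none. If the aim is to collect denials while the rule set is worked out, `permissive abrt_watch_log_t;` would keep the AVCs visible in the audit log, whereas the unconfined grant produces none. Either way the line deserves a comment such as `# TODO: drop once the abrt_watch_log_t rules are complete`.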
@@ -25055,8 +84933,18 @@ index 30861ec..c66fd4a 100644
 +logging_send_syslog_msg(abrt_domain)
 +
 +miscfiles_read_localization(abrt_domain)
+diff --git a/policy/modules/services/accountsd.fc b/policy/modules/services/accountsd.fc
+index 1adca53..18e0e41 100644
+--- a/policy/modules/services/accountsd.fc
++++ b/policy/modules/services/accountsd.fc
+@@ -1,3 +1,5 @@
++/usr/lib/systemd/system/accountsd.*  --              gen_context(system_u:object_r:accountsd_unit_file_t,s0)
++
+ /usr/libexec/accounts-daemon		--	gen_context(system_u:object_r:accountsd_exec_t,s0)
+ 
+ /var/lib/AccountsService(/.*)?			gen_context(system_u:object_r:accountsd_var_lib_t,s0)
 diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
-index c0f858d..5770f1a 100644
+index c0f858d..10a0cd6 100644
 --- a/policy/modules/services/accountsd.if
 +++ b/policy/modules/services/accountsd.if
 @@ -5,9 +5,9 @@
@@ -25080,8 +84968,41 @@ index c0f858d..5770f1a 100644
  ##	</summary>
  ## </param>
  #
-@@ -138,8 +138,12 @@ interface(`accountsd_admin',`
+@@ -118,6 +118,29 @@ interface(`accountsd_manage_lib_files',`
+ 
+ ########################################
+ ## <summary>
++##	Execute accountsd server in the accountsd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`accountsd_systemctl',`
++	gen_require(`
++		type accountsd_t;
++		type accountsd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 accountsd_unit_file_t:file read_file_perms;
++	allow $1 accountsd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, accountsd_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate
+ ##	an accountsd environment
+ ## </summary>
+@@ -136,10 +159,19 @@ interface(`accountsd_manage_lib_files',`
+ interface(`accountsd_admin',`
+ 	gen_require(`
  		type accountsd_t;
++		type accountsd_unit_file_t;
  	')
  
 -	allow $1 accountsd_t:process { ptrace signal_perms getattr };
@@ -25093,12 +85014,26 @@ index c0f858d..5770f1a 100644
 +	')
 +
  	accountsd_manage_lib_files($1)
++
++	accountsd_systemctl($1)
++	admin_pattern($1, accountsd_unit_file_t)
++	allow $1 accountsd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..6ede64d 100644
+index 1632f10..67cd103 100644
 --- a/policy/modules/services/accountsd.te
 +++ b/policy/modules/services/accountsd.te
-@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
+@@ -1,5 +1,9 @@
+ policy_module(accountsd, 1.0.0)
+ 
++gen_require(`
++	class passwd { passwd chfn chsh rootok crontab };
++')
++
+ ########################################
+ #
+ # Declarations
+@@ -8,34 +12,46 @@ policy_module(accountsd, 1.0.0)
  type accountsd_t;
  type accountsd_exec_t;
  dbus_system_domain(accountsd_t, accountsd_exec_t)
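Review bot: The `gen_require` added at the top of accountsd.te requires `crontab` from class `passwd`, but the only rule on that class visible in this patch, `allow accountsd_t self:passwd { rootok passwd chfn chsh };` in a later hunk of the same file, never uses it. The require can be trimmed to `class passwd { passwd chfn chsh rootok };`. Neither line says why a D-Bus system service needs `rootok`, which presumably is the userspace check the passwd/chfn/chsh tools consult before skipping authentication of the caller. A one-line comment above the allow rule naming the helper that needs it would make the grant auditable later.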
@@ -25107,7 +85042,12 @@ index 1632f10..6ede64d 100644
  
  type accountsd_var_lib_t;
  files_type(accountsd_var_lib_t)
-@@ -17,7 +19,8 @@ files_type(accountsd_var_lib_t)
+ 
++type accountsd_unit_file_t;
++systemd_unit_file(accountsd_unit_file_t)
++
+ ########################################
+ #
  # accountsd local policy
  #
  
@@ -25115,9 +85055,14 @@ index 1632f10..6ede64d 100644
 +allow accountsd_t self:capability { dac_override setuid setgid };
 +allow accountsd_t self:process signal;
  allow accountsd_t self:fifo_file rw_fifo_file_perms;
++allow accountsd_t self:passwd { rootok passwd chfn chsh };
  
  manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
-@@ -28,14 +31,18 @@ kernel_read_kernel_sysctls(accountsd_t)
+ manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+ files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })
+ 
++kernel_read_system_state(accountsd_t)
+ kernel_read_kernel_sysctls(accountsd_t)
  
  corecmd_exec_bin(accountsd_t)
  
@@ -25136,12 +85081,19 @@ index 1632f10..6ede64d 100644
  
  miscfiles_read_localization(accountsd_t)
  
-@@ -55,3 +62,8 @@ optional_policy(`
+@@ -50,8 +66,15 @@ usermanage_domtrans_passwd(accountsd_t)
+ 
+ optional_policy(`
+ 	consolekit_read_log(accountsd_t)
++	consolekit_dbus_chat(accountsd_t)
+ ')
+ 
  optional_policy(`
  	policykit_dbus_chat(accountsd_t)
  ')
 +
 +optional_policy(`
++	xserver_read_state_xdm(accountsd_t)
 +	xserver_dbus_chat_xdm(accountsd_t)
 +	xserver_manage_xdm_etc_files(accountsd_t)
 +')
@@ -25608,14 +85560,14 @@ index deca9d3..ac92fce 100644
  ')
  
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..101af21 100644
+index 9e39aa5..8281bc3 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
-@@ -1,21 +1,32 @@
+@@ -1,39 +1,54 @@
  HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess	--	gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
-+HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_user_content_ra_t,s0)
++HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
  
  /etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
@@ -25637,16 +85589,19 @@ index 9e39aa5..101af21 100644
 +/etc/WebCalendar(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  
-+/lib/systemd/system/httpd.?\.service  --              gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/httpd.*  --              gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/jetty.* --              gen_context(system_u:object_r:httpd_unit_file_t,s0)
 +
-+/usr/lib/systemd/system/httpd.?\.service  --              gen_context(system_u:object_r:httpd_unit_file_t,s0)
 +/usr/libexec/httpd-ssl-pass-dialog      --      gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 +
  /srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  
-@@ -24,16 +35,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+ /usr/bin/htsslpass 		--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+ /usr/bin/mongrel_rails		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  
++/usr/share/jetty/bin/jetty.sh		--	gen_context(system_u:object_r:httpd_exec_t,s0)
++
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 -/usr/lib/dirsrv/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -25666,11 +85621,12 @@ index 9e39aa5..101af21 100644
  
  /usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/cherokee	--	gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/cherokee		--	gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/httpd\.event		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/sbin/lighttpd		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-@@ -43,8 +55,9 @@ ifdef(`distro_suse', `
+@@ -43,8 +58,9 @@ ifdef(`distro_suse', `
  /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  ')
  
@@ -25682,7 +85638,7 @@ index 9e39aa5..101af21 100644
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/mythweb(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -54,9 +67,11 @@ ifdef(`distro_suse', `
+@@ -54,9 +70,12 @@ ifdef(`distro_suse', `
  /usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25691,10 +85647,11 @@ index 9e39aa5..101af21 100644
  /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress/wp-includes/.*\.php    --  gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,25 +88,34 @@ ifdef(`distro_suse', `
+@@ -73,25 +92,36 @@ ifdef(`distro_suse', `
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25705,6 +85662,7 @@ index 9e39aa5..101af21 100644
 +/var/lib/drupal.*			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
  /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 +/var/lib/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -25714,12 +85672,15 @@ index 9e39aa5..101af21 100644
  /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/cherokee(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
- /var/log/httpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
- /var/log/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/httpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 -/var/log/piranha(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/cherokee(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/httpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/php-fpm(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/suphp\.log			--	gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/suphp\.log	--	gen_context(system_u:object_r:httpd_log_t,s0)
  
  ifdef(`distro_debian', `
  /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
@@ -25731,7 +85692,7 @@ index 9e39aa5..101af21 100644
  /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -104,8 +128,26 @@ ifdef(`distro_debian', `
+@@ -104,8 +134,29 @@ ifdef(`distro_debian', `
  /var/spool/viewvc(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
  
  /var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25743,6 +85704,9 @@ index 9e39aa5..101af21 100644
 +
 +/var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +
++/var/www/html/[^/]*/sites/default/settings\.php	-- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++/var/www/html/[^/]*/sites/default/files(/.*)? 	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++
 +/var/www/html/configuration\.php 	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
 +/var/www/html/wp-content(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
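Review bot: The added `/var/www/html/[^/]*/sites/default/settings\.php` entry labels a site configuration file `httpd_sys_rw_content_t`, which by its name leaves the file writable by the web server domains for as long as that label stays. If write access is only needed while the application is being set up, a comment above the entry such as `# settings.php is written during install; relabel to httpd_sys_content_t once setup is done` would tell administrators to tighten it afterwards. The two new lines also write `httpd_sys_rw_content_t, s0` with a space before `s0`, unlike the `,s0` form of the neighbouring `configuration\.php` entry. The file section starts outside this hunk, so entries further up that may already cover this path are not visible here.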
@@ -25760,7 +85724,7 @@ index 9e39aa5..101af21 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..2ad693a 100644
+index 6480167..d0bf548 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
 @@ -13,62 +13,46 @@
@@ -26327,20 +86291,43 @@ index 6480167..2ad693a 100644
  ')
  
  ########################################
-@@ -1150,12 +1275,6 @@ interface(`apache_cgi_domain',`
+@@ -1148,14 +1273,31 @@ interface(`apache_cgi_domain',`
+ 
+ ########################################
  ## <summary>
- ##	All of the rules required to administrate an apache environment
+-##	All of the rules required to administrate an apache environment
++##	Execute httpd server in the httpd domain.
  ## </summary>
 -## <param name="prefix">
--##	<summary>
++## <param name="domain">
+ ##	<summary>
 -##	Prefix of the domain. Example, user would be
 -##	the prefix for the uder_t domain.
--##	</summary>
--## </param>
++##	Domain allowed to transition.
+ ##	</summary>
+ ## </param>
++#
++interface(`httpd_systemctl',`
++	gen_require(`
++		type httpd_t;
++		type httpd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 httpd_unit_file_t:file read_file_perms;
++	allow $1 httpd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, httpd_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate an apache environment
++## </summary>
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1170,19 +1289,21 @@ interface(`apache_cgi_domain',`
+@@ -1170,19 +1312,21 @@ interface(`apache_cgi_domain',`
  #
  interface(`apache_admin',`
  	gen_require(`
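Review bot: The header comment added for `httpd_systemctl` does not describe the interface: it says "Execute httpd server in the httpd domain" and "Domain allowed to transition", but the body contains no domain transition and instead lets `$1` run systemctl, read `httpd_unit_file_t` files, use `manage_service_perms` on the service and apply `ps_process_pattern` to `httpd_t`. I would write the summary as `##	Execute systemctl to control the httpd service.` and the parameter text as `##	Domain allowed access.`. The name also departs from the `apache_` prefix used by the other interfaces visible in this file (`apache_admin`, `apache_cgi_domain`), so `apache_systemctl` would be easier to find and harder to collide with. The same copied header appears on `apcupsd_systemctl` and `apmd_systemctl` later in this patch, and `apmd_systemctl` likewise sits in a module whose other interfaces are prefixed `apm_`.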
@@ -26369,7 +86356,7 @@ index 6480167..2ad693a 100644
  	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 httpd_initrc_exec_t system_r;
-@@ -1191,10 +1312,10 @@ interface(`apache_admin',`
+@@ -1191,10 +1335,10 @@ interface(`apache_admin',`
  	apache_manage_all_content($1)
  	miscfiles_manage_public_files($1)
  
@@ -26382,7 +86369,7 @@ index 6480167..2ad693a 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1326,69 @@ interface(`apache_admin',`
+@@ -1205,14 +1349,93 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -26401,6 +86388,8 @@ index 6480167..2ad693a 100644
  	admin_pattern($1, httpd_php_tmp_t)
  	admin_pattern($1, httpd_suexec_tmp_t)
 +
++	httpd_systemctl($1)
++	admin_pattern($1, httpd_unit_file_t)
 +	allow $1 httpd_unit_file_t:service all_service_perms;
 +
 +	ifdef(`TODO',`
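Review bot: The newly added `httpd_systemctl($1)` already gives `$1` `manage_service_perms` on `httpd_unit_file_t`, and the unchanged line directly after the additions grants `all_service_perms` on the same type, so one of the two service grants looks redundant. If `all_service_perms` is a superset, as its name suggests, a comment such as `# all_service_perms covers the manage_service_perms granted by httpd_systemctl` would make the intended permission set explicit. `apache_admin` starts outside this hunk, so whether its `gen_require` declares `httpd_unit_file_t` cannot be checked from here. The additions to `apcupsd_admin` later in the patch repeat the same three lines.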
@@ -26409,6 +86398,8 @@ index 6480167..2ad693a 100644
 +		allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
 +		allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
 +	')
++
++	apache_filetrans_named_content($1)
 +')
 +
 +########################################
@@ -26444,6 +86435,26 @@ index 6480167..2ad693a 100644
 +##	</summary>
 +## </param>
 +#
++interface(`apache_filetrans_named_content',`
++	gen_require(`
++		type httpd_sys_content_t, httpd_sys_rw_content_t;
++	')
++
++
++	apache_filetrans_home_content($1)
++	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
++')
++
++########################################
++## <summary>
++##	Transition to apache home content
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`apache_filetrans_home_content',`
 +	gen_require(`
 +		type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
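Review bot: The named transition in `apache_filetrans_named_content` keys only on the file name `"settings.php"` and the parent type `httpd_sys_content_t`, so it is wider than the `sites/default/settings\.php` file-context entry added in apache.fc: a file of that name created by `$1` in any `httpd_sys_content_t` directory would presumably be labelled `httpd_sys_rw_content_t`. A comment in the body, for example `# settings.php: keep in step with the sites/default entry in apache.fc`, would record the intent and the difference in scope. The new interface also inherits the header comment that sits above this hunk, outside what is shown, so its summary should be checked against what the body now does. There is a doubled blank line after the `gen_require` block.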
@@ -26458,10 +86469,10 @@ index 6480167..2ad693a 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..5cadd2e 100644
+index 3136c6a..6aa4bdc 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
-@@ -18,136 +18,233 @@ policy_module(apache, 2.2.1)
+@@ -18,136 +18,268 @@ policy_module(apache, 2.2.1)
  # Declarations
  #
  
@@ -26475,7 +86486,7 @@ index 3136c6a..5cadd2e 100644
 -## </p>
 +##	<p>
 +##	Allow Apache to modify public files
-+##	used for public file transfer services. Directories/Files must
++##	used for public file transfer services, directories/files must
 +##	be labeled public_content_rw_t.
 +##	</p>
  ## </desc>
@@ -26551,6 +86562,13 @@ index 3136c6a..5cadd2e 100644
 +
 +## <desc>
 +##	<p>
++##	Allow HTTPD to connect to port 80 for graceful shutdown
++##	</p>
++## </desc>
++gen_tunable(httpd_graceful_shutdown, false)
++
++## <desc>
++##	<p>
 +##	Allow HTTPD scripts and modules to connect to databases over the network.
 +##	</p>
  ## </desc>
@@ -26667,6 +86685,13 @@ index 3136c6a..5cadd2e 100644
 +
 +## <desc>
 +##	<p>
++##	Allow Apache to run in stickshift mode, not transition to passenger
++##	</p>
++## </desc>
++gen_tunable(httpd_run_stickshift, false)
++
++## <desc>
++##	<p>
 +##	Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
 +##	</p>
  ## </desc>
@@ -26708,6 +86733,13 @@ index 3136c6a..5cadd2e 100644
 -## Allow httpd to access cifs file systems
 -## </p>
 +##	<p>
++##	Allow httpd to access openstack ports
++##	</p>
++## </desc>
++gen_tunable(httpd_use_openstack, false)
++
++## <desc>
++##	<p>
 +##	Allow httpd to access cifs file systems
 +##	</p>
  ## </desc>
@@ -26718,6 +86750,13 @@ index 3136c6a..5cadd2e 100644
 -## Allow httpd to run gpg
 -## </p>
 +##	<p>
++##	Allow httpd to access cifs file systems
++##	</p>
++## </desc>
++gen_tunable(httpd_use_fusefs, false)
++
++## <desc>
++##	<p>
 +##	Allow httpd to run gpg in gpg-web domain
 +##	</p>
  ## </desc>
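Review bot: The description added for `httpd_use_fusefs` is copied from the cifs boolean and still reads "Allow httpd to access cifs file systems"; it should name FUSE, e.g. `##	Allow httpd to access fuse file systems`. "Access" also understates what the boolean turns on: the `httpd_use_fusefs` tunable blocks added later in this patch call `fs_manage_fusefs_dirs`, `fs_manage_fusefs_files` and `fs_manage_fusefs_symlinks` for `httpd_t`, `httpd_sys_script_t` and `httpd_suexec_t`, plus `fs_exec_fusefs_files(httpd_suexec_t)`. Since this text is presumably what an administrator reads before enabling the boolean, I would state that scope, for instance `##	Allow httpd and its scripts to manage and execute files on fuse file systems`.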
@@ -26735,11 +86774,18 @@ index 3136c6a..5cadd2e 100644
  
 +## <desc>
 +##	<p>
-+##	Allow apache scripts to write to public content.  Directories/Files must be labeled public_rw_content_t.
++##	Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
 +##	</p>
 +## </desc>
 +gen_tunable(allow_httpd_sys_script_anon_write, false)
 +
++## <desc>
++##	<p>
++##	Allow httpd to communicate with oddjob to start up a service
++##	</p>
++## </desc>
++gen_tunable(httpd_use_oddjob, false)
++
  attribute httpdcontent;
  attribute httpd_user_content_type;
 +attribute httpd_content_type;
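Review bot: The reworded description of `allow_httpd_sys_script_anon_write` names the label `public_rw_content_t`, while the description of the Apache public-files boolean earlier in this file names `public_content_rw_t`. Only one spelling can be the real type, and an administrator who copies the wrong one into a relabel command will not get the access the boolean describes; the text should presumably read `directories/files must be labeled public_content_rw_t`. The newly added `httpd_use_oddjob` description, "start up a service", would also be more useful if it said which service is meant.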
@@ -26751,7 +86797,7 @@ index 3136c6a..5cadd2e 100644
  attribute httpd_script_exec_type;
  attribute httpd_user_script_exec_type;
  
-@@ -166,7 +263,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +298,7 @@ files_type(httpd_cache_t)
  
  # httpd_config_t is the type given to the configuration files
  type httpd_config_t;
@@ -26760,7 +86806,7 @@ index 3136c6a..5cadd2e 100644
  
  type httpd_helper_t;
  type httpd_helper_exec_t;
-@@ -177,6 +274,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +309,9 @@ role system_r types httpd_helper_t;
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
  
@@ -26770,7 +86816,7 @@ index 3136c6a..5cadd2e 100644
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
-@@ -216,7 +316,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +351,21 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -26793,7 +86839,7 @@ index 3136c6a..5cadd2e 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +340,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +375,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -26804,7 +86850,7 @@ index 3136c6a..5cadd2e 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +351,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +386,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -26812,7 +86858,7 @@ index 3136c6a..5cadd2e 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +373,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +408,23 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -26836,7 +86882,7 @@ index 3136c6a..5cadd2e 100644
  ########################################
  #
  # Apache server local policy
-@@ -281,11 +409,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +444,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -26850,7 +86896,7 @@ index 3136c6a..5cadd2e 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +459,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +494,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -26861,7 +86907,7 @@ index 3136c6a..5cadd2e 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -339,8 +470,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -339,8 +505,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  
@@ -26872,7 +86918,7 @@ index 3136c6a..5cadd2e 100644
  
  setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
  manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -355,6 +487,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +522,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -26882,7 +86928,7 @@ index 3136c6a..5cadd2e 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +500,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -26892,20 +86938,24 @@ index 3136c6a..5cadd2e 100644
  corenet_tcp_bind_http_cache_port(httpd_t)
 +corenet_tcp_bind_ntop_port(httpd_t)
 +corenet_tcp_bind_jboss_management_port(httpd_t)
++corenet_tcp_bind_jboss_messaging_port(httpd_t)
  corenet_sendrecv_http_server_packets(httpd_t)
 +corenet_tcp_bind_puppet_port(httpd_t)
  # Signal self for shutdown
 -corenet_tcp_connect_http_port(httpd_t)
-+#corenet_tcp_connect_http_port(httpd_t)
++tunable_policy(`httpd_graceful_shutdown',`
++	corenet_tcp_connect_http_port(httpd_t)
++')
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +518,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +556,13 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
 +fs_read_iso9660_files(httpd_t)
 +fs_read_anon_inodefs_files(httpd_t)
++fs_read_hugetlbfs_files(httpd_t)
  
  auth_use_nsswitch(httpd_t)
  
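Review bot: The new `httpd_graceful_shutdown` tunable block grants `corenet_tcp_connect_http_port(httpd_t)`, which is scoped by port type and not by destination, so enabling the boolean presumably lets `httpd_t` open outbound connections to HTTP ports on any host and not only to itself. The boolean's description ("connect to port 80 for graceful shutdown") and the `# Signal self for shutdown` comment above the block both suggest something narrower. I would add a comment inside the block, `# also permits outbound connections from httpd_t to any port labelled as an http port`, so the trade-off is visible to whoever enables it. This matters more because booleans-targeted.conf in the same commit sets `httpd_graceful_shutdown = true`.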
@@ -26916,7 +86966,7 @@ index 3136c6a..5cadd2e 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +531,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +570,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -26924,7 +86974,7 @@ index 3136c6a..5cadd2e 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +543,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +582,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -27028,8 +87078,14 @@ index 3136c6a..5cadd2e 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +650,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -454,27 +687,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ 	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+ ')
  
++tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
++	fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
++')
++
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
 +	filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
@@ -27086,7 +87142,7 @@ index 3136c6a..5cadd2e 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +708,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +751,22 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -27100,10 +87156,16 @@ index 3136c6a..5cadd2e 100644
 +	fs_manage_cifs_dirs(httpd_t)
 +	fs_manage_cifs_files(httpd_t)
 +	fs_manage_cifs_symlinks(httpd_t)
++')
++
++tunable_policy(`httpd_use_fusefs',`
++	fs_manage_fusefs_dirs(httpd_t)
++	fs_manage_fusefs_files(httpd_t)
++	fs_manage_fusefs_symlinks(httpd_t)
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +732,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +781,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -27124,7 +87186,7 @@ index 3136c6a..5cadd2e 100644
  ')
  
  optional_policy(`
-@@ -513,7 +756,13 @@ optional_policy(`
+@@ -513,7 +805,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27139,7 +87201,7 @@ index 3136c6a..5cadd2e 100644
  ')
  
  optional_policy(`
-@@ -528,7 +777,19 @@ optional_policy(`
+@@ -528,7 +826,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -27160,7 +87222,7 @@ index 3136c6a..5cadd2e 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +798,13 @@ optional_policy(`
+@@ -537,12 +847,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27175,7 +87237,15 @@ index 3136c6a..5cadd2e 100644
  	')
  ')
  
-@@ -556,7 +822,21 @@ optional_policy(`
+ optional_policy(`
++	jetty_admin(httpd_t)
++')
++
++optional_policy(`
+ 	kerberos_keytab_template(httpd, httpd_t)
+ ')
+ 
+@@ -556,7 +875,21 @@ optional_policy(`
  ')
  
  optional_policy(`
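Review bot: `jetty_admin(httpd_t)` hands a network-facing daemon domain an administration interface, which is more than a web server should need in order to run or talk to Jetty. The `*_admin` interfaces visible in this patch (`apache_admin`, `apcupsd_admin`) take a domain and a role and use `$2` in a `role_transition`; if `jetty_admin` follows that pattern, the call here is also missing its second argument. `jetty_admin` is defined outside this hunk, so what it grants cannot be confirmed from here. Given that apache.fc labels `/usr/share/jetty/bin/jetty.sh` as `httpd_exec_t`, a narrower interface limited to the files that script needs, or at least a comment such as `# jetty.sh runs as httpd_t and needs to manage jetty's files`, would be preferable.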
@@ -27197,7 +87267,7 @@ index 3136c6a..5cadd2e 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +847,7 @@ optional_policy(`
+@@ -567,6 +900,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -27205,13 +87275,26 @@ index 3136c6a..5cadd2e 100644
  ')
  
  optional_policy(`
-@@ -577,6 +858,20 @@ optional_policy(`
+@@ -577,6 +911,33 @@ optional_policy(`
  ')
  
  optional_policy(`
-+	passenger_domtrans(httpd_t)
-+	passenger_manage_pid_content(httpd_t)
-+	passenger_read_lib_files(httpd_t)
++	pwauth_domtrans(httpd_t)
++')
++
++optional_policy(`
++	tunable_policy(`httpd_run_stickshift', `
++		allow httpd_t self:capability sys_resource;
++		allow httpd_t self:capability { fowner fsetid };
++		allow httpd_t self:process setexec;
++		passenger_exec(httpd_t)
++		passenger_manage_pid_content(httpd_t)
++		passenger_manage_lib_files(httpd_t)
++	',`
++		passenger_domtrans(httpd_t)
++		passenger_manage_pid_content(httpd_t)
++		passenger_read_lib_files(httpd_t)
++	')
 +')
 +
 +optional_policy(`
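Review bot: With `httpd_run_stickshift` enabled, `httpd_t` gains `sys_resource`, `fowner`, `fsetid` and `setexec`, calls `passenger_exec` in place of `passenger_domtrans`, and gets `passenger_manage_lib_files` instead of the read-only variant, yet nothing in the block says why each grant is needed. The boolean's description ("run in stickshift mode, not transition to passenger") mentions none of the capabilities, so a comment at the top of the branch, e.g. `# stickshift: passenger stays in httpd_t, which therefore needs the capabilities below`, would help reviewers judge the cost of enabling it. The two capability rules can be written as one, `allow httpd_t self:capability { fowner fsetid sys_resource };`. The call also has a space after the comma following the tunable name, which the other `tunable_policy` calls visible in this file do not.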
@@ -27226,7 +87309,7 @@ index 3136c6a..5cadd2e 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +886,11 @@ optional_policy(`
+@@ -591,6 +952,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27238,7 +87321,7 @@ index 3136c6a..5cadd2e 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +903,12 @@ optional_policy(`
+@@ -603,6 +969,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -27251,7 +87334,7 @@ index 3136c6a..5cadd2e 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +922,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +988,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -27264,7 +87347,7 @@ index 3136c6a..5cadd2e 100644
  
  ########################################
  #
-@@ -654,28 +964,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1030,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -27308,7 +87391,7 @@ index 3136c6a..5cadd2e 100644
  ')
  
  ########################################
-@@ -685,6 +997,8 @@ optional_policy(`
+@@ -685,6 +1063,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -27317,7 +87400,7 @@ index 3136c6a..5cadd2e 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1013,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1079,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -27343,7 +87426,7 @@ index 3136c6a..5cadd2e 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1059,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1125,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -27376,7 +87459,7 @@ index 3136c6a..5cadd2e 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1106,25 @@ optional_policy(`
+@@ -769,6 +1172,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -27402,7 +87485,7 @@ index 3136c6a..5cadd2e 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1145,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1211,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -27420,7 +87503,7 @@ index 3136c6a..5cadd2e 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1164,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1230,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -27477,7 +87560,7 @@ index 3136c6a..5cadd2e 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1215,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1281,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -27505,10 +87588,20 @@ index 3136c6a..5cadd2e 100644
 +	fs_exec_cifs_files(httpd_suexec_t)
 +')
 +
++tunable_policy(`httpd_use_fusefs',`
++	fs_manage_fusefs_dirs(httpd_sys_script_t)
++	fs_manage_fusefs_files(httpd_sys_script_t)
++	fs_manage_fusefs_symlinks(httpd_sys_script_t)
++	fs_manage_fusefs_dirs(httpd_suexec_t)
++	fs_manage_fusefs_files(httpd_suexec_t)
++	fs_manage_fusefs_symlinks(httpd_suexec_t)
++	fs_exec_fusefs_files(httpd_suexec_t)
++')
++
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1250,20 @@ optional_policy(`
+@@ -842,10 +1326,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27529,7 +87622,7 @@ index 3136c6a..5cadd2e 100644
  ')
  
  ########################################
-@@ -891,11 +1309,135 @@ optional_policy(`
+@@ -891,11 +1385,146 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -27553,7 +87646,7 @@ index 3136c6a..5cadd2e 100644
 +	userdom_read_user_home_content_files(httpd_t)
 +	userdom_read_user_home_content_files(httpd_suexec_t)
 +	userdom_read_user_home_content_files(httpd_user_script_t)
-+')
+ ')
 +
 +########################################
 +#
@@ -27564,25 +87657,29 @@ index 3136c6a..5cadd2e 100644
 +allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
 +allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
 +
-+domain_use_interactive_fds(httpd_passwd_t)
++kernel_read_system_state(httpd_passwd_t)
 +
-+files_read_etc_files(httpd_passwd_t)
++corecmd_exec_bin(httpd_passwd_t)
++corecmd_exec_shell(httpd_passwd_t)
 +
-+miscfiles_read_localization(httpd_passwd_t)
++dev_read_urand(httpd_passwd_t)
 +
-+corecmd_exec_bin(httpd_passwd_t)
++domain_use_interactive_fds(httpd_passwd_t)
 +
-+kernel_read_system_state(httpd_passwd_t)
++files_read_etc_files(httpd_passwd_t)
 +
-+dev_read_urand(httpd_passwd_t)
++auth_use_nsswitch(httpd_passwd_t)
++
++miscfiles_read_certs(httpd_passwd_t)
++miscfiles_read_localization(httpd_passwd_t)
 +
++systemd_manage_passwd_run(httpd_passwd_t)
 +systemd_manage_passwd_run(httpd_t)
 +#systemd_passwd_agent_dev_template(httpd)
 +
 +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
 +dontaudit httpd_passwd_t httpd_config_t:file read;
 +
-+
 +search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
 +corecmd_shell_entry_type(httpd_script_type)
 +
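Review bot: After this hunk both `httpd_passwd_t` and `httpd_t` are given `systemd_manage_passwd_run`; since `httpd_t` transitions to `httpd_passwd_t` through the `domtrans_pattern` just below, it is worth checking whether the grant on `httpd_t` is still needed. The helper domain also gains `corecmd_exec_shell`, `auth_use_nsswitch` and `miscfiles_read_certs` with no comment explaining what the pass-phrase helper uses them for. A short comment above the new calls, such as `# pass-phrase helper is a shell script that looks up users and reads certificates`, corrected to whatever the real reason is, would keep later cleanups from guessing.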
@@ -27667,12 +87764,24 @@ index 3136c6a..5cadd2e 100644
 +	allow httpd_t httpd_content_type:dir list_dir_perms;
 +	read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
 +	read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
- ')
++')
++
++tunable_policy(`httpd_use_openstack',`
++	corenet_tcp_connect_keystone_port(httpd_sys_script_t)
++	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
++	corenet_tcp_connect_glance_port(httpd_sys_script_t)
++')
++
 diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
-index cd07b96..9b7742f 100644
+index cd07b96..f3506be 100644
 --- a/policy/modules/services/apcupsd.fc
 +++ b/policy/modules/services/apcupsd.fc
-@@ -4,6 +4,8 @@
+@@ -1,9 +1,13 @@
+ /etc/rc\.d/init\.d/apcupsd	--	gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+ 
++/usr/lib/systemd/system/apcupsd.*  -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
++
+ /sbin/apcupsd			--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
  
  /usr/sbin/apcupsd		--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
  
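Review bot: Inside the new `httpd_use_openstack` block, `corenet_tcp_connect_all_ephemeral_ports(httpd_t)` is much broader than the two named-port rules beside it and applies to a different domain: the keystone and glance ports are opened for `httpd_sys_script_t`, the whole ephemeral range for `httpd_t`. The boolean's description says only "Allow httpd to access openstack ports", which does not prepare an administrator for outbound connections to every ephemeral port. If one specific service requires this, a comment naming it, e.g. `# <service> listens on an ephemeral port; narrow to a dedicated port type when one exists`, would document the reason and the intended follow-up. It would also help to state whether the split between `httpd_t` and `httpd_sys_script_t` is deliberate.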
@@ -27681,17 +87790,50 @@ index cd07b96..9b7742f 100644
  /var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
  /var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
  
-@@ -13,3 +15,4 @@
+@@ -13,3 +17,4 @@
  /var/www/apcupsd/upsfstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
  /var/www/apcupsd/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
  /var/www/apcupsd/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
 +/var/www/cgi-bin/apcgui(/.*)?		gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
 diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
-index e342775..4ffdb80 100644
+index e342775..1fedbe5 100644
 --- a/policy/modules/services/apcupsd.if
 +++ b/policy/modules/services/apcupsd.if
-@@ -146,9 +146,13 @@ interface(`apcupsd_admin',`
+@@ -123,6 +123,29 @@ interface(`apcupsd_cgi_script_domtrans',`
+ 
+ ########################################
+ ## <summary>
++##	Execute apcupsd server in the apcupsd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`apcupsd_systemctl',`
++	gen_require(`
++		type apcupsd_t;
++		type apcupsd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 apcupsd_unit_file_t:file read_file_perms;
++	allow $1 apcupsd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, apcupsd_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate 
+ ##	an apcupsd environment
+ ## </summary>
+@@ -144,11 +167,16 @@ interface(`apcupsd_admin',`
+ 		type apcupsd_log_t, apcupsd_lock_t;
+ 		type apcupsd_var_run_t;
  		type apcupsd_initrc_exec_t;
++		type apcupsd_unit_file_t;
  	')
  
 -	allow $1 apcupsd_t:process { ptrace signal_perms };
@@ -27705,11 +87847,30 @@ index e342775..4ffdb80 100644
  	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 apcupsd_initrc_exec_t system_r;
+@@ -165,4 +193,8 @@ interface(`apcupsd_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, apcupsd_var_run_t)
++
++	apcupsd_systemctl($1)
++	admin_pattern($1, apcupsd_unit_file_t)
++	allow $1 apcupsd_unit_file_t:service all_service_perms;
+ ')
 diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
-index d052bf0..3059bd2 100644
+index d052bf0..77e6e19 100644
 --- a/policy/modules/services/apcupsd.te
 +++ b/policy/modules/services/apcupsd.te
-@@ -76,6 +76,7 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
+@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
+ type apcupsd_var_run_t;
+ files_pid_file(apcupsd_var_run_t)
+ 
++type apcupsd_unit_file_t;
++systemd_unit_file(apcupsd_unit_file_t)
++
+ ########################################
+ #
+ # apcupsd local policy
+@@ -76,6 +79,7 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
  
  # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
  term_use_unallocated_ttys(apcupsd_t)
@@ -27717,7 +87878,7 @@ index d052bf0..3059bd2 100644
  
  #apcupsd runs shutdown, probably need a shutdown domain
  init_rw_utmp(apcupsd_t)
-@@ -87,13 +88,17 @@ miscfiles_read_localization(apcupsd_t)
+@@ -87,13 +91,17 @@ miscfiles_read_localization(apcupsd_t)
  
  sysnet_dns_name_resolve(apcupsd_t)
  
@@ -27736,8 +87897,17 @@ index d052bf0..3059bd2 100644
  	mta_send_mail(apcupsd_t)
  	mta_system_content(apcupsd_tmp_t)
  ')
+diff --git a/policy/modules/services/apm.fc b/policy/modules/services/apm.fc
+index 0123777..f2f0c35 100644
+--- a/policy/modules/services/apm.fc
++++ b/policy/modules/services/apm.fc
+@@ -1,3 +1,4 @@
++/usr/lib/systemd/system/apmd.*  --              gen_context(system_u:object_r:apmd_unit_file_t,s0)
+ 
+ #
+ # /usr
 diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if
-index 1ea99b2..3582863 100644
+index 1ea99b2..1bf05b5 100644
 --- a/policy/modules/services/apm.if
 +++ b/policy/modules/services/apm.if
 @@ -52,7 +52,8 @@ interface(`apm_write_pipes',`
@@ -27765,16 +87935,39 @@ index 1ea99b2..3582863 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -108,6 +109,5 @@ interface(`apm_stream_connect',`
+@@ -108,6 +109,28 @@ interface(`apm_stream_connect',`
  	')
  
  	files_search_pids($1)
 -	allow $1 apmd_var_run_t:sock_file write;
 -	allow $1 apmd_t:unix_stream_socket connectto;
 +	stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
++')
++
++########################################
++## <summary>
++##	Execute apmd server in the apmd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`apmd_systemctl',`
++	gen_require(`
++		type apmd_t;
++		type apmd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 apmd_unit_file_t:file read_file_perms;
++	allow $1 apmd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, apmd_t)
  ')
 diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..29bb904 100644
+index 1c8c27e..1fbabf7 100644
 --- a/policy/modules/services/apm.te
 +++ b/policy/modules/services/apm.te
 @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
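Review bot: The header comment on the new `apmd_systemctl` interface in apm.if describes a domain transition ("Execute apmd server in the apmd domain", "Domain allowed to transition"), but the body grants something different. It lets the caller run systemctl, read `apmd_unit_file_t` files, manage the service, and applies `ps_process_pattern` to `apmd_t`. I would reword the summary to something like `##	Execute systemctl to manage the apmd service unit.` and the parameter text to `##	Domain allowed access.` so the documentation matches the access granted. The same copied header appears on arpwatch_systemctl, automount_systemctl, avahi_systemctl, bcfg2_systemctl and bluetooth_systemctl later in this patch. The interface also carries an `apmd_` prefix while the other interfaces visible in apm.if use `apm_`.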
@@ -27785,7 +87978,17 @@ index 1c8c27e..29bb904 100644
  type apmd_t;
  type apmd_exec_t;
  init_daemon_domain(apmd_t, apmd_exec_t)
-@@ -45,7 +46,7 @@ dev_rw_apm_bios(apm_t)
+@@ -32,6 +33,9 @@ ifdef(`distro_suse',`
+ 	files_type(apmd_var_lib_t)
+ ')
+ 
++type apmd_unit_file_t;
++systemd_unit_file(apmd_unit_file_t)
++
+ ########################################
+ #
+ # apm client Local policy
+@@ -45,7 +49,7 @@ dev_rw_apm_bios(apm_t)
  
  fs_getattr_xattr_fs(apm_t)
  
@@ -27794,7 +87997,7 @@ index 1c8c27e..29bb904 100644
  
  domain_use_interactive_fds(apm_t)
  
-@@ -59,9 +60,10 @@ logging_send_syslog_msg(apm_t)
+@@ -59,9 +63,10 @@ logging_send_syslog_msg(apm_t)
  # mknod: controlling an orderly resume of PCMCIA requires creating device
  # nodes 254,{0,1,2} for some reason.
  allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
@@ -27806,7 +88009,7 @@ index 1c8c27e..29bb904 100644
  allow apmd_t self:unix_dgram_socket create_socket_perms;
  allow apmd_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -81,6 +83,8 @@ kernel_rw_all_sysctls(apmd_t)
+@@ -81,6 +86,8 @@ kernel_rw_all_sysctls(apmd_t)
  kernel_read_system_state(apmd_t)
  kernel_write_proc_files(apmd_t)
  
@@ -27815,7 +88018,7 @@ index 1c8c27e..29bb904 100644
  dev_read_realtime_clock(apmd_t)
  dev_read_urand(apmd_t)
  dev_rw_apm_bios(apmd_t)
-@@ -101,7 +105,6 @@ selinux_search_fs(apmd_t)
+@@ -101,7 +108,6 @@ selinux_search_fs(apmd_t)
  corecmd_exec_all_executables(apmd_t)
  
  domain_read_all_domains_state(apmd_t)
@@ -27823,7 +88026,7 @@ index 1c8c27e..29bb904 100644
  domain_use_interactive_fds(apmd_t)
  domain_dontaudit_getattr_all_sockets(apmd_t)
  domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
-@@ -114,6 +117,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+@@ -114,6 +120,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
  files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
  files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
  
@@ -27832,7 +88035,7 @@ index 1c8c27e..29bb904 100644
  init_domtrans_script(apmd_t)
  init_rw_utmp(apmd_t)
  init_telinit(apmd_t)
-@@ -127,10 +132,8 @@ logging_send_audit_msgs(apmd_t)
+@@ -127,10 +135,8 @@ logging_send_audit_msgs(apmd_t)
  miscfiles_read_localization(apmd_t)
  miscfiles_read_hwdata(apmd_t)
  
@@ -27844,7 +88047,7 @@ index 1c8c27e..29bb904 100644
  
  userdom_dontaudit_use_unpriv_user_fds(apmd_t)
  userdom_dontaudit_search_user_home_dirs(apmd_t)
-@@ -142,9 +145,8 @@ ifdef(`distro_redhat',`
+@@ -142,9 +148,8 @@ ifdef(`distro_redhat',`
  
  	can_exec(apmd_t, apmd_var_run_t)
  
@@ -27855,7 +88058,7 @@ index 1c8c27e..29bb904 100644
  	')
  
  	optional_policy(`
-@@ -155,6 +157,15 @@ ifdef(`distro_redhat',`
+@@ -155,6 +160,15 @@ ifdef(`distro_redhat',`
  		netutils_domtrans(apmd_t)
  	')
  
@@ -27871,7 +88074,7 @@ index 1c8c27e..29bb904 100644
  ',`
  	# for ifconfig which is run all the time
  	kernel_dontaudit_search_sysctl(apmd_t)
-@@ -181,6 +192,12 @@ optional_policy(`
+@@ -181,6 +195,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27884,7 +88087,7 @@ index 1c8c27e..29bb904 100644
  	dbus_system_bus_client(apmd_t)
  
  	optional_policy(`
-@@ -201,7 +218,8 @@ optional_policy(`
+@@ -201,7 +221,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27894,7 +88097,7 @@ index 1c8c27e..29bb904 100644
  ')
  
  optional_policy(`
-@@ -209,8 +227,9 @@ optional_policy(`
+@@ -209,8 +230,9 @@ optional_policy(`
  	pcmcia_domtrans_cardctl(apmd_t)
  ')
  
@@ -27905,7 +88108,7 @@ index 1c8c27e..29bb904 100644
  ')
  
  optional_policy(`
-@@ -219,10 +238,6 @@ optional_policy(`
+@@ -219,10 +241,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27916,12 +88119,57 @@ index 1c8c27e..29bb904 100644
  	vbetool_domtrans(apmd_t)
  ')
  
+diff --git a/policy/modules/services/arpwatch.fc b/policy/modules/services/arpwatch.fc
+index a86a6c7..ab50afe 100644
+--- a/policy/modules/services/arpwatch.fc
++++ b/policy/modules/services/arpwatch.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/arpwatch --	gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+ 
++/usr/lib/systemd/system/arpwatch.* --	gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
++
+ #
+ # /usr
+ #
 diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
-index c804110..980cd57 100644
+index c804110..06a516f 100644
 --- a/policy/modules/services/arpwatch.if
 +++ b/policy/modules/services/arpwatch.if
-@@ -137,9 +137,13 @@ interface(`arpwatch_admin',`
+@@ -115,6 +115,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
+ 
+ ########################################
+ ## <summary>
++##	Execute arpwatch server in the arpwatch domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`arpwatch_systemctl',`
++	gen_require(`
++		type arpwatch_t;
++		type arpwatch_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 arpwatch_unit_file_t:file read_file_perms;
++	allow $1 arpwatch_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, arpwatch_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate 
+ ##	an arpwatch environment
+ ## </summary>
+@@ -135,11 +158,16 @@ interface(`arpwatch_admin',`
+ 		type arpwatch_t, arpwatch_tmp_t;
+ 		type arpwatch_data_t, arpwatch_var_run_t;
  		type arpwatch_initrc_exec_t;
++		type arpwatch_unit_file_t;
  	')
  
 -	allow $1 arpwatch_t:process { ptrace signal_perms getattr };
@@ -27935,11 +88183,38 @@ index c804110..980cd57 100644
  	arpwatch_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 arpwatch_initrc_exec_t system_r;
+@@ -153,4 +181,8 @@ interface(`arpwatch_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, arpwatch_var_run_t)
++
++	arpwatch_systemctl($1)
++	admin_pattern($1, arpwatch_unit_file_t)
++	allow $1 arpwatch_unit_file_t:service all_service_perms;
+ ')
 diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
-index 804135f..af04567 100644
+index 804135f..613f77f 100644
 --- a/policy/modules/services/arpwatch.te
 +++ b/policy/modules/services/arpwatch.te
-@@ -47,8 +47,9 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
+ type arpwatch_var_run_t;
+ files_pid_file(arpwatch_var_run_t)
+ 
++type arpwatch_unit_file_t;
++systemd_unit_file(arpwatch_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -34,6 +37,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
+ allow arpwatch_t self:udp_socket create_socket_perms;
+ allow arpwatch_t self:packet_socket create_socket_perms;
+ allow arpwatch_t self:socket create_socket_perms;
++allow arpwatch_t self:netlink_socket create_socket_perms;;
+ 
+ manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+ manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+@@ -47,8 +51,9 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
  files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
  
  kernel_read_network_state(arpwatch_t)
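Review bot: The added line `allow arpwatch_t self:netlink_socket create_socket_perms;;` in arpwatch.te ends with two semicolons. Whether or not the policy compiler tolerates the empty statement, it should read `allow arpwatch_t self:netlink_socket create_socket_perms;`. The rule also uses the generic `netlink_socket` class; if arpwatch needs only one netlink family, the narrower class would be the tighter grant, though that cannot be judged from this hunk.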
@@ -27970,7 +88245,7 @@ index 8b8143e..a04a8af 100644
  	domain_system_change_exemption($1)
  	role_transition $2 asterisk_initrc_exec_t system_r;
 diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..8e66610 100644
+index b3b0176..31e5976 100644
 --- a/policy/modules/services/asterisk.te
 +++ b/policy/modules/services/asterisk.te
 @@ -19,10 +19,11 @@ type asterisk_log_t;
@@ -27997,7 +88272,7 @@ index b3b0176..8e66610 100644
  allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
  allow asterisk_t self:fifo_file rw_fifo_file_perms;
  allow asterisk_t self:sem create_sem_perms;
-@@ -76,10 +77,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+@@ -76,11 +77,13 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
  manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
  files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
  
@@ -28008,9 +88283,11 @@ index b3b0176..8e66610 100644
 -files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
 +files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })
  
++kernel_read_network_state(asterisk_t)
  kernel_read_system_state(asterisk_t)
  kernel_read_kernel_sysctls(asterisk_t)
-@@ -108,14 +110,19 @@ corenet_tcp_bind_generic_port(asterisk_t)
+ kernel_request_load_module(asterisk_t)
+@@ -108,14 +111,19 @@ corenet_tcp_bind_generic_port(asterisk_t)
  corenet_udp_bind_generic_port(asterisk_t)
  corenet_dontaudit_udp_bind_all_ports(asterisk_t)
  corenet_sendrecv_generic_server_packets(asterisk_t)
@@ -28030,7 +88307,7 @@ index b3b0176..8e66610 100644
  dev_read_urand(asterisk_t)
  
  domain_use_interactive_fds(asterisk_t)
-@@ -125,6 +132,7 @@ files_search_spool(asterisk_t)
+@@ -125,6 +133,7 @@ files_search_spool(asterisk_t)
  # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
  # are labeled usr_t
  files_read_usr_files(asterisk_t)
@@ -28038,7 +88315,7 @@ index b3b0176..8e66610 100644
  
  fs_getattr_all_fs(asterisk_t)
  fs_list_inotifyfs(asterisk_t)
-@@ -141,6 +149,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+@@ -141,6 +150,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
  userdom_dontaudit_search_user_home_dirs(asterisk_t)
  
  optional_policy(`
@@ -28142,8 +88419,21 @@ index 2b348c7..0000000
 -optional_policy(`
 -	udev_read_db(entropyd_t)
 -')
+diff --git a/policy/modules/services/automount.fc b/policy/modules/services/automount.fc
+index f16ab68..e4178a4 100644
+--- a/policy/modules/services/automount.fc
++++ b/policy/modules/services/automount.fc
+@@ -4,6 +4,8 @@
+ /etc/apm/event\.d/autofs --	gen_context(system_u:object_r:automount_exec_t,s0)
+ /etc/rc\.d/init\.d/autofs	--	gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+ 
++/usr/lib/systemd/system/autofs.*	--	gen_context(system_u:object_r:automount_unit_file_t,s0)
++
+ #
+ # /usr
+ #
 diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
-index d80a16b..4f2a53f 100644
+index d80a16b..14c7b1e 100644
 --- a/policy/modules/services/automount.if
 +++ b/policy/modules/services/automount.if
 @@ -29,7 +29,6 @@ interface(`automount_domtrans',`
@@ -28172,17 +88462,43 @@ index d80a16b..4f2a53f 100644
  	dontaudit $1 automount_t:fifo_file write;
  ')
  
-@@ -123,7 +124,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
+@@ -123,7 +124,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
  		type automount_tmp_t;
  	')
  
 -	dontaudit $1 automount_tmp_t:dir getattr;
 +	dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
++')
++
++########################################
++## <summary>
++##	Execute automount server in the automount domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`automount_systemctl',`
++	gen_require(`
++		type automount_t;
++		type automount_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 automount_unit_file_t:file read_file_perms;
++	allow $1 automount_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, automount_t)
  ')
  
  ########################################
-@@ -149,9 +150,13 @@ interface(`automount_admin',`
+@@ -147,11 +171,16 @@ interface(`automount_admin',`
+ 	gen_require(`
+ 		type automount_t, automount_lock_t, automount_tmp_t;
  		type automount_var_run_t, automount_initrc_exec_t;
++		type automount_unit_file_t;
  	')
  
 -	allow $1 automount_t:process { ptrace signal_perms getattr };
@@ -28196,11 +88512,30 @@ index d80a16b..4f2a53f 100644
  	init_labeled_script_domtrans($1, automount_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 automount_initrc_exec_t system_r;
+@@ -165,4 +194,8 @@ interface(`automount_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, automount_var_run_t)
++
++	automount_systemctl($1)
++	admin_pattern($1, automount_unit_file_t)
++	allow $1 automount_unit_file_t:service all_service_perms;
+ ')
 diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
-index 39799db..9390ef1 100644
+index 39799db..fe1653e 100644
 --- a/policy/modules/services/automount.te
 +++ b/policy/modules/services/automount.te
-@@ -64,6 +64,7 @@ kernel_read_network_state(automount_t)
+@@ -22,6 +22,9 @@ type automount_tmp_t;
+ files_tmp_file(automount_tmp_t)
+ files_mountpoint(automount_tmp_t)
+ 
++type automount_unit_file_t;
++systemd_unit_file(automount_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -64,6 +67,7 @@ kernel_read_network_state(automount_t)
  kernel_list_proc(automount_t)
  kernel_dontaudit_search_xen_state(automount_t)
  
@@ -28208,7 +88543,7 @@ index 39799db..9390ef1 100644
  files_search_boot(automount_t)
  # Automount is slowly adding all mount functionality internally
  files_search_all(automount_t)
-@@ -143,9 +144,6 @@ logging_search_logs(automount_t)
+@@ -143,9 +147,6 @@ logging_search_logs(automount_t)
  miscfiles_read_localization(automount_t)
  miscfiles_read_generic_certs(automount_t)
  
@@ -28218,7 +88553,7 @@ index 39799db..9390ef1 100644
  
  userdom_dontaudit_use_unpriv_user_fds(automount_t)
  userdom_dontaudit_search_user_home_dirs(automount_t)
-@@ -155,6 +153,13 @@ optional_policy(`
+@@ -155,6 +156,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28232,8 +88567,20 @@ index 39799db..9390ef1 100644
  	fstools_domtrans(automount_t)
  ')
  
+diff --git a/policy/modules/services/avahi.fc b/policy/modules/services/avahi.fc
+index 7e36549..010b2bc 100644
+--- a/policy/modules/services/avahi.fc
++++ b/policy/modules/services/avahi.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/avahi.*	--	gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+ 
++/usr/lib/systemd/system/avahi.*    --  gen_context(system_u:object_r:avahi_unit_file_t,s0)
++
+ /usr/sbin/avahi-daemon		--	gen_context(system_u:object_r:avahi_exec_t,s0)
+ /usr/sbin/avahi-dnsconfd 	--	gen_context(system_u:object_r:avahi_exec_t,s0)
+ /usr/sbin/avahi-autoipd 	--	gen_context(system_u:object_r:avahi_exec_t,s0)
 diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
-index 61c74bc..c7a0db2 100644
+index 61c74bc..5e6a564 100644
 --- a/policy/modules/services/avahi.if
 +++ b/policy/modules/services/avahi.if
 @@ -90,6 +90,7 @@ interface(`avahi_dbus_chat',`
@@ -28244,8 +88591,41 @@ index 61c74bc..c7a0db2 100644
  	allow $1 avahi_t:dbus send_msg;
  	allow avahi_t $1:dbus send_msg;
  ')
-@@ -153,9 +154,13 @@ interface(`avahi_admin',`
+@@ -133,6 +134,29 @@ interface(`avahi_dontaudit_search_pid',`
+ 
+ ########################################
+ ## <summary>
++##	Execute avahi server in the avahi domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`avahi_systemctl',`
++	gen_require(`
++		type avahi_t;
++		type avahi_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 avahi_unit_file_t:file read_file_perms;
++	allow $1 avahi_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, avahi_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate
+ ##	an avahi environment
+ ## </summary>
+@@ -151,11 +175,16 @@ interface(`avahi_dontaudit_search_pid',`
+ interface(`avahi_admin',`
+ 	gen_require(`
  		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
++		type avahi_unit_file_t;
  	')
  
 -	allow $1 avahi_t:process { ptrace signal_perms };
@@ -28259,19 +88639,31 @@ index 61c74bc..c7a0db2 100644
  	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 avahi_initrc_exec_t system_r;
+@@ -163,4 +192,8 @@ interface(`avahi_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, avahi_var_run_t)
++
++	avahi_systemctl($1)
++	admin_pattern($1, avahi_unit_file_t)
++	allow $1 avahi_unit_file_t:service all_service_perms;
+ ')
 diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
-index a7a0e71..5352ef6 100644
+index a7a0e71..3b01eed 100644
 --- a/policy/modules/services/avahi.te
 +++ b/policy/modules/services/avahi.te
-@@ -17,6 +17,7 @@ files_pid_file(avahi_var_lib_t)
+@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
  
  type avahi_var_run_t;
  files_pid_file(avahi_var_run_t)
 +init_sock_file(avahi_var_run_t)
++
++type avahi_unit_file_t;
++systemd_unit_file(avahi_unit_file_t)
  
  ########################################
  #
-@@ -46,6 +47,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+@@ -46,6 +50,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
  kernel_read_system_state(avahi_t)
  kernel_read_kernel_sysctls(avahi_t)
  kernel_read_network_state(avahi_t)
@@ -28279,7 +88671,7 @@ index a7a0e71..5352ef6 100644
  
  corecmd_exec_bin(avahi_t)
  corecmd_exec_shell(avahi_t)
-@@ -104,6 +106,10 @@ optional_policy(`
+@@ -104,6 +109,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28290,25 +88682,291 @@ index a7a0e71..5352ef6 100644
  	seutil_sigchld_newrole(avahi_t)
  ')
  
+diff --git a/policy/modules/services/bcfg2.fc b/policy/modules/services/bcfg2.fc
+new file mode 100644
+index 0000000..53a6f26
+--- /dev/null
++++ b/policy/modules/services/bcfg2.fc
+@@ -0,0 +1,9 @@
++/etc/rc\.d/init\.d/bcfg2	--	gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/bcfg2-server.*		--	gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
++
++/usr/sbin/bcfg2-server		--	gen_context(system_u:object_r:bcfg2_exec_t,s0)
++
++/var/lib/bcfg2(/.*)?		gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
++
++/var/run/bcfg2-server\.pid          --      gen_context(system_u:object_r:bcfg2_var_run_t,s0)
+diff --git a/policy/modules/services/bcfg2.if b/policy/modules/services/bcfg2.if
+new file mode 100644
+index 0000000..5ff58fd
+--- /dev/null
++++ b/policy/modules/services/bcfg2.if
+@@ -0,0 +1,185 @@
++
++## <summary>policy for bcfg2</summary>
++
++########################################
++## <summary>
++##	Transition to bcfg2.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`bcfg2_domtrans',`
++	gen_require(`
++		type bcfg2_t, bcfg2_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, bcfg2_exec_t, bcfg2_t)
++')
++
++########################################
++## <summary>
++##	Execute bcfg2 server in the bcfg2 domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bcfg2_initrc_domtrans',`
++	gen_require(`
++		type bcfg2_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, bcfg2_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	Search bcfg2 lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bcfg2_search_lib',`
++	gen_require(`
++		type bcfg2_var_lib_t;
++	')
++
++	allow $1 bcfg2_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read bcfg2 lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bcfg2_read_lib_files',`
++	gen_require(`
++		type bcfg2_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage bcfg2 lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bcfg2_manage_lib_files',`
++	gen_require(`
++		type bcfg2_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage bcfg2 lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bcfg2_manage_lib_dirs',`
++	gen_require(`
++		type bcfg2_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Execute bcfg2 server in the bcfg2 domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`bcfg2_systemctl',`
++	gen_require(`
++		type bcfg2_t;
++		type bcfg2_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_read_fifo_file_passwd_run($1)
++	allow $1 bcfg2_unit_file_t:file read_file_perms;
++	allow $1 bcfg2_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, bcfg2_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an bcfg2 environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`bcfg2_admin',`
++	gen_require(`
++		type bcfg2_t;
++		type bcfg2_initrc_exec_t;
++		type bcfg2_var_lib_t;
++	type bcfg2_unit_file_t;
++	')
++
++	allow $1 bcfg2_t:process { ptrace signal_perms };
++	ps_process_pattern($1, bcfg2_t)
++
++	bcfg2_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 bcfg2_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_var_lib($1)
++	admin_pattern($1, bcfg2_var_lib_t)
++
++	bcfg2_systemctl($1)
++	admin_pattern($1, bcfg2_unit_file_t)
++	allow $1 bcfg2_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/policy/modules/services/bcfg2.te b/policy/modules/services/bcfg2.te
+new file mode 100644
+index 0000000..7c301dc
+--- /dev/null
++++ b/policy/modules/services/bcfg2.te
+@@ -0,0 +1,55 @@
++policy_module(bcfg2, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type bcfg2_t;
++type bcfg2_exec_t;
++init_daemon_domain(bcfg2_t, bcfg2_exec_t)
++
++type bcfg2_initrc_exec_t;
++init_script_file(bcfg2_initrc_exec_t)
++
++type bcfg2_var_lib_t;
++files_type(bcfg2_var_lib_t)
++
++type bcfg2_unit_file_t;
++systemd_unit_file(bcfg2_unit_file_t)
++
++type bcfg2_var_run_t;
++files_pid_file(bcfg2_var_run_t)
++
++########################################
++#
++# bcfg2 local policy
++#
++
++allow bcfg2_t self:fifo_file rw_fifo_file_perms;
++allow bcfg2_t self:tcp_socket create_stream_socket_perms;
++allow bcfg2_t self:unix_stream_socket { connectto create_stream_socket_perms };
++
++manage_dirs_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
++manage_files_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
++files_var_lib_filetrans(bcfg2_t, bcfg2_var_lib_t, { dir file })
++
++manage_files_pattern(bcfg2_t, bcfg2_var_run_t,bcfg2_var_run_t)
++files_pid_filetrans(bcfg2_t,bcfg2_var_run_t, { file })
++
++kernel_read_system_state(bcfg2_t)
++
++corecmd_exec_bin(bcfg2_t)
++
++dev_read_urand(bcfg2_t)
++
++domain_use_interactive_fds(bcfg2_t)
++
++files_read_etc_files(bcfg2_t)
++files_read_usr_files(bcfg2_t)
++
++auth_use_nsswitch(bcfg2_t)
++
++logging_send_syslog_msg(bcfg2_t)
++
++miscfiles_read_localization(bcfg2_t)
 diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
-index 59aa54f..643afce 100644
+index 59aa54f..b01072c 100644
 --- a/policy/modules/services/bind.fc
 +++ b/policy/modules/services/bind.fc
-@@ -4,6 +4,12 @@
+@@ -4,6 +4,11 @@
  /etc/rndc.*		--	gen_context(system_u:object_r:named_conf_t,s0)
  /etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
  /etc/unbound(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
 +/etc/unbound/.*\.key 	--	gen_context(system_u:object_r:dnssec_t,s0)
 +/etc/dnssec-trigger/dnssec_trigger_server\.key 	--	gen_context(system_u:object_r:dnssec_t,s0)
 +
-+/lib/systemd/system/named.service	--	gen_context(system_u:object_r:named_unit_file_t,s0)
-+
-+/usr/lib/systemd/system/named.service	--	gen_context(system_u:object_r:named_unit_file_t,s0)
++/usr/lib/systemd/system/unbound.* --  gen_context(system_u:object_r:named_unit_file_t,s0)
++/usr/lib/systemd/system/named.*	--	gen_context(system_u:object_r:named_unit_file_t,s0)
  
  /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
  /usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
 diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
-index 44a1e3d..776e2ed 100644
+index 44a1e3d..9b50c13 100644
 --- a/policy/modules/services/bind.if
 +++ b/policy/modules/services/bind.if
 @@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
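Review bot: In the new bcfg2.if, `bcfg2_admin` grants `allow $1 bcfg2_t:process { ptrace signal_perms };` unconditionally, while the same patch removes that unconditional form from arpwatch_admin, automount_admin, avahi_admin, bind_admin and bluetooth_admin. Assuming ptrace is meant to be governed by the `deny_ptrace` boolean, this allow would keep the admin domain able to trace `bcfg2_t` even on systems that turn the boolean on. I would reduce the line to `allow $1 bcfg2_t:process signal_perms;` and grant ptrace in whatever conditional form the sibling interfaces now use. Their replacement lines are outside the visible hunks, so that form should be copied from one of them. Separately, `type bcfg2_unit_file_t;` in the same gen_require block is indented one tab less than its neighbours.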
@@ -28331,7 +88989,7 @@ index 44a1e3d..776e2ed 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 named_unit_file_t:file read_file_perms;
-+	allow $1 named_unit_file_t:service all_service_perms;
++	allow $1 named_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, named_t)
 +')
@@ -28422,7 +89080,7 @@ index 44a1e3d..776e2ed 100644
  ##	Manage BIND zone files.
  ## </summary>
  ## <param name="domain">
-@@ -359,18 +422,25 @@ interface(`bind_udp_chat_named',`
+@@ -359,18 +422,26 @@ interface(`bind_udp_chat_named',`
  interface(`bind_admin',`
  	gen_require(`
  		type named_t, named_tmp_t, named_log_t;
@@ -28433,6 +89091,7 @@ index 44a1e3d..776e2ed 100644
 +		type named_conf_t, named_var_run_t, named_cache_t;
 +		type named_zone_t, named_initrc_exec_t;
 +		type dnssec_t, ndc_t, named_keytab_t;
++		type named_unit_file_t;
  	')
  
 -	allow $1 named_t:process { ptrace signal_perms };
@@ -28454,7 +89113,7 @@ index 44a1e3d..776e2ed 100644
  	bind_run_ndc($1, $2)
  
  	init_labeled_script_domtrans($1, named_initrc_exec_t)
-@@ -391,9 +461,10 @@ interface(`bind_admin',`
+@@ -391,9 +462,12 @@ interface(`bind_admin',`
  	admin_pattern($1, named_zone_t)
  	admin_pattern($1, dnssec_t)
  
@@ -28465,7 +89124,9 @@ index 44a1e3d..776e2ed 100644
  	files_list_pids($1)
  	admin_pattern($1, named_var_run_t)
 +
-+	named_systemctl($1)
++	admin_pattern($1, named_unit_file_t)
++	bind_systemctl($1)
++	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
 index 4deca04..7859fa1 100644
@@ -28730,18 +89391,20 @@ index f4e7ad3..c323651 100644
  dev_read_urand(bitlbee_t)
 diff --git a/policy/modules/services/blueman.fc b/policy/modules/services/blueman.fc
 new file mode 100644
-index 0000000..69f2b36
+index 0000000..98ba16a
 --- /dev/null
 +++ b/policy/modules/services/blueman.fc
-@@ -0,0 +1,2 @@
+@@ -0,0 +1,4 @@
 +
-+/usr/libexec/blueman-mechanism		--	gen_context(system_u:object_r:blueman_exec_t,s0)
++/usr/libexec/blueman-mechanism	--	gen_context(system_u:object_r:blueman_exec_t,s0)
++
++/var/lib/blueman(/.*)?			gen_context(system_u:object_r:blueman_var_lib_t,s0)
 diff --git a/policy/modules/services/blueman.if b/policy/modules/services/blueman.if
 new file mode 100644
-index 0000000..d694c0a
+index 0000000..a66b2ff
 --- /dev/null
 +++ b/policy/modules/services/blueman.if
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,99 @@
 +## <summary>policy for blueman</summary>
 +
 +########################################
@@ -28783,12 +89446,70 @@ index 0000000..d694c0a
 +	allow $1 blueman_t:dbus send_msg;
 +	allow blueman_t $1:dbus send_msg;
 +')
++
++########################################
++## <summary>
++##	Search blueman lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`blueman_search_lib',`
++	gen_require(`
++		type blueman_var_lib_t;
++	')
++
++	allow $1 blueman_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read blueman lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`blueman_read_lib_files',`
++	gen_require(`
++		type blueman_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	blueman lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`blueman_manage_lib_files',`
++	gen_require(`
++		type blueman_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
++')
 diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
 new file mode 100644
-index 0000000..bccefc9
+index 0000000..6ed024b
 --- /dev/null
 +++ b/policy/modules/services/blueman.te
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,56 @@
 +policy_module(blueman, 1.0.0)
 +
 +########################################
@@ -28799,6 +89520,10 @@ index 0000000..bccefc9
 +type blueman_t;
 +type blueman_exec_t;
 +dbus_system_domain(blueman_t, blueman_exec_t)
++init_daemon_domain(blueman_t, blueman_exec_t)
++
++type blueman_var_lib_t;
++files_type(blueman_var_lib_t)
 +
 +########################################
 +#
@@ -28806,10 +89531,16 @@ index 0000000..bccefc9
 +#
 +allow blueman_t self:fifo_file rw_fifo_file_perms;
 +
++manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
++manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
++files_var_lib_filetrans(blueman_t, blueman_var_lib_t, { file dir })
++
 +kernel_read_system_state(blueman_t)
 +
 +corecmd_exec_bin(blueman_t)
 +
++dev_read_rand(blueman_t)
++dev_read_urand(blueman_t)
 +dev_rw_wireless(blueman_t)
 +
 +domain_use_interactive_fds(blueman_t)
@@ -28831,8 +89562,25 @@ index 0000000..bccefc9
 +optional_policy(`
 +	gnome_search_gconf(blueman_t)
 +')
++
++optional_policy(`
++	xserver_read_state_xdm(blueman_t)
++')
+diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
+index dc687e6..e0255eb 100644
+--- a/policy/modules/services/bluetooth.fc
++++ b/policy/modules/services/bluetooth.fc
+@@ -7,6 +7,8 @@
+ /etc/rc\.d/init\.d/dund	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/pand	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+ 
++/usr/lib/systemd/system/bluetooth.*  -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
++
+ #
+ # /usr
+ #
 diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
-index 3e45431..58b9ece 100644
+index 3e45431..2d28039 100644
 --- a/policy/modules/services/bluetooth.if
 +++ b/policy/modules/services/bluetooth.if
 @@ -14,6 +14,7 @@
@@ -28911,7 +89659,7 @@ index 3e45431..58b9ece 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -170,8 +198,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+@@ -170,8 +198,31 @@ interface(`bluetooth_dontaudit_read_helper_state',`
  		type bluetooth_helper_t;
  	')
  
@@ -28919,10 +89667,33 @@ index 3e45431..58b9ece 100644
 -	dontaudit $1 bluetooth_helper_t:file { read getattr };
 +	dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
 +	dontaudit $1 bluetooth_helper_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Execute bluetooth server in the bluetooth domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`bluetooth_systemctl',`
++	gen_require(`
++		type bluetooth_t;
++		type bluetooth_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 bluetooth_unit_file_t:file read_file_perms;
++	allow $1 bluetooth_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, bluetooth_t)
  ')
  
  ########################################
-@@ -193,23 +221,23 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+@@ -193,23 +244,24 @@ interface(`bluetooth_dontaudit_read_helper_state',`
  #
  interface(`bluetooth_admin',`
  	gen_require(`
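Review bot: The doc block on the new `bluetooth_systemctl` interface describes a domain transition, but the body does not perform one. It calls `systemd_exec_systemctl($1)`, grants `read_file_perms` on the unit file and `manage_service_perms` on its `service` class, and adds `ps_process_pattern($1, bluetooth_t)`. I would change the summary to `##	Execute systemctl to manage the bluetooth service and read its unit file.` and the parameter text to `##	Domain allowed access.`. The generated interface documentation is what a policy author reads when choosing an interface, so it should name the service-control access being handed out.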
@@ -28932,6 +89703,7 @@ index 3e45431..58b9ece 100644
 +		type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
  		type bluetooth_conf_t, bluetooth_conf_rw_t;
 -		type bluetooth_initrc_exec_t;
++		type bluetooth_unit_file_t;
  	')
  
 -	allow $1 bluetooth_t:process { ptrace signal_perms };
@@ -28953,7 +89725,7 @@ index 3e45431..58b9ece 100644
  	files_list_var($1)
  	admin_pattern($1, bluetooth_lock_t)
  
-@@ -217,9 +245,6 @@ interface(`bluetooth_admin',`
+@@ -217,12 +269,13 @@ interface(`bluetooth_admin',`
  	admin_pattern($1, bluetooth_conf_t)
  	admin_pattern($1, bluetooth_conf_rw_t)
  
@@ -28963,8 +89735,15 @@ index 3e45431..58b9ece 100644
  	files_list_var_lib($1)
  	admin_pattern($1, bluetooth_var_lib_t)
  
+ 	files_list_pids($1)
+ 	admin_pattern($1, bluetooth_var_run_t)
++
++	bluetooth_systemctl($1)
++	admin_pattern($1, bluetooth_unit_file_t)
++	allow $1 bluetooth_unit_file_t:service all_service_perms;
+ ')
 diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index 215b86b..76ab538 100644
+index 215b86b..d7c4d98 100644
 --- a/policy/modules/services/bluetooth.te
 +++ b/policy/modules/services/bluetooth.te
 @@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0)
@@ -28982,7 +89761,7 @@ index 215b86b..76ab538 100644
  
  type bluetooth_conf_rw_t;
  files_type(bluetooth_conf_rw_t)
-@@ -39,9 +40,6 @@ init_script_file(bluetooth_initrc_exec_t)
+@@ -39,15 +40,15 @@ init_script_file(bluetooth_initrc_exec_t)
  type bluetooth_lock_t;
  files_lock_file(bluetooth_lock_t)
  
@@ -28992,7 +89771,16 @@ index 215b86b..76ab538 100644
  type bluetooth_var_lib_t;
  files_type(bluetooth_var_lib_t)
  
-@@ -80,10 +78,6 @@ can_exec(bluetooth_t, bluetooth_helper_exec_t)
+ type bluetooth_var_run_t;
+ files_pid_file(bluetooth_var_run_t)
+ 
++type bluetooth_unit_file_t;
++systemd_unit_file(bluetooth_unit_file_t)
++
+ ########################################
+ #
+ # Bluetooth services local policy
+@@ -80,10 +81,6 @@ can_exec(bluetooth_t, bluetooth_helper_exec_t)
  allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
  files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
  
@@ -29003,7 +89791,7 @@ index 215b86b..76ab538 100644
  manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
  manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
  files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
-@@ -147,6 +141,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
+@@ -147,6 +144,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
  userdom_dontaudit_search_user_home_dirs(bluetooth_t)
  
  optional_policy(`
@@ -29014,7 +89802,7 @@ index 215b86b..76ab538 100644
  	dbus_system_bus_client(bluetooth_t)
  	dbus_connect_system_bus(bluetooth_t)
  
-@@ -190,7 +188,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+@@ -190,7 +191,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
  allow bluetooth_helper_t self:shm create_shm_perms;
  allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow bluetooth_helper_t self:tcp_socket create_socket_perms;
@@ -29022,7 +89810,7 @@ index 215b86b..76ab538 100644
  
  allow bluetooth_helper_t bluetooth_t:socket { read write };
  
-@@ -220,6 +217,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
+@@ -220,6 +220,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
  files_read_usr_files(bluetooth_helper_t)
  files_dontaudit_list_default(bluetooth_helper_t)
  
@@ -29031,7 +89819,7 @@ index 215b86b..76ab538 100644
  locallogin_dontaudit_use_fds(bluetooth_helper_t)
  
  logging_send_syslog_msg(bluetooth_helper_t)
-@@ -236,9 +235,5 @@ optional_policy(`
+@@ -236,9 +238,5 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29217,10 +90005,10 @@ index 0000000..9fe3f9e
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..dac00da
+index 0000000..b1c752c
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,190 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
@@ -29264,6 +90052,9 @@ index 0000000..dac00da
 +allow boinc_domain self:fifo_file rw_fifo_file_perms;
 +allow boinc_domain self:sem create_sem_perms;
 +
++manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++
 +# needs read /proc/interrupts
 +kernel_read_system_state(boinc_domain)
 +
@@ -29281,6 +90072,8 @@ index 0000000..dac00da
 +files_read_etc_runtime_files(boinc_domain)
 +files_read_usr_files(boinc_domain)
 +
++fs_getattr_all_fs(boinc_domain)
++
 +miscfiles_read_fonts(boinc_domain)
 +miscfiles_read_localization(boinc_domain)
 +
@@ -29293,7 +90086,7 @@ index 0000000..dac00da
 +# boinc local policy
 +#
 +
-+allow boinc_t self:process { setsched sigkill };
++allow boinc_t self:process { setsched setpgid signull sigkill };
 +
 +allow boinc_t self:unix_stream_socket create_stream_socket_perms;
 +allow boinc_t self:tcp_socket create_stream_socket_perms;
@@ -29307,13 +90100,17 @@ index 0000000..dac00da
 +fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
 +
 +exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir)
++# this should be created by default by boinc
++# we need this label for transition to boinc_project_t
++# other boinc lib files will end up with boinc_var_lib_t
++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
 +
 +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +
++kernel_search_vm_sysctl(boinc_t)
++
 +files_getattr_all_dirs(boinc_t)
 +files_getattr_all_files(boinc_t)
 +
@@ -29335,7 +90132,7 @@ index 0000000..dac00da
 +
 +files_dontaudit_getattr_boot_dirs(boinc_t)
 +
-+fs_getattr_all_fs(boinc_t)
++auth_read_passwd(boinc_t)
 +
 +term_getattr_all_ptys(boinc_t)
 +term_getattr_unallocated_ttys(boinc_t)
@@ -29353,30 +90150,32 @@ index 0000000..dac00da
 +# boinc-projects local policy
 +#
 +
++allow boinc_project_t self:capability { setuid setgid };
++
 +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 +allow boinc_t boinc_project_t:process sigkill;
++allow boinc_t boinc_project_t:process noatsecure;
 +
-+allow boinc_project_t self:process { setpgid setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { ptrace setcap getcap setpgid setsched signal signull sigkill sigstop };
 +allow boinc_project_t self:process { execmem execstack };
 +
 +manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 +manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
-+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
++manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
++files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
 +
 +allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
 +exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
 +
 +allow boinc_project_t boinc_project_var_lib_t:file execmod;
 +
 +allow boinc_project_t boinc_t:shm rw_shm_perms;
 +allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
 +
-+list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
-+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
-+
 +kernel_read_kernel_sysctls(boinc_project_t)
 +kernel_search_vm_sysctl(boinc_project_t)
 +kernel_read_network_state(boinc_project_t)
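Review bot: `allow boinc_t boinc_project_t:process noatsecure;` disables AT_SECURE on the boinc_t to boinc_project_t transition, so the loader no longer scrubs variables such as LD_PRELOAD when project code starts, and nothing in the hunk says why this is needed. The same hunk adds `ptrace setcap getcap` to `boinc_project_t self:process` and `self:capability { setuid setgid }`, for a domain that already holds `execmem execstack`, again with no why-comment. Each addition should carry a one-line comment naming the program that triggered the denial, for example `# noatsecure: <program> needs the inherited environment - confirm`. The unconditional self `ptrace` should also be checked against how the rest of the tree treats the `deny_ptrace` boolean from booleans-targeted.conf.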
@@ -29385,9 +90184,21 @@ index 0000000..dac00da
 +
 +files_dontaudit_search_home(boinc_project_t)
 +
++# needed by java
++fs_read_hugetlbfs_files(boinc_project_t)
++
++optional_policy(`
++	gnome_read_gconf_config(boinc_project_t)	
++')
++
 +optional_policy(`
 +	java_exec(boinc_project_t)
 +')
++
++# until solution for VirtualBox, java ..
++optional_policy(`
++	unconfined_domain(boinc_project_t)
++')
 diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc
 index 8c84063..c8bfb68 100644
 --- a/policy/modules/services/bugzilla.fc
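Review bot: The `optional_policy` block added at the end of boinc.te calls `unconfined_domain(boinc_project_t)`, which makes every other boinc_project_t rule in this file moot whenever the unconfined module is present. The domain that runs project code out of boinc_project_var_lib_t is then no longer restricted by type enforcement. The comment `# until solution for VirtualBox, java ..` marks it as temporary but gives no tracking reference or removal condition. I would drop the block and add only the accesses that the VirtualBox and Java denials actually show. At minimum, change the comment to `# TEMPORARY: boinc_project_t is unconfined until the VirtualBox/java denials are resolved (<tracker id>)` so the exception stands out when the policy is audited.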
@@ -30377,6 +91188,16 @@ index 3384132..97d3269 100644
  files_list_var(certmaster_t)
  files_search_var_lib(certmaster_t)
  
+diff --git a/policy/modules/services/certmonger.fc b/policy/modules/services/certmonger.fc
+index 5ad1a52..e66fcf6 100644
+--- a/policy/modules/services/certmonger.fc
++++ b/policy/modules/services/certmonger.fc
+@@ -4,3 +4,5 @@
+ 
+ /var/lib/certmonger(/.*)?		gen_context(system_u:object_r:certmonger_var_lib_t,s0)
+ /var/run/certmonger.pid		--	gen_context(system_u:object_r:certmonger_var_run_t,s0)
++
++/usr/lib/ipa/certmonger(/.*)?		gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
 diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
 index 7a6e5ba..e238dfd 100644
 --- a/policy/modules/services/certmonger.if
@@ -30419,20 +91240,28 @@ index 7a6e5ba..e238dfd 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index c3e3f79..3e78d4e 100644
+index c3e3f79..3bf8b0c 100644
 --- a/policy/modules/services/certmonger.te
 +++ b/policy/modules/services/certmonger.te
-@@ -23,7 +23,8 @@ files_type(certmonger_var_lib_t)
+@@ -18,12 +18,16 @@ files_pid_file(certmonger_var_run_t)
+ type certmonger_var_lib_t;
+ files_type(certmonger_var_lib_t)
+ 
++type certmonger_unconfined_exec_t;
++application_executable_file(certmonger_unconfined_exec_t)
++
+ ########################################
+ #
  # certmonger local policy
  #
  
 -allow certmonger_t self:capability { kill sys_nice };
-+allow certmonger_t self:capability { dac_override dac_read_search kill sys_nice };
++allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
 +dontaudit certmonger_t self:capability sys_tty_config;
  allow certmonger_t self:process { getsched setsched sigkill };
  allow certmonger_t self:fifo_file rw_file_perms;
  allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
-@@ -32,16 +33,19 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -32,16 +36,23 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
  
  manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
  manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@@ -30443,7 +91272,11 @@ index c3e3f79..3e78d4e 100644
  manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
  files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
  
++kernel_read_kernel_sysctls(certmonger_t)
++kernel_read_system_state(certmonger_t)
++
 +corecmd_exec_bin(certmonger_t)
++corecmd_exec_shell(certmonger_t)
 +
  corenet_tcp_sendrecv_generic_if(certmonger_t)
  corenet_tcp_sendrecv_generic_node(certmonger_t)
@@ -30453,16 +91286,19 @@ index c3e3f79..3e78d4e 100644
  
  dev_read_urand(certmonger_t)
  
-@@ -51,6 +55,8 @@ files_read_etc_files(certmonger_t)
+@@ -51,6 +62,11 @@ files_read_etc_files(certmonger_t)
  files_read_usr_files(certmonger_t)
  files_list_tmp(certmonger_t)
  
++auth_use_nsswitch(certmonger_t)
 +auth_rw_cache(certmonger_t)
 +
++init_getattr_all_script_files(certmonger_t)
++
  logging_send_syslog_msg(certmonger_t)
  
  miscfiles_read_localization(certmonger_t)
-@@ -58,15 +64,32 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+@@ -58,15 +74,60 @@ miscfiles_manage_generic_cert_files(certmonger_t)
  
  sysnet_dns_name_resolve(certmonger_t)
  
@@ -30470,6 +91306,8 @@ index c3e3f79..3e78d4e 100644
 +
 +optional_policy(`
 +	apache_search_config(certmonger_t)
++	apache_signal(certmonger_t)
++	apache_signull(certmonger_t)
 +')
 +
 +optional_policy(`
@@ -30482,7 +91320,9 @@ index c3e3f79..3e78d4e 100644
  ')
  
  optional_policy(`
-+    dirsrv_manage_config(certmonger_t)
++	dirsrv_manage_config(certmonger_t)
++	dirsrv_signal(certmonger_t)
++	dirsrv_signull(certmonger_t)
 +')
 +
 +optional_policy(`
@@ -30495,12 +91335,36 @@ index c3e3f79..3e78d4e 100644
  	pcscd_stream_connect(certmonger_t)
  ')
 +
++########################################
++#
++# certmonger_unconfined_script_t local policy
++#
++
++optional_policy(`
++	type certmonger_unconfined_t;
++	domain_type(certmonger_unconfined_t)
++
++	domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
++	role system_r types certmonger_unconfined_t;
++
++	domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
++
++	unconfined_domain(certmonger_unconfined_t)
++
++	allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
++	allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
++	allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
++
++	init_domtrans_script(certmonger_unconfined_t)
++
++	unconfined_domain(certmonger_unconfined_t)
++')
 diff --git a/policy/modules/services/cfengine.fc b/policy/modules/services/cfengine.fc
 new file mode 100644
-index 0000000..4ec83df
+index 0000000..4c52fa3
 --- /dev/null
 +++ b/policy/modules/services/cfengine.fc
-@@ -0,0 +1,10 @@
+@@ -0,0 +1,12 @@
 +
 +/usr/sbin/cf-serverd		--	gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
 +/usr/sbin/cf-execd		--	gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
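Review bot: The new certmonger_unconfined_t block in certmonger.te has three slips. `unconfined_domain(certmonger_unconfined_t)` is called twice, and the section header names `certmonger_unconfined_script_t` although the declared type is `certmonger_unconfined_t`. Also, `allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;` applies a file permission set to the dir class, where `list_dir_perms` looks like what was meant next to the `search_dir_perms` line. More important for review, the certmonger.fc hunk labels everything under `/usr/lib/ipa/certmonger(/.*)?` as certmonger_unconfined_exec_t. Combined with `domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)`, any file under that directory becomes an entry point from certmonger_t into an unconfined domain. A comment above the `domtrans_pattern` line should state this, for example `# helpers under /usr/lib/ipa/certmonger run unconfined; the directory must stay package-owned and not writable by confined domains`.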
@@ -30511,15 +91375,43 @@ index 0000000..4ec83df
 +/etc/rc\.d/init\.d/cf-execd	--	gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
 +
 +/var/cfengine(/.*)?			gen_context(system_u:object_r:cfengine_var_lib_t,s0)
++/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_var_log_t,s0)
++
 diff --git a/policy/modules/services/cfengine.if b/policy/modules/services/cfengine.if
 new file mode 100644
-index 0000000..883b697
+index 0000000..2972c77
 --- /dev/null
 +++ b/policy/modules/services/cfengine.if
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,143 @@
 +
 +## <summary>policy for cfengine</summary>
 +
++######################################
++## <summary>
++##  Creates types and rules for a basic
++##  cfengine init daemon domain.
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++template(`cfengine_domain_template',`
++    gen_require(`
++        attribute cfengine_domain;
++    ')
++
++	##############################
++	#
++	# Declarations
++	#
++
++	type cfengine_$1_t, cfengine_domain;
++	type cfengine_$1_exec_t;
++	init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)
++
++')
 +
 +########################################
 +## <summary>
@@ -30540,6 +91432,24 @@ index 0000000..883b697
 +	domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t)
 +')
 +
++#######################################
++## <summary>
++##  Search cfengine lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`cfengine_search_lib_files',`
++    gen_require(`
++        type cfengine_var_lib_t;
++    ')
++
++	allow $1 cfengine_var_lib_t:dir search_dir_perms;
++')
++
 +########################################
 +## <summary>
 +##	Read cfengine lib files.
@@ -30559,12 +91469,69 @@ index 0000000..883b697
 +	read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
 +')
 +
++######################################
++## <summary>
++##      Allow the specified domain to read cfengine's log files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`cfengine_read_log',`
++        gen_require(`
++                type cfengine_var_log_t;
++        ')
++
++        logging_search_logs($1)
++		files_search_var_lib($1)
++		cfengine_search_lib_files($1)
++        read_files_pattern($1, cfengine_var_log_t, cfengine_var_log_t)
++')
++
++#####################################
++## <summary>
++##      Allow the specified domain to append cfengine's log files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`cfengine_append_inherited_log',`
++        gen_require(`
++                type cfengine_var_log_t;
++        ')
++
++        cfengine_search_lib_files($1)
++		allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
++')
++
++####################################
++## <summary>
++##      Dontaudit the specified domain to write cfengine's log files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`cfengine_dontaudit_write_log',`
++        gen_require(`
++                type cfengine_var_log_t;
++        ')
++
++		dontaudit $1 cfengine_var_log_t:file write;
++')
 diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te
 new file mode 100644
-index 0000000..1ba0484
+index 0000000..0de6133
 --- /dev/null
 +++ b/policy/modules/services/cfengine.te
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,101 @@
 +policy_module(cfengine, 1.0.0)
 +
 +########################################
@@ -30572,9 +91539,11 @@ index 0000000..1ba0484
 +# Declarations
 +#
 +
-+type cfengine_serverd_t;
-+type cfengine_serverd_exec_t;
-+init_daemon_domain(cfengine_serverd_t, cfengine_serverd_exec_t)
++attribute cfengine_domain;
++
++cfengine_domain_template(serverd)
++cfengine_domain_template(execd)
++cfengine_domain_template(monitord)
 +
 +type cfengine_initrc_exec_t;
 +init_script_file(cfengine_initrc_exec_t)
@@ -30582,116 +91551,88 @@ index 0000000..1ba0484
 +type cfengine_var_lib_t;
 +files_type(cfengine_var_lib_t)
 +
-+type cfengine_execd_t;
-+type cfengine_execd_exec_t;
-+init_daemon_domain(cfengine_execd_t, cfengine_execd_exec_t)
++type cfengine_var_log_t;
++logging_log_file(cfengine_var_log_t)
 +
-+type cfengine_monitord_t;
-+type cfengine_monitord_exec_t;
-+init_daemon_domain(cfengine_monitord_t, cfengine_monitord_exec_t)
-+
-+########################################
++#######################################
 +#
-+# cfengine-server local policy
++# cfengine domain local policy
 +#
-+allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot };
-+allow cfengine_serverd_t self:process { fork setfscreate signal };
 +
-+allow cfengine_serverd_t self:fifo_file rw_fifo_file_perms;
-+allow cfengine_serverd_t self:unix_stream_socket create_stream_socket_perms;
++allow cfengine_domain self:fifo_file rw_fifo_file_perms;
++allow cfengine_domain self:unix_stream_socket create_stream_socket_perms;
 +
-+manage_dirs_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_files_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_lnk_files_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+files_var_lib_filetrans(cfengine_serverd_t, cfengine_var_lib_t, { dir file })
++manage_dirs_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
++manage_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
++manage_lnk_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
++files_var_lib_filetrans(cfengine_domain, cfengine_var_lib_t, { dir file })
 +
-+kernel_read_system_state(cfengine_serverd_t)
++manage_files_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)
++manage_dirs_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)
++logging_log_filetrans(cfengine_domain,cfengine_var_log_t,{ dir file })
 +
-+corecmd_exec_bin(cfengine_serverd_t)
-+corecmd_exec_shell(cfengine_serverd_t)
++kernel_read_system_state(cfengine_domain)
 +
-+dev_read_urand(cfengine_serverd_t)
-+dev_read_sysfs(cfengine_serverd_t)
++corecmd_exec_bin(cfengine_domain)
++corecmd_exec_shell(cfengine_domain)
 +
-+domain_use_interactive_fds(cfengine_serverd_t)
++dev_read_urand(cfengine_domain)
++dev_read_sysfs(cfengine_domain)
 +
-+files_read_etc_files(cfengine_serverd_t)
 +
-+auth_use_nsswitch(cfengine_serverd_t)
++logging_send_syslog_msg(cfengine_domain)
 +
-+logging_send_syslog_msg(cfengine_serverd_t)
++miscfiles_read_localization(cfengine_domain)
 +
-+miscfiles_read_localization(cfengine_serverd_t)
++sysnet_dns_name_resolve(cfengine_domain)
++sysnet_domtrans_ifconfig(cfengine_domain)
 +
-+sysnet_dns_name_resolve(cfengine_serverd_t)
-+sysnet_domtrans_ifconfig(cfengine_serverd_t)
++files_read_etc_files(cfengine_domain)
 +
 +########################################
 +#
-+# cfengine_exec local policy
++# cfengine-server local policy
 +#
-+allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot };
-+allow cfengine_execd_t self:process { fork setfscreate signal };
 +
-+allow cfengine_execd_t self:fifo_file rw_fifo_file_perms;
-+allow cfengine_execd_t self:unix_stream_socket create_stream_socket_perms;
++allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot };
++allow cfengine_serverd_t self:process { fork setfscreate signal };
 +
-+manage_dirs_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_files_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_lnk_files_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t)
++domain_use_interactive_fds(cfengine_serverd_t)
 +
-+domain_use_interactive_fds(cfengine_execd_t)
++auth_use_nsswitch(cfengine_serverd_t)
 +
-+files_read_etc_files(cfengine_execd_t)
++########################################
++#
++# cfengine_exec local policy
++#
 +
-+kernel_read_system_state(cfengine_execd_t)
++allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot };
++allow cfengine_execd_t self:process { fork setfscreate signal };
 +
-+corecmd_exec_bin(cfengine_execd_t)
-+corecmd_exec_shell(cfengine_execd_t)
++kernel_read_sysctl(cfengine_execd_t)
 +
-+dev_read_urand(cfengine_execd_t)
-+dev_read_sysfs(cfengine_execd_t)
++domain_read_all_domains_state(cfengine_execd_t)
++domain_use_interactive_fds(cfengine_execd_t)
 +
 +auth_use_nsswitch(cfengine_execd_t)
 +
-+logging_send_syslog_msg(cfengine_execd_t)
-+
-+miscfiles_read_localization(cfengine_execd_t)
-+
-+sysnet_dns_name_resolve(cfengine_execd_t)
-+sysnet_domtrans_ifconfig(cfengine_execd_t)
-+
 +########################################
 +#
 +# cfengine_monitord local policy
 +#
++
 +allow cfengine_monitord_t self:capability { chown kill setgid setuid sys_chroot };
 +allow cfengine_monitord_t self:process { fork setfscreate signal };
 +
-+allow cfengine_monitord_t self:fifo_file rw_fifo_file_perms;
-+allow cfengine_monitord_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_files_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_lnk_files_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t)
-+
-+corecmd_exec_bin(cfengine_monitord_t)
-+
-+dev_read_sysfs(cfengine_monitord_t)
-+dev_read_urand(cfengine_monitord_t)
++kernel_read_hotplug_sysctls(cfengine_monitord_t)
++kernel_read_network_state(cfengine_monitord_t)
 +
++domain_read_all_domains_state(cfengine_monitord_t)
 +domain_use_interactive_fds(cfengine_monitord_t)
 +
-+files_read_etc_files(cfengine_monitord_t)
++fs_getattr_xattr_fs(cfengine_monitord_t)
 +
 +auth_use_nsswitch(cfengine_monitord_t)
-+
-+logging_send_syslog_msg(cfengine_monitord_t)
-+
-+miscfiles_read_localization(cfengine_monitord_t)
-+
-+sysnet_dns_name_resolve(cfengine_monitord_t)
-+sysnet_domtrans_ifconfig(cfengine_monitord_t)
 diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
 index b6bb46c..645d203 100644
 --- a/policy/modules/services/cgroup.fc
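Review bot: Moving the shared rules in cfengine.te onto the `cfengine_domain` attribute also widens two of the three daemons compared with the per-domain rules it replaces. cfengine_monitord_t previously had `corecmd_exec_bin` but no `corecmd_exec_shell` and no `kernel_read_system_state`, and neither cfengine_execd_t nor cfengine_monitord_t had `files_var_lib_filetrans`; all three now get these through the attribute. If the widening is intended, a comment above the attribute rules should say so. Otherwise keep `corecmd_exec_shell(...)` and `files_var_lib_filetrans(...)` in the per-daemon sections that had them. The three `self:capability { chown kill setgid setuid sys_chroot }` lines remain identical copies, so it is worth confirming per daemon that each capability is actually used.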
@@ -30778,7 +91719,7 @@ index 33facaf..225e70c 100644
  	admin_pattern($1, cgrules_etc_t)
  	files_list_etc($1)
 diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
-index dad226c..084063b 100644
+index dad226c..59c2a27 100644
 --- a/policy/modules/services/cgroup.te
 +++ b/policy/modules/services/cgroup.te
 @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -30800,17 +91741,24 @@ index dad226c..084063b 100644
  allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
  
  kernel_read_system_state(cgclear_t)
-@@ -77,7 +76,8 @@ fs_unmount_cgroup(cgconfig_t)
+@@ -72,12 +71,15 @@ fs_mount_cgroup(cgconfig_t)
+ fs_mounton_cgroup(cgconfig_t)
+ fs_unmount_cgroup(cgconfig_t)
+ 
++auth_use_nsswitch(cgconfig_t)
++
+ ########################################
+ #
  # cgred personal policy.
  #
  
 -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
-+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override };
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
 +
  allow cgred_t self:netlink_socket { write bind create read };
  allow cgred_t self:unix_dgram_socket { write create connect };
  
-@@ -86,6 +86,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
+@@ -86,6 +88,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
  
  allow cgred_t cgrules_etc_t:file read_file_perms;
  
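Review bot: The cgred_t capability line in cgroup.te now only moves `sys_ptrace` to the end of the set. The earlier revision of this patch removed it and this revision puts it back, so the inner `-`/`+` pair grants the same capabilities as upstream and the policy patch carries a reordering with no effect. If cgred_t is meant to keep `sys_ptrace`, leave the upstream `allow cgred_t self:capability { ... }` line untouched so the patch stays minimal. If the capability was restored because of a specific denial, record that with a comment such as `# sys_ptrace: <reason> - confirm` above the rule. The commit description gives no reason for the reversal.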
@@ -30820,7 +91768,7 @@ index dad226c..084063b 100644
  # rc script creates pid file
  manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
  manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
-@@ -104,6 +107,8 @@ files_read_etc_files(cgred_t)
+@@ -104,6 +109,8 @@ files_read_etc_files(cgred_t)
  
  fs_write_cgroup_files(cgred_t)
  
@@ -30830,16 +91778,14 @@ index dad226c..084063b 100644
  
  miscfiles_read_localization(cgred_t)
 diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc
-index fd8cd0b..c11cd2f 100644
+index fd8cd0b..f33885f 100644
 --- a/policy/modules/services/chronyd.fc
 +++ b/policy/modules/services/chronyd.fc
-@@ -2,8 +2,14 @@
+@@ -2,8 +2,12 @@
  
  /etc/rc\.d/init\.d/chronyd	--	gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
  
-+/lib/systemd/system/chronyd.*	--      gen_context(system_u:object_r:chronyd_unit_file_t,s0)
-+
-+/usr/lib/systemd/system/chronyd.*	--      gen_context(system_u:object_r:chronyd_unit_file_t,s0)
++/usr/lib/systemd/system/chrony.*	--      gen_context(system_u:object_r:chronyd_unit_file_t,s0)
 +
  /usr/sbin/chronyd		--	gen_context(system_u:object_r:chronyd_exec_t,s0)
  
@@ -30849,7 +91795,7 @@ index fd8cd0b..c11cd2f 100644
 +/var/run/chronyd(/.*)			gen_context(system_u:object_r:chronyd_var_run_t,s0)
 +/var/run/chronyd\.sock			gen_context(system_u:object_r:chronyd_var_run_t,s0)
 diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..e3cec85 100644
+index 9a0da94..113eae2 100644
 --- a/policy/modules/services/chronyd.if
 +++ b/policy/modules/services/chronyd.if
 @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -30957,7 +91903,7 @@ index 9a0da94..e3cec85 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 chronyd_unit_file_t:file read_file_perms;
-+	allow $1 chronyd_unit_file_t:service all_service_perms;
++	allow $1 chronyd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, chronyd_t)
 +')
@@ -31003,7 +91949,7 @@ index 9a0da94..e3cec85 100644
  ####################################
  ## <summary>
  ##	All of the rules required to administrate
-@@ -75,31 +212,36 @@ interface(`chronyd_read_log',`
+@@ -75,31 +212,38 @@ interface(`chronyd_read_log',`
  #
  interface(`chronyd_admin',`
  	gen_require(`
@@ -31012,7 +91958,7 @@ index 9a0da94..e3cec85 100644
 -		type chronyd_initrc_exec_t, chronyd_keys_t;
 +		type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
 +		type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
-+		type chronyd_keys_t;
++		type chronyd_keys_t, chronyd_unit_file_t;
  	')
  
 -	allow $1 chronyd_t:process { ptrace signal_perms };
@@ -31048,10 +91994,12 @@ index 9a0da94..e3cec85 100644
 -	admin_pattern($1, chronyd_tmp_t)
 +	admin_pattern($1, chronyd_tmpfs_t)
 +
++	admin_pattern($1, chronyd_unit_file_t)
 +	chronyd_systemctl($1)
++	allow $1 chronyd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
-index fa82327..1a486b0 100644
+index fa82327..898d0db 100644
 --- a/policy/modules/services/chronyd.te
 +++ b/policy/modules/services/chronyd.te
 @@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t)
@@ -31067,7 +92015,12 @@ index fa82327..1a486b0 100644
  type chronyd_var_lib_t;
  files_type(chronyd_var_lib_t)
  
-@@ -34,9 +40,14 @@ allow chronyd_t self:process { getcap setcap setrlimit };
+@@ -30,13 +36,18 @@ files_pid_file(chronyd_var_run_t)
+ #
+ 
+ allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+-allow chronyd_t self:process { getcap setcap setrlimit };
++allow chronyd_t self:process { getcap setcap setrlimit signal };
  allow chronyd_t self:shm create_shm_perms;
  allow chronyd_t self:udp_socket create_socket_perms;
  allow chronyd_t self:unix_dgram_socket create_socket_perms;
@@ -31082,7 +92035,7 @@ index fa82327..1a486b0 100644
  manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
  manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
  manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
-@@ -48,8 +59,14 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
+@@ -48,8 +59,15 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
  
  manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
  manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
@@ -31091,6 +92044,7 @@ index fa82327..1a486b0 100644
 +files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
  
 +kernel_read_system_state(chronyd_t)
++kernel_read_network_state(chronyd_t)
 +
 +corecmd_exec_shell(chronyd_t)
 +
@@ -31098,7 +92052,7 @@ index fa82327..1a486b0 100644
  corenet_udp_bind_ntp_port(chronyd_t)
  # bind to udp/323
  corenet_udp_bind_chronyd_port(chronyd_t)
-@@ -63,6 +80,8 @@ logging_send_syslog_msg(chronyd_t)
+@@ -63,6 +81,8 @@ logging_send_syslog_msg(chronyd_t)
  
  miscfiles_read_localization(chronyd_t)
  
@@ -31108,11 +92062,15 @@ index fa82327..1a486b0 100644
  	gpsd_rw_shm(chronyd_t)
  ')
 diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
-index e8e9a21..89fc935 100644
+index e8e9a21..22986ef 100644
 --- a/policy/modules/services/clamav.fc
 +++ b/policy/modules/services/clamav.fc
-@@ -10,7 +10,9 @@
+@@ -8,9 +8,13 @@
+ /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
+ /usr/sbin/clamav-milter		--	gen_context(system_u:object_r:clamd_exec_t,s0)
  
++/usr/lib/systemd/system/clamd.*  --  gen_context(system_u:object_r:clamd_unit_file_t,s0)
++
  /var/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
  /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
 +/var/lib/clamd.*			gen_context(system_u:object_r:clamd_var_lib_t,s0)
@@ -31122,7 +92080,7 @@ index e8e9a21..89fc935 100644
  /var/log/clamd.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
  /var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
 diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
-index 1f11572..717fb8d 100644
+index 1f11572..87840b4 100644
 --- a/policy/modules/services/clamav.if
 +++ b/policy/modules/services/clamav.if
 @@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
@@ -31149,7 +92107,7 @@ index 1f11572..717fb8d 100644
  ')
  
  ########################################
-@@ -133,6 +134,25 @@ interface(`clamav_exec_clamscan',`
+@@ -133,6 +134,49 @@ interface(`clamav_exec_clamscan',`
  
  ########################################
  ## <summary>
@@ -31170,12 +92128,36 @@ index 1f11572..717fb8d 100644
 +	manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
 +')
 +
++#######################################
++## <summary>
++##      Execute clamd server in the clamd domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed to transition.
++##      </summary>
++## </param>
++#
++interface(`clamd_systemctl',`
++        gen_require(`
++                type clamd_t;
++                type clamd_unit_file_t;
++        ')
++
++        systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++        allow $1 clamd_unit_file_t:file read_file_perms;
++        allow $1 clamd_unit_file_t:service manage_service_perms;
++
++        ps_process_pattern($1, clamd_t)
++')
++
 +########################################
 +## <summary>
  ##	All of the rules required to administrate
  ##	an clamav environment
  ## </summary>
-@@ -151,19 +171,24 @@ interface(`clamav_exec_clamscan',`
+@@ -151,19 +195,25 @@ interface(`clamav_exec_clamscan',`
  interface(`clamav_admin',`
  	gen_require(`
  		type clamd_t, clamd_etc_t, clamd_tmp_t;
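Review bot: The summary block on the new `clamd_systemctl` interface describes a domain transition ("Execute clamd server in the clamd domain", "Domain allowed to transition"), but the body only lets the caller run systemctl, read `clamd_unit_file_t` files, use `manage_service_perms` on the unit and list `clamd_t` processes. Administrators read the generated interface documentation when deciding who gets this access, so I would reword it to `##      Execute systemctl to manage the clamd service unit.` with the parameter summary `##      Domain allowed access.`. The same copied text appears on `cobblerd_systemctl`, `collectd_systemctl`, `colord_systemctl` and `condor_systemctl` further down the patch. The body is also indented with spaces where the neighbouring interfaces use tabs. This hunk ends inside the `gen_require` of `clamav_admin`, which continues in the next hunk.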
@@ -31185,6 +92167,7 @@ index 1f11572..717fb8d 100644
 +		type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
 +		type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
  		type freshclam_t, freshclam_var_log_t;
++		type clamd_unit_file_t;
  	')
  
 -	allow $1 clamd_t:process { ptrace signal_perms };
@@ -31206,11 +92189,33 @@ index 1f11572..717fb8d 100644
  	ps_process_pattern($1, freshclam_t)
  
  	init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+@@ -171,6 +221,10 @@ interface(`clamav_admin',`
+ 	role_transition $2 clamd_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	clamd_systemctl($1)
++	admin_pattern($1, clamd_unit_file_t)
++	allow $1 clamd_unit_file_t:service all_service_perms;
++
+ 	files_list_etc($1)
+ 	admin_pattern($1, clamd_etc_t)
+ 
+@@ -189,4 +243,10 @@ interface(`clamav_admin',`
+ 	admin_pattern($1, clamscan_tmp_t)
+ 
+ 	admin_pattern($1, freshclam_var_log_t)
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++
+ ')
 diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..9f2a358 100644
+index f758323..ced0ce2 100644
 --- a/policy/modules/services/clamav.te
 +++ b/policy/modules/services/clamav.te
-@@ -1,9 +1,16 @@
+@@ -1,9 +1,23 @@
  policy_module(clamav, 1.9.0)
  
  ## <desc>
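Review bot: `clamav_admin` now reaches `systemd_read_fifo_file_passwd_run($1)` twice: once through the unconditional `clamd_systemctl($1)`, whose body earlier in this patch calls it directly, and again in the new trailing `optional_policy` block. The optional wrapper implies the systemd module may be absent, yet `clamd_systemctl($1)` and its `systemd_exec_systemctl($1)` sit outside any such wrapper, so the two choices contradict each other. I would either drop the duplicate line from the optional block or move `clamd_systemctl($1)` inside it. It is also worth confirming that `allow $1 clamd_unit_file_t:service all_service_perms;` is intended on top of the `manage_service_perms` the helper already grants; the macro definitions are not on this page, so if the two sets are the same the extra rule can go.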
@@ -31224,13 +92229,30 @@ index f758323..9f2a358 100644
 +gen_tunable(clamscan_read_user_content, false)
 +
 +## <desc>
++##  <p>
++##  Allow clamscan to non security files on a system
++##  </p>
++## </desc>
++gen_tunable(clamscan_can_scan_system, false)
++
++## <desc>
 +##	<p>
 +##	Allow clamd to use JIT compiler
 +##	</p>
  ## </desc>
  gen_tunable(clamd_use_jit, false)
  
-@@ -64,6 +71,8 @@ logging_log_file(freshclam_var_log_t)
+@@ -24,6 +38,9 @@ files_config_file(clamd_etc_t)
+ type clamd_initrc_exec_t;
+ init_script_file(clamd_initrc_exec_t)
+ 
++type clamd_unit_file_t;
++systemd_unit_file(clamd_unit_file_t)
++
+ # tmp files
+ type clamd_tmp_t;
+ files_tmp_file(clamd_tmp_t)
+@@ -64,6 +81,8 @@ logging_log_file(freshclam_var_log_t)
  
  allow clamd_t self:capability { kill setgid setuid dac_override };
  dontaudit clamd_t self:capability sys_tty_config;
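Review bot: The description of the new `clamscan_can_scan_system` boolean is missing its verb ("Allow clamscan to non security files on a system"), and this text is what administrators see when they list booleans. The boolean gates `files_read_non_security_files(clamscan_t)` later in this patch, so I would write `##  Allow clamscan to read all non-security files on the system`. Keeping the default at `false` fits a domain that parses untrusted file content, and a second sentence in the description saying what enabling it exposes would help whoever turns it on.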
@@ -31239,7 +92261,7 @@ index f758323..9f2a358 100644
  allow clamd_t self:fifo_file rw_fifo_file_perms;
  allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow clamd_t self:unix_dgram_socket create_socket_perms;
-@@ -80,6 +89,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+@@ -80,6 +99,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
  files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
  
  # var/lib files for clamd
@@ -31247,7 +92269,7 @@ index f758323..9f2a358 100644
  manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
  manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
  
-@@ -89,9 +99,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+@@ -89,9 +109,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
  logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
  
  # pid file
@@ -31259,7 +92281,7 @@ index f758323..9f2a358 100644
  
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
-@@ -110,6 +121,7 @@ corenet_tcp_bind_generic_node(clamd_t)
+@@ -110,6 +131,7 @@ corenet_tcp_bind_generic_node(clamd_t)
  corenet_tcp_bind_clamd_port(clamd_t)
  corenet_tcp_bind_generic_port(clamd_t)
  corenet_tcp_connect_generic_port(clamd_t)
@@ -31267,7 +92289,7 @@ index f758323..9f2a358 100644
  corenet_sendrecv_clamd_server_packets(clamd_t)
  
  dev_read_rand(clamd_t)
-@@ -127,13 +139,6 @@ logging_send_syslog_msg(clamd_t)
+@@ -127,13 +149,6 @@ logging_send_syslog_msg(clamd_t)
  
  miscfiles_read_localization(clamd_t)
  
@@ -31281,7 +92303,7 @@ index f758323..9f2a358 100644
  optional_policy(`
  	amavis_read_lib_files(clamd_t)
  	amavis_read_spool_files(clamd_t)
-@@ -142,13 +147,31 @@ optional_policy(`
+@@ -142,13 +157,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31314,7 +92336,7 @@ index f758323..9f2a358 100644
  ')
  
  ########################################
-@@ -178,10 +201,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +211,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
  
  # log files (own logfiles only)
  manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -31333,7 +92355,7 @@ index f758323..9f2a358 100644
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +218,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +228,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
@@ -31341,7 +92363,7 @@ index f758323..9f2a358 100644
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,16 +237,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +247,22 @@ miscfiles_read_localization(freshclam_t)
  
  clamav_stream_connect(freshclam_t)
  
@@ -31358,13 +92380,17 @@ index f758323..9f2a358 100644
  ')
  
 +optional_policy(`
++	clamd_systemctl(freshclam_t)
++')
++
++optional_policy(`
 +	cron_system_entry(freshclam_t, freshclam_exec_t)
 +')
 +
  ########################################
  #
  # clamscam local policy
-@@ -242,15 +274,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +288,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
  manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
  allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
  
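Review bot: `clamd_systemctl(freshclam_t)` hands the signature updater everything in `manage_service_perms` on `clamd_unit_file_t`, plus `ps_process_pattern` on `clamd_t`, with no comment on what freshclam needs it for. freshclam_t is a network client (it is allowed `corenet_tcp_connect_http_port` elsewhere in this file), so if that permission set includes stop or disable, which the macro definition outside this page would confirm, a compromised updater could switch the scanner off. If the intent is only to have clamd pick up a new database, a narrower rule such as `allow freshclam_t clamd_unit_file_t:service { status reload };` would say so; check the permission names against the `service` class definition. At minimum add a comment above the call stating the reason, for example `# freshclam asks systemd to reload clamd after a database update` if that is the case.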
@@ -31389,12 +92415,16 @@ index f758323..9f2a358 100644
 +	userdom_dontaudit_read_user_home_content_files(clamscan_t)
 +')
 +
++tunable_policy(`clamscan_can_scan_system',`
++        files_read_non_security_files(clamscan_t)
++')
++
  kernel_read_kernel_sysctls(clamscan_t)
 +kernel_read_system_state(clamscan_t)
  
  files_read_etc_files(clamscan_t)
  files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +310,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +328,15 @@ miscfiles_read_public_files(clamscan_t)
  
  clamav_stream_connect(clamscan_t)
  
@@ -31539,10 +92569,10 @@ index 0000000..7f55959
 +')
 diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
 new file mode 100644
-index 0000000..22b18dc
+index 0000000..2709243
 --- /dev/null
 +++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,222 @@
+@@ -0,0 +1,224 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -31639,6 +92669,7 @@ index 0000000..22b18dc
 +manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
 +logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
 +
++kernel_read_kernel_sysctls(deltacloudd_t)
 +kernel_read_system_state(deltacloudd_t)
 +
 +corecmd_exec_bin(deltacloudd_t)
@@ -31717,6 +92748,7 @@ index 0000000..22b18dc
 +corenet_tcp_bind_mongod_port(mongod_t)
 +
 +kernel_read_vm_sysctls(mongod_t)
++kernel_read_system_state(mongod_t)
 +
 +files_read_usr_files(mongod_t)
 +
@@ -31810,10 +92842,10 @@ index f8463c0..126b293 100644
  	domain_system_change_exemption($1)
  	role_transition $2 cmirrord_initrc_exec_t system_r;
 diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
-index 1cf6c4e..e4bac67 100644
+index 1cf6c4e..0858f92 100644
 --- a/policy/modules/services/cobbler.fc
 +++ b/policy/modules/services/cobbler.fc
-@@ -1,7 +1,33 @@
+@@ -1,7 +1,35 @@
 -/etc/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_etc_t, s0)
 -/etc/rc\.d/init\.d/cobblerd --	gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
  
@@ -31822,6 +92854,8 @@ index 1cf6c4e..e4bac67 100644
 +
 +/etc/rc\.d/init\.d/cobblerd			--	gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
 +
++/usr/lib/systemd/system/cobblerd.*	--      gen_context(system_u:object_r:cobblerd_unit_file_t,s0)
++
 +/usr/bin/cobblerd				--      gen_context(system_u:object_r:cobblerd_exec_t,s0)
 +
 +/var/lib/cobbler(/.*)?					gen_context(system_u:object_r:cobbler_var_lib_t,s0)
@@ -31853,7 +92887,7 @@ index 1cf6c4e..e4bac67 100644
 -/var/lib/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_lib_t, s0)
 -/var/log/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_log_t, s0)
 diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
-index 116d60f..11f6a31 100644
+index 116d60f..e2c6ec6 100644
 --- a/policy/modules/services/cobbler.if
 +++ b/policy/modules/services/cobbler.if
 @@ -1,12 +1,12 @@
@@ -31960,7 +92994,7 @@ index 116d60f..11f6a31 100644
  	files_search_var_lib($1)
  ')
  
-@@ -137,12 +140,33 @@ interface(`cobbler_manage_lib_files',`
+@@ -137,12 +140,56 @@ interface(`cobbler_manage_lib_files',`
  		type cobbler_var_lib_t;
  	')
  
@@ -31991,16 +93025,40 @@ index 116d60f..11f6a31 100644
 +
 +########################################
 +## <summary>
++##	Execute cobblerd server in the cobblerd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`cobblerd_systemctl',`
++	gen_require(`
++		type cobblerd_t;
++		type cobblerd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 cobblerd_unit_file_t:file read_file_perms;
++	allow $1 cobblerd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, cobblerd_t)
++')
++
++########################################
++## <summary>
  ##	All of the rules required to administrate
  ##	an cobblerd environment
  ## </summary>
-@@ -161,25 +185,38 @@ interface(`cobbler_manage_lib_files',`
+@@ -161,25 +208,43 @@ interface(`cobbler_manage_lib_files',`
  interface(`cobblerd_admin',`
  	gen_require(`
  		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
 -		type cobbler_etc_t, cobblerd_initrc_exec_t;
 +		type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
 +		type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
++		type cobblerd_unit_file_t;
  	')
  
 -	allow $1 cobblerd_t:process { ptrace signal_perms getattr };
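Review bot: `cobblerd_systemctl` leaves out the `systemd_read_fifo_file_passwd_run($1)` call that `clamd_systemctl` and `condor_systemctl` in this same patch include, and `collectd_systemctl` and `colord_systemctl` omit it as well. Nothing visible explains the difference, so either the call is needed wherever systemctl runs on the caller's behalf or it should be dropped from the two helpers that have it. I would settle on one shape for all `*_systemctl` interfaces so that the access each one grants is predictable. The hunk ends on the first lines of `cobblerd_admin`, whose body continues in the next hunk.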
@@ -32037,9 +93095,13 @@ index 116d60f..11f6a31 100644
 +		# traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
 +		tftp_search_rw_content($1)
 +	')
++
++	cobblerd_systemctl($1)
++	admin_pattern($1, cobblerd_unit_file_t)
++	allow $1 cobblerd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 0258b48..1328a63 100644
+index 0258b48..5f685a0 100644
 --- a/policy/modules/services/cobbler.te
 +++ b/policy/modules/services/cobbler.te
 @@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
@@ -32082,7 +93144,7 @@ index 0258b48..1328a63 100644
  type cobblerd_t;
  type cobblerd_exec_t;
  init_daemon_domain(cobblerd_t, cobblerd_exec_t)
-@@ -26,25 +48,40 @@ files_config_file(cobbler_etc_t)
+@@ -26,25 +48,43 @@ files_config_file(cobbler_etc_t)
  type cobbler_var_log_t;
  logging_log_file(cobbler_var_log_t)
  
@@ -32093,6 +93155,9 @@ index 0258b48..1328a63 100644
 +type cobbler_tmp_t;
 +files_tmp_file(cobbler_tmp_t)
 +
++type cobblerd_unit_file_t;
++systemd_unit_file(cobblerd_unit_file_t)
++
  ########################################
  #
  # Cobbler personal policy.
@@ -32126,7 +93191,7 @@ index 0258b48..1328a63 100644
  
  append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
  create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -52,7 +89,12 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+@@ -52,7 +92,12 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
  setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
  logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
  
@@ -32139,7 +93204,7 @@ index 0258b48..1328a63 100644
  
  corecmd_exec_bin(cobblerd_t)
  corecmd_exec_shell(cobblerd_t)
-@@ -65,44 +107,111 @@ corenet_tcp_bind_generic_node(cobblerd_t)
+@@ -65,44 +110,111 @@ corenet_tcp_bind_generic_node(cobblerd_t)
  corenet_tcp_sendrecv_generic_if(cobblerd_t)
  corenet_tcp_sendrecv_generic_node(cobblerd_t)
  corenet_tcp_sendrecv_generic_port(cobblerd_t)
@@ -32180,7 +93245,7 @@ index 0258b48..1328a63 100644
  miscfiles_read_localization(cobblerd_t)
  miscfiles_read_public_files(cobblerd_t)
  
-+selinux_dontaudit_read_fs(cobblerd_t)
++selinux_get_enforce_mode(cobblerd_t)
 +
  sysnet_read_config(cobblerd_t)
  sysnet_rw_dhcp_config(cobblerd_t)
@@ -32253,7 +93318,7 @@ index 0258b48..1328a63 100644
  ')
  
  optional_policy(`
-@@ -110,12 +219,20 @@ optional_policy(`
+@@ -110,12 +222,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32274,10 +93339,11 @@ index 0258b48..1328a63 100644
 +	# Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
 +	# are any of those hard linked?
 +	tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
++	tftp_manage_config(cobblerd_t)
  ')
  
  ########################################
-@@ -124,5 +241,6 @@ optional_policy(`
+@@ -124,5 +245,6 @@ optional_policy(`
  #
  
  apache_content_template(cobbler)
@@ -32286,13 +93352,15 @@ index 0258b48..1328a63 100644
  manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
 diff --git a/policy/modules/services/collectd.fc b/policy/modules/services/collectd.fc
 new file mode 100644
-index 0000000..9d06a27
+index 0000000..2e1007b
 --- /dev/null
 +++ b/policy/modules/services/collectd.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,13 @@
 +
 +/etc/rc\.d/init\.d/collectd	--	gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
 +
++/usr/lib/systemd/system/collectd.*  -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
++
 +/usr/sbin/collectd		--	gen_context(system_u:object_r:collectd_exec_t,s0)
 +
 +/var/lib/collectd(/.*)?			gen_context(system_u:object_r:collectd_var_lib_t,s0)
@@ -32303,14 +93371,13 @@ index 0000000..9d06a27
 +
 diff --git a/policy/modules/services/collectd.if b/policy/modules/services/collectd.if
 new file mode 100644
-index 0000000..40a0157
+index 0000000..40415f8
 --- /dev/null
 +++ b/policy/modules/services/collectd.if
-@@ -0,0 +1,161 @@
+@@ -0,0 +1,186 @@
 +
 +## <summary>policy for collectd</summary>
 +
-+
 +########################################
 +## <summary>
 +##	Transition to collectd.
@@ -32426,6 +93493,28 @@ index 0000000..40a0157
 +	manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
 +')
 +
++########################################
++## <summary>
++##	Execute collectd server in the collectd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`collectd_systemctl',`
++	gen_require(`
++		type collectd_t;
++		type collectd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 collectd_unit_file_t:file read_file_perms;
++	allow $1 collectd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, collectd_t)
++')
 +
 +########################################
 +## <summary>
@@ -32447,8 +93536,9 @@ index 0000000..40a0157
 +interface(`collectd_admin',`
 +	gen_require(`
 +		type collectd_t;
-+	type collectd_initrc_exec_t;
-+	type collectd_var_lib_t;
++		type collectd_initrc_exec_t;
++		type collectd_var_lib_t;
++		type collectd_unit_file_t;
 +	')
 +
 +	allow $1 collectd_t:process signal_perms;
@@ -32466,14 +93556,17 @@ index 0000000..40a0157
 +	files_search_var_lib($1)
 +	admin_pattern($1, collectd_var_lib_t)
 +
++	collectd_systemctl($1)
++	admin_pattern($1, collectd_unit_file_t)
++	allow $1 collectd_unit_file_t:service all_service_perms;
 +')
 +
 diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
 new file mode 100644
-index 0000000..ab1d55b
+index 0000000..e7ca6fc
 --- /dev/null
 +++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,88 @@
 +policy_module(collectd, 1.0.0)
 +
 +########################################
@@ -32502,14 +93595,19 @@ index 0000000..ab1d55b
 +type collectd_var_run_t;
 +files_pid_file(collectd_var_run_t)
 +
++type collectd_unit_file_t;
++systemd_unit_file(collectd_unit_file_t)
++
 +########################################
 +#
 +# collectd local policy
 +#
++
 +allow collectd_t self:capability ipc_lock;
-+allow collectd_t self:process fork;
++allow collectd_t self:process { signal fork };
 +
 +allow collectd_t self:fifo_file rw_fifo_file_perms;
++allow collectd_t self:packet_socket create_socket_perms;
 +allow collectd_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
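Review bot: The added `allow collectd_t self:packet_socket create_socket_perms;` lets the collectd daemon open raw packet sockets, a much wider view of the network than a statistics collector usually needs, and the rule carries no comment naming what requires it. Only `ipc_lock` is granted under `self:capability` in the visible lines, and packet sockets normally also need `net_raw`, so unless that capability is granted outside this hunk the rule may not achieve what was intended. I would add a comment such as `# needed by the <plugin name> plugin` and consider putting the rule behind a tunable that defaults to off.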
@@ -32527,6 +93625,8 @@ index 0000000..ab1d55b
 +kernel_read_system_state(collectd_t)
 +
 +dev_read_sysfs(collectd_t)
++dev_read_urand(collectd_t)
++dev_read_rand(collectd_t)
 +
 +files_getattr_all_dirs(collectd_t)
 +files_read_etc_files(collectd_t)
@@ -32555,8 +93655,51 @@ index 0000000..ab1d55b
 +	miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
 +')
 +
+diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
+index 78b2fea..ef975ac 100644
+--- a/policy/modules/services/colord.fc
++++ b/policy/modules/services/colord.fc
+@@ -1,4 +1,7 @@
+ /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
++/usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
++
++/usr/lib/systemd/system/colord.*  -- gen_context(system_u:object_r:colord_unit_file_t,s0)
+ 
+ /var/lib/color(/.*)?		gen_context(system_u:object_r:colord_var_lib_t,s0)
+ /var/lib/colord(/.*)?		gen_context(system_u:object_r:colord_var_lib_t,s0)
+diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if
+index 733e4e6..fa2c3cb 100644
+--- a/policy/modules/services/colord.if
++++ b/policy/modules/services/colord.if
+@@ -57,3 +57,26 @@ interface(`colord_read_lib_files',`
+ 	files_search_var_lib($1)
+ 	read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
+ ')
++
++########################################
++## <summary>
++##	Execute colord server in the colord domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`colord_systemctl',`
++	gen_require(`
++		type colord_t;
++		type colord_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 colord_unit_file_t:file read_file_perms;
++	allow $1 colord_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, colord_t)
++')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..543b5dc 100644
+index 74505cc..dbd4f7f 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
 @@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
@@ -32567,7 +93710,15 @@ index 74505cc..543b5dc 100644
  
  type colord_tmp_t;
  files_tmp_file(colord_tmp_t)
-@@ -23,9 +24,11 @@ files_type(colord_var_lib_t)
+@@ -18,14 +19,20 @@ files_tmpfs_file(colord_tmpfs_t)
+ type colord_var_lib_t;
+ files_type(colord_var_lib_t)
+ 
++type colord_unit_file_t;
++systemd_unit_file(colord_unit_file_t)
++
+ ########################################
+ #
  # colord local policy
  #
  allow colord_t self:capability { dac_read_search dac_override };
@@ -32576,10 +93727,11 @@ index 74505cc..543b5dc 100644
  allow colord_t self:fifo_file rw_fifo_file_perms;
  allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow colord_t self:tcp_socket create_stream_socket_perms;
++allow colord_t self:shm create_shm_perms;
  allow colord_t self:udp_socket create_socket_perms;
  allow colord_t self:unix_dgram_socket create_socket_perms;
  
-@@ -41,8 +44,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+@@ -41,8 +48,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
  
@@ -32595,7 +93747,7 @@ index 74505cc..543b5dc 100644
  
  corenet_all_recvfrom_unlabeled(colord_t)
  corenet_all_recvfrom_netlabel(colord_t)
-@@ -50,6 +59,8 @@ corenet_udp_bind_generic_node(colord_t)
+@@ -50,6 +63,8 @@ corenet_udp_bind_generic_node(colord_t)
  corenet_udp_bind_ipp_port(colord_t)
  corenet_tcp_connect_ipp_port(colord_t)
  
@@ -32604,7 +93756,7 @@ index 74505cc..543b5dc 100644
  dev_read_video_dev(colord_t)
  dev_write_video_dev(colord_t)
  dev_rw_printer(colord_t)
-@@ -65,19 +76,35 @@ files_list_mnt(colord_t)
+@@ -65,19 +80,35 @@ files_list_mnt(colord_t)
  files_read_etc_files(colord_t)
  files_read_usr_files(colord_t)
  
@@ -32641,7 +93793,7 @@ index 74505cc..543b5dc 100644
  	fs_read_cifs_files(colord_t)
  ')
  
-@@ -89,6 +116,12 @@ optional_policy(`
+@@ -89,6 +120,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32654,7 +93806,7 @@ index 74505cc..543b5dc 100644
  	policykit_dbus_chat(colord_t)
  	policykit_domtrans_auth(colord_t)
  	policykit_read_lib(colord_t)
-@@ -96,5 +129,16 @@ optional_policy(`
+@@ -96,5 +133,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32671,8 +93823,619 @@ index 74505cc..543b5dc 100644
 +	# /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
 +	xserver_read_inherited_xdm_lib_files(colord_t)
 +')
++
++optional_policy(`
++	zoneminder_rw_tmpfs_files(colord_t)
++')
+diff --git a/policy/modules/services/condor.fc b/policy/modules/services/condor.fc
+new file mode 100644
+index 0000000..b3a5b51
+--- /dev/null
++++ b/policy/modules/services/condor.fc
+@@ -0,0 +1,21 @@
++/usr/lib/systemd/system/condor.*		--	gen_context(system_u:object_r:condor_unit_file_t,s0)
++
++/usr/sbin/condor_master		--	gen_context(system_u:object_r:condor_master_exec_t,s0)
++/usr/sbin/condor_collector         --      gen_context(system_u:object_r:condor_collector_exec_t,s0)
++/usr/sbin/condor_negotiator         --      gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
++/usr/sbin/condor_schedd         --      gen_context(system_u:object_r:condor_schedd_exec_t,s0)
++/usr/sbin/condor_startd         --      gen_context(system_u:object_r:condor_startd_exec_t,s0)
++/usr/sbin/condor_starter        --      gen_context(system_u:object_r:condor_startd_exec_t,s0)
++/usr/sbin/condor_procd         --      gen_context(system_u:object_r:condor_procd_exec_t,s0)
++
++/var/lib/condor(/.*)?		gen_context(system_u:object_r:condor_var_lib_t,s0)
++
++/var/lib/condor/execute(/.*)?		gen_context(system_u:object_r:condor_var_lib_t,s0)
++
++/var/lib/condor/spool(/.*)?		gen_context(system_u:object_r:condor_var_lib_t,s0)
++
++/var/lock/condor(/.*)?		gen_context(system_u:object_r:condor_var_lock_t,s0)
++
++/var/log/condor(/.*)?		gen_context(system_u:object_r:condor_log_t,s0)
++
++/var/run/condor(/.*)?		gen_context(system_u:object_r:condor_var_run_t,s0)
+diff --git a/policy/modules/services/condor.if b/policy/modules/services/condor.if
+new file mode 100644
+index 0000000..168f664
+--- /dev/null
++++ b/policy/modules/services/condor.if
+@@ -0,0 +1,327 @@
++
++## <summary>policy for condor</summary>
++
++#####################################
++## <summary>
++##  Creates types and rules for a basic
++##  condor init daemon domain.
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++template(`condor_domain_template',`
++    gen_require(`
++        type condor_master_t;
++        attribute condor_domain;
++    ')
++
++    #############################
++    #
++    # Declarations
++    #
++
++    type condor_$1_t, condor_domain;
++    type condor_$1_exec_t;
++    init_daemon_domain(condor_$1_t, condor_$1_exec_t)
++    role system_r types condor_$1_t;
++
++    domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
++    allow condor_master_t condor_$1_exec_t:file ioctl;
++')
++
++########################################
++## <summary>
++##	Transition to condor.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`condor_domtrans',`
++	gen_require(`
++		type condor_t, condor_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, condor_exec_t, condor_t)
++')
++########################################
++## <summary>
++##	Read condor's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`condor_read_log',`
++	gen_require(`
++		type condor_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, condor_log_t, condor_log_t)
++')
++
++########################################
++## <summary>
++##	Append to condor log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_append_log',`
++	gen_require(`
++		type condor_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, condor_log_t, condor_log_t)
++')
++
++########################################
++## <summary>
++##	Manage condor log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_manage_log',`
++	gen_require(`
++		type condor_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, condor_log_t, condor_log_t)
++	manage_files_pattern($1, condor_log_t, condor_log_t)
++	manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
++')
++
++########################################
++## <summary>
++##	Search condor lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_search_lib',`
++	gen_require(`
++		type condor_var_lib_t;
++	')
++
++	allow $1 condor_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read condor lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_read_lib_files',`
++	gen_require(`
++		type condor_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++######################################
++## <summary>
++##  Read and write condor lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`condor_rw_lib_files',`
++    gen_require(`
++        type condor_var_lib_t;
++    ')
++
++    files_search_var_lib($1)
++    rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage condor lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_manage_lib_files',`
++	gen_require(`
++		type condor_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage condor lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_manage_lib_dirs',`
++	gen_require(`
++		type condor_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Read condor PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_read_pid_files',`
++	gen_require(`
++		type condor_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 condor_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Execute condor server in the condor domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`condor_systemctl',`
++	gen_require(`
++		type condor_t;
++		type condor_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_read_fifo_file_passwd_run($1)
++	allow $1 condor_unit_file_t:file read_file_perms;
++	allow $1 condor_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, condor_t)
++')
++
++
++#######################################
++## <summary>
++##  Read and write condor_startd server TCP sockets.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`condor_rw_tcp_sockets_startd',`
++	gen_require(`
++		type condor_startd_t;
++	')
++
++	allow $1 condor_startd_t:tcp_socket rw_socket_perms;
++')
++
++######################################
++## <summary>
++##  Read and write condor_schedd server TCP sockets.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`condor_rw_tcp_sockets_schedd',`
++    gen_require(`
++        type condor_schedd_t;
++    ')
++
++    allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an condor environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`condor_admin',`
++	gen_require(`
++		type condor_t;
++		type condor_log_t;
++		type condor_var_lib_t;
++		type condor_var_run_t;
++	type condor_unit_file_t;
++	')
++
++	allow $1 condor_t:process { ptrace signal_perms };
++	ps_process_pattern($1, condor_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, condor_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, condor_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, condor_var_run_t)
++
++	condor_systemctl($1)
++	admin_pattern($1, condor_unit_file_t)
++	allow $1 condor_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te
+new file mode 100644
+index 0000000..4eb7bd9
+--- /dev/null
++++ b/policy/modules/services/condor.te
+@@ -0,0 +1,231 @@
++policy_module(condor, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++##  <p>
++##  Allow codnor domain to connect to the network using TCP.
++##  </p>
++## </desc>
++gen_tunable(condor_domain_can_network_connect, false)
++
++attribute condor_domain;
++
++type condor_master_t, condor_domain;
++type condor_master_exec_t;
++init_daemon_domain(condor_master_t, condor_master_exec_t)
++
++condor_domain_template(collector)
++condor_domain_template(negotiator)
++condor_domain_template(schedd)
++condor_domain_template(startd)
++condor_domain_template(procd)
++
++type condor_schedd_tmp_t;
++files_tmp_file(condor_schedd_tmp_t)
++
++type condor_startd_tmp_t;
++files_tmp_file(condor_startd_tmp_t)
++
++type condor_startd_tmpfs_t;
++files_tmpfs_file(condor_startd_tmpfs_t)
++
++type condor_log_t;
++logging_log_file(condor_log_t)
++
++type condor_var_lib_t;
++files_type(condor_var_lib_t)
++
++type condor_var_lock_t;
++files_lock_file(condor_var_lock_t)
++
++type condor_var_run_t;
++files_pid_file(condor_var_run_t)
++
++type condor_unit_file_t;
++systemd_unit_file(condor_unit_file_t)
++
++########################################
++#
++# condor domain local policy
++#
++
++allow condor_domain self:process signal_perms;
++allow condor_domain self:fifo_file rw_fifo_file_perms;
++
++allow condor_domain self:tcp_socket create_stream_socket_perms;
++allow condor_domain self:udp_socket create_socket_perms;
++allow condor_domain self:unix_stream_socket create_stream_socket_perms;
++
++allow condor_domain condor_master_t:process signull;
++allow condor_domain condor_master_t:tcp_socket getattr;
++
++manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
++manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
++logging_log_filetrans(condor_domain, condor_log_t, { dir file })
++
++manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
++manage_files_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
++files_var_lib_filetrans(condor_domain, condor_var_lib_t, { dir file })
++
++manage_files_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t)
++files_lock_filetrans(condor_domain, condor_var_lock_t, file)
++
++manage_dirs_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
++manage_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
++manage_fifo_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
++files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
++
++kernel_read_system_state(condor_domain)
++kernel_read_network_state(condor_domain)
++
++corecmd_exec_bin(condor_domain)
++corecmd_exec_shell(condor_domain)
++
++corenet_tcp_connect_condor_port(condor_domain)
++corenet_tcp_connect_all_ephemeral_ports(condor_domain)
++
++domain_use_interactive_fds(condor_domain)
++
++dev_read_rand(condor_domain)
++dev_read_urand(condor_domain)
++dev_read_sysfs(condor_domain)
++
++files_read_etc_files(condor_domain)
++
++logging_send_syslog_msg(condor_domain)
++
++miscfiles_read_localization(condor_domain)
++
++tunable_policy(`condor_domain_can_network_connect',`
++    corenet_tcp_connect_all_ports(condor_domain)
++')
++
++optional_policy(`
++	rhcs_stream_connect_cluster(condor_domain)
++')
++
++optional_policy(`
++    sysnet_dns_name_resolve(condor_domain)
++')
++
++#####################################
++#
++# condor master local policy
++#
++
++allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
++
++allow condor_master_t condor_domain:process signal;
++
++corenet_tcp_bind_condor_port(condor_master_t)
++corenet_udp_bind_condor_port(condor_master_t)
++
++domain_read_all_domains_state(condor_master_t)
++
++auth_use_nsswitch(condor_master_t)
++
++######################################
++#
++# condor collector local policy
++#
++
++allow condor_collector_t self:capability { setuid setgid };
++
++allow condor_collector_t condor_master_t:tcp_socket rw_stream_socket_perms;
++allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
++
++kernel_read_network_state(condor_collector_t)
++
++auth_use_nsswitch(condor_collector_t)
++
++#####################################
++#
++# condor negotiator local policy
++#
++allow condor_negotiator_t self:capability { setuid setgid };
++allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
++allow condor_negotiator_t condor_master_t:udp_socket getattr;
++
++corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
++
++auth_use_nsswitch(condor_negotiator_t)
++
++######################################
++#
++# condor procd local policy
++#
++
++allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace };
++
++domain_read_all_domains_state(condor_procd_t)
++
++#######################################
++#
++# condor schedd local policy
++#
++
++domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
++domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
++
++# dac_override because of /var/log/condor
++allow condor_schedd_t self:capability { setuid chown setgid dac_override };
++allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
++allow condor_schedd_t condor_master_t:udp_socket getattr;
++
++allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
++
++manage_dirs_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
++manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
++files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
++allow condor_schedd_t condor_schedd_tmp_t:file { relabelfrom relabelto };
++
++kernel_read_kernel_sysctls(condor_schedd_t)
++
++corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
++
++auth_use_nsswitch(condor_schedd_t)
++
++#####################################
++#
++# condor startd local policy
++#
++
++# also needed by java
++allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
++allow condor_startd_t self:process execmem;
++
++manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
++manage_files_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
++files_tmp_filetrans(condor_startd_t, condor_startd_tmp_t, { file dir })
++allow condor_startd_t condor_startd_tmp_t:file { relabelfrom relabelto };
++
++manage_dirs_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t)
++manage_files_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t)
++fs_tmpfs_filetrans(condor_startd_t, condor_startd_tmpfs_t, { dir file })
++
++can_exec(condor_startd_t, condor_startd_exec_t)
++
++kernel_read_kernel_sysctls(condor_startd_t)
++
++domain_read_all_domains_state(condor_startd_t)
++
++auth_use_nsswitch(condor_startd_t)
++
++init_domtrans_script(condor_startd_t)
++
++libs_exec_lib_files(condor_startd_t)
++
++files_read_usr_files(condor_startd_t)
++
++optional_policy(`
++	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
++	ssh_domtrans(condor_startd_t)
++')
++
++optional_policy(`
++	unconfined_domain(condor_startd_t)
++')
+diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc
+index 32233ab..7058d21 100644
+--- a/policy/modules/services/consolekit.fc
++++ b/policy/modules/services/consolekit.fc
+@@ -1,3 +1,5 @@
++/usr/lib/systemd/system/console-kit.*  -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
++
+ /usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
+ 
+ /var/log/ConsoleKit(/.*)?		gen_context(system_u:object_r:consolekit_log_t,s0)
 diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
-index fd15dfe..d33cc41 100644
+index fd15dfe..b6337fd 100644
 --- a/policy/modules/services/consolekit.if
 +++ b/policy/modules/services/consolekit.if
 @@ -5,9 +5,9 @@
@@ -32740,7 +94503,7 @@ index fd15dfe..d33cc41 100644
  ##	Read consolekit log files.
  ## </summary>
  ## <param name="domain">
-@@ -96,3 +135,41 @@ interface(`consolekit_read_pid_files',`
+@@ -96,3 +135,64 @@ interface(`consolekit_read_pid_files',`
  	allow $1 consolekit_var_run_t:dir list_dir_perms;
  	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
  ')
@@ -32782,29 +94545,54 @@ index fd15dfe..d33cc41 100644
 +	kernel_search_proc($1)
 +	ps_process_pattern($1, consolekit_t)
 +')
++
++########################################
++## <summary>
++##	Execute consolekit server in the consolekit domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`consolekit_systemctl',`
++	gen_require(`
++		type consolekit_t;
++		type consolekit_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 consolekit_unit_file_t:file read_file_perms;
++	allow $1 consolekit_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, consolekit_t)
++')
 diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index e67a003..f5b76dd 100644
+index e67a003..cc813f3 100644
 --- a/policy/modules/services/consolekit.te
 +++ b/policy/modules/services/consolekit.te
-@@ -15,12 +15,16 @@ logging_log_file(consolekit_log_t)
+@@ -15,12 +15,19 @@ logging_log_file(consolekit_log_t)
  type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
  
 +type consolekit_tmpfs_t;
 +files_tmpfs_file(consolekit_tmpfs_t)
 +
++type consolekit_unit_file_t;
++systemd_unit_file(consolekit_unit_file_t)
++
  ########################################
  #
  # consolekit local policy
  #
  
--allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
-+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice };
+ allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
 +
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
  allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -43,7 +47,6 @@ dev_read_sysfs(consolekit_t)
+@@ -43,7 +50,6 @@ dev_read_sysfs(consolekit_t)
  
  domain_read_all_domains_state(consolekit_t)
  domain_use_interactive_fds(consolekit_t)
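Review bot: consolekit_t keeps `sys_ptrace` in its capability set after this sync: the previous revision of the patch replaced the `allow consolekit_t self:capability` line with one that omitted it, and this revision leaves the upstream line untouched. Nothing in the hunk records why the removal was reverted; the nearby `domain_read_all_domains_state(consolekit_t)` may be the consumer, but that is an inference. I would either restore the narrowed rule, `allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice };`, or add a comment above the rule naming the operation that needs the capability, e.g. `# sys_ptrace: needed to read state of other users' processes — confirm`. The consolekit.te section continues in later hunks.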
@@ -32812,7 +94600,7 @@ index e67a003..f5b76dd 100644
  
  files_read_etc_files(consolekit_t)
  files_read_usr_files(consolekit_t)
-@@ -53,8 +56,6 @@ files_search_all_mountpoints(consolekit_t)
+@@ -53,8 +59,6 @@ files_search_all_mountpoints(consolekit_t)
  
  fs_list_inotifyfs(consolekit_t)
  
@@ -32821,7 +94609,7 @@ index e67a003..f5b76dd 100644
  term_use_all_terms(consolekit_t)
  
  auth_use_nsswitch(consolekit_t)
-@@ -69,17 +70,17 @@ logging_send_audit_msgs(consolekit_t)
+@@ -69,17 +73,17 @@ logging_send_audit_msgs(consolekit_t)
  
  miscfiles_read_localization(consolekit_t)
  
@@ -32846,7 +94634,7 @@ index e67a003..f5b76dd 100644
  ')
  
  optional_policy(`
-@@ -99,6 +100,10 @@ optional_policy(`
+@@ -99,6 +103,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32857,7 +94645,7 @@ index e67a003..f5b76dd 100644
  	policykit_dbus_chat(consolekit_t)
  	policykit_domtrans_auth(consolekit_t)
  	policykit_read_lib(consolekit_t)
-@@ -106,9 +111,10 @@ optional_policy(`
+@@ -106,9 +114,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32870,7 +94658,7 @@ index e67a003..f5b76dd 100644
  	xserver_read_xdm_pid(consolekit_t)
  	xserver_read_user_xauth(consolekit_t)
  	xserver_non_drawing_client(consolekit_t)
-@@ -124,6 +130,5 @@ optional_policy(`
+@@ -124,6 +133,5 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32878,12 +94666,14 @@ index e67a003..f5b76dd 100644
  	unconfined_stream_connect(consolekit_t)
  ')
 diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
-index 3a6d7eb..6c753ff 100644
+index 3a6d7eb..bb32bf0 100644
 --- a/policy/modules/services/corosync.fc
 +++ b/policy/modules/services/corosync.fc
-@@ -1,8 +1,14 @@
+@@ -1,12 +1,22 @@
  /etc/rc\.d/init\.d/corosync	--	gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/heartbeat	--	gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/corosync.*  -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
  
  /usr/sbin/corosync		--	gen_context(system_u:object_r:corosync_exec_t,s0)
 +/usr/sbin/corosync-notifyd      --      gen_context(system_u:object_r:corosync_exec_t,s0)
@@ -32891,18 +94681,19 @@ index 3a6d7eb..6c753ff 100644
  /usr/sbin/ccs_tool		--	gen_context(system_u:object_r:corosync_exec_t,s0)
 +/usr/sbin/cman_tool		--	gen_context(system_u:object_r:corosync_exec_t,s0)
 +
-+/usr/lib(64)?/heartbeat(/.*)?           gen_context(system_u:object_r:corosync_var_lib_t,s0)
 +/usr/lib(64)?/heartbeat/heartbeat	--  gen_context(system_u:object_r:corosync_exec_t,s0)
  
  /var/lib/corosync(/.*)?			gen_context(system_u:object_r:corosync_var_lib_t,s0)
++/var/lib/heartbeat(/.*)?		gen_context(system_u:object_r:corosync_var_lib_t,s0)
  
-@@ -10,3 +16,4 @@
+ /var/log/cluster/corosync\.log	--	gen_context(system_u:object_r:corosync_var_log_t,s0)
  
  /var/run/cman_.*		-s	gen_context(system_u:object_r:corosync_var_run_t,s0)
  /var/run/corosync\.pid		--	gen_context(system_u:object_r:corosync_var_run_t,s0)
-+/var/run/hearbeat(/.*)?             gen_context(system_u:object_r:corosync_var_run_t,s0)
++/var/run/heartbeat(/.*)?             gen_context(system_u:object_r:corosync_var_run_t,s0)
++/var/run/rsctmp(/.*)?             gen_context(system_u:object_r:corosync_var_run_t,s0)
 diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
-index 5220c9d..db158cc 100644
+index 5220c9d..11e5dc4 100644
 --- a/policy/modules/services/corosync.if
 +++ b/policy/modules/services/corosync.if
 @@ -18,6 +18,25 @@ interface(`corosync_domtrans',`
@@ -32931,8 +94722,41 @@ index 5220c9d..db158cc 100644
  #######################################
  ## <summary>
  ##	Allow the specified domain to read corosync's log files.
-@@ -82,9 +101,13 @@ interface(`corosyncd_admin',`
+@@ -58,6 +77,29 @@ interface(`corosync_stream_connect',`
+ 	stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
+ ')
+ 
++########################################
++## <summary>
++##	Execute corosync server in the corosync domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`corosync_systemctl',`
++	gen_require(`
++		type corosync_t;
++		type corosync_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 corosync_unit_file_t:file read_file_perms;
++	allow $1 corosync_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, corosync_t)
++')
++
+ ######################################
+ ## <summary>
+ ##	All of the rules required to administrate
+@@ -80,11 +122,16 @@ interface(`corosyncd_admin',`
+ 		type corosync_t, corosync_var_lib_t, corosync_var_log_t;
+ 		type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
  		type corosync_initrc_exec_t;
++		type corosync_unit_file_t;
  	')
  
 -	allow $1 corosync_t:process { ptrace signal_perms };
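Review bot: The doc block on `corosync_systemctl` describes a domain transition ("Execute corosync server in the corosync domain", parameter "Domain allowed to transition"), but the body performs none: it calls `systemd_exec_systemctl($1)` and allows `manage_service_perms` on `corosync_unit_file_t`. The same copied text sits on `consolekit_systemctl` and `couchdb_systemctl` in other hunks, and on `condor_systemctl` earlier in the patch. Since these interfaces hand out control of a service unit, the summary should say so, for example `##	Run systemctl and manage the corosync service unit.` with the parameter described as `##	Domain allowed access.`.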
@@ -32946,8 +94770,17 @@ index 5220c9d..db158cc 100644
  	init_labeled_script_domtrans($1, corosync_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 corosync_initrc_exec_t system_r;
+@@ -103,4 +150,8 @@ interface(`corosyncd_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, corosync_var_run_t)
++
++	corosync_systemctl($1)
++	admin_pattern($1, corosync_unit_file_t)
++	allow $1 corosync_unit_file_t:service all_service_perms;
+ ')
 diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 04969e5..a603e70 100644
+index 04969e5..58b16a6 100644
 --- a/policy/modules/services/corosync.te
 +++ b/policy/modules/services/corosync.te
 @@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
@@ -32958,18 +94791,29 @@ index 04969e5..a603e70 100644
  
  type corosync_initrc_exec_t;
  init_script_file(corosync_initrc_exec_t)
-@@ -32,8 +33,8 @@ files_pid_file(corosync_var_run_t)
+@@ -27,23 +28,32 @@ logging_log_file(corosync_var_log_t)
+ type corosync_var_run_t;
+ files_pid_file(corosync_var_run_t)
+ 
++type corosync_unit_file_t;
++systemd_unit_file(corosync_unit_file_t)
++
+ ########################################
+ #
  # corosync local policy
  #
  
 -allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
 -allow corosync_t self:process { setrlimit setsched signal };
-+allow corosync_t self:capability { dac_override setuid setgid sys_nice sys_resource ipc_lock };
++allow corosync_t self:capability { dac_override setuid setgid sys_nice sys_admin sys_resource ipc_lock };
++# for hearbeat
++allow corosync_t self:capability { net_raw chown };
 +allow corosync_t self:process { setpgid setrlimit setsched signal signull };
  
  allow corosync_t self:fifo_file rw_fifo_file_perms;
  allow corosync_t self:sem create_sem_perms;
-@@ -41,9 +42,12 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
++allow corosync_t self:shm create_shm_perms;
+ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow corosync_t self:unix_dgram_socket create_socket_perms;
  allow corosync_t self:udp_socket create_socket_perms;
  
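Review bot: `sys_admin` is added to the corosync_t capability line without any comment, although it is the broadest capability in the set; the follow-up rule for `net_raw chown` at least carries `# for hearbeat`. Please state which operation needs it, e.g. `# sys_admin: required by <operation> — confirm`, or give it its own `allow` line so it can be dropped once the requirement is gone. The existing comment also misspells the service name and should read `# for heartbeat`.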
@@ -32982,19 +94826,35 @@ index 04969e5..a603e70 100644
  
  manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
  manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
-@@ -63,8 +67,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
- files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
+@@ -52,7 +62,8 @@ fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file })
+ manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+ manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+ manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+-files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
++manage_fifo_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t)
++files_var_lib_filetrans(corosync_t,corosync_var_lib_t, { file dir fifo_file sock_file })
+ 
+ manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+ manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+@@ -60,11 +71,16 @@ logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
+ 
+ manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+-files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
++manage_dirs_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t)
++files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file dir })
  
  kernel_read_system_state(corosync_t)
 +kernel_read_network_state(corosync_t)
 +kernel_read_net_sysctls(corosync_t)
++kernel_read_kernel_sysctls(corosync_t)
  
  corecmd_exec_bin(corosync_t)
 +corecmd_exec_shell(corosync_t)
  
  corenet_udp_bind_netsupport_port(corosync_t)
  
-@@ -73,9 +80,12 @@ dev_read_urand(corosync_t)
+@@ -73,9 +89,12 @@ dev_read_urand(corosync_t)
  domain_read_all_domains_state(corosync_t)
  
  files_manage_mounttab(corosync_t)
@@ -33007,10 +94867,11 @@ index 04969e5..a603e70 100644
  init_read_script_state(corosync_t)
  init_rw_script_tmp_files(corosync_t)
  
-@@ -83,21 +93,51 @@ logging_send_syslog_msg(corosync_t)
+@@ -83,21 +102,52 @@ logging_send_syslog_msg(corosync_t)
  
  miscfiles_read_localization(corosync_t)
  
++userdom_read_user_tmp_files(corosync_t)
 +userdom_delete_user_tmpfs_files(corosync_t)
  userdom_rw_user_tmpfs_files(corosync_t)
  
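Review bot: `userdom_read_user_tmp_files(corosync_t)` is added with no explanation, and judging by the interface name it lets the cluster daemon read files that users leave in temporary directories. The definition is not visible here, so the exact scope should be checked. A grant that crosses from a system service into user data deserves a why-comment in the style used further down in this file (`# to communication with RHCS`), e.g. `# reads <file> created by <tool> in /tmp — confirm`.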
@@ -33028,11 +94889,13 @@ index 04969e5..a603e70 100644
 -	rhcs_rw_dlm_controld_semaphores(corosync_t)
 +	cmirrord_rw_shm(corosync_t)
 +')
-+
+ 
+-	rhcs_rw_fenced_semaphores(corosync_t)
 +optional_policy(`
 +	dbus_system_bus_client(corosync_t)
 +')
-+
+ 
+-	rhcs_rw_gfs_controld_semaphores(corosync_t)
 +optional_policy(`
 +	drbd_domtrans(corosync_t)
 +')
@@ -33041,13 +94904,11 @@ index 04969e5..a603e70 100644
 +	lvm_rw_clvmd_tmpfs_files(corosync_t)
 +	lvm_delete_clvmd_tmpfs_files(corosync_t)
 +')
- 
--	rhcs_rw_fenced_semaphores(corosync_t)
++
 +optional_policy(`
 +	qpidd_rw_shm(corosync_t)
 +')
- 
--	rhcs_rw_gfs_controld_semaphores(corosync_t)
++
 +optional_policy(`
 +	rhcs_getattr_fenced(corosync_t)
 +	# to communication with RHCS
@@ -33063,6 +94924,369 @@ index 04969e5..a603e70 100644
  	rgmanager_manage_tmpfs_files(corosync_t)
  ')
 +
+diff --git a/policy/modules/services/couchdb.fc b/policy/modules/services/couchdb.fc
+new file mode 100644
+index 0000000..196461b
+--- /dev/null
++++ b/policy/modules/services/couchdb.fc
+@@ -0,0 +1,11 @@
++/etc/couchdb(/.*)?		gen_context(system_u:object_r:couchdb_etc_t,s0)
++
++/usr/bin/couchdb	--	gen_context(system_u:object_r:couchdb_exec_t,s0)
++
++/usr/lib/systemd/system/couchdb.*		--	gen_context(system_u:object_r:couchdb_unit_file_t,s0)
++
++/var/lib/couchdb(/.*)?		gen_context(system_u:object_r:couchdb_var_lib_t,s0)
++
++/var/log/couchdb(/.*)?		gen_context(system_u:object_r:couchdb_log_t,s0)
++
++/var/run/couchdb(/.*)?		gen_context(system_u:object_r:couchdb_var_run_t,s0)
+diff --git a/policy/modules/services/couchdb.if b/policy/modules/services/couchdb.if
+new file mode 100644
+index 0000000..31692fb
+--- /dev/null
++++ b/policy/modules/services/couchdb.if
+@@ -0,0 +1,249 @@
++
++## <summary>policy for couchdb</summary>
++
++########################################
++## <summary>
++##	Transition to couchdb.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`couchdb_domtrans',`
++	gen_require(`
++		type couchdb_t, couchdb_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, couchdb_exec_t, couchdb_t)
++')
++########################################
++## <summary>
++##	Read couchdb's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`couchdb_read_log',`
++	gen_require(`
++		type couchdb_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, couchdb_log_t, couchdb_log_t)
++')
++
++########################################
++## <summary>
++##	Append to couchdb log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_append_log',`
++	gen_require(`
++		type couchdb_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, couchdb_log_t, couchdb_log_t)
++')
++
++########################################
++## <summary>
++##	Manage couchdb log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_manage_log',`
++	gen_require(`
++		type couchdb_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, couchdb_log_t, couchdb_log_t)
++	manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
++	manage_lnk_files_pattern($1, couchdb_log_t, couchdb_log_t)
++')
++
++########################################
++## <summary>
++##	Search couchdb lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_search_lib',`
++	gen_require(`
++		type couchdb_var_lib_t;
++	')
++
++	allow $1 couchdb_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read couchdb lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_read_lib_files',`
++	gen_require(`
++		type couchdb_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage couchdb lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_manage_lib_files',`
++	gen_require(`
++		type couchdb_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage couchdb lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_manage_lib_dirs',`
++	gen_require(`
++		type couchdb_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Read couchdb PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`couchdb_read_pid_files',`
++	gen_require(`
++		type couchdb_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 couchdb_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Execute couchdb server in the couchdb domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`couchdb_systemctl',`
++	gen_require(`
++		type couchdb_t;
++		type couchdb_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_read_fifo_file_passwd_run($1)
++	allow $1 couchdb_unit_file_t:file read_file_perms;
++	allow $1 couchdb_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, couchdb_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an couchdb environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`couchdb_admin',`
++	gen_require(`
++		type couchdb_t, couchdb_etc_t, couchdb_log_t;
++		type couchdb_var_lib_t, couchdb_var_run_t;
++		type couchdb_unit_file_t;
++	')
++
++	allow $1 couchdb_t:process { ptrace signal_perms };
++	ps_process_pattern($1, couchdb_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, couchdb_log_t)
++
++	files_search_etc($1)
++	admin_pattern($1, couchdb_etc_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, couchdb_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, couchdb_var_run_t)
++
++	admin_pattern($1, couchdb_unit_file_t)
++	couchdb_systemctl($1)
++	allow $1 couchdb_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/policy/modules/services/couchdb.te b/policy/modules/services/couchdb.te
+new file mode 100644
+index 0000000..4a80b5c
+--- /dev/null
++++ b/policy/modules/services/couchdb.te
+@@ -0,0 +1,85 @@
++policy_module(couchdb, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type couchdb_t;
++type couchdb_exec_t;
++init_daemon_domain(couchdb_t, couchdb_exec_t)
++
++type couchdb_etc_t;
++files_config_file(couchdb_etc_t)
++
++type couchdb_tmp_t;
++files_tmp_file(couchdb_tmp_t)
++
++type couchdb_log_t;
++logging_log_file(couchdb_log_t)
++
++type couchdb_var_lib_t;
++files_type(couchdb_var_lib_t)
++
++type couchdb_var_run_t;
++files_pid_file(couchdb_var_run_t)
++
++type couchdb_unit_file_t;
++systemd_unit_file(couchdb_unit_file_t)
++
++########################################
++#
++# couchdb local policy
++#
++allow couchdb_t self:process { setsched signal signull sigkill };
++allow couchdb_t self:fifo_file rw_fifo_file_perms;
++allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
++allow couchdb_t self:tcp_socket create_stream_socket_perms;
++allow couchdb_t self:udp_socket create_socket_perms;
++
++allow couchdb_t couchdb_etc_t:dir list_dir_perms;
++read_files_pattern(couchdb_t, couchdb_etc_t, couchdb_etc_t)
++
++manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
++manage_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
++logging_log_filetrans(couchdb_t, couchdb_log_t, { dir file })
++
++manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
++manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
++files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })
++
++manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
++manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
++files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, { dir file })
++
++manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
++manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
++files_pid_filetrans(couchdb_t, couchdb_var_run_t, { dir file })
++
++can_exec(couchdb_t, couchdb_exec_t)
++
++kernel_read_system_state(couchdb_t)
++
++corecmd_exec_bin(couchdb_t)
++corecmd_exec_shell(couchdb_t)
++
++corenet_tcp_bind_generic_node(couchdb_t)
++corenet_udp_bind_generic_node(couchdb_t)
++corenet_tcp_bind_couchdb_port(couchdb_t)
++
++dev_list_sysfs(couchdb_t)
++dev_read_sysfs(couchdb_t)
++dev_read_urand(couchdb_t)
++
++domain_use_interactive_fds(couchdb_t)
++
++files_read_etc_files(couchdb_t)
++files_read_usr_files(couchdb_t)
++
++fs_getattr_xattr_fs(couchdb_t)
++
++auth_use_nsswitch(couchdb_t)
++
++libs_exec_lib_files(couchdb_t)
++
++miscfiles_read_localization(couchdb_t)
 diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
 index 01d31f1..8e2754b 100644
 --- a/policy/modules/services/courier.fc
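Review bot: `couchdb_admin` grants `ptrace` on couchdb_t unconditionally in `allow $1 couchdb_t:process { ptrace signal_perms };`, so, assuming `deny_ptrace` from booleans-targeted.conf is implemented through conditional allow rules, that boolean would not be honoured on this path. The corosyncd_admin hunk in this same patch removes the equivalent combined rule, while `condor_admin` earlier in the patch still has it. I would keep `allow $1 couchdb_t:process signal_perms;` unconditional and move the `ptrace` permission into a `tunable_policy` block that applies only when `deny_ptrace` is off. The doc block also declares a second `role` parameter and `<rolecap/>`, yet the body never uses `$2`; either drop that parameter from the documentation or add the role rules it implies.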
@@ -33280,19 +95504,25 @@ index 13d2f63..861fad7 100644
  ')
  
 diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 2eefc08..32a4a69 100644
+index 2eefc08..16adc00 100644
 --- a/policy/modules/services/cron.fc
 +++ b/policy/modules/services/cron.fc
-@@ -2,6 +2,8 @@
- 
+@@ -3,6 +3,9 @@
  /etc/cron\.d(/.*)?			gen_context(system_u:object_r:system_cron_spool_t,s0)
  /etc/crontab			--	gen_context(system_u:object_r:system_cron_spool_t,s0)
-+/lib/systemd/system/crond\.service	--	gen_context(system_u:object_r:crond_unit_file_t,s0)
-+/usr/lib/systemd/system/crond\.service	--	gen_context(system_u:object_r:crond_unit_file_t,s0)
  
++/usr/lib/systemd/system/atd.*	--	gen_context(system_u:object_r:crond_unit_file_t,s0)
++/usr/lib/systemd/system/crond.*	--	gen_context(system_u:object_r:crond_unit_file_t,s0)
++
  /usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
  /usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
-@@ -14,14 +16,15 @@
+ 
+@@ -11,17 +14,20 @@
+ /usr/sbin/cron(d)?		--	gen_context(system_u:object_r:crond_exec_t,s0)
+ /usr/sbin/fcron			--	gen_context(system_u:object_r:crond_exec_t,s0)
+ 
++/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
++
  /var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
  /var/run/atd\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
  /var/run/crond?\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -33310,14 +95540,14 @@ index 2eefc08..32a4a69 100644
  #/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
  /var/spool/cron/[^/]*		--	<<none>>
  
-@@ -45,3 +48,5 @@ ifdef(`distro_suse', `
+@@ -45,3 +51,5 @@ ifdef(`distro_suse', `
  /var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 +
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..9ac0000 100644
+index 35241ed..2f6f038 100644
 --- a/policy/modules/services/cron.if
 +++ b/policy/modules/services/cron.if
 @@ -12,6 +12,11 @@
@@ -33533,7 +95763,17 @@ index 35241ed..9ac0000 100644
  ')
  
  ########################################
-@@ -304,7 +323,7 @@ interface(`cron_exec',`
+@@ -264,6 +283,9 @@ interface(`cron_system_entry',`
+ 	domtrans_pattern(crond_t, $2, $1)
+ 
+ 	role system_r types $1;
++
++	allow $1 crond_t:fifo_file rw_fifo_file_perms;
++	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+ ')
+ 
+ ########################################
+@@ -304,7 +326,7 @@ interface(`cron_exec',`
  
  ########################################
  ## <summary>
@@ -33542,7 +95782,7 @@ index 35241ed..9ac0000 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -322,6 +341,29 @@ interface(`cron_initrc_domtrans',`
+@@ -322,6 +344,29 @@ interface(`cron_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -33562,7 +95802,7 @@ index 35241ed..9ac0000 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 crond_unit_file_t:file read_file_perms;
-+	allow $1 crond_unit_file_t:service all_service_perms;
++	allow $1 crond_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, crond_t)
 +')
@@ -33572,7 +95812,7 @@ index 35241ed..9ac0000 100644
  ##	Inherit and use a file descriptor
  ##	from the cron daemon.
  ## </summary>
-@@ -359,6 +401,24 @@ interface(`cron_sigchld',`
+@@ -359,6 +404,24 @@ interface(`cron_sigchld',`
  
  ########################################
  ## <summary>
@@ -33597,7 +95837,7 @@ index 35241ed..9ac0000 100644
  ##	Read a cron daemon unnamed pipe.
  ## </summary>
  ## <param name="domain">
-@@ -377,6 +437,47 @@ interface(`cron_read_pipes',`
+@@ -377,6 +440,47 @@ interface(`cron_read_pipes',`
  
  ########################################
  ## <summary>
@@ -33645,7 +95885,7 @@ index 35241ed..9ac0000 100644
  ##	Do not audit attempts to write cron daemon unnamed pipes.
  ## </summary>
  ## <param name="domain">
-@@ -390,6 +491,7 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -390,6 +494,7 @@ interface(`cron_dontaudit_write_pipes',`
  		type crond_t;
  	')
  
@@ -33653,7 +95893,7 @@ index 35241ed..9ac0000 100644
  	dontaudit $1 crond_t:fifo_file write;
  ')
  
-@@ -408,7 +510,43 @@ interface(`cron_rw_pipes',`
+@@ -408,7 +513,43 @@ interface(`cron_rw_pipes',`
  		type crond_t;
  	')
  
@@ -33698,7 +95938,7 @@ index 35241ed..9ac0000 100644
  ')
  
  ########################################
-@@ -468,6 +606,25 @@ interface(`cron_search_spool',`
+@@ -468,6 +609,25 @@ interface(`cron_search_spool',`
  
  ########################################
  ## <summary>
@@ -33724,7 +95964,7 @@ index 35241ed..9ac0000 100644
  ##	Manage pid files used by cron
  ## </summary>
  ## <param name="domain">
-@@ -481,6 +638,7 @@ interface(`cron_manage_pid_files',`
+@@ -481,6 +641,7 @@ interface(`cron_manage_pid_files',`
  		type crond_var_run_t;
  	')
  
@@ -33732,7 +95972,7 @@ index 35241ed..9ac0000 100644
  	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
  ')
  
-@@ -536,7 +694,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -536,7 +697,7 @@ interface(`cron_write_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -33741,7 +95981,7 @@ index 35241ed..9ac0000 100644
  ')
  
  ########################################
-@@ -554,7 +712,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +715,7 @@ interface(`cron_rw_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -33750,7 +95990,7 @@ index 35241ed..9ac0000 100644
  ')
  
  ########################################
-@@ -587,11 +745,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +748,14 @@ interface(`cron_rw_system_job_stream_sockets',`
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -33766,7 +96006,7 @@ index 35241ed..9ac0000 100644
  ')
  
  ########################################
-@@ -627,7 +788,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +791,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
  interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
  		type system_cronjob_tmp_t;
@@ -33815,7 +96055,7 @@ index 35241ed..9ac0000 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..8946846 100644
+index f7583ab..4545fb1 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -34255,10 +96495,15 @@ index f7583ab..8946846 100644
  ')
  
  optional_policy(`
-@@ -502,7 +611,13 @@ optional_policy(`
+@@ -502,7 +611,18 @@ optional_policy(`
  ')
  
  optional_policy(`
++	systemd_dbus_chat_logind(system_cronjob_t)
++	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
++')
++
++optional_policy(`
 +	unconfined_domain(crond_t)
  	unconfined_domain(system_cronjob_t)
 +')
@@ -34269,7 +96514,7 @@ index f7583ab..8946846 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -595,9 +710,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +715,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -34693,18 +96938,21 @@ index 0000000..284fbae
 +	sysnet_domtrans_ifconfig(ctdbd_t)
 +')
 diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
-index 1b492ed..ac5dae0 100644
+index 1b492ed..d3e9822 100644
 --- a/policy/modules/services/cups.fc
 +++ b/policy/modules/services/cups.fc
-@@ -20,6 +20,7 @@
+@@ -19,7 +19,10 @@
+ 
  /etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
++/usr/lib/systemd/system/cups.*	--	gen_context(system_u:object_r:cupsd_unit_file_t,s0)
++
  /lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 +/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
  
  /opt/gutenprint/ppds(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
-@@ -28,11 +29,8 @@
+@@ -28,11 +31,8 @@
  
  # keep as separate lines to ensure proper sorting
  /usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
@@ -34716,7 +96964,7 @@ index 1b492ed..ac5dae0 100644
  
  /usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
  /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-@@ -56,6 +54,7 @@
+@@ -56,6 +56,7 @@
  
  /var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -34724,7 +96972,7 @@ index 1b492ed..ac5dae0 100644
  
  /var/lib/hp(/.*)?		gen_context(system_u:object_r:hplip_var_lib_t,s0)
  
-@@ -64,10 +63,16 @@
+@@ -64,10 +65,16 @@
  
  /var/ccpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
  /var/ekpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
@@ -34743,7 +96991,7 @@ index 1b492ed..ac5dae0 100644
 +
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
-index 305ddf4..c9de648 100644
+index 305ddf4..4d70951 100644
 --- a/policy/modules/services/cups.if
 +++ b/policy/modules/services/cups.if
 @@ -9,6 +9,11 @@
@@ -34789,7 +97037,37 @@ index 305ddf4..c9de648 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -314,16 +321,19 @@ interface(`cups_stream_connect_ptal',`
+@@ -296,6 +303,29 @@ interface(`cups_stream_connect_ptal',`
+ 
+ ########################################
+ ## <summary>
++##	Execute cupsd server in the cupsd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`cupsd_systemctl',`
++	gen_require(`
++		type cupsd_t;
++		type cupsd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 cupsd_unit_file_t:file read_file_perms;
++	allow $1 cupsd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, cupsd_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate 
+ ##	an cups environment
+ ## </summary>
+@@ -314,16 +344,20 @@ interface(`cups_stream_connect_ptal',`
  interface(`cups_admin',`
  	gen_require(`
  		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
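Review bot: The doc block on the new `cupsd_systemctl` interface describes a domain transition ("Execute cupsd server in the cupsd domain", "Domain allowed to transition"), but the body performs none. It lets `$1` run systemctl, read `cupsd_unit_file_t` files, use `manage_service_perms` on that unit type and inspect `cupsd_t` processes. I would change the summary to `##	Execute systemctl to start, stop and query the cupsd service.` and the parameter text to `##	Domain allowed access.`. The name also departs from the `cups_` prefix used by `cups_admin` and `cups_stream_connect_ptal` in the same file; `cups_systemctl` would match, if existing callers allow the rename.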
@@ -34802,6 +97080,7 @@ index 305ddf4..c9de648 100644
 +		type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
 +		type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
 +		type ptal_var_run_t;
++		type cupsd_unit_file_t;
  	')
  
 -	allow $1 cupsd_t:process { ptrace signal_perms };
@@ -34815,7 +97094,7 @@ index 305ddf4..c9de648 100644
  	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 cupsd_initrc_exec_t system_r;
-@@ -341,15 +351,14 @@ interface(`cups_admin',`
+@@ -341,18 +375,47 @@ interface(`cups_admin',`
  
  	admin_pattern($1, cupsd_lpd_var_run_t)
  
@@ -34833,8 +97112,41 @@ index 305ddf4..c9de648 100644
  	admin_pattern($1, hplip_var_run_t)
  
  	admin_pattern($1, ptal_etc_t)
+ 
+ 	admin_pattern($1, ptal_var_run_t)
++
++	cupsd_systemctl($1)
++	admin_pattern($1, cupsd_unit_file_t)
++	allow $1 cupsd_unit_file_t:service all_service_perms;
++')
++
++########################################
++## <summary>
++##	Transition to cups named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cups_filetrans_named_content',`
++	gen_require(`
++		type cups_rw_etc_t;
++		type cups_etc_t;
++	')
++
++	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "classes.conf")
++	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "printers.conf")
++	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "cupsd.conf")
++	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "cupsd.conf.default")
++	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "lpoptions")
++	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "subscriptions.conf")
++	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "subscriptions.conf.O")
++	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
+ ')
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..03f22e6 100644
+index 0f28095..085e634 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
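Review bot: `cups_filetrans_named_content` requires and uses `cups_rw_etc_t` and `cups_etc_t`, while every other reference in this patch spells those types `cupsd_rw_etc_t` and `cupsd_etc_t` (the cups.fc contexts, `type cupsd_etc_t;` in cups.te, and the `manage_*_pattern` calls on cupsd_t). Unless `cups_*_etc_t` types are declared somewhere outside this view, the gen_require cannot be satisfied. A caller inside an optional_policy block is then dropped silently, so files such as cupsd.conf and printers.conf created by that domain keep the parent directory's label instead of the writable-config type. The type names should be corrected in the gen_require and in all eight filetrans_pattern lines, as below.

```selinux
interface(`cups_filetrans_named_content',`
	gen_require(`
		type cupsd_rw_etc_t;
		type cupsd_etc_t;
	')

	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
')
```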
@@ -34845,7 +97157,17 @@ index 0f28095..03f22e6 100644
  
  type cupsd_etc_t;
  files_config_file(cupsd_etc_t)
-@@ -123,6 +124,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -60,6 +61,9 @@ type cupsd_var_run_t;
+ files_pid_file(cupsd_var_run_t)
+ mls_trusted_object(cupsd_var_run_t)
+ 
++type cupsd_unit_file_t;
++systemd_unit_file(cupsd_unit_file_t)
++
+ type hplip_t;
+ type hplip_exec_t;
+ init_daemon_domain(hplip_t, hplip_exec_t)
+@@ -123,6 +127,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  files_search_etc(cupsd_t)
  
  manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@@ -34853,7 +97175,7 @@ index 0f28095..03f22e6 100644
  
  manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
  manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
-@@ -137,6 +139,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+@@ -137,6 +142,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
  allow cupsd_t cupsd_lock_t:file manage_file_perms;
  files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
  
@@ -34861,7 +97183,7 @@ index 0f28095..03f22e6 100644
  manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  allow cupsd_t cupsd_log_t:dir setattr;
  logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
-@@ -146,11 +149,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+@@ -146,11 +152,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
  manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
  files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
  
@@ -34876,7 +97198,7 @@ index 0f28095..03f22e6 100644
  
  allow cupsd_t hplip_t:process { signal sigkill };
  
-@@ -159,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+@@ -159,7 +166,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
  allow cupsd_t hplip_var_run_t:file read_file_perms;
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
@@ -34885,7 +97207,7 @@ index 0f28095..03f22e6 100644
  
  kernel_read_system_state(cupsd_t)
  kernel_read_network_state(cupsd_t)
-@@ -211,6 +215,7 @@ mls_rangetrans_target(cupsd_t)
+@@ -211,6 +218,7 @@ mls_rangetrans_target(cupsd_t)
  mls_socket_write_all_levels(cupsd_t)
  mls_fd_use_all_levels(cupsd_t)
  
@@ -34893,7 +97215,7 @@ index 0f28095..03f22e6 100644
  term_use_unallocated_ttys(cupsd_t)
  term_search_ptys(cupsd_t)
  
-@@ -220,6 +225,7 @@ corecmd_exec_bin(cupsd_t)
+@@ -220,11 +228,13 @@ corecmd_exec_bin(cupsd_t)
  
  domain_use_interactive_fds(cupsd_t)
  
@@ -34901,7 +97223,13 @@ index 0f28095..03f22e6 100644
  files_list_spool(cupsd_t)
  files_read_etc_files(cupsd_t)
  files_read_etc_runtime_files(cupsd_t)
-@@ -270,12 +276,6 @@ files_dontaudit_list_home(cupsd_t)
+ # read python modules
+ files_read_usr_files(cupsd_t)
++files_exec_usr_files(cupsd_t)
+ # for /var/lib/defoma
+ files_read_var_lib_files(cupsd_t)
+ files_list_world_readable(cupsd_t)
+@@ -270,12 +280,6 @@ files_dontaudit_list_home(cupsd_t)
  userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
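Review bot: The added `files_exec_usr_files(cupsd_t)` sits directly under the existing `# read python modules` comment, but it grants execute rather than read and states no reason of its own. cupsd handles print jobs from the network, so a rule that lets it execute generically labelled usr files should say which program needs it, and a dedicated exec type for that program would be narrower if one can be assigned. At minimum I would add a line such as `# execute <helper path> shipped under /usr (see <bug id>)` above the call, with the placeholders filled in from the denial that prompted it.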
@@ -34914,7 +97242,7 @@ index 0f28095..03f22e6 100644
  optional_policy(`
  	apm_domtrans_client(cupsd_t)
  ')
-@@ -287,6 +287,8 @@ optional_policy(`
+@@ -287,6 +291,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -34923,7 +97251,7 @@ index 0f28095..03f22e6 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -297,8 +299,10 @@ optional_policy(`
+@@ -297,8 +303,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -34934,7 +97262,7 @@ index 0f28095..03f22e6 100644
  	')
  ')
  
-@@ -311,10 +315,22 @@ optional_policy(`
+@@ -311,10 +319,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34957,7 +97285,16 @@ index 0f28095..03f22e6 100644
  	mta_send_mail(cupsd_t)
  ')
  
-@@ -371,8 +387,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -322,6 +342,8 @@ optional_policy(`
+ 	# cups execs smbtool which reads samba_etc_t files
+ 	samba_read_config(cupsd_t)
+ 	samba_rw_var_files(cupsd_t)
++	# needed by smbspool
++	samba_stream_connect_nmbd(cupsd_t)
+ ')
+ 
+ optional_policy(`
+@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
@@ -34968,7 +97305,7 @@ index 0f28095..03f22e6 100644
  
  domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
  
-@@ -393,6 +410,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +416,10 @@ dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
  dev_rw_generic_usb_dev(cupsd_config_t)
@@ -34979,7 +97316,7 @@ index 0f28095..03f22e6 100644
  
  files_search_all_mountpoints(cupsd_config_t)
  
-@@ -425,11 +446,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +452,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -34993,7 +97330,7 @@ index 0f28095..03f22e6 100644
  ifdef(`distro_redhat',`
  	optional_policy(`
  		rpm_read_db(cupsd_config_t)
-@@ -453,6 +474,10 @@ optional_policy(`
+@@ -453,6 +480,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35004,7 +97341,7 @@ index 0f28095..03f22e6 100644
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +492,10 @@ optional_policy(`
+@@ -467,6 +498,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35015,7 +97352,7 @@ index 0f28095..03f22e6 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -537,6 +566,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,6 +572,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
  corenet_tcp_bind_generic_node(cupsd_lpd_t)
  corenet_udp_bind_generic_node(cupsd_lpd_t)
  corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -35023,7 +97360,7 @@ index 0f28095..03f22e6 100644
  
  dev_read_urand(cupsd_lpd_t)
  dev_read_rand(cupsd_lpd_t)
-@@ -587,23 +617,22 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +623,22 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -35056,7 +97393,7 @@ index 0f28095..03f22e6 100644
  ')
  
  ########################################
-@@ -639,7 +668,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +674,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -35065,15 +97402,26 @@ index 0f28095..03f22e6 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +714,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -661,6 +696,8 @@ corenet_tcp_bind_generic_node(hplip_t)
+ corenet_udp_bind_generic_node(hplip_t)
+ corenet_tcp_bind_hplip_port(hplip_t)
+ corenet_tcp_connect_hplip_port(hplip_t)
++corenet_tcp_bind_glance_port(hplip_t)
++corenet_tcp_connect_glance_port(hplip_t)
+ corenet_tcp_connect_ipp_port(hplip_t)
+ corenet_sendrecv_hplip_client_packets(hplip_t)
+ corenet_receive_hplip_server_packets(hplip_t)
+@@ -685,6 +722,9 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
 +files_dontaudit_write_usr_dirs(hplip_t)
++
++auth_read_passwd(hplip_t)
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +736,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
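Review bot: `corenet_tcp_bind_glance_port(hplip_t)` and `corenet_tcp_connect_glance_port(hplip_t)` let the HP printing daemon bind and connect on the port type named for glance, and nothing in the hunk explains why a printer backend needs that. If the cause is a port number that ended up under the glance label although hplip also uses it (an assumption, since the port definitions are not visible here), the pair should carry a comment saying so. For example `# hplip uses a port that is labelled glance_port_t; remove once the port labels are split`, so the grant is not kept after the labels are fixed.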
@@ -35651,7 +97999,7 @@ index 1a1becd..115133d 100644
 +	dontaudit $1 session_bus_type:dbus send_msg;
  ')
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..4327f89 100644
+index 1bff6ee..a3267cd 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
 @@ -10,6 +10,7 @@ gen_require(`
@@ -35694,7 +98042,16 @@ index 1bff6ee..4327f89 100644
  
  kernel_read_system_state(system_dbusd_t)
  kernel_read_kernel_sysctls(system_dbusd_t)
-@@ -111,6 +114,8 @@ auth_read_pam_console_data(system_dbusd_t)
+@@ -84,6 +87,8 @@ kernel_read_kernel_sysctls(system_dbusd_t)
+ dev_read_urand(system_dbusd_t)
+ dev_read_sysfs(system_dbusd_t)
+ 
++files_rw_inherited_non_security_files(system_dbusd_t)
++
+ fs_getattr_all_fs(system_dbusd_t)
+ fs_list_inotifyfs(system_dbusd_t)
+ fs_search_auto_mountpoints(system_dbusd_t)
+@@ -111,6 +116,8 @@ auth_read_pam_console_data(system_dbusd_t)
  corecmd_list_bin(system_dbusd_t)
  corecmd_read_bin_pipes(system_dbusd_t)
  corecmd_read_bin_sockets(system_dbusd_t)
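Review bot: `files_rw_inherited_non_security_files(system_dbusd_t)` is added without a comment. Going by the interface name, it lets the system bus daemon read and write inherited descriptors for every non-security file type, which is a wide grant for a process that most domains talk to. The hunk does not show which denial it answers. I would add a comment above it naming the case, e.g. `# <service> passes open <type> files to dbus-daemon (see <bug id>)`, and prefer a per-type rule if only a few file types are involved.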
@@ -35703,7 +98060,7 @@ index 1bff6ee..4327f89 100644
  
  domain_use_interactive_fds(system_dbusd_t)
  domain_read_all_domains_state(system_dbusd_t)
-@@ -121,7 +126,9 @@ files_read_usr_files(system_dbusd_t)
+@@ -121,7 +128,9 @@ files_read_usr_files(system_dbusd_t)
  
  init_use_fds(system_dbusd_t)
  init_use_script_ptys(system_dbusd_t)
@@ -35713,7 +98070,7 @@ index 1bff6ee..4327f89 100644
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -136,11 +143,27 @@ seutil_sigchld_newrole(system_dbusd_t)
+@@ -136,11 +145,27 @@ seutil_sigchld_newrole(system_dbusd_t)
  userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
  userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
  
@@ -35741,7 +98098,7 @@ index 1bff6ee..4327f89 100644
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -151,12 +174,156 @@ optional_policy(`
+@@ -151,12 +176,160 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35874,16 +98231,20 @@ index 1bff6ee..4327f89 100644
 +userdom_manage_user_home_content_dirs(session_bus_type)
 +userdom_manage_user_home_content_files(session_bus_type)
 +userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
- 
++
 +optional_policy(`
 +	gnome_read_gconf_home_files(session_bus_type)
 +')
-+
+ 
 +optional_policy(`
 +	hal_dbus_chat(session_bus_type)
 +')
 +
 +optional_policy(`
++	thumb_domtrans(session_bus_type)
++')
++
++optional_policy(`
 +	xserver_search_xdm_lib(session_bus_type)
 +	xserver_use_xdm_fds(session_bus_type)
 +	xserver_rw_xdm_pipes(session_bus_type)
@@ -36103,7 +98464,7 @@ index 567865f..3a57eb9 100644
  	admin_pattern($1, denyhosts_var_lock_t)
  ')
 diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
-index 8ba9425..ca29d0a 100644
+index 8ba9425..1d68f66 100644
 --- a/policy/modules/services/denyhosts.te
 +++ b/policy/modules/services/denyhosts.te
 @@ -25,7 +25,9 @@ logging_log_file(denyhosts_var_log_t)
@@ -36117,15 +98478,19 @@ index 8ba9425..ca29d0a 100644
  allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
  allow denyhosts_t self:tcp_socket create_socket_perms;
  allow denyhosts_t self:udp_socket create_socket_perms;
-@@ -45,6 +47,7 @@ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+@@ -43,8 +45,11 @@ read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+ setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
  
++kernel_read_network_state(denyhosts_t)
  kernel_read_system_state(denyhosts_t)
++kernel_read_network_state(denyhosts_t)
  
 +corecmd_exec_shell(denyhosts_t)
  corecmd_exec_bin(denyhosts_t)
  
  corenet_all_recvfrom_unlabeled(denyhosts_t)
-@@ -53,20 +56,30 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
+@@ -53,20 +58,30 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
  corenet_tcp_sendrecv_generic_node(denyhosts_t)
  corenet_tcp_bind_generic_node(denyhosts_t)
  corenet_tcp_connect_smtp_port(denyhosts_t)
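Review bot: `kernel_read_network_state(denyhosts_t)` is now added twice in the inner hunk, once before and once after `kernel_read_system_state(denyhosts_t)`. The second call grants nothing new and looks like a merge leftover from syncing two branches. Keep one, placed after `kernel_read_system_state(denyhosts_t)` if the block is meant to stay in the usual order, and drop the other.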
@@ -36188,7 +98553,7 @@ index 418a5a0..de67309 100644
 +/var/run/udisks.*			gen_context(system_u:object_r:devicekit_var_run_t,s0)
  /var/run/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..d41e4fe 100644
+index f706b99..9b9f4ad 100644
 --- a/policy/modules/services/devicekit.if
 +++ b/policy/modules/services/devicekit.if
 @@ -5,9 +5,9 @@
@@ -36337,7 +98702,7 @@ index f706b99..d41e4fe 100644
  ########################################
  ## <summary>
  ##	Read devicekit PID files.
-@@ -139,22 +252,92 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +252,93 @@ interface(`devicekit_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -36380,6 +98745,7 @@ index f706b99..d41e4fe 100644
 +	files_search_pids($1)
 +	manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
 +	manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++	files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
 +')
 +
 +#######################################
@@ -36436,7 +98802,7 @@ index f706b99..d41e4fe 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -165,21 +348,46 @@ interface(`devicekit_admin',`
+@@ -165,21 +349,46 @@ interface(`devicekit_admin',`
  		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
  	')
  
@@ -36490,10 +98856,20 @@ index f706b99..d41e4fe 100644
 +	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..6c1a7eb 100644
+index f231f17..f6803f2 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
-@@ -16,6 +16,7 @@ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+@@ -8,14 +8,17 @@ policy_module(devicekit, 1.1.0)
+ type devicekit_t;
+ type devicekit_exec_t;
+ dbus_system_domain(devicekit_t, devicekit_exec_t)
++init_daemon_domain(devicekit_t, devicekit_exec_t)
+ 
+ type devicekit_power_t;
+ type devicekit_power_exec_t;
+ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
++init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
+ 
  type devicekit_disk_t;
  type devicekit_disk_exec_t;
  dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
@@ -36501,7 +98877,7 @@ index f231f17..6c1a7eb 100644
  
  type devicekit_tmp_t;
  files_tmp_file(devicekit_tmp_t)
-@@ -26,6 +27,9 @@ files_pid_file(devicekit_var_run_t)
+@@ -26,6 +29,9 @@ files_pid_file(devicekit_var_run_t)
  type devicekit_var_lib_t;
  files_type(devicekit_var_lib_t)
  
@@ -36511,7 +98887,7 @@ index f231f17..6c1a7eb 100644
  ########################################
  #
  # DeviceKit local policy
-@@ -62,7 +66,8 @@ optional_policy(`
+@@ -62,7 +68,8 @@ optional_policy(`
  # DeviceKit disk local policy
  #
  
@@ -36521,7 +98897,7 @@ index f231f17..6c1a7eb 100644
  allow devicekit_disk_t self:process { getsched signal_perms };
  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -75,10 +80,13 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -75,10 +82,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
  
@@ -36529,13 +98905,14 @@ index f231f17..6c1a7eb 100644
  manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
  manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
  files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
++files_filetrans_named_content(devicekit_disk_t)
  
 +kernel_list_unlabeled(devicekit_disk_t)
 +kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
  kernel_getattr_message_if(devicekit_disk_t)
  kernel_read_fs_sysctls(devicekit_disk_t)
  kernel_read_network_state(devicekit_disk_t)
-@@ -97,6 +105,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
+@@ -97,6 +108,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
  dev_manage_generic_files(devicekit_disk_t)
  dev_getattr_all_chr_files(devicekit_disk_t)
  dev_getattr_mtrr_dev(devicekit_disk_t)
@@ -36543,7 +98920,7 @@ index f231f17..6c1a7eb 100644
  
  domain_getattr_all_pipes(devicekit_disk_t)
  domain_getattr_all_sockets(devicekit_disk_t)
-@@ -105,14 +114,17 @@ domain_read_all_domains_state(devicekit_disk_t)
+@@ -105,14 +117,17 @@ domain_read_all_domains_state(devicekit_disk_t)
  
  files_dontaudit_read_all_symlinks(devicekit_disk_t)
  files_getattr_all_sockets(devicekit_disk_t)
@@ -36562,7 +98939,7 @@ index f231f17..6c1a7eb 100644
  fs_list_inotifyfs(devicekit_disk_t)
  fs_manage_fusefs_dirs(devicekit_disk_t)
  fs_mount_all_fs(devicekit_disk_t)
-@@ -127,10 +139,12 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -127,14 +142,17 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
  storage_raw_read_removable_device(devicekit_disk_t)
  storage_raw_write_removable_device(devicekit_disk_t)
  
@@ -36576,7 +98953,23 @@ index f231f17..6c1a7eb 100644
  miscfiles_read_localization(devicekit_disk_t)
  
  userdom_read_all_users_state(devicekit_disk_t)
-@@ -178,55 +192,84 @@ optional_policy(`
+ userdom_search_user_home_dirs(devicekit_disk_t)
++userdom_manage_user_tmp_dirs(devicekit_disk_t)
+ 
+ optional_policy(`
+ 	dbus_system_bus_client(devicekit_disk_t)
+@@ -170,6 +188,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	systemd_read_logind_sessions_files(devicekit_disk_t)
++')
++
++optional_policy(`
+ 	udev_domtrans(devicekit_disk_t)
+ 	udev_read_db(devicekit_disk_t)
+ ')
+@@ -178,55 +200,85 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -36625,6 +99018,7 @@ index f231f17..6c1a7eb 100644
 +kernel_rw_vm_sysctls(devicekit_power_t)
  kernel_search_debugfs(devicekit_power_t)
  kernel_write_proc_files(devicekit_power_t)
++kernel_setsched(devicekit_power_t)
  
  corecmd_exec_bin(devicekit_power_t)
  corecmd_exec_shell(devicekit_power_t)
@@ -36666,7 +99060,7 @@ index f231f17..6c1a7eb 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -235,7 +278,12 @@ optional_policy(`
+@@ -235,7 +287,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36679,7 +99073,7 @@ index f231f17..6c1a7eb 100644
  ')
  
  optional_policy(`
-@@ -261,14 +309,21 @@ optional_policy(`
+@@ -261,14 +318,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36702,7 +99096,7 @@ index f231f17..6c1a7eb 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -276,9 +331,30 @@ optional_policy(`
+@@ -276,9 +340,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36734,15 +99128,13 @@ index f231f17..6c1a7eb 100644
 +	xserver_stream_connect(devicekit_power_t)
 +')
 diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
-index 767e0c7..c8306c2 100644
+index 767e0c7..9553bcf 100644
 --- a/policy/modules/services/dhcp.fc
 +++ b/policy/modules/services/dhcp.fc
-@@ -1,8 +1,12 @@
+@@ -1,8 +1,10 @@
 -/etc/rc\.d/init\.d/dhcpd	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 +
-+/lib/systemd/system/dhcpcd.* 		--	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
-+
 +/usr/lib/systemd/system/dhcpcd.*	--	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
  
  /usr/sbin/dhcpd.*		--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
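Review bot: The unit-file entry kept in dhcp.fc matches `/usr/lib/systemd/system/dhcpcd.*`, while every other path in the file names `dhcpd`. If the server's unit is installed as dhcpd.service (not visible here), the pattern never matches it, the unit file keeps its default label, and the `dhcpd_unit_file_t:service` rules in dhcp.if apply to nothing. Consider `/usr/lib/systemd/system/dhcpd.*	--	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)`, or add a comment saying the dhcpcd name is intentional.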
@@ -36753,7 +99145,7 @@ index 767e0c7..c8306c2 100644
 -/var/run/dhcpd\.pid		--	gen_context(system_u:object_r:dhcpd_var_run_t,s0)
 +/var/run/dhcpd(6)?\.pid		--	gen_context(system_u:object_r:dhcpd_var_run_t,s0)
 diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
-index 5e2cea8..8eec089 100644
+index 5e2cea8..2ab8a14 100644
 --- a/policy/modules/services/dhcp.if
 +++ b/policy/modules/services/dhcp.if
 @@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
@@ -36786,7 +99178,7 @@ index 5e2cea8..8eec089 100644
 +	systemd_exec_systemctl($1)
 +	systemd_search_unit_dirs($1)
 +	allow $1 dhcpd_unit_file_t:file read_file_perms;
-+	allow $1 dhcpd_unit_file_t:service all_service_perms;
++	allow $1 dhcpd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, dhcpd_t)
 +')
@@ -36796,13 +99188,14 @@ index 5e2cea8..8eec089 100644
  ##	All of the rules required to administrate 
  ##	an dhcp environment
  ## </summary>
-@@ -77,12 +101,15 @@ interface(`dhcpd_initrc_domtrans',`
+@@ -77,12 +101,16 @@ interface(`dhcpd_initrc_domtrans',`
  #
  interface(`dhcpd_admin',`
  	gen_require(`
 -		type dhcpd_t; type dhcpd_tmp_t;	type dhcpd_state_t;
 +		type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
  		type dhcpd_var_run_t, dhcpd_initrc_exec_t;
++		type dhcpd_unit_file_t;
  	')
  
 -	allow $1 dhcpd_t:process { ptrace signal_perms };
@@ -36814,12 +99207,14 @@ index 5e2cea8..8eec089 100644
  
  	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -96,4 +123,6 @@ interface(`dhcpd_admin',`
+@@ -96,4 +124,8 @@ interface(`dhcpd_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, dhcpd_var_run_t)
 +
 +	dhcpd_systemctl($1)
++	admin_pattern($1, dhcpd_unit_file_t)
++	allow $1 dhcpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
 index d4424ad..5d01064 100644
@@ -37227,10 +99622,10 @@ index 0000000..c2ac646
 +
 diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc
 new file mode 100644
-index 0000000..3aae725
+index 0000000..6fc4865
 --- /dev/null
 +++ b/policy/modules/services/dirsrv.fc
-@@ -0,0 +1,20 @@
+@@ -0,0 +1,23 @@
 +/etc/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_config_t,s0)
 +
 +/usr/sbin/ns-slapd			--	gen_context(system_u:object_r:dirsrv_exec_t,s0)
@@ -37244,6 +99639,9 @@ index 0000000..3aae725
 +/var/run/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_run_t,s0)
 +/var/run/ldap-agent\.pid	gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
 +
++# BZ:
++/var/run/slapd.*    -s  gen_context(system_u:object_r:slapd_var_run_t,s0)
++
 +/var/lib/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
 +
 +/var/lock/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
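Review bot: The new `# BZ:` comment in dirsrv.fc carries no bug number, so the reason for the entry below it cannot be traced. That entry labels `/var/run/slapd.*` sockets with `slapd_var_run_t`, a type the visible dirsrv lines never declare and which presumably belongs to another module. The comment should say why dirsrv.fc owns this path and whether it can collide with an entry for the same path in that module. Fill in the bug number and add one line of rationale, for example `# BZ <number>: <why these sockets use slapd_var_run_t>`.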
@@ -37467,10 +99865,10 @@ index 0000000..b214253
 +')
 diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
 new file mode 100644
-index 0000000..ff2ba38
+index 0000000..71f225b
 --- /dev/null
 +++ b/policy/modules/services/dirsrv.te
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,194 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@@ -37525,10 +99923,9 @@ index 0000000..ff2ba38
 +#
 +allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
 +allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
-+allow dirsrv_t self:fifo_file rw_fifo_file_perms;
++allow dirsrv_t self:fifo_file manage_fifo_file_perms;
 +allow dirsrv_t self:sem create_sem_perms;
 +allow dirsrv_t self:tcp_socket create_stream_socket_perms;
-+allow dirsrv_t self:netlink_route_socket r_netlink_socket_perms;
 +
 +manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
 +fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
@@ -37561,8 +99958,10 @@ index 0000000..ff2ba38
 +manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
 +manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
 +files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
++allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
 +
 +kernel_read_system_state(dirsrv_t)
++kernel_read_kernel_sysctls(dirsrv_t)
 +
 +corecmd_search_bin(dirsrv_t)
 +
@@ -37609,6 +100008,11 @@ index 0000000..ff2ba38
 +	kerberos_use(dirsrv_t)
 +')
 +
++# FIPS mode
++optional_policy(`
++	prelink_exec(dirsrv_t)
++')
++
 +optional_policy(`
 +	rpcbind_stream_connect(dirsrv_t)
 +')
@@ -37694,15 +100098,13 @@ index dc1056c..bd60100 100644
 +
 +/var/lib/dkim-milter(/.*)?		gen_context(system_u:object_r:dkim_milter_data_t,s0)
 diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
-index b886676..2b4d0f6 100644
+index b886676..3d5ca2b 100644
 --- a/policy/modules/services/dnsmasq.fc
 +++ b/policy/modules/services/dnsmasq.fc
-@@ -1,12 +1,16 @@
+@@ -1,12 +1,14 @@
  /etc/dnsmasq\.conf		--	gen_context(system_u:object_r:dnsmasq_etc_t, s0)
  /etc/rc\.d/init\.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
  
-+/lib/systemd/system/dnsmasq.* 		--	gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
-+
 +/usr/lib/systemd/system/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
 +
  /usr/sbin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
@@ -37716,7 +100118,7 @@ index b886676..2b4d0f6 100644
  /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
-index 9bd812b..144cbb7 100644
+index 9bd812b..6572368 100644
 --- a/policy/modules/services/dnsmasq.if
 +++ b/policy/modules/services/dnsmasq.if
 @@ -10,7 +10,6 @@
@@ -37772,7 +100174,7 @@ index 9bd812b..144cbb7 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 dnsmasq_unit_file_t:file read_file_perms;
-+	allow $1 dnsmasq_unit_file_t:service all_service_perms;
++	allow $1 dnsmasq_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, dnsmasq_t)
 +')
@@ -37902,8 +100304,11 @@ index 9bd812b..144cbb7 100644
  ##	All of the rules required to administrate
  ##	an dnsmasq environment
  ## </summary>
-@@ -195,8 +298,11 @@ interface(`dnsmasq_admin',`
+@@ -193,10 +296,14 @@ interface(`dnsmasq_admin',`
+ 	gen_require(`
+ 		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
  		type dnsmasq_initrc_exec_t;
++		type dnsmasq_unit_file_t;
  	')
  
 -	allow $1 dnsmasq_t:process { ptrace signal_perms };
@@ -37915,15 +100320,17 @@ index 9bd812b..144cbb7 100644
  
  	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -208,4 +314,6 @@ interface(`dnsmasq_admin',`
+@@ -208,4 +315,8 @@ interface(`dnsmasq_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, dnsmasq_var_run_t)
 +
 +	dnsmasq_systemctl($1)
++	admin_pattern($1, dnsmasq_unit_file_t)
++	allow $1 dnsmasq_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..b1ea136 100644
+index fdaeeba..1a2a666 100644
 --- a/policy/modules/services/dnsmasq.te
 +++ b/policy/modules/services/dnsmasq.te
 @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -37982,9 +100389,11 @@ index fdaeeba..b1ea136 100644
  ')
  
  optional_policy(`
-@@ -114,4 +135,5 @@ optional_policy(`
+@@ -113,5 +134,7 @@ optional_policy(`
+ 
  optional_policy(`
  	virt_manage_lib_files(dnsmasq_t)
++	virt_read_lib_files(dnsmasq_t)
  	virt_read_pid_files(dnsmasq_t)
 +	virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
  ')
@@ -38075,10 +100484,10 @@ index 0000000..a9dbcf2
 +')
 diff --git a/policy/modules/services/dnssec.te b/policy/modules/services/dnssec.te
 new file mode 100755
-index 0000000..8aa75f3
+index 0000000..98ba6e1
 --- /dev/null
 +++ b/policy/modules/services/dnssec.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,61 @@
 +policy_module(dnssec, 1.0.0)
 +
 +########################################
@@ -38116,6 +100525,7 @@ index 0000000..8aa75f3
 +corenet_tcp_bind_generic_node(dnssec_trigger_t)
 +corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
 +corenet_tcp_connect_rndc_port(dnssec_trigger_t)
++corenet_tcp_connect_http_port(dnssec_trigger_t)
 +
 +dev_read_urand(dnssec_trigger_t)
 +
@@ -38280,7 +100690,7 @@ index e1d7dc5..13e4800 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..47969fe 100644
+index acf6d4f..f31286c 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -38372,7 +100782,7 @@ index acf6d4f..47969fe 100644
  userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
  userdom_manage_user_home_content_dirs(dovecot_t)
  userdom_manage_user_home_content_files(dovecot_t)
-@@ -160,6 +170,15 @@ optional_policy(`
+@@ -160,10 +170,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38388,7 +100798,16 @@ index acf6d4f..47969fe 100644
  	postgresql_stream_connect(dovecot_t)
  ')
  
-@@ -180,8 +199,8 @@ optional_policy(`
+ optional_policy(`
++	# Handle sieve scripts
++	sendmail_domtrans(dovecot_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(dovecot_t)
+ ')
+ 
+@@ -180,8 +204,8 @@ optional_policy(`
  # dovecot auth local policy
  #
  
@@ -38399,7 +100818,7 @@ index acf6d4f..47969fe 100644
  allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
  allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +209,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +214,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
  
  read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
  
@@ -38409,7 +100828,7 @@ index acf6d4f..47969fe 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +223,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +228,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
  kernel_read_all_sysctls(dovecot_auth_t)
  kernel_read_system_state(dovecot_auth_t)
  
@@ -38422,7 +100841,7 @@ index acf6d4f..47969fe 100644
  dev_read_urand(dovecot_auth_t)
  
  auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -216,7 +241,8 @@ files_read_usr_files(dovecot_auth_t)
+@@ -216,7 +246,8 @@ files_read_usr_files(dovecot_auth_t)
  files_read_usr_symlinks(dovecot_auth_t)
  files_read_var_lib_files(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
@@ -38432,7 +100851,7 @@ index acf6d4f..47969fe 100644
  
  init_rw_utmp(dovecot_auth_t)
  
-@@ -236,6 +262,8 @@ optional_policy(`
+@@ -236,6 +267,8 @@ optional_policy(`
  optional_policy(`
  	mysql_search_db(dovecot_auth_t)
  	mysql_stream_connect(dovecot_auth_t)
@@ -38441,7 +100860,7 @@ index acf6d4f..47969fe 100644
  ')
  
  optional_policy(`
-@@ -243,6 +271,8 @@ optional_policy(`
+@@ -243,6 +276,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38450,7 +100869,7 @@ index acf6d4f..47969fe 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -250,23 +280,42 @@ optional_policy(`
+@@ -250,23 +285,42 @@ optional_policy(`
  #
  # dovecot deliver local policy
  #
@@ -38495,7 +100914,7 @@ index acf6d4f..47969fe 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -283,24 +332,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +337,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
  userdom_manage_user_home_content_sockets(dovecot_deliver_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
@@ -38553,10 +100972,10 @@ index 0000000..60c19b9
 +
 diff --git a/policy/modules/services/drbd.if b/policy/modules/services/drbd.if
 new file mode 100644
-index 0000000..f92ef50
+index 0000000..659d051
 --- /dev/null
 +++ b/policy/modules/services/drbd.if
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,127 @@
 +
 +## <summary>policy for drbd</summary>
 +
@@ -38666,12 +101085,6 @@ index 0000000..f92ef50
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`drbd_admin',`
 +	gen_require(`
@@ -38692,10 +101105,10 @@ index 0000000..f92ef50
 +
 diff --git a/policy/modules/services/drbd.te b/policy/modules/services/drbd.te
 new file mode 100644
-index 0000000..3bca7b0
+index 0000000..f09fbb3
 --- /dev/null
 +++ b/policy/modules/services/drbd.te
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,52 @@
 +policy_module(drbd, 1.0.0)
 +
 +########################################
@@ -38738,6 +101151,8 @@ index 0000000..3bca7b0
 +kernel_read_system_state(drbd_t)
 +
 +dev_read_sysfs(drbd_t)
++dev_read_rand(drbd_t)
++dev_read_urand(drbd_t)
 +
 +files_read_etc_files(drbd_t)
 +
@@ -39631,7 +102046,7 @@ index f590a1f..eb6f870 100644
 +	admin_pattern($1, fail2ban_tmp_t)
  ')
 diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..afb6deb 100644
+index 2a69e5e..78841e5 100644
 --- a/policy/modules/services/fail2ban.te
 +++ b/policy/modules/services/fail2ban.te
 @@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
@@ -39695,7 +102110,7 @@ index 2a69e5e..afb6deb 100644
  optional_policy(`
  	apache_read_log(fail2ban_t)
  ')
-@@ -94,5 +110,43 @@ optional_policy(`
+@@ -94,5 +110,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39733,6 +102148,8 @@ index 2a69e5e..afb6deb 100644
 +files_read_usr_files(fail2ban_client_t)
 +files_search_pids(fail2ban_client_t)
 +
++auth_read_passwd(fail2ban_client_t)
++
 +miscfiles_read_localization(fail2ban_client_t)
 +
 +optional_policy(`
@@ -39752,10 +102169,10 @@ index 0000000..83279fb
 +/var/run/fcoemon\.pid		--	gen_context(system_u:object_r:fcoemon_var_run_t,s0)
 diff --git a/policy/modules/services/fcoemon.if b/policy/modules/services/fcoemon.if
 new file mode 100644
-index 0000000..f25a1cb
+index 0000000..33508c1
 --- /dev/null
 +++ b/policy/modules/services/fcoemon.if
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,88 @@
 +
 +## <summary>policy for fcoemon</summary>
 +
@@ -39826,12 +102243,6 @@ index 0000000..f25a1cb
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`fcoemon_admin',`
 +	gen_require(`
@@ -40008,30 +102419,31 @@ index 9b7036a..4770f61 100644
  
 diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc
 new file mode 100644
-index 0000000..ba9a7a9
+index 0000000..f440549
 --- /dev/null
 +++ b/policy/modules/services/firewalld.fc
-@@ -0,0 +1,10 @@
+@@ -0,0 +1,13 @@
 +
 +/etc/rc\.d/init\.d/firewalld	--	gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
 +
++/etc/firewalld(/.*)?			gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
++
++/usr/lib/systemd/system/firewalld.*  -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
 +
 +/usr/sbin/firewalld		--	gen_context(system_u:object_r:firewalld_exec_t,s0)
 +
 +/var/log/firewalld		--	gen_context(system_u:object_r:firewalld_var_log_t,s0)
 +
-+/var/run/firewalld(/.*)?			gen_context(system_u:object_r:firewalld_var_run_t,s0)
++/var/run/firewalld(/.*)?		gen_context(system_u:object_r:firewalld_var_run_t,s0)
 +/var/run/firewalld\.pid			--	gen_context(system_u:object_r:firewalld_var_run_t,s0)
 diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
 new file mode 100644
-index 0000000..06462d4
+index 0000000..c4c7510
 --- /dev/null
 +++ b/policy/modules/services/firewalld.if
-@@ -0,0 +1,76 @@
-+
+@@ -0,0 +1,130 @@
 +## <summary>policy for firewalld</summary>
 +
-+
 +########################################
 +## <summary>
 +##	Execute a domain transition to run firewalld.
@@ -40071,6 +102483,50 @@ index 0000000..06462d4
 +
 +########################################
 +## <summary>
++##	Execute firewalld server in the firewalld domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`firewalld_systemctl',`
++	gen_require(`
++		type firewalld_t;
++		type firewalld_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 firewalld_unit_file_t:file read_file_perms;
++	allow $1 firewalld_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, firewalld_t)
++')
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	firewalld over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`firewalld_dbus_chat',`
++	gen_require(`
++		type firewalld_t;
++		class dbus send_msg;
++	')
++
++	allow $1 firewalld_t:dbus send_msg;
++	allow firewalld_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
 +##	All of the rules required to administrate
 +##	an firewalld environment
 +## </summary>
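Review bot: The doc block on the new `firewalld_systemctl` interface says "Execute firewalld server in the firewalld domain" and "Domain allowed to transition", but the body performs no domain transition. It lets the caller run systemctl, read `firewalld_unit_file_t` files and use `manage_service_perms` on the unit. Interface summaries are what policy authors read when deciding which domains to grant this to, so the text should describe service control, e.g. `##	Allow the domain to manage the firewalld systemd unit via systemctl.` and `##	Domain allowed access.`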
@@ -40088,8 +102544,9 @@ index 0000000..06462d4
 +#
 +interface(`firewalld_admin',`
 +	gen_require(`
-+		type firewalld_t;
-+		type firewalld_initrc_exec_t;
++		type firewalld_t, firewalld_initrc_exec_t;
++		type firewall_etc_rw_t, firewalld_var_run_t;
++		type firewalld_var_log_t;
 +	')
 +
 +	allow $1 firewalld_t:process signal_perms;
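Review bot: The `gen_require` in `firewalld_admin` names `firewall_etc_rw_t`, but the type declared in firewalld.te later in this patch is `firewalld_etc_rw_t`; the same misspelling is used by `admin_pattern($1, firewall_etc_rw_t)` in the next hunk. As written, a caller of `firewalld_admin` would require a type that the visible policy never declares, and the administrator role would get no access to the files under `/etc/firewalld`. Both lines should use the declared name: `type firewalld_etc_rw_t, firewalld_var_run_t;` and `admin_pattern($1, firewalld_etc_rw_t)`. The interface body starts before this hunk and ends in the next one.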
@@ -40103,13 +102560,24 @@ index 0000000..06462d4
 +	role_transition $2 firewalld_initrc_exec_t system_r;
 +	allow $2 system_r;
 +
++	files_search_pids($1)
++	admin_pattern($1, firewalld_var_run_t)
++	
++	logging_search_logs($1)
++	admin_pattern($1, firewalld_var_log_t)
++
++	admin_pattern($1, firewall_etc_rw_t)
++
++	admin_pattern($1, firewalld_unit_file_t)
++	firewalld_systemctl($1)
++	allow $1 firewalld_unit_file_t:service all_service_perms;
 +')
 diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
 new file mode 100644
-index 0000000..60fcddb
+index 0000000..b3727f1
 --- /dev/null
 +++ b/policy/modules/services/firewalld.te
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,91 @@
 +
 +policy_module(firewalld,1.0.0)
 +
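Review bot: `firewalld_admin` now uses `firewalld_unit_file_t` in `admin_pattern(...)` and in the `all_service_perms` rule, but the type is not listed in the interface's `gen_require` (changed in the previous hunk). The `dhcpd_admin`, `dnsmasq_admin` and `ftp_admin` changes in this same patch each add their unit-file type to `gen_require`, so add `type firewalld_unit_file_t;` there for consistency rather than relying on the require inside `firewalld_systemctl`. The otherwise empty line after `admin_pattern($1, firewalld_var_run_t)` also carries a stray tab.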
@@ -40125,12 +102593,18 @@ index 0000000..60fcddb
 +type firewalld_initrc_exec_t;
 +init_script_file(firewalld_initrc_exec_t)
 +
++type firewalld_etc_rw_t;
++files_config_file(firewalld_etc_rw_t)
++
 +type firewalld_var_log_t;
 +logging_log_file(firewalld_var_log_t)
 +
 +type firewalld_var_run_t;
 +files_pid_file(firewalld_var_run_t)
 +
++type firewalld_unit_file_t;
++systemd_unit_file(firewalld_unit_file_t)
++
 +########################################
 +#
 +# firewalld local policy
@@ -40139,6 +102613,9 @@ index 0000000..60fcddb
 +allow firewalld_t self:fifo_file rw_fifo_file_perms;
 +allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
 +
++manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
++manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
++
 +append_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
 +create_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
 +read_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
@@ -40153,6 +102630,7 @@ index 0000000..60fcddb
 +kernel_read_system_state(firewalld_t)
 +
 +corecmd_exec_bin(firewalld_t)
++corecmd_exec_shell(firewalld_t)
 +
 +dev_read_urand(firewalld_t)
 +
@@ -40161,14 +102639,27 @@ index 0000000..60fcddb
 +files_read_etc_files(firewalld_t)
 +files_read_usr_files(firewalld_t)
 +
++fs_getattr_xattr_fs(firewalld_t)
++
 +auth_read_passwd(firewalld_t)
 +
 +logging_send_syslog_msg(firewalld_t)
 +
 +miscfiles_read_localization(firewalld_t)
 +
++seutil_exec_setfiles(firewalld_t)
++seutil_read_file_contexts(firewalld_t)
++
 +optional_policy(`
 +    dbus_system_domain(firewalld_t, firewalld_exec_t)
++
++    optional_policy(`
++    	policykit_dbus_chat(firewalld_t)
++    ')
++
++    optional_policy(`
++	networkmanager_dbus_chat(firewalld_t)
++    ')
 +')
 +
 +optional_policy(`
@@ -40178,10 +102669,6 @@ index 0000000..60fcddb
 +optional_policy(`
 +    modutils_domtrans_insmod(firewalld_t)
 +')
-+
-+optional_policy(`
-+	policykit_dbus_chat(firewalld_t)
-+')
 diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if
 index ebad8c4..eeddf7b 100644
 --- a/policy/modules/services/fprintd.if
@@ -40206,10 +102693,18 @@ index ebad8c4..eeddf7b 100644
  ')
 -
 diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
-index 7df52c7..8512254 100644
+index 7df52c7..26422af 100644
 --- a/policy/modules/services/fprintd.te
 +++ b/policy/modules/services/fprintd.te
-@@ -17,9 +17,10 @@ files_type(fprintd_var_lib_t)
+@@ -8,6 +8,7 @@ policy_module(fprintd, 1.1.0)
+ type fprintd_t;
+ type fprintd_exec_t;
+ dbus_system_domain(fprintd_t, fprintd_exec_t)
++init_daemon_domain(fprintd_t, fprintd_exec_t)
+ 
+ type fprintd_var_lib_t;
+ files_type(fprintd_var_lib_t)
+@@ -17,9 +18,10 @@ files_type(fprintd_var_lib_t)
  # Local policy
  #
  
@@ -40222,36 +102717,33 @@ index 7df52c7..8512254 100644
  
  manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
  manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -54,4 +55,5 @@ optional_policy(`
+@@ -54,4 +56,5 @@ optional_policy(`
  	policykit_read_lib(fprintd_t)
  	policykit_dbus_chat(fprintd_t)
  	policykit_domtrans_auth(fprintd_t)
 +	policykit_dbus_chat_auth(fprintd_t)
  ')
 diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
-index 69dcd2a..030dbb6 100644
+index 69dcd2a..4d97da7 100644
 --- a/policy/modules/services/ftp.fc
 +++ b/policy/modules/services/ftp.fc
-@@ -6,6 +6,12 @@
+@@ -6,6 +6,9 @@
  /etc/rc\.d/init\.d/vsftpd --	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/proftpd --	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
  
-+/lib/systemd/system/vsftpd.* 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+/lib/systemd/system/proftpd.* 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
 +/usr/lib/systemd/system/vsftpd.* 	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
 +/usr/lib/systemd/system/proftpd.*	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
 +
  #
  # /usr
  #
-@@ -29,3 +35,4 @@
+@@ -29,3 +32,4 @@
  /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
  /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
  /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 +/usr/libexec/webmin/vsftpd/webalizer/xfer_log 	--	gen_context(system_u:object_r:xferlog_t,s0)
 diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
-index 9d3201b..41c2c99 100644
+index 9d3201b..6e75e3d 100644
 --- a/policy/modules/services/ftp.if
 +++ b/policy/modules/services/ftp.if
 @@ -1,5 +1,66 @@
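Review bot: The two `/usr/lib/systemd/system` entries that remain in ftp.fc label the vsftpd and proftpd unit files `iptables_unit_file_t`, while `ftp_systemctl` and `ftp_admin` in ftp.if grant access on `ftpd_unit_file_t`. With that label the FTP service-management rules match nothing, and a domain allowed to manage iptables units would presumably also be able to start and stop the FTP servers. This hunk only drops the `/lib` duplicates; the surviving lines should presumably end in `gen_context(system_u:object_r:ftpd_unit_file_t,s0)`.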
@@ -40313,7 +102805,7 @@ index 9d3201b..41c2c99 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 ftpd_unit_file_t:file read_file_perms;
-+	allow $1 ftpd_unit_file_t:service all_service_perms;
++	allow $1 ftpd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, ftpd_t)
 +')
@@ -40321,8 +102813,11 @@ index 9d3201b..41c2c99 100644
  #######################################
  ## <summary>
  ##	Allow domain dyntransition to sftpd_anon domain.
-@@ -176,8 +237,11 @@ interface(`ftp_admin',`
+@@ -174,10 +235,14 @@ interface(`ftp_admin',`
+ 		type ftpd_etc_t, ftpd_lock_t;
+ 		type ftpd_var_run_t, xferlog_t;
  		type ftpd_initrc_exec_t;
++		type ftpd_unit_file_t;
  	')
  
 -	allow $1 ftpd_t:process { ptrace signal_perms };
@@ -40334,18 +102829,20 @@ index 9d3201b..41c2c99 100644
  
  	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -203,4 +267,6 @@ interface(`ftp_admin',`
+@@ -203,4 +268,8 @@ interface(`ftp_admin',`
  
  	logging_list_logs($1)
  	admin_pattern($1, xferlog_t)
 +
 +	ftp_systemctl($1)
++	admin_pattern($1, ftpd_unit_file_t)
++	allow $1 ftpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..84fe0c6 100644
+index 8a74a83..9be06fe 100644
 --- a/policy/modules/services/ftp.te
 +++ b/policy/modules/services/ftp.te
-@@ -40,6 +40,20 @@ gen_tunable(allow_ftpd_use_nfs, false)
+@@ -40,6 +40,27 @@ gen_tunable(allow_ftpd_use_nfs, false)
  
  ## <desc>
  ## <p>
@@ -40356,6 +102853,13 @@ index 8a74a83..84fe0c6 100644
 +
 +## <desc>
 +## <p>
++## Allow ftp servers to use bind to all unreserved ports for passive mode
++## </p>
++## </desc>
++gen_tunable(ftpd_use_passive_mode, false)
++
++## <desc>
++## <p>
 +## Allow ftp servers to connect to all ports > 1023
 +## </p>
 +## </desc>
@@ -40366,7 +102870,16 @@ index 8a74a83..84fe0c6 100644
  ## Allow ftp to read and write files in the user home directories
  ## </p>
  ## </desc>
-@@ -70,6 +84,14 @@ gen_tunable(sftpd_enable_homedirs, false)
+@@ -48,7 +69,7 @@ gen_tunable(ftp_home_dir, false)
+ ## <desc>
+ ## <p>
+ ## Allow anon internal-sftp to upload files, used for
+-## public file transfer services. Directories must be labeled
++## public file transfer services, directories must be labeled
+ ## public_content_rw_t.
+ ## </p>
+ ## </desc>
+@@ -70,6 +91,14 @@ gen_tunable(sftpd_enable_homedirs, false)
  ## </desc>
  gen_tunable(sftpd_full_access, false)
  
@@ -40381,7 +102894,7 @@ index 8a74a83..84fe0c6 100644
  type anon_sftpd_t;
  typealias anon_sftpd_t alias sftpd_anon_t;
  domain_type(anon_sftpd_t)
-@@ -85,6 +107,9 @@ files_config_file(ftpd_etc_t)
+@@ -85,6 +114,9 @@ files_config_file(ftpd_etc_t)
  type ftpd_initrc_exec_t;
  init_script_file(ftpd_initrc_exec_t)
  
@@ -40391,7 +102904,7 @@ index 8a74a83..84fe0c6 100644
  type ftpd_lock_t;
  files_lock_file(ftpd_lock_t)
  
-@@ -115,6 +140,10 @@ ifdef(`enable_mcs',`
+@@ -115,6 +147,10 @@ ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
  ')
  
@@ -40402,7 +102915,7 @@ index 8a74a83..84fe0c6 100644
  ########################################
  #
  # anon-sftp local policy
-@@ -122,6 +151,7 @@ ifdef(`enable_mcs',`
+@@ -122,6 +158,7 @@ ifdef(`enable_mcs',`
  
  files_read_etc_files(anon_sftpd_t)
  
@@ -40410,7 +102923,7 @@ index 8a74a83..84fe0c6 100644
  miscfiles_read_public_files(anon_sftpd_t)
  
  tunable_policy(`sftpd_anon_write',`
-@@ -133,7 +163,7 @@ tunable_policy(`sftpd_anon_write',`
+@@ -133,7 +170,7 @@ tunable_policy(`sftpd_anon_write',`
  # ftpd local policy
  #
  
@@ -40419,7 +102932,7 @@ index 8a74a83..84fe0c6 100644
  dontaudit ftpd_t self:capability sys_tty_config;
  allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
  allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +181,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+@@ -151,7 +188,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
  
  manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
  manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
@@ -40427,7 +102940,7 @@ index 8a74a83..84fe0c6 100644
  
  manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
  manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +192,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+@@ -163,13 +199,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
  manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
  manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
  manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
@@ -40443,7 +102956,16 @@ index 8a74a83..84fe0c6 100644
  
  # Create and modify /var/log/xferlog.
  manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -196,9 +225,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
+@@ -177,7 +213,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+ 
+ kernel_read_kernel_sysctls(ftpd_t)
+ kernel_read_system_state(ftpd_t)
+-kernel_search_network_state(ftpd_t)
++kernel_read_network_state(ftpd_t)
+ 
+ dev_read_sysfs(ftpd_t)
+ dev_read_urand(ftpd_t)
+@@ -196,9 +232,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
  corenet_tcp_bind_ftp_port(ftpd_t)
  corenet_tcp_bind_ftp_data_port(ftpd_t)
  corenet_tcp_bind_generic_port(ftpd_t)
@@ -40455,7 +102977,7 @@ index 8a74a83..84fe0c6 100644
  corenet_sendrecv_ftp_server_packets(ftpd_t)
  
  domain_use_interactive_fds(ftpd_t)
-@@ -212,13 +240,11 @@ fs_search_auto_mountpoints(ftpd_t)
+@@ -212,13 +247,11 @@ fs_search_auto_mountpoints(ftpd_t)
  fs_getattr_all_fs(ftpd_t)
  fs_search_fusefs(ftpd_t)
  
@@ -40471,7 +102993,7 @@ index 8a74a83..84fe0c6 100644
  
  init_rw_utmp(ftpd_t)
  
-@@ -261,7 +287,11 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+@@ -261,7 +294,15 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
  
  tunable_policy(`allow_ftpd_full_access',`
  	allow ftpd_t self:capability { dac_override dac_read_search };
@@ -40479,12 +103001,16 @@ index 8a74a83..84fe0c6 100644
 +	files_manage_non_security_files(ftpd_t)
 +')
 +
++tunable_policy(`ftpd_use_passive_mode',`
++	corenet_tcp_bind_all_unreserved_ports(ftpd_t)
++')
++
 +tunable_policy(`ftpd_connect_all_unreserved',`
 +	corenet_tcp_connect_all_unreserved_ports(ftpd_t)
  ')
  
  tunable_policy(`ftp_home_dir',`
-@@ -270,10 +300,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +311,13 @@ tunable_policy(`ftp_home_dir',`
  	# allow access to /home
  	files_list_home(ftpd_t)
  	userdom_read_user_home_content_files(ftpd_t)
@@ -40502,7 +103028,7 @@ index 8a74a83..84fe0c6 100644
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,6 +342,10 @@ optional_policy(`
+@@ -309,10 +353,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40513,10 +103039,12 @@ index 8a74a83..84fe0c6 100644
  	selinux_validate_context(ftpd_t)
  
  	kerberos_keytab_template(ftpd, ftpd_t)
-@@ -316,6 +353,25 @@ optional_policy(`
- ')
- 
- optional_policy(`
+-	kerberos_manage_host_rcache(ftpd_t)
++	# this part of auth_use_pam
++	#kerberos_manage_host_rcache(ftpd_t)
++')
++
++optional_policy(`
 +	tunable_policy(`ftpd_connect_db',`
 +		mysql_stream_connect(ftpd_t)
 +	')
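Review bot: The replacement for `kerberos_manage_host_rcache(ftpd_t)` leaves the call in place as a commented-out line under `# this part of auth_use_pam`. Dead policy lines are easy to re-enable by accident, and the comment does not clearly say where the access now comes from. If the intent is that `auth_use_pam()` already grants it (not visible in this hunk), delete the commented line and keep one sentence, e.g. `# host rcache access is provided by auth_use_pam()`. The enclosing `optional_policy` block starts before the hunk.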
@@ -40533,13 +103061,10 @@ index 8a74a83..84fe0c6 100644
 +		mysql_tcp_connect(ftpd_t)
 +		postgresql_tcp_connect(ftpd_t)
 +	')
-+')
-+
-+optional_policy(`
- 	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
+ ')
  
- 	optional_policy(`
-@@ -347,16 +403,17 @@ optional_policy(`
+ optional_policy(`
+@@ -347,16 +415,17 @@ optional_policy(`
  
  # Allow ftpdctl to talk to ftpd over a socket connection
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -40559,7 +103084,7 @@ index 8a74a83..84fe0c6 100644
  
  ########################################
  #
-@@ -365,18 +422,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +434,33 @@ userdom_use_user_terminals(ftpdctl_t)
  
  files_read_etc_files(sftpd_t)
  
@@ -40596,7 +103121,7 @@ index 8a74a83..84fe0c6 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +466,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +478,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -41667,10 +104192,10 @@ index 0000000..ebe1dde
 +')
 diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
 new file mode 100644
-index 0000000..4afb81f
+index 0000000..57e0566
 --- /dev/null
 +++ b/policy/modules/services/glance.te
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,112 @@
 +policy_module(glance, 1.0.0)
 +
 +########################################
@@ -41754,6 +104279,13 @@ index 0000000..4afb81f
 +corenet_tcp_bind_generic_node(glance_registry_t)
 +corenet_tcp_bind_glance_registry_port(glance_registry_t)
 +
++logging_send_syslog_msg(glance_registry_t)
++
++
++optional_policy(`
++	mysql_stream_connect(glance_registry_t)
++')
++
 +########################################
 +#
 +# glance-api local policy
@@ -41767,8 +104299,9 @@ index 0000000..4afb81f
 +corecmd_exec_shell(glance_api_t)
 +
 +corenet_tcp_bind_generic_node(glance_api_t)
-+corenet_tcp_bind_hplip_port(glance_api_t)
++corenet_tcp_bind_glance_port(glance_api_t)
 +corenet_tcp_connect_glance_registry_port(glance_api_t)
++corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
 +
 +dev_read_urand(glance_api_t)
 +
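Review bot: `corenet_tcp_connect_all_ephemeral_ports(glance_api_t)` lets glance-api open TCP connections to any port in the ephemeral range, which is much broader than the named-port rules beside it (`corenet_tcp_connect_glance_registry_port`). Nothing in the hunk says which peer needs this; if it is one specific backend, a named port type would keep the API process confined to that backend instead of every listener in the range. At minimum add a comment above the line naming the reason, e.g. `# <service> listens on a dynamically assigned port`. The glance-api local policy section continues outside the hunk.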
@@ -41816,10 +104349,17 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..a250b06 100644
+index 4fde46b..469a6e3 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
-@@ -14,19 +14,28 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -8,25 +8,37 @@ policy_module(gnomeclock, 1.0.0)
+ type gnomeclock_t;
+ type gnomeclock_exec_t;
+ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
++init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
+ 
+ ########################################
+ #
  # gnomeclock local policy
  #
  
@@ -41837,6 +104377,8 @@ index 4fde46b..a250b06 100644
 +corecmd_exec_shell(gnomeclock_t)
 +corecmd_dontaudit_access_check_bin(gnomeclock_t)
 +
++corenet_tcp_connect_time_port(gnomeclock_t)
++
 +dev_read_sysfs(gnomeclock_t)
  
 -files_read_etc_files(gnomeclock_t)
@@ -41852,7 +104394,7 @@ index 4fde46b..a250b06 100644
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +44,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +47,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
@@ -41879,6 +104421,7 @@ index 4fde46b..a250b06 100644
 +	ntp_domtrans_ntpdate(gnomeclock_t)
 +	ntp_initrc_domtrans(gnomeclock_t)
 +	init_dontaudit_getattr_all_script_files(gnomeclock_t)
++	init_dontaudit_getattr_exec(gnomeclock_t)
 +	ntp_systemctl(gnomeclock_t)
 +')
 +
@@ -41948,7 +104491,7 @@ index a627b34..c4cfc6d 100644
  optional_policy(`
  	seutil_sigchld_newrole(gpm_t)
 diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
-index 03742d8..f38c5db 100644
+index 03742d8..3f7065f 100644
 --- a/policy/modules/services/gpsd.te
 +++ b/policy/modules/services/gpsd.te
 @@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t)
@@ -41963,11 +104506,12 @@ index 03742d8..f38c5db 100644
  allow gpsd_t self:shm create_shm_perms;
  allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow gpsd_t self:tcp_socket create_stream_socket_perms;
-@@ -38,16 +39,24 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+@@ -38,16 +39,25 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
  manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
  files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
  
 +kernel_list_proc(gpsd_t)
++kernel_request_load_module(gpsd_t)
 +
  corenet_all_recvfrom_unlabeled(gpsd_t)
  corenet_all_recvfrom_netlabel(gpsd_t)
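Review bot: `kernel_request_load_module(gpsd_t)` is added with no comment, and gpsd_t also holds `tcp_socket create_stream_socket_perms` a few lines up, so a network-facing daemon gains the ability to trigger kernel module autoloading. If the rule answers a denial for one socket family or device driver, record that next to it (`# gpsd opens <socket family/device>, which autoloads its module`) so it can be revisited. If the daemon works without the module, `kernel_dontaudit_request_load_module(gpsd_t)` would be the narrower choice. The gpsd local policy continues outside the hunk.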
@@ -41989,7 +104533,7 @@ index 03742d8..f38c5db 100644
  
  auth_use_nsswitch(gpsd_t)
  
-@@ -56,6 +65,12 @@ logging_send_syslog_msg(gpsd_t)
+@@ -56,6 +66,12 @@ logging_send_syslog_msg(gpsd_t)
  miscfiles_read_localization(gpsd_t)
  
  optional_policy(`
@@ -42763,10 +105307,21 @@ index df48e5e..878d9df 100644
  		type inetd_t;
  	')
 diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
-index c51a7b2..5f71f35 100644
+index c51a7b2..afc68dc 100644
 --- a/policy/modules/services/inetd.te
 +++ b/policy/modules/services/inetd.te
-@@ -149,7 +149,10 @@ miscfiles_read_localization(inetd_t)
+@@ -89,6 +89,10 @@ corenet_tcp_bind_ftp_port(inetd_t)
+ corenet_udp_bind_ftp_port(inetd_t)
+ corenet_tcp_bind_inetd_child_port(inetd_t)
+ corenet_udp_bind_inetd_child_port(inetd_t)
++corenet_tcp_bind_echo_port(inetd_t)
++corenet_udp_bind_echo_port(inetd_t)
++corenet_tcp_bind_time_port(inetd_t)
++corenet_udp_bind_time_port(inetd_t)
+ corenet_tcp_bind_ircd_port(inetd_t)
+ corenet_udp_bind_ktalkd_port(inetd_t)
+ corenet_tcp_bind_printer_port(inetd_t)
+@@ -149,7 +153,10 @@ miscfiles_read_localization(inetd_t)
  mls_fd_share_all_levels(inetd_t)
  mls_socket_read_to_clearance(inetd_t)
  mls_socket_write_to_clearance(inetd_t)
@@ -42777,6 +105332,17 @@ index c51a7b2..5f71f35 100644
  
  sysnet_read_config(inetd_t)
  
+@@ -176,6 +183,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	tftp_read_config(inetd_t)
++')
++
++optional_policy(`
+ 	udev_read_db(inetd_t)
+ ')
+ 
 diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc
 index 8ca038d..8507ee2 100644
 --- a/policy/modules/services/inn.fc
@@ -42983,6 +105549,267 @@ index 9aeeaf9..28fdfc5 100644
  allow irqbalance_t self:process { getcap setcap signal_perms };
  allow irqbalance_t self:udp_socket create_socket_perms;
  
+diff --git a/policy/modules/services/isnsd.fc b/policy/modules/services/isnsd.fc
+new file mode 100644
+index 0000000..3e29080
+--- /dev/null
++++ b/policy/modules/services/isnsd.fc
+@@ -0,0 +1,8 @@
++/etc/rc\.d/init\.d/isnsd	--	gen_context(system_u:object_r:isnsd_initrc_exec_t,s0)
++
++/usr/sbin/isnsd		--	gen_context(system_u:object_r:isnsd_exec_t,s0)
++
++/var/lib/isns(/.*)?		gen_context(system_u:object_r:isnsd_var_lib_t,s0)
++
++/var/run/isnsd\.pid		--	gen_context(system_u:object_r:isnsd_var_run_t,s0)
++/var/run/isnsctl		-s	gen_context(system_u:object_r:isnsd_var_run_t,s0)
+diff --git a/policy/modules/services/isnsd.if b/policy/modules/services/isnsd.if
+new file mode 100644
+index 0000000..1b3514a
+--- /dev/null
++++ b/policy/modules/services/isnsd.if
+@@ -0,0 +1,181 @@
++
++## <summary>policy for isnsd</summary>
++
++
++########################################
++## <summary>
++##	Transition to isnsd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`isnsd_domtrans',`
++	gen_require(`
++		type isnsd_t, isnsd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, isnsd_exec_t, isnsd_t)
++')
++
++
++########################################
++## <summary>
++##	Execute isnsd server in the isnsd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`isnsd_initrc_domtrans',`
++	gen_require(`
++		type isnsd_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
++')
++
++
++########################################
++## <summary>
++##	Search isnsd lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`isnsd_search_lib',`
++	gen_require(`
++		type isnsd_var_lib_t;
++	')
++
++	allow $1 isnsd_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read isnsd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`isnsd_read_lib_files',`
++	gen_require(`
++		type isnsd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage isnsd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`isnsd_manage_lib_files',`
++	gen_require(`
++		type isnsd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage isnsd lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`isnsd_manage_lib_dirs',`
++	gen_require(`
++		type isnsd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
++')
++
++
++########################################
++## <summary>
++##	Read isnsd PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`isnsd_read_pid_files',`
++	gen_require(`
++		type isnsd_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 isnsd_var_run_t:file read_file_perms;
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an isnsd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`isnsd_admin',`
++	gen_require(`
++		type isnsd_t;
++	type isnsd_initrc_exec_t;
++	type isnsd_var_lib_t;
++	type isnsd_var_run_t;
++	')
++
++	allow $1 isnsd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, isnsd_t)
++
++	isnsd_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 isnsd_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_var_lib($1)
++	admin_pattern($1, isnsd_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, isnsd_var_run_t)
++
++')
++
+diff --git a/policy/modules/services/isnsd.te b/policy/modules/services/isnsd.te
+new file mode 100644
+index 0000000..a0f2f83
+--- /dev/null
++++ b/policy/modules/services/isnsd.te
+@@ -0,0 +1,54 @@
++policy_module(isnsd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type isnsd_t;
++type isnsd_exec_t;
++init_daemon_domain(isnsd_t, isnsd_exec_t)
++
++type isnsd_initrc_exec_t;
++init_script_file(isnsd_initrc_exec_t)
++
++type isnsd_var_lib_t;
++files_type(isnsd_var_lib_t)
++
++type isnsd_var_run_t;
++files_pid_file(isnsd_var_run_t)
++
++########################################
++#
++# isnsd local policy
++#
++
++allow isnsd_t self:capability { kill };
++allow isnsd_t self:process { signal };
++
++allow isnsd_t self:fifo_file rw_fifo_file_perms;
++allow isnsd_t self:udp_socket { listen };
++allow isnsd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
++manage_files_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
++files_var_lib_filetrans(isnsd_t, isnsd_var_lib_t, { dir file })
++
++manage_dirs_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
++manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
++manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
++files_pid_filetrans(isnsd_t, isnsd_var_run_t, { dir file sock_file })
++
++corenet_tcp_bind_generic_node(isnsd_t)
++corenet_tcp_bind_isns_port(isnsd_t)
++
++domain_use_interactive_fds(isnsd_t)
++
++files_read_etc_files(isnsd_t)
++
++logging_send_syslog_msg(isnsd_t)
++
++miscfiles_read_localization(isnsd_t)
++
++sysnet_dns_name_resolve(isnsd_t)
++
 diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc
 index 4c9acec..9a9ca2a 100644
 --- a/policy/modules/services/jabber.fc
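Review bot: In the new isnsd.te, `allow isnsd_t self:udp_socket { listen };` grants a permission that has no effect on a datagram socket, while the domain gets `corenet_tcp_bind_generic_node` and `corenet_tcp_bind_isns_port` but no `tcp_socket` permissions on itself. Unless a macro not visible here supplies them, the daemon may name-bind the port type but cannot create or listen on the TCP socket, so it would only run cleanly in permissive mode. The likely intent is `allow isnsd_t self:tcp_socket create_stream_socket_perms;`, with the udp_socket line either dropped or changed to `create_socket_perms` if iSNS over UDP is actually needed.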
@@ -43178,10 +106005,10 @@ index 9878499..8643cd3 100644
 -	admin_pattern($1, jabberd_var_run_t)
  ')
 diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
-index da2127e..24e20b0 100644
+index da2127e..91bdd44 100644
 --- a/policy/modules/services/jabber.te
 +++ b/policy/modules/services/jabber.te
-@@ -5,90 +5,148 @@ policy_module(jabber, 1.8.0)
+@@ -5,90 +5,150 @@ policy_module(jabber, 1.8.0)
  # Declarations
  #
  
@@ -43259,40 +106086,42 @@ index da2127e..24e20b0 100644
 -corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
 +manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
 +manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
- 
--dev_read_sysfs(jabberd_t)
--# For SSL
--dev_read_rand(jabberd_t)
++
++kernel_read_network_state(jabberd_router_t)
++
 +corenet_tcp_bind_jabber_client_port(jabberd_router_t)
 +corenet_tcp_bind_jabber_router_port(jabberd_router_t)
 +corenet_tcp_connect_jabber_router_port(jabberd_router_t)
 +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
 +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
  
--domain_use_interactive_fds(jabberd_t)
+-dev_read_sysfs(jabberd_t)
+-# For SSL
+-dev_read_rand(jabberd_t)
 +fs_getattr_all_fs(jabberd_router_t)
  
--files_read_etc_files(jabberd_t)
--files_read_etc_runtime_files(jabberd_t)
+-domain_use_interactive_fds(jabberd_t)
 +miscfiles_read_generic_certs(jabberd_router_t)
  
--fs_getattr_all_fs(jabberd_t)
--fs_search_auto_mountpoints(jabberd_t)
+-files_read_etc_files(jabberd_t)
+-files_read_etc_runtime_files(jabberd_t)
 +optional_policy(`
 +	kerberos_use(jabberd_router_t)
 +')
  
--logging_send_syslog_msg(jabberd_t)
+-fs_getattr_all_fs(jabberd_t)
+-fs_search_auto_mountpoints(jabberd_t)
 +optional_policy(`
 +	nis_use_ypbind(jabberd_router_t)
 +')
  
--miscfiles_read_localization(jabberd_t)
+-logging_send_syslog_msg(jabberd_t)
 +#####################################
 +#
 +# Local policy for other jabberd components
 +#
-+
+ 
+-miscfiles_read_localization(jabberd_t)
 +manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
 +manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
  
@@ -43311,8 +106140,8 @@ index da2127e..24e20b0 100644
  optional_policy(`
 -	seutil_sigchld_newrole(jabberd_t)
 +	udev_read_db(jabberd_t)
-+')
-+
+ ')
+ 
 +######################################
 +#
 +# Local policy for pyicq-t
@@ -43343,12 +106172,12 @@ index da2127e..24e20b0 100644
 +libs_use_shared_libs(pyicqt_t)
 +
 +# needed for pyicq-t-mysql
-+optional_policy(`
-+	corenet_tcp_connect_mysqld_port(pyicqt_t)
- ')
- 
  optional_policy(`
 -	udev_read_db(jabberd_t)
++	corenet_tcp_connect_mysqld_port(pyicqt_t)
++')
++
++optional_policy(`
 +	sysnet_use_ldap(pyicqt_t)
  ')
 +
@@ -43386,8 +106215,333 @@ index da2127e..24e20b0 100644
 +miscfiles_read_localization(jabberd_domain)
 +
 +sysnet_read_config(jabberd_domain)
+diff --git a/policy/modules/services/jetty.fc b/policy/modules/services/jetty.fc
+new file mode 100644
+index 0000000..1725b7e
+--- /dev/null
++++ b/policy/modules/services/jetty.fc
+@@ -0,0 +1,9 @@
++
++/var/cache/jetty(/.*)?		gen_context(system_u:object_r:jetty_cache_t,s0)
++
++/var/lib/jetty(/.*)?		gen_context(system_u:object_r:jetty_var_lib_t,s0)
++
++/var/log/jetty(/.*)?		gen_context(system_u:object_r:jetty_log_t,s0)
++
++/var/run/jetty(/.*)?		gen_context(system_u:object_r:jetty_var_run_t,s0)
++
+diff --git a/policy/modules/services/jetty.if b/policy/modules/services/jetty.if
+new file mode 100644
+index 0000000..9f09101
+--- /dev/null
++++ b/policy/modules/services/jetty.if
+@@ -0,0 +1,273 @@
++
++## <summary>policy for jetty</summary>
++
++########################################
++## <summary>
++##	Search jetty cache directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jetty_search_cache',`
++	gen_require(`
++		type jetty_cache_t;
++	')
++
++	allow $1 jetty_cache_t:dir search_dir_perms;
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Read jetty cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jetty_read_cache_files',`
++	gen_require(`
++		type jetty_cache_t;
++	')
++
++	files_search_var($1)
++	read_files_pattern($1, jetty_cache_t, jetty_cache_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	jetty cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jetty_manage_cache_files',`
++	gen_require(`
++		type jetty_cache_t;
++	')
++
++	files_search_var($1)
++	manage_files_pattern($1, jetty_cache_t, jetty_cache_t)
++')
++
++########################################
++## <summary>
++##	Manage jetty cache dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jetty_manage_cache_dirs',`
++	gen_require(`
++		type jetty_cache_t;
++	')
++
++	files_search_var($1)
++	manage_dirs_pattern($1, jetty_cache_t, jetty_cache_t)
++')
++
++########################################
++## <summary>
++##	Read jetty's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`jetty_read_log',`
++	gen_require(`
++		type jetty_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, jetty_log_t, jetty_log_t)
++')
++
++########################################
++## <summary>
++##	Append to jetty log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jetty_append_log',`
++	gen_require(`
++		type jetty_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, jetty_log_t, jetty_log_t)
++')
++
++########################################
++## <summary>
++##	Manage jetty log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jetty_manage_log',`
++	gen_require(`
++		type jetty_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, jetty_log_t, jetty_log_t)
++	manage_files_pattern($1, jetty_log_t, jetty_log_t)
++	manage_lnk_files_pattern($1, jetty_log_t, jetty_log_t)
++')
++
++########################################
++## <summary>
++##	Search jetty lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jetty_search_lib',`
++	gen_require(`
++		type jetty_var_lib_t;
++	')
++
++	allow $1 jetty_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read jetty lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jetty_read_lib_files',`
++	gen_require(`
++		type jetty_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage jetty lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jetty_manage_lib_files',`
++	gen_require(`
++		type jetty_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage jetty lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jetty_manage_lib_dirs',`
++	gen_require(`
++		type jetty_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Read jetty PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jetty_read_pid_files',`
++	gen_require(`
++		type jetty_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 jetty_var_run_t:file read_file_perms;
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an jetty environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`jetty_admin',`
++	gen_require(`
++		type jetty_cache_t;
++		type jetty_log_t;
++		type jetty_var_lib_t;
++		type jetty_var_run_t;
++	')
++
++	files_search_var($1)
++	admin_pattern($1, jetty_cache_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, jetty_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, jetty_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, jetty_var_run_t)
++')
+diff --git a/policy/modules/services/jetty.te b/policy/modules/services/jetty.te
+new file mode 100644
+index 0000000..af510ea
+--- /dev/null
++++ b/policy/modules/services/jetty.te
+@@ -0,0 +1,25 @@
++policy_module(jetty, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type jetty_cache_t;
++files_type(jetty_cache_t)
++
++type jetty_log_t;
++logging_log_file(jetty_log_t)
++
++type jetty_var_lib_t;
++files_type(jetty_var_lib_t)
++
++type jetty_var_run_t;
++files_pid_file(jetty_var_run_t)
++
++########################################
++#
++# jetty local policy
++#
++
++# No local policy. This module just contains type definitions
 diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
-index 3525d24..033de90 100644
+index 3525d24..36582cd 100644
 --- a/policy/modules/services/kerberos.fc
 +++ b/policy/modules/services/kerberos.fc
 @@ -8,7 +8,7 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
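Review bot: `jetty_admin` documents a second `role` parameter, but its body only ever uses `$1`; the module declares no `jetty_t` domain, init script type or `role_transition`, so the argument is silently ignored. Either drop the `<param name="role">` block and the `<rolecap/>` tag, or keep the two-argument signature for parity with other `*_admin` interfaces and say so in the summary, e.g. `##	The role argument is currently unused.` The summary text also reads "an jetty environment", and the `jetty_manage_log` summary lacks its closing period.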
@@ -43399,7 +106553,7 @@ index 3525d24..033de90 100644
  /etc/rc\.d/init\.d/kprop	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-@@ -30,4 +30,8 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
+@@ -30,4 +30,12 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
  /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
  /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
  
@@ -43407,9 +106561,13 @@ index 3525d24..033de90 100644
 +
  /var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/HTTP_48		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/nfs_0		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/ldapmap1_0		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/ldap_487		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/ldap_55		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..91ef376 100644
+index 604f67b..ea249fa 100644
 --- a/policy/modules/services/kerberos.if
 +++ b/policy/modules/services/kerberos.if
 @@ -26,9 +26,9 @@
@@ -43456,7 +106614,18 @@ index 604f67b..91ef376 100644
  	')
  
  	optional_policy(`
-@@ -218,6 +218,25 @@ interface(`kerberos_rw_keytab',`
+@@ -111,10 +111,6 @@ interface(`kerberos_use',`
+ 			pcscd_stream_connect($1)
+ 		')
+ 	')
+-
+-	optional_policy(`
+-		sssd_read_public_files($1)
+-	')
+ ')
+ 
+ ########################################
+@@ -218,6 +214,25 @@ interface(`kerberos_rw_keytab',`
  
  ########################################
  ## <summary>
@@ -43482,7 +106651,7 @@ index 604f67b..91ef376 100644
  ##	Create a derived type for kerberos keytab
  ## </summary>
  ## <param name="prefix">
-@@ -235,7 +254,7 @@ template(`kerberos_keytab_template',`
+@@ -235,7 +250,7 @@ template(`kerberos_keytab_template',`
  	type $1_keytab_t;
  	files_type($1_keytab_t)
  
@@ -43491,7 +106660,7 @@ index 604f67b..91ef376 100644
  
  	kerberos_read_keytab($2)
  	kerberos_use($2)
-@@ -289,35 +308,14 @@ interface(`kerberos_manage_host_rcache',`
+@@ -289,31 +304,18 @@ interface(`kerberos_manage_host_rcache',`
  
  		seutil_read_file_contexts($1)
  
@@ -43500,10 +106669,10 @@ index 604f67b..91ef376 100644
 +		manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
  		files_search_tmp($1)
  	')
- ')
- 
- ########################################
- ## <summary>
+-')
+-
+-########################################
+-## <summary>
 -##	Connect to krb524 service
 -## </summary>
 -## <param name="domain">
@@ -43515,21 +106684,24 @@ index 604f67b..91ef376 100644
 -interface(`kerberos_connect_524',`
 -	tunable_policy(`allow_kerberos',`
 -		allow $1 self:udp_socket create_socket_perms;
--
+ 
 -		corenet_all_recvfrom_unlabeled($1)
 -		corenet_udp_sendrecv_generic_if($1)
 -		corenet_udp_sendrecv_generic_node($1)
 -		corenet_udp_sendrecv_kerberos_master_port($1)
 -		corenet_sendrecv_kerberos_master_client_packets($1)
 -	')
--')
--
--########################################
--## <summary>
- ##	All of the rules required to administrate 
- ##	an kerberos environment
- ## </summary>
-@@ -338,18 +336,22 @@ interface(`kerberos_admin',`
++	kerberos_tmp_filetrans_host_rcache($1, "host_0")
++	kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
++	kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
++	kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
++	kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
++	kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
++	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
+ ')
+ 
+ ########################################
+@@ -338,18 +340,22 @@ interface(`kerberos_admin',`
  		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
  		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
  		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -43557,7 +106729,7 @@ index 604f67b..91ef376 100644
  	ps_process_pattern($1, kpropd_t)
  
  	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
-@@ -378,3 +380,109 @@ interface(`kerberos_admin',`
+@@ -378,3 +384,113 @@ interface(`kerberos_admin',`
  
  	admin_pattern($1, krb5kdc_var_run_t)
  ')
@@ -43613,10 +106785,10 @@ index 604f67b..91ef376 100644
 +#
 +interface(`kerberos_filetrans_admin_home_content',`
 +	gen_require(`
-+		type kerberos_home_t;
++		type krb5_home_t;
 +	')
 +
-+	userdom_admin_home_dir_filetrans($1, kerberos_home_t, file, ".k5login")
++	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
 +')
 +
 +########################################
@@ -43631,10 +106803,10 @@ index 604f67b..91ef376 100644
 +#
 +interface(`kerberos_filetrans_home_content',`
 +	gen_require(`
-+		type kerberos_home_t;
++		type krb5_home_t;
 +	')
 +
-+	userdom_user_home_dir_filetrans($1, kerberos_home_t, file, ".k5login")
++	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
 +')
 +
 +########################################
@@ -43665,7 +106837,11 @@ index 604f67b..91ef376 100644
 +
 +	kerberos_tmp_filetrans_host_rcache($1, "host_0")
 +	kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
++	kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
++	kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
 +	kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
++	kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
++	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
 +')
 diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
 index 8edc29b..92dde2c 100644
@@ -43949,6 +107125,324 @@ index 0000000..21e49e3
 +files_read_etc_files(keyboardd_t)
 +
 +miscfiles_read_localization(keyboardd_t)
+diff --git a/policy/modules/services/keystone.fc b/policy/modules/services/keystone.fc
+new file mode 100644
+index 0000000..408d6c0
+--- /dev/null
++++ b/policy/modules/services/keystone.fc
+@@ -0,0 +1,7 @@
++/usr/bin/keystone-all		--	gen_context(system_u:object_r:keystone_exec_t,s0)
++
++/usr/lib/systemd/system/openstack-keystone.*		--	gen_context(system_u:object_r:keystone_unit_file_t,s0)
++
++/var/lib/keystone(/.*)?		gen_context(system_u:object_r:keystone_var_lib_t,s0)
++
++/var/log/keystone(/.*)?		gen_context(system_u:object_r:keystone_log_t,s0)
+diff --git a/policy/modules/services/keystone.if b/policy/modules/services/keystone.if
+new file mode 100644
+index 0000000..c7a5aeb
+--- /dev/null
++++ b/policy/modules/services/keystone.if
+@@ -0,0 +1,224 @@
++
++## <summary>policy for keystone</summary>
++
++########################################
++## <summary>
++##	Transition to keystone.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`keystone_domtrans',`
++	gen_require(`
++		type keystone_t, keystone_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, keystone_exec_t, keystone_t)
++')
++########################################
++## <summary>
++##	Read keystone's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`keystone_read_log',`
++	gen_require(`
++		type keystone_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, keystone_log_t, keystone_log_t)
++')
++
++########################################
++## <summary>
++##	Append to keystone log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`keystone_append_log',`
++	gen_require(`
++		type keystone_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, keystone_log_t, keystone_log_t)
++')
++
++########################################
++## <summary>
++##	Manage keystone log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`keystone_manage_log',`
++	gen_require(`
++		type keystone_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, keystone_log_t, keystone_log_t)
++	manage_files_pattern($1, keystone_log_t, keystone_log_t)
++	manage_lnk_files_pattern($1, keystone_log_t, keystone_log_t)
++')
++
++########################################
++## <summary>
++##	Search keystone lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`keystone_search_lib',`
++	gen_require(`
++		type keystone_var_lib_t;
++	')
++
++	allow $1 keystone_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read keystone lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`keystone_read_lib_files',`
++	gen_require(`
++		type keystone_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage keystone lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`keystone_manage_lib_files',`
++	gen_require(`
++		type keystone_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage keystone lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`keystone_manage_lib_dirs',`
++	gen_require(`
++		type keystone_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Execute keystone server in the keystone domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`keystone_systemctl',`
++	gen_require(`
++		type keystone_t;
++		type keystone_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_read_fifo_file_passwd_run($1)
++	allow $1 keystone_unit_file_t:file read_file_perms;
++	allow $1 keystone_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, keystone_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an keystone environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`keystone_admin',`
++	gen_require(`
++		type keystone_t;
++		type keystone_log_t;
++		type keystone_var_lib_t;
++		type keystone_unit_file_t;
++	')
++
++	allow $1 keystone_t:process { ptrace signal_perms };
++	ps_process_pattern($1, keystone_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, keystone_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, keystone_var_lib_t)
++
++	keystone_systemctl($1)
++	admin_pattern($1, keystone_unit_file_t)
++	allow $1 keystone_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/policy/modules/services/keystone.te b/policy/modules/services/keystone.te
+new file mode 100644
+index 0000000..1b3d4d9
+--- /dev/null
++++ b/policy/modules/services/keystone.te
+@@ -0,0 +1,69 @@
++policy_module(keystone, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type keystone_t;
++type keystone_exec_t;
++init_daemon_domain(keystone_t, keystone_exec_t)
++
++type keystone_log_t;
++logging_log_file(keystone_log_t)
++
++type keystone_var_lib_t;
++files_type(keystone_var_lib_t)
++
++type keystone_tmp_t;
++files_tmp_file(keystone_tmp_t)
++
++type keystone_unit_file_t;
++systemd_unit_file(keystone_unit_file_t)
++
++########################################
++#
++# keystone local policy
++#
++allow keystone_t self:fifo_file rw_fifo_file_perms;
++allow keystone_t self:unix_stream_socket create_stream_socket_perms;
++allow keystone_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(keystone_t, keystone_log_t, keystone_log_t)
++manage_files_pattern(keystone_t, keystone_log_t, keystone_log_t)
++logging_log_filetrans(keystone_t, keystone_log_t, { dir file })
++
++manage_dirs_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
++manage_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
++manage_lnk_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
++files_tmp_filetrans(keystone_t, keystone_tmp_t, { file dir lnk_file })
++can_exec(keystone_t, keystone_tmp_t)
++
++manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
++manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
++files_var_lib_filetrans(keystone_t, keystone_var_lib_t, { dir file })
++
++kernel_read_system_state(keystone_t)
++
++corecmd_exec_bin(keystone_t)
++corecmd_exec_shell(keystone_t)
++
++corenet_tcp_bind_keystone_port(keystone_t)
++corenet_tcp_bind_generic_node(keystone_t)
++
++dev_read_urand(keystone_t)
++
++domain_use_interactive_fds(keystone_t)
++
++files_read_etc_files(keystone_t)
++files_read_usr_files(keystone_t)
++
++auth_use_pam(keystone_t)
++
++libs_exec_ldconfig(keystone_t)
++
++miscfiles_read_localization(keystone_t)
++
++optional_policy(`
++	mysql_stream_connect(keystone_t)
++')
 diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc
 index 9c0c835..8360166 100644
 --- a/policy/modules/services/ksmtuned.fc
@@ -44064,29 +107558,35 @@ index ca5cfdf..554ad30 100644
  
 diff --git a/policy/modules/services/l2tpd.fc b/policy/modules/services/l2tpd.fc
 new file mode 100644
-index 0000000..76d879e
+index 0000000..6b27066
 --- /dev/null
 +++ b/policy/modules/services/l2tpd.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,18 @@
++/etc/prol2tp(/.*)?	gen_context(system_u:object_r:l2tp_etc_t,s0)
 +
-+/etc/rc\.d/init\.d/xl2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/openl2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/prol2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/xl2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
 +
-+/usr/sbin/xl2tpd		--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+/usr/sbin/openl2tpd		--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+
-+/var/run/xl2tpd(/.*)?			gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/etc/sysconfig/prol2tpd	--	gen_context(system_u:object_r:l2tp_etc_t,s0)
 +
-+/var/run/xl2tpd\.pid			gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/usr/sbin/openl2tpd	--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
++/usr/sbin/prol2tpd	--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
++/usr/sbin/xl2tpd	--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
 +
++/var/run/openl2tpd\.pid	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd(/.*)?	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd\.ctl	-s	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd\.pid	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/xl2tpd(/.*)?	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/xl2tpd\.pid	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
 diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if
 new file mode 100644
-index 0000000..c8b246f
+index 0000000..8bc2c6d
 --- /dev/null
 +++ b/policy/modules/services/l2tpd.if
-@@ -0,0 +1,118 @@
-+
-+## <summary>policy for l2tpd</summary>
+@@ -0,0 +1,178 @@
++## <summary>Layer 2 Tunneling Protocol daemons.</summary>
 +
 +########################################
 +## <summary>
@@ -44107,7 +107607,6 @@ index 0000000..c8b246f
 +	domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
 +')
 +
-+
 +########################################
 +## <summary>
 +##	Execute l2tpd server in the l2tpd domain.
@@ -44126,6 +107625,42 @@ index 0000000..c8b246f
 +	init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
 +')
 +
++########################################
++## <summary>
++##	Send to l2tpd via a unix dgram socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`l2tpd_dgram_send',`
++	gen_require(`
++		type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
++	')
++
++	files_search_tmp($1)
++	dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
++')
++
++########################################
++## <summary>
++##	Read and write l2tpd sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`l2tpd_rw_socket',`
++	gen_require(`
++		type l2tpd_t;
++	')
++
++	allow $1 l2tpd_t:socket rw_socket_perms;
++')
 +
 +########################################
 +## <summary>
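Review bot: `l2tpd_dgram_send` covers sockets of both `l2tpd_tmp_t` and `l2tpd_var_run_t` but only calls `files_search_tmp($1)`, so a caller may lack search on the pid directory that holds the `l2tpd_var_run_t` socket; add `files_search_pids($1)`. `l2tpd_stream_connect` in the hunk that follows has the mirror-image gap: it calls only `files_search_pids($1)` while also connecting through `l2tpd_tmp_t`, and wants `files_search_tmp($1)`. Separately, `l2tpd_rw_socket` grants `rw_socket_perms` on the generic `socket` class, and a one-line comment naming the socket family it is meant for would let a reviewer judge its scope.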
@@ -44146,6 +107681,27 @@ index 0000000..c8b246f
 +	allow $1 l2tpd_var_run_t:file read_file_perms;
 +')
 +
++#####################################
++## <summary>
++##	Connect to l2tpd over a unix domain
++##	stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`l2tpd_stream_connect',`
++	gen_require(`
++		type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
++	stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
++')
++
 +########################################
 +## <summary>
 +##	Read and write l2tpd unnamed pipes.
@@ -44183,13 +107739,13 @@ index 0000000..c8b246f
 +#
 +interface(`l2tpd_admin',`
 +	gen_require(`
-+		type l2tpd_t;
-+	type l2tpd_initrc_exec_t;
-+	type l2tpd_var_run_t;
++		type l2tpd_t, l2tpd_initrc_exec_t. l2tpd_var_run_t;
++		type l2tp_etc_t, l2tpd_tmp_t;
 +	')
 +
 +	allow $1 l2tpd_t:process signal_perms;
 +	ps_process_pattern($1, l2tpd_t)
++
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 l2tpd_t:process ptrace;
 +	')
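Review bot: The new require line in `l2tpd_admin` has a period where a comma belongs: `type l2tpd_t, l2tpd_initrc_exec_t. l2tpd_var_run_t;`. It should read `type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;`. Interface bodies are only expanded when called, so this most likely surfaces as a build error in the first module that calls `l2tpd_admin` rather than in l2tpd itself. The interface body continues past the end of this hunk.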
@@ -44199,16 +107755,21 @@ index 0000000..c8b246f
 +	role_transition $2 l2tpd_initrc_exec_t system_r;
 +	allow $2 system_r;
 +
++	files_search_etc($1)
++	admin_pattern($1, l2tp_etc_t)
++
 +	files_search_pids($1)
 +	admin_pattern($1, l2tpd_var_run_t)
-+')
 +
++	files_search_tmp($1)
++	admin_pattern($1, l2tpd_tmp_t)
++')
 diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
 new file mode 100644
-index 0000000..4aac893
+index 0000000..4786fde
 --- /dev/null
 +++ b/policy/modules/services/l2tpd.te
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,99 @@
 +policy_module(l2tpd, 1.0.0)
 +
 +########################################
@@ -44223,6 +107784,9 @@ index 0000000..4aac893
 +type l2tpd_initrc_exec_t;
 +init_script_file(l2tpd_initrc_exec_t)
 +
++type l2tp_etc_t;
++files_config_file(l2tp_etc_t)
++
 +type l2tpd_tmp_t;
 +files_tmp_file(l2tpd_tmp_t)
 +
@@ -44231,17 +107795,20 @@ index 0000000..4aac893
 +
 +########################################
 +#
-+# l2tpd local policy
++# Local policy
 +#
-+allow l2tpd_t self:capability net_bind_service;
-+allow l2tpd_t self:process signal;
 +
++allow l2tpd_t self:capability { net_admin net_bind_service };
++allow l2tpd_t self:process signal;
 +allow l2tpd_t self:fifo_file rw_fifo_file_perms;
-+allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
++allow l2tpd_t self:netlink_socket create_socket_perms;
++allow l2tpd_t self:rawip_socket create_socket_perms;
++allow l2tpd_t self:socket create_socket_perms;
 +allow l2tpd_t self:tcp_socket create_stream_socket_perms;
++allow l2tpd_t self:unix_dgram_socket sendto;
++allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
 +
-+manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
-+files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
++read_files_pattern(l2tpd_t, l2tp_etc_t, l2tp_etc_t)
 +
 +manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
 +manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
@@ -44249,10 +107816,39 @@ index 0000000..4aac893
 +manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
 +files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
 +
++manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
++files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
++
++corenet_all_recvfrom_unlabeled(l2tpd_t)
++corenet_all_recvfrom_netlabel(l2tpd_t)
++corenet_raw_sendrecv_generic_if(l2tpd_t)
++corenet_tcp_sendrecv_generic_if(l2tpd_t)
++corenet_udp_sendrecv_generic_if(l2tpd_t)
++corenet_raw_bind_generic_node(l2tpd_t)
 +corenet_tcp_bind_generic_node(l2tpd_t)
 +corenet_udp_bind_generic_node(l2tpd_t)
-+corenet_udp_bind_generic_port(l2tpd_t)
++corenet_raw_sendrecv_generic_node(l2tpd_t)
++corenet_tcp_sendrecv_generic_node(l2tpd_t)
++corenet_udp_sendrecv_generic_node(l2tpd_t)
++
 +corenet_tcp_bind_all_rpc_ports(l2tpd_t)
++corenet_udp_bind_all_rpc_ports(l2tpd_t)
++corenet_udp_bind_generic_port(l2tpd_t)
++
++corenet_udp_bind_l2tp_port(l2tpd_t)
++corenet_udp_sendrecv_l2tp_port(l2tpd_t)
++corenet_sendrecv_l2tp_server_packets(l2tpd_t)
++
++kernel_read_system_state(l2tpd_t)
++kernel_read_network_state(l2tpd_t)
++# net-pf-24 (pppox)
++kernel_request_load_module(l2tpd_t)
++
++term_use_ptmx(l2tpd_t)
++term_use_generic_ptys(l2tpd_t)
++
++# prol2tpc
++corecmd_exec_bin(l2tpd_t)
 +
 +dev_read_urand(l2tpd_t)
 +
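Review bot: `corenet_udp_bind_generic_port(l2tpd_t)` is kept next to the new `corenet_udp_bind_l2tp_port(l2tpd_t)`, so the daemon can still bind any UDP port that carries no specific label. If the generic bind was only a stand-in until an l2tp port type existed (not determinable from this hunk), drop it now. Otherwise give it a comment naming the daemon that needs it, as is already done for `# net-pf-24 (pppox)` and `# prol2tpc`. The same applies to the `all_rpc_ports` binds, which are broad for a tunnelling daemon and carry no explanation.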
@@ -44260,16 +107856,24 @@ index 0000000..4aac893
 +
 +files_read_etc_files(l2tpd_t)
 +
++term_use_ptmx(l2tpd_t)
++
 +logging_send_syslog_msg(l2tpd_t)
 +
 +miscfiles_read_localization(l2tpd_t)
 +
 +sysnet_dns_name_resolve(l2tpd_t)
++
++optional_policy(`
++	ppp_domtrans(l2tpd_t)
++	ppp_signal(l2tpd_t)
++	ppp_kill(l2tpd_t)
++')
 diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
-index c62f23e..63e3be1 100644
+index c62f23e..8b1a1dd 100644
 --- a/policy/modules/services/ldap.fc
 +++ b/policy/modules/services/ldap.fc
-@@ -1,6 +1,12 @@
+@@ -1,6 +1,10 @@
  
  /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
 -/etc/rc\.d/init\.d/ldap	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
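Review bot: `term_use_ptmx(l2tpd_t)`, added here after `files_read_etc_files(l2tpd_t)`, duplicates the call the previous hunk already adds beside `term_use_generic_ptys(l2tpd_t)`. The duplicate does not change the compiled policy, but it makes the terminal access look like two separate decisions; delete this second copy. The new `optional_policy` block lets l2tpd transition into ppp and send it signal and kill, and a short comment such as `# l2tpd starts and stops pppd per session (TODO confirm)` would record why.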
@@ -44277,19 +107881,17 @@ index c62f23e..63e3be1 100644
 +
 +/etc/rc\.d/init\.d/slapd	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
 +
-+/lib/systemd/system/slapd.* 	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
 +/usr/lib/systemd/system/slapd.*	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
  
  /usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
  
-@@ -15,3 +21,4 @@ ifdef(`distro_debian',`
+@@ -15,3 +19,4 @@ ifdef(`distro_debian',`
  /var/run/openldap(/.*)?		gen_context(system_u:object_r:slapd_var_run_t,s0)
  /var/run/slapd\.args	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
  /var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
-+/var/run/slapd.*	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
++#/var/run/slapd.*	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
-index 3aa8fa7..436aace 100644
+index 3aa8fa7..27cb806 100644
 --- a/policy/modules/services/ldap.if
 +++ b/policy/modules/services/ldap.if
 @@ -1,5 +1,64 @@
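Review bot: The surviving unit-file entry `/usr/lib/systemd/system/slapd.*` is still labelled `iptables_unit_file_t`, which looks like a copy-paste from the iptables module; the hunk removes the `/lib/...` duplicate but keeps the wrong type. With this label the `slapd_unit_file_t:service` rules in `ldap_systemctl` would not apply to the slapd unit, and any domain allowed to manage iptables units would also control slapd. It should read `/usr/lib/systemd/system/slapd.*	--	gen_context(system_u:object_r:slapd_unit_file_t,s0)`, assuming that is the type ldap.te declares (not visible here). The commented-out `/var/run/slapd.*` entry would be better deleted than left as dead text.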
@@ -44349,7 +107951,7 @@ index 3aa8fa7..436aace 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 slapd_unit_file_t:file read_file_perms;
-+	allow $1 slapd_unit_file_t:service all_service_perms;
++	allow $1 slapd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, slapd_t)
 +')
@@ -44402,8 +108004,11 @@ index 3aa8fa7..436aace 100644
  ')
  
  ########################################
-@@ -97,8 +174,11 @@ interface(`ldap_admin',`
+@@ -95,10 +172,14 @@ interface(`ldap_admin',`
+ 		type slapd_t, slapd_tmp_t, slapd_replog_t;
+ 		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
  		type slapd_initrc_exec_t;
++		type ldap_unit_file_t;
  	')
  
 -	allow $1 slapd_t:process { ptrace signal_perms };
@@ -44415,7 +108020,7 @@ index 3aa8fa7..436aace 100644
  
  	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
  	domain_system_change_exemption($1)
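Review bot: `ldap_admin` now requires `ldap_unit_file_t`, while `ldap_systemctl` earlier in the same file uses `slapd_unit_file_t` for the same unit. ldap.te is not visible here, so which name is declared cannot be confirmed; if only `slapd_unit_file_t` exists, every caller of `ldap_admin` fails its `gen_require`. Use one name throughout, e.g. `type slapd_unit_file_t;` here and in the `admin_pattern($1, ldap_unit_file_t)` and `allow $1 ldap_unit_file_t:service all_service_perms;` lines added by the last ldap.if hunk. `ldap_admin` begins before this hunk and continues after it.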
-@@ -110,6 +190,7 @@ interface(`ldap_admin',`
+@@ -110,6 +191,7 @@ interface(`ldap_admin',`
  
  	admin_pattern($1, slapd_lock_t)
  
@@ -44423,12 +108028,14 @@ index 3aa8fa7..436aace 100644
  	admin_pattern($1, slapd_replog_t)
  
  	files_list_tmp($1)
-@@ -117,4 +198,6 @@ interface(`ldap_admin',`
+@@ -117,4 +199,8 @@ interface(`ldap_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, slapd_var_run_t)
 +
 +	ldap_systemctl($1)
++	admin_pattern($1, ldap_unit_file_t)
++	allow $1 ldap_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
 index 64fd1ff..0f5d0b7 100644
@@ -44930,7 +108537,7 @@ index 5c9eb68..ca4fd2b 100644
  /var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)
 +/var/spool/turboprint(/.*)?	gen_context(system_u:object_r:lpd_var_run_t,mls_systemhigh)
 diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
-index a4f32f5..32824fb 100644
+index a4f32f5..628b63c 100644
 --- a/policy/modules/services/lpd.if
 +++ b/policy/modules/services/lpd.if
 @@ -14,6 +14,7 @@
@@ -44971,8 +108578,41 @@ index a4f32f5..32824fb 100644
  	gen_require(`
  		type lpr_t, lpr_exec_t;
  	')
+@@ -196,6 +200,32 @@ template(`lpd_domtrans_lpr',`
+ 
+ ########################################
+ ## <summary>
++##	Execute lpr in the lpr domain, and
++##	allow the specified role the lpr domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`lpd_run_lpr',`
++	gen_require(`
++		type lpr_t;
++	')
++
++	lpd_domtrans_lpr($1)
++	role $2 types lpr_t;
++')
++
++########################################
++## <summary>
+ ##	Allow the specified domain to execute lpr
+ ##	in the caller domain.
+ ## </summary>
 diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
-index 93c14ca..27d96e1 100644
+index 93c14ca..d3d5067 100644
 --- a/policy/modules/services/lpd.te
 +++ b/policy/modules/services/lpd.te
 @@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
@@ -45079,41 +108719,64 @@ index 93c14ca..27d96e1 100644
  
  optional_policy(`
  	cups_read_config(lpr_t)
+@@ -326,5 +317,13 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	gnome_stream_connect_gkeyringd(lpr_t)
++')
++
++optional_policy(`
+ 	logging_send_syslog_msg(lpr_t)
+ ')
++
++optional_policy(`
++	mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
++')
 diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
-index 14ad189..8317f33 100644
+index 14ad189..c7daa85 100644
 --- a/policy/modules/services/mailman.fc
 +++ b/policy/modules/services/mailman.fc
 @@ -1,11 +1,14 @@
 -/usr/lib(64)?/mailman/bin/mailmanctl --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+
-+/usr/lib/mailman/bin/mailmanctl --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib/mailman/bin/mm-handler.* --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
- /usr/lib/mailman/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-+/usr/share/doc/mailman.*/mm-handler.* --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+-/usr/lib/mailman/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
  
- /var/lib/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
- /var/lib/mailman/archives(/.*)?		gen_context(system_u:object_r:mailman_archive_t,s0)
- /var/lock/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
- /var/log/mailman(/.*)?			gen_context(system_u:object_r:mailman_log_t,s0)
+-/var/lib/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
+-/var/lib/mailman/archives(/.*)?		gen_context(system_u:object_r:mailman_archive_t,s0)
+-/var/lock/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
+-/var/log/mailman(/.*)?			gen_context(system_u:object_r:mailman_log_t,s0)
 -/var/run/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
-+/var/run/mailman(/.*)?			gen_context(system_u:object_r:mailman_var_run_t,s0)
++/usr/lib/mailman.*/bin/mailmanctl --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/lib/mailman.*/bin/mm-handler.* --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/lib/mailman.*/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
++/usr/share/doc/mailman.*/mm-handler.* --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++
++/var/lib/mailman.*			gen_context(system_u:object_r:mailman_data_t,s0)
++/var/lib/mailman.*/archives(/.*)?	gen_context(system_u:object_r:mailman_archive_t,s0)
++/var/lock/mailman.*			gen_context(system_u:object_r:mailman_lock_t,s0)
++/var/log/mailman.*			gen_context(system_u:object_r:mailman_log_t,s0)
++/var/run/mailman.*			gen_context(system_u:object_r:mailman_var_run_t,s0)
  
  #
  # distro_debian
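Review bot: The new mailman patterns drop the directory boundary: `/var/lib/mailman.*` labels any path that merely starts with that prefix, for example a constructed `/var/lib/mailmanager/x`, where the old `/var/lib/mailman(/.*)?` did not. If the aim is to cover versioned directories, `/var/lib/mailman[^/]*(/.*)?` keeps the match inside one directory name. The same holds for the `/var/lock`, `/var/log` and `/var/run` entries here, and for `/etc/mailman.*` and `/var/spool/mailman.*` in the next hunk. It is also worth confirming with `matchpathcon` that `/var/lib/mailman.*/archives(/.*)?` still wins over the broader `/var/lib/mailman.*` for archive paths.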
-@@ -25,10 +28,10 @@ ifdef(`distro_debian', `
+@@ -23,12 +26,12 @@ ifdef(`distro_debian', `
+ # distro_redhat
+ #
  ifdef(`distro_redhat', `
- /etc/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
+-/etc/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
++/etc/mailman.*			gen_context(system_u:object_r:mailman_data_t,s0)
  
 -/usr/lib(64)?/mailman/bin/qrunner --	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
 -/usr/lib(64)?/mailman/cgi-bin/.* --	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
 -/usr/lib(64)?/mailman/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 -/usr/lib(64)?/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib/mailman/bin/qrunner --	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-+/usr/lib/mailman/cgi-bin/.* --	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-+/usr/lib/mailman/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/lib/mailman.*/bin/qrunner --	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
++/usr/lib/mailman.*/cgi-bin/.* --	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
++/usr/lib/mailman.*/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
  
- /var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
+-/var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
++/var/spool/mailman.*		gen_context(system_u:object_r:mailman_data_t,s0)
  ')
 diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
 index 67c7fdd..d7338be 100644
@@ -45422,29 +109085,41 @@ index 0000000..5b84980
 +')
 diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc
 new file mode 100644
-index 0000000..ea9dc7a
+index 0000000..515def0
 --- /dev/null
 +++ b/policy/modules/services/matahari.fc
-@@ -0,0 +1,25 @@
-+/etc/rc\.d/init\.d/matahari-host		gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/matahari-net			gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/matahari-service		gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/matahari-sysconfig		gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+@@ -0,0 +1,37 @@
++/etc/rc\.d/init\.d/matahari-host		--	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/matahari-net			--	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/matahari-service		--	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/matahari-sysconfig		--	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init.d/matahari-sysconfig-console  	--	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/matahari-host.*		--  gen_context(system_u:object_r:matahari_hostd_unit_file_t,s0)
++/usr/lib/systemd/system/matahari-network.*       --  gen_context(system_u:object_r:matahari_netd_unit_file_t,s0)
++/usr/lib/systemd/system/matahari-rpc.*    		--  gen_context(system_u:object_r:matahari_rpcd_unit_file_t,s0)
++/usr/lib/systemd/system/matahari-service.*       --  gen_context(system_u:object_r:matahari_serviced_unit_file_t,s0)
++/usr/lib/systemd/system/matahari-sysconfig.*     --  gen_context(system_u:object_r:matahari_sysconfigd_unit_file_t,s0)
++/usr/lib/systemd/system/matahari-sysconfig-console.*  --  gen_context(system_u:object_r:matahari_sysconfigd_unit_file_t,s0)
 +
-+/usr/sbin/matahari-dbus-hostd		--	gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
-+/usr/sbin/matahari-dbus-networkd	--	gen_context(system_u:object_r:matahari_netd_exec_t,s0)
-+/usr/sbin/matahari-dbus-serviced	--	gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
 +
 +/usr/sbin/matahari-hostd		--	gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
++/usr/sbin/matahari-dbus-hostd		--	gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
++/usr/sbin/matahari-qmf-hostd		--	gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
 +
-+/usr/sbin/matahari-netd			--	gen_context(system_u:object_r:matahari_netd_exec_t,s0)
++/usr/sbin/matahari-qmf-sysconfigd	--	gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0)
++/usr/sbin/matahari-dbus-sysconfigd	--	gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0)
++/usr/sbin/matahari-qmf-sysconfig-consoled   --  gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0)
 +
-+/usr/sbin/matahari-qmf-hostd		--	gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
++/usr/sbin/matahari-netd			--	gen_context(system_u:object_r:matahari_netd_exec_t,s0)
++/usr/sbin/matahari-dbus-networkd	--	gen_context(system_u:object_r:matahari_netd_exec_t,s0)
 +/usr/sbin/matahari-qmf-networkd		--	gen_context(system_u:object_r:matahari_netd_exec_t,s0)
-+/usr/sbin/matahari-qmf-serviced		--	gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
-+/usr/sbin/matahari-qmf-sysconfigd	--	gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0)
++
++/usr/sbin/matahari-qmf-rpcd		--	gen_context(system_u:object_r:matahari_rpcd_exec_t,s0)
 +
 +/usr/sbin/matahari-serviced		--	gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
++/usr/sbin/matahari-dbus-serviced	--	gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
++/usr/sbin/matahari-qmf-serviced		--	gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
 +
 +/var/lib/matahari(/.*)?				gen_context(system_u:object_r:matahari_var_lib_t,s0)
 +
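Review bot: The added init-script entry `/etc/rc\.d/init.d/matahari-sysconfig-console` leaves the dot in `init.d` unescaped, unlike the four entries above it. It still matches the intended path, but it also matches any character in that position; write `/etc/rc\.d/init\.d/matahari-sysconfig-console` to match its siblings. The new unit-file lines also mix spaces and tabs as column separators, which makes the spec column hard to scan next to the tab-separated entries.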
@@ -45453,10 +109128,10 @@ index 0000000..ea9dc7a
 +/var/run/matahari-broker\.pid		--	gen_context(system_u:object_r:matahari_var_run_t,s0)
 diff --git a/policy/modules/services/matahari.if b/policy/modules/services/matahari.if
 new file mode 100644
-index 0000000..2e8b6d8
+index 0000000..1ec1c97
 --- /dev/null
 +++ b/policy/modules/services/matahari.if
-@@ -0,0 +1,244 @@
+@@ -0,0 +1,291 @@
 +## <summary>policy for matahari</summary>
 +
 +######################################
@@ -45483,6 +109158,9 @@ index 0000000..2e8b6d8
 +        type matahari_$1_t, matahari_domain;
 +        type matahari_$1_exec_t;
 +        init_daemon_domain(matahari_$1_t, matahari_$1_exec_t)
++
++	type matahari_$1_unit_file_t;
++	systemd_unit_file(matahari_$1_unit_file_t)
 +')		
 +
 +########################################
@@ -45654,6 +109332,44 @@ index 0000000..2e8b6d8
 +	domtrans_pattern($1, matahari_serviced_exec_t, matahari_serviced_t)
 +')
 +
++#######################################
++## <summary>
++##  Execute matahari services in the matahari domains.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`matahari_systemctl',`
++    gen_require(`
++	    type matahari_hostd_t;
++	    type matahari_netd_t;
++	    type matahari_serviced_t;
++	    type matahari_sysconfigd_t;
++	    type matahari_hostd_unit_file_t;
++	    type matahari_netd_unit_file_t;
++	    type matahari_serviced_unit_file_t;
++	    type matahari_sysconfigd_unit_file_t;
++	    attribute matahari_domain;
++    ')
++
++    systemd_exec_systemctl($1)
++
++    allow $1 matahari_hostd_unit_file_t:file read_file_perms;
++    allow $1 matahari_netd_unit_file_t:file read_file_perms;
++    allow $1 matahari_serviced_unit_file_t:file read_file_perms;
++    allow $1 matahari_sysconfigd_unit_file_t:file read_file_perms;
++
++    allow $1 matahari_hostd_unit_file_t:service manage_service_perms;
++    allow $1 matahari_netd_unit_file_t:service manage_service_perms;
++    allow $1 matahari_serviced_unit_file_t:service manage_service_perms;
++    allow $1 matahari_sysconfigd_unit_file_t:service manage_service_perms;
++
++    ps_process_pattern($1, matahari_domain)
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
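Review bot: `matahari_systemctl` covers the hostd, netd, serviced and sysconfigd unit types but omits rpcd, even though this patch adds `matahari_domain_template(rpcd)` and labels `matahari-rpc.*` as `matahari_rpcd_unit_file_t` in matahari.fc. Callers therefore get no service permissions on the rpc unit. Add `type matahari_rpcd_unit_file_t;`, `allow $1 matahari_rpcd_unit_file_t:file read_file_perms;` and `allow $1 matahari_rpcd_unit_file_t:service manage_service_perms;`. `matahari_admin` in the following hunks has the same omission. The four `matahari_*d_t` domain types in the `gen_require` are unused because the body only references `matahari_domain`, and the summary text describes a domain transition rather than systemctl control of the units.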
@@ -45674,8 +109390,13 @@ index 0000000..2e8b6d8
 +interface(`matahari_admin',`
 +	gen_require(`
 +		type matahari_initrc_exec_t, matahari_hostd_t;
-+		type matahari_netd_t, matahari_serviced_t;
-+                type matahari_var_lib_t, matahari_var_run_t;
++		type matahari_netd_t, matahari_serviced_t, matahari_sysconfigd_t;
++		type matahari_var_lib_t, matahari_var_run_t;
++                attribute matahari_domain;
++		type matahari_hostd_unit_file_t;
++		type matahari_netd_unit_file_t;
++		type matahari_serviced_unit_file_t;
++		type matahari_sysconfigd_unit_file_t;
 +	')
 +
 +	init_labeled_script_domtrans($1, matahari_initrc_exec_t)
@@ -45683,30 +109404,31 @@ index 0000000..2e8b6d8
 +	role_transition $2 matahari_initrc_exec_t system_r;
 +	allow $2 system_r;
 +
-+	allow $1 matahari_netd_t:process { ptrace signal_perms };
-+	ps_process_pattern($1, matahari_netd_t)
-+
-+	allow $1 matahari_hostd_t:process { ptrace signal_perms };
-+	ps_process_pattern($1, matahari_hostd_t)
-+
-+	allow $1 matahari_serviced_t:process { ptrace signal_perms };
-+	ps_process_pattern($1, matahari_serviced_t)
-+
-+	allow $1 matahari_sysconfigd_t:process { ptrace signal_perms };
-+	ps_process_pattern($1, matahari_sysconfigd_t)
++	allow $1 matahari_domain:process { ptrace signal_perms };
++	ps_process_pattern($1, matahari_domain)
 +
 +	files_search_var_lib($1)
 +	admin_pattern($1, matahari_var_lib_t)
 +
 +	files_search_pids($1)
 +	admin_pattern($1, matahari_var_run_t)
++
++	matahari_systemctl($1)
++	admin_pattern($1, matahari_hostd_unit_file_t)
++	allow $1 matahari_hostd_unit_file_t:service all_service_perms;
++	admin_pattern($1, matahari_netd_unit_file_t)
++	allow $1 matahari_netd_unit_file_t:service all_service_perms;
++	admin_pattern($1, matahari_serviced_unit_file_t)
++	allow $1 matahari_serviced_unit_file_t:service all_service_perms;
++	admin_pattern($1, matahari_sysconfigd_unit_file_t)
++	allow $1 matahari_sysconfigd_unit_file_t:service all_service_perms;
 +')
 diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te
 new file mode 100644
-index 0000000..8f7cdb0
+index 0000000..d1ba3e7
 --- /dev/null
 +++ b/policy/modules/services/matahari.te
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,108 @@
 +policy_module(matahari,1.0.0)
 +
 +########################################
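Review bot: `matahari_admin` grants `ptrace` on every `matahari_domain` process unconditionally, so an admin domain keeps it even when the `deny_ptrace` boolean is on. `l2tpd_admin` in this same patch gates ptrace behind `tunable_policy(`deny_ptrace',`',...)`, and the ldap hunk removes the equivalent unconditional `{ ptrace signal_perms }` line from `ldap_admin`. Split the rule the same way here, as shown below; `keystone_admin` earlier in the patch has the same unconditional grant. The interface starts before this hunk.

```selinux
	allow $1 matahari_domain:process signal_perms;
	ps_process_pattern($1, matahari_domain)

	tunable_policy(`deny_ptrace',`',`
		allow $1 matahari_domain:process ptrace;
	')
	# … unchanged: var_lib / var_run admin_pattern and unit-file rules …
```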
@@ -45718,6 +109440,7 @@ index 0000000..8f7cdb0
 +
 +matahari_domain_template(hostd)
 +matahari_domain_template(netd)
++matahari_domain_template(rpcd)
 +matahari_domain_template(serviced)
 +matahari_domain_template(sysconfigd)
 +
@@ -45734,6 +109457,7 @@ index 0000000..8f7cdb0
 +#
 +# matahari_hostd local policy
 +#
++
 +dev_read_sysfs(matahari_hostd_t)
 +dev_rw_mtrr(matahari_hostd_t)
 +
@@ -45755,6 +109479,19 @@ index 0000000..8f7cdb0
 +	dbus_system_bus_client(matahari_netd_t)
 +')
 +
++
++#######################################
++#
++# matahari_rpcd local policy
++#
++
++corecmd_exec_bin(matahari_rpcd_t)
++corecmd_exec_shell(matahari_rpcd_t)
++
++auth_read_passwd(matahari_rpcd_t)
++
++files_read_usr_files(matahari_rpcd_t)
++
 +########################################
 +#
 +# matahari_serviced local policy
@@ -45779,9 +109516,9 @@ index 0000000..8f7cdb0
 +#
 +# matahari domain local policy
 +#
-+
++allow matahari_domain self:capability sys_nice;
++allow matahari_domain self:process setsched;
 +allow matahari_domain self:process signal;
-+
 +allow matahari_domain self:fifo_file rw_fifo_file_perms;
 +allow matahari_domain self:unix_stream_socket create_stream_socket_perms;
 +
@@ -45856,7 +109593,7 @@ index 4d69477..d3b4f39 100644
 +/var/run/ipa_memcached(/.*)?        gen_context(system_u:object_r:memcached_var_run_t,s0)
  /var/run/memcached(/.*)?		gen_context(system_u:object_r:memcached_var_run_t,s0)
 diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
-index db4fd6f..a32c2f3 100644
+index db4fd6f..a1003ed 100644
 --- a/policy/modules/services/memcached.if
 +++ b/policy/modules/services/memcached.if
 @@ -5,15 +5,14 @@
@@ -45896,7 +109633,7 @@ index db4fd6f..a32c2f3 100644
 +	')
 +
 +	files_search_pids($1)
-+	manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)
++	manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
 +')
 +
 +########################################
@@ -46498,10 +110235,10 @@ index 0000000..1d76fb8
 +')
 diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
 new file mode 100644
-index 0000000..4389219
+index 0000000..621fc5a
 --- /dev/null
 +++ b/policy/modules/services/mock.te
-@@ -0,0 +1,251 @@
+@@ -0,0 +1,253 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@@ -46564,7 +110301,8 @@ index 0000000..4389219
 +
 +manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
 +manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
-+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file })
++manage_lnk_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
++files_tmp_filetrans(mock_t, mock_tmp_t, { dir file lnk_file })
 +
 +manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
 +manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
@@ -46589,6 +110327,7 @@ index 0000000..4389219
 +corecmd_exec_shell(mock_t)
 +corecmd_dontaudit_exec_all_executables(mock_t)
 +
++corenet_tcp_connect_git_port(mock_t)
 +corenet_tcp_connect_http_port(mock_t)
 +corenet_tcp_connect_ftp_port(mock_t)
 +corenet_tcp_connect_all_ephemeral_ports(mock_t)
@@ -46770,10 +110509,18 @@ index 3368699..7a7fc02 100644
  #
  interface(`modemmanager_domtrans',`
 diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
-index b3ace16..6c9f30c 100644
+index b3ace16..83392b6 100644
 --- a/policy/modules/services/modemmanager.te
 +++ b/policy/modules/services/modemmanager.te
-@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
+@@ -8,6 +8,7 @@ policy_module(modemmanager, 1.1.0)
+ type modemmanager_t;
+ type modemmanager_exec_t;
+ dbus_system_domain(modemmanager_t, modemmanager_exec_t)
++init_daemon_domain(modemmanager_t, modemmanager_exec_t)
+ typealias modemmanager_t alias ModemManager_t;
+ typealias modemmanager_exec_t alias ModemManager_exec_t;
+ 
+@@ -16,7 +17,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
  # ModemManager local policy
  #
  
@@ -46783,7 +110530,7 @@ index b3ace16..6c9f30c 100644
  allow modemmanager_t self:fifo_file rw_file_perms;
  allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
  allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -28,13 +29,25 @@ dev_rw_modem(modemmanager_t)
+@@ -28,13 +30,25 @@ dev_rw_modem(modemmanager_t)
  
  files_read_etc_files(modemmanager_t)
  
@@ -46847,10 +110594,10 @@ index 657a9fc..0b9bf04 100644
  	admin_pattern($1, httpd_mojomojo_script_t)
  	admin_pattern($1, httpd_mojomojo_content_t)
 diff --git a/policy/modules/services/mojomojo.te b/policy/modules/services/mojomojo.te
-index 83f002c..ed69996 100644
+index 83f002c..fa8a3d5 100644
 --- a/policy/modules/services/mojomojo.te
 +++ b/policy/modules/services/mojomojo.te
-@@ -7,6 +7,9 @@ policy_module(mojomojo, 1.0.0)
+@@ -7,12 +7,17 @@ policy_module(mojomojo, 1.0.0)
  
  apache_content_template(mojomojo)
  
@@ -46860,17 +110607,25 @@ index 83f002c..ed69996 100644
  ########################################
  #
  # mojomojo local policy
-@@ -14,6 +17,10 @@ apache_content_template(mojomojo)
- 
- allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+ #
  
+-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
 +manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
 +manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
 +files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
-+
+ 
  corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
  corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
- corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
+diff --git a/policy/modules/services/mpd.fc b/policy/modules/services/mpd.fc
+index ddc14d6..c74bf3d 100644
+--- a/policy/modules/services/mpd.fc
++++ b/policy/modules/services/mpd.fc
+@@ -6,3 +6,5 @@
+ /var/lib/mpd(/.*)?		gen_context(system_u:object_r:mpd_var_lib_t,s0)
+ /var/lib/mpd/music(/.*)?	gen_context(system_u:object_r:mpd_data_t,s0)
+ /var/lib/mpd/playlists(/.*)?	gen_context(system_u:object_r:mpd_data_t,s0)
++
++/var/log/mpd(/.*)?		gen_context(system_u:object_r:mpd_log_t,s0)
 diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if
 index d72276f..cb8c563 100644
 --- a/policy/modules/services/mpd.if
@@ -46889,7 +110644,7 @@ index d72276f..cb8c563 100644
  	mpd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
-index 7f68872..36ff69d 100644
+index 7f68872..72c1f8a 100644
 --- a/policy/modules/services/mpd.te
 +++ b/policy/modules/services/mpd.te
 @@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -46902,7 +110657,18 @@ index 7f68872..36ff69d 100644
  
  manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
  manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
-@@ -103,6 +106,10 @@ logging_send_syslog_msg(mpd_t)
+@@ -51,6 +54,10 @@ manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+ 
+ read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
+ 
++manage_dirs_pattern(mpd_t, mpd_log_t, mpd_log_t)
++manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t)
++logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file })
++
+ manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+ manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+ manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+@@ -103,6 +110,10 @@ logging_send_syslog_msg(mpd_t)
  
  miscfiles_read_localization(mpd_t)
  
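Review bot: `logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file })` names `lnk_file`, but the two rules above it only give mpd_t manage access to directories and regular files of type mpd_log_t. Either drop `lnk_file` from the transition or add `manage_lnk_files_pattern(mpd_t, mpd_log_t, mpd_log_t)`. The mock_tmp_t change earlier in this commit adds the pattern and the class together. The declaration of mpd_log_t is not visible in this hunk, so confirm it is added elsewhere in the patch.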
@@ -46913,7 +110679,7 @@ index 7f68872..36ff69d 100644
  optional_policy(`
  	alsa_read_rw_config(mpd_t)
  ')
-@@ -122,5 +129,14 @@ optional_policy(`
+@@ -122,5 +133,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46929,18 +110695,19 @@ index 7f68872..36ff69d 100644
 +    xserver_dontaudit_read_xdm_pid(mpd_t)
 +')
 diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
-index 256166a..71e7a36 100644
+index 256166a..a8fe27a 100644
 --- a/policy/modules/services/mta.fc
 +++ b/policy/modules/services/mta.fc
-@@ -1,4 +1,6 @@
+@@ -1,4 +1,7 @@
 -HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_forward_t,s0)
 +HOME_DIR/\.forward[^/]*	--	gen_context(system_u:object_r:mail_home_t,s0)
 +HOME_DIR/dead.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 +HOME_DIR/.mailrc	--	gen_context(system_u:object_r:mail_home_t,s0)
++HOME_DIR/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
  
  /bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
  
-@@ -11,20 +13,26 @@ ifdef(`distro_redhat',`
+@@ -11,20 +14,27 @@ ifdef(`distro_redhat',`
  /etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
  ')
  
@@ -46948,6 +110715,7 @@ index 256166a..71e7a36 100644
 +/root/\.forward		--	gen_context(system_u:object_r:mail_home_t,s0)
 +/root/dead.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 +/root/.mailrc		--	gen_context(system_u:object_r:mail_home_t,s0)
++/root/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
  
 -/usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 +/usr/bin/esmtp		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -46975,7 +110743,7 @@ index 256166a..71e7a36 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..ff6a8c7 100644
+index 343cee3..555300e 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -47207,10 +110975,46 @@ index 343cee3..ff6a8c7 100644
  interface(`mta_signal_system_mail',`
  	gen_require(`
  		type system_mail_t;
-@@ -420,6 +371,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +371,60 @@ interface(`mta_signal_system_mail',`
  
  ########################################
  ## <summary>
++##	Send all user mail client a signal
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mta_signal_user_agent',`
++	gen_require(`
++		attribute mta_user_agent;
++	')
++
++	allow $1 mta_user_agent:process signal;
++')
++
++########################################
++## <summary>
++##	Send all user mail client a kill signal
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mta_kill_user_agent',`
++	gen_require(`
++		attribute mta_user_agent;
++	')
++
++	allow $1 mta_user_agent:process sigkill;
++')
++
++########################################
++## <summary>
 +##	Send system mail client a kill signal
 +## </summary>
 +## <param name="domain">
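Review bot: The summaries of the two new interfaces, "Send all user mail client a signal" and "Send all user mail client a kill signal", are ungrammatical and do not say that the rule targets every domain in the mta_user_agent attribute. Suggested wording: `##	Send a generic signal to all user mail agents.` for mta_signal_user_agent and `##	Send a kill signal to all user mail agents.` for mta_kill_user_agent.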
@@ -47232,7 +111036,7 @@ index 343cee3..ff6a8c7 100644
  ##	Execute sendmail in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -438,6 +407,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +443,26 @@ interface(`mta_sendmail_exec',`
  
  ########################################
  ## <summary>
@@ -47259,7 +111063,7 @@ index 343cee3..ff6a8c7 100644
  ##	Read mail server configuration.
  ## </summary>
  ## <param name="domain">
-@@ -474,7 +463,8 @@ interface(`mta_write_config',`
+@@ -474,7 +499,8 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -47269,7 +111073,7 @@ index 343cee3..ff6a8c7 100644
  ')
  
  ########################################
-@@ -494,6 +484,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +520,7 @@ interface(`mta_read_aliases',`
  
  	files_search_etc($1)
  	allow $1 etc_aliases_t:file read_file_perms;
@@ -47277,7 +111081,7 @@ index 343cee3..ff6a8c7 100644
  ')
  
  ########################################
-@@ -532,7 +523,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +559,7 @@ interface(`mta_etc_filetrans_aliases',`
  		type etc_aliases_t;
  	')
  
@@ -47286,7 +111090,7 @@ index 343cee3..ff6a8c7 100644
  ')
  
  ########################################
-@@ -552,7 +543,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +579,7 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -47295,7 +111099,7 @@ index 343cee3..ff6a8c7 100644
  ')
  
  #######################################
-@@ -646,8 +637,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +673,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  	files_dontaudit_search_spool($1)
  	dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -47306,12 +111110,12 @@ index 343cee3..ff6a8c7 100644
  ')
  
  #######################################
-@@ -677,7 +668,26 @@ interface(`mta_spool_filetrans',`
+@@ -677,7 +704,26 @@ interface(`mta_spool_filetrans',`
  	')
  
  	files_search_spool($1)
 -	filetrans_pattern($1, mail_spool_t, $2, $3)
-+	filetrans_pattern($1, mail_spool_t, $2, $3, $5)
++	filetrans_pattern($1, mail_spool_t, $2, $3, $4)
 +')
 +
 +#######################################
@@ -47334,7 +111138,7 @@ index 343cee3..ff6a8c7 100644
  ')
  
  ########################################
-@@ -697,8 +707,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +743,8 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -47345,7 +111149,7 @@ index 343cee3..ff6a8c7 100644
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -838,7 +848,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +884,7 @@ interface(`mta_dontaudit_rw_queue',`
  	')
  
  	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -47354,7 +111158,7 @@ index 343cee3..ff6a8c7 100644
  ')
  
  ########################################
-@@ -864,6 +874,36 @@ interface(`mta_manage_queue',`
+@@ -864,6 +910,36 @@ interface(`mta_manage_queue',`
  
  #######################################
  ## <summary>
@@ -47391,7 +111195,7 @@ index 343cee3..ff6a8c7 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -899,3 +939,114 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +975,118 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -47457,11 +111261,13 @@ index 343cee3..ff6a8c7 100644
 +interface(`mta_filetrans_admin_home_content',`
 +	gen_require(`
 +		type mail_home_t;
++		type mail_home_rw_t;
 +	')
 +
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
++	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")
 +')
 +
 +########################################
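Review bot: The added `userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")` uses object class `file`, but Maildir is a directory: mta.fc in this commit labels `HOME_DIR/Maildir(/.*)?` as a tree, and the .te rules use manage_dirs_pattern on mail_home_rw_t. A named transition on class `file` does not apply when a directory called Maildir is created, so a new Maildir would keep the default home label until it is relabelled. Use `userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")` here, and make the same change to the `userdom_user_home_dir_filetrans` line added to mta_filetrans_home_content in the next hunk. The interface's doc header is outside this hunk.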
@@ -47477,11 +111283,13 @@ index 343cee3..ff6a8c7 100644
 +interface(`mta_filetrans_home_content',`
 +	gen_require(`
 +		type mail_home_t;
++		type mail_home_rw_t;
 +	')
 +
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
++	userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")
 +')
 +
 +########################################
@@ -47507,10 +111315,10 @@ index 343cee3..ff6a8c7 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..8fd5f8a 100644
+index 64268e4..da35763 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
-@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
+@@ -20,14 +20,19 @@ files_type(etc_aliases_t)
  type etc_mail_t;
  files_config_file(etc_mail_t)
  
@@ -47518,6 +111326,9 @@ index 64268e4..8fd5f8a 100644
 -files_type(mail_forward_t)
 +type mail_home_t alias mail_forward_t;
 +userdom_user_home_content(mail_home_t)
++
++type mail_home_rw_t;
++userdom_user_home_content(mail_home_rw_t)
  
  type mqueue_spool_t;
  files_mountpoint(mqueue_spool_t)
@@ -47529,7 +111340,7 @@ index 64268e4..8fd5f8a 100644
  
  type sendmail_exec_t;
  mta_agent_executable(sendmail_exec_t)
-@@ -42,6 +44,7 @@ typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
+@@ -42,6 +47,7 @@ typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
  typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
  ubac_constrained(user_mail_t)
  ubac_constrained(user_mail_tmp_t)
@@ -47537,7 +111348,7 @@ index 64268e4..8fd5f8a 100644
  
  ########################################
  #
-@@ -50,22 +53,11 @@ ubac_constrained(user_mail_tmp_t)
+@@ -50,22 +56,11 @@ ubac_constrained(user_mail_tmp_t)
  
  # newalias required this, not sure if it is needed in 'if' file
  allow system_mail_t self:capability { dac_override fowner };
@@ -47561,7 +111372,7 @@ index 64268e4..8fd5f8a 100644
  dev_read_sysfs(system_mail_t)
  dev_read_rand(system_mail_t)
  dev_read_urand(system_mail_t)
-@@ -79,9 +71,16 @@ selinux_getattr_fs(system_mail_t)
+@@ -79,9 +74,22 @@ selinux_getattr_fs(system_mail_t)
  term_dontaudit_use_unallocated_ttys(system_mail_t)
  
  init_use_script_ptys(system_mail_t)
@@ -47572,14 +111383,20 @@ index 64268e4..8fd5f8a 100644
  userdom_dontaudit_search_user_home_dirs(system_mail_t)
 +userdom_dontaudit_list_admin_dir(system_mail_t)
 +
++manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
++manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
++
 +allow system_mail_t mail_home_t:file manage_file_perms;
 +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
 +
++
 +logging_append_all_logs(system_mail_t)
++
++logging_send_syslog_msg(system_mail_t)
  
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
-@@ -92,14 +91,21 @@ optional_policy(`
+@@ -92,14 +100,21 @@ optional_policy(`
  	apache_dontaudit_rw_stream_sockets(system_mail_t)
  	apache_dontaudit_rw_tcp_sockets(system_mail_t)
  	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -47604,7 +111421,7 @@ index 64268e4..8fd5f8a 100644
  ')
  
  optional_policy(`
-@@ -108,9 +114,15 @@ optional_policy(`
+@@ -108,9 +123,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47620,7 +111437,7 @@ index 64268e4..8fd5f8a 100644
  ')
  
  optional_policy(`
-@@ -124,12 +136,9 @@ optional_policy(`
+@@ -124,12 +145,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47635,7 +111452,7 @@ index 64268e4..8fd5f8a 100644
  ')
  
  optional_policy(`
-@@ -146,6 +155,10 @@ optional_policy(`
+@@ -146,6 +164,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47646,7 +111463,7 @@ index 64268e4..8fd5f8a 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -158,22 +171,13 @@ optional_policy(`
+@@ -158,22 +180,13 @@ optional_policy(`
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
  
  	domain_use_interactive_fds(system_mail_t)
@@ -47672,7 +111489,7 @@ index 64268e4..8fd5f8a 100644
  ')
  
  optional_policy(`
-@@ -189,6 +193,10 @@ optional_policy(`
+@@ -189,6 +202,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47683,7 +111500,7 @@ index 64268e4..8fd5f8a 100644
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -199,15 +207,16 @@ optional_policy(`
+@@ -199,15 +216,16 @@ optional_policy(`
  	arpwatch_search_data(mailserver_delivery)
  	arpwatch_manage_tmp_files(mta_user_agent)
  
@@ -47704,7 +111521,7 @@ index 64268e4..8fd5f8a 100644
  ########################################
  #
  # Mailserver delivery local policy
-@@ -220,28 +229,21 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,21 +238,13 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -47712,23 +111529,26 @@ index 64268e4..8fd5f8a 100644
 +userdom_search_admin_dir(mailserver_delivery)
 +read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
  
- read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
- 
+-read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+-
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(mailserver_delivery)
 -	fs_manage_cifs_files(mailserver_delivery)
 -	fs_manage_cifs_symlinks(mailserver_delivery)
 -')
--
++manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
++manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
+ 
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(mailserver_delivery)
 -	fs_manage_nfs_files(mailserver_delivery)
 -	fs_manage_nfs_symlinks(mailserver_delivery)
 -')
--
++read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+ 
  optional_policy(`
  	dovecot_manage_spool(mailserver_delivery)
- 	dovecot_domtrans_deliver(mailserver_delivery)
+@@ -242,6 +252,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47739,7 +111559,7 @@ index 64268e4..8fd5f8a 100644
  	# so MTA can access /var/lib/mailman/mail/wrapper
  	files_search_var_lib(mailserver_delivery)
  
-@@ -249,16 +251,25 @@ optional_policy(`
+@@ -249,16 +263,25 @@ optional_policy(`
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -47767,7 +111587,7 @@ index 64268e4..8fd5f8a 100644
  # Create dead.letter in user home directories.
  userdom_manage_user_home_content_files(user_mail_t)
  userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -277,14 +288,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
+@@ -277,14 +300,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
  # files in an appropriate place for mta_user_agent
  userdom_read_user_tmp_files(mta_user_agent)
  
@@ -47784,7 +111604,7 @@ index 64268e4..8fd5f8a 100644
  	# Read user temporary files.
  	# postfix seems to need write access if the file handle is opened read/write
  	userdom_rw_user_tmp_files(user_mail_t)
-@@ -292,3 +303,114 @@ optional_policy(`
+@@ -292,3 +315,123 @@ optional_policy(`
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -47803,6 +111623,9 @@ index 64268e4..8fd5f8a 100644
 +append_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
 +read_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
 +
++manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
++manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
++
 +read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
 +
 +can_exec(user_mail_domain, mta_exec_type)
@@ -47861,6 +111684,12 @@ index 64268e4..8fd5f8a 100644
 +miscfiles_read_localization(user_mail_domain)
 +
 +optional_policy(`
++	courier_manage_spool_dirs(user_mail_domain)
++	courier_manage_spool_files(user_mail_domain)
++	courier_rw_spool_pipes(user_mail_domain)
++')
++
++optional_policy(`
 +	exim_domtrans(user_mail_domain)
 +	exim_manage_log(user_mail_domain)
 +	exim_manage_spool_files(user_mail_domain)
@@ -48272,8 +112101,27 @@ index f17583b..923fdfb 100644
 +optional_policy(`
 +    nscd_socket_use(munin_plugin_domain)
 +')
+diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
+index cc7192c..cb169dc 100644
+--- a/policy/modules/services/mysql.fc
++++ b/policy/modules/services/mysql.fc
+@@ -1,6 +1,14 @@
+ # mysql database server
+ 
+ #
++# /HOME
++#
++HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
++/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
++
++/usr/lib/systemd/system/mysqld.*	--	gen_context(system_u:object_r:mysqld_unit_file_t,s0)
++
++#
+ # /etc
+ #
+ /etc/my\.cnf		--	gen_context(system_u:object_r:mysqld_etc_t,s0)
 diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..840e562 100644
+index e9c0982..404ed6d 100644
 --- a/policy/modules/services/mysql.if
 +++ b/policy/modules/services/mysql.if
 @@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
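Review bot: In the new mysql.fc entries, the systemd unit pattern `/usr/lib/systemd/system/mysqld.*` sits under the `# /HOME` comment header, where a reader scanning by path section will not look for it. Give it its own `# /usr` header block. The two `.my.cnf` lines also write `gen_context(system_u:object_r:mysqld_home_t, s0)` with a space before `s0`, unlike the other entries visible here, so drop the space for consistency.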
@@ -48334,7 +112182,34 @@ index e9c0982..840e562 100644
  	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
  	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
  ')
-@@ -252,12 +289,12 @@ interface(`mysql_write_log',`
+@@ -122,6 +159,26 @@ interface(`mysql_search_db',`
+ 
+ ########################################
+ ## <summary>
++##	List the directories that contain MySQL
++##	database storage.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mysql_list_db',`
++	gen_require(`
++		type mysqld_db_t;
++	')
++
++	files_search_var_lib($1)
++	allow $1 mysqld_db_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Read and write to the MySQL database directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -252,12 +309,12 @@ interface(`mysql_write_log',`
  	')
  
  	logging_search_logs($1)
@@ -48349,7 +112224,7 @@ index e9c0982..840e562 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -273,6 +310,24 @@ interface(`mysql_domtrans_mysql_safe',`
+@@ -273,6 +330,24 @@ interface(`mysql_domtrans_mysql_safe',`
  	domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
  ')
  
@@ -48374,7 +112249,75 @@ index e9c0982..840e562 100644
  #####################################
  ## <summary>
  ##	Read MySQL PID files.
-@@ -329,27 +384,35 @@ interface(`mysql_search_pid_files',`
+@@ -313,6 +388,67 @@ interface(`mysql_search_pid_files',`
+ 
+ ########################################
+ ## <summary>
++##	Execute mysqld server in the mysqld domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`mysql_systemctl',`
++	gen_require(`
++		type mysqld_unit_file_t;
++		type mysqld_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 mysqld_unit_file_t:file read_file_perms;
++	allow $1 mysqld_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, mysqld_t)
++')
++
++########################################
++## <summary>
++##	read mysqld homedir content (.k5login)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mysql_read_home_content',`
++	gen_require(`
++		type mysqld_home_t;
++	')
++
++	userdom_search_user_home_dirs($1)
++	read_files_pattern($1, mysqld_home_t, mysqld_home_t)
++')
++
++########################################
++## <summary>
++##	Transition to mysqld named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mysql_filetrans_named_content',`
++	gen_require(`
++		type mysqld_home_t;
++	')
++
++	userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
++	userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate an mysql environment
+ ## </summary>
+ ## <param name="domain">
+@@ -329,27 +465,45 @@ interface(`mysql_search_pid_files',`
  #
  interface(`mysql_admin',`
  	gen_require(`
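Review bot: Two of the new interface summaries do not describe what the interface grants. `mysql_systemctl` is documented as "Execute mysqld server in the mysqld domain.", but its body allows running systemctl and managing the mysqld_unit_file_t service. `mysql_read_home_content` mentions `.k5login`, while mysqld_home_t is the label this commit assigns to `.my.cnf`. Suggested summaries: `##	Run systemctl to manage the mysqld unit.` and `##	Read mysqld home directory content (.my.cnf).`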
@@ -48385,6 +112328,8 @@ index e9c0982..840e562 100644
 +		type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
 +		type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
 +		type mysqld_etc_t;
++		type mysqld_home_t;
++		type mysqld_unit_file_t;
  	')
  
 -	allow $1 mysqld_t:process { ptrace signal_perms };
@@ -48413,10 +112358,18 @@ index e9c0982..840e562 100644
 +	files_list_tmp($1)
  	admin_pattern($1, mysqld_tmp_t)
 +
++	userdom_search_user_home_dirs($1)
++	files_list_root($1)
++	admin_pattern($1, mysqld_home_t)
++
++	mysql_systemctl($1)
++	admin_pattern($1, mysqld_unit_file_t)
++	allow $1 mysqld_unit_file_t:service all_service_perms;
++
 +	mysql_stream_connect($1)
  ')
 diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..2f51d5a 100644
+index 0a0d63c..a798a26 100644
 --- a/policy/modules/services/mysql.te
 +++ b/policy/modules/services/mysql.te
 @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
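Review bot: mysql_admin now calls `mysql_systemctl($1)`, which already grants `manage_service_perms` on mysqld_unit_file_t, and then adds `allow $1 mysqld_unit_file_t:service all_service_perms;` on top. If the wider set is intended, a comment should name the extra service permission the admin role needs; otherwise the last rule can be dropped. `admin_pattern($1, mysqld_home_t)` also gives the admin domain full management of users' `.my.cnf` files, which commonly hold client credentials, so confirm that this is intended rather than read-only access. mysql_admin begins in an earlier hunk.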
@@ -48432,7 +112385,20 @@ index 0a0d63c..2f51d5a 100644
  ## </desc>
  gen_tunable(mysql_connect_any, false)
  
-@@ -64,11 +64,12 @@ allow mysqld_t self:udp_socket create_socket_perms;
+@@ -29,6 +29,12 @@ files_type(mysqld_db_t)
+ type mysqld_etc_t alias etc_mysqld_t;
+ files_config_file(mysqld_etc_t)
+ 
++type mysqld_home_t;
++userdom_user_home_content(mysqld_home_t)
++
++type mysqld_unit_file_t;
++systemd_unit_file(mysqld_unit_file_t)
++
+ type mysqld_initrc_exec_t;
+ init_script_file(mysqld_initrc_exec_t)
+ 
+@@ -64,11 +70,12 @@ allow mysqld_t self:udp_socket create_socket_perms;
  
  manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
  manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -48446,7 +112412,7 @@ index 0a0d63c..2f51d5a 100644
  allow mysqld_t mysqld_etc_t:dir list_dir_perms;
  
  allow mysqld_t mysqld_log_t:file manage_file_perms;
-@@ -78,13 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+@@ -78,13 +85,21 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
  manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
  files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
  
@@ -48455,8 +112421,12 @@ index 0a0d63c..2f51d5a 100644
  manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
 -files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file })
 +files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
++
++userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
  
++kernel_read_network_state(mysqld_t)
  kernel_read_system_state(mysqld_t)
++kernel_read_network_state(mysqld_t)
  kernel_read_kernel_sysctls(mysqld_t)
  
 +corecmd_exec_bin(mysqld_t)
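Review bot: `kernel_read_network_state(mysqld_t)` is added twice in this hunk, once before and once after `kernel_read_system_state(mysqld_t)`. The duplicate does not change the compiled policy, but one of the two lines should be removed so the kernel_* block stays readable.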
@@ -48465,9 +112435,14 @@ index 0a0d63c..2f51d5a 100644
  corenet_all_recvfrom_unlabeled(mysqld_t)
  corenet_all_recvfrom_netlabel(mysqld_t)
  corenet_tcp_sendrecv_generic_if(mysqld_t)
-@@ -127,8 +132,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
- userdom_read_user_home_content_files(mysqld_t)
+@@ -122,13 +137,8 @@ miscfiles_read_localization(mysqld_t)
+ 
+ sysnet_read_config(mysqld_t)
  
+-userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+-# for /root/.my.cnf - should not be needed:
+-userdom_read_user_home_content_files(mysqld_t)
+-
  ifdef(`distro_redhat',`
 -	# because Fedora has the sock_file in the database directory
 -	type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
@@ -48475,7 +112450,7 @@ index 0a0d63c..2f51d5a 100644
  ')
  
  tunable_policy(`mysql_connect_any',`
-@@ -154,10 +158,11 @@ optional_policy(`
+@@ -154,10 +164,11 @@ optional_policy(`
  #
  
  allow mysqld_safe_t self:capability { chown dac_override fowner kill };
@@ -48488,7 +112463,7 @@ index 0a0d63c..2f51d5a 100644
  
  domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
  
-@@ -170,26 +175,33 @@ kernel_read_system_state(mysqld_safe_t)
+@@ -170,26 +181,35 @@ kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
  
  corecmd_exec_bin(mysqld_safe_t)
@@ -48507,6 +112482,8 @@ index 0a0d63c..2f51d5a 100644
  
 -hostname_exec(mysqld_safe_t)
 +logging_send_syslog_msg(mysqld_safe_t)
++
++auth_read_passwd(mysqld_safe_t)
  
  miscfiles_read_localization(mysqld_safe_t)
  
@@ -48524,7 +112501,7 @@ index 0a0d63c..2f51d5a 100644
  #
  # MySQL Manager Policy
 diff --git a/policy/modules/services/nagios.fc b/policy/modules/services/nagios.fc
-index 1fc9905..1d05c60 100644
+index 1fc9905..d80b4db 100644
 --- a/policy/modules/services/nagios.fc
 +++ b/policy/modules/services/nagios.fc
 @@ -6,8 +6,8 @@
@@ -48538,7 +112515,7 @@ index 1fc9905..1d05c60 100644
  
  /var/log/nagios(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
  /var/log/netsaint(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
-@@ -19,70 +19,72 @@
+@@ -19,70 +19,75 @@
  ifdef(`distro_debian',`
  /usr/sbin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
  ')
@@ -48666,48 +112643,49 @@ index 1fc9905..1d05c60 100644
  # unconfined plugins
 -/usr/lib(64)?/nagios/plugins/check_by_ssh	--	gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
 +/usr/lib/nagios/plugins/check_by_ssh	--	gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
++
++# eventhandlers
++/usr/lib/nagios/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
 diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
-index 8581040..039bfa0 100644
+index 8581040..7d8e93b 100644
 --- a/policy/modules/services/nagios.if
 +++ b/policy/modules/services/nagios.if
-@@ -12,10 +12,8 @@
+@@ -12,31 +12,22 @@
  ## </param>
  #
  template(`nagios_plugin_template',`
 -
  	gen_require(`
--		type nagios_t, nrpe_t;
++		attribute nagios_plugin_domain;
+ 		type nagios_t, nrpe_t;
 -		type nagios_log_t;
-+		type nagios_t, nrpe_t, nagios_log_t;
  	')
  
- 	type nagios_$1_plugin_t;
-@@ -26,9 +24,11 @@ template(`nagios_plugin_template',`
- 	allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
+-	type nagios_$1_plugin_t;
++	type nagios_$1_plugin_t, nagios_plugin_domain;
+ 	type nagios_$1_plugin_exec_t;
+ 	application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
+ 	role system_r types nagios_$1_plugin_t;
  
+-	allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
+-
  	domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
-+	allow nrpe_t nagios_$1_plugin_t:process { signal sigkill };
++	allow nagios_t nagios_$1_plugin_exec_t:file ioctl; 
  
  	# needed by command.cfg
  	domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
-+	allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
- 
- 	allow nagios_t nagios_$1_plugin_t:process signal_perms;
  
-@@ -36,6 +36,12 @@ template(`nagios_plugin_template',`
- 	dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
- 	dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
- 
-+	# FIXME
-+	# Probably add nagios_plugin_domain attribute
-+	kernel_read_system_state(nagios_$1_plugin_t)
-+
-+	files_read_usr_files(nagios_$1_plugin_t)
-+
- 	miscfiles_read_localization(nagios_$1_plugin_t)
+-	allow nagios_t nagios_$1_plugin_t:process signal_perms;
+-
+-	# cjp: leaked file descriptor
+-	dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
+-	dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
+-
+-	miscfiles_read_localization(nagios_$1_plugin_t)
  ')
  
-@@ -49,7 +55,6 @@ template(`nagios_plugin_template',`
+ ########################################
+@@ -49,7 +40,6 @@ template(`nagios_plugin_template',`
  ##	Domain to not audit.
  ##	</summary>
  ## </param>
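Review bot: The new nagios.fc entry `/usr/lib/nagios/plugins/eventhandlers(/.*)` has no trailing `?` and no file-type field, so it matches everything below the directory, subdirectories included, but not the directory itself, and labels all of it nagios_eventhandler_plugin_exec_t. If that is deliberate, a comment should say so. Otherwise use `(/.*)?` as the other directory entries in this commit do, or restrict the entry to regular files with `--`. In the template part of the same hunk, `allow nagios_t nagios_$1_plugin_exec_t:file ioctl; ` carries trailing whitespace and now sits under the nrpe_t domtrans rather than under the `# needed by command.cfg` comment it used to follow.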
@@ -48715,7 +112693,7 @@ index 8581040..039bfa0 100644
  #
  interface(`nagios_dontaudit_rw_pipes',`
  	gen_require(`
-@@ -159,6 +164,26 @@ interface(`nagios_read_tmp_files',`
+@@ -159,6 +149,26 @@ interface(`nagios_read_tmp_files',`
  
  ########################################
  ## <summary>
@@ -48742,7 +112720,7 @@ index 8581040..039bfa0 100644
  ##	Execute the nagios NRPE with
  ##	a domain transition.
  ## </summary>
-@@ -195,15 +220,16 @@ interface(`nagios_domtrans_nrpe',`
+@@ -195,15 +205,16 @@ interface(`nagios_domtrans_nrpe',`
  #
  interface(`nagios_admin',`
  	gen_require(`
@@ -48766,10 +112744,19 @@ index 8581040..039bfa0 100644
  	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..9ad9024 100644
+index bf64a4c..1f9d8e1 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
-@@ -25,7 +25,10 @@ type nagios_var_run_t;
+@@ -5,6 +5,8 @@ policy_module(nagios, 1.10.0)
+ # Declarations
+ #
+ 
++attribute nagios_plugin_domain;
++
+ type nagios_t;
+ type nagios_exec_t;
+ init_daemon_domain(nagios_t, nagios_exec_t)
+@@ -25,7 +27,10 @@ type nagios_var_run_t;
  files_pid_file(nagios_var_run_t)
  
  type nagios_spool_t;
@@ -48781,7 +112768,18 @@ index bf64a4c..9ad9024 100644
  
  nagios_plugin_template(admin)
  nagios_plugin_template(checkdisk)
-@@ -77,8 +80,13 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+@@ -33,6 +38,10 @@ nagios_plugin_template(mail)
+ nagios_plugin_template(services)
+ nagios_plugin_template(system)
+ nagios_plugin_template(unconfined)
++nagios_plugin_template(eventhandler)
++
++type nagios_eventhandler_plugin_tmp_t;
++files_tmp_file(nagios_eventhandler_plugin_tmp_t)
+ 
+ type nagios_system_plugin_tmp_t;
+ files_tmp_file(nagios_system_plugin_tmp_t)
+@@ -77,8 +86,13 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file)
  manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
  files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
  
@@ -48795,7 +112793,7 @@ index bf64a4c..9ad9024 100644
  
  corecmd_exec_bin(nagios_t)
  corecmd_exec_shell(nagios_t)
-@@ -107,13 +115,11 @@ files_read_etc_files(nagios_t)
+@@ -107,13 +121,11 @@ files_read_etc_files(nagios_t)
  files_read_etc_runtime_files(nagios_t)
  files_read_kernel_symbol_table(nagios_t)
  files_search_spool(nagios_t)
@@ -48810,7 +112808,7 @@ index bf64a4c..9ad9024 100644
  auth_use_nsswitch(nagios_t)
  
  logging_send_syslog_msg(nagios_t)
-@@ -124,10 +130,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+@@ -124,10 +136,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
  userdom_dontaudit_search_user_home_dirs(nagios_t)
  
  mta_send_mail(nagios_t)
@@ -48823,7 +112821,7 @@ index bf64a4c..9ad9024 100644
  	netutils_kill_ping(nagios_t)
  ')
  
-@@ -143,6 +149,7 @@ optional_policy(`
+@@ -143,6 +155,7 @@ optional_policy(`
  #
  # Nagios CGI local policy
  #
@@ -48831,7 +112829,7 @@ index bf64a4c..9ad9024 100644
  optional_policy(`
  	apache_content_template(nagios)
  	typealias httpd_nagios_script_t alias nagios_cgi_t;
-@@ -180,11 +187,13 @@ optional_policy(`
+@@ -180,11 +193,13 @@ optional_policy(`
  #
  
  allow nrpe_t self:capability { setuid setgid };
@@ -48846,7 +112844,7 @@ index bf64a4c..9ad9024 100644
  domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
  
  read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
-@@ -201,7 +210,8 @@ corecmd_exec_shell(nrpe_t)
+@@ -201,7 +216,8 @@ corecmd_exec_shell(nrpe_t)
  
  corenet_tcp_bind_generic_node(nrpe_t)
  corenet_tcp_bind_inetd_child_port(nrpe_t)
@@ -48856,7 +112854,7 @@ index bf64a4c..9ad9024 100644
  
  dev_read_sysfs(nrpe_t)
  dev_read_urand(nrpe_t)
-@@ -211,6 +221,7 @@ domain_read_all_domains_state(nrpe_t)
+@@ -211,6 +227,7 @@ domain_read_all_domains_state(nrpe_t)
  
  files_read_etc_runtime_files(nrpe_t)
  files_read_etc_files(nrpe_t)
@@ -48864,7 +112862,15 @@ index bf64a4c..9ad9024 100644
  
  fs_getattr_all_fs(nrpe_t)
  fs_search_auto_mountpoints(nrpe_t)
-@@ -270,12 +281,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -251,7 +268,6 @@ optional_policy(`
+ corecmd_read_bin_files(nagios_admin_plugin_t)
+ corecmd_read_bin_symlinks(nagios_admin_plugin_t)
+ 
+-dev_read_urand(nagios_admin_plugin_t)
+ dev_getattr_all_chr_files(nagios_admin_plugin_t)
+ dev_getattr_all_blk_files(nagios_admin_plugin_t)
+ 
+@@ -270,19 +286,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
  #
  
  allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -48877,7 +112883,14 @@ index bf64a4c..9ad9024 100644
  kernel_read_kernel_sysctls(nagios_mail_plugin_t)
  
  corecmd_read_bin_files(nagios_mail_plugin_t)
-@@ -299,7 +308,7 @@ optional_policy(`
+ corecmd_read_bin_symlinks(nagios_mail_plugin_t)
+ 
+-dev_read_urand(nagios_mail_plugin_t)
+-
+ files_read_etc_files(nagios_mail_plugin_t)
+ 
+ logging_send_syslog_msg(nagios_mail_plugin_t)
+@@ -299,7 +311,7 @@ optional_policy(`
  
  optional_policy(`
  	postfix_stream_connect_master(nagios_mail_plugin_t)
@@ -48886,7 +112899,7 @@ index bf64a4c..9ad9024 100644
  ')
  
  ######################################
-@@ -310,6 +319,9 @@ optional_policy(`
+@@ -310,6 +322,9 @@ optional_policy(`
  # needed by ioctl()
  allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
  
@@ -48896,15 +112909,21 @@ index bf64a4c..9ad9024 100644
  files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
  
  fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,7 +335,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -321,11 +336,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+ # local policy for service check plugins
+ #
  
- allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
+-allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
++allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw };
  allow nagios_services_plugin_t self:process { signal sigkill };
 -
  allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
  allow nagios_services_plugin_t self:udp_socket create_socket_perms;
++allow nagios_services_plugin_t self:rawip_socket create_socket_perms;
+ 
+ corecmd_exec_bin(nagios_services_plugin_t)
  
-@@ -340,6 +351,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +355,8 @@ files_read_usr_files(nagios_services_plugin_t)
  
  optional_policy(`
  	netutils_domtrans_ping(nagios_services_plugin_t)
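Review bot: The new `setuid` in `allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw };` widens the capability set of every service-check plugin, and no comment says which plugin needs it. The `rawip_socket` rule added a few lines below is at least consistent with the existing `net_raw`, but nothing visible here explains the UID change. I would add a comment above the rule, e.g. `# setuid: needed by <plugin> to change UID after opening its raw socket (confirm)`, so the capability can be dropped if that plugin later gets its own domain. The service-check local policy section continues outside this hunk.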
@@ -48913,7 +112932,7 @@ index bf64a4c..9ad9024 100644
  ')
  
  optional_policy(`
-@@ -363,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -363,6 +380,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
  manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
  files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
  
@@ -48922,15 +112941,76 @@ index bf64a4c..9ad9024 100644
  kernel_read_system_state(nagios_system_plugin_t)
  kernel_read_kernel_sysctls(nagios_system_plugin_t)
  
-@@ -376,6 +391,8 @@ domain_read_all_domains_state(nagios_system_plugin_t)
+@@ -370,12 +389,15 @@ corecmd_exec_bin(nagios_system_plugin_t)
+ corecmd_exec_shell(nagios_system_plugin_t)
+ 
+ dev_read_sysfs(nagios_system_plugin_t)
+-dev_read_urand(nagios_system_plugin_t)
+ 
+ domain_read_all_domains_state(nagios_system_plugin_t)
  
  files_read_etc_files(nagios_system_plugin_t)
  
 +fs_getattr_all_fs(nagios_system_plugin_t)
 +
++auth_read_passwd(nagios_system_plugin_t)
++
  # needed by check_users plugin
  optional_policy(`
  	init_read_utmp(nagios_system_plugin_t)
+@@ -389,3 +411,52 @@ optional_policy(`
+ optional_policy(`
+ 	unconfined_domain(nagios_unconfined_plugin_t)
+ ')
++
++#######################################
++#
++# Event handler plugin plugin policy
++#
++
++manage_files_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t)
++manage_dirs_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t)
++files_tmp_filetrans(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, { dir file })
++
++corecmd_exec_bin(nagios_eventhandler_plugin_t)
++corecmd_exec_shell(nagios_eventhandler_plugin_t)
++
++init_domtrans_script(nagios_eventhandler_plugin_t)
++
++systemd_exec_systemctl(nagios_eventhandler_plugin_t)
++
++allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
++
++optional_policy(`
++    unconfined_domain(nagios_eventhandler_plugin_t)
++')
++
++######################################
++#
++# nagios plugin domain policy
++#
++
++allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
++
++allow nrpe_t nagios_plugin_domain:process { signal sigkill };
++   
++allow nagios_t nagios_plugin_domain:process signal_perms;
++
++# cjp: leaked file descriptor
++dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write };
++dontaudit nagios_plugin_domain nagios_log_t:file { read write };
++
++kernel_read_system_state(nagios_plugin_domain)
++
++dev_read_urand(nagios_plugin_domain)
++dev_read_rand(nagios_plugin_domain)
++
++files_read_usr_files(nagios_plugin_domain)
++
++miscfiles_read_localization(nagios_plugin_domain)
++
++userdom_use_inherited_user_ptys(nagios_plugin_domain)
++userdom_use_inherited_user_ttys(nagios_plugin_domain)
 diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc
 index 74da57f..b94bb3b 100644
 --- a/policy/modules/services/nessus.fc
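Review bot: The `optional_policy` block calling `unconfined_domain(nagios_eventhandler_plugin_t)` makes the targeted rules just above it (`init_domtrans_script`, `systemd_exec_systemctl`, the tmp-file patterns) redundant whenever the unconfined module is present. Because `nagios_plugin_template` gives both `nagios_t` and `nrpe_t` a `domtrans_pattern` into each plugin domain, it also gives the monitoring daemons a transition into an unconfined domain. If that is intended, say so on the block, e.g. `# event handlers run admin-supplied scripts; left unconfined on purpose`; otherwise drop the block and keep only the targeted rules. Two smaller points in the same section: the header reads `Event handler plugin plugin policy`, and `allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;` grants a directory permission on an exec type, which deserves a one-line reason.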
@@ -48945,10 +113025,10 @@ index 74da57f..b94bb3b 100644
  /usr/sbin/nessusd	--	gen_context(system_u:object_r:nessusd_exec_t,s0)
  
 diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
-index 386543b..ea4e5e6 100644
+index 386543b..8fe1d63 100644
 --- a/policy/modules/services/networkmanager.fc
 +++ b/policy/modules/services/networkmanager.fc
-@@ -1,6 +1,17 @@
+@@ -1,6 +1,19 @@
  /etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
  
 -/etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -48957,17 +113037,19 @@ index 386543b..ea4e5e6 100644
 +/etc/NetworkManager/system-connections(/.*)?	gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
 +/etc/NetworkManager/dispatcher\.d(/.*)?	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 +
++/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++
 +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
 +/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
 +/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
 +
-+/lib/systemd/system/NetworkManager\.service	--	gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
-+
-+/usr/lib/systemd/system/NetworkManager\.service	--	gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
++/usr/lib/systemd/system/NetworkManager.* --	gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
  
  /usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
  
-@@ -12,15 +23,19 @@
+@@ -12,15 +25,19 @@
  /usr/sbin/NetworkManagerDispatcher --	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  /usr/sbin/nm-system-settings	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  /usr/sbin/wicd 			--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
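Review bot: The three new `/etc/dhcp/*-settings.conf` entries leave the `.` unescaped and put a space inside `gen_context(..., s0)`, unlike the `/etc/rc\.d/init\.d/wicd` line at the top of the file. I would write them as `/etc/dhcp/manager-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)`, and likewise for the other two. The file names duplicate the `/etc/wicd/` entries directly below, so it is worth confirming that `/etc/dhcp/` is really where these files are created. Separately, `/usr/lib/systemd/system/NetworkManager.*` replaces two exact `NetworkManager\.service` entries and now labels every unit file with that prefix as `NetworkManager_unit_file_t`; if covering additional units is the intent, a short comment saying so would help.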
@@ -48989,7 +113071,7 @@ index 386543b..ea4e5e6 100644
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
-index 2324d9e..8666a3c 100644
+index 2324d9e..da61d01 100644
 --- a/policy/modules/services/networkmanager.if
 +++ b/policy/modules/services/networkmanager.if
 @@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
@@ -49025,7 +113107,7 @@ index 2324d9e..8666a3c 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 NetworkManager_unit_file_t:file read_file_perms;
-+	allow $1 NetworkManager_unit_file_t:service all_service_perms;
++	allow $1 NetworkManager_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, NetworkManager_t)
 +')
@@ -49064,7 +113146,7 @@ index 2324d9e..8666a3c 100644
  ##	Send a generic signal to NetworkManager
  ## </summary>
  ## <param name="domain">
-@@ -191,3 +236,77 @@ interface(`networkmanager_read_pid_files',`
+@@ -191,3 +236,90 @@ interface(`networkmanager_read_pid_files',`
  	files_search_pids($1)
  	allow $1 NetworkManager_var_run_t:file read_file_perms;
  ')
@@ -49129,6 +113211,7 @@ index 2324d9e..8666a3c 100644
 +interface(`networkmanager_filetrans_named_content',`
 +	gen_require(`
 +		type NetworkManager_var_run_t;
++		type NetworkManager_var_lib_t;
 +	')
 +
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf")
@@ -49141,9 +113224,21 @@ index 2324d9e..8666a3c 100644
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf")
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf")
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
++	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
++	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
++	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..be38b9d 100644
+index 0619395..103f6f8 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
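Review bot: The last added transition names `"wireed-settings.conf"`, which does not match the `wired-settings.conf` entries in networkmanager.fc, so a file created under the real name gets no `NetworkManager_var_lib_t` label from this rule. It should read `files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")`. The new `em` entries are spelled `nm-dhclient-emN.conf` while the existing `eth` entries are `nm-dhclient.-ethN.conf`, and they stop at `em8` where `eth` runs to `eth9`. One of the two spellings is presumably wrong, so check them against the file name NetworkManager actually writes. `networkmanager_filetrans_named_content` begins outside this hunk.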
@@ -49162,7 +113257,7 @@ index 0619395..be38b9d 100644
  type NetworkManager_log_t;
  logging_log_file(NetworkManager_log_t)
  
-@@ -35,16 +44,25 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -35,16 +44,26 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
  
  # networkmanager will ptrace itself if gdb is installed
  # and it receives a unexpected signal (rh bug #204161)
@@ -49177,6 +113272,7 @@ index 0619395..be38b9d 100644
 +')
 +allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
 +tunable_policy(`deny_ptrace',`',`
++	allow NetworkManager_t self:capability sys_ptrace;
 +	allow NetworkManager_t self:process ptrace;
 +')
 +
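Review bot: `allow NetworkManager_t self:capability sys_ptrace;` is added to the else-branch of the `deny_ptrace` tunable, so it is granted whenever that boolean is off, yet the comment above the block only mentions NetworkManager ptracing itself. `self:process ptrace` on the next line already covers self-tracing, and `sys_ptrace` is a broader capability. I would record why it is needed, e.g. `# sys_ptrace: required for the gdb self-attach case (confirm)`, or drop the line if self-ptrace works without it.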
@@ -49192,7 +113288,7 @@ index 0619395..be38b9d 100644
  allow NetworkManager_t self:udp_socket create_socket_perms;
  allow NetworkManager_t self:packet_socket create_socket_perms;
  
-@@ -52,9 +70,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+@@ -52,9 +71,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
  
  can_exec(NetworkManager_t, NetworkManager_exec_t)
  
@@ -49213,7 +113309,7 @@ index 0619395..be38b9d 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -95,11 +124,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
+@@ -95,11 +125,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
  corenet_rw_tun_tap_dev(NetworkManager_t)
  corenet_getattr_ppp_dev(NetworkManager_t)
  
@@ -49227,7 +113323,7 @@ index 0619395..be38b9d 100644
  
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,7 +143,7 @@ corecmd_exec_shell(NetworkManager_t)
+@@ -113,10 +144,11 @@ corecmd_exec_shell(NetworkManager_t)
  corecmd_exec_bin(NetworkManager_t)
  
  domain_use_interactive_fds(NetworkManager_t)
@@ -49236,7 +113332,11 @@ index 0619395..be38b9d 100644
  
  files_read_etc_files(NetworkManager_t)
  files_read_etc_runtime_files(NetworkManager_t)
-@@ -133,30 +163,37 @@ logging_send_syslog_msg(NetworkManager_t)
++files_read_system_conf_files(NetworkManager_t)
+ files_read_usr_files(NetworkManager_t)
+ files_read_usr_src_files(NetworkManager_t)
+ 
+@@ -133,30 +165,37 @@ logging_send_syslog_msg(NetworkManager_t)
  miscfiles_read_localization(NetworkManager_t)
  miscfiles_read_generic_certs(NetworkManager_t)
  
@@ -49276,7 +113376,7 @@ index 0619395..be38b9d 100644
  ')
  
  optional_policy(`
-@@ -176,10 +213,17 @@ optional_policy(`
+@@ -176,10 +215,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49294,7 +113394,7 @@ index 0619395..be38b9d 100644
  	')
  ')
  
-@@ -191,6 +235,7 @@ optional_policy(`
+@@ -191,6 +237,7 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -49302,7 +113402,7 @@ index 0619395..be38b9d 100644
  ')
  
  optional_policy(`
-@@ -202,23 +247,45 @@ optional_policy(`
+@@ -202,23 +249,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49348,7 +113448,18 @@ index 0619395..be38b9d 100644
  	openvpn_domtrans(NetworkManager_t)
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
-@@ -241,6 +308,7 @@ optional_policy(`
+@@ -234,6 +303,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	polipo_systemctl(NetworkManager_t)
++')
++
++optional_policy(`
+ 	ppp_initrc_domtrans(NetworkManager_t)
+ 	ppp_domtrans(NetworkManager_t)
+ 	ppp_manage_pid_files(NetworkManager_t)
+@@ -241,6 +314,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -49356,7 +113467,18 @@ index 0619395..be38b9d 100644
  ')
  
  optional_policy(`
-@@ -263,6 +331,7 @@ optional_policy(`
+@@ -254,6 +328,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	systemd_read_logind_sessions_files(NetworkManager_t)
++')
++
++optional_policy(`
+ 	udev_exec(NetworkManager_t)
+ 	udev_read_db(NetworkManager_t)
+ ')
+@@ -263,6 +341,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -49365,7 +113487,7 @@ index 0619395..be38b9d 100644
  
  ########################################
 diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc
-index 15448d5..62284bf 100644
+index 15448d5..36b45bd 100644
 --- a/policy/modules/services/nis.fc
 +++ b/policy/modules/services/nis.fc
 @@ -1,5 +1,5 @@
@@ -49375,34 +113497,30 @@ index 15448d5..62284bf 100644
  /etc/rc\.d/init\.d/ypserv	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/ypxfrd	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
  /etc/ypserv\.conf	--	gen_context(system_u:object_r:ypserv_conf_t,s0)
-@@ -7,10 +7,10 @@
+@@ -7,10 +7,11 @@
  /sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
  
  /usr/lib/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
 -/usr/lib64/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
  
  /usr/sbin/rpc\.yppasswdd --	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
++/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
  /usr/sbin/rpc\.ypxfrd	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
 +/usr/sbin/ypbind	--	gen_context(system_u:object_r:ypbind_exec_t,s0)
  /usr/sbin/ypserv	--	gen_context(system_u:object_r:ypserv_exec_t,s0)
  
  /var/yp(/.*)?			gen_context(system_u:object_r:var_yp_t,s0)
-@@ -19,3 +19,13 @@
+@@ -19,3 +20,8 @@
  /var/run/ypbind.*	--	gen_context(system_u:object_r:ypbind_var_run_t,s0)
  /var/run/ypserv.*	--	gen_context(system_u:object_r:ypserv_var_run_t,s0)
  /var/run/yppass.*	--	gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
 +
-+/lib/systemd/system/ypbind\.service	--	gen_context(system_u:object_r:ypbind_unit_file_t,s0)
-+/lib/systemd/system/ypserv\.service	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
-+/lib/systemd/system/yppasswdd\.service	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
-+/lib/systemd/system/ypxfrd\.service	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
-+
-+/usr/lib/systemd/system/ypbind\.service	--	gen_context(system_u:object_r:ypbind_unit_file_t,s0)
-+/usr/lib/systemd/system/ypserv\.service	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
-+/usr/lib/systemd/system/yppasswdd\.service	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
-+/usr/lib/systemd/system/ypxfrd\.service	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
++/usr/lib/systemd/system/ypbind.*	--	gen_context(system_u:object_r:ypbind_unit_file_t,s0)
++/usr/lib/systemd/system/ypserv.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
++/usr/lib/systemd/system/yppasswdd.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
++/usr/lib/systemd/system/ypxfrd.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
-index abe3f7f..4b891ee 100644
+index abe3f7f..8ba3aef 100644
 --- a/policy/modules/services/nis.if
 +++ b/policy/modules/services/nis.if
 @@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
@@ -49480,7 +113598,7 @@ index abe3f7f..4b891ee 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 ypbind_unit_file_t:file read_file_perms;
-+	allow $1 ypbind_unit_file_t:service all_service_perms;
++	allow $1 ypbind_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, ypbind_t)
 +')
@@ -49497,13 +113615,13 @@ index abe3f7f..4b891ee 100644
 +#
 +interface(`nis_systemctl',`
 +	gen_require(`
-+		type nis_unit_file_t;
++		type nis_unit_file_t, ypbind_unit_file_t;
 +		type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
 +	')
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 nis_unit_file_t:file read_file_perms;
-+	allow $1 nis_unit_file_t:service all_service_perms;
++	allow $1 nis_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, ypbind_t)
 +	ps_process_pattern($1, yppasswdd_t)
@@ -49516,7 +113634,7 @@ index abe3f7f..4b891ee 100644
  ##	All of the rules required to administrate
  ##	an nis environment
  ## </summary>
-@@ -354,22 +385,28 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -354,22 +385,30 @@ interface(`nis_initrc_domtrans_ypbind',`
  #
  interface(`nis_admin',`
  	gen_require(`
@@ -49527,6 +113645,8 @@ index abe3f7f..4b891ee 100644
  		type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
 -		type ypbind_initrc_exec_t, nis_initrc_exec_t;
 +		type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
++		type nis_unit_file_t;
++		type ypbind_unit_file_t;
  	')
  
 -	allow $1 ypbind_t:process { ptrace signal_perms };
@@ -49552,7 +113672,7 @@ index abe3f7f..4b891ee 100644
  	ps_process_pattern($1, ypxfr_t)
  
  	nis_initrc_domtrans($1)
-@@ -379,18 +416,15 @@ interface(`nis_admin',`
+@@ -379,18 +418,20 @@ interface(`nis_admin',`
  	role_transition $2 ypbind_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -49562,6 +113682,8 @@ index abe3f7f..4b891ee 100644
  	files_list_pids($1)
  	admin_pattern($1, ypbind_var_run_t)
 +	nis_systemctl_ypbind($1)
++	admin_pattern($1, ypbind_unit_file_t)
++	allow $1 ypbind_unit_file_t:service all_service_perms;
  
  	admin_pattern($1, yppasswdd_var_run_t)
  
@@ -49571,10 +113693,13 @@ index abe3f7f..4b891ee 100644
 -	admin_pattern($1, ypserv_tmp_t)
 -
  	admin_pattern($1, ypserv_var_run_t)
++
 +	nis_systemctl($1)
++	admin_pattern($1, nis_unit_file_t)
++	allow $1 nis_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
-index 4876cae..e29f5d6 100644
+index 4876cae..9f3b09b 100644
 --- a/policy/modules/services/nis.te
 +++ b/policy/modules/services/nis.te
 @@ -18,12 +18,12 @@ init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -49643,7 +113768,24 @@ index 4876cae..e29f5d6 100644
  allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
  allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
  allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -211,6 +208,10 @@ optional_policy(`
+@@ -156,6 +153,8 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
+ manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
+ manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
+ 
++can_exec(yppasswdd_t,yppasswdd_exec_t)
++
+ kernel_list_proc(yppasswdd_t)
+ kernel_read_proc_symlinks(yppasswdd_t)
+ kernel_getattr_proc_files(yppasswdd_t)
+@@ -186,6 +185,7 @@ selinux_get_fs_mount(yppasswdd_t)
+ 
+ auth_manage_shadow(yppasswdd_t)
+ auth_relabel_shadow(yppasswdd_t)
++auth_read_passwd(yppasswdd_t)
+ auth_etc_filetrans_shadow(yppasswdd_t)
+ 
+ corecmd_exec_bin(yppasswdd_t)
+@@ -211,6 +211,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49654,7 +113796,7 @@ index 4876cae..e29f5d6 100644
  	seutil_sigchld_newrole(yppasswdd_t)
  ')
  
-@@ -224,8 +225,8 @@ optional_policy(`
+@@ -224,8 +228,8 @@ optional_policy(`
  #
  
  dontaudit ypserv_t self:capability sys_tty_config;
@@ -49664,7 +113806,7 @@ index 4876cae..e29f5d6 100644
  allow ypserv_t self:unix_dgram_socket create_socket_perms;
  allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
  allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -236,10 +237,6 @@ manage_files_pattern(ypserv_t, var_yp_t, var_yp_t)
+@@ -236,10 +240,6 @@ manage_files_pattern(ypserv_t, var_yp_t, var_yp_t)
  
  allow ypserv_t ypserv_conf_t:file read_file_perms;
  
@@ -49677,21 +113819,36 @@ index 4876cae..e29f5d6 100644
  
 diff --git a/policy/modules/services/nova.fc b/policy/modules/services/nova.fc
 new file mode 100644
-index 0000000..4af11e2
+index 0000000..02dc6dc
 --- /dev/null
 +++ b/policy/modules/services/nova.fc
-@@ -0,0 +1,17 @@
-+
+@@ -0,0 +1,32 @@
 +
 +/usr/bin/nova-ajax-console-proxy	--	gen_context(system_u:object_r:nova_ajax_exec_t,s0)
-+#/usr/bin/nova-compute       --  gen_context(system_u:object_r:nova_compute_exec_t,s0)
++/usr/bin/nova-console.*		--	gen_context(system_u:object_r:nova_console_exec_t,s0)
 +/usr/bin/nova-direct-api	--  gen_context(system_u:object_r:nova_direct_exec_t,s0)
 +/usr/bin/nova-api			--  gen_context(system_u:object_r:nova_api_exec_t,s0)
++/usr/bin/nova-cert           --  gen_context(system_u:object_r:nova_cert_exec_t,s0)
++/usr//bin/nova-api-metadata	--	gen_context(system_u:object_r:nova_api_exec_t,s0)
 +/usr/bin/nova-network       --  gen_context(system_u:object_r:nova_network_exec_t,s0)
 +/usr/bin/nova-objectstore       --  gen_context(system_u:object_r:nova_objectstore_exec_t,s0)
 +/usr/bin/nova-scheduler     --  gen_context(system_u:object_r:nova_scheduler_exec_t,s0)
 +/usr/bin/nova-vncproxy      --  gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
 +/usr/bin/nova-volume        --  gen_context(system_u:object_r:nova_volume_exec_t,s0)
++/usr/bin/nova-xvpvncproxy	--	gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
++
++/usr/lib/systemd/system/openstack-nova-ajax-console-proxy.*	--	gen_context(system_u:object_r:nova_ajax_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-api.*		--	gen_context(system_u:object_r:nova_api_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-cert.*	--	gen_context(system_u:object_r:nova_cert_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-console.*    --  gen_context(system_u:object_r:nova_console_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-direct-api.*	--	gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-metadata-api.service.*	--	gen_context(system_u:object_r:nova_api_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-network.*	--	gen_context(system_u:object_r:nova_network_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-objectstore.*	--	gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-scheduler.*	--	gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-vncproxy.*	--	gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-xvpvncproxy.*   --  gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-volume.*		--	gen_context(system_u:object_r:nova_volume_unit_file_t,s0)
 +
 +/var/lib/nova(/.*)?     gen_context(system_u:object_r:nova_var_lib_t,s0)
 +
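Review bot: The new entry `/usr//bin/nova-api-metadata` has a doubled slash, so the pattern will not match the real path and the binary keeps its default label instead of `nova_api_exec_t`. It should read `/usr/bin/nova-api-metadata	--	gen_context(system_u:object_r:nova_api_exec_t,s0)`. Without that label, the `init_daemon_domain` transition set up by `nova_domain_template` would presumably not apply to this daemon. The unit-file pattern `openstack-nova-metadata-api.service.*` is also the only new systemd entry that spells out `.service` before the wildcard; `openstack-nova-metadata-api.*` would match the others.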
@@ -49700,10 +113857,10 @@ index 0000000..4af11e2
 +/var/run/nova(/.*)?     gen_context(system_u:object_r:nova_var_run_t,s0)
 diff --git a/policy/modules/services/nova.if b/policy/modules/services/nova.if
 new file mode 100644
-index 0000000..ac0e1e6
+index 0000000..0d11800
 --- /dev/null
 +++ b/policy/modules/services/nova.if
-@@ -0,0 +1,30 @@
+@@ -0,0 +1,33 @@
 +## <summary>openstack-nova</summary>
 +
 +#######################################
@@ -49726,6 +113883,9 @@ index 0000000..ac0e1e6
 +	type nova_$1_exec_t;
 +	init_daemon_domain(nova_$1_t, nova_$1_exec_t)
 +
++	type nova_$1_unit_file_t;
++	systemd_unit_file(nova_$1_unit_file_t)
++
 +	type nova_$1_tmp_t;
 +	files_tmp_file(nova_$1_tmp_t)
 +
@@ -49736,10 +113896,10 @@ index 0000000..ac0e1e6
 +')
 diff --git a/policy/modules/services/nova.te b/policy/modules/services/nova.te
 new file mode 100644
-index 0000000..49acffa
+index 0000000..b0d25bb
 --- /dev/null
 +++ b/policy/modules/services/nova.te
-@@ -0,0 +1,297 @@
+@@ -0,0 +1,328 @@
 +policy_module(nova, 1.0.0)
 +
 +########################################
@@ -49756,7 +113916,9 @@ index 0000000..49acffa
 +
 +nova_domain_template(ajax)
 +nova_domain_template(api)
++nova_domain_template(cert)
 +nova_domain_template(compute)
++nova_domain_template(console)
 +nova_domain_template(direct)
 +nova_domain_template(network)
 +nova_domain_template(objectstore)
@@ -49831,6 +113993,8 @@ index 0000000..49acffa
 +
 +allow nova_api_t self:process setfscreate;
 +
++allow nova_api_t self:key write;
++
 +allow nova_api_t self:netlink_route_socket r_netlink_socket_perms;
 +
 +allow nova_api_t self:udp_socket create_socket_perms;
@@ -49843,6 +114007,8 @@ index 0000000..49acffa
 +corenet_tcp_connect_all_ports(nova_api_t)
 +corenet_tcp_bind_all_unreserved_ports(nova_api_t)
 +
++auth_read_passwd(nova_api_t)
++
 +logging_send_syslog_msg(nova_api_t)
 +
 +miscfiles_read_certs(nova_api_t)
@@ -49868,6 +114034,23 @@ index 0000000..49acffa
 +	unconfined_domain(nova_api_t)
 +')
 +
++######################################
++#
++# nova cert local policy
++#
++
++allow nova_cert_t self:process setfscreate;
++
++allow nova_cert_t self:udp_socket create_socket_perms;
++
++auth_read_passwd(nova_cert_t)
++
++miscfiles_read_certs(nova_cert_t)
++
++optional_policy(`
++	mysql_stream_connect(nova_cert_t)
++')
++
 +#######################################
 +#
 +# nova compute local policy
@@ -49888,6 +114071,14 @@ index 0000000..49acffa
 +	virt_stream_connect(nova_compute_t)
 +')
 +
++######################################
++#
++# nova console local policy
++#
++
++allow nova_console_t self:udp_socket create_socket_perms;
++
++auth_use_nsswitch(nova_console_t)
 +
 +#######################################
 +#
@@ -50038,7 +114229,7 @@ index 0000000..49acffa
 +')
 +
 diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
-index 85188dc..0a96e14 100644
+index 85188dc..783accb 100644
 --- a/policy/modules/services/nscd.if
 +++ b/policy/modules/services/nscd.if
 @@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
@@ -50124,7 +114315,7 @@ index 85188dc..0a96e14 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 nscd_unit_file_t:file read_file_perms;
-+	allow $1 nscd_unit_file_t:service all_service_perms;
++	allow $1 nscd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, nscd_t)
 +')
@@ -50134,8 +114325,11 @@ index 85188dc..0a96e14 100644
  ##	All of the rules required to administrate 
  ##	an nscd environment
  ## </summary>
-@@ -275,8 +321,11 @@ interface(`nscd_admin',`
+@@ -273,10 +319,14 @@ interface(`nscd_admin',`
+ 	gen_require(`
+ 		type nscd_t, nscd_log_t, nscd_var_run_t;
  		type nscd_initrc_exec_t;
++		type nscd_unit_file_t;
  	')
  
 -	allow $1 nscd_t:process { ptrace signal_perms };
@@ -50147,15 +114341,17 @@ index 85188dc..0a96e14 100644
  
  	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -288,4 +337,6 @@ interface(`nscd_admin',`
+@@ -288,4 +338,8 @@ interface(`nscd_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, nscd_var_run_t)
 +
 +	nscd_systemctl($1)
++	admin_pattern($1, ncsd_unit_file_t)
++	allow $1 ncsd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
-index 7936e09..2f6a98f 100644
+index 7936e09..c0538d0 100644
 --- a/policy/modules/services/nscd.te
 +++ b/policy/modules/services/nscd.te
 @@ -1,9 +1,16 @@
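Review bot: The two lines added to nscd_admin name `ncsd_unit_file_t`, a transposition of the `nscd_unit_file_t` type that the gen_require earlier in the same interface pulls in. No type with the misspelled name appears anywhere in the visible policy, so expanding nscd_admin would reference an undeclared type. The lines should read `admin_pattern($1, nscd_unit_file_t)` and `allow $1 nscd_unit_file_t:service all_service_perms;`. The interface body starts outside this hunk.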
@@ -50186,7 +114382,7 @@ index 7936e09..2f6a98f 100644
  type nscd_log_t;
  logging_log_file(nscd_log_t)
  
-@@ -47,9 +57,10 @@ allow nscd_t self:nscd { admin getstat };
+@@ -47,13 +57,15 @@ allow nscd_t self:nscd { admin getstat };
  allow nscd_t nscd_log_t:file manage_file_perms;
  logging_log_filetrans(nscd_t, nscd_log_t, file)
  
@@ -50198,7 +114394,12 @@ index 7936e09..2f6a98f 100644
  
  corecmd_search_bin(nscd_t)
  can_exec(nscd_t, nscd_exec_t)
-@@ -90,6 +101,7 @@ selinux_compute_create_context(nscd_t)
+ 
++kernel_read_network_state(nscd_t)
+ kernel_read_kernel_sysctls(nscd_t)
+ kernel_list_proc(nscd_t)
+ kernel_read_proc_symlinks(nscd_t)
+@@ -90,6 +102,7 @@ selinux_compute_create_context(nscd_t)
  selinux_compute_relabel_context(nscd_t)
  selinux_compute_user_contexts(nscd_t)
  domain_use_interactive_fds(nscd_t)
@@ -50206,7 +114407,7 @@ index 7936e09..2f6a98f 100644
  
  files_read_etc_files(nscd_t)
  files_read_generic_tmp_symlinks(nscd_t)
-@@ -112,6 +124,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+@@ -112,6 +125,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
  userdom_dontaudit_search_user_home_dirs(nscd_t)
  
  optional_policy(`
@@ -50217,7 +114418,7 @@ index 7936e09..2f6a98f 100644
  	cron_read_system_job_tmp_files(nscd_t)
  ')
  
-@@ -127,3 +143,17 @@ optional_policy(`
+@@ -127,3 +144,17 @@ optional_policy(`
  	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
  	xen_append_log(nscd_t)
  ')
@@ -50481,22 +114682,20 @@ index ded9fb6..9d1e60a 100644
  manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
  files_pid_filetrans(ntop_t, ntop_var_run_t, file)
 diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
-index e79dccc..82a62e9 100644
+index e79dccc..e8d3e38 100644
 --- a/policy/modules/services/ntp.fc
 +++ b/policy/modules/services/ntp.fc
-@@ -10,6 +10,10 @@
+@@ -10,6 +10,8 @@
  
  /etc/rc\.d/init\.d/ntpd		--	gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
  
-+/lib/systemd/system/ntpd\.service               --      gen_context(system_u:object_r:ntpd_unit_file_t,s0)
-+
-+/usr/lib/systemd/system/ntpd\.service               --      gen_context(system_u:object_r:ntpd_unit_file_t,s0)
++/usr/lib/systemd/system/ntpd.*               --      gen_context(system_u:object_r:ntpd_unit_file_t,s0)
 +
  /usr/sbin/ntpd			--	gen_context(system_u:object_r:ntpd_exec_t,s0)
  /usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
  
 diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..3d17408 100644
+index e80f8c0..0044e73 100644
 --- a/policy/modules/services/ntp.if
 +++ b/policy/modules/services/ntp.if
 @@ -98,6 +98,48 @@ interface(`ntp_initrc_domtrans',`
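Review bot: The new file-context pattern `/usr/lib/systemd/system/ntpd.*` is not anchored to the unit name, so it also matches any other file whose name begins with ntpd (a unit such as ntpdate.service, for instance) and labels it ntpd_unit_file_t, which ntp_systemctl callers are then allowed to manage. If only ntpd's own unit is meant, keep the escaped form the removed lines used, `/usr/lib/systemd/system/ntpd\.service`; if the wider match is intended, a comment saying so would help. The same unescaped `NAME.*` shape is used for the numad, pacemaker and polipo unit files later in the patch. Dropping the /lib/systemd/system entry also relies on a path equivalence that is not visible in this hunk.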
@@ -50540,7 +114739,7 @@ index e80f8c0..3d17408 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 ntpd_unit_file_t:file read_file_perms;
-+	allow $1 ntpd_unit_file_t:service all_service_perms;
++	allow $1 ntpd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, ntpd_t)
 +')
@@ -50574,13 +114773,14 @@ index e80f8c0..3d17408 100644
  ##	All of the rules required to administrate
  ##	an ntp environment
  ## </summary>
-@@ -140,12 +201,14 @@ interface(`ntp_rw_shm',`
+@@ -140,12 +201,15 @@ interface(`ntp_rw_shm',`
  interface(`ntp_admin',`
  	gen_require(`
  		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
 -		type ntpd_key_t, ntpd_var_run_t;
 -		type ntpd_initrc_exec_t;
 +		type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
++		type ntpd_unit_file_t;
  	')
  
 -	allow $1 ntpd_t:process { ptrace signal_perms getattr };
@@ -50592,12 +114792,14 @@ index e80f8c0..3d17408 100644
  
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -162,4 +225,6 @@ interface(`ntp_admin',`
+@@ -162,4 +226,8 @@ interface(`ntp_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, ntpd_var_run_t)
 +
 +	ntp_systemctl($1)
++	admin_pattern($1, ntpd_unit_file_t)
++	allow $1 ntpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
 index c61adc8..09bb140 100644
@@ -50629,6 +114831,154 @@ index c61adc8..09bb140 100644
  
  auth_use_nsswitch(ntpd_t)
  
+diff --git a/policy/modules/services/numad.fc b/policy/modules/services/numad.fc
+new file mode 100644
+index 0000000..be6fcb0
+--- /dev/null
++++ b/policy/modules/services/numad.fc
+@@ -0,0 +1,7 @@
++/usr/bin/numad		--	gen_context(system_u:object_r:numad_exec_t,s0)
++
++/usr/lib/systemd/system/numad.*		--	gen_context(system_u:object_r:numad_unit_file_t,s0)
++
++/var/log/numad\.log  --  gen_context(system_u:object_r:numad_var_log_t,s0)
++
++/var/run/numad\.pid      --  gen_context(system_u:object_r:numad_var_run_t,s0)
+diff --git a/policy/modules/services/numad.if b/policy/modules/services/numad.if
+new file mode 100644
+index 0000000..77a3112
+--- /dev/null
++++ b/policy/modules/services/numad.if
+@@ -0,0 +1,78 @@
++
++## <summary>policy for numad</summary>
++
++########################################
++## <summary>
++##	Transition to numad.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`numad_domtrans',`
++	gen_require(`
++		type numad_t, numad_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, numad_exec_t, numad_t)
++')
++########################################
++## <summary>
++##	Execute numad server in the numad domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`numad_systemctl',`
++	gen_require(`
++		type numad_t;
++		type numad_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_read_fifo_file_passwd_run($1)
++	allow $1 numad_unit_file_t:file read_file_perms;
++	allow $1 numad_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, numad_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an numad environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`numad_admin',`
++	gen_require(`
++		type numad_t;
++		type numad_unit_file_t;
++	')
++
++	allow $1 numad_t:process { ptrace signal_perms };
++	ps_process_pattern($1, numad_t)
++
++	numad_systemctl($1)
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/policy/modules/services/numad.te b/policy/modules/services/numad.te
+new file mode 100644
+index 0000000..e18b767
+--- /dev/null
++++ b/policy/modules/services/numad.te
+@@ -0,0 +1,45 @@
++policy_module(numad, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type numad_t;
++type numad_exec_t;
++init_daemon_domain(numad_t, numad_exec_t)
++
++type numad_unit_file_t;
++systemd_unit_file(numad_unit_file_t)
++
++type numad_var_log_t;
++logging_log_file(numad_var_log_t)
++
++type numad_var_run_t;
++files_pid_file(numad_var_run_t)
++
++########################################
++#
++# numad local policy
++#
++
++allow numad_t self:process { fork };
++allow numad_t self:fifo_file rw_fifo_file_perms;
++allow numad_t self:msgq create_msgq_perms;
++allow numad_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
++logging_log_filetrans(numad_t, numad_var_log_t, { file })
++
++manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
++files_pid_filetrans(numad_t, numad_var_run_t, { file })
++
++kernel_read_system_state(numad_t)
++
++dev_read_sysfs(numad_t)
++
++domain_use_interactive_fds(numad_t)
++
++files_read_etc_files(numad_t)
++
++miscfiles_read_localization(numad_t)
 diff --git a/policy/modules/services/nut.fc b/policy/modules/services/nut.fc
 index 0a929ef..371119d 100644
 --- a/policy/modules/services/nut.fc
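Review bot: numad_systemctl grants `all_service_perms` on numad_unit_file_t, while this same patch narrows nscd_systemctl and ntp_systemctl to `manage_service_perms` and adds pacemaker_systemctl with the narrower set; the line should read `allow $1 numad_unit_file_t:service manage_service_perms;`, leaving the full set to numad_admin if it is wanted there. numad_admin also grants `ptrace` on numad_t unconditionally, as do openhpid_admin and pacemaker_admin further down, whereas the nscd_admin and ntp_admin hunks remove exactly that rule form. What replaces it there is not visible here, but if it is a block conditional on the `deny_ptrace` boolean, the new interfaces should use the same form so the boolean covers them too. The `role` parameter documented for numad_admin is never used in its body.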
@@ -50789,14 +115139,13 @@ index b4c5f86..0f1549d 100644
  	cron_system_entry(oav_update_t, oav_update_exec_t)
 diff --git a/policy/modules/services/obex.fc b/policy/modules/services/obex.fc
 new file mode 100644
-index 0000000..eebfda8
+index 0000000..7b31529
 --- /dev/null
 +++ b/policy/modules/services/obex.fc
-@@ -0,0 +1,4 @@
+@@ -0,0 +1,3 @@
 +
 +
 +/usr/bin/obex-data-server	--	gen_context(system_u:object_r:obex_exec_t,s0)
-+			
 diff --git a/policy/modules/services/obex.if b/policy/modules/services/obex.if
 new file mode 100644
 index 0000000..d3b9544
@@ -50882,10 +115231,10 @@ index 0000000..d3b9544
 +')
 diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
 new file mode 100644
-index 0000000..4a6f24c
+index 0000000..3689d8a
 --- /dev/null
 +++ b/policy/modules/services/obex.te
-@@ -0,0 +1,26 @@
+@@ -0,0 +1,30 @@
 +policy_module(obex,1.0.0) 
 +
 +########################################
@@ -50895,7 +115244,8 @@ index 0000000..4a6f24c
 +
 +type obex_t;
 +type obex_exec_t;
-+dbus_system_domain(obex_t, obex_exec_t)
++application_domain(obex_t, obex_exec_t)
++ubac_constrained(obex_t)
 +
 +########################################
 +#
@@ -50903,6 +115253,7 @@ index 0000000..4a6f24c
 +#
 +
 +allow obex_t self:fifo_file rw_fifo_file_perms;
++allow obex_t self:socket create_stream_socket_perms;
 +
 +dev_read_urand(obex_t)
 +
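Review bot: The added `allow obex_t self:socket create_stream_socket_perms;` uses the generic `socket` class, which SELinux applies to every address family that has no class of its own, so the grant is wider than the single protocol obex-data-server presumably needs. A one-line comment above it naming the family, e.g. `# generic socket class; presumably Bluetooth (no dedicated class) - confirm`, would tell the next maintainer when the rule can be narrowed. The pads.te hunk later in the patch adds `allow pads_t self:socket create_socket_perms;` with the same gap.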
@@ -50912,6 +115263,8 @@ index 0000000..4a6f24c
 +
 +miscfiles_read_localization(obex_t)
 +
++userdom_search_user_home_content(obex_t)
++
 diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc
 index bdf8c89..0132b08 100644
 --- a/policy/modules/services/oddjob.fc
@@ -50999,7 +115352,7 @@ index bd76ec2..ca6517b 100644
  ## <summary>
  ##	Execute a domain transition to run oddjob_mkhomedir.
 diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
-index cadfc63..c8f4d64 100644
+index cadfc63..e056e78 100644
 --- a/policy/modules/services/oddjob.te
 +++ b/policy/modules/services/oddjob.te
 @@ -7,7 +7,6 @@ policy_module(oddjob, 1.7.0)
@@ -51018,7 +115371,16 @@ index cadfc63..c8f4d64 100644
  domain_obj_id_change_exemption(oddjob_mkhomedir_t)
  init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
  oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
-@@ -99,8 +97,6 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
+@@ -53,6 +51,8 @@ selinux_compute_create_context(oddjob_t)
+ 
+ files_read_etc_files(oddjob_t)
+ 
++auth_use_nsswitch(oddjob_t)
++
+ miscfiles_read_localization(oddjob_t)
+ 
+ locallogin_dontaudit_use_fds(oddjob_t)
+@@ -99,8 +99,6 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
  
  # Add/remove user home directories
  userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
@@ -51206,6 +115568,244 @@ index 7f8fdc2..047d985 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(openct_t)
+diff --git a/policy/modules/services/openhpid.fc b/policy/modules/services/openhpid.fc
+new file mode 100644
+index 0000000..9441fd7
+--- /dev/null
++++ b/policy/modules/services/openhpid.fc
+@@ -0,0 +1,8 @@
++
++/etc/rc\.d/init\.d/openhpid	--	gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
++
++/usr/sbin/openhpid		--	gen_context(system_u:object_r:openhpid_exec_t,s0)
++
++/var/lib/openhpi(/.*)?		gen_context(system_u:object_r:openhpid_var_lib_t,s0)
++
++/var/run/openhpid\.pid	--	gen_context(system_u:object_r:openhpid_var_run_t,s0)
+diff --git a/policy/modules/services/openhpid.if b/policy/modules/services/openhpid.if
+new file mode 100644
+index 0000000..598789a
+--- /dev/null
++++ b/policy/modules/services/openhpid.if
+@@ -0,0 +1,159 @@
++
++## <summary>policy for openhpid</summary>
++
++
++########################################
++## <summary>
++##	Transition to openhpid.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`openhpid_domtrans',`
++	gen_require(`
++		type openhpid_t, openhpid_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, openhpid_exec_t, openhpid_t)
++')
++
++
++########################################
++## <summary>
++##	Execute openhpid server in the openhpid domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openhpid_initrc_domtrans',`
++	gen_require(`
++		type openhpid_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
++')
++
++
++########################################
++## <summary>
++##	Search openhpid lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openhpid_search_lib',`
++	gen_require(`
++		type openhpid_var_lib_t;
++	')
++
++	allow $1 openhpid_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read openhpid lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openhpid_read_lib_files',`
++	gen_require(`
++		type openhpid_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage openhpid lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openhpid_manage_lib_files',`
++	gen_require(`
++		type openhpid_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage openhpid lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openhpid_manage_lib_dirs',`
++	gen_require(`
++		type openhpid_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an openhpid environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`openhpid_admin',`
++	gen_require(`
++		type openhpid_t;
++	type openhpid_initrc_exec_t;
++	type openhpid_var_lib_t;
++	')
++
++	allow $1 openhpid_t:process { ptrace signal_perms };
++	ps_process_pattern($1, openhpid_t)
++
++	openhpid_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 openhpid_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_var_lib($1)
++	admin_pattern($1, openhpid_var_lib_t)
++
++
++
++')
++
+diff --git a/policy/modules/services/openhpid.te b/policy/modules/services/openhpid.te
+new file mode 100644
+index 0000000..faa9b16
+--- /dev/null
++++ b/policy/modules/services/openhpid.te
+@@ -0,0 +1,53 @@
++policy_module(openhpid, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type openhpid_t;
++type openhpid_exec_t;
++init_daemon_domain(openhpid_t, openhpid_exec_t)
++
++type openhpid_initrc_exec_t;
++init_script_file(openhpid_initrc_exec_t)
++
++type openhpid_var_lib_t;
++files_type(openhpid_var_lib_t)
++
++type openhpid_var_run_t;
++files_pid_file(openhpid_var_run_t)
++
++########################################
++#
++# openhpid local policy
++#
++
++allow openhpid_t self:capability { kill };
++allow openhpid_t self:process { fork signal };
++
++allow openhpid_t self:fifo_file rw_fifo_file_perms;
++allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
++allow openhpid_t self:unix_stream_socket create_stream_socket_perms;
++allow openhpid_t self:tcp_socket create_stream_socket_perms;
++allow openhpid_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
++manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
++files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file })
++
++manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
++files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file })
++
++corenet_tcp_bind_generic_node(openhpid_t)
++corenet_tcp_bind_openhpid_port(openhpid_t)
++
++domain_use_interactive_fds(openhpid_t)
++
++dev_read_urand(openhpid_t)
++
++files_read_etc_files(openhpid_t)
++
++logging_send_syslog_msg(openhpid_t)
++
++miscfiles_read_localization(openhpid_t)
 diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
 index d883214..d6afa87 100644
 --- a/policy/modules/services/openvpn.if
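Review bot: openhpid_admin does not cover openhpid_var_run_t, although openhpid.te declares that type and openhpid.fc labels /var/run/openhpid\.pid with it; the other admin interfaces touched by this patch (nscd_admin, ntp_admin, pacemaker_admin) all include their pid type. Add `type openhpid_var_run_t;` to the gen_require block and `files_search_pids($1)` followed by `admin_pattern($1, openhpid_var_run_t)` to the body. In the same gen_require the second and third `type` lines are indented one tab short of the first, and the three blank lines before the interface closes can go.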
@@ -51224,7 +115824,7 @@ index d883214..d6afa87 100644
  	init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index 8b550f4..117a7ac 100644
+index 8b550f4..6075d39 100644
 --- a/policy/modules/services/openvpn.te
 +++ b/policy/modules/services/openvpn.te
 @@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
@@ -51269,21 +115869,25 @@ index 8b550f4..117a7ac 100644
  allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
  
  can_exec(openvpn_t, openvpn_etc_t)
-@@ -58,9 +60,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+@@ -58,9 +60,15 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
  manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
  filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
  
+-allow openvpn_t openvpn_var_log_t:file manage_file_perms;
+-logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
 +manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
 +files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
 +
- allow openvpn_t openvpn_var_log_t:file manage_file_perms;
- logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
  
++manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
++manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
++logging_log_filetrans(openvpn_t, openvpn_var_log_t, { dir file })
++
 +manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
  manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
  files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
  
-@@ -68,6 +74,7 @@ kernel_read_kernel_sysctls(openvpn_t)
+@@ -68,6 +76,7 @@ kernel_read_kernel_sysctls(openvpn_t)
  kernel_read_net_sysctls(openvpn_t)
  kernel_read_network_state(openvpn_t)
  kernel_read_system_state(openvpn_t)
@@ -51291,7 +115895,7 @@ index 8b550f4..117a7ac 100644
  
  corecmd_exec_bin(openvpn_t)
  corecmd_exec_shell(openvpn_t)
-@@ -87,6 +94,7 @@ corenet_udp_bind_openvpn_port(openvpn_t)
+@@ -87,6 +96,7 @@ corenet_udp_bind_openvpn_port(openvpn_t)
  corenet_tcp_bind_http_port(openvpn_t)
  corenet_tcp_connect_openvpn_port(openvpn_t)
  corenet_tcp_connect_http_port(openvpn_t)
@@ -51299,8 +115903,12 @@ index 8b550f4..117a7ac 100644
  corenet_tcp_connect_http_cache_port(openvpn_t)
  corenet_rw_tun_tap_dev(openvpn_t)
  corenet_sendrecv_openvpn_server_packets(openvpn_t)
-@@ -102,6 +110,8 @@ files_read_etc_runtime_files(openvpn_t)
+@@ -100,33 +110,40 @@ dev_read_urand(openvpn_t)
+ files_read_etc_files(openvpn_t)
+ files_read_etc_runtime_files(openvpn_t)
  
++fs_getattr_xattr_fs(openvpn_t)
++
  auth_use_pam(openvpn_t)
  
 +init_read_utmp(openvpn_t)
@@ -51308,7 +115916,11 @@ index 8b550f4..117a7ac 100644
  logging_send_syslog_msg(openvpn_t)
  
  miscfiles_read_localization(openvpn_t)
-@@ -112,21 +122,23 @@ sysnet_exec_ifconfig(openvpn_t)
+ miscfiles_read_all_certs(openvpn_t)
+ 
+ sysnet_dns_name_resolve(openvpn_t)
++sysnet_use_ldap(openvpn_t)
+ sysnet_exec_ifconfig(openvpn_t)
  sysnet_manage_config(openvpn_t)
  sysnet_etc_filetrans_config(openvpn_t)
  
@@ -51340,7 +115952,7 @@ index 8b550f4..117a7ac 100644
  
  optional_policy(`
  	daemontools_service_domain(openvpn_t, openvpn_exec_t)
-@@ -138,3 +150,7 @@ optional_policy(`
+@@ -138,3 +155,7 @@ optional_policy(`
  
  	networkmanager_dbus_chat(openvpn_t)
  ')
@@ -51348,6 +115960,293 @@ index 8b550f4..117a7ac 100644
 +optional_policy(`
 +	unconfined_attach_tun_iface(openvpn_t)
 +')
+diff --git a/policy/modules/services/pacemaker.fc b/policy/modules/services/pacemaker.fc
+new file mode 100644
+index 0000000..4e915ab
+--- /dev/null
++++ b/policy/modules/services/pacemaker.fc
+@@ -0,0 +1,11 @@
++/etc/rc\.d/init\.d/pacemaker	--	gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/pacemaker.*	--	gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
++
++/usr/sbin/pacemakerd		--	gen_context(system_u:object_r:pacemaker_exec_t,s0)
++
++/var/lib/heartbeat/crm(/.*)?	gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
++
++/var/lib/pengine(/.*)?		gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
++
++/var/run/crm(/.*)?		gen_context(system_u:object_r:pacemaker_var_run_t,s0)
+diff --git a/policy/modules/services/pacemaker.if b/policy/modules/services/pacemaker.if
+new file mode 100644
+index 0000000..e05c78f
+--- /dev/null
++++ b/policy/modules/services/pacemaker.if
+@@ -0,0 +1,209 @@
++
++## <summary>policy for pacemaker</summary>
++
++########################################
++## <summary>
++##	Transition to pacemaker.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`pacemaker_domtrans',`
++	gen_require(`
++		type pacemaker_t, pacemaker_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, pacemaker_exec_t, pacemaker_t)
++')
++
++########################################
++## <summary>
++##	Execute pacemaker server in the pacemaker domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`pacemaker_initrc_domtrans',`
++	gen_require(`
++		type pacemaker_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	Search pacemaker lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`pacemaker_search_lib',`
++	gen_require(`
++		type pacemaker_var_lib_t;
++	')
++
++	allow $1 pacemaker_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read pacemaker lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`pacemaker_read_lib_files',`
++	gen_require(`
++		type pacemaker_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage pacemaker lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`pacemaker_manage_lib_files',`
++	gen_require(`
++		type pacemaker_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage pacemaker lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`pacemaker_manage_lib_dirs',`
++	gen_require(`
++		type pacemaker_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Read pacemaker PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`pacemaker_read_pid_files',`
++	gen_require(`
++		type pacemaker_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 pacemaker_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Execute pacemaker server in the pacemaker domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`pacemaker_systemctl',`
++	gen_require(`
++		type pacemaker_t;
++		type pacemaker_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_read_fifo_file_passwd_run($1)
++	allow $1 pacemaker_unit_file_t:file read_file_perms;
++	allow $1 pacemaker_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, pacemaker_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an pacemaker environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`pacemaker_admin',`
++	gen_require(`
++		type pacemaker_t;
++		type pacemaker_initrc_exec_t;
++		type pacemaker_var_lib_t;
++		type pacemaker_var_run_t;
++		type pacemaker_unit_file_t;
++	')
++
++	allow $1 pacemaker_t:process { ptrace signal_perms };
++	ps_process_pattern($1, pacemaker_t)
++
++	pacemaker_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 pacemaker_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_var_lib($1)
++	admin_pattern($1, pacemaker_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, pacemaker_var_run_t)
++
++	pacemaker_systemctl($1)
++	admin_pattern($1, pacemaker_unit_file_t)
++	allow $1 pacemaker_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
+new file mode 100644
+index 0000000..99ab306
+--- /dev/null
++++ b/policy/modules/services/pacemaker.te
+@@ -0,0 +1,49 @@
++policy_module(pacemaker, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type pacemaker_t;
++type pacemaker_exec_t;
++init_daemon_domain(pacemaker_t, pacemaker_exec_t)
++
++type pacemaker_initrc_exec_t;
++init_script_file(pacemaker_initrc_exec_t)
++
++type pacemaker_var_lib_t;
++files_type(pacemaker_var_lib_t)
++
++type pacemaker_var_run_t;
++files_pid_file(pacemaker_var_run_t)
++
++type pacemaker_unit_file_t;
++systemd_unit_file(pacemaker_unit_file_t)
++
++########################################
++#
++# pacemaker local policy
++#
++allow pacemaker_t self:capability { chown dac_override setuid };
++allow pacemaker_t self:process { fork setrlimit signal };
++allow pacemaker_t self:fifo_file rw_fifo_file_perms;
++allow pacemaker_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
++manage_files_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
++files_var_lib_filetrans(pacemaker_t, pacemaker_var_lib_t, { dir file })
++
++manage_dirs_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
++manage_files_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
++files_pid_filetrans(pacemaker_t, pacemaker_var_run_t, { dir file })
++
++domain_use_interactive_fds(pacemaker_t)
++
++files_read_etc_files(pacemaker_t)
++
++auth_use_nsswitch(pacemaker_t)
++
++logging_send_syslog_msg(pacemaker_t)
++
++miscfiles_read_localization(pacemaker_t)
 diff --git a/policy/modules/services/pads.fc b/policy/modules/services/pads.fc
 index 0870c56..6d5fb1d 100644
 --- a/policy/modules/services/pads.fc
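Review bot: pacemaker_read_pid_files allows only `file read_file_perms` on pacemaker_var_run_t, but pacemaker.fc labels the directory /var/run/crm and everything under it with that type, so a caller gets no search permission on the directory that holds the files. Replacing the bare allow with `read_files_pattern($1, pacemaker_var_run_t, pacemaker_var_run_t)` grants the directory search as well and matches pacemaker_read_lib_files earlier in the same file. Separately, pacemaker_t is given `dac_override` in pacemaker.te with no comment on which path needs it; a short why-comment there would help later tightening.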
@@ -51401,7 +116300,7 @@ index 8ac407e..45673ad 100644
  	admin_pattern($1, pads_config_t)
  ')
 diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te
-index b246bdd..07baada 100644
+index b246bdd..e6a686f 100644
 --- a/policy/modules/services/pads.te
 +++ b/policy/modules/services/pads.te
 @@ -1,4 +1,4 @@
@@ -51418,7 +116317,7 @@ index b246bdd..07baada 100644
  
  type pads_initrc_exec_t;
  init_script_file(pads_initrc_exec_t)
-@@ -25,10 +24,10 @@ files_pid_file(pads_var_run_t)
+@@ -25,10 +24,11 @@ files_pid_file(pads_var_run_t)
  #
  
  allow pads_t self:capability { dac_override net_raw };
@@ -51428,12 +116327,21 @@ index b246bdd..07baada 100644
 -allow pads_t self:unix_dgram_socket { write create connect };
 +allow pads_t self:netlink_route_socket create_netlink_socket_perms;
 +allow pads_t self:packet_socket create_socket_perms;
++allow pads_t self:socket create_socket_perms;
 +allow pads_t self:udp_socket create_socket_perms;
 +allow pads_t self:unix_dgram_socket create_socket_perms;
  
  allow pads_t pads_config_t:file manage_file_perms;
  files_etc_filetrans(pads_t, pads_config_t, file)
-@@ -48,6 +47,7 @@ corenet_tcp_connect_prelude_port(pads_t)
+@@ -37,6 +37,7 @@ allow pads_t pads_var_run_t:file manage_file_perms;
+ files_pid_filetrans(pads_t, pads_var_run_t, file)
+ 
+ kernel_read_sysctl(pads_t)
++kernel_read_network_state(pads_t)
+ 
+ corecmd_search_bin(pads_t)
+ 
+@@ -48,6 +49,7 @@ corenet_tcp_connect_prelude_port(pads_t)
  
  dev_read_rand(pads_t)
  dev_read_urand(pads_t)
@@ -52707,7 +117615,7 @@ index 48ff1e8..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
-index 1e7169d..9438cc4 100644
+index 1e7169d..67a2c44 100644
 --- a/policy/modules/services/policykit.te
 +++ b/policy/modules/services/policykit.te
 @@ -5,47 +5,69 @@ policy_module(policykit, 1.1.0)
@@ -52776,8 +117684,8 @@ index 1e7169d..9438cc4 100644
 -allow policykit_t self:capability { setgid setuid };
 -allow policykit_t self:process getattr;
 -allow policykit_t self:fifo_file rw_file_perms;
-+allow policykit_t self:capability { dac_override dac_read_search setgid setuid };
-+allow policykit_t self:process { getsched signal };
++allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
++allow policykit_t self:process { getsched setsched signal };
  allow policykit_t self:unix_dgram_socket create_socket_perms;
 -allow policykit_t self:unix_stream_socket create_stream_socket_perms;
 +allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
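Review bot: `sys_ptrace` is added to the `policykit_t` capability rule unconditionally, so it stays granted whatever the `deny_ptrace` boolean is set to, and the line has no comment on what needs it. If the need is only to inspect /proc entries of callers owned by other users (an assumption, not visible in this hunk), a comment should say so. Consider moving `sys_ptrace` out of the base rule into a block conditional on `deny_ptrace`. `sys_nice` and `setsched` arrive in the same edit and would each benefit from a one-line reason too.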
@@ -52995,10 +117903,10 @@ index 1e7169d..9438cc4 100644
 -
 diff --git a/policy/modules/services/polipo.fc b/policy/modules/services/polipo.fc
 new file mode 100644
-index 0000000..8a06f66
+index 0000000..11f77ee
 --- /dev/null
 +++ b/policy/modules/services/polipo.fc
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,16 @@
 +HOME_DIR/\.polipo	--	gen_context(system_u:object_r:polipo_config_home_t,s0)
 +HOME_DIR/\.polipo-cache(/.*)?	gen_context(system_u:object_r:polipo_cache_home_t,s0)
 +
@@ -53006,6 +117914,8 @@ index 0000000..8a06f66
 +
 +/etc/rc\.d/init\.d/polipo	--	gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
 +
++/usr/lib/systemd/system/polipo.*  --              gen_context(system_u:object_r:polipo_unit_file_t,s0)
++
 +/usr/bin/polipo	--	gen_context(system_u:object_r:polipo_exec_t,s0)
 +
 +/var/cache/polipo(/.*)?	gen_context(system_u:object_r:polipo_cache_t,s0)
@@ -53015,10 +117925,10 @@ index 0000000..8a06f66
 +/var/run/polipo(/.*)?	gen_context(system_u:object_r:polipo_pid_t,s0)
 diff --git a/policy/modules/services/polipo.if b/policy/modules/services/polipo.if
 new file mode 100644
-index 0000000..7dc2c0c
+index 0000000..d00f6ba
 --- /dev/null
 +++ b/policy/modules/services/polipo.if
-@@ -0,0 +1,191 @@
+@@ -0,0 +1,219 @@
 +## <summary>Caching web proxy.</summary>
 +
 +########################################
@@ -53167,6 +118077,29 @@ index 0000000..7dc2c0c
 +
 +########################################
 +## <summary>
++##	Execute polipo server in the polipo domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`polipo_systemctl',`
++	gen_require(`
++		type polipo_t;
++		type polipo_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 polipo_unit_file_t:file read_file_perms;
++	allow $1 polipo_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, polipo_t)
++')
++
++########################################
++## <summary>
 +##	Administrate an polipo environment.
 +## </summary>
 +## <param name="domain">
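Review bot: The doc block of the new `polipo_systemctl` interface describes a different operation from the one it performs. Its summary reads "Execute polipo server in the polipo domain" and its parameter "Domain allowed to transition", but the body grants no domain transition: it calls `systemd_exec_systemctl($1)` and allows read on `polipo_unit_file_t` files plus `manage_service_perms` on the service. A summary such as `##	Execute systemctl and manage the polipo service unit.` with the parameter described as `##	Domain allowed access.` would match the rules. `quantum_systemctl`, added further down in this patch, carries the same copied wording and needs the same correction.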
@@ -53185,6 +118118,7 @@ index 0000000..7dc2c0c
 +	gen_require(`
 +		type polipo_t, polipo_pid_t, polipo_cache_t;
 +		type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
++		type polipo_unit_file_t;
 +	')
 +
 +	allow $1 polipo_t:process signal_perms;
@@ -53209,13 +118143,17 @@ index 0000000..7dc2c0c
 +
 +	files_list_pids($1)
 +	admin_pattern($1, polipo_pid_t)
++
++	polipo_systemctl($1)
++	admin_pattern($1, polipo_unit_file_t)
++	allow $1 polipo_unit_file_t:service all_service_perms;
 +')
 diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
 new file mode 100644
-index 0000000..87e8372
+index 0000000..c08cddc
 --- /dev/null
 +++ b/policy/modules/services/polipo.te
-@@ -0,0 +1,160 @@
+@@ -0,0 +1,171 @@
 +policy_module(polipo, 1.0.0)
 +
 +########################################
@@ -53302,6 +118240,9 @@ index 0000000..87e8372
 +type polipo_cache_home_t;
 +userdom_user_home_content(polipo_cache_home_t)
 +
++type polipo_unit_file_t;
++systemd_unit_file(polipo_unit_file_t)
++
 +########################################
 +#
 +# Global local policy
@@ -53333,15 +118274,23 @@ index 0000000..87e8372
 +read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
 +
 +manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
++manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
++files_var_filetrans(polipo_t, polipo_cache_t, dir)
 +
-+append_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
++manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
++logging_log_filetrans(polipo_t, polipo_log_t, file)
 +
 +manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
++files_pid_filetrans(polipo_t, polipo_pid_t, file)
 +
 +auth_use_nsswitch(polipo_t)
 +
 +logging_send_syslog_msg(polipo_t)
 +
++optional_policy(`
++	cron_system_entry(polipo_t, polipo_exec_t)
++')
++
 +tunable_policy(`polipo_connect_all_unreserved',`
 +    corenet_tcp_connect_all_unreserved_ports(polipo_t)
 +')
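Review bot: Replacing `append_files_pattern(polipo_t, polipo_log_t, polipo_log_t)` with `manage_files_pattern` lets the proxy truncate, rewrite and delete its own logs. That gives up the append-only property which keeps earlier entries intact if the daemon misbehaves or is compromised. If the aim was only to let polipo create the log file that `logging_log_filetrans` now labels, `create_files_pattern(polipo_t, polipo_log_t, polipo_log_t)` together with the original `append_files_pattern` line should be enough; procmail's log rules elsewhere in this patch use that pair. If polipo really rotates its own logs, a comment saying so would justify the wider grant.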
@@ -54013,7 +118962,7 @@ index 46bee12..99499ef 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..e92a85d 100644
+index a32c4b3..f278544 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -5,6 +5,15 @@ policy_module(postfix, 1.12.1)
@@ -54377,7 +119326,17 @@ index a32c4b3..e92a85d 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -588,10 +673,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -581,17 +666,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+ corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+ 
+ # for prng_exch
+-allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
++manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
++manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
++manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
+ allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
+ 
+ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
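Review bot: The unchanged comment `# for prng_exch` no longer explains the rules beneath it. `postfix_smtpd_t` goes from `rw_file_perms` on `postfix_spool_t` files to full manage rights on spool directories, files and symlinks, so the SMTP-facing domain can now create, rename and delete queue entries and links. Please document what smtpd has to create in the spool and drop whichever of the three patterns is not required; `manage_lnk_files_pattern` in particular needs a stated reason. Access to prng_exch itself is already covered by the separate `postfix_prng_t` rule that follows.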
@@ -54394,7 +119353,7 @@ index a32c4b3..e92a85d 100644
  ')
  
  optional_policy(`
-@@ -599,6 +690,12 @@ optional_policy(`
+@@ -599,6 +692,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54407,7 +119366,7 @@ index a32c4b3..e92a85d 100644
  	postgrey_stream_connect(postfix_smtpd_t)
  ')
  
-@@ -611,7 +708,6 @@ optional_policy(`
+@@ -611,7 +710,6 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -54415,7 +119374,7 @@ index a32c4b3..e92a85d 100644
  allow postfix_virtual_t self:process { setsched setrlimit };
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +726,75 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +728,75 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -54536,7 +119495,7 @@ index 7257526..7d73656 100644
  manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
  files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
 diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
-index f03fad4..1865d8f 100644
+index f03fad4..df9f22b 100644
 --- a/policy/modules/services/postgresql.fc
 +++ b/policy/modules/services/postgresql.fc
 @@ -11,9 +11,9 @@
@@ -54552,6 +119511,24 @@ index f03fad4..1865d8f 100644
  
  ifdef(`distro_debian', `
  /usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+@@ -28,9 +28,9 @@ ifdef(`distro_redhat', `
+ #
+ /var/lib/postgres(ql)?(/.*)? 		gen_context(system_u:object_r:postgresql_db_t,s0)
+ 
+-/var/lib/pgsql/data(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
++/var/lib/pgsql(/.*)?			gen_context(system_u:object_r:postgresql_db_t,s0)
+ /var/lib/pgsql/logfile(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
+-/var/lib/pgsql/pgstartup\.log		gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/.*\.log			gen_context(system_u:object_r:postgresql_log_t,s0)
+ 
+ /var/lib/sepgsql(/.*)?			gen_context(system_u:object_r:postgresql_db_t,s0)
+ /var/lib/sepgsql/pgstartup\.log	--	gen_context(system_u:object_r:postgresql_log_t,s0)
+@@ -45,4 +45,4 @@ ifdef(`distro_redhat', `
+ 
+ /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
+ 
+-/var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
++#/var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
 diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
 index 09aeffa..e66adbd 100644
 --- a/policy/modules/services/postgresql.if
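Review bot: The new entry `/var/lib/pgsql/.*\.log` has no file-type field, and `.*` also matches `/`. Any object under /var/lib/pgsql whose path ends in `.log`, at any depth and including directories, is therefore labelled `postgresql_log_t`, now that the whole tree is `postgresql_db_t`. Restricting it to regular files, as the sepgsql entry below does, would read `/var/lib/pgsql/.*\.log	--	gen_context(system_u:object_r:postgresql_log_t,s0)`; use `[^/]*\.log` if only top-level logs are meant. The `/var/run/postmaster.*` entry is commented out rather than removed, so either delete it or add a comment saying why it is kept.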
@@ -54737,7 +119714,7 @@ index 09aeffa..e66adbd 100644
  
  	postgresql_tcp_connect($1)
 diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 4a5387a..6a6dd0e 100644
+index 4a5387a..3124e96 100644
 --- a/policy/modules/services/postgresql.te
 +++ b/policy/modules/services/postgresql.te
 @@ -19,16 +19,16 @@ gen_require(`
@@ -54763,6 +119740,15 @@ index 4a5387a..6a6dd0e 100644
  ## </desc>
  gen_tunable(sepgsql_unconfined_dbadm, true)
  
+@@ -205,7 +205,7 @@ allow postgresql_t self:shm create_shm_perms;
+ allow postgresql_t self:tcp_socket create_stream_socket_perms;
+ allow postgresql_t self:udp_socket create_stream_socket_perms;
+ allow postgresql_t self:unix_dgram_socket create_socket_perms;
+-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
++allow postgresql_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow postgresql_t self:netlink_selinux_socket create_socket_perms;
+ 
+ allow postgresql_t sepgsql_database_type:db_database *;
 @@ -241,7 +241,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
  read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
  read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
@@ -54848,15 +119834,13 @@ index db843e2..4389e81 100644
  type postgrey_var_lib_t;
  files_type(postgrey_var_lib_t)
 diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
-index 2d82c6d..fdee468 100644
+index 2d82c6d..ff2c96a 100644
 --- a/policy/modules/services/ppp.fc
 +++ b/policy/modules/services/ppp.fc
-@@ -11,19 +11,26 @@
+@@ -11,19 +11,24 @@
  # Fix /etc/ppp {up,down} family scripts (see man pppd)
  /etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
  
-+/lib/systemd/system/ppp.*	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
 +/usr/lib/systemd/system/ppp.*	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
 +
  /root/.ppprc			--	gen_context(system_u:object_r:pppd_etc_t,s0)
@@ -54880,7 +119864,7 @@ index 2d82c6d..fdee468 100644
  
  #
  # /var
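Review bot: The surviving `/usr/lib/systemd/system/ppp.*` entry still labels the ppp unit files `iptables_unit_file_t`, while `ppp_systemctl` and `ppp_admin` in ppp.if grant access on `pppd_unit_file_t`. This hunk removes the duplicate /lib line but leaves that label as it was. Unless the label is intentional, the ppp.if rules never apply to the installed unit files, and whatever is allowed to manage iptables units also manages the ppp ones. The entry should probably read `/usr/lib/systemd/system/ppp.*	--	gen_context(system_u:object_r:pppd_unit_file_t,s0)`.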
-@@ -34,5 +41,7 @@
+@@ -34,5 +39,7 @@
  # Fix pptp sockets
  /var/run/pptp(/.*)?			gen_context(system_u:object_r:pptp_var_run_t,s0)
  
@@ -54890,7 +119874,7 @@ index 2d82c6d..fdee468 100644
 -/var/log/ppp/.*			--	gen_context(system_u:object_r:pppd_log_t,s0)
 +/var/log/ppp(/.*)?	gen_context(system_u:object_r:pppd_log_t,s0)
 diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
-index b524673..3089841 100644
+index b524673..1cca3d2 100644
 --- a/policy/modules/services/ppp.if
 +++ b/policy/modules/services/ppp.if
 @@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
@@ -54949,7 +119933,7 @@ index b524673..3089841 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 pppd_unit_file_t:file read_file_perms;
-+	allow $1 pppd_unit_file_t:service all_service_perms;
++	allow $1 pppd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, pppd_t)
 +')
@@ -54959,7 +119943,7 @@ index b524673..3089841 100644
  ##	All of the rules required to administrate
  ##	an ppp environment
  ## </summary>
-@@ -348,20 +371,30 @@ interface(`ppp_initrc_domtrans',`
+@@ -348,20 +371,31 @@ interface(`ppp_initrc_domtrans',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -54980,6 +119964,7 @@ index b524673..3089841 100644
  		type pptp_t, pptp_log_t, pptp_var_run_t;
 - 		type pppd_initrc_exec_t;
 +		type pppd_initrc_exec_t, pppd_etc_rw_t;
++		type pppd_unit_file_t;
  	')
  
 -	allow $1 pppd_t:process { ptrace signal_perms getattr };
@@ -54995,7 +119980,7 @@ index b524673..3089841 100644
  
  	ppp_initrc_domtrans($1)
  	domain_system_change_exemption($1)
-@@ -374,6 +407,7 @@ interface(`ppp_admin',`
+@@ -374,6 +408,7 @@ interface(`ppp_admin',`
  	logging_list_logs($1)
  	admin_pattern($1, pppd_log_t)
  
@@ -55003,7 +119988,7 @@ index b524673..3089841 100644
  	admin_pattern($1, pppd_lock_t)
  
  	files_list_etc($1)
-@@ -386,10 +420,9 @@ interface(`ppp_admin',`
+@@ -386,10 +421,11 @@ interface(`ppp_admin',`
  	files_list_pids($1)
  	admin_pattern($1, pppd_var_run_t)
  
@@ -55015,9 +120000,11 @@ index b524673..3089841 100644
  	admin_pattern($1, pptp_var_run_t)
 +
 +	ppp_systemctl($1)
++	admin_pattern($1, pppd_unit_file_t)
++	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..20f5d6b 100644
+index 2af42e7..2a05225 100644
 --- a/policy/modules/services/ppp.te
 +++ b/policy/modules/services/ppp.te
 @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -55101,7 +120088,7 @@ index 2af42e7..20f5d6b 100644
  
  allow pppd_t pptp_t:process signal;
  
-@@ -143,6 +147,7 @@ fs_getattr_all_fs(pppd_t)
+@@ -143,10 +147,12 @@ fs_getattr_all_fs(pppd_t)
  fs_search_auto_mountpoints(pppd_t)
  
  term_use_unallocated_ttys(pppd_t)
@@ -55109,7 +120096,12 @@ index 2af42e7..20f5d6b 100644
  term_setattr_unallocated_ttys(pppd_t)
  term_ioctl_generic_ptys(pppd_t)
  # for pppoe
-@@ -166,6 +171,8 @@ init_dontaudit_write_utmp(pppd_t)
+ term_create_pty(pppd_t, pppd_devpts_t)
++term_use_generic_ptys(pppd_t)
+ 
+ # allow running ip-up and ip-down scripts and running chat.
+ corecmd_exec_bin(pppd_t)
+@@ -166,6 +172,8 @@ init_dontaudit_write_utmp(pppd_t)
  init_signal_script(pppd_t)
  
  auth_use_nsswitch(pppd_t)
@@ -55118,7 +120110,7 @@ index 2af42e7..20f5d6b 100644
  
  logging_send_syslog_msg(pppd_t)
  logging_send_audit_msgs(pppd_t)
-@@ -176,7 +183,7 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -176,9 +184,10 @@ sysnet_exec_ifconfig(pppd_t)
  sysnet_manage_config(pppd_t)
  sysnet_etc_filetrans_config(pppd_t)
  
@@ -55126,12 +120118,21 @@ index 2af42e7..20f5d6b 100644
 +userdom_use_inherited_user_terminals(pppd_t)
  userdom_dontaudit_use_unpriv_user_fds(pppd_t)
  userdom_search_user_home_dirs(pppd_t)
++userdom_search_admin_dir(pppd_t)
+ 
+ ppp_exec(pppd_t)
  
-@@ -187,13 +194,15 @@ optional_policy(`
+@@ -187,13 +196,21 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
++	l2tpd_dgram_send(pppd_t)
++	l2tpd_rw_socket(pppd_t)
++	l2tpd_stream_connect(pppd_t)
++')
++
++optional_policy(`
 +	tunable_policy(`pppd_can_insmod',`
  		modutils_domtrans_insmod_uncond(pppd_t)
  	')
@@ -55144,7 +120145,7 @@ index 2af42e7..20f5d6b 100644
  ')
  
  optional_policy(`
-@@ -243,14 +252,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +260,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
  allow pptp_t pptp_log_t:file manage_file_perms;
  logging_log_filetrans(pptp_t, pptp_log_t, file)
  
@@ -55164,7 +120165,7 @@ index 2af42e7..20f5d6b 100644
  
  dev_read_sysfs(pptp_t)
  
-@@ -265,9 +278,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
+@@ -265,9 +286,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
  corenet_raw_sendrecv_generic_node(pptp_t)
  corenet_tcp_sendrecv_all_ports(pptp_t)
  corenet_tcp_bind_generic_node(pptp_t)
@@ -55441,7 +120442,7 @@ index b64b02f..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
 +')
 diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..df6c236 100644
+index 29b9295..624afe6 100644
 --- a/policy/modules/services/procmail.te
 +++ b/policy/modules/services/procmail.te
 @@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -55463,7 +120464,15 @@ index 29b9295..df6c236 100644
  create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
  append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
  read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -75,10 +78,20 @@ files_search_pids(procmail_t)
+@@ -67,7 +70,6 @@ auth_use_nsswitch(procmail_t)
+ 
+ corecmd_exec_bin(procmail_t)
+ corecmd_exec_shell(procmail_t)
+-corecmd_read_bin_symlinks(procmail_t)
+ 
+ files_read_etc_files(procmail_t)
+ files_read_etc_runtime_files(procmail_t)
+@@ -75,10 +77,20 @@ files_search_pids(procmail_t)
  # for spamassasin
  files_read_usr_files(procmail_t)
  
@@ -55484,7 +120493,7 @@ index 29b9295..df6c236 100644
  # only works until we define a different type for maildir
  userdom_manage_user_home_content_dirs(procmail_t)
  userdom_manage_user_home_content_files(procmail_t)
-@@ -87,8 +100,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
+@@ -87,8 +99,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
  userdom_manage_user_home_content_sockets(procmail_t)
  userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
  
@@ -55495,7 +120504,7 @@ index 29b9295..df6c236 100644
  
  mta_manage_spool(procmail_t)
  mta_read_queue(procmail_t)
-@@ -97,21 +110,16 @@ ifdef(`hide_broken_symptoms',`
+@@ -97,21 +109,19 @@ ifdef(`hide_broken_symptoms',`
  	mta_dontaudit_rw_queue(procmail_t)
  ')
  
@@ -55503,27 +120512,29 @@ index 29b9295..df6c236 100644
 -	fs_manage_nfs_dirs(procmail_t)
 -	fs_manage_nfs_files(procmail_t)
 -	fs_manage_nfs_symlinks(procmail_t)
--')
--
++userdom_home_manager(procmail_t)
++
++optional_policy(`
++	clamav_domtrans_clamscan(procmail_t)
++	clamav_search_lib(procmail_t)
+ ')
+ 
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(procmail_t)
 -	fs_manage_cifs_files(procmail_t)
 -	fs_manage_cifs_symlinks(procmail_t)
--')
-+userdom_home_manager(procmail_t)
++optional_policy(`
++	cyrus_stream_connect(procmail_t)
+ ')
  
  optional_policy(`
- 	clamav_domtrans_clamscan(procmail_t)
- 	clamav_search_lib(procmail_t)
-+	cyrus_stream_connect(procmail_t)
-+')
-+
-+optional_policy(`
+-	clamav_domtrans_clamscan(procmail_t)
+-	clamav_search_lib(procmail_t)
 +	gnome_manage_data(procmail_t)
  ')
  
  optional_policy(`
-@@ -125,6 +133,11 @@ optional_policy(`
+@@ -125,6 +135,11 @@ optional_policy(`
  	postfix_read_spool_files(procmail_t)
  	postfix_read_local_state(procmail_t)
  	postfix_read_master_state(procmail_t)
@@ -57019,7 +122030,7 @@ index 5a9630c..bedca3a 100644
 +	manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
  ')
 diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te
-index cb7ecb5..2b3f6f9 100644
+index cb7ecb5..52cb067 100644
 --- a/policy/modules/services/qpid.te
 +++ b/policy/modules/services/qpid.te
 @@ -12,12 +12,15 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
@@ -57040,7 +122051,7 @@ index cb7ecb5..2b3f6f9 100644
  ########################################
  #
  # qpidd local policy
-@@ -30,27 +33,35 @@ allow qpidd_t self:shm create_shm_perms;
+@@ -30,27 +33,36 @@ allow qpidd_t self:shm create_shm_perms;
  allow qpidd_t self:tcp_socket create_stream_socket_perms;
  allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -57072,6 +122083,7 @@ index cb7ecb5..2b3f6f9 100644
  corenet_tcp_bind_amqp_port(qpidd_t)
 +corenet_tcp_bind_matahari_port(qpidd_t)
 +corenet_tcp_connect_amqp_port(qpidd_t)
++corenet_tcp_connect_matahari_port(qpidd_t)
  
 +dev_read_sysfs(qpidd_t)
  dev_read_urand(qpidd_t)
@@ -57081,7 +122093,7 @@ index cb7ecb5..2b3f6f9 100644
  
  logging_send_syslog_msg(qpidd_t)
  
-@@ -61,3 +72,8 @@ sysnet_dns_name_resolve(qpidd_t)
+@@ -61,3 +73,8 @@ sysnet_dns_name_resolve(qpidd_t)
  optional_policy(`
  	corosync_stream_connect(qpidd_t)
  ')
@@ -57090,6 +122102,341 @@ index cb7ecb5..2b3f6f9 100644
 +	matahari_manage_lib_files(qpidd_t)
 +	matahari_manage_pid_files(qpidd_t)
 +')
+diff --git a/policy/modules/services/quantum.fc b/policy/modules/services/quantum.fc
+new file mode 100644
+index 0000000..9108437
+--- /dev/null
++++ b/policy/modules/services/quantum.fc
+@@ -0,0 +1,10 @@
++/usr/bin/quantum-server			--	gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/quantum-openvswitch-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/quantum-linuxbridge-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/quantum-ryu-agent		--	gen_context(system_u:object_r:quantum_exec_t,s0)
++
++/usr/lib/systemd/system/quantum.*	--	gen_context(system_u:object_r:quantum_unit_file_t,s0)
++
++/var/lib/quantum(/.*)?		gen_context(system_u:object_r:quantum_var_lib_t,s0)
++
++/var/log/quantum(/.*)?		gen_context(system_u:object_r:quantum_log_t,s0)
+diff --git a/policy/modules/services/quantum.if b/policy/modules/services/quantum.if
+new file mode 100644
+index 0000000..89e4bc5
+--- /dev/null
++++ b/policy/modules/services/quantum.if
+@@ -0,0 +1,224 @@
++## <summary>Quantum is a virtual network service for Openstack</summary>
++
++########################################
++## <summary>
++##	Transition to quantum.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`quantum_domtrans',`
++	gen_require(`
++		type quantum_t, quantum_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, quantum_exec_t, quantum_t)
++')
++
++########################################
++## <summary>
++##	Read quantum's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`quantum_read_log',`
++	gen_require(`
++		type quantum_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, quantum_log_t, quantum_log_t)
++')
++
++########################################
++## <summary>
++##	Append to quantum log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`quantum_append_log',`
++	gen_require(`
++		type quantum_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, quantum_log_t, quantum_log_t)
++')
++
++########################################
++## <summary>
++##	Manage quantum log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`quantum_manage_log',`
++	gen_require(`
++		type quantum_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, quantum_log_t, quantum_log_t)
++	manage_files_pattern($1, quantum_log_t, quantum_log_t)
++	manage_lnk_files_pattern($1, quantum_log_t, quantum_log_t)
++')
++
++########################################
++## <summary>
++##	Search quantum lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`quantum_search_lib',`
++	gen_require(`
++		type quantum_var_lib_t;
++	')
++
++	allow $1 quantum_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read quantum lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`quantum_read_lib_files',`
++	gen_require(`
++		type quantum_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage quantum lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`quantum_manage_lib_files',`
++	gen_require(`
++		type quantum_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage quantum lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`quantum_manage_lib_dirs',`
++	gen_require(`
++		type quantum_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, quantum_var_lib_t, quantum_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Execute quantum server in the quantum domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`quantum_systemctl',`
++	gen_require(`
++		type quantum_t;
++		type quantum_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	systemd_read_fifo_file_passwd_run($1)
++	allow $1 quantum_unit_file_t:file read_file_perms;
++	allow $1 quantum_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, quantum_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an quantum environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`quantum_admin',`
++	gen_require(`
++		type quantum_t;
++		type quantum_log_t;
++		type quantum_var_lib_t;
++		type quantum_unit_file_t;
++	')
++
++	allow $1 quantum_t:process { ptrace signal_perms };
++	ps_process_pattern($1, quantum_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, quantum_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, quantum_var_lib_t)
++
++	quantum_systemctl($1)
++	admin_pattern($1, quantum_unit_file_t)
++	allow $1 quantum_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/policy/modules/services/quantum.te b/policy/modules/services/quantum.te
+new file mode 100644
+index 0000000..616ed06
+--- /dev/null
++++ b/policy/modules/services/quantum.te
+@@ -0,0 +1,83 @@
++policy_module(quantum, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type quantum_t;
++type quantum_exec_t;
++init_daemon_domain(quantum_t, quantum_exec_t)
++
++type quantum_log_t;
++logging_log_file(quantum_log_t)
++
++type quantum_tmp_t;
++files_tmp_file(quantum_tmp_t)
++
++type quantum_var_lib_t;
++files_type(quantum_var_lib_t)
++
++type quantum_unit_file_t;
++systemd_unit_file(quantum_unit_file_t)
++
++########################################
++#
++# quantum local policy
++#
++allow quantum_t self:capability { setuid sys_resource setgid audit_write };
++allow quantum_t self:process { setsched setrlimit };
++allow quantum_t self:key manage_key_perms;
++
++allow quantum_t self:fifo_file rw_fifo_file_perms;
++allow quantum_t self:unix_stream_socket create_stream_socket_perms;
++allow quantum_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
++manage_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
++logging_log_filetrans(quantum_t, quantum_log_t, { dir file })
++
++manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
++files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
++can_exec(quantum_t, quantum_tmp_t)
++
++manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
++manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
++files_var_lib_filetrans(quantum_t, quantum_var_lib_t, { dir file })
++
++kernel_read_kernel_sysctls(quantum_t)
++kernel_read_system_state(quantum_t)
++
++corecmd_exec_shell(quantum_t)
++corecmd_exec_bin(quantum_t)
++
++corenet_tcp_bind_generic_node(quantum_t)
++corenet_tcp_bind_quantum_port(quantum_t)
++corenet_tcp_connect_mysqld_port(quantum_t)
++
++dev_read_urand(quantum_t)
++dev_list_sysfs(quantum_t)
++
++domain_use_interactive_fds(quantum_t)
++
++files_read_etc_files(quantum_t)
++files_read_usr_files(quantum_t)
++
++auth_use_nsswitch(quantum_t)
++
++libs_exec_ldconfig(quantum_t)
++
++logging_send_audit_msgs(quantum_t)
++logging_send_syslog_msg(quantum_t)
++
++miscfiles_read_localization(quantum_t)
++
++sysnet_domtrans_ifconfig(quantum_t)
++
++optional_policy(`
++	brctl_domtrans(quantum_t)
++')
++
++optional_policy(`
++	sudo_exec(quantum_t)
++')
 diff --git a/policy/modules/services/rabbitmq.fc b/policy/modules/services/rabbitmq.fc
 new file mode 100644
 index 0000000..594c110
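Review bot: `quantum_admin` grants `ptrace` on `quantum_t` in an unconditional rule, `allow $1 quantum_t:process { ptrace signal_perms };`, so the `deny_ptrace` boolean cannot switch it off; `polipo_admin` in this same patch allows only `signal_perms`. Moving `ptrace` into a block conditional on `deny_ptrace`, as sketched below, would make the admin interface follow that boolean. Separately, quantum.te lets `quantum_t` both manage and execute `quantum_tmp_t` files through `can_exec(quantum_t, quantum_tmp_t)`. That write-then-execute path on temporary files needs a comment naming the component that requires it.

```selinux
interface(`quantum_admin',`
	# ... unchanged: gen_require block ...

	allow $1 quantum_t:process signal_perms;
	# ptrace is only allowed while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 quantum_t:process ptrace;
	')
	ps_process_pattern($1, quantum_t)
	# ... unchanged: log, lib and unit-file admin rules ...
```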
@@ -57240,7 +122587,7 @@ index 75e5dc4..87d75fe 100644
  	init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
-index b1ed1bf..124971d 100644
+index b1ed1bf..4719120 100644
 --- a/policy/modules/services/radius.te
 +++ b/policy/modules/services/radius.te
 @@ -62,6 +62,7 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
@@ -57259,6 +122606,15 @@ index b1ed1bf..124971d 100644
  corenet_tcp_connect_mysqld_port(radiusd_t)
  corenet_tcp_connect_snmp_port(radiusd_t)
  corenet_sendrecv_radius_server_packets(radiusd_t)
+@@ -113,6 +115,8 @@ logging_send_syslog_msg(radiusd_t)
+ miscfiles_read_localization(radiusd_t)
+ miscfiles_read_generic_certs(radiusd_t)
+ 
++sysnet_use_ldap(radiusd_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
+ userdom_dontaudit_search_user_home_dirs(radiusd_t)
+ 
 diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
 index be05bff..7b00e1e 100644
 --- a/policy/modules/services/radvd.if
@@ -57283,14 +122639,24 @@ index be05bff..7b00e1e 100644
  	init_labeled_script_domtrans($1, radvd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc
-index 1efba0c..71d657c 100644
+index 1efba0c..bfda924 100644
 --- a/policy/modules/services/razor.fc
 +++ b/policy/modules/services/razor.fc
-@@ -1,3 +1,4 @@
-+/root/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
- HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
+@@ -1,8 +1,9 @@
+-HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
++#/root/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
++#HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
  
- /etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
+-/etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
++#/etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
+ 
+-/usr/bin/razor.*	--	gen_context(system_u:object_r:razor_exec_t,s0)
++#/usr/bin/razor.*	--	gen_context(system_u:object_r:razor_exec_t,s0)
+ 
+-/var/lib/razor(/.*)?		gen_context(system_u:object_r:razor_var_lib_t,s0)
+-/var/log/razor-agent\.log --	gen_context(system_u:object_r:razor_log_t,s0)
++#/var/lib/razor(/.*)?		gen_context(system_u:object_r:razor_var_lib_t,s0)
++#/var/log/razor-agent\.log --	gen_context(system_u:object_r:razor_log_t,s0)
 diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
 index f04a595..d6a6e1a 100644
 --- a/policy/modules/services/razor.if
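Review bot: Every file-context entry in razor.fc is commented out here with no explanation, so after this change the module labels nothing. `/usr/bin/razor.*` no longer gets `razor_exec_t`, and the home, etc, lib and log paths fall back to whatever other entries match. If the labelling has moved to another module (not visible in this hunk), delete the lines and leave a one-line pointer such as `# razor file contexts are defined in <module>.fc`. If it has not moved, transitions keyed on `razor_exec_t` would presumably stop triggering without any error. Commented-out entries are also easy to mistake for live ones in a later merge.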
@@ -58265,7 +123631,7 @@ index de37806..3e870b7 100644
 +	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
 diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
-index 93c896a..407bb05 100644
+index 93c896a..a99868e 100644
 --- a/policy/modules/services/rhcs.te
 +++ b/policy/modules/services/rhcs.te
 @@ -6,13 +6,22 @@ policy_module(rhcs, 1.1.0)
@@ -58345,7 +123711,7 @@ index 93c896a..407bb05 100644
  
  can_exec(fenced_t, fenced_exec_t)
  
-@@ -82,8 +95,13 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -82,13 +95,19 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -58359,7 +123725,21 @@ index 93c896a..407bb05 100644
  corenet_tcp_connect_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
-@@ -105,8 +123,24 @@ tunable_policy(`fenced_can_network_connect',`
+ dev_read_urand(fenced_t)
+ 
++files_read_usr_files(fenced_t)
+ files_read_usr_symlinks(fenced_t)
+ 
+ storage_raw_read_fixed_disk(fenced_t)
+@@ -97,6 +116,7 @@ storage_raw_read_removable_device(fenced_t)
+ 
+ term_getattr_pty_fs(fenced_t)
+ term_use_ptmx(fenced_t)
++term_use_generic_ptys(fenced_t)
+ 
+ auth_use_nsswitch(fenced_t)
+ 
+@@ -105,8 +125,28 @@ tunable_policy(`fenced_can_network_connect',`
  ')
  
  optional_policy(`
@@ -58382,13 +123762,23 @@ index 93c896a..407bb05 100644
 +optional_policy(`
  	ccs_read_config(fenced_t)
 -	ccs_stream_connect(fenced_t)
++')
++
++optional_policy(`
++	gnome_read_generic_data_home_files(fenced_t)
  ')
  
  optional_policy(`
-@@ -114,13 +148,37 @@ optional_policy(`
+@@ -114,13 +154,43 @@ optional_policy(`
  	lvm_read_config(fenced_t)
  ')
  
++optional_policy(`
++	snmp_manage_var_lib_files(fenced_t)
++	snmp_manage_var_lib_dirs(fenced_t)
++')
++
++
 +#######################################
 +#
 +# foghorn local policy
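Review bot: The new optional_policy blocks for `gnome_read_generic_data_home_files(fenced_t)` and `snmp_manage_var_lib_files`/`snmp_manage_var_lib_dirs(fenced_t)` carry no comment saying which fence agent needs them. fenced_t already has `storage_raw_read_fixed_disk`, so each extra grant on user data or another service's state directory deserves a stated reason. I would add a one-line why-comment above each block, for example `# required by <fence agent>; see <bug reference>`. If the agent only reads the SNMP state, a read-only interface would presumably be enough; confirm against the denials that prompted the rule.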
@@ -58424,7 +123814,7 @@ index 93c896a..407bb05 100644
  allow gfs_controld_t self:shm create_shm_perms;
  allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
  
-@@ -139,10 +197,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +209,6 @@ storage_getattr_removable_dev(gfs_controld_t)
  init_rw_script_tmp_files(gfs_controld_t)
  
  optional_policy(`
@@ -58435,7 +123825,7 @@ index 93c896a..407bb05 100644
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
  ')
-@@ -154,9 +208,10 @@ optional_policy(`
+@@ -154,9 +220,10 @@ optional_policy(`
  
  allow groupd_t self:capability { sys_nice sys_resource };
  allow groupd_t self:process setsched;
@@ -58447,7 +123837,7 @@ index 93c896a..407bb05 100644
  dev_list_sysfs(groupd_t)
  
  files_read_etc_files(groupd_t)
-@@ -168,8 +223,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -168,8 +235,7 @@ init_rw_script_tmp_files(groupd_t)
  # qdiskd local policy
  #
  
@@ -58457,7 +123847,7 @@ index 93c896a..407bb05 100644
  allow qdiskd_t self:tcp_socket create_stream_socket_perms;
  allow qdiskd_t self:udp_socket create_socket_perms;
  
-@@ -182,7 +236,7 @@ kernel_read_system_state(qdiskd_t)
+@@ -182,7 +248,7 @@ kernel_read_system_state(qdiskd_t)
  kernel_read_software_raid_state(qdiskd_t)
  kernel_getattr_core_if(qdiskd_t)
  
@@ -58466,7 +123856,7 @@ index 93c896a..407bb05 100644
  corecmd_exec_shell(qdiskd_t)
  
  dev_read_sysfs(qdiskd_t)
-@@ -199,6 +253,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
+@@ -199,6 +265,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
  files_dontaudit_getattr_all_pipes(qdiskd_t)
  files_read_etc_files(qdiskd_t)
  
@@ -58475,7 +123865,7 @@ index 93c896a..407bb05 100644
  storage_raw_read_removable_device(qdiskd_t)
  storage_raw_write_removable_device(qdiskd_t)
  storage_raw_read_fixed_disk(qdiskd_t)
-@@ -207,10 +263,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -207,10 +275,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
  auth_use_nsswitch(qdiskd_t)
  
  optional_policy(`
@@ -58486,7 +123876,7 @@ index 93c896a..407bb05 100644
  	netutils_domtrans_ping(qdiskd_t)
  ')
  
-@@ -223,18 +275,28 @@ optional_policy(`
+@@ -223,18 +287,28 @@ optional_policy(`
  # rhcs domains common policy
  #
  
@@ -58519,11 +123909,14 @@ index 93c896a..407bb05 100644
 +')
 diff --git a/policy/modules/services/rhev.fc b/policy/modules/services/rhev.fc
 new file mode 100644
-index 0000000..9a8524d
+index 0000000..48beae9
 --- /dev/null
 +++ b/policy/modules/services/rhev.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,8 @@
 +/usr/share/rhev-agent/rhev-agentd\.py	--	gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
++/usr/share/ovirt-guest-agent	--	 gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
++
++/usr/lib/systemd/system/ovirt-guest-agent.*  --              gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
 +
 +/var/run/rhev-agentd\.pid		--	gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
 +
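Review bot: The added `/usr/share/ovirt-guest-agent` entry uses the `--` file-type field, which limits the match to regular files. By analogy with `/usr/share/rhev-agent/rhev-agentd\.py` on the line above, this path looks like a directory. If it is, the spec never matches, the agent executable keeps its default label, and the service would not transition into rhev_agentd_t when started. The entry should name the executable inside the directory, e.g. `/usr/share/ovirt-guest-agent/<agent script>	--	gen_context(system_u:object_r:rhev_agentd_exec_t,s0)`, with the real file name taken from the package.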
@@ -58612,10 +124005,10 @@ index 0000000..bf11e25
 +')
 diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
 new file mode 100644
-index 0000000..b5168a0
+index 0000000..5a48fce
 --- /dev/null
 +++ b/policy/modules/services/rhev.te
-@@ -0,0 +1,106 @@
+@@ -0,0 +1,109 @@
 +policy_module(rhev,1.0)
 +
 +########################################
@@ -58627,6 +124020,9 @@ index 0000000..b5168a0
 +type rhev_agentd_exec_t;
 +init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t)
 +
++type rhev_agentd_unit_file_t;
++systemd_unit_file(rhev_agentd_unit_file_t)
++
 +type rhev_agentd_var_run_t;
 +files_pid_file(rhev_agentd_var_run_t)
 +
@@ -59072,10 +124468,10 @@ index 0000000..6572600
 +')
 diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
 new file mode 100644
-index 0000000..4adb871
+index 0000000..d45cfe5
 --- /dev/null
 +++ b/policy/modules/services/rhsmcertd.te
-@@ -0,0 +1,63 @@
+@@ -0,0 +1,69 @@
 +policy_module(rhsmcertd, 1.0.0)
 +
 +########################################
@@ -59107,6 +124503,9 @@ index 0000000..4adb871
 +# rhsmcertd local policy
 +#
 +
++allow rhsmcertd_t self:capability sys_nice;
++allow rhsmcertd_t self:process setsched;
++
 +allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
 +allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
 +
@@ -59121,6 +124520,7 @@ index 0000000..4adb871
 +
 +manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
 +manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
++files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
 +
 +kernel_read_network_state(rhsmcertd_t)
 +kernel_read_system_state(rhsmcertd_t)
@@ -59135,6 +124535,8 @@ index 0000000..4adb871
 +files_read_usr_files(rhsmcertd_t)
 +files_manage_generic_locks(rhsmcertd_t)
 +
++auth_read_passwd(rhsmcertd_t)
++
 +miscfiles_read_localization(rhsmcertd_t)
 +miscfiles_read_certs(rhsmcertd_t)
 +
@@ -59648,7 +125050,7 @@ index 63e78c6..fdd8228 100644
  		type rlogind_home_t;
  	')
 diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
-index 779fa44..91c8ee8 100644
+index 779fa44..1570864 100644
 --- a/policy/modules/services/rlogin.te
 +++ b/policy/modules/services/rlogin.te
 @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -59688,7 +125090,7 @@ index 779fa44..91c8ee8 100644
  
  files_read_etc_files(rlogind_t)
  files_read_etc_runtime_files(rlogind_t)
-@@ -88,29 +88,24 @@ seutil_read_config(rlogind_t)
+@@ -88,27 +88,23 @@ seutil_read_config(rlogind_t)
  userdom_setattr_user_ptys(rlogind_t)
  # cjp: this is egregious
  userdom_read_user_home_content_files(rlogind_t)
@@ -59713,21 +125115,20 @@ index 779fa44..91c8ee8 100644
 -	fs_list_cifs(rlogind_t)
 -	fs_read_cifs_files(rlogind_t)
 -	fs_read_cifs_symlinks(rlogind_t)
--')
--
- optional_policy(`
- 	kerberos_keytab_template(rlogind, rlogind_t)
- 	kerberos_manage_host_rcache(rlogind_t)
++optional_policy(`
++	kerberos_keytab_template(rlogind, rlogind_t)
++	#part of auth_use_pam
++	#kerberos_manage_host_rcache(rlogind_t)
  ')
  
  optional_policy(`
+-	kerberos_keytab_template(rlogind, rlogind_t)
+-	kerberos_manage_host_rcache(rlogind_t)
 +	remotelogin_domtrans(rlogind_t)
 +	remotelogin_signal(rlogind_t)
-+')
-+
-+optional_policy(`
- 	tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
  ')
+ 
+ optional_policy(`
 diff --git a/policy/modules/services/roundup.if b/policy/modules/services/roundup.if
 index 30c4b75..e07c2ff 100644
 --- a/policy/modules/services/roundup.if
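Review bot: `#kerberos_manage_host_rcache(rlogind_t)` is left in the policy as a commented-out rule, and the rshd.te hunk later in this commit does the same with `#kerberos_manage_host_rcache(rshd_t)` but without the `#part of auth_use_pam` remark. Commented-out allow rules are easy to re-enable by accident and make it unclear what the domain is expected to have. If the access really is provided through auth_use_pam, delete the call in both files and keep only a short comment such as `# host rcache access comes from auth_use_pam`. If that is not true for rshd_t, the rshd.te change needs its own justification.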
@@ -59746,23 +125147,20 @@ index 30c4b75..e07c2ff 100644
  	init_labeled_script_domtrans($1, roundup_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
-index 5c70c0c..5a75e95 100644
+index 5c70c0c..b0c22f7 100644
 --- a/policy/modules/services/rpc.fc
 +++ b/policy/modules/services/rpc.fc
-@@ -6,6 +6,12 @@
+@@ -6,6 +6,9 @@
  /etc/rc\.d/init\.d/nfslock --	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/rpcidmapd --	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
  
-+/lib/systemd/system/nfs.* 		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
-+/lib/systemd/system/rpc.* 		--	gen_context(system_u:object_r:rpcd_unit_file_t,s0)
-+
 +/usr/lib/systemd/system/nfs.* 		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
 +/usr/lib/systemd/system/rpc.* 		--	gen_context(system_u:object_r:rpcd_unit_file_t,s0)
 +
  #
  # /sbin
  #
-@@ -15,12 +21,14 @@
+@@ -15,12 +18,14 @@
  #
  # /usr
  #
@@ -59777,14 +125175,13 @@ index 5c70c0c..5a75e95 100644
  
  #
  # /var
-@@ -29,3 +37,5 @@
+@@ -29,3 +34,4 @@
  
  /var/run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_var_run_t,s0)
  /var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 +
-+/var/tmp/nfs_0 		 --	gen_context(system_u:object_r:gssd_tmp_t,s0)
 diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
-index cda37bb..617e83f 100644
+index cda37bb..fa20a5d 100644
 --- a/policy/modules/services/rpc.if
 +++ b/policy/modules/services/rpc.if
 @@ -32,7 +32,11 @@ interface(`rpc_stub',`
@@ -59838,7 +125235,7 @@ index cda37bb..617e83f 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 nfsd_unit_file_t:file read_file_perms;
-+	allow $1 nfsd_unit_file_t:service all_service_perms;
++	allow $1 nfsd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, nfsd_t)
 +')
@@ -59901,7 +125298,7 @@ index cda37bb..617e83f 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 rpcd_unit_file_t:file read_file_perms;
-+	allow $1 rpcd_unit_file_t:service all_service_perms;
++	allow $1 rpcd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, rpcd_t)
 +')
@@ -59920,23 +125317,42 @@ index cda37bb..617e83f 100644
  ')
  
  ########################################
-@@ -375,7 +451,7 @@ interface(`rpc_search_nfs_state_data',`
+@@ -375,7 +451,26 @@ interface(`rpc_search_nfs_state_data',`
  	')
  
  	files_search_var_lib($1)
 -	allow $1 var_lib_nfs_t:dir search;
 +	allow $1 var_lib_nfs_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	List NFS state data in /var/lib/nfs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpc_list_nfs_state_data',`
++	gen_require(`
++		type var_lib_nfs_t;
++	')
++
++	files_search_var_lib($1)
++	allow $1 var_lib_nfs_t:dir list_dir_perms;
  ')
  
  ########################################
-@@ -414,4 +490,5 @@ interface(`rpc_manage_nfs_state_data',`
+@@ -414,4 +509,5 @@ interface(`rpc_manage_nfs_state_data',`
  
  	files_search_var_lib($1)
  	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..32dd23d 100644
+index b1468ed..6ca60ac 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
 @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -59984,7 +125400,12 @@ index b1468ed..32dd23d 100644
  type nfsd_rw_t;
  files_type(nfsd_rw_t)
  
-@@ -62,9 +68,10 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
+@@ -58,13 +64,14 @@ files_mountpoint(var_lib_nfs_t)
+ # RPC local policy
+ #
+ 
+-allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
++allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
  allow rpcd_t self:process { getcap setcap };
  allow rpcd_t self:fifo_file rw_fifo_file_perms;
  
@@ -59997,7 +125418,14 @@ index b1468ed..32dd23d 100644
  
  # rpc.statd executes sm-notify
  can_exec(rpcd_t, rpcd_exec_t)
-@@ -87,6 +94,7 @@ fs_read_rpc_files(rpcd_t)
+@@ -81,12 +88,14 @@ corecmd_exec_bin(rpcd_t)
+ 
+ files_manage_mounttab(rpcd_t)
+ files_getattr_all_dirs(rpcd_t)
++files_read_usr_files(rpcd_t)
+ 
+ fs_list_rpc(rpcd_t)
+ fs_read_rpc_files(rpcd_t)
  fs_read_rpc_symlinks(rpcd_t)
  fs_rw_rpc_sockets(rpcd_t)
  fs_get_all_fs_quotas(rpcd_t)
@@ -60005,7 +125433,7 @@ index b1468ed..32dd23d 100644
  fs_getattr_all_fs(rpcd_t)
  
  storage_getattr_fixed_disk_dev(rpcd_t)
-@@ -97,21 +105,33 @@ miscfiles_read_generic_certs(rpcd_t)
+@@ -97,21 +106,41 @@ miscfiles_read_generic_certs(rpcd_t)
  
  seutil_dontaudit_search_config(rpcd_t)
  
@@ -60022,10 +125450,18 @@ index b1468ed..32dd23d 100644
 +')
 +
 +optional_policy(`
++	quota_manage_db(rpcd_t)
++')
++
++optional_policy(`
  	nis_read_ypserv_config(rpcd_t)
  ')
  
 +optional_policy(`
++	quota_read_db(rpcd_t)
++')
++
++optional_policy(`
 +	rgmanager_manage_tmp_files(rpcd_t)
 +')
 +
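Review bot: rpcd_t now gets both `quota_manage_db(rpcd_t)` and, two blocks later, `quota_read_db(rpcd_t)`, so the read grant is presumably redundant and the intended level of access is ambiguous. If rpc.rquotad only reports quotas, keep the single block with `quota_read_db(rpcd_t)` and drop the manage one. If it must update the quota files, keep `quota_manage_db(rpcd_t)` alone with a comment saying why write access is needed. Either way one of the two optional_policy blocks should go.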
@@ -60039,11 +125475,13 @@ index b1468ed..32dd23d 100644
  
  allow nfsd_t exports_t:file read_file_perms;
  allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
-@@ -120,9 +140,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+@@ -120,9 +149,16 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
  kernel_read_system_state(nfsd_t)
  kernel_read_network_state(nfsd_t)
  kernel_dontaudit_getattr_core_if(nfsd_t)
 +kernel_setsched(nfsd_t)
++kernel_request_load_module(nfsd_t)
++kernel_mounton_proc(nfsd_t)
 +
 +corecmd_exec_shell(nfsd_t)
  
@@ -60054,7 +125492,22 @@ index b1468ed..32dd23d 100644
  
  dev_dontaudit_getattr_all_blk_files(nfsd_t)
  dev_dontaudit_getattr_all_chr_files(nfsd_t)
-@@ -148,6 +173,8 @@ storage_raw_read_removable_device(nfsd_t)
+@@ -135,12 +171,12 @@ files_getattr_tmp_dirs(nfsd_t)
+ # cjp: this should really have its own type
+ files_manage_mounttab(nfsd_t)
+ files_read_etc_runtime_files(nfsd_t)
++files_read_usr_files(nfsd_t)
+ 
+ fs_mount_nfsd_fs(nfsd_t)
+-fs_search_nfsd_fs(nfsd_t)
+ fs_getattr_all_fs(nfsd_t)
+ fs_getattr_all_dirs(nfsd_t)
+-fs_rw_nfsd_fs(nfsd_t)
++fs_manage_nfsd_fs(nfsd_t)
+ 
+ storage_dontaudit_read_fixed_disk(nfsd_t)
+ storage_raw_read_removable_device(nfsd_t)
+@@ -148,6 +184,8 @@ storage_raw_read_removable_device(nfsd_t)
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
  
@@ -60063,7 +125516,7 @@ index b1468ed..32dd23d 100644
  # Write access to public_content_t and public_content_rw_t
  tunable_policy(`allow_nfsd_anon_write',`
  	miscfiles_manage_public_files(nfsd_t)
-@@ -158,7 +185,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -158,7 +196,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -60071,17 +125524,21 @@ index b1468ed..32dd23d 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +196,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +207,11 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
 -	auth_read_all_dirs_except_shadow(nfsd_t)
 -	auth_read_all_files_except_shadow(nfsd_t)
 +	files_read_non_security_files(nfsd_t)
++')
++
++optional_policy(`
++	mount_exec(nfsd_t)
  ')
  
  ########################################
-@@ -181,7 +206,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +221,7 @@ tunable_policy(`nfs_export_all_ro',`
  
  allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
  allow gssd_t self:process { getsched setsched };
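Review bot: `mount_exec(nfsd_t)` in the new optional_policy block has no comment, and by the usual interface naming an `_exec` call runs the program in the caller's domain, so mount would presumably execute with nfsd_t's own permissions rather than in a mount domain. Earlier hunks for this file also add `kernel_mounton_proc(nfsd_t)` and `kernel_request_load_module(nfsd_t)`, and replace `fs_rw_nfsd_fs` with `fs_manage_nfsd_fs`, again without explanation. For a network-facing daemon these belong together under one documented reason, for example a comment `# nfsd start-up mounts the nfsd filesystem itself` above them, if that is indeed the cause. If a transition interface for mount fits the use case, it would keep the mount privileges out of nfsd_t.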
@@ -60090,7 +125547,7 @@ index b1468ed..32dd23d 100644
  
  manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +224,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +239,7 @@ corecmd_exec_bin(gssd_t)
  fs_list_rpc(gssd_t)
  fs_rw_rpc_sockets(gssd_t)
  fs_read_rpc_files(gssd_t)
@@ -60098,7 +125555,7 @@ index b1468ed..32dd23d 100644
  
  fs_list_inotifyfs(gssd_t)
  files_list_tmp(gssd_t)
-@@ -210,14 +236,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +251,14 @@ auth_manage_cache(gssd_t)
  
  miscfiles_read_generic_certs(gssd_t)
  
@@ -60115,17 +125572,18 @@ index b1468ed..32dd23d 100644
  ')
  
  optional_policy(`
-@@ -229,6 +255,10 @@ optional_policy(`
- ')
+@@ -226,6 +267,11 @@ optional_policy(`
  
  optional_policy(`
-+	mount_signal(gssd_t)
+ 	kerberos_keytab_template(gssd, gssd_t)
++	kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
 +')
 +
 +optional_policy(`
- 	pcscd_read_pub_files(gssd_t)
++	mount_signal(gssd_t)
  ')
  
+ optional_policy(`
 diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc
 index f5c47d6..482b584 100644
 --- a/policy/modules/services/rpcbind.fc
@@ -60245,7 +125703,7 @@ index d6d76e1..9cb5e25 100644
 +	nis_use_ypbind(rpcbind_t)
 +')
 diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
-index 0b405d1..e91eb53 100644
+index 0b405d1..d55394c 100644
 --- a/policy/modules/services/rshd.te
 +++ b/policy/modules/services/rshd.te
 @@ -39,6 +39,8 @@ corenet_sendrecv_rsh_server_packets(rshd_t)
@@ -60257,7 +125715,7 @@ index 0b405d1..e91eb53 100644
  selinux_get_fs_mount(rshd_t)
  selinux_validate_context(rshd_t)
  selinux_compute_access_vector(rshd_t)
-@@ -66,16 +68,9 @@ seutil_read_config(rshd_t)
+@@ -66,20 +68,13 @@ seutil_read_config(rshd_t)
  seutil_read_default_contexts(rshd_t)
  
  userdom_search_user_home_content(rshd_t)
@@ -60276,6 +125734,11 @@ index 0b405d1..e91eb53 100644
  
  optional_policy(`
  	kerberos_keytab_template(rshd, rshd_t)
+-	kerberos_manage_host_rcache(rshd_t)
++	#kerberos_manage_host_rcache(rshd_t)
+ ')
+ 
+ optional_policy(`
 diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
 index 3386f29..b28cae5 100644
 --- a/policy/modules/services/rsync.if
@@ -60365,13 +125828,27 @@ index 3386f29..b28cae5 100644
 +	files_etc_filetrans($1, rsync_etc_t, $2)
 +')
 diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
-index 39015ae..967bebd 100644
+index 39015ae..8b08e21 100644
 --- a/policy/modules/services/rsync.te
 +++ b/policy/modules/services/rsync.te
-@@ -7,6 +7,13 @@ policy_module(rsync, 1.10.0)
+@@ -7,6 +7,27 @@ policy_module(rsync, 1.10.0)
  
  ## <desc>
  ## <p>
++## Allow rsync servers to share cifs files systems
++## </p>
++## </desc>
++gen_tunable(rsync_use_cifs, false)
++
++## <desc>
++## <p>
++## Allow rsync servers to share nfs files systems
++## </p>
++## </desc>
++gen_tunable(rsync_use_nfs, false)
++
++## <desc>
++## <p>
 +## Allow rsync to run as a client
 +## </p>
 +## </desc>
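Review bot: The descriptions of the new `rsync_use_cifs` and `rsync_use_nfs` tunables say "share cifs files systems" and "share nfs files systems", but the tunable_policy blocks added later in this file grant only list and read access (`fs_list_cifs`, `fs_read_cifs_files`, `fs_read_cifs_symlinks` and the NFS equivalents). An administrator reading the boolean description could expect uploads to such a share to work, or could turn it on thinking it is needed for something else. I would reword them to state the actual scope, e.g. `## Allow rsync servers to read files on CIFS file systems` and `## Allow rsync servers to read files on NFS file systems`, which also fixes the "files systems" typo.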
@@ -60382,7 +125859,7 @@ index 39015ae..967bebd 100644
  ## Allow rsync to export any files/directories read only.
  ## </p>
  ## </desc>
-@@ -23,7 +30,6 @@ gen_tunable(allow_rsync_anon_write, false)
+@@ -23,7 +44,6 @@ gen_tunable(allow_rsync_anon_write, false)
  
  type rsync_t;
  type rsync_exec_t;
@@ -60390,7 +125867,7 @@ index 39015ae..967bebd 100644
  application_executable_file(rsync_exec_t)
  role system_r types rsync_t;
  
-@@ -59,7 +65,7 @@ allow rsync_t self:udp_socket connected_socket_perms;
+@@ -59,7 +79,7 @@ allow rsync_t self:udp_socket connected_socket_perms;
  allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  #end for identd
  
@@ -60399,9 +125876,22 @@ index 39015ae..967bebd 100644
  
  allow rsync_t rsync_data_t:dir list_dir_perms;
  read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
-@@ -122,12 +128,26 @@ optional_policy(`
+@@ -121,13 +141,39 @@ optional_policy(`
+ 	inetd_service_domain(rsync_t, rsync_exec_t)
  ')
  
++tunable_policy(`rsync_use_cifs',`
++	fs_list_cifs(rsync_t)
++	fs_read_cifs_files(rsync_t)
++	fs_read_cifs_symlinks(rsync_t)
++')
++
++tunable_policy(`rsync_use_nfs',`
++	fs_list_nfs(rsync_t)
++	fs_read_nfs_files(rsync_t)
++	fs_read_nfs_symlinks(rsync_t)
++')
++
  tunable_policy(`rsync_export_all_ro',`
 +	files_getattr_all_pipes(rsync_t)
  	fs_read_noxattr_fs_files(rsync_t) 
@@ -60483,10 +125973,10 @@ index 46dad1f..6586da0 100644
  	allow rtkit_daemon_t $1:process { getsched setsched };
  	rtkit_daemon_dbus_chat($1)
 diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te
-index 6f8e268..a53e4f0 100644
+index 6f8e268..7d64285 100644
 --- a/policy/modules/services/rtkit.te
 +++ b/policy/modules/services/rtkit.te
-@@ -8,13 +8,14 @@ policy_module(rtkit, 1.1.0)
+@@ -8,6 +8,7 @@ policy_module(rtkit, 1.1.0)
  type rtkit_daemon_t;
  type rtkit_daemon_exec_t;
  dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
@@ -60494,14 +125984,6 @@ index 6f8e268..a53e4f0 100644
  
  ########################################
  #
- # rtkit_daemon local policy
- #
- 
--allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
-+allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice };
- allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
- 
- kernel_read_system_state(rtkit_daemon_t)
 diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
 index 71ea0ea..26af97f 100644
 --- a/policy/modules/services/rwho.if
@@ -60532,7 +126014,7 @@ index 71ea0ea..26af97f 100644
  	init_labeled_script_domtrans($1, rwho_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
-index a07b2f4..ee39810 100644
+index a07b2f4..36b4903 100644
 --- a/policy/modules/services/rwho.te
 +++ b/policy/modules/services/rwho.te
 @@ -16,7 +16,7 @@ type rwho_log_t;
@@ -60544,7 +126026,15 @@ index a07b2f4..ee39810 100644
  
  ########################################
  #
-@@ -55,6 +55,10 @@ files_read_etc_files(rwho_t)
+@@ -24,6 +24,7 @@ files_type(rwho_spool_t)
+ #
+ 
+ allow rwho_t self:capability sys_chroot;
++allow rwho_t self:process signal;
+ allow rwho_t self:unix_dgram_socket create;
+ allow rwho_t self:fifo_file rw_file_perms;
+ allow rwho_t self:unix_stream_socket create_stream_socket_perms;
+@@ -55,6 +56,10 @@ files_read_etc_files(rwho_t)
  init_read_utmp(rwho_t)
  init_dontaudit_write_utmp(rwho_t)
  
@@ -60556,33 +126046,29 @@ index a07b2f4..ee39810 100644
 +
 +userdom_getattr_user_terminals(rwho_t)
 diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
-index 69a6074..8ed95f2 100644
+index 69a6074..5c02dec 100644
 --- a/policy/modules/services/samba.fc
 +++ b/policy/modules/services/samba.fc
-@@ -11,9 +11,13 @@
- /etc/samba/smbpasswd		--	gen_context(system_u:object_r:samba_secrets_t,s0)
- /etc/samba(/.*)?			gen_context(system_u:object_r:samba_etc_t,s0)
- 
-+/lib/systemd/system/smb.service 	--	gen_context(system_u:object_r:samba_unit_file_t,s0)
-+
+@@ -14,6 +14,8 @@
  #
  # /usr
  #
-+/usr/lib/systemd/system/smb.service 	--	gen_context(system_u:object_r:samba_unit_file_t,s0)
++/usr/lib/systemd/system/smb.* 	--	gen_context(system_u:object_r:samba_unit_file_t,s0)
 +
  /usr/bin/net			--	gen_context(system_u:object_r:samba_net_exec_t,s0)
  /usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
  /usr/bin/smbcontrol		--	gen_context(system_u:object_r:smbcontrol_exec_t,s0)
-@@ -36,6 +40,8 @@
+@@ -36,6 +38,9 @@
  
  /var/log/samba(/.*)?			gen_context(system_u:object_r:samba_log_t,s0)
  
-+/var/run/nmbd(/.*)?				gen_context(system_u:object_r:nmbd_var_run_t,s0)
++/var/run/nmbd(/.*)?			gen_context(system_u:object_r:nmbd_var_run_t,s0)
 +
++/var/run/samba(/.*)?			gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/connections\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/gencache\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-@@ -51,3 +57,7 @@
+@@ -51,3 +56,7 @@
  /var/run/winbindd(/.*)?			gen_context(system_u:object_r:winbind_var_run_t,s0)
  
  /var/spool/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
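Review bot: The unit-file spec is widened from `smb.service` to `/usr/lib/systemd/system/smb.*`, so every regular file in that directory whose name begins with `smb` is labelled samba_unit_file_t, and the `.` is an unescaped regex wildcard. samba_systemctl and samba_admin in samba.if grant service permissions on that type, so the pattern decides which units a Samba administrator can control. An anchored entry such as `/usr/lib/systemd/system/smb\.service` keeps that scope explicit. If further Samba units are meant to be covered, listing each one documents the intent better than a prefix match.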
@@ -60591,10 +126077,36 @@ index 69a6074..8ed95f2 100644
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
 diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
-index 82cb169..48c023e 100644
+index 82cb169..0ed7e14 100644
 --- a/policy/modules/services/samba.if
 +++ b/policy/modules/services/samba.if
-@@ -60,6 +60,29 @@ interface(`samba_initrc_domtrans',`
+@@ -42,6 +42,25 @@ interface(`samba_signal_nmbd',`
+ 
+ ########################################
+ ## <summary>
++##	Connect to nmbd.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`samba_stream_connect_nmbd',`
++	gen_require(`
++		type nmbd_t, nmbd_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
++')
++
++########################################
++## <summary>
+ ##	Execute samba server in the samba domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -60,6 +79,29 @@ interface(`samba_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -60614,7 +126126,7 @@ index 82cb169..48c023e 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 samba_unit_file_t:file read_file_perms;
-+	allow $1 samba_unit_file_t:service all_service_perms;
++	allow $1 samba_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, smbd_t)
 +')
@@ -60624,7 +126136,7 @@ index 82cb169..48c023e 100644
  ##	Execute samba net in the samba_net domain.
  ## </summary>
  ## <param name="domain">
-@@ -79,6 +102,25 @@ interface(`samba_domtrans_net',`
+@@ -79,6 +121,25 @@ interface(`samba_domtrans_net',`
  
  ########################################
  ## <summary>
@@ -60650,7 +126162,7 @@ index 82cb169..48c023e 100644
  ##	Execute samba net in the samba_net domain, and
  ##	allow the specified role the samba_net domain.
  ## </summary>
-@@ -103,6 +145,51 @@ interface(`samba_run_net',`
+@@ -103,6 +164,51 @@ interface(`samba_run_net',`
  	role $2 types samba_net_t;
  ')
  
@@ -60702,7 +126214,7 @@ index 82cb169..48c023e 100644
  ########################################
  ## <summary>
  ##	Execute smbmount in the smbmount domain.
-@@ -327,7 +414,6 @@ interface(`samba_search_var',`
+@@ -327,7 +433,6 @@ interface(`samba_search_var',`
  		type samba_var_t;
  	')
  
@@ -60710,7 +126222,7 @@ index 82cb169..48c023e 100644
  	files_search_var_lib($1)
  	allow $1 samba_var_t:dir search_dir_perms;
  ')
-@@ -348,7 +434,6 @@ interface(`samba_read_var_files',`
+@@ -348,7 +453,6 @@ interface(`samba_read_var_files',`
  		type samba_var_t;
  	')
  
@@ -60718,7 +126230,7 @@ index 82cb169..48c023e 100644
  	files_search_var_lib($1)
  	read_files_pattern($1, samba_var_t, samba_var_t)
  ')
-@@ -388,7 +473,6 @@ interface(`samba_rw_var_files',`
+@@ -388,7 +492,6 @@ interface(`samba_rw_var_files',`
  		type samba_var_t;
  	')
  
@@ -60726,7 +126238,7 @@ index 82cb169..48c023e 100644
  	files_search_var_lib($1)
  	rw_files_pattern($1, samba_var_t, samba_var_t)
  ')
-@@ -409,9 +493,9 @@ interface(`samba_manage_var_files',`
+@@ -409,9 +512,9 @@ interface(`samba_manage_var_files',`
  		type samba_var_t;
  	')
  
@@ -60737,7 +126249,7 @@ index 82cb169..48c023e 100644
  ')
  
  ########################################
-@@ -419,15 +503,14 @@ interface(`samba_manage_var_files',`
+@@ -419,15 +522,14 @@ interface(`samba_manage_var_files',`
  ##	Execute a domain transition to run smbcontrol.
  ## </summary>
  ## <param name="domain">
@@ -60756,7 +126268,7 @@ index 82cb169..48c023e 100644
  	')
  
  	domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
-@@ -564,6 +647,7 @@ interface(`samba_domtrans_winbind_helper',`
+@@ -564,6 +666,7 @@ interface(`samba_domtrans_winbind_helper',`
  	')
  
  	domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@@ -60764,7 +126276,7 @@ index 82cb169..48c023e 100644
  ')
  
  ########################################
-@@ -644,6 +728,37 @@ interface(`samba_stream_connect_winbind',`
+@@ -644,6 +747,37 @@ interface(`samba_stream_connect_winbind',`
  
  ########################################
  ## <summary>
@@ -60802,7 +126314,7 @@ index 82cb169..48c023e 100644
  ##	All of the rules required to administrate 
  ##	an samba environment
  ## </summary>
-@@ -661,29 +776,28 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,33 +795,33 @@ interface(`samba_stream_connect_winbind',`
  #
  interface(`samba_admin',`
  	gen_require(`
@@ -60827,6 +126339,7 @@ index 82cb169..48c023e 100644
 +		type samba_etc_t, samba_share_t, winbind_log_t;
 +		type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
 +		type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
++		type samba_unit_file_t;
  	')
  
 -	allow $1 smbd_t:process { ptrace signal_perms };
@@ -60842,13 +126355,21 @@ index 82cb169..48c023e 100644
 +	allow $1 nmbd_t:process signal_perms;
  	ps_process_pattern($1, nmbd_t)
  
+-	samba_run_smbcontrol($1, $2, $3)
+-	samba_run_winbind_helper($1, $2, $3)
+-	samba_run_smbmount($1, $2, $3)
+-	samba_run_net($1, $2, $3)
 +	allow $1 samba_unconfined_script_t:process signal_perms;
 +	ps_process_pattern($1, samba_unconfined_script_t)
 +
- 	samba_run_smbcontrol($1, $2, $3)
- 	samba_run_winbind_helper($1, $2, $3)
- 	samba_run_smbmount($1, $2, $3)
-@@ -709,9 +823,6 @@ interface(`samba_admin',`
++	samba_run_smbcontrol($1, $2)
++	samba_run_winbind_helper($1, $2)
++	samba_run_smbmount($1, $2)
++	samba_run_net($1, $2)
+ 
+ 	init_labeled_script_domtrans($1, samba_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+@@ -709,9 +843,6 @@ interface(`samba_admin',`
  	admin_pattern($1, samba_var_t)
  	files_list_var($1)
  
@@ -60858,19 +126379,36 @@ index 82cb169..48c023e 100644
  	admin_pattern($1, smbd_var_run_t)
  	files_list_pids($1)
  
-@@ -727,4 +838,7 @@ interface(`samba_admin',`
+@@ -727,4 +858,9 @@ interface(`samba_admin',`
  	admin_pattern($1, winbind_tmp_t)
  
  	admin_pattern($1, winbind_var_run_t)
 +	admin_pattern($1, samba_unconfined_script_exec_t)
 +
 +	samba_systemctl($1)
++	admin_pattern($1, samba_unit_file_t)
++	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..895d6c0 100644
+index e30bb63..ef60f40 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
-@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
+@@ -32,6 +32,14 @@ gen_tunable(samba_domain_controller, false)
+ 
+ ## <desc>
+ ## <p>
++## Allow samba to act as a portmapper
++## 
++## </p>
++## </desc>
++gen_tunable(samba_portmapper, false)
++
++## <desc>
++## <p>
+ ## Allow samba to share users home directories.
+ ## </p>
+ ## </desc>
+@@ -85,6 +93,9 @@ files_config_file(samba_etc_t)
  type samba_initrc_exec_t;
  init_script_file(samba_initrc_exec_t)
  
@@ -60880,7 +126418,7 @@ index e30bb63..895d6c0 100644
  type samba_log_t;
  logging_log_file(samba_log_t)
  
-@@ -152,9 +155,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+@@ -152,9 +163,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
  type winbind_log_t;
  logging_log_file(winbind_log_t)
  
@@ -60890,16 +126428,32 @@ index e30bb63..895d6c0 100644
  type winbind_var_run_t;
  files_pid_file(winbind_var_run_t)
  
-@@ -215,7 +215,7 @@ miscfiles_read_localization(samba_net_t)
+@@ -181,7 +189,6 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
+ manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
+ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+-
+ kernel_read_proc_symlinks(samba_net_t)
+ kernel_read_system_state(samba_net_t)
+ 
+@@ -215,22 +222,30 @@ miscfiles_read_localization(samba_net_t)
  
  samba_read_var_files(samba_net_t)
  
 -userdom_use_user_terminals(samba_net_t)
++sysnet_use_ldap(samba_net_t)
++
 +userdom_use_inherited_user_terminals(samba_net_t)
  userdom_list_user_home_dirs(samba_net_t)
  
  optional_policy(`
-@@ -224,13 +224,14 @@ optional_policy(`
++    ldap_stream_connect(samba_net_t)
++    dirsrv_stream_connect(samba_net_t)
++')
++
++optional_policy(`
+ 	pcscd_read_pub_files(samba_net_t)
+ ')
  
  optional_policy(`
  	kerberos_use(samba_net_t)
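Review bot: `ldap_stream_connect(samba_net_t)` and `dirsrv_stream_connect(samba_net_t)` share one optional_policy block, and an optional block is discarded as a whole when any interface it calls is unavailable. A policy built without the dirsrv module would therefore silently lose the LDAP socket access as well, and the failure would only show up as a runtime denial. Splitting them into two blocks keeps each grant independent. The two lines are also indented with spaces where the rest of the file uses a tab.

```selinux
optional_policy(`
	ldap_stream_connect(samba_net_t)
')

optional_policy(`
	dirsrv_stream_connect(samba_net_t)
')
```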
@@ -60915,15 +126469,17 @@ index e30bb63..895d6c0 100644
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
-@@ -249,6 +250,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -248,7 +263,9 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ 
  allow smbd_t nmbd_t:process { signal signull };
  
++allow winbind_t smbd_var_run_t:dir search_dir_perms;
  allow smbd_t nmbd_var_run_t:file rw_file_perms;
 +stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
  
  allow smbd_t samba_etc_t:file { rw_file_perms setattr };
  
-@@ -263,7 +265,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -263,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
  manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
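Review bot: `allow winbind_t smbd_var_run_t:dir search_dir_perms;` is added here among the smbd_t rules, and the identical rule is added again in the winbind section further down in samba.te. The duplicate does not change the compiled policy, but it makes the winbind_t grant easy to miss when auditing that domain. Keeping only the copy next to `read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)` would be clearer. The smbd section continues outside this hunk.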
@@ -60932,7 +126488,13 @@ index e30bb63..895d6c0 100644
  
  manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -279,7 +281,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+ manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
++files_var_filetrans(smbd_t, samba_var_t, dir)
+ 
+ allow smbd_t smbcontrol_t:process { signal signull };
+ 
+@@ -279,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
  manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -60941,7 +126503,15 @@ index e30bb63..895d6c0 100644
  
  allow smbd_t swat_t:process signal;
  
-@@ -323,15 +325,18 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -316,6 +334,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
+ 
+ dev_read_sysfs(smbd_t)
+ dev_read_urand(smbd_t)
++dev_dontaudit_write_urand(smbd_t)
+ dev_getattr_mtrr_dev(smbd_t)
+ dev_dontaudit_getattr_usbfs_dirs(smbd_t)
+ # For redhat bug 566984
+@@ -323,15 +342,18 @@ dev_getattr_all_blk_files(smbd_t)
  dev_getattr_all_chr_files(smbd_t)
  
  fs_getattr_all_fs(smbd_t)
@@ -60960,7 +126530,7 @@ index e30bb63..895d6c0 100644
  
  domain_use_interactive_fds(smbd_t)
  domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -343,6 +348,7 @@ files_read_usr_files(smbd_t)
+@@ -343,6 +365,7 @@ files_read_usr_files(smbd_t)
  files_search_spool(smbd_t)
  # smbd seems to getattr all mountpoints
  files_dontaudit_getattr_all_dirs(smbd_t)
@@ -60968,7 +126538,28 @@ index e30bb63..895d6c0 100644
  # Allow samba to list mnt_t for potential mounted dirs
  files_list_mnt(smbd_t)
  
-@@ -385,12 +391,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -354,6 +377,8 @@ logging_send_syslog_msg(smbd_t)
+ miscfiles_read_localization(smbd_t)
+ miscfiles_read_public_files(smbd_t)
+ 
++sysnet_use_ldap(smbd_t)
++
+ userdom_use_unpriv_users_fds(smbd_t)
+ userdom_search_user_home_content(smbd_t)
+ userdom_signal_all_users(smbd_t)
+@@ -372,6 +397,11 @@ tunable_policy(`allow_smbd_anon_write',`
+ 	miscfiles_manage_public_files(smbd_t)
+ ') 
+ 
++tunable_policy(`samba_portmapper',`
++	corenet_tcp_bind_epmap_port(smbd_t)
++	corenet_tcp_bind_all_unreserved_ports(smbd_t)
++')
++
+ tunable_policy(`samba_domain_controller',`
+ 	gen_require(`
+ 		class passwd passwd;
+@@ -385,12 +415,7 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
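Review bot: The `samba_portmapper` tunable grants `corenet_tcp_bind_all_unreserved_ports(smbd_t)` in addition to `corenet_tcp_bind_epmap_port(smbd_t)`, which is wider than its description, `Allow samba to act as a portmapper`, suggests. An administrator enabling the boolean should be told that smbd may then listen on any unreserved TCP port. I would extend the description to something like `## Allow samba to act as a portmapper; this also lets smbd bind to any unreserved TCP port.` The description sits with the `gen_tunable(samba_portmapper, false)` declaration near the top of samba.te, outside this hunk.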
@@ -60982,7 +126573,7 @@ index e30bb63..895d6c0 100644
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -410,6 +411,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -410,6 +435,10 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -60993,7 +126584,19 @@ index e30bb63..895d6c0 100644
  
  optional_policy(`
  	cups_read_rw_config(smbd_t)
-@@ -445,26 +450,25 @@ optional_policy(`
+@@ -422,6 +451,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	ldap_stream_connect(smbd_t)
++	dirsrv_stream_connect(smbd_t)
++')
++
++optional_policy(`
+ 	lpd_exec_lpr(smbd_t)
+ ')
+ 
+@@ -445,26 +479,25 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -61027,7 +126630,7 @@ index e30bb63..895d6c0 100644
  ########################################
  #
  # nmbd Local policy
-@@ -484,8 +488,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +517,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -61039,7 +126642,7 @@ index e30bb63..895d6c0 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -555,18 +561,21 @@ optional_policy(`
+@@ -555,18 +590,21 @@ optional_policy(`
  # smbcontrol local policy
  #
  
@@ -61065,7 +126668,7 @@ index e30bb63..895d6c0 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -574,11 +583,19 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -574,11 +612,21 @@ samba_read_winbind_pid(smbcontrol_t)
  
  domain_use_interactive_fds(smbcontrol_t)
  
@@ -61078,6 +126681,8 @@ index e30bb63..895d6c0 100644
  miscfiles_read_localization(smbcontrol_t)
  
 -userdom_use_user_terminals(smbcontrol_t)
++sysnet_use_ldap(smbcontrol_t)
++
 +userdom_use_inherited_user_terminals(smbcontrol_t)
 +
 +optional_policy(`
@@ -61086,7 +126691,7 @@ index e30bb63..895d6c0 100644
  
  ########################################
  #
-@@ -644,19 +661,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +692,21 @@ auth_use_nsswitch(smbmount_t)
  
  miscfiles_read_localization(smbmount_t)
  
@@ -61111,7 +126716,7 @@ index e30bb63..895d6c0 100644
  ########################################
  #
  # SWAT Local policy
-@@ -677,7 +696,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +727,8 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -61121,7 +126726,7 @@ index e30bb63..895d6c0 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +712,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +743,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -61136,7 +126741,7 @@ index e30bb63..895d6c0 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +732,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +763,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -61144,8 +126749,12 @@ index e30bb63..895d6c0 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +777,8 @@ logging_search_logs(swat_t)
+@@ -752,8 +806,12 @@ logging_send_syslog_msg(swat_t)
+ logging_send_audit_msgs(swat_t)
+ logging_search_logs(swat_t)
  
++sysnet_use_ldap(swat_t)
++
  miscfiles_read_localization(swat_t)
  
 +userdom_dontaudit_search_admin_dir(swat_t)
@@ -61153,16 +126762,17 @@ index e30bb63..895d6c0 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -783,7 +808,7 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -783,7 +841,8 @@ allow winbind_t self:udp_socket create_socket_perms;
  
  allow winbind_t nmbd_t:process { signal signull };
  
 -allow winbind_t nmbd_var_run_t:file read_file_perms;
++allow winbind_t smbd_var_run_t:dir search_dir_perms;
 +read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,15 +831,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +865,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -61184,7 +126794,7 @@ index e30bb63..895d6c0 100644
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
  
-@@ -833,6 +859,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +893,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -61192,7 +126802,7 @@ index e30bb63..895d6c0 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -850,10 +877,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +911,14 @@ domain_use_interactive_fds(winbind_t)
  
  files_read_etc_files(winbind_t)
  files_read_usr_symlinks(winbind_t)
@@ -61207,7 +126817,7 @@ index e30bb63..895d6c0 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -863,6 +894,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
+@@ -863,6 +928,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
  userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
@@ -61220,7 +126830,7 @@ index e30bb63..895d6c0 100644
  optional_policy(`
  	kerberos_use(winbind_t)
  ')
-@@ -904,7 +941,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +975,7 @@ logging_send_syslog_msg(winbind_helper_t)
  
  miscfiles_read_localization(winbind_helper_t) 
  
@@ -61229,34 +126839,46 @@ index e30bb63..895d6c0 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -922,6 +959,18 @@ optional_policy(`
+@@ -922,19 +993,34 @@ optional_policy(`
  #
  
  optional_policy(`
+-	type samba_unconfined_script_t;
+-	type samba_unconfined_script_exec_t;
+-	domain_type(samba_unconfined_script_t)
+-	domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+-	corecmd_shell_entry_type(samba_unconfined_script_t)
+-	role system_r types samba_unconfined_script_t;
 +	type samba_unconfined_net_t;
 +	domain_type(samba_unconfined_net_t)
 +	domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)
 +	role system_r types samba_unconfined_net_t;
 +
 +	unconfined_domain(samba_unconfined_net_t)
-+
+ 
+-	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+-	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
 +	manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
 +	filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
 +	userdom_use_inherited_user_terminals(samba_unconfined_net_t)
 +')
-+
- 	type samba_unconfined_script_t;
- 	type samba_unconfined_script_exec_t;
- 	domain_type(samba_unconfined_script_t)
-@@ -932,9 +981,12 @@ optional_policy(`
- 	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
- 	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
++type samba_unconfined_script_t;
++type samba_unconfined_script_exec_t;
++domain_type(samba_unconfined_script_t)
++domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
++corecmd_shell_entry_type(samba_unconfined_script_t)
++role system_r types samba_unconfined_script_t;
++
++allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
++allow smbd_t samba_unconfined_script_exec_t:file ioctl;
++
 +optional_policy(`
  	unconfined_domain(samba_unconfined_script_t)
 +')
  
- 	tunable_policy(`samba_run_unconfined',`
+-	tunable_policy(`samba_run_unconfined',`
++tunable_policy(`samba_run_unconfined',`
  		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
 -	')
 +',`
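Review bot: With the `samba_unconfined_script_t` declarations and the `samba_run_unconfined` tunable moved out of `optional_policy`, only `unconfined_domain(samba_unconfined_script_t)` still depends on the unconfined module. On a policy built without that module the boolean would, as far as this hunk shows, still transition smbd's scripts into `samba_unconfined_script_t`, which then lacks the access its name promises. A short comment above the tunable would help, e.g. `# samba_unconfined_script_t is only unconfined when the unconfined module is installed`. The `domtrans_pattern` line also keeps its old two-tab indent under the now top-level `tunable_policy`. The tunable's else branch continues outside this hunk.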
@@ -61431,10 +127053,10 @@ index 0000000..3eb745d
 +')
 diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
 new file mode 100644
-index 0000000..64d3e6a
+index 0000000..d5d96e7
 --- /dev/null
 +++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,102 @@
 +policy_module(sanlock,1.0.0)
 +
 +########################################
@@ -61505,6 +127127,8 @@ index 0000000..64d3e6a
 +
 +dev_read_urand(sanlock_t)
 +
++auth_use_nsswitch(sanlock_t)
++
 +init_read_utmp(sanlock_t)
 +init_dontaudit_write_utmp(sanlock_t)
 +
@@ -61567,7 +127191,7 @@ index f1aea88..3e6a93f 100644
  	admin_pattern($1, saslauthd_var_run_t)
  ')
 diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
-index cfc60dd..71d76cf 100644
+index cfc60dd..8908145 100644
 --- a/policy/modules/services/sasl.te
 +++ b/policy/modules/services/sasl.te
 @@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
@@ -61616,7 +127240,7 @@ index cfc60dd..71d76cf 100644
  
  optional_policy(`
  	kerberos_keytab_template(saslauthd, saslauthd_t)
-+	kerberos_manage_host_rcache(saslauthd_t)
++	#kerberos_manage_host_rcache(saslauthd_t)
  ')
  
  optional_policy(`
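Review bot: `#kerberos_manage_host_rcache(saslauthd_t)` leaves the call commented out with no reason given, and the same is done for `$1_t` in `ssh_server_template` in ssh.if, while squid.te still calls the interface for squid_t. A reader cannot tell whether this is a temporary workaround or a deliberate removal of replay-cache access. Either delete the line or put a one-line reason above it, such as `# disabled: <reason or bug reference>`.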
@@ -61634,10 +127258,10 @@ index 0000000..d5c3c3f
 +/var/run/gather(/.*)?		gen_context(system_u:object_r:sblim_var_run_t,s0)
 diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if
 new file mode 100644
-index 0000000..fe23f5a
+index 0000000..182057f
 --- /dev/null
 +++ b/policy/modules/services/sblim.if
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,76 @@
 +
 +## <summary> policy for SBLIM Gatherer </summary>
 +
@@ -61691,12 +127315,6 @@ index 0000000..fe23f5a
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`sblim_admin',`
 +	gen_require(`
@@ -61967,7 +127585,7 @@ index 7e94c7c..ca74cd9 100644
 +	admin_pattern($1, mail_spool_t)
 +')
 diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
-index 22dac1f..75081a5 100644
+index 22dac1f..e2f2d7d 100644
 --- a/policy/modules/services/sendmail.te
 +++ b/policy/modules/services/sendmail.te
 @@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
@@ -62006,7 +127624,18 @@ index 22dac1f..75081a5 100644
  
  mta_read_config(sendmail_t)
  mta_etc_filetrans_aliases(sendmail_t)
-@@ -128,7 +129,14 @@ optional_policy(`
+@@ -115,6 +116,10 @@ mta_manage_spool(sendmail_t)
+ mta_sendmail_exec(sendmail_t)
+ 
+ optional_policy(`
++	cfengine_dontaudit_write_log(sendmail_t)
++')
++
++optional_policy(`
+ 	cron_read_pipes(sendmail_t)
+ ')
+ 
+@@ -128,7 +133,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62021,7 +127650,7 @@ index 22dac1f..75081a5 100644
  ')
  
  optional_policy(`
-@@ -149,7 +157,9 @@ optional_policy(`
+@@ -149,7 +161,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62031,7 +127660,7 @@ index 22dac1f..75081a5 100644
  	postfix_read_config(sendmail_t)
  	postfix_search_spool(sendmail_t)
  ')
-@@ -168,20 +178,13 @@ optional_policy(`
+@@ -168,20 +182,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62127,19 +127756,30 @@ index bcdd16c..039b0c8 100644
  	files_list_var_lib($1)
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..6e66656 100644
+index 086cd5f..e010142 100644
 --- a/policy/modules/services/setroubleshoot.te
 +++ b/policy/modules/services/setroubleshoot.te
-@@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t)
+@@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
+ type setroubleshoot_fixit_t;
+ type setroubleshoot_fixit_exec_t;
+ dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
++init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+ 
+ type setroubleshoot_var_lib_t;
+ files_type(setroubleshoot_var_lib_t)
+@@ -30,8 +31,10 @@ files_pid_file(setroubleshoot_var_run_t)
+ # setroubleshootd local policy
+ #
  
- allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
+-allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
++allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
  allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
 +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
 +allow setroubleshootd_t self:process { execmem execstack };
  allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
  allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
  allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -49,17 +51,21 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
+@@ -49,17 +52,21 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
  logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
  
  # pid file
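Review bot: `sys_ptrace` is added to setroubleshootd_t's capability set without a comment, although the `execmem execstack` line just below carries one explaining why it is tolerated. If the denial comes only from the daemon inspecting other processes' /proc entries (an assumption, the hunk does not say), `dontaudit setroubleshootd_t self:capability sys_ptrace;` may be enough. Otherwise a comment naming the operation that needs the capability would make the grant reviewable. The same hunk also adds `init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)` on top of the existing `dbus_system_domain` call, which deserves the same one-line rationale.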
@@ -62162,7 +127802,7 @@ index 086cd5f..6e66656 100644
  
  corenet_all_recvfrom_unlabeled(setroubleshootd_t)
  corenet_all_recvfrom_netlabel(setroubleshootd_t)
-@@ -85,6 +91,7 @@ files_getattr_all_files(setroubleshootd_t)
+@@ -85,6 +92,7 @@ files_getattr_all_files(setroubleshootd_t)
  files_getattr_all_pipes(setroubleshootd_t)
  files_getattr_all_sockets(setroubleshootd_t)
  files_read_all_symlinks(setroubleshootd_t)
@@ -62170,7 +127810,15 @@ index 086cd5f..6e66656 100644
  
  fs_getattr_all_dirs(setroubleshootd_t)
  fs_getattr_all_files(setroubleshootd_t)
-@@ -104,6 +111,8 @@ auth_use_nsswitch(setroubleshootd_t)
+@@ -95,6 +103,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
+ 
+ selinux_get_enforce_mode(setroubleshootd_t)
+ selinux_validate_context(setroubleshootd_t)
++selinux_read_policy(setroubleshootd_t)
+ 
+ term_dontaudit_use_all_ptys(setroubleshootd_t)
+ term_dontaudit_use_all_ttys(setroubleshootd_t)
+@@ -104,6 +113,8 @@ auth_use_nsswitch(setroubleshootd_t)
  init_read_utmp(setroubleshootd_t)
  init_dontaudit_write_utmp(setroubleshootd_t)
  
@@ -62179,7 +127827,7 @@ index 086cd5f..6e66656 100644
  miscfiles_read_localization(setroubleshootd_t)
  
  locallogin_dontaudit_use_fds(setroubleshootd_t)
-@@ -112,8 +121,6 @@ logging_send_audit_msgs(setroubleshootd_t)
+@@ -112,8 +123,6 @@ logging_send_audit_msgs(setroubleshootd_t)
  logging_send_syslog_msg(setroubleshootd_t)
  logging_stream_connect_dispatcher(setroubleshootd_t)
  
@@ -62188,7 +127836,7 @@ index 086cd5f..6e66656 100644
  seutil_read_config(setroubleshootd_t)
  seutil_read_file_contexts(setroubleshootd_t)
  seutil_read_bin_policy(setroubleshootd_t)
-@@ -121,10 +128,23 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,10 +130,23 @@ seutil_read_bin_policy(setroubleshootd_t)
  userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
  
  optional_policy(`
@@ -62212,7 +127860,7 @@ index 086cd5f..6e66656 100644
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
  	rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -151,7 +171,11 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -151,7 +173,11 @@ kernel_read_system_state(setroubleshoot_fixit_t)
  corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  
@@ -62224,7 +127872,7 @@ index 086cd5f..6e66656 100644
  
  files_read_usr_files(setroubleshoot_fixit_t)
  files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +188,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +190,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
  
  miscfiles_read_localization(setroubleshoot_fixit_t)
  
@@ -62260,10 +127908,10 @@ index 0000000..839f1b3
 +
 diff --git a/policy/modules/services/sge.te b/policy/modules/services/sge.te
 new file mode 100644
-index 0000000..3a28b77
+index 0000000..803c998
 --- /dev/null
 +++ b/policy/modules/services/sge.te
-@@ -0,0 +1,166 @@
+@@ -0,0 +1,195 @@
 +policy_module(sge, 1.0.0)
 +
 +########################################
@@ -62278,6 +127926,13 @@ index 0000000..3a28b77
 +## </desc>
 +gen_tunable(sge_use_nfs, false)
 +
++## <desc>
++## <p>
++## Allow sge to connect to the network using any TCP port
++## </p>
++## </desc>
++gen_tunable(sge_domain_can_network_connect, false)
++
 +attribute sge_domain;
 +
 +type sge_execd_t, sge_domain;
@@ -62318,14 +127973,23 @@ index 0000000..3a28b77
 +files_exec_usr_files(sge_execd_t)
 +files_search_spool(sge_execd_t)
 +
++fs_getattr_xattr_fs(sge_execd_t)
++
++auth_use_nsswitch(sge_execd_t)
++
 +init_read_utmp(sge_execd_t)
 +
++optional_policy(`
++	sendmail_domtrans(sge_execd_t)
++')
++
 +######################################
 +#
 +# sge_shepherd local policy
 +#
 +
 +allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_override };
++allow sge_shepherd_t self:process { setsched setrlimit setpgid };
 +allow sge_shepherd_t self:process signal_perms;
 +
 +domtrans_pattern(sge_execd_t, sge_shepherd_exec_t, sge_shepherd_t)
@@ -62341,6 +128005,14 @@ index 0000000..3a28b77
 +	mta_send_mail(sge_shepherd_t)
 +')
 +
++optional_policy(`
++	ssh_domtrans(sge_shepherd_t)
++')
++
++optional_policy(`
++	unconfined_domain(sge_shepherd_t)
++')
++
 +#####################################
 +#
 +# sge_job local policy
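Review bot: `unconfined_domain(sge_shepherd_t)` makes the shepherd unconfined whenever the unconfined module is present. The explicit `allow sge_shepherd_t self:capability ...` and `self:process` rules above it, and the `sigkill` rule added for `sge_job_ssh_t` further down in sge.te, then only matter on systems without that module. A comment above the block should say which access could not be expressed with ordinary rules, so the grant can be narrowed later. Without it, the confined rules read as if they were the effective policy.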
@@ -62359,6 +128031,7 @@ index 0000000..3a28b77
 +	ssh_domtrans(sge_job_t)
 +
 +	allow sge_job_t sge_job_ssh_t:process sigkill;
++	allow sge_shepherd_t sge_job_ssh_t:process sigkill;
 +
 +	xserver_exec_xauth(sge_job_ssh_t)
 +
@@ -62411,6 +128084,10 @@ index 0000000..3a28b77
 +
 +miscfiles_read_localization(sge_domain)
 +
++tunable_policy(`sge_domain_can_network_connect',`
++    corenet_tcp_connect_all_ports(sge_domain)
++')
++
 +tunable_policy(`sge_use_nfs',`
 +    fs_list_auto_mountpoints(sge_domain)
 +	fs_manage_nfs_dirs(sge_domain)
@@ -62469,7 +128146,7 @@ index adea9f9..145adbd 100644
  	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 606a098..441f753 100644
+index 606a098..522fb54 100644
 --- a/policy/modules/services/smartmon.te
 +++ b/policy/modules/services/smartmon.te
 @@ -35,7 +35,7 @@ ifdef(`enable_mls',`
@@ -62489,7 +128166,7 @@ index 606a098..441f753 100644
  kernel_read_software_raid_state(fsdaemon_t)
  kernel_read_system_state(fsdaemon_t)
  
-@@ -73,19 +74,30 @@ files_read_etc_runtime_files(fsdaemon_t)
+@@ -73,19 +74,31 @@ files_read_etc_runtime_files(fsdaemon_t)
  files_read_usr_files(fsdaemon_t)
  # for config
  files_read_etc_files(fsdaemon_t)
@@ -62503,6 +128180,7 @@ index 606a098..441f753 100644
  #mls_rangetrans_target(fsdaemon_t)
  
 +storage_create_fixed_disk_dev(fsdaemon_t)
++storage_dev_filetrans_named_fixed_disk(fsdaemon_t)
  storage_raw_read_fixed_disk(fsdaemon_t)
  storage_raw_write_fixed_disk(fsdaemon_t)
  storage_raw_read_removable_device(fsdaemon_t)
@@ -62882,10 +128560,10 @@ index 93fe7bf..1b07ed4 100644
  	init_labeled_script_domtrans($1, soundd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
-index 6b3abf9..a785741 100644
+index 6b3abf9..21f3e07 100644
 --- a/policy/modules/services/spamassassin.fc
 +++ b/policy/modules/services/spamassassin.fc
-@@ -1,15 +1,28 @@
+@@ -1,15 +1,38 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 +/root/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
@@ -62916,6 +128594,16 @@ index 6b3abf9..a785741 100644
  /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
 +/var/spool/MD-Quarantine(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 +/var/spool/MIMEDefang(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
++
++/root/\.razor(/.*)?     gen_context(system_u:object_r:spamc_home_t,s0)
++HOME_DIR/\.razor(/.*)?      gen_context(system_u:object_r:spamc_home_t,s0)
++
++/etc/razor(/.*)?        gen_context(system_u:object_r:spamd_etc_t,s0)
++
++/usr/bin/razor.*    --  gen_context(system_u:object_r:spamc_exec_t,s0)
++
++/var/lib/razor(/.*)?        gen_context(system_u:object_r:spamd_var_lib_t,s0)
++/var/log/razor-agent\.log --    gen_context(system_u:object_r:spamd_log_t,s0)
 diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
 index c954f31..82fc7f6 100644
 --- a/policy/modules/services/spamassassin.if
@@ -63665,7 +129353,7 @@ index d2496bd..c7614d7 100644
  	init_labeled_script_domtrans($1, squid_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
-index 4b2230e..7b3d2db 100644
+index 4b2230e..51dc8d8 100644
 --- a/policy/modules/services/squid.te
 +++ b/policy/modules/services/squid.te
 @@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
@@ -63702,7 +129390,26 @@ index 4b2230e..7b3d2db 100644
  
  type squid_initrc_exec_t;
  init_script_file(squid_initrc_exec_t)
-@@ -90,6 +90,7 @@ files_pid_filetrans(squid_t, squid_var_run_t, file)
+@@ -40,6 +40,9 @@ logging_log_file(squid_log_t)
+ type squid_tmpfs_t;
+ files_tmpfs_file(squid_tmpfs_t)
+ 
++type squid_tmp_t;
++files_tmp_file(squid_tmp_t)
++
+ type squid_var_run_t;
+ files_pid_file(squid_var_run_t)
+ 
+@@ -85,11 +88,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
+ manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+ fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
+ 
++manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
++manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
++files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
++
+ manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
+ files_pid_filetrans(squid_t, squid_var_run_t, file)
  
  kernel_read_kernel_sysctls(squid_t)
  kernel_read_system_state(squid_t)
@@ -63710,7 +129417,7 @@ index 4b2230e..7b3d2db 100644
  
  files_dontaudit_getattr_boot_dirs(squid_t)
  
-@@ -169,7 +170,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
+@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
  tunable_policy(`squid_connect_any',`
  	corenet_tcp_connect_all_ports(squid_t)
  	corenet_tcp_bind_all_ports(squid_t)
@@ -63720,7 +129427,7 @@ index 4b2230e..7b3d2db 100644
  ')
  
  tunable_policy(`squid_use_tproxy',`
-@@ -185,6 +187,7 @@ optional_policy(`
+@@ -185,6 +194,7 @@ optional_policy(`
  	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
  	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
  	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@@ -63728,7 +129435,7 @@ index 4b2230e..7b3d2db 100644
  
  	sysnet_dns_name_resolve(httpd_squid_script_t)
  
-@@ -206,3 +209,7 @@ optional_policy(`
+@@ -206,3 +216,7 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(squid_t)
  ')
@@ -63737,10 +129444,10 @@ index 4b2230e..7b3d2db 100644
 +	kerberos_manage_host_rcache(squid_t)
 +')
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..84d29ee 100644
+index 078bcd7..21ff471 100644
 --- a/policy/modules/services/ssh.fc
 +++ b/policy/modules/services/ssh.fc
-@@ -1,4 +1,11 @@
+@@ -1,9 +1,19 @@
  HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +HOME_DIR/\.shosts			gen_context(system_u:object_r:ssh_home_t,s0)
 +
@@ -63752,7 +129459,15 @@ index 078bcd7..84d29ee 100644
  
  /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
  /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
-@@ -14,3 +21,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+ /etc/ssh/ssh_host_dsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
+ /etc/ssh/ssh_host_rsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
++/etc/ssh/ssh_host_key.pub	--	gen_context(system_u:object_r:sshd_key_t,s0)
++/etc/ssh/ssh_host_dsa_key.pub	--	gen_context(system_u:object_r:sshd_key_t,s0)
++/etc/ssh/ssh_host_rsa_key.pub	--	gen_context(system_u:object_r:sshd_key_t,s0)
+ 
+ /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
+ /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+@@ -14,3 +24,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
  
  /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
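Review bot: The three new entries leave the dot before `pub` unescaped (`ssh_host_key.pub`), whereas other patterns in this file escape it (`\.ssh`, `sshd\.init\.pid`). In a file-context regex the bare dot matches any character, so these should read `ssh_host_key\.pub`, `ssh_host_dsa_key\.pub` and `ssh_host_rsa_key\.pub`. They also give the public host keys the same `sshd_key_t` type as the private keys, so any domain later granted read access for the public half gets the private half too. A comment stating that this is intended, or a separate type for the public keys, would settle it.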
@@ -63761,7 +129476,7 @@ index 078bcd7..84d29ee 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..6ec295a 100644
+index 22adaca..7f010a4 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -63925,7 +129640,7 @@ index 22adaca..6ec295a 100644
  
  	files_read_etc_files($1_t)
  	files_read_etc_runtime_files($1_t)
-@@ -243,21 +276,13 @@ template(`ssh_server_template', `
+@@ -243,31 +276,31 @@ template(`ssh_server_template', `
  
  	miscfiles_read_localization($1_t)
  
@@ -63949,7 +129664,11 @@ index 22adaca..6ec295a 100644
  
  	optional_policy(`
  		kerberos_use($1_t)
-@@ -268,6 +293,14 @@ template(`ssh_server_template', `
+-		kerberos_manage_host_rcache($1_t)
++		#kerberos_manage_host_rcache($1_t)
+ 	')
+ 
+ 	optional_policy(`
  		files_read_var_lib_symlinks($1_t)
  		nx_spec_domtrans_server($1_t)
  	')
@@ -63964,7 +129683,7 @@ index 22adaca..6ec295a 100644
  ')
  
  ########################################
-@@ -290,11 +323,11 @@ template(`ssh_server_template', `
+@@ -290,14 +323,15 @@ template(`ssh_server_template', `
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -63977,7 +129696,11 @@ index 22adaca..6ec295a 100644
  		type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
  		type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
  		type ssh_agent_tmp_t;
-@@ -327,17 +360,20 @@ template(`ssh_role_template',`
++		type cache_home_t;
+ 	')
+ 
+ 	##############################
+@@ -327,17 +361,20 @@ template(`ssh_role_template',`
  
  	# allow ps to show ssh
  	ps_process_pattern($3, ssh_t)
@@ -63999,8 +129722,11 @@ index 22adaca..6ec295a 100644
  
  	##############################
  	#
-@@ -359,7 +395,7 @@ template(`ssh_role_template',`
+@@ -357,9 +394,10 @@ template(`ssh_role_template',`
+ 
+ 	# for ssh-add
  	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
++	stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)
  
  	# Allow the user shell to signal the ssh program.
 -	allow $3 $1_ssh_agent_t:process signal;
@@ -64008,7 +129734,7 @@ index 22adaca..6ec295a 100644
  
  	# allow ps to show ssh
  	ps_process_pattern($3, $1_ssh_agent_t)
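Review bot: The added `stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)` sits under the `# for ssh-add` comment, but nothing says which agent socket is created under the cache directory. Judging by its name, `cache_home_t` is a general per-user cache type rather than an agent-specific one, so the rule lets the user domain write to any socket file carrying that type. A line such as `# agent socket created under the user's cache directory by <component>` would make that reviewable. The `type cache_home_t;` requirement is added to the template's `gen_require` in an earlier hunk.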
-@@ -381,7 +417,6 @@ template(`ssh_role_template',`
+@@ -381,7 +419,6 @@ template(`ssh_role_template',`
  
  	files_read_etc_files($1_ssh_agent_t)
  	files_read_etc_runtime_files($1_ssh_agent_t)
@@ -64016,7 +129742,7 @@ index 22adaca..6ec295a 100644
  
  	libs_read_lib_files($1_ssh_agent_t)
  
-@@ -393,28 +428,15 @@ template(`ssh_role_template',`
+@@ -393,28 +430,15 @@ template(`ssh_role_template',`
  	seutil_dontaudit_read_config($1_ssh_agent_t)
  
  	# Write to the user domain tty.
@@ -64048,7 +129774,7 @@ index 22adaca..6ec295a 100644
  
  	optional_policy(`
  		nis_use_ypbind($1_ssh_agent_t)
-@@ -464,6 +486,24 @@ interface(`ssh_signal',`
+@@ -464,6 +488,24 @@ interface(`ssh_signal',`
  
  ########################################
  ## <summary>
@@ -64073,7 +129799,7 @@ index 22adaca..6ec295a 100644
  ##	Read a ssh server unnamed pipe.
  ## </summary>
  ## <param name="domain">
-@@ -477,8 +517,27 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +519,27 @@ interface(`ssh_read_pipes',`
  		type sshd_t;
  	')
  
@@ -64102,7 +129828,7 @@ index 22adaca..6ec295a 100644
  ########################################
  ## <summary>
  ##	Read and write a ssh server unnamed pipe.
-@@ -494,7 +553,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +555,7 @@ interface(`ssh_rw_pipes',`
  		type sshd_t;
  	')
  
@@ -64111,7 +129837,7 @@ index 22adaca..6ec295a 100644
  ')
  
  ########################################
-@@ -586,6 +645,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +647,24 @@ interface(`ssh_domtrans',`
  
  ########################################
  ## <summary>
@@ -64136,7 +129862,7 @@ index 22adaca..6ec295a 100644
  ##	Execute the ssh client in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -618,7 +695,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +697,7 @@ interface(`ssh_setattr_key_files',`
  		type sshd_key_t;
  	')
  
@@ -64145,7 +129871,7 @@ index 22adaca..6ec295a 100644
  	files_search_pids($1)
  ')
  
-@@ -643,6 +720,42 @@ interface(`ssh_agent_exec',`
+@@ -643,6 +722,42 @@ interface(`ssh_agent_exec',`
  
  ########################################
  ## <summary>
@@ -64188,7 +129914,7 @@ index 22adaca..6ec295a 100644
  ##	Read ssh home directory content
  ## </summary>
  ## <param name="domain">
-@@ -682,6 +795,50 @@ interface(`ssh_domtrans_keygen',`
+@@ -682,6 +797,50 @@ interface(`ssh_domtrans_keygen',`
  
  ########################################
  ## <summary>
@@ -64239,7 +129965,7 @@ index 22adaca..6ec295a 100644
  ##	Read ssh server keys
  ## </summary>
  ## <param name="domain">
-@@ -695,7 +852,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +854,7 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
@@ -64248,7 +129974,7 @@ index 22adaca..6ec295a 100644
  ')
  
  ######################################
-@@ -735,3 +892,63 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +894,64 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -64270,6 +129996,7 @@ index 22adaca..6ec295a 100644
 +
 +    allow sshd_t $1:process dyntransition;
 +    allow $1 sshd_t:process sigchld;
++    allow sshd_t $1:process { getattr sigkill sigstop signull signal };
 +')
 +
 +########################################
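Review bot: The added `allow sshd_t $1:process { getattr sigkill sigstop signull signal };` lets sshd_t signal every domain that calls this interface, but nothing visible documents that. The interface header is outside the hunk and, judging by the dyntransition rule just above, presumably describes only the transition. Extend the summary with a line such as `##	sshd is also allowed to signal the target domain.` so callers know the full grant.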
@@ -64313,7 +130040,7 @@ index 22adaca..6ec295a 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..4a63fae 100644
+index 2dad3c8..6dbec51 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0)
@@ -64455,14 +130182,14 @@ index 2dad3c8..4a63fae 100644
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
 +corenet_tcp_bind_generic_node(ssh_t)
-+corenet_tcp_bind_all_unreserved_ports(ssh_t)
++#corenet_tcp_bind_all_unreserved_ports(ssh_t)
 +corenet_rw_tun_tap_dev(ssh_t)
  
 +dev_read_rand(ssh_t)
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -162,31 +179,24 @@ logging_read_generic_logs(ssh_t)
+@@ -162,37 +179,36 @@ logging_read_generic_logs(ssh_t)
  auth_use_nsswitch(ssh_t)
  
  miscfiles_read_localization(ssh_t)
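Review bot: `#corenet_tcp_bind_all_unreserved_ports(ssh_t)` stays in the policy as a commented-out rule, while the same call is reintroduced under the user_tcp_server tunable two hunks further down. The dead line gives no reason and invites someone to re-enable the unconditional bind. Delete it, or replace it with `# binding unreserved ports is gated by user_tcp_server below`.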
@@ -64481,6 +130208,7 @@ index 2dad3c8..4a63fae 100644
  userdom_read_user_tmp_files(ssh_t)
 +userdom_write_user_tmp_files(ssh_t)
 +userdom_read_user_home_content_symlinks(ssh_t)
++userdom_rw_inherited_user_home_content_files(ssh_t)
 +userdom_read_home_certs(ssh_t)
 +userdom_home_manager(ssh_t)
  
@@ -64503,15 +130231,18 @@ index 2dad3c8..4a63fae 100644
  ')
  
  # for port forwarding
-@@ -196,10 +206,15 @@ tunable_policy(`user_tcp_server',`
- ')
- 
- optional_policy(`
-+	gnome_stream_connect_all_gkeyringd(ssh_t)
+ tunable_policy(`user_tcp_server',`
+ 	corenet_tcp_bind_ssh_port(ssh_t)
+ 	corenet_tcp_bind_generic_node(ssh_t)
++	corenet_tcp_bind_all_unreserved_ports(ssh_t)
 +')
 +
 +optional_policy(`
- 	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
++	gnome_stream_connect_gkeyringd(ssh_t)
+ ')
+ 
+ optional_policy(`
+@@ -200,6 +216,7 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -64519,7 +130250,7 @@ index 2dad3c8..4a63fae 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,19 +224,14 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,19 +226,14 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -64541,7 +130272,7 @@ index 2dad3c8..4a63fae 100644
  #################################
  #
  # sshd local policy
-@@ -232,33 +242,39 @@ optional_policy(`
+@@ -232,33 +244,46 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -64571,6 +130302,7 @@ index 2dad3c8..4a63fae 100644
 +userdom_spec_domtrans_unpriv_users(sshd_t)
 +userdom_signal_unpriv_users(sshd_t)
 +userdom_dyntransition_unpriv_users(sshd_t)
++userdom_dyntransition_admin_users(sshd_t)
 +
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
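Review bot: `userdom_dyntransition_admin_users(sshd_t)` is added unconditionally, directly above the ssh_sysadm_login tunable block that gates administrator logins over ssh. Its definition is not visible here, but if it grants dyntransition into the admin user domains, sshd_t holds that permission even when ssh_sysadm_login is off. Move the call inside the ssh_sysadm_login block, or add a comment explaining why it must sit outside, e.g. `# needed regardless of ssh_sysadm_login because <reason>`.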
@@ -64587,10 +130319,16 @@ index 2dad3c8..4a63fae 100644
 +
 +optional_policy(`
 +	amanda_search_var_lib(sshd_t)
++')
++
++optional_policy(`
++	condor_rw_lib_files(sshd_t)
++	condor_rw_tcp_sockets_startd(sshd_t)
++	condor_rw_tcp_sockets_schedd(sshd_t)
  ')
  
  optional_policy(`
-@@ -266,11 +282,24 @@ optional_policy(`
+@@ -266,11 +291,24 @@ optional_policy(`
  ')
  
  optional_policy(`
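Review bot: The new condor block gives sshd_t read/write on condor's lib files and on the startd and schedd TCP sockets, with no comment saying why a login daemon needs them. If the access only comes from descriptors inherited when condor starts sshd (an assumption, not shown here), a dontaudit or a narrower interface may be enough. At minimum add a comment above the three calls, e.g. `# condor launches sshd and passes its sockets: <bug reference>`.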
@@ -64616,7 +130354,7 @@ index 2dad3c8..4a63fae 100644
  ')
  
  optional_policy(`
-@@ -284,6 +313,15 @@ optional_policy(`
+@@ -284,6 +322,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64632,7 +130370,7 @@ index 2dad3c8..4a63fae 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +330,26 @@ optional_policy(`
+@@ -292,26 +339,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -64678,7 +130416,7 @@ index 2dad3c8..4a63fae 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,19 +360,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +369,26 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -64706,7 +130444,7 @@ index 2dad3c8..4a63fae 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,9 +396,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,9 +405,11 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -64720,7 +130458,7 @@ index 2dad3c8..4a63fae 100644
  ')
  
  optional_policy(`
-@@ -363,3 +410,77 @@ optional_policy(`
+@@ -363,3 +419,76 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -64755,7 +130493,6 @@ index 2dad3c8..4a63fae 100644
 +# chroot_user_t local policy
 +#
 +
-+
 +userdom_read_user_home_content_files(chroot_user_t)
 +userdom_read_inherited_user_home_content_files(chroot_user_t)
 +userdom_read_user_home_content_symlinks(chroot_user_t)
@@ -64798,6 +130535,19 @@ index 2dad3c8..4a63fae 100644
 +optional_policy(`
 +    ssh_rw_dgram_sockets(chroot_user_t)
 +')
+diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc
+index 4271815..4bc00ea 100644
+--- a/policy/modules/services/sssd.fc
++++ b/policy/modules/services/sssd.fc
+@@ -4,6 +4,8 @@
+ 
+ /var/lib/sss(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
+ 
++/var/lib/sss/mc(/.*)?		gen_context(system_u:object_r:sssd_public_t,s0)
++
+ /var/lib/sss/pubconf(/.*)?	gen_context(system_u:object_r:sssd_public_t,s0)
+ 
+ /var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_log_t,s0)
 diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
 index 941380a..e1095f0 100644
 --- a/policy/modules/services/sssd.if
@@ -64884,7 +130634,7 @@ index 941380a..e1095f0 100644
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
 diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..4b21a45 100644
+index 8ffa257..1dfa5ce 100644
 --- a/policy/modules/services/sssd.te
 +++ b/policy/modules/services/sssd.te
 @@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@@ -64900,10 +130650,11 @@ index 8ffa257..4b21a45 100644
  # sssd local policy
  #
 -allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
-+
-+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin };
- allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
+-allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
 -allow sssd_t self:fifo_file rw_file_perms;
++
++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
++allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
 +allow sssd_t self:fifo_file rw_fifo_file_perms;
 +allow sssd_t self:key manage_key_perms;
  allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
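Review bot: The sssd_t capability line now carries sys_admin, sys_resource and net_admin alongside dac_override, and nothing says which sssd operation needs each one. sys_resource and the new `setrlimit` process permission look like they belong together, but that is inferred. A short comment above the two rules, for example `# sys_resource + setrlimit: sssd raises its own limits (<bug reference>)`, would let a later review drop a capability once it is no longer needed.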
@@ -64920,7 +130671,7 @@ index 8ffa257..4b21a45 100644
  
  manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
  logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,11 +52,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,18 +52,25 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
  manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
  files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
  
@@ -64937,15 +130688,16 @@ index 8ffa257..4b21a45 100644
  
  domain_read_all_domains_state(sssd_t)
  domain_obj_id_change_exemption(sssd_t)
-@@ -60,6 +69,7 @@ domain_obj_id_change_exemption(sssd_t)
+ 
  files_list_tmp(sssd_t)
  files_read_etc_files(sssd_t)
++files_read_etc_runtime_files(sssd_t)
  files_read_usr_files(sssd_t)
 +files_list_var_lib(sssd_t)
  
  fs_list_inotifyfs(sssd_t)
  
-@@ -68,10 +78,14 @@ selinux_validate_context(sssd_t)
+@@ -68,10 +79,14 @@ selinux_validate_context(sssd_t)
  seutil_read_file_contexts(sssd_t)
  
  mls_file_read_to_clearance(sssd_t)
@@ -64961,7 +130713,7 @@ index 8ffa257..4b21a45 100644
  
  init_read_utmp(sssd_t)
  
-@@ -79,6 +93,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +94,12 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_localization(sssd_t)
@@ -64974,7 +130726,7 @@ index 8ffa257..4b21a45 100644
  
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
-@@ -87,4 +107,18 @@ optional_policy(`
+@@ -87,4 +108,18 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_manage_host_rcache(sssd_t)
@@ -65053,6 +130805,215 @@ index f646c66..5370bb8 100644
  ')
 +
  allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+diff --git a/policy/modules/services/svnserve.fc b/policy/modules/services/svnserve.fc
+new file mode 100644
+index 0000000..5ab0840
+--- /dev/null
++++ b/policy/modules/services/svnserve.fc
+@@ -0,0 +1,12 @@
++/etc/rc.d/init.d/svnserve	--	gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
++
++/usr/bin/svnserve		--	gen_context(system_u:object_r:svnserve_exec_t,s0)
++
++/lib/systemd/system/svnserve\.service                --      gen_context(system_u:object_r:svnserve_unit_file_t,s0)
++/usr/lib/systemd/system/svnserve\.service                --      gen_context(system_u:object_r:svnserve_unit_file_t,s0)
++
++/var/run/svnserve(/.*)?			gen_context(system_u:object_r:svnserve_var_run_t,s0)
++/var/run/svnserve.pid		--	gen_context(system_u:object_r:svnserve_var_run_t,s0)
++
++/var/subversion/repo(/.*)?		gen_context(system_u:object_r:svnserve_content_t,s0)	
++/var/lib/subversion/repo(/.*)?		gen_context(system_u:object_r:svnserve_content_t,s0)	
+diff --git a/policy/modules/services/svnserve.if b/policy/modules/services/svnserve.if
+new file mode 100644
+index 0000000..bab5617
+--- /dev/null
++++ b/policy/modules/services/svnserve.if
+@@ -0,0 +1,125 @@
++
++## <summary>policy for svnserve</summary>
++
++
++########################################
++## <summary>
++##	Transition to svnserve.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`svnserve_domtrans',`
++	gen_require(`
++		type svnserve_t, svnserve_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, svnserve_exec_t, svnserve_t)
++')
++
++
++########################################
++## <summary>
++##	Execute svnserve server in the svnserve domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`svnserve_initrc_domtrans',`
++	gen_require(`
++		type svnserve_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
++')
++
++#######################################
++## <summary>
++##      Execute svnserve server in the svnserve domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed to transition.
++##      </summary>
++## </param>
++#
++interface(`svnserve_systemctl',`
++        gen_require(`
++                type svnserve_t;
++                type svnserve_unit_file_t;
++        ')
++
++        systemd_exec_systemctl($1)
++        systemd_read_fifo_file_password_run($1)
++        allow $1 svnserve_unit_file_t:file read_file_perms;
++        allow $1 svnserve_unit_file_t:service manage_service_perms;
++
++        ps_process_pattern($1, svnserve_t)
++')
++
++########################################
++## <summary>
++##	Read svnserve PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`svnserve_read_pid_files',`
++	gen_require(`
++		type svnserve_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 svnserve_var_run_t:file read_file_perms;
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an svnserve environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`svnserve_admin',`
++	gen_require(`
++		type svnserve_t;
++		type svnserve_var_run_t;
++		type svnserve_unit_file_t;
++	')
++
++	allow $1 svnserve_t:process { ptrace signal_perms };
++	ps_process_pattern($1, svnserve_t)
++
++	files_search_pids($1)
++	admin_pattern($1, svnserve_var_run_t)
++
++	svnserve_systemctl($1)
++	admin_pattern($1, svnserve_unit_file_t)
++	allow $1 svnserve_unit_file_t:service all_service_perms;
++        optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
++
+diff --git a/policy/modules/services/svnserve.te b/policy/modules/services/svnserve.te
+new file mode 100644
+index 0000000..df04e25
+--- /dev/null
++++ b/policy/modules/services/svnserve.te
+@@ -0,0 +1,54 @@
++policy_module(svnserve, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type svnserve_t;
++type svnserve_exec_t;
++init_daemon_domain(svnserve_t, svnserve_exec_t)
++
++type svnserve_initrc_exec_t;
++init_script_file(svnserve_initrc_exec_t)
++
++type svnserve_var_run_t;
++files_pid_file(svnserve_var_run_t)
++
++type svnserve_content_t;
++files_type(svnserve_content_t)
++
++type svnserve_unit_file_t;
++systemd_unit_file(svnserve_unit_file_t)
++
++########################################
++#
++# svnserve local policy
++#
++
++allow svnserve_t self:fifo_file rw_fifo_file_perms;
++allow svnserve_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
++manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
++
++manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
++manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
++files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
++
++corenet_udp_bind_generic_node(svnserve_t)
++#corenet_tcp_connect_svn_port(svnserve_t)
++#corenet_tcp_bind_svn_port(svnserve_t)
++#corenet_udp_bind_svn_port(svnserve_t)
++
++domain_use_interactive_fds(svnserve_t)
++
++files_read_etc_files(svnserve_t)
++files_read_usr_files(svnserve_t)
++
++logging_send_syslog_msg(svnserve_t)
++
++miscfiles_read_localization(svnserve_t)
++
++sysnet_dns_name_resolve(svnserve_t)
++
 diff --git a/policy/modules/services/sysstat.fc b/policy/modules/services/sysstat.fc
 index 08d999c..bca4388 100644
 --- a/policy/modules/services/sysstat.fc
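Review bot: svnserve_admin grants `ptrace` on svnserve_t unconditionally, so if deny_ptrace is enforced through conditional rules (it is listed in booleans-targeted.conf), this grant would stay active with the boolean on. Keep signal_perms unconditional and put ptrace behind the tunable, as sketched below; this assumes deny_ptrace is declared as a tunable in the policy. The same interface documents a role parameter and `<rolecap/>` but never uses `$2`. Separately, svnserve_systemctl calls `systemd_read_fifo_file_password_run` while svnserve_admin calls `systemd_read_fifo_file_passwd_run`; settle on whichever spelling the systemd module defines (tor.if repeats the same pair).

```selinux
interface(`svnserve_admin',`
	# … unchanged: gen_require block …

	allow $1 svnserve_t:process signal_perms;
	# ptrace only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 svnserve_t:process ptrace;
	')
	# … unchanged: ps_process_pattern, pid file and unit file rules …
```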
@@ -65277,8 +131238,17 @@ index f40e67b..8d1e658 100644
 +optional_policy(`
 +	remotelogin_domtrans(telnetd_t)
 +')
+diff --git a/policy/modules/services/tftp.fc b/policy/modules/services/tftp.fc
+index 25eee43..621f343 100644
+--- a/policy/modules/services/tftp.fc
++++ b/policy/modules/services/tftp.fc
+@@ -1,3 +1,4 @@
++/etc/xinetd\.d/tftp	--	gen_context(system_u:object_r:tftpd_etc_t,s0)
+ 
+ /usr/sbin/atftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
+ /usr/sbin/in\.tftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
 diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
-index 38bb312..0fee098 100644
+index 38bb312..4b691ac 100644
 --- a/policy/modules/services/tftp.if
 +++ b/policy/modules/services/tftp.if
 @@ -13,9 +13,33 @@
@@ -65315,10 +131285,47 @@ index 38bb312..0fee098 100644
  ')
  
  ########################################
-@@ -40,6 +64,36 @@ interface(`tftp_manage_rw_content',`
+@@ -40,6 +64,91 @@ interface(`tftp_manage_rw_content',`
  
  ########################################
  ## <summary>
++##	Read tftp config files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tftp_read_config',`
++	gen_require(`
++		type tftpd_etc_t;
++	')
++
++	read_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
++')
++
++########################################
++## <summary>
++##	Manage tftp config files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tftp_manage_config',`
++	gen_require(`
++		type tftpd_etc_t;
++	')
++
++ 	manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
++	files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
++')
++
++########################################
++## <summary>
 +##	Create objects in tftpdir directories
 +##	with specified types.
 +## </summary>
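Review bot: tftp_manage_config's summary says only "Manage tftp config files", but the interface also installs a named type transition through `files_etc_filetrans($1, tftpd_etc_t, file, "tftp")`. A file named tftp that the caller creates in a directory covered by that rule gets tftpd_etc_t. tftp_admin calls this interface, so admin domains pick up the transition too. Add a summary line such as `##	Also creates files named tftp with the tftpd_etc_t type.`. The same filetrans call is repeated in tftp_filetrans_named_content in the next hunk; calling that interface here would keep a single copy.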
@@ -65349,10 +131356,28 @@ index 38bb312..0fee098 100644
 +
 +########################################
 +## <summary>
++##	Transition to tftp named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tftp_filetrans_named_content',`
++	gen_require(`
++		type tftpd_etc_t;
++	')
++
++	files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
++')
++
++########################################
++## <summary>
  ##	All of the rules required to administrate
  ##	an tftp environment
  ## </summary>
-@@ -55,9 +109,13 @@ interface(`tftp_admin',`
+@@ -55,13 +164,19 @@ interface(`tftp_admin',`
  		type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
  	')
  
@@ -65367,8 +131392,14 @@ index 38bb312..0fee098 100644
  	admin_pattern($1, tftpdir_rw_t)
  
  	admin_pattern($1, tftpdir_t)
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, tftpd_var_run_t)
++
++	tftp_manage_config($1)
+ ')
 diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
-index d50c10d..97ce79e 100644
+index d50c10d..e0c6d19 100644
 --- a/policy/modules/services/tftp.te
 +++ b/policy/modules/services/tftp.te
 @@ -6,10 +6,10 @@ policy_module(tftp, 1.12.0)
@@ -65386,7 +131417,16 @@ index d50c10d..97ce79e 100644
  ## </desc>
  gen_tunable(tftp_anon_write, false)
  
-@@ -32,15 +32,15 @@ files_type(tftpdir_rw_t)
+@@ -26,21 +26,26 @@ files_type(tftpdir_t)
+ type tftpdir_rw_t;
+ files_type(tftpdir_rw_t)
+ 
++type tftpd_etc_t;
++files_config_file(tftpd_etc_t)
++
+ ########################################
+ #
+ # Local policy
  #
  
  allow tftpd_t self:capability { setgid setuid sys_chroot };
@@ -65401,10 +131441,12 @@ index d50c10d..97ce79e 100644
  allow tftpd_t tftpdir_t:file read_file_perms;
 -allow tftpd_t tftpdir_t:lnk_file { getattr read };
 +allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
++
++read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t)
  
  manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
  manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
-@@ -94,6 +94,10 @@ tunable_policy(`tftp_anon_write',`
+@@ -94,6 +99,10 @@ tunable_policy(`tftp_anon_write',`
  ')
  
  optional_policy(`
@@ -65425,7 +131467,7 @@ index 8294f6f..4847b43 100644
  /var/lib/tgtd(/.*)?			gen_context(system_u:object_r:tgtd_var_lib_t,s0)
 +/var/run/tgtd.*			-s	gen_context(system_u:object_r:tgtd_var_run_t,s0)
 diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
-index 665bf7c..a1ea37a 100644
+index 665bf7c..55c5868 100644
 --- a/policy/modules/services/tgtd.te
 +++ b/policy/modules/services/tgtd.te
 @@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t)
@@ -65464,7 +131506,7 @@ index 665bf7c..a1ea37a 100644
  corenet_tcp_bind_iscsi_port(tgtd_t)
  corenet_sendrecv_iscsi_server_packets(tgtd_t)
  
-+dev_search_sysfs(tgtd_t)
++dev_read_sysfs(tgtd_t)
 +
  files_read_etc_files(tgtd_t)
  
@@ -65479,12 +131521,59 @@ index 665bf7c..a1ea37a 100644
 +optional_policy(`
 +	iscsi_manage_semaphores(tgtd_t)
 +')
+diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc
+index e2e06b2..6752bc3 100644
+--- a/policy/modules/services/tor.fc
++++ b/policy/modules/services/tor.fc
+@@ -4,6 +4,8 @@
+ /usr/bin/tor		--	gen_context(system_u:object_r:tor_exec_t,s0)
+ /usr/sbin/tor		--	gen_context(system_u:object_r:tor_exec_t,s0)
+ 
++/usr/lib/systemd/system/tor.*         --      gen_context(system_u:object_r:tor_unit_file_t,s0)
++
+ /var/lib/tor(/.*)?		gen_context(system_u:object_r:tor_var_lib_t,s0)
+ /var/lib/tor-data(/.*)?		gen_context(system_u:object_r:tor_var_lib_t,s0)
+ 
 diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
-index 904f13e..f9d007b 100644
+index 904f13e..26f16dd 100644
 --- a/policy/modules/services/tor.if
 +++ b/policy/modules/services/tor.if
-@@ -42,8 +42,11 @@ interface(`tor_admin',`
+@@ -18,6 +18,30 @@ interface(`tor_domtrans',`
+ 	domtrans_pattern($1, tor_exec_t, tor_t)
+ ')
+ 
++#######################################
++## <summary>
++##      Execute tor server in the tor domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed to transition.
++##      </summary>
++## </param>
++#
++interface(`tor_systemctl',`
++        gen_require(`
++                type tor_t;
++                type tor_unit_file_t;
++        ')
++
++        systemd_exec_systemctl($1)
++        systemd_read_fifo_file_password_run($1)
++        allow $1 tor_unit_file_t:file read_file_perms;
++        allow $1 tor_unit_file_t:service manage_service_perms;
++
++        ps_process_pattern($1, tor_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	All of the rules required to administrate 
+@@ -40,10 +64,14 @@ interface(`tor_admin',`
+ 		type tor_t, tor_var_log_t, tor_etc_t;
+ 		type tor_var_lib_t, tor_var_run_t;
  		type tor_initrc_exec_t;
++		type tor_unit_file_t;
  	')
  
 -	allow $1 tor_t:process { ptrace signal_perms getattr };
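Review bot: The tor.fc entry `/usr/lib/systemd/system/tor.*` is wider than the unit it is meant to label, since it matches every unit file whose name starts with "tor". tor_admin, in a later hunk, grants all_service_perms on tor_unit_file_t, so an unrelated service with such a name would fall under tor administration. svnserve.fc in the same patch uses the escaped form `svnserve\.service`; `/usr/lib/systemd/system/tor\.service` would follow that, if tor.service is the only unit intended (not visible here). The tor_systemctl summary also repeats the domtrans wording "Execute tor server in the tor domain", although the interface controls the unit through systemctl.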
@@ -65496,11 +131585,34 @@ index 904f13e..f9d007b 100644
  
  	init_labeled_script_domtrans($1, tor_initrc_exec_t)
  	domain_system_change_exemption($1)
+@@ -61,4 +89,13 @@ interface(`tor_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, tor_var_run_t)
++
++	tor_systemctl($1)
++	admin_pattern($1, tor_unit_file_t)
++	allow $1 tor_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
+ ')
 diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
-index c842cad..037dd90 100644
+index c842cad..799fac3 100644
 --- a/policy/modules/services/tor.te
 +++ b/policy/modules/services/tor.te
-@@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t)
+@@ -36,12 +36,16 @@ logging_log_file(tor_var_log_t)
+ type tor_var_run_t;
+ files_pid_file(tor_var_run_t)
+ 
++type tor_unit_file_t;
++systemd_unit_file(tor_unit_file_t)
++
+ ########################################
+ #
+ # tor local policy
  #
  
  allow tor_t self:capability { setgid setuid sys_tty_config };
@@ -65508,7 +131620,7 @@ index c842cad..037dd90 100644
  allow tor_t self:fifo_file rw_fifo_file_perms;
  allow tor_t self:unix_stream_socket create_stream_socket_perms;
  allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -87,6 +88,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
+@@ -87,6 +91,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
  corenet_tcp_bind_generic_node(tor_t)
  corenet_udp_bind_generic_node(tor_t)
  corenet_tcp_bind_tor_port(tor_t)
@@ -65516,7 +131628,7 @@ index c842cad..037dd90 100644
  corenet_udp_bind_dns_port(tor_t)
  corenet_sendrecv_tor_server_packets(tor_t)
  corenet_sendrecv_dns_server_packets(tor_t)
-@@ -95,9 +97,11 @@ corenet_tcp_connect_all_ports(tor_t)
+@@ -95,9 +100,11 @@ corenet_tcp_connect_all_ports(tor_t)
  corenet_sendrecv_all_client_packets(tor_t)
  # ... especially including port 80 and other privileged ports
  corenet_tcp_connect_all_reserved_ports(tor_t)
@@ -65528,6 +131640,23 @@ index c842cad..037dd90 100644
  
  domain_use_interactive_fds(tor_t)
  
+diff --git a/policy/modules/services/tuned.fc b/policy/modules/services/tuned.fc
+index 639c962..8488152 100644
+--- a/policy/modules/services/tuned.fc
++++ b/policy/modules/services/tuned.fc
+@@ -1,8 +1,12 @@
+ /etc/rc\.d/init\.d/tuned	--	gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
+ 
++/etc/tuned(/.)?				 	gen_context(system_u:object_r:tuned_etc_t,s0)
++/etc/tuned/active_profile --		gen_context(system_u:object_r:tuned_rw_etc_t,s0)
++
+ /usr/sbin/tuned			--	gen_context(system_u:object_r:tuned_exec_t,s0)
+ 
+ /var/log/tuned(/.*)?			gen_context(system_u:object_r:tuned_log_t,s0)
+ /var/log/tuned\.log		--	gen_context(system_u:object_r:tuned_log_t,s0)
+ 
++/var/run/tuned(/.*)?				gen_context(system_u:object_r:tuned_var_run_t,s0)
+ /var/run/tuned\.pid		--	gen_context(system_u:object_r:tuned_var_run_t,s0)
 diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
 index 54b8605..a04f013 100644
 --- a/policy/modules/services/tuned.if
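Review bot: `/etc/tuned(/.)?` in tuned.fc matches only the directory itself and entries with a one-character name, because the `.` is not followed by `*`. Every other directory entry in this file uses `(/.*)?`. Profile files under /etc/tuned would therefore keep their default label instead of tuned_etc_t, and the read_files_pattern rule added in tuned.te would not apply to them. The line should read `/etc/tuned(/.*)?		gen_context(system_u:object_r:tuned_etc_t,s0)`.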
@@ -65570,36 +131699,76 @@ index 54b8605..a04f013 100644
  	admin_pattern($1, tuned_var_run_t)
  ')
 diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
-index db9d2a5..7f1a022 100644
+index db9d2a5..da20967 100644
 --- a/policy/modules/services/tuned.te
 +++ b/policy/modules/services/tuned.te
-@@ -24,6 +24,7 @@ files_pid_file(tuned_var_run_t)
+@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
+ type tuned_initrc_exec_t;
+ init_script_file(tuned_initrc_exec_t)
+ 
++type tuned_etc_t;
++files_config_file(tuned_etc_t)
++
++type tuned_rw_etc_t;
++files_config_file(tuned_rw_etc_t)
++
+ type tuned_log_t;
+ logging_log_file(tuned_log_t)
+ 
+@@ -23,23 +29,38 @@ files_pid_file(tuned_var_run_t)
+ # tuned local policy
  #
  
++allow tuned_t self:process signal;
++
  dontaudit tuned_t self:capability { dac_override sys_tty_config };
 +allow tuned_t self:fifo_file rw_fifo_file_perms;
++allow tuned_t self:udp_socket create_socket_perms;
++
++read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
++
++manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
  
  manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
  manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
-@@ -39,7 +40,7 @@ kernel_read_system_state(tuned_t)
+-logging_log_filetrans(tuned_t, tuned_log_t, file)
++logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
+ 
+ manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
+-files_pid_filetrans(tuned_t, tuned_var_run_t, file)
++manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
++files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
+ 
+ corecmd_exec_shell(tuned_t)
+ corecmd_exec_bin(tuned_t)
+ 
+ kernel_read_system_state(tuned_t)
  kernel_read_network_state(tuned_t)
++kernel_read_kernel_sysctls(tuned_t)
++kernel_rw_hotplug_sysctls(tuned_t)
++kernel_rw_vm_sysctls(tuned_t)
  
++dev_getattr_all_blk_files(tuned_t)
++dev_getattr_all_chr_files(tuned_t)
++dev_dontaudit_getattr_all(tuned_t)
  dev_read_urand(tuned_t)
 -dev_read_sysfs(tuned_t)
 +dev_rw_sysfs(tuned_t)
  # to allow cpu tuning
  dev_rw_netcontrol(tuned_t)
  
-@@ -47,6 +48,8 @@ files_read_etc_files(tuned_t)
+@@ -47,6 +68,10 @@ files_read_etc_files(tuned_t)
  files_read_usr_files(tuned_t)
  files_dontaudit_search_home(tuned_t)
  
++fs_getattr_xattr_fs(tuned_t)
++
 +auth_use_nsswitch(tuned_t)
 +
  logging_send_syslog_msg(tuned_t)
  
  miscfiles_read_localization(tuned_t)
-@@ -58,6 +61,10 @@ optional_policy(`
+@@ -58,6 +83,14 @@ optional_policy(`
  	fstools_domtrans(tuned_t)
  ')
  
@@ -65607,6 +131776,10 @@ index db9d2a5..7f1a022 100644
 +	gnome_dontaudit_search_config(tuned_t)
 +')
 +
++optional_policy(`
++	mount_domtrans(tuned_t)
++')
++
  # to allow network interface tuning
  optional_policy(`
  	sysnet_domtrans_ifconfig(tuned_t)
@@ -66091,7 +132264,7 @@ index 93975d6..7a665ff 100644
  	init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
-index f9310f3..7a350f1 100644
+index f9310f3..a6ed441 100644
 --- a/policy/modules/services/varnishd.te
 +++ b/policy/modules/services/varnishd.te
 @@ -6,10 +6,10 @@ policy_module(varnishd, 1.2.0)
@@ -66127,6 +132300,15 @@ index f9310f3..7a350f1 100644
  
  ########################################
  #
+@@ -87,6 +87,8 @@ corenet_tcp_connect_http_port(varnishd_t)
+ 
+ dev_read_urand(varnishd_t)
+ 
++files_read_usr_files(varnishd_t)
++
+ fs_getattr_all_fs(varnishd_t)
+ 
+ auth_use_nsswitch(varnishd_t)
 diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc
 new file mode 100644
 index 0000000..2ba852c
@@ -66145,10 +132327,10 @@ index 0000000..2ba852c
 +
 diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if
 new file mode 100644
-index 0000000..c6be180
+index 0000000..8c74340
 --- /dev/null
 +++ b/policy/modules/services/vdagent.if
-@@ -0,0 +1,128 @@
+@@ -0,0 +1,122 @@
 +
 +## <summary>policy for vdagent</summary>
 +
@@ -66256,12 +132438,6 @@ index 0000000..c6be180
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`vdagent_admin',`
 +	gen_require(`
@@ -66279,10 +132455,10 @@ index 0000000..c6be180
 +')
 diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
 new file mode 100644
-index 0000000..4fd2377
+index 0000000..16033bd
 --- /dev/null
 +++ b/policy/modules/services/vdagent.te
-@@ -0,0 +1,54 @@
+@@ -0,0 +1,62 @@
 +policy_module(vdagent,1.0.0)
 +
 +########################################
@@ -66306,6 +132482,7 @@ index 0000000..4fd2377
 +#
 +
 +dontaudit vdagent_t self:capability sys_admin;
++allow vdagent_t self:process signal;
 +
 +allow vdagent_t self:fifo_file rw_fifo_file_perms;
 +allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
@@ -66325,8 +132502,15 @@ index 0000000..4fd2377
 +
 +files_read_etc_files(vdagent_t)
 +
++init_read_state(vdagent_t)
++
++systemd_read_logind_sessions_files(vdagent_t)
++systemd_login_read_pid_files(vdagent_t)
++
 +term_use_virtio_console(vdagent_t)
 +
++userdom_read_all_users_state(vdagent_t)
++
 +miscfiles_read_localization(vdagent_t)
 +
 +optional_policy(`
@@ -66425,7 +132609,7 @@ index 1f872b5..88a8157 100644
 -
  ')
 diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
-index 32a3c13..e3d91ad 100644
+index 32a3c13..803eea6 100644
 --- a/policy/modules/services/vhostmd.te
 +++ b/policy/modules/services/vhostmd.te
 @@ -24,8 +24,8 @@ files_pid_file(vhostmd_var_run_t)
@@ -66439,11 +132623,20 @@ index 32a3c13..e3d91ad 100644
  
  manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
  manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-@@ -44,9 +44,15 @@ corecmd_exec_shell(vhostmd_t)
+@@ -35,6 +35,7 @@ manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+ manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+ files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir })
+ 
++kernel_read_kernel_sysctls(vhostmd_t)
+ kernel_read_system_state(vhostmd_t)
+ kernel_read_network_state(vhostmd_t)
+ kernel_write_xen_state(vhostmd_t)
+@@ -44,9 +45,16 @@ corecmd_exec_shell(vhostmd_t)
  
  corenet_tcp_connect_soundd_port(vhostmd_t)
  
 +dev_read_rand(vhostmd_t)
++dev_read_urand(vhostmd_t)
 +dev_read_sysfs(vhostmd_t)
 +
 +# 579803
@@ -66455,7 +132648,7 @@ index 32a3c13..e3d91ad 100644
  dev_read_sysfs(vhostmd_t)
  
  auth_use_nsswitch(vhostmd_t)
-@@ -66,6 +72,7 @@ optional_policy(`
+@@ -66,6 +74,7 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(vhostmd_t)
@@ -66464,19 +132657,20 @@ index 32a3c13..e3d91ad 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..d9da85a 100644
+index 2124b6a..5072bd7 100644
 --- a/policy/modules/services/virt.fc
 +++ b/policy/modules/services/virt.fc
-@@ -1,5 +1,6 @@
+@@ -1,5 +1,7 @@
 -HOME_DIR/.virtinst(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 -HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
 +HOME_DIR/.libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/.libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)
 +HOME_DIR/.virtinst(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
 +HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
  HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
  
  /etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,44 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +14,49 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
  /etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
@@ -66504,7 +132698,8 @@ index 2124b6a..d9da85a 100644
  /var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
 -/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
-+/var/run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
++/var/run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
++/var/run/libvirt-sandbox(/.*)?	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
 +/var/run/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
  
  /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
@@ -66518,6 +132713,10 @@ index 2124b6a..d9da85a 100644
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 +/var/lib/vdsm(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 +
++# add support vios-proxy-*
++/usr/bin/vios-proxy-host	--	gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/bin/vios-proxy-guest	--  gen_context(system_u:object_r:virtd_exec_t,s0)
++
 +# support for nova-stack
 +/usr/bin/nova-compute       --  gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/qemu		--	gen_context(system_u:object_r:qemu_exec_t,s0)
@@ -66525,7 +132724,7 @@ index 2124b6a..d9da85a 100644
 +/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..cd38850 100644
+index 7c5d8d8..85b7d8b 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -13,39 +13,45 @@
@@ -66741,10 +132940,49 @@ index 7c5d8d8..cd38850 100644
  ##	Read virt PID files.
  ## </summary>
  ## <param name="domain">
-@@ -269,6 +335,36 @@ interface(`virt_manage_pid_files',`
+@@ -250,6 +316,28 @@ interface(`virt_read_pid_files',`
  
  ########################################
  ## <summary>
++##	Manage virt pid directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_manage_pid_dirs',`
++	gen_require(`
++		type virt_var_run_t;
++		type virt_lxc_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
++	manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
++	virt_filetrans_named_content($1)
++')
++
++########################################
++## <summary>
+ ##	Manage virt pid files.
+ ## </summary>
+ ## <param name="domain">
+@@ -261,10 +349,42 @@ interface(`virt_read_pid_files',`
+ interface(`virt_manage_pid_files',`
+ 	gen_require(`
+ 		type virt_var_run_t;
++		type virt_lxc_var_run_t;
+ 	')
+ 
+ 	files_search_pids($1)
+ 	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
++	manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
++')
++
++########################################
++## <summary>
 +##	Create objects in the pid directory
 +##	with a private type with a type transition.
 +## </summary>
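Review bot: The summary for the new `virt_manage_pid_dirs` interface says only "Manage virt pid directories", but the body also calls `virt_filetrans_named_content($1)`. That interface, added later in this patch, gives the caller a named type transition for a `libvirt-sandbox` directory under the pid directory. A caller who only wants directory management on the existing types gets the transition as a side effect, so the summary should say so, for example `##	Manage virt pid directories and create libvirt-sandbox with the virt_lxc_var_run_t type.`. The interface that follows `virt_manage_pid_files` continues outside this hunk.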
@@ -66771,14 +133009,10 @@ index 7c5d8d8..cd38850 100644
 +	')
 +
 +	filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
-+')
-+
-+########################################
-+## <summary>
- ##	Search virt lib directories.
- ## </summary>
- ## <param name="domain">
-@@ -308,6 +404,24 @@ interface(`virt_read_lib_files',`
+ ')
+ 
+ ########################################
+@@ -308,6 +428,24 @@ interface(`virt_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -66803,7 +133037,7 @@ index 7c5d8d8..cd38850 100644
  ##	Create, read, write, and delete
  ##	virt lib files.
  ## </summary>
-@@ -352,9 +466,9 @@ interface(`virt_read_log',`
+@@ -352,9 +490,9 @@ interface(`virt_read_log',`
  ##	virt log files.
  ## </summary>
  ## <param name="domain">
@@ -66815,7 +133049,33 @@ index 7c5d8d8..cd38850 100644
  ## </param>
  #
  interface(`virt_append_log',`
-@@ -408,6 +522,7 @@ interface(`virt_read_images',`
+@@ -388,6 +526,25 @@ interface(`virt_manage_log',`
+ 
+ ########################################
+ ## <summary>
++##	Allow domain to search virt image direcories
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_search_images',`
++	gen_require(`
++		attribute virt_image_type;
++	')
++
++	virt_search_lib($1)
++	allow $1 virt_image_type:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Allow domain to read virt image files
+ ## </summary>
+ ## <param name="domain">
+@@ -408,6 +565,7 @@ interface(`virt_read_images',`
  	read_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	read_blk_files_pattern($1, virt_image_type, virt_image_type)
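Review bot: The summary line of the new `virt_search_images` interface misspells "directories". It should read `##	Allow domain to search virt image directories`, so that generated interface documentation and text searches match the wording used by the neighbouring interfaces.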
@@ -66823,7 +133083,7 @@ index 7c5d8d8..cd38850 100644
  
  	tunable_policy(`virt_use_nfs',`
  		fs_list_nfs($1)
-@@ -424,6 +539,24 @@ interface(`virt_read_images',`
+@@ -424,6 +582,24 @@ interface(`virt_read_images',`
  
  ########################################
  ## <summary>
@@ -66848,7 +133108,7 @@ index 7c5d8d8..cd38850 100644
  ##	Create, read, write, and delete
  ##	svirt cache files.
  ## </summary>
-@@ -433,15 +566,15 @@ interface(`virt_read_images',`
+@@ -433,15 +609,15 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -66869,7 +133129,7 @@ index 7c5d8d8..cd38850 100644
  ')
  
  ########################################
-@@ -466,6 +599,7 @@ interface(`virt_manage_images',`
+@@ -466,6 +642,7 @@ interface(`virt_manage_images',`
  	manage_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -66877,7 +133137,7 @@ index 7c5d8d8..cd38850 100644
  
  	tunable_policy(`virt_use_nfs',`
  		fs_manage_nfs_dirs($1)
-@@ -500,10 +634,19 @@ interface(`virt_manage_images',`
+@@ -500,10 +677,19 @@ interface(`virt_manage_images',`
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t, virtd_initrc_exec_t;
@@ -66889,8 +133149,8 @@ index 7c5d8d8..cd38850 100644
 +	allow $1 virtd_t:process signal_perms;
  	ps_process_pattern($1, virtd_t)
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 virtd_t:process ptrace;
-+		allow $1 virt_lxc_t:process ptrace;
++		allow $1 virtd_t:process ptrace_perms_perms;
++		allow $1 virt_lxc_t:process ptrace_perms_perms;
 +	')
 +
 +	allow $1 virt_lxc_t:process signal_perms;
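Review bot: `ptrace_perms_perms` in the two rewritten `allow` lines looks like a search-and-replace that was applied twice. No definition of that name is visible in this chunk, so unless the policy defines a permission set called exactly that, these rules will either fail to build or not grant what was intended. The previous form was `allow $1 virtd_t:process ptrace;` and `allow $1 virt_lxc_t:process ptrace;`; restore those, or use the single intended set name. Both rules sit in the else branch of the `deny_ptrace` tunable, so they are active whenever that boolean is off and decide whether the admin domain can ptrace `virtd_t` and `virt_lxc_t`. The `virt_admin` interface body begins and ends outside this hunk.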
@@ -66898,7 +133158,7 @@ index 7c5d8d8..cd38850 100644
  
  	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -515,4 +658,231 @@ interface(`virt_admin',`
+@@ -515,4 +701,248 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -66906,7 +133166,7 @@ index 7c5d8d8..cd38850 100644
 +	virt_manage_images($1)
 +
 +	allow $1 virt_domain:process signal_perms;
- ')
++')
 +
 +########################################
 +## <summary>
@@ -67130,11 +133390,28 @@ index 7c5d8d8..cd38850 100644
 +	can_exec($1, qemu_exec_t)
 +')
 +
++########################################
++## <summary>
++##	Transition to virt named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_filetrans_named_content',`
++	gen_require(`
++		type virt_lxc_var_run_t;
++	')
++
++	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
+ ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..fe37c85 100644
+index 3eca020..96f86b2 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
-@@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
+@@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
  # Declarations
  #
  
@@ -67224,10 +133501,12 @@ index 3eca020..fe37c85 100644
  
  virt_domain_template(svirt)
  role system_r types svirt_t;
--
++typealias svirt_t alias qemu_t;
+ 
 -type svirt_cache_t;
 -files_type(svirt_cache_t)
-+typealias svirt_t alias qemu_t;
++virt_domain_template(svirt_prot_exec)
++role system_r types svirt_prot_exec_t;
  
  attribute virt_domain;
  attribute virt_image_type;
@@ -67240,13 +133519,16 @@ index 3eca020..fe37c85 100644
  
  type virt_etc_t;
  files_config_file(virt_etc_t)
-@@ -62,23 +90,31 @@ files_config_file(virt_etc_t)
+@@ -62,23 +93,34 @@ files_config_file(virt_etc_t)
  type virt_etc_rw_t;
  files_type(virt_etc_rw_t)
  
 +type virt_home_t;
 +userdom_user_home_content(virt_home_t)
 +
++type svirt_home_t;
++userdom_user_home_content(svirt_home_t)
++
  # virt Image files
  type virt_image_t; # customizable
  virt_image(virt_image_t)
@@ -67273,7 +133555,7 @@ index 3eca020..fe37c85 100644
  
  type virtd_t;
  type virtd_exec_t;
-@@ -89,6 +125,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +131,11 @@ domain_subj_id_change_exemption(virtd_t)
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
@@ -67285,7 +133567,7 @@ index 3eca020..fe37c85 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -97,6 +138,34 @@ ifdef(`enable_mls',`
+@@ -97,6 +144,35 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -67310,8 +133592,9 @@ index 3eca020..fe37c85 100644
 +type virtd_lxc_exec_t;
 +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
 +
-+type virtd_lxc_var_run_t;
-+files_pid_file(virtd_lxc_var_run_t)
++type virt_lxc_var_run_t;
++files_pid_file(virt_lxc_var_run_t)
++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
 +
 +# virt lxc container files
 +type svirt_lxc_file_t;
@@ -67320,7 +133603,7 @@ index 3eca020..fe37c85 100644
  ########################################
  #
  # svirt local policy
-@@ -104,15 +173,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +180,12 @@ ifdef(`enable_mls',`
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -67337,7 +133620,7 @@ index 3eca020..fe37c85 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -130,9 +196,13 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -130,9 +203,17 @@ corenet_tcp_connect_all_ports(svirt_t)
  
  dev_list_sysfs(svirt_t)
  
@@ -67347,11 +133630,15 @@ index 3eca020..fe37c85 100644
  userdom_read_user_home_content_symlinks(svirt_t)
  userdom_read_all_users_state(svirt_t)
 +append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-+stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t)
++manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
++manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
++manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
++filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, { dir sock_file file })
++stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +217,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +228,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -67367,7 +133654,7 @@ index 3eca020..fe37c85 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +234,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +245,28 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -67396,7 +133683,7 @@ index 3eca020..fe37c85 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -173,22 +264,40 @@ optional_policy(`
+@@ -173,22 +275,41 @@ optional_policy(`
  # virtd local policy
  #
  
@@ -67419,6 +133706,7 @@ index 3eca020..fe37c85 100644
 +allow virtd_t self:rawip_socket create_socket_perms;
 +allow virtd_t self:packet_socket create_socket_perms;
  allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow virtd_t self:netlink_route_socket create_netlink_socket_perms;
  
 -manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
 -manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
@@ -67444,7 +133732,7 @@ index 3eca020..fe37c85 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -199,9 +308,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -199,9 +320,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -67465,14 +133753,14 @@ index 3eca020..fe37c85 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +335,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +347,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
-+manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-+manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-+filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
-+stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
++manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
++stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
 +
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
@@ -67481,7 +133769,7 @@ index 3eca020..fe37c85 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +363,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +375,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -67512,11 +133800,10 @@ index 3eca020..fe37c85 100644
 +
 +# Manages /etc/sysconfig/system-config-firewall
 +files_manage_system_conf_files(virtd_t)
-+files_etc_filetrans_system_conf(virtd_t)
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +397,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +408,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -67535,7 +133822,7 @@ index 3eca020..fe37c85 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -276,6 +423,8 @@ term_use_ptmx(virtd_t)
+@@ -276,6 +434,8 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -67544,18 +133831,19 @@ index 3eca020..fe37c85 100644
  miscfiles_read_localization(virtd_t)
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
-@@ -285,16 +434,31 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +445,32 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
 +logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
  
++selinux_validate_context(virtd_t)
++
 +seutil_read_config(virtd_t)
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
  
++sysnet_signull_ifconfig(virtd_t)
 +sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
  sysnet_read_config(virtd_t)
@@ -67576,7 +133864,7 @@ index 3eca020..fe37c85 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +477,10 @@ optional_policy(`
+@@ -313,6 +489,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67587,7 +133875,7 @@ index 3eca020..fe37c85 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -326,6 +494,14 @@ optional_policy(`
+@@ -326,6 +506,14 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -67602,7 +133890,7 @@ index 3eca020..fe37c85 100644
  ')
  
  optional_policy(`
-@@ -334,11 +510,14 @@ optional_policy(`
+@@ -334,11 +522,14 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_read_pid_files(virtd_t)
  	dnsmasq_signull(virtd_t)
@@ -67617,7 +133905,20 @@ index 3eca020..fe37c85 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -360,11 +539,11 @@ optional_policy(`
+@@ -353,6 +544,12 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	# Run mount in the mount_t domain.
++	mount_domtrans(virtd_t)
++	mount_signal(virtd_t)
++')
++
++optional_policy(`
+ 	policykit_dbus_chat(virtd_t)
+ 	policykit_domtrans_auth(virtd_t)
+ 	policykit_domtrans_resolve(virtd_t)
+@@ -360,11 +557,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67634,7 +133935,7 @@ index 3eca020..fe37c85 100644
  ')
  
  optional_policy(`
-@@ -394,20 +573,36 @@ optional_policy(`
+@@ -394,20 +591,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -67674,7 +133975,7 @@ index 3eca020..fe37c85 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -418,10 +613,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +631,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -67683,11 +133984,12 @@ index 3eca020..fe37c85 100644
  corenet_tcp_connect_virt_migration_port(virt_domain)
 +corenet_rw_inherited_tun_tap_dev(virt_domain)
  
++dev_getattr_fs(virt_domain)
 +dev_read_generic_symlinks(virt_domain)
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +625,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +644,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -67700,7 +134002,7 @@ index 3eca020..fe37c85 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +638,386 @@ files_search_all(virt_domain)
+@@ -440,25 +657,428 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -67708,12 +134010,12 @@ index 3eca020..fe37c85 100644
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+ 
+-term_use_all_terms(virt_domain)
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +storage_raw_read_removable_device(virt_domain)
- 
--term_use_all_terms(virt_domain)
++
 +term_use_all_inherited_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
@@ -67726,7 +134028,7 @@ index 3eca020..fe37c85 100644
  miscfiles_read_localization(virt_domain)
  
 +tunable_policy(`virt_use_execmem',`
-+	allow virtd_t virt_domain:process { execmem execstack };
++	allow virt_domain self:process { execmem execstack };
 +')
 +
  optional_policy(`
@@ -67857,7 +134159,7 @@ index 3eca020..fe37c85 100644
 +# virt_lxc local policy
 +#
 +allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_resource };
-+allow virtd_lxc_t self:process { setrlimit setsched getcap setcap signal_perms };
++allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
 +allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
 +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
 +allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms;
@@ -67870,10 +134172,10 @@ index 3eca020..fe37c85 100644
 +allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 +
 +allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
-+manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-+manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-+manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-+files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
++manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
 +
 +manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -67882,6 +134184,8 @@ index 3eca020..fe37c85 100644
 +manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
++allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
++files_associate_rootfs(svirt_lxc_file_t)
 +
 +storage_manage_fixed_disk(virtd_lxc_t)
 +
@@ -67895,9 +134199,12 @@ index 3eca020..fe37c85 100644
 +
 +dev_relabel_all_dev_nodes(virtd_lxc_t)
 +dev_rw_sysfs(virtd_lxc_t)
++dev_read_sysfs(virtd_lxc_t)
 +
 +domain_use_interactive_fds(virtd_lxc_t)
 +
++files_search_all(virtd_lxc_t)
++files_getattr_all_files(virtd_lxc_t)
 +files_read_etc_files(virtd_lxc_t)
 +files_read_usr_files(virtd_lxc_t)
 +files_relabel_rootfs(virtd_lxc_t)
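Review bot: `dev_read_sysfs(virtd_lxc_t)` is added directly below the existing `dev_rw_sysfs(virtd_lxc_t)`, which presumably already covers read access to sysfs, so the new line looks redundant and can be dropped. The same hunk adds `files_search_all(virtd_lxc_t)` and `files_getattr_all_files(virtd_lxc_t)`, which let the container launcher stat every file type on the system. These two should carry a why-comment, for example `# needed while relabeling and mounting the container rootfs - TODO confirm`, so the breadth can be revisited later.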
@@ -67905,6 +134212,7 @@ index 3eca020..fe37c85 100644
 +files_mount_all_file_type_fs(virtd_lxc_t)
 +files_unmount_all_file_type_fs(virtd_lxc_t)
 +files_list_isid_type_dirs(virtd_lxc_t)
++files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
 +
 +fs_getattr_all_fs(virtd_lxc_t)
 +fs_manage_tmpfs_dirs(virtd_lxc_t)
@@ -67916,9 +134224,11 @@ index 3eca020..fe37c85 100644
 +fs_rw_cgroup_files(virtd_lxc_t)
 +fs_unmount_xattr_fs(virtd_lxc_t)
 +fs_unmount_configfs(virtd_lxc_t)
++fs_relabelfrom_tmpfs(virtd_lxc_t)
 +
 +selinux_mount_fs(virtd_lxc_t)
 +selinux_unmount_fs(virtd_lxc_t)
++seutil_read_config(virtd_lxc_t)
 +
 +term_use_generic_ptys(virtd_lxc_t)
 +term_use_ptmx(virtd_lxc_t)
@@ -67933,6 +134243,15 @@ index 3eca020..fe37c85 100644
 +seutil_domtrans_setfiles(virtd_lxc_t)
 +seutil_read_default_contexts(virtd_lxc_t)
 +
++selinux_get_enforce_mode(virtd_lxc_t)
++selinux_get_fs_mount(virtd_lxc_t)
++selinux_validate_context(virtd_lxc_t)
++selinux_compute_access_vector(virtd_lxc_t)
++selinux_compute_create_context(virtd_lxc_t)
++selinux_compute_relabel_context(virtd_lxc_t)
++selinux_compute_user_contexts(virtd_lxc_t)
++seutil_read_default_contexts(virtd_lxc_t)
++
 +sysnet_domtrans_ifconfig(virtd_lxc_t)
 +
 +#optional_policy(`
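Review bot: The added `seutil_read_default_contexts(virtd_lxc_t)` at the end of the new `selinux_*` block duplicates the identical call that already stands two lines above the block as context. The duplicate is harmless to the compiled policy, but it makes the domain's grants harder to audit and should be removed. The `selinux_compute_*` calls moved here from `svirt_lxc_domain` would also benefit from a short comment saying that `virtd_lxc_t`, not the container itself, computes the labels.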
@@ -67949,8 +134268,10 @@ index 3eca020..fe37c85 100644
 +allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
 +allow virtd_t svirt_lxc_domain:process { signal_perms };
 +allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow svirt_lxc_domain virtd_lxc_t:process sigchld;
 +allow svirt_lxc_domain virtd_lxc_t:fd use;
-+allow svirt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms;
++allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms;
 +allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
 +
 +allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -67958,7 +134279,7 @@ index 3eca020..fe37c85 100644
 +allow svirt_lxc_domain self:sem create_sem_perms;
 +allow svirt_lxc_domain self:shm create_shm_perms;
 +allow svirt_lxc_domain self:msgq create_msgq_perms;
-+allow svirt_lxc_domain self:unix_stream_socket create_stream_socket_perms;
++allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
 +dontaudit svirt_lxc_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 +
@@ -67970,35 +134291,37 @@ index 3eca020..fe37c85 100644
 +rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 +rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 +can_exec(svirt_lxc_domain, svirt_lxc_file_t)
++allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
++allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
 +
 +kernel_getattr_proc(svirt_lxc_domain)
 +kernel_read_kernel_sysctls(svirt_lxc_domain)
++kernel_read_net_sysctls(svirt_lxc_domain)
 +kernel_read_system_state(svirt_lxc_domain)
 +kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
 +
 +corecmd_exec_all_executables(svirt_lxc_domain)
 +
-+dev_read_urand(svirt_lxc_domain)
-+dev_dontaudit_read_rand(svirt_lxc_domain)
-+dev_read_sysfs(svirt_lxc_domain)
-+
++files_read_kernel_modules(svirt_lxc_net_t)
 +files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
++files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
 +files_entrypoint_all_files(svirt_lxc_domain)
 +files_search_all(svirt_lxc_domain)
 +files_read_config_files(svirt_lxc_domain)
 +files_read_usr_files(svirt_lxc_domain)
 +files_read_usr_symlinks(svirt_lxc_domain)
++files_search_locks(svirt_lxc_domain)
 +
-+fs_getattr_tmpfs(svirt_lxc_domain)
-+fs_getattr_xattr_fs(svirt_lxc_domain)
++fs_getattr_all_fs(svirt_lxc_domain)
 +fs_list_inotifyfs(svirt_lxc_domain)
-+fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
 +
 +auth_dontaudit_read_passwd(svirt_lxc_domain)
 +auth_dontaudit_read_login_records(svirt_lxc_domain)
 +auth_dontaudit_write_login_records(svirt_lxc_domain)
 +auth_search_pam_console_data(svirt_lxc_domain)
 +
++clock_read_adjtime(svirt_lxc_domain)
++
 +init_read_utmp(svirt_lxc_domain)
 +init_dontaudit_write_utmp(svirt_lxc_domain)
 +
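Review bot: The two `allow svirt_lxc_net_t svirt_lxc_file_t:...` rules (`dir mounton`, `filesystem getattr`) and `files_read_kernel_modules(svirt_lxc_net_t)` are inserted among the rules common to `svirt_lxc_domain`. The rest of the `svirt_lxc_net_t` policy lives after `virt_lxc_domain_template(svirt_lxc_net)` further down. Someone auditing what a networked container may do will miss these grants when reading that section, `mounton` being the one that matters most, so move the three lines there. This hunk also replaces the narrower `fs_getattr_tmpfs` and `fs_getattr_xattr_fs` calls with `fs_getattr_all_fs(svirt_lxc_domain)`; a one-line comment giving the reason for the wider grant would help.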
@@ -68006,18 +134329,13 @@ index 3eca020..fe37c85 100644
 +
 +miscfiles_read_localization(svirt_lxc_domain)
 +miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
++miscfiles_read_fonts(svirt_lxc_domain)
 +
 +mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +
-+selinux_get_fs_mount(svirt_lxc_domain)
-+selinux_validate_context(svirt_lxc_domain)
-+selinux_compute_access_vector(svirt_lxc_domain)
-+selinux_compute_create_context(svirt_lxc_domain)
-+selinux_compute_relabel_context(svirt_lxc_domain)
-+selinux_compute_user_contexts(svirt_lxc_domain)
-+seutil_read_default_contexts(svirt_lxc_domain)
-+
-+miscfiles_read_fonts(svirt_lxc_domain)
++optional_policy(`
++	udev_read_pid_files(svirt_lxc_domain)
++')
 +
 +optional_policy(`
 +	apache_exec_modules(svirt_lxc_domain)
@@ -68025,16 +134343,20 @@ index 3eca020..fe37c85 100644
 +
 +virt_lxc_domain_template(svirt_lxc_net)
 +
++allow svirt_lxc_net_t self:capability { net_raw net_admin net_bind_service sys_nice chown dac_read_search dac_override fowner };
 +allow svirt_lxc_net_t self:udp_socket create_socket_perms;
 +allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms;
 +allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms;
 +allow svirt_lxc_net_t self:packet_socket create_socket_perms;
-+allow svirt_lxc_net_t self:udp_socket create_socket_perms;
++allow svirt_lxc_net_t self:socket create_socket_perms;
++allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
++allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
++allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
 +
 +corenet_tcp_bind_generic_node(svirt_lxc_net_t)
 +corenet_udp_bind_generic_node(svirt_lxc_net_t)
 +
-+allow svirt_lxc_net_t self:capability { net_raw net_admin net_bind_service };
++dev_read_sysfs(svirt_lxc_net_t)
 +
 +corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
 +corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
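Review bot: The rewritten capability rule for `svirt_lxc_net_t` grows from `net_raw net_admin net_bind_service` to also include `sys_nice chown dac_read_search dac_override fowner`, with no comment or bug reference. `dac_override` and `fowner` remove the discretionary ownership checks inside the container domain, leaving the type enforcement rules as the only barrier. Each addition should be justified the way the vhostmd change in this patch tags its rule with a bug number, for example `# chown/fowner/dac_*: <bug id or reason>`. The same applies to the new generic `self:socket`, `rawip_socket`, `netlink_tcpdiag_socket` and `netlink_kobject_uevent_socket` rules; if only some container workloads need them, a tunable would keep the default narrower.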
@@ -68043,25 +134365,37 @@ index 3eca020..fe37c85 100644
 +corenet_tcp_connect_all_ports(svirt_lxc_net_t)
 +kernel_read_network_state(svirt_lxc_net_t)
 +
-+domain_entry_file(svirt_lxc_net_t, svirt_lxc_file_t)
-+domtrans_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_net_t)
-+corecmd_shell_domtrans(virtd_lxc_t, svirt_lxc_net_t)
 +fs_noxattr_type(svirt_lxc_file_t)
 +term_pty(svirt_lxc_file_t)
 +
++auth_use_nsswitch(svirt_lxc_net_t)
++
++#######################################
++#
++# svirt_prot_exec local policy
++#
++
++allow svirt_prot_exec_t self:process { execmem execstack };
++
 +########################################
 +#
 +# virt_qmf local policy
 +#
-+allow virt_qmf_t self:process signal;
++allow virt_qmf_t self:capability { sys_nice sys_tty_config };
++allow virt_qmf_t self:process { setsched signal };
 +allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
 +allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
 +allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
++allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
++
++can_exec(virt_qmf_t, virtd_exec_t)
 +
++kernel_read_system_state(virt_qmf_t)
 +kernel_read_network_state(virt_qmf_t)
 +
-+dev_list_sysfs(virt_qmf_t)
 +dev_read_sysfs(virt_qmf_t)
++dev_read_rand(virt_qmf_t)
++dev_read_urand(virt_qmf_t)
 +
 +corenet_tcp_connect_matahari_port(virt_qmf_t)
 +
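Review bot: The new `svirt_prot_exec_t` section grants `self:process { execmem execstack }` unconditionally, while the matching grant for `virt_domain` elsewhere in this patch is gated on the `virt_use_execmem` tunable. Nothing in the section says which guests are expected to be labelled with this type or who assigns it. Add a header comment such as `# guests that need writable+executable memory are started as svirt_prot_exec_t - TODO confirm`, so the ungated grant reads as deliberate. In the same hunk, `can_exec(virt_qmf_t, virtd_exec_t)` lets `virt_qmf_t` run the libvirtd binary without a domain transition and also deserves a one-line reason.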
@@ -68073,6 +134407,16 @@ index 3eca020..fe37c85 100644
 +
 +miscfiles_read_localization(virt_qmf_t)
 +
++sysnet_read_config(virt_qmf_t)
++
++optional_policy(`
++	dbus_read_lib_files(virt_qmf_t)
++')
++
++optional_policy(`
++	virt_stream_connect(virt_qmf_t)
++')
++
 +########################################
 +#
 +# virt_bridgehelper local policy
@@ -68125,10 +134469,10 @@ index 727fe95..adbb3fb 100644
  	files_list_var_lib($1)
  	admin_pattern($1, vnstatd_var_lib_t)
 diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
-index 8121937..5a462fb 100644
+index 8121937..275409f 100644
 --- a/policy/modules/services/vnstatd.te
 +++ b/policy/modules/services/vnstatd.te
-@@ -28,9 +28,12 @@ allow vnstatd_t self:process signal;
+@@ -28,9 +28,13 @@ allow vnstatd_t self:process signal;
  allow vnstatd_t self:fifo_file rw_fifo_file_perms;
  allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -68139,11 +134483,15 @@ index 8121937..5a462fb 100644
  manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
  manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 -files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
++files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir)
  
  manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
  manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-@@ -64,7 +67,6 @@ allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+@@ -62,9 +66,9 @@ allow vnstat_t self:process signal;
+ allow vnstat_t self:fifo_file rw_fifo_file_perms;
+ allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
  
++files_search_var_lib(vnstat_t)
  manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
  manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 -files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
@@ -68193,13 +134541,12 @@ index 0000000..ad47e05
 +/usr/sbin/wdmd		--	gen_context(system_u:object_r:wdmd_exec_t,s0)
 diff --git a/policy/modules/services/wdmd.if b/policy/modules/services/wdmd.if
 new file mode 100644
-index 0000000..1a04747
+index 0000000..8e3570d
 --- /dev/null
 +++ b/policy/modules/services/wdmd.if
-@@ -0,0 +1,114 @@
-+
-+## <summary>policy for wdmd</summary>
+@@ -0,0 +1,113 @@
 +
++## <summary>watchdog multiplexing daemon</summary>
 +
 +########################################
 +## <summary>
@@ -68313,10 +134660,10 @@ index 0000000..1a04747
 +')
 diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te
 new file mode 100644
-index 0000000..11b8863
+index 0000000..df9a759
 --- /dev/null
 +++ b/policy/modules/services/wdmd.te
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,46 @@
 +policy_module(wdmd,1.0.0)
 +
 +########################################
@@ -68338,7 +134685,7 @@ index 0000000..11b8863
 +#
 +# wdmd local policy
 +#
-+allow wdmd_t self:capability { sys_nice ipc_lock };
++allow wdmd_t self:capability { chown sys_nice ipc_lock };
 +allow wdmd_t self:process { setsched signal };
 +
 +allow wdmd_t self:fifo_file rw_fifo_file_perms;
@@ -68358,6 +134705,8 @@ index 0000000..11b8863
 +
 +fs_read_anon_inodefs_files(wdmd_t)
 +
++auth_use_nsswitch(wdmd_t)
++
 +logging_send_syslog_msg(wdmd_t)
 +
 +miscfiles_read_localization(wdmd_t)
@@ -68372,7 +134721,7 @@ index aa6e5a8..42a0efb 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 4966c94..cb2e1a3 100644
+index 4966c94..587ddea 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,34 @@
@@ -68410,16 +134759,26 @@ index 4966c94..cb2e1a3 100644
  
  #
  # /dev
-@@ -21,6 +42,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -21,11 +42,18 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  
  /etc/init\.d/xfree86-common --	gen_context(system_u:object_r:xserver_exec_t,s0)
  
 +/etc/gdm(/.*)?		  	gen_context(system_u:object_r:xdm_etc_t,s0)
++/etc/gdm/Init(/.*)?	  	gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/gdm/PostLogin(/.*)?  	gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/gdm/PostSession(/.*)?  	gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/gdm/PreSession(/.*)?  	gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
 +
  /etc/kde3?/kdm/Xstartup	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/kde3?/kdm/Xreset	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/kde3?/kdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-@@ -33,11 +56,6 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+ /etc/kde3?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
+ 
++/etc/opt/VirtualGL(/.*)?	gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+ /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+@@ -33,11 +61,6 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  
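Review bot: The four new `/etc/gdm/Init`, `PostLogin`, `PostSession` and `PreSession` entries have no file-type field, so the directories themselves and any symlink or other non-regular object under them are labelled `xdm_unconfined_exec_t` too. The neighbouring `kdm` entries restrict their executable label with `--`. Labelling only regular files would be tighter, e.g. `/etc/gdm/Init/.*	--	gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)`, leaving the directories to the `/etc/gdm(/.*)?` rule as `xdm_etc_t`. This assumes `xdm_t` may already search `xdm_etc_t` directories, which this hunk does not show.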
@@ -68431,7 +134790,7 @@ index 4966c94..cb2e1a3 100644
  #
  # /opt
  #
-@@ -48,28 +66,30 @@ ifdef(`distro_redhat',`
+@@ -48,28 +71,35 @@ ifdef(`distro_redhat',`
  # /tmp
  #
  
@@ -68441,17 +134800,24 @@ index 4966c94..cb2e1a3 100644
 -/tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 -/tmp/\.X11-unix/.*	-s	<<none>>
 +/tmp/\.X0-lock		--	gen_context(system_u:object_r:xdm_tmp_t,s0)
-+/tmp/\.X11-unix(/.*)?			gen_context(system_u:object_r:xdm_tmp_t,s0)
-+/tmp/\.ICE-unix(/.*)?			gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.X11-unix(/.*)?		gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.ICE-unix(/.*)?		gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.font-unix(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
  
  #
  # /usr
  #
  
- /usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/(s)?bin/lxdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/(s)?bin/lxdm-binary --	gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/(s)?bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/sbin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/sbin/lxdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/sbin/lxdm-binary --	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/sbin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/bin/gdm-binary   --  gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/bin/lxdm --  gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/bin/lxdm-binary --   gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/bin/[xgkw]dm --  gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 +/usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -68468,7 +134834,7 @@ index 4966c94..cb2e1a3 100644
  
  /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
-@@ -90,17 +110,44 @@ ifdef(`distro_debian', `
+@@ -90,17 +120,45 @@ ifdef(`distro_debian', `
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
@@ -68506,6 +134872,7 @@ index 4966c94..cb2e1a3 100644
 +
 +/var/run/video.rom	--	gen_context(system_u:object_r:xserver_var_run_t,s0)
 +/var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
++/var/run/systemd/multi-session-x(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
  
  ifdef(`distro_suse',`
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -68517,7 +134884,7 @@ index 4966c94..cb2e1a3 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..4c198c1 100644
+index 130ced9..56cb1f8 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -69266,7 +135633,7 @@ index 130ced9..4c198c1 100644
  ')
  
  ########################################
-@@ -1243,10 +1540,462 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1540,533 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -69490,6 +135857,25 @@ index 130ced9..4c198c1 100644
 +
 +########################################
 +## <summary>
++##	Allow append the xdm
++##	tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit
++##	</summary>
++## </param>
++#
++interface(`xserver_append_xdm_tmp_files',`
++	gen_require(`
++		type xdm_tmp_t;
++	')
++
++	allow $1 xdm_tmp_t:file append_inherited_file_perms;
++')
++
++########################################
++## <summary>
 +##	Read a user Iceauthority domain.
 +## </summary>
 +## <param name="domain">
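Review bot: The parameter description of `xserver_append_xdm_tmp_files` says `Domain to not audit`, but the body is an `allow` rule, not a `dontaudit`; the text looks copied from a dontaudit interface. It should read `##	Domain allowed access.`. The summary would also be clearer as `##	Append to inherited xdm temporary files.`, since the permission set used is `append_inherited_file_perms`.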
@@ -69641,6 +136027,26 @@ index 130ced9..4c198c1 100644
 +
 +########################################
 +## <summary>
++##	Manage user fonts dir.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`xserver_manage_user_fonts_dir',`
++	gen_require(`
++		type user_fonts_t;
++	')
++
++	manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
++	files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
++')
++
++########################################
++## <summary>
 +##	Manage user homedir fonts.
 +## </summary>
 +## <param name="domain">
@@ -69697,6 +136103,7 @@ index 130ced9..4c198c1 100644
 +	userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
 +	userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +	filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
++	files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
 +')
 +
 +########################################
@@ -69731,8 +136138,39 @@ index 130ced9..4c198c1 100644
 +	userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
 +	userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +')
++
++########################################
++## <summary>
++##	Create objects in a xdm temporary directory
++##	with an automatic type transition to
++##	a specified private type.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private_type">
++##	<summary>
++##	The type of the object to create.
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The class of the object to be created.
++##	</summary>
++## </param>
++#
++interface(`xserver_xdm_tmp_filetrans',`
++	gen_require(`
++		type xdm_tmp_t;
++	')
++
++	filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)
++	files_search_tmp($1)
++')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..163158e 100644
+index 143c893..a4cacbf 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
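Review bot: `xserver_xdm_tmp_filetrans` passes `$4` to `filetrans_pattern`, but its header documents only three parameters (`domain`, `private_type`, `object_class`). A fourth block, `<param name="name" optional="true">`, describing the name of the object being created should be added, because a caller cannot tell from the documentation that a named transition is supported. The interface is complete within this hunk.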
@@ -69794,12 +136232,17 @@ index 143c893..163158e 100644
  attribute x_domain;
  
  # X Events
-@@ -109,21 +132,25 @@ xserver_common_x_domain_template(remote, remote_t)
+@@ -107,23 +130,29 @@ xserver_object_types_template(remote)
+ xserver_common_x_domain_template(remote, remote_t)
+ 
  type user_fonts_t;
- typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
+-typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
++typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xfs_fonts_t };
  typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
 +typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
++typealias user_fonts_t alias xfs_tmp_t;
  userdom_user_home_content(user_fonts_t)
++files_tmp_file(user_fonts_t)
  
  type user_fonts_cache_t;
  typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
@@ -69820,7 +136263,7 @@ index 143c893..163158e 100644
  typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
  application_domain(iceauth_t, iceauth_exec_t)
  ubac_constrained(iceauth_t)
-@@ -131,22 +158,26 @@ ubac_constrained(iceauth_t)
+@@ -131,22 +160,26 @@ ubac_constrained(iceauth_t)
  type iceauth_home_t;
  typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
  typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
@@ -69847,7 +136290,14 @@ index 143c893..163158e 100644
  typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
  files_tmp_file(xauth_tmp_t)
  ubac_constrained(xauth_tmp_t)
-@@ -161,15 +192,21 @@ type xdm_t;
+@@ -157,19 +190,28 @@ files_type(xconsole_device_t)
+ fs_associate_tmpfs(xconsole_device_t)
+ files_associate_tmp(xconsole_device_t)
+ 
++type xdm_unconfined_exec_t;
++application_executable_file(xdm_unconfined_exec_t)
++
+ type xdm_t;
  type xdm_exec_t;
  auth_login_pgm_domain(xdm_t)
  init_domain(xdm_t, xdm_exec_t)
@@ -69871,7 +136321,7 @@ index 143c893..163158e 100644
  
  type xdm_var_lib_t;
  files_type(xdm_var_lib_t)
-@@ -177,13 +214,27 @@ files_type(xdm_var_lib_t)
+@@ -177,13 +219,27 @@ files_type(xdm_var_lib_t)
  type xdm_var_run_t;
  files_pid_file(xdm_var_run_t)
  
@@ -69900,7 +136350,7 @@ index 143c893..163158e 100644
  # type for /var/lib/xkb
  type xkb_var_lib_t;
  files_type(xkb_var_lib_t)
-@@ -196,15 +247,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -196,15 +252,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
  init_system_domain(xserver_t, xserver_exec_t)
  ubac_constrained(xserver_t)
  
@@ -69918,7 +136368,7 @@ index 143c893..163158e 100644
  files_tmpfs_file(xserver_tmpfs_t)
  ubac_constrained(xserver_tmpfs_t)
  
-@@ -234,17 +279,30 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+@@ -234,17 +284,30 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
  
  allow xdm_t iceauth_home_t:file read_file_perms;
  
@@ -69957,7 +136407,7 @@ index 143c893..163158e 100644
  ')
  
  ########################################
-@@ -252,45 +310,78 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -252,45 +315,78 @@ tunable_policy(`use_samba_home_dirs',`
  # Xauth local policy
  #
  
@@ -70046,11 +136496,14 @@ index 143c893..163158e 100644
  ')
  
  optional_policy(`
-@@ -305,19 +396,36 @@ optional_policy(`
+@@ -304,20 +400,38 @@ optional_policy(`
+ # XDM Local policy
  #
  
- allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
++allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
++dontaudit xdm_t self:capability sys_admin;
 +
 +allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
  allow xdm_t self:fifo_file rw_fifo_file_perms;
@@ -70086,7 +136539,7 @@ index 143c893..163158e 100644
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -325,43 +433,63 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -325,43 +439,63 @@ can_exec(xdm_t, xdm_exec_t)
  allow xdm_t xdm_lock_t:file manage_file_perms;
  files_lock_filetrans(xdm_t, xdm_lock_t, file)
  
@@ -70156,7 +136609,7 @@ index 143c893..163158e 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +498,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +504,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -70184,7 +136637,7 @@ index 143c893..163158e 100644
  
  corenet_all_recvfrom_unlabeled(xdm_t)
  corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +529,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +535,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -70237,7 +136690,7 @@ index 143c893..163158e 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -435,9 +581,25 @@ files_list_mnt(xdm_t)
+@@ -435,9 +587,25 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -70263,7 +136716,7 @@ index 143c893..163158e 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +608,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +614,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -70278,7 +136731,8 @@ index 143c893..163158e 100644
 +term_relabel_unallocated_ttys(xdm_t)
  
  auth_domtrans_pam_console(xdm_t)
- auth_manage_pam_pid(xdm_t)
+-auth_manage_pam_pid(xdm_t)
++#auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
 +auth_signal_pam(xdm_t)
  auth_rw_faillog(xdm_t)
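Review bot: `auth_manage_pam_pid(xdm_t)` is turned into the commented-out line `#auth_manage_pam_pid(xdm_t)` instead of being removed. A dead rule in policy invites someone to re-enable it without knowing why it was disabled. Either delete the line or keep it with a reason, e.g. `# auth_manage_pam_pid(xdm_t) dropped: <reason>`. The surrounding XDM rule list starts and ends outside this hunk.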
@@ -70287,6 +136741,7 @@ index 143c893..163158e 100644
  # Run telinit->init to shutdown.
  init_telinit(xdm_t)
 +init_dbus_chat(xdm_t)
++init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
  
  libs_exec_lib_files(xdm_t)
  
@@ -70303,7 +136758,7 @@ index 143c893..163158e 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -476,24 +647,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,24 +654,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -70353,7 +136808,7 @@ index 143c893..163158e 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -507,11 +697,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +704,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -70375,7 +136830,7 @@ index 143c893..163158e 100644
  ')
  
  optional_policy(`
-@@ -519,12 +719,63 @@ optional_policy(`
+@@ -519,12 +726,63 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70439,7 +136894,7 @@ index 143c893..163158e 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,28 +793,69 @@ optional_policy(`
+@@ -542,28 +800,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70518,7 +136973,7 @@ index 143c893..163158e 100644
  ')
  
  optional_policy(`
-@@ -575,6 +867,14 @@ optional_policy(`
+@@ -575,6 +874,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70533,15 +136988,17 @@ index 143c893..163158e 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -600,6 +900,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +906,8 @@ allow xserver_t input_xevent_t:x_event send;
+ # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
- allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++allow xserver_t self:capability { sys_ptrace dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
 +
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -613,8 +914,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +921,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -70557,7 +137014,7 @@ index 143c893..163158e 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +941,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +948,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -70579,7 +137036,7 @@ index 143c893..163158e 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +961,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +968,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -70587,7 +137044,7 @@ index 143c893..163158e 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -672,21 +988,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +995,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -70618,7 +137075,7 @@ index 143c893..163158e 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -697,8 +1020,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1027,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -70632,7 +137089,7 @@ index 143c893..163158e 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1039,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1046,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -70641,7 +137098,7 @@ index 143c893..163158e 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1046,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1053,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -70656,7 +137113,7 @@ index 143c893..163158e 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1105,40 @@ optional_policy(`
+@@ -778,16 +1112,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70698,7 +137155,7 @@ index 143c893..163158e 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -796,6 +1147,10 @@ optional_policy(`
+@@ -796,6 +1154,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70709,7 +137166,7 @@ index 143c893..163158e 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -811,10 +1166,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1173,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -70723,7 +137180,7 @@ index 143c893..163158e 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1177,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1184,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -70732,7 +137189,7 @@ index 143c893..163158e 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -835,26 +1190,21 @@ init_use_fds(xserver_t)
+@@ -835,26 +1197,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -70767,7 +137224,7 @@ index 143c893..163158e 100644
  ')
  
  optional_policy(`
-@@ -862,6 +1212,10 @@ optional_policy(`
+@@ -862,6 +1219,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -70778,7 +137235,7 @@ index 143c893..163158e 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -905,7 +1259,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1266,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -70787,7 +137244,7 @@ index 143c893..163158e 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -959,11 +1313,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1320,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -70819,7 +137276,7 @@ index 143c893..163158e 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -985,18 +1359,31 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1366,43 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -70866,6 +137323,18 @@ index 143c893..163158e 100644
 +	unconfined_signal(xserver_t)
 +	unconfined_getpgid(xserver_t)
 +')
++
++can_exec(xdm_t, xdm_unconfined_exec_t)
++
++optional_policy(`
++	type xdm_unconfined_t;
++	domain_type(xdm_unconfined_t)
++	domain_entry_file(xdm_unconfined_t, xdm_unconfined_exec_t)
++	role system_r types xdm_unconfined_t;
++
++	domtrans_pattern(xdm_t, xdm_unconfined_exec_t, xdm_unconfined_t)
++	unconfined_domain(xdm_unconfined_t)
++')
 diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc
 index 664cd7a..e3eaec5 100644
 --- a/policy/modules/services/zabbix.fc
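Review bot: The new `optional_policy` block makes `xdm_unconfined_t` an unconfined domain entered from `xdm_t` through any file labelled `xdm_unconfined_exec_t`, and nothing in the block says so or names the files concerned. Given the `/etc/gdm/Init`, `PostLogin`, `PostSession` and `PreSession` contexts added in xserver.fc, write or relabel access to that type becomes the boundary between confined and unconfined execution. That deserves a comment such as `# gdm hook scripts run unconfined; restrict who may write or relabel xdm_unconfined_exec_t`. `can_exec(xdm_t, xdm_unconfined_exec_t)` also sits outside the optional block, so when the unconfined module is absent the same scripts appear to run inside `xdm_t` instead; if that fallback is intended, the comment should say so.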
@@ -70959,7 +137428,7 @@ index c9981d1..75a7d17 100644
  	init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
-index 7f88f5f..7d8a06e 100644
+index 7f88f5f..67a111c 100644
 --- a/policy/modules/services/zabbix.te
 +++ b/policy/modules/services/zabbix.te
 @@ -5,6 +5,13 @@ policy_module(zabbix, 1.3.1)
@@ -71017,7 +137486,7 @@ index 7f88f5f..7d8a06e 100644
  # shared memory
  rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
  fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
-@@ -58,25 +75,55 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+@@ -58,25 +75,54 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
  manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
  files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
  
@@ -71048,8 +137517,7 @@ index 7f88f5f..7d8a06e 100644
  zabbix_agent_tcp_connect(zabbix_t)
  
 +tunable_policy(`zabbix_can_network',`
-+	corenet_tcp_connect_all_unreserved_ports(zabbix_t)
-+	corenet_tcp_connect_all_ephemeral_ports(zabbix_t)
++	corenet_tcp_connect_all_ports(zabbix_t)
 +')
 +
  optional_policy(`
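Review bot: `corenet_tcp_connect_all_ports(zabbix_t)` replaces the unreserved-port and ephemeral-port interfaces, so enabling `zabbix_can_network` now lets the server open TCP connections to every port, reserved ones included. If the change was made to reach a few specific low-numbered services, granting those named ports would keep the boolean narrower; that motive is not stated on the page. At minimum the tunable's description should say it now covers all ports, and a comment such as `# monitored services may listen on any port, including reserved ones` belongs above the call.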
@@ -71075,16 +137543,16 @@ index 7f88f5f..7d8a06e 100644
  ########################################
  #
  # zabbix agent local policy
-@@ -134,3 +181,4 @@ sysnet_dns_name_resolve(zabbix_agent_t)
+@@ -134,3 +180,4 @@ sysnet_dns_name_resolve(zabbix_agent_t)
  
  # Network access to zabbix server
  zabbix_tcp_connect(zabbix_agent_t)
 +
 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
-index 3defaa1..2ad2488 100644
+index 3defaa1..7436a1c 100644
 --- a/policy/modules/services/zarafa.fc
 +++ b/policy/modules/services/zarafa.fc
-@@ -8,7 +8,8 @@
+@@ -8,8 +8,10 @@
  /usr/bin/zarafa-server		--	gen_context(system_u:object_r:zarafa_server_exec_t,s0)
  /usr/bin/zarafa-spooler		--	gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
  
@@ -71092,8 +137560,23 @@ index 3defaa1..2ad2488 100644
 +/var/lib/zarafa(/.*)?			gen_context(system_u:object_r:zarafa_var_lib_t,s0)
 +/var/lib/zarafa-webaccess(/.*)?	gen_context(system_u:object_r:zarafa_var_lib_t,s0)
  
++/var/log/zarafa/dagent\.log     --  gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
  /var/log/zarafa/gateway\.log	--	gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
  /var/log/zarafa/ical\.log	--	gen_context(system_u:object_r:zarafa_ical_log_t,s0)
+ /var/log/zarafa/indexer\.log	--	gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
+@@ -18,9 +20,11 @@
+ /var/log/zarafa/spooler\.log	--	gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+ 
+ /var/run/zarafa			-s	gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
++/var/run/zarafa-dagent\.pid     --  gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
+ /var/run/zarafa-gateway\.pid	--	gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
+ /var/run/zarafa-ical\.pid	--	gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
+-/var/run/zarafa-indexer		--	gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
++/var/run/zarafa-indexer		-s	gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
++/var/run/zarafa-indexer\.pid	--	gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+ /var/run/zarafa-monitor\.pid	--	gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
+ /var/run/zarafa-server\.pid	--	gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+ /var/run/zarafa-spooler\.pid	--	gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
 diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
 index 21ae664..cb3a098 100644
 --- a/policy/modules/services/zarafa.if
@@ -71278,7 +137761,7 @@ index 6b87605..c745e03 100644
  	init_labeled_script_domtrans($1, zebra_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
-index ade6c2c..2b78f0d 100644
+index ade6c2c..08479b0 100644
 --- a/policy/modules/services/zebra.te
 +++ b/policy/modules/services/zebra.te
 @@ -6,11 +6,10 @@ policy_module(zebra, 1.12.0)
@@ -71314,15 +137797,27 @@ index ade6c2c..2b78f0d 100644
  manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
  manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
  logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
+@@ -106,6 +105,8 @@ files_search_etc(zebra_t)
+ files_read_etc_files(zebra_t)
+ files_read_etc_runtime_files(zebra_t)
+ 
++auth_read_passwd(zebra_t)
++
+ logging_send_syslog_msg(zebra_t)
+ 
+ miscfiles_read_localization(zebra_t)
 diff --git a/policy/modules/services/zoneminder.fc b/policy/modules/services/zoneminder.fc
 new file mode 100644
-index 0000000..b74fadf
+index 0000000..47e388a
 --- /dev/null
 +++ b/policy/modules/services/zoneminder.fc
-@@ -0,0 +1,12 @@
+@@ -0,0 +1,22 @@
++/etc/rc\.d/init\.d/motion       --      gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
 +
 +/etc/rc\.d/init\.d/zoneminder	--	gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
 +
++/usr/bin/motion         --      gen_context(system_u:object_r:zoneminder_exec_t,s0)
++
 +/usr/bin/zmpkg.pl		--	gen_context(system_u:object_r:zoneminder_exec_t,s0)
 +
 +/usr/libexec/zoneminder/cgi-bin(/.*)? 	gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)
@@ -71331,13 +137826,20 @@ index 0000000..b74fadf
 +
 +/var/log/zoneminder(/.*)?		gen_context(system_u:object_r:zoneminder_log_t,s0)
 +
++/var/log/motion\.log	--		gen_context(system_u:object_r:zoneminder_log_t,s0)
++
++/var/run/motion\.pid	--		gen_context(system_u:object_r:zoneminder_var_run_t,s0)
++
 +/var/spool/zoneminder-upload(/.*)?	gen_context(system_u:object_r:zoneminder_spool_t,s0)
++
++
++
 diff --git a/policy/modules/services/zoneminder.if b/policy/modules/services/zoneminder.if
 new file mode 100644
-index 0000000..d3e6527
+index 0000000..b34b8b4
 --- /dev/null
 +++ b/policy/modules/services/zoneminder.if
-@@ -0,0 +1,320 @@
+@@ -0,0 +1,339 @@
 +
 +## <summary>policy for zoneminder</summary>
 +
@@ -71613,6 +138115,25 @@ index 0000000..d3e6527
 +	stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t)
 +')
 +
++######################################
++## <summary>
++##  Read/write zonerimender tmpfs files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`zoneminder_rw_tmpfs_files',`
++    gen_require(`
++        type zoneminder_tmpfs_t;
++    ')
++
++    fs_search_tmpfs($1)
++    rw_files_pattern($1, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
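Review bot: The summary of the new `zoneminder_rw_tmpfs_files` interface misspells the module name as "zonerimender", and that is the text generated interface documentation and searches will show; it should read `##  Read/write zoneminder tmpfs files.`. The added block is also indented with spaces, while the `stream_connect_pattern` line just above it uses a tab, so matching the tab style would keep the file consistent.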
@@ -71660,10 +138181,10 @@ index 0000000..d3e6527
 +
 diff --git a/policy/modules/services/zoneminder.te b/policy/modules/services/zoneminder.te
 new file mode 100644
-index 0000000..bcbe09f
+index 0000000..9562539
 --- /dev/null
 +++ b/policy/modules/services/zoneminder.te
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,124 @@
 +policy_module(zoneminder, 1.0.0)
 +
 +########################################
@@ -71739,12 +138260,14 @@ index 0000000..bcbe09f
 +corecmd_exec_bin(zoneminder_t)
 +corecmd_exec_shell(zoneminder_t)
 +
++corenet_tcp_bind_http_cache_port(zoneminder_t)
++corenet_tcp_bind_transproxy_port(zoneminder_t)
++
 +dev_read_sysfs(zoneminder_t)
 +dev_read_rand(zoneminder_t)
 +dev_read_urand(zoneminder_t)
 +dev_read_video_dev(zoneminder_t)
-+
-+domain_use_interactive_fds(zoneminder_t)
++dev_write_video_dev(zoneminder_t)
 +
 +files_read_etc_files(zoneminder_t)
 +files_read_usr_files(zoneminder_t)
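Review bot: The three permissions added to zoneminder_t here, `corenet_tcp_bind_http_cache_port`, `corenet_tcp_bind_transproxy_port` and `dev_write_video_dev`, carry no comment saying which program needs them. The zoneminder.fc hunks of this commit label `/usr/bin/motion` as zoneminder_exec_t, so they are presumably for motion. Because both daemons share one domain, ZoneMinder itself also gains the port binds and write access to video devices. I would add a line such as `# needed by motion, which runs in zoneminder_t` above them, and consider a separate domain for motion if the two programs' needs keep diverging.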
@@ -71832,10 +138355,35 @@ index f9a06d2..3d407c6 100644
  
  files_read_etc_files(zos_remote_t)
 diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index 1b6619e..c480ddd 100644
+index 1b6619e..3aed6ad 100644
 --- a/policy/modules/system/application.if
 +++ b/policy/modules/system/application.if
-@@ -205,3 +205,21 @@ interface(`application_dontaudit_sigkill',`
+@@ -189,6 +189,24 @@ interface(`application_dontaudit_signal',`
+ 
+ ########################################
+ ## <summary>
++##	Send kill signals to all application domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`application_sigkill',`
++	gen_require(`
++		attribute application_domain_type;
++	')
++
++	allow $1 application_domain_type:process sigkill;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to send kill signals
+ ##	to all application domains.
+ ## </summary>
+@@ -205,3 +223,21 @@ interface(`application_dontaudit_sigkill',`
  
  	dontaudit $1 application_domain_type:process sigkill;
  ')
@@ -71858,10 +138406,10 @@ index 1b6619e..c480ddd 100644
 +    allow $1 application_domain_type:socket_class_set getattr;
 +')
 diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
-index c6fdab7..41198a4 100644
+index c6fdab7..32f45fa 100644
 --- a/policy/modules/system/application.te
 +++ b/policy/modules/system/application.te
-@@ -6,6 +6,24 @@ attribute application_domain_type;
+@@ -6,6 +6,28 @@ attribute application_domain_type;
  # Executables to be run by user
  attribute application_exec_type;
  
@@ -71879,6 +138427,10 @@ index c6fdab7..41198a4 100644
 +')
 +
 +optional_policy(`
++	cfengine_append_inherited_log(application_domain_type)
++')
++
++optional_policy(`
 +	cron_rw_inherited_user_spool_files(application_domain_type)
 +	cron_sigchld(application_domain_type)
 +')
@@ -71887,29 +138439,31 @@ index c6fdab7..41198a4 100644
  	cron_sigchld(application_domain_type)
  ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..29f3011 100644
+index 28ad538..82def3d 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
-@@ -1,3 +1,5 @@
+@@ -1,3 +1,7 @@
 +HOME_DIR/\.google_authenticator			gen_context(system_u:object_r:auth_home_t,s0)
++HOME_DIR/\.google_authenticator~		gen_context(system_u:object_r:auth_home_t,s0)
 +/root/\.google_authenticator			gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.google_authenticator~			gen_context(system_u:object_r:auth_home_t,s0)
  
  /bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
  
-@@ -5,7 +7,12 @@
+@@ -5,7 +9,12 @@
  /etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/gshadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
 +/etc/passwd\.adjunct.*	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
-+/etc/passwd-?		--	gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd[-\+]?	--	gen_context(system_u:object_r:passwd_file_t,s0)
 +/etc/passwd\.OLD	--	gen_context(system_u:object_r:passwd_file_t,s0)
 +/etc/ptmptmp		--	gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/group-?		--	gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/group[-\+]?	--	gen_context(system_u:object_r:passwd_file_t,s0)
  
  /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
  /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
-@@ -16,13 +23,22 @@ ifdef(`distro_suse', `
+@@ -16,13 +25,22 @@ ifdef(`distro_suse', `
  /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
  ')
  
@@ -71934,7 +138488,7 @@ index 28ad538..29f3011 100644
  
  /var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
  
-@@ -30,6 +46,8 @@ ifdef(`distro_gentoo', `
+@@ -30,6 +48,8 @@ ifdef(`distro_gentoo', `
  
  /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
@@ -71943,7 +138497,7 @@ index 28ad538..29f3011 100644
  
  /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
  /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
-@@ -39,11 +57,13 @@ ifdef(`distro_gentoo', `
+@@ -39,11 +59,13 @@ ifdef(`distro_gentoo', `
  /var/log/tallylog	--	gen_context(system_u:object_r:faillog_t,s0)
  /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
  
@@ -71959,10 +138513,29 @@ index 28ad538..29f3011 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..7b6edd5 100644
+index 73554ec..a0bd29b 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
-@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
+@@ -23,11 +23,17 @@ interface(`auth_role',`
+ 	role $1 types chkpwd_t;
+ 
+ 	# Transition from the user domain to this domain.
+-	domtrans_pattern($2, chkpwd_exec_t, chkpwd_t)
++	auth_domtrans_chkpwd($2)
+ 
+ 	ps_process_pattern($2, chkpwd_t)
+ 
+ 	dontaudit $2 shadow_t:file read_file_perms;
++
++	logging_send_syslog_msg($2)
++	logging_send_audit_msgs($2)
++
++	usermanage_read_crack_db($2)
++
+ ')
+ 
+ ########################################
+@@ -57,6 +63,8 @@ interface(`auth_use_pam',`
  	auth_exec_pam($1)
  	auth_use_nsswitch($1)
  
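Review bot: The calls added to `auth_role` grant `logging_send_syslog_msg`, `logging_send_audit_msgs` and `usermanage_read_crack_db` to `$2`, the calling user domain, rather than to chkpwd_t, and nothing in the hunk says why every role using this interface needs them. Letting a user domain send audit messages widens the set of processes allowed to write audit records. If the access is really needed by the password-checking helper, it would be tighter to grant it in chkpwd_t's own policy. `usermanage_read_crack_db($2)` is also called outside an `optional_policy` block, which looks like it would break a build that omits the usermanage module. The opening lines of `auth_role` are outside this hunk.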
@@ -71971,7 +138544,7 @@ index 73554ec..7b6edd5 100644
  	logging_send_audit_msgs($1)
  	logging_send_syslog_msg($1)
  
-@@ -78,8 +80,19 @@ interface(`auth_use_pam',`
+@@ -78,8 +86,19 @@ interface(`auth_use_pam',`
  	')
  
  	optional_policy(`
@@ -71991,7 +138564,7 @@ index 73554ec..7b6edd5 100644
  ')
  
  ########################################
-@@ -95,9 +108,13 @@ interface(`auth_use_pam',`
+@@ -95,9 +114,13 @@ interface(`auth_use_pam',`
  interface(`auth_login_pgm_domain',`
  	gen_require(`
  		type var_auth_t, auth_cache_t;
@@ -72005,7 +138578,7 @@ index 73554ec..7b6edd5 100644
  	domain_subj_id_change_exemption($1)
  	domain_role_change_exemption($1)
  	domain_obj_id_change_exemption($1)
-@@ -105,14 +122,17 @@ interface(`auth_login_pgm_domain',`
+@@ -105,14 +128,17 @@ interface(`auth_login_pgm_domain',`
  
  	# Needed for pam_selinux_permit to cleanup properly
  	domain_read_all_domains_state($1)
@@ -72023,7 +138596,7 @@ index 73554ec..7b6edd5 100644
  	manage_files_pattern($1, var_auth_t, var_auth_t)
  
  	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -120,16 +140,29 @@ interface(`auth_login_pgm_domain',`
+@@ -120,16 +146,29 @@ interface(`auth_login_pgm_domain',`
  	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
  	files_var_filetrans($1, auth_cache_t, dir)
  
@@ -72054,7 +138627,7 @@ index 73554ec..7b6edd5 100644
  
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
-@@ -145,6 +178,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +184,8 @@ interface(`auth_login_pgm_domain',`
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -72063,7 +138636,7 @@ index 73554ec..7b6edd5 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -155,13 +190,87 @@ interface(`auth_login_pgm_domain',`
+@@ -155,9 +196,83 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -72108,11 +138681,11 @@ index 73554ec..7b6edd5 100644
 +	optional_policy(`
 +		ssh_agent_exec($1)
 +		ssh_read_user_home_files($1)
- 	')
- ')
- 
- ########################################
- ## <summary>
++	')
++')
++
++########################################
++## <summary>
 +##	Read authlogin state files.
 +## </summary>
 +## <param name="domain">
@@ -72143,17 +138716,13 @@ index 73554ec..7b6edd5 100644
 +interface(`authlogin_rw_pipes',`
 +	gen_require(`
 +		attribute polydomain;
-+	')
+ 	')
 +
 +	allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Use the login program as an entry point program.
- ## </summary>
- ## <param name="domain">
-@@ -368,13 +477,15 @@ interface(`auth_domtrans_chk_passwd',`
+ ')
+ 
+ ########################################
+@@ -368,13 +483,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -72170,7 +138739,7 @@ index 73554ec..7b6edd5 100644
  ')
  
  ########################################
-@@ -421,6 +532,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +538,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -72196,7 +138765,7 @@ index 73554ec..7b6edd5 100644
  ')
  
  ########################################
-@@ -440,7 +570,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -440,7 +576,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -72204,7 +138773,7 @@ index 73554ec..7b6edd5 100644
  ')
  
  ########################################
-@@ -637,6 +766,10 @@ interface(`auth_manage_shadow',`
+@@ -637,6 +772,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -72215,7 +138784,7 @@ index 73554ec..7b6edd5 100644
  ')
  
  #######################################
-@@ -736,7 +869,50 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +875,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -72267,7 +138836,7 @@ index 73554ec..7b6edd5 100644
  ')
  
  #######################################
-@@ -932,9 +1108,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1114,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -72301,7 +138870,26 @@ index 73554ec..7b6edd5 100644
  ')
  
  ########################################
-@@ -1387,6 +1584,25 @@ interface(`auth_setattr_login_records',`
+@@ -1013,6 +1216,10 @@ interface(`auth_manage_pam_pid',`
+ 	files_search_pids($1)
+ 	allow $1 pam_var_run_t:dir manage_dir_perms;
+ 	allow $1 pam_var_run_t:file manage_file_perms;
++	files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
++	files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
++	files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
++	files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
+ ')
+ 
+ ########################################
+@@ -1130,6 +1337,7 @@ interface(`auth_manage_pam_console_data',`
+ 	files_search_pids($1)
+ 	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
+ 	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
++	files_pid_filetrans($1, pam_var_console_t, dir, "console")
+ ')
+ 
+ #######################################
+@@ -1387,6 +1595,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
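Review bot: In `auth_manage_pam_console_data` the new `files_pid_filetrans($1, pam_var_console_t, dir, "console")` sets up a named transition for a directory, but the visible lines of that interface only grant file and symlink management on pam_var_console_t. A caller may therefore get the transition without permission to create the directory itself. Unless directory creation is granted in the part of the interface outside this hunk, add `manage_dirs_pattern($1, pam_var_console_t, pam_var_console_t)` next to the existing patterns. The four pam_var_run_t transitions added to `auth_manage_pam_pid` do not have this problem, since that interface already allows `manage_dir_perms`. The same list is repeated in a later hunk of authlogin.if, though, and the two copies could drift apart.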
@@ -72327,7 +138915,7 @@ index 73554ec..7b6edd5 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1537,37 +1753,49 @@ interface(`auth_manage_login_records',`
+@@ -1537,37 +1764,49 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -72387,7 +138975,7 @@ index 73554ec..7b6edd5 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -1575,87 +1803,192 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1814,206 @@ interface(`auth_relabel_login_records',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -72426,15 +139014,20 @@ index 73554ec..7b6edd5 100644
 +		type shadow_t;
 +		type passwd_file_t;
 +		type faillog_t;
++		type lastlog_t;
 +		type wtmp_t;
++		type pam_var_console_t;
++		type pam_var_run_t;
 +	')
  
 -	sysnet_dns_name_resolve($1)
 -	sysnet_use_ldap($1)
 +	files_etc_filetrans($1, passwd_file_t, file, "group")
 +	files_etc_filetrans($1, passwd_file_t, file, "group-")
++	#files_etc_filetrans($1, passwd_file_t, file, "group+")
 +	files_etc_filetrans($1, passwd_file_t, file, "passwd")
 +	files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++	#files_etc_filetrans($1, passwd_file_t, file, "passwd+")
 +	files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD")
 +	files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
 +	files_etc_filetrans($1, shadow_t, file, "group.lock")
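Review bot: The named transitions for `"group+"` and `"passwd+"` are added commented out with no explanation, while the authlogin.fc hunk of this commit changes the patterns to `/etc/passwd[-\+]?` and `/etc/group[-\+]?` so that those files are labelled passwd_file_t. As written, a file created under one of those names would presumably keep the directory's default type until it is relabelled, which is the gap named transitions exist to close. Either enable the two lines or replace them with a comment stating why they cannot be used, e.g. `# "passwd+"/"group+" transitions disabled: <reason>`. The interface starts before this hunk and continues after it.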
@@ -72444,10 +139037,17 @@ index 73554ec..7b6edd5 100644
 +	files_etc_filetrans($1, shadow_t, file, "shadow-")
 +	files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
 +	files_etc_filetrans($1, shadow_t, file, "gshadow")
++	logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
 +	logging_log_named_filetrans($1, faillog_t, file, "tallylog")
 +	logging_log_named_filetrans($1, faillog_t, file, "faillog")
 +	logging_log_named_filetrans($1, faillog_t, file, "btmp")
 +	files_pid_filetrans($1, faillog_t, file, "faillog")
++	files_pid_filetrans($1, faillog_t, dir, "faillock")
++	files_pid_filetrans($1, pam_var_console_t, dir, "console")
++	files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
++	files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
++	files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
++	files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
 +	logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
 +')
  
@@ -72591,6 +139191,7 @@ index 73554ec..7b6edd5 100644
  	')
 +
 +	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
++	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
  ')
  
  ########################################
@@ -72629,9 +139230,10 @@ index 73554ec..7b6edd5 100644
 -	typeattribute $1 can_write_shadow_passwords;
 -	typeattribute $1 can_relabelto_shadow_passwords;
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
++	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
  ')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index b7a5f00..a22fe6d 100644
+index b7a5f00..27ad087 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,22 +5,42 @@ policy_module(authlogin, 2.2.1)
@@ -72647,7 +139249,7 @@ index b7a5f00..a22fe6d 100644
 +
 +## <desc>
 +## <p>
-+## Allow users to login using a sssd server
++## Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
 +## </p>
 +## </desc>
 +gen_tunable(authlogin_nsswitch_use_ldap, false)
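Review bot: The new description of `authlogin_nsswitch_use_ldap` has a typo, "rather then", and should read `## Allow users to resolve user passwd entries directly from ldap rather than using a sssd server`. This text is what administrators see when they list the boolean, so it is worth correcting while the wording is being changed anyway.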
@@ -72740,7 +139342,7 @@ index b7a5f00..a22fe6d 100644
  # Allow utemper to write to /tmp/.xses-*
  userdom_write_user_tmp_files(utempter_t)
  
-@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',`
+@@ -388,10 +416,75 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -72811,6 +139413,7 @@ index b7a5f00..a22fe6d 100644
 +
 +optional_policy(`
 +	sssd_stream_connect(nsswitch_domain)
++	sssd_read_public_files(nsswitch_domain)
 +')
 +
 +optional_policy(`
@@ -72952,7 +139555,7 @@ index dcc5f1c..5610417 100644
  daemontools_manage_svc(svc_start_t)
  
 diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index a97a096..368d3c2 100644
+index a97a096..e1b5cd8 100644
 --- a/policy/modules/system/fstools.fc
 +++ b/policy/modules/system/fstools.fc
 @@ -1,4 +1,3 @@
@@ -72968,14 +139571,7 @@ index a97a096..368d3c2 100644
  /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -36,12 +34,51 @@
- /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- 
-+/lib/systemd/systemd-fsck --	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+
- /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -41,7 +39,44 @@
  /usr/bin/scsi_unique_id	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  
@@ -73272,29 +139868,30 @@ index 1a3d970..0995a02 100644
  ')
  
 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 354ce93..4738083 100644
+index 354ce93..abe4723 100644
 --- a/policy/modules/system/init.fc
 +++ b/policy/modules/system/init.fc
-@@ -33,6 +33,18 @@ ifdef(`distro_gentoo', `
+@@ -2,6 +2,7 @@
+ # /etc
+ #
+ /etc/init\.d/.*		--	gen_context(system_u:object_r:initrc_exec_t,s0)
++/etc/machine-id		--	gen_context(system_u:object_r:machineid_t,s0)
+ 
+ /etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+ /etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+@@ -33,6 +34,11 @@ ifdef(`distro_gentoo', `
  #
  # /sbin
  #
 +/bin/systemd		--	gen_context(system_u:object_r:init_exec_t,s0)
 +
 +#
-+# systemd init scripts
-+#
-+/lib/systemd/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
-+/lib/systemd/fedora[^/]* --	gen_context(system_u:object_r:initrc_exec_t,s0)
-+/lib/systemd/system-generators/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
-+
-+#
 +# /sbin
 +#
  /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
  # because nowadays, /sbin/init is often a symlink to /sbin/upstart
  /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
-@@ -50,11 +62,23 @@ ifdef(`distro_gentoo', `
+@@ -50,11 +56,23 @@ ifdef(`distro_gentoo', `
  #
  /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
  
@@ -73318,13 +139915,21 @@ index 354ce93..4738083 100644
  
  #
  # /var
-@@ -76,3 +100,4 @@ ifdef(`distro_suse', `
+@@ -63,6 +81,7 @@ ifdef(`distro_gentoo', `
+ /var/run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
++/var/run/systemd/machine-id	--	gen_context(system_u:object_r:machineid_t,s0)
+ 
+ ifdef(`distro_gentoo', `
+ /var/lib/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+@@ -76,3 +95,4 @@ ifdef(`distro_suse', `
  /var/run/setleds-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  /var/run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..5a52670 100644
+index 94fd8dd..5f91350 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -73536,7 +140141,15 @@ index 94fd8dd..5a52670 100644
  ########################################
  ## <summary>
  ##	Execute init (/sbin/init) with a domain transition.
-@@ -451,6 +501,10 @@ interface(`init_exec',`
+@@ -442,7 +492,6 @@ interface(`init_domtrans',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`init_exec',`
+ 	gen_require(`
+@@ -451,6 +500,29 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
@@ -73544,10 +140157,29 @@ index 94fd8dd..5a52670 100644
 +	tunable_policy(`init_systemd',`
 +		systemd_exec_systemctl($1)
 +	')
++')
++
++#######################################
++## <summary>
++##  Dontaudit getattr on the init program.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++## <rolecap/>
++#
++interface(`init_dontaudit_getattr_exec',`
++    gen_require(`
++        type init_exec_t;
++    ')
++
++	dontaudit $1 init_exec_t:file getattr;
  ')
  
  ########################################
-@@ -509,6 +563,24 @@ interface(`init_sigchld',`
+@@ -509,6 +581,24 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
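Review bot: The documentation of the new `init_dontaudit_getattr_exec` does not match what it does: the parameter summary says "Domain allowed access." although the body is a `dontaudit` rule, so it should read `##  Domain to not audit.`. The `## <rolecap/>` tag also looks carried over from `init_exec`, where the preceding hunk removes it; confirm it is intended on a dontaudit interface. The body mixes four-space indentation with a tab on the `dontaudit` line, unlike the tab-indented interfaces around it.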
@@ -73572,7 +140204,7 @@ index 94fd8dd..5a52670 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -519,10 +591,66 @@ interface(`init_sigchld',`
+@@ -519,10 +609,66 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -73641,7 +140273,7 @@ index 94fd8dd..5a52670 100644
  ')
  
  ########################################
-@@ -688,19 +816,25 @@ interface(`init_telinit',`
+@@ -688,19 +834,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -73668,7 +140300,7 @@ index 94fd8dd..5a52670 100644
  	')
  ')
  
-@@ -730,7 +864,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +882,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -73677,7 +140309,7 @@ index 94fd8dd..5a52670 100644
  ##	</summary>
  ## </param>
  #
-@@ -773,18 +907,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +925,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -73701,7 +140333,7 @@ index 94fd8dd..5a52670 100644
  	')
  ')
  
-@@ -800,23 +935,45 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +953,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -73724,11 +140356,11 @@ index 94fd8dd..5a52670 100644
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- 	')
- ')
- 
- ########################################
- ## <summary>
++	')
++')
++
++########################################
++## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -73741,17 +140373,13 @@ index 94fd8dd..5a52670 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
-+	')
+ 	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute a init script in a specified domain.
- ## </summary>
- ## <desc>
-@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',`
+ ')
+ 
+ ########################################
+@@ -868,9 +1043,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -73766,7 +140394,7 @@ index 94fd8dd..5a52670 100644
  	files_search_etc($1)
  ')
  
-@@ -961,7 +1123,9 @@ interface(`init_ptrace',`
+@@ -961,7 +1141,9 @@ interface(`init_ptrace',`
  		type init_t;
  	')
  
@@ -73777,7 +140405,7 @@ index 94fd8dd..5a52670 100644
  ')
  
  ########################################
-@@ -1079,6 +1243,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1261,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -73802,7 +140430,7 @@ index 94fd8dd..5a52670 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1312,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1330,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -73816,7 +140444,7 @@ index 94fd8dd..5a52670 100644
  ')
  
  ########################################
-@@ -1375,6 +1552,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1570,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -73844,7 +140472,7 @@ index 94fd8dd..5a52670 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1659,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1677,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -73870,7 +140498,7 @@ index 94fd8dd..5a52670 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1736,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1754,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -73895,10 +140523,29 @@ index 94fd8dd..5a52670 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1586,6 +1821,24 @@ interface(`init_read_utmp',`
+@@ -1586,6 +1839,43 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
++##	Read utmp.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_read_machineid',`
++	gen_require(`
++		type machineid_t;
++	')
++
++	files_search_etc($1)
++	allow $1 machineid_t:file read_file_perms;
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to read utmp.
 +## </summary>
 +## <param name="domain">
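Review bot: The summary of the new `init_read_machineid` interface says "Read utmp.", apparently copied from `init_read_utmp` above it, but the body allows `read_file_perms` on machineid_t; it should read something like `##	Read the machine-id file.`. The interface only calls `files_search_etc($1)`, while init.fc in this commit also labels `/var/run/systemd/machine-id` with machineid_t. Callers reading that copy may need search access to the pid directories as well, which is worth confirming.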
@@ -73920,7 +140567,7 @@ index 94fd8dd..5a52670 100644
  ##	Do not audit attempts to write utmp.
  ## </summary>
  ## <param name="domain">
-@@ -1674,7 +1927,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1964,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -73929,7 +140576,7 @@ index 94fd8dd..5a52670 100644
  ')
  
  ########################################
-@@ -1715,6 +1968,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +2005,128 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -74058,7 +140705,7 @@ index 94fd8dd..5a52670 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2124,194 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2161,284 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -74253,8 +140900,98 @@ index 94fd8dd..5a52670 100644
 +
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
++
++########################################
++## <summary>
++##	Read/Write init unnamed pipes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_rw_pipes',`
++	gen_require(`
++		type init_var_run_t;
++	')
++
++	rw_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
++')
++
++########################################
++## <summary>
++##	Get the system status information from init
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_status',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:system status;
++')
++
++########################################
++## <summary>
++##	Tell init to reboot the system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_reboot',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:system reboot;
++')
++
++########################################
++## <summary>
++##	Tell init to halt the system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_halt',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:system halt;
++')
++
++########################################
++## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_undefined',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:system undefined;
++')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..75822e6 100644
+index 29a9565..289edda 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -74312,7 +141049,17 @@ index 29a9565..75822e6 100644
  type init_exec_t;
  domain_type(init_t)
  domain_entry_file(init_t, init_exec_t)
-@@ -63,6 +95,8 @@ role system_r types initrc_t;
+@@ -45,6 +77,9 @@ role system_r types init_t;
+ type init_var_run_t;
+ files_pid_file(init_var_run_t)
+ 
++type machineid_t;
++files_config_file(machineid_t)
++
+ #
+ # initctl_t is the type of the named pipe created
+ # by init during initialization.  This pipe is used
+@@ -63,6 +98,8 @@ role system_r types initrc_t;
  # of the below init_upstart tunable
  # but this has a typeattribute in it
  corecmd_shell_entry_type(initrc_t)
@@ -74321,7 +141068,7 @@ index 29a9565..75822e6 100644
  
  type initrc_devpts_t;
  term_pty(initrc_devpts_t)
-@@ -87,7 +121,7 @@ ifdef(`enable_mls',`
+@@ -87,7 +124,7 @@ ifdef(`enable_mls',`
  #
  
  # Use capabilities. old rule:
@@ -74330,28 +141077,39 @@ index 29a9565..75822e6 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -100,11 +134,16 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -99,12 +136,25 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+ 
  # Re-exec itself
  can_exec(init_t, init_exec_t)
- 
+-
 -allow init_t initrc_t:unix_stream_socket connectto;
-+allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms };
-+allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
-+allow initrc_t init_t:fifo_file rw_fifo_file_perms;
- 
+-
 -# For /var/run/shutdown.pid.
 -allow init_t init_var_run_t:file manage_file_perms;
 -files_pid_filetrans(init_t, init_var_run_t, file)
++# executing content in /run/initramfs
++manage_files_pattern(init_t, initrc_state_t, initrc_state_t)
++can_exec(init_t, initrc_state_t)
++
++allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms };
++allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
++allow initrc_t init_t:fifo_file rw_fifo_file_perms;
++
 +manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
 +manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +files_pid_filetrans(init_t, init_var_run_t, { dir file })
 +allow init_t init_var_run_t:dir mounton;
++
++allow init_t machineid_t:file manage_file_perms;
++files_pid_filetrans(init_t, machineid_t, file, "machine-id")
++files_etc_filetrans(init_t, machineid_t, file, "machine-id")
++allow init_t machineid_t:file mounton;
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -114,25 +153,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -114,25 +164,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
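Review bot: The pair `manage_files_pattern(init_t, initrc_state_t, initrc_state_t)` and `can_exec(init_t, initrc_state_t)` makes initrc_state_t both writable and executable by init_t without a domain transition. The integrity of what init runs then depends on every other domain that is allowed to write that type. If init only needs to run what is already present in /run/initramfs, as the comment suggests, read and execute access would be enough. Otherwise a dedicated type for that content would separate it from the other users of initrc_state_t, and the comment should say why write access is required.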
@@ -74387,7 +141145,7 @@ index 29a9565..75822e6 100644
  files_etc_filetrans_etc_runtime(init_t, file)
  # Run /etc/X11/prefdm:
  files_exec_etc_files(init_t)
-@@ -144,6 +192,8 @@ fs_list_inotifyfs(init_t)
+@@ -144,6 +203,8 @@ fs_list_inotifyfs(init_t)
  # cjp: this may be related to /dev/log
  fs_write_ramfs_sockets(init_t)
  
@@ -74396,7 +141154,7 @@ index 29a9565..75822e6 100644
  mcs_process_set_categories(init_t)
  mcs_killall(init_t)
  
-@@ -151,34 +201,50 @@ mls_file_read_all_levels(init_t)
+@@ -151,34 +212,54 @@ mls_file_read_all_levels(init_t)
  mls_file_write_all_levels(init_t)
  mls_process_write_down(init_t)
  mls_fd_use_all_levels(init_t)
@@ -74429,9 +141187,13 @@ index 29a9565..75822e6 100644
 +seutil_read_module_store(init_t)
  
  miscfiles_read_localization(init_t)
- 
-+allow init_t self:process setsched;
++miscfiles_manage_localization(init_t)
++miscfiles_filetrans_named_content(init_t)
++
++userdom_use_user_ttys(init_t)
 +
++allow init_t self:process setsched;
+ 
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
@@ -74449,17 +141211,18 @@ index 29a9565..75822e6 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +252,146 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +267,146 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
 +storage_raw_rw_fixed_disk(init_t)
 +
-+optional_policy(`
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	modutils_domtrans_insmod(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_aliases(init_t)
@@ -74568,12 +141331,11 @@ index 29a9565..75822e6 100644
 +	systemd_filetrans_named_content(init_t)
 +')
 +
- optional_policy(`
--	auth_rw_login_records(init_t)
++optional_policy(`
 +	lvm_rw_pipes(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	consolekit_manage_log(init_t)
 +')
 +
@@ -74598,7 +141360,7 @@ index 29a9565..75822e6 100644
  ')
  
  optional_policy(`
-@@ -203,6 +399,17 @@ optional_policy(`
+@@ -203,6 +414,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74616,17 +141378,18 @@ index 29a9565..75822e6 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +419,8 @@ optional_policy(`
+@@ -212,8 +434,8 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
 -allow initrc_t self:capability ~{ sys_admin sys_module };
+-dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 +allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
-+
- dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
++dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +449,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+ 
+@@ -241,12 +463,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
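Review bot: The revised `dontaudit initrc_t self:capability { sys_ptrace sys_module };` now silences sys_ptrace denials for init scripts, but its trailing comment `# sysctl is triggering this` was written for sys_module alone. Once dontaudited, a ptrace-capability attempt from initrc_t leaves no AVC record unless dontaudit rules are turned off, so the reason for hiding it should be stated on the rule. I would keep `dontaudit initrc_t self:capability sys_module; # sysctl is triggering this` as it was and add a separate `dontaudit initrc_t self:capability sys_ptrace;` with its own comment naming what triggers it. The initrc_t local-policy section continues outside this hunk.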
@@ -74642,7 +141405,7 @@ index 29a9565..75822e6 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +469,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +483,34 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -74662,6 +141425,8 @@ index 29a9565..75822e6 100644
 +files_manage_system_conf_files(initrc_t)
 +
 +fs_manage_tmpfs_dirs(initrc_t)
++fs_manage_tmpfs_symlinks(initrc_t)
++fs_delete_tmpfs_files(initrc_t)
 +fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
  
  corecmd_exec_all_executables(initrc_t)
@@ -74679,7 +141444,7 @@ index 29a9565..75822e6 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +502,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +518,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -74687,7 +141452,7 @@ index 29a9565..75822e6 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +513,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +529,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -74698,7 +141463,7 @@ index 29a9565..75822e6 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,17 +524,16 @@ dev_manage_generic_files(initrc_t)
+@@ -298,17 +540,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -74718,7 +141483,7 @@ index 29a9565..75822e6 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -316,6 +541,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +557,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -74726,7 +141491,7 @@ index 29a9565..75822e6 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +549,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +565,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -74738,7 +141503,7 @@ index 29a9565..75822e6 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +568,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +584,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -74752,7 +141517,7 @@ index 29a9565..75822e6 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,9 +583,12 @@ fs_mount_all_fs(initrc_t)
+@@ -351,9 +599,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -74766,7 +141531,7 @@ index 29a9565..75822e6 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -363,6 +598,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +614,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -74774,7 +141539,7 @@ index 29a9565..75822e6 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +610,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +626,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -74782,7 +141547,7 @@ index 29a9565..75822e6 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +631,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +647,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -74804,7 +141569,7 @@ index 29a9565..75822e6 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +694,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +710,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -74815,7 +141580,7 @@ index 29a9565..75822e6 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +718,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +734,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -74824,7 +141589,7 @@ index 29a9565..75822e6 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +733,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +749,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -74832,7 +141597,15 @@ index 29a9565..75822e6 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +763,35 @@ ifdef(`distro_redhat',`
+@@ -513,6 +770,7 @@ ifdef(`distro_redhat',`
+ 	miscfiles_rw_localization(initrc_t)
+ 	miscfiles_setattr_localization(initrc_t)
+ 	miscfiles_relabel_localization(initrc_t)
++	miscfiles_filetrans_named_content(initrc_t)
+ 
+ 	miscfiles_read_fonts(initrc_t)
+ 	miscfiles_read_hwdata(initrc_t)
+@@ -522,8 +780,35 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -74868,7 +141641,7 @@ index 29a9565..75822e6 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +799,22 @@ ifdef(`distro_redhat',`
+@@ -531,14 +816,27 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -74891,7 +141664,12 @@ index 29a9565..75822e6 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +829,39 @@ ifdef(`distro_suse',`
+ 		xserver_delete_log(initrc_t)
++		xserver_manage_user_fonts_dir(initrc_t)
+ 	')
+ ')
+ 
+@@ -549,6 +847,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -74931,7 +141709,7 @@ index 29a9565..75822e6 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +874,8 @@ optional_policy(`
+@@ -561,6 +892,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -74940,7 +141718,7 @@ index 29a9565..75822e6 100644
  ')
  
  optional_policy(`
-@@ -577,6 +892,7 @@ optional_policy(`
+@@ -577,6 +910,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -74948,7 +141726,7 @@ index 29a9565..75822e6 100644
  ')
  
  optional_policy(`
-@@ -589,6 +905,17 @@ optional_policy(`
+@@ -589,6 +923,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74966,7 +141744,7 @@ index 29a9565..75822e6 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +932,13 @@ optional_policy(`
+@@ -605,9 +950,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -74980,7 +141758,7 @@ index 29a9565..75822e6 100644
  	')
  
  	optional_policy(`
-@@ -632,6 +963,10 @@ optional_policy(`
+@@ -632,6 +981,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74991,10 +141769,14 @@ index 29a9565..75822e6 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -649,6 +984,11 @@ optional_policy(`
+@@ -649,6 +1002,15 @@ optional_policy(`
  ')
  
  optional_policy(`
++	firewalld_dbus_chat(initrc_t)
++')
++
++optional_policy(`
 +	modutils_read_module_config(initrc_t)
 +	modutils_domtrans_insmod(initrc_t)
 +')
@@ -75003,7 +141785,7 @@ index 29a9565..75822e6 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1029,7 @@ optional_policy(`
+@@ -689,6 +1051,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -75011,7 +141793,7 @@ index 29a9565..75822e6 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1047,13 @@ optional_policy(`
+@@ -706,7 +1069,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75025,7 +141807,7 @@ index 29a9565..75822e6 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1076,10 @@ optional_policy(`
+@@ -729,6 +1098,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75036,7 +141818,7 @@ index 29a9565..75822e6 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1089,20 @@ optional_policy(`
+@@ -738,10 +1111,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75057,7 +141839,7 @@ index 29a9565..75822e6 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1111,10 @@ optional_policy(`
+@@ -750,6 +1133,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75068,7 +141850,7 @@ index 29a9565..75822e6 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1136,6 @@ optional_policy(`
+@@ -771,8 +1158,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -75077,7 +141859,7 @@ index 29a9565..75822e6 100644
  ')
  
  optional_policy(`
-@@ -781,6 +1144,10 @@ optional_policy(`
+@@ -781,6 +1166,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75088,7 +141870,7 @@ index 29a9565..75822e6 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -790,10 +1157,12 @@ optional_policy(`
+@@ -790,10 +1179,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -75101,7 +141883,7 @@ index 29a9565..75822e6 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1174,6 @@ optional_policy(`
+@@ -805,7 +1196,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75109,11 +141891,12 @@ index 29a9565..75822e6 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1183,25 @@ optional_policy(`
+@@ -815,11 +1205,30 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	virt_manage_svirt_cache(initrc_t)
++	virt_manage_pid_dirs(initrc_t)
 +	virt_manage_cache(initrc_t)
 +	virt_manage_lib_files(initrc_t)
 +')
@@ -75122,6 +141905,10 @@ index 29a9565..75822e6 100644
 +optional_policy(`
 +	cron_rw_pipes(daemon)
 +	cron_rw_inherited_user_spool_files(daemon)
++')
++
++optional_policy(`
++	cfengine_append_inherited_log(daemon)
  ')
  
  optional_policy(`
@@ -75136,7 +141923,7 @@ index 29a9565..75822e6 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1211,18 @@ optional_policy(`
+@@ -829,6 +1238,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -75155,7 +141942,7 @@ index 29a9565..75822e6 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1238,10 @@ optional_policy(`
+@@ -844,6 +1265,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75166,7 +141953,7 @@ index 29a9565..75822e6 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1252,161 @@ optional_policy(`
+@@ -854,3 +1279,165 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -75302,6 +142089,10 @@ index 29a9565..75822e6 100644
 +')
 +
 +optional_policy(`
++    cfengine_append_inherited_log(systemprocess)
++')
++
++optional_policy(`
 +	cron_rw_pipes(systemprocess)
 +')
 +
@@ -75403,7 +142194,7 @@ index 0d4c8d3..9d66bf7 100644
  
  ########################################
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 55a6cd8..94e11eb 100644
+index 55a6cd8..02378d2 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -73,13 +73,15 @@ role system_r types setkey_t;
@@ -75423,7 +142214,7 @@ index 55a6cd8..94e11eb 100644
  
  allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
  
-@@ -128,13 +130,13 @@ corecmd_exec_bin(ipsec_t)
+@@ -128,19 +130,21 @@ corecmd_exec_bin(ipsec_t)
  
  # Pluto needs network access
  corenet_all_recvfrom_unlabeled(ipsec_t)
@@ -75443,7 +142234,15 @@ index 55a6cd8..94e11eb 100644
  corenet_tcp_bind_reserved_port(ipsec_t)
  corenet_tcp_bind_isakmp_port(ipsec_t)
  corenet_udp_bind_isakmp_port(ipsec_t)
-@@ -156,6 +158,8 @@ files_dontaudit_search_home(ipsec_t)
+ corenet_udp_bind_ipsecnat_port(ipsec_t)
+ corenet_sendrecv_generic_server_packets(ipsec_t)
+ corenet_sendrecv_isakmp_server_packets(ipsec_t)
++corenet_tcp_connect_http_port(ipsec_t)
++corenet_tcp_connect_ldap_port(ipsec_t)
+ 
+ dev_read_sysfs(ipsec_t)
+ dev_read_rand(ipsec_t)
+@@ -156,6 +160,8 @@ files_dontaudit_search_home(ipsec_t)
  fs_getattr_all_fs(ipsec_t)
  fs_search_auto_mountpoints(ipsec_t)
  
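Review bot: `corenet_tcp_connect_http_port(ipsec_t)` and `corenet_tcp_connect_ldap_port(ipsec_t)` give the IKE daemon outbound TCP to web and directory ports, and the only comment in the section is the generic `# Pluto needs network access`. Presumably this is for fetching CRLs or certificates, but that is an inference; the consumer should be written next to the rules, for example `# pluto fetches CRLs over http/ldap` once confirmed. The same gap applies to `corenet_tcp_connect_rndc_port(ipsec_mgmt_t)` and `bind_read_dnssec_keys(ipsec_mgmt_t)` in the later ipsec.te hunks. The latter, going by its name, lets the management domain read BIND key files.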
@@ -75452,7 +142251,7 @@ index 55a6cd8..94e11eb 100644
  term_use_console(ipsec_t)
  term_dontaudit_use_all_ttys(ipsec_t)
  
-@@ -169,6 +173,8 @@ logging_send_syslog_msg(ipsec_t)
+@@ -169,6 +175,8 @@ logging_send_syslog_msg(ipsec_t)
  miscfiles_read_localization(ipsec_t)
  
  sysnet_domtrans_ifconfig(ipsec_t)
@@ -75461,18 +142260,20 @@ index 55a6cd8..94e11eb 100644
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -187,8 +193,8 @@ optional_policy(`
+@@ -186,9 +194,9 @@ optional_policy(`
+ # ipsec_mgmt Local policy
  #
  
- allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
 -dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
 -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
++allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
 +dontaudit ipsec_mgmt_t self:capability sys_tty_config;
 +allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
  allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -245,6 +251,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -245,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
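Review bot: The rewritten `allow ipsec_mgmt_t self:capability { ... sys_nice sys_ptrace };` grants sys_ptrace unconditionally, where the original policy dontaudited it and the previous revision of this patch only dropped the dontaudit. The adjacent line removes `ptrace` from `self:process`, so the hunk moves in two directions and has no comment explaining what in the management scripts needs the capability. This commit's booleans-targeted.conf carries a `deny_ptrace` boolean; if that boolean is meant to govern ptrace system-wide, this grant would presumably belong in a tunable_policy block keyed on it rather than in the unconditional capability set. At minimum, put sys_ptrace on its own allow line with a comment naming the tool that requires it, so the grant can be audited and withdrawn independently.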
@@ -75489,7 +142290,16 @@ index 55a6cd8..94e11eb 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -277,9 +293,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -254,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+ corecmd_exec_bin(ipsec_mgmt_t)
+ corecmd_exec_shell(ipsec_mgmt_t)
+ 
++corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
++
+ dev_read_rand(ipsec_mgmt_t)
+ dev_read_urand(ipsec_mgmt_t)
+ 
+@@ -277,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -75501,16 +142311,21 @@ index 55a6cd8..94e11eb 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -297,7 +314,7 @@ sysnet_manage_config(ipsec_mgmt_t)
+@@ -297,7 +318,12 @@ sysnet_manage_config(ipsec_mgmt_t)
  sysnet_domtrans_ifconfig(ipsec_mgmt_t)
  sysnet_etc_filetrans_config(ipsec_mgmt_t)
  
 -userdom_use_user_terminals(ipsec_mgmt_t)
 +userdom_use_inherited_user_terminals(ipsec_mgmt_t)
++
++optional_policy(`
++	bind_read_dnssec_keys(ipsec_mgmt_t)
++	bind_read_config(ipsec_mgmt_t)
++')
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -324,10 +341,6 @@ optional_policy(`
+@@ -324,10 +350,6 @@ optional_policy(`
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
@@ -75521,7 +142336,7 @@ index 55a6cd8..94e11eb 100644
  ifdef(`TODO',`
  # ideally it would not need this.  It wants to write to /root/.rnd
  file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
-@@ -377,12 +390,12 @@ corecmd_exec_shell(racoon_t)
+@@ -377,12 +399,12 @@ corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
  corenet_all_recvfrom_unlabeled(racoon_t)
@@ -75540,7 +142355,7 @@ index 55a6cd8..94e11eb 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -411,6 +424,8 @@ miscfiles_read_localization(racoon_t)
+@@ -411,6 +433,8 @@ miscfiles_read_localization(racoon_t)
  
  sysnet_exec_ifconfig(racoon_t)
  
@@ -75549,7 +142364,7 @@ index 55a6cd8..94e11eb 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -448,5 +463,6 @@ miscfiles_read_localization(setkey_t)
+@@ -448,5 +472,6 @@ miscfiles_read_localization(setkey_t)
  
  seutil_read_config(setkey_t)
  
@@ -75558,21 +142373,22 @@ index 55a6cd8..94e11eb 100644
 +userdom_read_user_tmp_files(setkey_t)
  
 diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 05fb364..dd07f08 100644
+index 05fb364..5effebe 100644
 --- a/policy/modules/system/iptables.fc
 +++ b/policy/modules/system/iptables.fc
-@@ -1,7 +1,7 @@
+@@ -1,7 +1,8 @@
  /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/ebtables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
 -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
 +/etc/rc\.d/init\.d/ebtables		--  gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 +
-+/lib/systemd/system/iptables6?.service 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/iptables.* 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/ip6tables.* 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
  
  /sbin/ebtables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ebtables-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-@@ -12,8 +12,17 @@
+@@ -12,8 +13,15 @@
  /sbin/ipvsadm			--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -75591,10 +142407,8 @@ index 05fb364..dd07f08 100644
 +/usr/sbin/ipvsadm-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-+
-+/usr/lib/systemd/system/iptables6?.service 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
 diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
-index 7ba53db..db118e3 100644
+index 7ba53db..f4a49a0 100644
 --- a/policy/modules/system/iptables.if
 +++ b/policy/modules/system/iptables.if
 @@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
@@ -75630,7 +142444,7 @@ index 7ba53db..db118e3 100644
 +
 +	systemd_exec_systemctl($1)
 +	allow $1 iptables_unit_file_t:file read_file_perms;
-+	allow $1 iptables_unit_file_t:service all_service_perms;
++	allow $1 iptables_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, iptables_t)
 +')
@@ -75748,7 +142562,7 @@ index f3e1b57..d7fd7fb 100644
  ')
  
 diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
-index 14d9670..16d4a57 100644
+index 14d9670..358255e 100644
 --- a/policy/modules/system/iscsi.fc
 +++ b/policy/modules/system/iscsi.fc
 @@ -1,7 +1,16 @@
@@ -75761,7 +142575,7 @@ index 14d9670..16d4a57 100644
  /var/lock/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_lock_t,s0)
 +
  /var/log/brcm-iscsi\.log --	gen_context(system_u:object_r:iscsi_log_t,s0)
-+/var/log/iscsiuio\.log.*	gen_context(system_u:object_r:iscsi_log_t,s0)
++/var/log/iscsiuio\.log.*	--	gen_context(system_u:object_r:iscsi_log_t,s0)
 +
  /var/run/iscsid\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
 +
@@ -75802,7 +142616,7 @@ index ddbd8be..fad18e0 100644
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..75a2fbd 100644
+index 560dc48..e644b1e 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -28,26 +28,24 @@ ifdef(`distro_redhat',`
@@ -75836,9 +142650,12 @@ index 560dc48..75a2fbd 100644
  ')
  
  ifdef(`distro_gentoo',`
-@@ -62,7 +60,6 @@ ifdef(`distro_gentoo',`
+@@ -60,9 +58,8 @@ ifdef(`distro_gentoo',`
+ #
+ # /opt
  #
- /opt/.*\.so					gen_context(system_u:object_r:lib_t,s0)
+-/opt/.*\.so					gen_context(system_u:object_r:lib_t,s0)
++/opt/.*\.so(\.[^/]*)*				gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
 -/opt/(.*/)?lib64(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
@@ -75857,7 +142674,7 @@ index 560dc48..75a2fbd 100644
  /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -119,64 +122,62 @@ ifdef(`distro_redhat',`
+@@ -119,64 +122,63 @@ ifdef(`distro_redhat',`
  /usr/(.*/)?java/.+\.jsa			--	gen_context(system_u:object_r:lib_t,s0)
  
  /usr/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
@@ -75924,6 +142741,7 @@ index 560dc48..75a2fbd 100644
 +/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/nero/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia/.+\.so(\..*)? --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
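Review bot: `/usr/lib/nvidia/.+\.so(\..*)? --` ends with `(\..*)?`, which can run across `/`, whereas the neighbouring nvidia entries use `(\.[^/]*)*` to keep the version suffix within one path component. As written, any regular file beneath a directory whose name contains `.so.` under /usr/lib/nvidia would also be labelled textrel_shlib_t. That is the type libs_use_shared_libs allows `execmod` on (see the libraries.if hunk on this page). I would write it like the lines around it: `/usr/lib/nvidia/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)`.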
@@ -75956,7 +142774,7 @@ index 560dc48..75a2fbd 100644
  ')
  
  ifdef(`distro_gentoo',`
-@@ -195,7 +196,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
+@@ -195,7 +197,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
  /usr/lib/allegro/(.*/)?alleg-vga\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -75964,7 +142782,7 @@ index 560dc48..75a2fbd 100644
  /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libfglrx_gamma\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -203,86 +203,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
+@@ -203,86 +204,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
  /usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/nx/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/VBoxVMM\.so			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -76109,7 +142927,7 @@ index 560dc48..75a2fbd 100644
  
  /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -303,8 +304,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -303,8 +305,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -76119,7 +142937,7 @@ index 560dc48..75a2fbd 100644
  ') dnl end distro_redhat
  
  #
-@@ -312,17 +312,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -312,17 +313,157 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -76146,6 +142964,7 @@ index 560dc48..75a2fbd 100644
 +/usr/share/squeezeboxserver/CPAN/arch/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/var/spool/postfix/lib(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
++/var/spool/postfix/lib64(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 -/var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
 +/var/spool/postfix/lib/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -76283,11 +143102,22 @@ index 560dc48..75a2fbd 100644
 +
 +/usr/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..4ff705d 100644
+index 808ba93..f94b80a 100644
 --- a/policy/modules/system/libraries.if
 +++ b/policy/modules/system/libraries.if
-@@ -207,6 +207,23 @@ interface(`libs_search_lib',`
+@@ -147,6 +147,7 @@ interface(`libs_manage_ld_so',`
+ 		type lib_t, ld_so_t;
+ 	')
+ 
++	read_lnk_files_pattern($1, lib_t, lib_t)
+ 	manage_files_pattern($1, lib_t, ld_so_t)
+ ')
+ 
+@@ -205,8 +206,26 @@ interface(`libs_search_lib',`
+ 		type lib_t;
+ 	')
  
++	read_lnk_files_pattern($1, lib_t, lib_t)
  	allow $1 lib_t:dir search_dir_perms;
  ')
 +########################################
@@ -76310,7 +143140,13 @@ index 808ba93..4ff705d 100644
  
  ########################################
  ## <summary>
-@@ -253,24 +270,6 @@ interface(`libs_manage_lib_dirs',`
+@@ -248,29 +267,12 @@ interface(`libs_manage_lib_dirs',`
+ 		type lib_t;
+ 	')
+ 
++	read_lnk_files_pattern($1, lib_t, lib_t)
+ 	allow $1 lib_t:dir manage_dir_perms;
+ ')
  
  ########################################
  ## <summary>
@@ -76335,16 +143171,25 @@ index 808ba93..4ff705d 100644
  ##	Read files in the library directories, such
  ##	as static libraries.
  ## </summary>
-@@ -421,7 +420,7 @@ interface(`libs_manage_shared_libs',`
+@@ -345,6 +347,7 @@ interface(`libs_manage_lib_files',`
+ 		type lib_t;
+ 	')
+ 
++	read_lnk_files_pattern($1, lib_t, lib_t)
+ 	manage_files_pattern($1, lib_t, lib_t)
+ ')
+ 
+@@ -421,7 +424,8 @@ interface(`libs_manage_shared_libs',`
  		type lib_t, textrel_shlib_t;
  	')
  
 -	manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
++	read_lnk_files_pattern($1, lib_t, lib_t)
 +	manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
  ')
  
  ########################################
-@@ -440,9 +439,9 @@ interface(`libs_use_shared_libs',`
+@@ -440,9 +444,9 @@ interface(`libs_use_shared_libs',`
  	')
  
  	files_search_usr($1)
@@ -76357,7 +143202,7 @@ index 808ba93..4ff705d 100644
  	allow $1 textrel_shlib_t:file execmod;
  ')
  
-@@ -483,7 +482,7 @@ interface(`libs_relabel_shared_libs',`
+@@ -483,7 +487,7 @@ interface(`libs_relabel_shared_libs',`
  		type lib_t, textrel_shlib_t;
  	')
  
@@ -76366,7 +143211,7 @@ index 808ba93..4ff705d 100644
  ')
  
  ########################################
-@@ -534,3 +533,24 @@ interface(`lib_filetrans_shared_lib',`
+@@ -534,3 +538,26 @@ interface(`lib_filetrans_shared_lib',`
  interface(`files_lib_filetrans_shared_lib',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -76384,27 +143229,33 @@ index 808ba93..4ff705d 100644
 +interface(`libs_filetrans_named_content',`
 +	gen_require(`
 +		type ld_so_cache_t;
++		type ldconfig_cache_t;
 +	')
 +
++	files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index e5836d3..cc8dabb 100644
+index e5836d3..648d152 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
-@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
+@@ -59,9 +59,11 @@ optional_policy(`
  
+ allow ldconfig_t self:capability { dac_override sys_chroot };
+ 
++manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
  manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
++files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig")
  
 -allow ldconfig_t ld_so_cache_t:file manage_file_perms;
 +manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
  files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
  
  manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -75,10 +75,14 @@ kernel_read_system_state(ldconfig_t)
+@@ -75,10 +77,14 @@ kernel_read_system_state(ldconfig_t)
  
  fs_getattr_xattr_fs(ldconfig_t)
  
@@ -76419,7 +143270,7 @@ index e5836d3..cc8dabb 100644
  files_search_var_lib(ldconfig_t)
  files_read_etc_files(ldconfig_t)
  files_read_usr_files(ldconfig_t)
-@@ -94,7 +98,8 @@ miscfiles_read_localization(ldconfig_t)
+@@ -94,7 +100,8 @@ miscfiles_read_localization(ldconfig_t)
  
  logging_send_syslog_msg(ldconfig_t)
  
@@ -76429,7 +143280,7 @@ index e5836d3..cc8dabb 100644
  userdom_use_all_users_fds(ldconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -103,6 +108,12 @@ ifdef(`distro_ubuntu',`
+@@ -103,6 +110,12 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -76442,7 +143293,7 @@ index e5836d3..cc8dabb 100644
  ifdef(`hide_broken_symptoms',`
  	ifdef(`distro_gentoo',`
  		# leaked fds from portage
-@@ -114,6 +125,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -114,6 +127,9 @@ ifdef(`hide_broken_symptoms',`
  		')
  	')
  
@@ -76452,7 +143303,7 @@ index e5836d3..cc8dabb 100644
  	optional_policy(`
  		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
  	')
-@@ -131,6 +145,10 @@ optional_policy(`
+@@ -131,6 +147,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76463,7 +143314,7 @@ index e5836d3..cc8dabb 100644
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +159,3 @@ optional_policy(`
+@@ -141,6 +161,3 @@ optional_policy(`
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
  
@@ -76548,20 +143399,22 @@ index 0e3c2a9..40adf5a 100644
 +')
 +
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a0b379d..2291a13 100644
+index a0b379d..362176f 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
-@@ -17,6 +17,9 @@ type local_login_tmp_t;
- files_tmp_file(local_login_tmp_t)
- files_poly_parent(local_login_tmp_t)
+@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
+ type local_login_lock_t;
+ files_lock_file(local_login_lock_t)
  
+-type local_login_tmp_t;
+-files_tmp_file(local_login_tmp_t)
+-files_poly_parent(local_login_tmp_t)
 +type local_login_home_t;
 +userdom_user_home_content(local_login_home_t)
-+
+ 
  type sulogin_t;
  type sulogin_exec_t;
- domain_obj_id_change_exemption(sulogin_t)
-@@ -32,9 +35,8 @@ role system_r types sulogin_t;
+@@ -32,9 +31,8 @@ role system_r types sulogin_t;
  # Local login local policy
  #
  
@@ -76573,16 +143426,18 @@ index a0b379d..2291a13 100644
  allow local_login_t self:fd use;
  allow local_login_t self:fifo_file rw_fifo_file_perms;
  allow local_login_t self:sock_file read_sock_file_perms;
-@@ -51,6 +53,8 @@ allow local_login_t self:key { search write link };
+@@ -51,9 +49,7 @@ allow local_login_t self:key { search write link };
  allow local_login_t local_login_lock_t:file manage_file_perms;
  files_lock_filetrans(local_login_t, local_login_lock_t, file)
  
+-allow local_login_t local_login_tmp_t:dir manage_dir_perms;
+-allow local_login_t local_login_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
 +allow local_login_t local_login_home_t:file read_file_perms;
-+
- allow local_login_t local_login_tmp_t:dir manage_dir_perms;
- allow local_login_t local_login_tmp_t:file manage_file_perms;
- files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
-@@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
+ 
+ kernel_read_system_state(local_login_t)
+ kernel_read_kernel_sysctls(local_login_t)
+@@ -73,6 +69,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
  dev_setattr_power_mgmt_dev(local_login_t)
  dev_getattr_sound_dev(local_login_t)
  dev_setattr_sound_dev(local_login_t)
@@ -76591,8 +143446,12 @@ index a0b379d..2291a13 100644
  dev_dontaudit_getattr_apm_bios_dev(local_login_t)
  dev_dontaudit_setattr_apm_bios_dev(local_login_t)
  dev_dontaudit_read_framebuffer(local_login_t)
-@@ -123,8 +129,10 @@ auth_rw_faillog(local_login_t)
- auth_manage_pam_pid(local_login_t)
+@@ -120,11 +118,13 @@ term_setattr_unallocated_ttys(local_login_t)
+ 
+ auth_rw_login_records(local_login_t)
+ auth_rw_faillog(local_login_t)
+-auth_manage_pam_pid(local_login_t)
++#auth_manage_pam_pid(local_login_t)
  auth_manage_pam_console_data(local_login_t)
  auth_domtrans_pam_console(local_login_t)
 +auth_use_nsswitch(local_login_t)
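Review bot: The `#auth_manage_pam_pid(local_login_t)` line in locallogin.te is left behind as a commented-out rule with no reason given, so a later reader cannot tell whether the access was dropped on purpose or only parked while debugging. Either delete the line outright or replace it with a why-comment such as `# auth_manage_pam_pid removed: <reason>`. The same pattern appears in the logging.fc hunk further down, where `#/var/cfengine/outputs(/.*)?` is commented out rather than removed.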
@@ -76602,7 +143461,7 @@ index a0b379d..2291a13 100644
  
  miscfiles_read_localization(local_login_t)
  
-@@ -146,14 +154,12 @@ tunable_policy(`console_login',`
+@@ -146,14 +146,14 @@ tunable_policy(`console_login',`
  	term_relabel_console(local_login_t)
  ')
  
@@ -76611,6 +143470,8 @@ index a0b379d..2291a13 100644
 -	fs_read_nfs_symlinks(local_login_t)
 -')
 +userdom_home_reader(local_login_t)
++userdom_manage_tmp_files(local_login_t)
++userdom_tmp_filetrans_user_tmp(local_login_t, file)
  
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_read_cifs_files(local_login_t)
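Review bot: `userdom_tmp_filetrans_user_tmp(local_login_t, file)` covers only the `file` class, while the rule it replaces, `files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })` (removed in the earlier locallogin.te hunk), also covered directories. If the login domain ever creates a directory in the tmp directory, it no longer gets a type transition or a matching manage rule; if that case is real the class set should be `{ file dir }`, and if it is not, a one-line comment saying so would help. Dropping the private `local_login_tmp_t` also means files written by the login domain now carry what is, by its name, the general user tmp type. That removes a type boundary around a privileged domain and deserves a sentence of justification.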
@@ -76622,7 +143483,7 @@ index a0b379d..2291a13 100644
  ')
  
  optional_policy(`
-@@ -177,14 +183,6 @@ optional_policy(`
+@@ -177,14 +177,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76637,7 +143498,7 @@ index a0b379d..2291a13 100644
  	unconfined_shell_domtrans(local_login_t)
  ')
  
-@@ -215,6 +213,7 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,6 +207,7 @@ allow sulogin_t self:sem create_sem_perms;
  allow sulogin_t self:msgq create_msgq_perms;
  allow sulogin_t self:msg { send receive };
  
@@ -76645,7 +143506,7 @@ index a0b379d..2291a13 100644
  kernel_read_system_state(sulogin_t)
  
  fs_search_auto_mountpoints(sulogin_t)
-@@ -223,13 +222,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+@@ -223,13 +216,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
  files_read_etc_files(sulogin_t)
  # because file systems are not mounted:
  files_dontaudit_search_isid_type_dirs(sulogin_t)
@@ -76663,7 +143524,7 @@ index a0b379d..2291a13 100644
  seutil_read_config(sulogin_t)
  seutil_read_default_contexts(sulogin_t)
  
-@@ -238,14 +241,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -238,14 +235,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
  userdom_search_user_home_dirs(sulogin_t)
  userdom_use_user_ptys(sulogin_t)
  
@@ -76690,7 +143551,7 @@ index a0b379d..2291a13 100644
  	init_getpgid(sulogin_t)
  ', `
  	allow sulogin_t self:process setexec;
-@@ -256,11 +269,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +263,3 @@ ifdef(`sulogin_no_pam', `
  	selinux_compute_relabel_context(sulogin_t)
  	selinux_compute_user_contexts(sulogin_t)
  ')
@@ -76703,16 +143564,22 @@ index a0b379d..2291a13 100644
 -	nscd_socket_use(sulogin_t)
 -')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..dfd853e 100644
+index 02f4c97..54c74fe 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -17,12 +17,28 @@
+@@ -6,6 +6,8 @@
+ /etc/rc\.d/init\.d/auditd --	gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+ 
++/usr/lib/systemd/system/auditd.*	--	gen_context(system_u:object_r:auditd_unit_file_t,s0)
++
+ /sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
+ /sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
+@@ -17,12 +19,25 @@
  /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  
-+/lib/systemd/systemd-journald		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/lib/systemd/systemd-kmsg-syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
-+
 +/opt/zimbra/log(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +/opt/Symantec/scspagent/IDS/system(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 +
@@ -76736,7 +143603,12 @@ index 02f4c97..dfd853e 100644
  
  /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
  /var/lib/r?syslog(/.*)?		gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,7 +54,7 @@ ifdef(`distro_suse', `
+@@ -34,11 +49,11 @@ ifdef(`distro_suse', `
+ 
+ /var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+ /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+-/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
++#/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
  
  /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
  /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
@@ -76745,7 +143617,7 @@ index 02f4c97..dfd853e 100644
  /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/log/secure[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/log/cron[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-@@ -46,6 +62,7 @@ ifdef(`distro_suse', `
+@@ -46,6 +61,7 @@ ifdef(`distro_suse', `
  /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
  /var/log/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
@@ -76753,6 +143625,14 @@ index 02f4c97..dfd853e 100644
  
  ifndef(`distro_gentoo',`
  /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+@@ -54,6 +70,7 @@ ifndef(`distro_gentoo',`
+ ifdef(`distro_redhat',`
+ /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
+ /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
++/var/spool/postfix/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
+ ')
+ 
+ /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
 @@ -66,6 +83,7 @@ ifdef(`distro_redhat',`
  /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
  /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -76772,7 +143652,7 @@ index 02f4c97..dfd853e 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 831b909..118f708 100644
+index 831b909..b9cff6d 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -76984,8 +143864,11 @@ index 831b909..118f708 100644
  ##	Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -944,9 +1096,13 @@ interface(`logging_admin_audit',`
+@@ -942,11 +1094,16 @@ interface(`logging_admin_audit',`
+ 		type auditd_t, auditd_etc_t, auditd_log_t;
+ 		type auditd_var_run_t;
  		type auditd_initrc_exec_t;
++		type auditd_unit_file_t;
  	')
  
 -	allow $1 auditd_t:process { ptrace signal_perms };
@@ -76999,7 +143882,41 @@ index 831b909..118f708 100644
  	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
  	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
  
-@@ -990,10 +1146,15 @@ interface(`logging_admin_syslog',`
+@@ -962,6 +1119,33 @@ interface(`logging_admin_audit',`
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 auditd_initrc_exec_t system_r;
+ 	allow $2 system_r;
++
++	logging_systemctl_audit($1)
++	admin_pattern($1, auditd_unit_file_t)
++	allow $1 auditd_unit_file_t:service all_service_perms;
++')
++
++########################################
++## <summary>
++##	Execute auditd server in the auditd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`logging_systemctl_audit',`
++	gen_require(`
++		type auditd_t;
++		type auditd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 auditd_unit_file_t:file read_file_perms;
++	allow $1 auditd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, auditd_t)
+ ')
+ 
+ ########################################
+@@ -990,10 +1174,15 @@ interface(`logging_admin_syslog',`
  		type syslogd_initrc_exec_t;
  	')
  
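Review bot: The doc block of the new `logging_systemctl_audit` interface says "Execute auditd server in the auditd domain" and "Domain allowed to transition", but the body grants no domain transition: it calls `systemd_exec_systemctl($1)`, allows reading `auditd_unit_file_t` files and `manage_service_perms` on the unit, and adds `ps_process_pattern($1, auditd_t)`. The summary should read something like `Execute systemctl to manage the auditd unit`, with the parameter described as `Domain allowed access`. Because this interface decides who can control the audit service through systemd, an accurate summary matters to anyone reviewing which domains hold it. In `logging_admin_audit`, the added `allow $1 auditd_unit_file_t:service all_service_perms;` looks by name like a superset of what `logging_systemctl_audit($1)` already grants; a short comment would confirm that this is intended.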
@@ -77017,7 +143934,7 @@ index 831b909..118f708 100644
  
  	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
  	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1015,6 +1176,8 @@ interface(`logging_admin_syslog',`
+@@ -1015,6 +1204,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -77026,8 +143943,34 @@ index 831b909..118f708 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
+@@ -1043,3 +1234,25 @@ interface(`logging_admin',`
+ 	logging_admin_audit($1, $2)
+ 	logging_admin_syslog($1, $2)
+ ')
++
++########################################
++## <summary>
++##	Transition to logging named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`logging_filetrans_named_content',`
++	gen_require(`
++		type var_log_t;
++		type audit_spool_t;
++	')
++
++	files_var_filetrans($1, var_log_t, dir, "webmin")
++	files_spool_filetrans($1, var_log_t, dir, "rsyslog")
++	files_spool_filetrans($1, var_log_t, dir, "log")
++	files_spool_filetrans($1, audit_spool_t, dir, "audit")
++')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..709fc74 100644
+index b6ec597..dec9390 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -5,6 +5,20 @@ policy_module(logging, 1.17.2)
@@ -77059,7 +144002,17 @@ index b6ec597..709fc74 100644
  files_security_file(audit_spool_t)
  files_security_mountpoint(audit_spool_t)
  
-@@ -64,6 +79,7 @@ files_config_file(syslog_conf_t)
+@@ -33,6 +48,9 @@ init_script_file(auditd_initrc_exec_t)
+ type auditd_var_run_t;
+ files_pid_file(auditd_var_run_t)
+ 
++type auditd_unit_file_t;
++systemd_unit_file(auditd_unit_file_t)
++
+ type audisp_t;
+ type audisp_exec_t;
+ init_system_domain(audisp_t, audisp_exec_t)
+@@ -64,6 +82,7 @@ files_config_file(syslog_conf_t)
  type syslogd_t;
  type syslogd_exec_t;
  init_daemon_domain(syslogd_t, syslogd_exec_t)
@@ -77067,7 +144020,16 @@ index b6ec597..709fc74 100644
  
  type syslogd_initrc_exec_t;
  init_script_file(syslogd_initrc_exec_t)
-@@ -111,7 +127,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -94,6 +113,8 @@ ifdef(`enable_mls',`
+ allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+ 
++allow auditctl_t self:process getcap;
++
+ read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
+ allow auditctl_t auditd_etc_t:dir list_dir_perms;
+ 
+@@ -111,7 +132,7 @@ domain_use_interactive_fds(auditctl_t)
  
  mls_file_read_all_levels(auditctl_t)
  
@@ -77076,7 +144038,15 @@ index b6ec597..709fc74 100644
  
  init_dontaudit_use_fds(auditctl_t)
  
-@@ -183,16 +199,19 @@ logging_send_syslog_msg(auditd_t)
+@@ -148,6 +169,7 @@ kernel_read_kernel_sysctls(auditd_t)
+ # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
+ # Probably want a transition, and a new auditd_helper app
+ kernel_read_system_state(auditd_t)
++kernel_read_network_state(auditd_t)
+ 
+ dev_read_sysfs(auditd_t)
+ 
+@@ -183,16 +205,19 @@ logging_send_syslog_msg(auditd_t)
  logging_domtrans_dispatcher(auditd_t)
  logging_signal_dispatcher(auditd_t)
  
@@ -77097,7 +144067,7 @@ index b6ec597..709fc74 100644
  userdom_dontaudit_use_unpriv_user_fds(auditd_t)
  userdom_dontaudit_search_user_home_dirs(auditd_t)
  
-@@ -237,10 +256,17 @@ corecmd_exec_shell(audisp_t)
+@@ -237,10 +262,17 @@ corecmd_exec_shell(audisp_t)
  
  domain_use_interactive_fds(audisp_t)
  
@@ -77115,7 +144085,7 @@ index b6ec597..709fc74 100644
  
  logging_send_syslog_msg(audisp_t)
  
-@@ -250,6 +276,10 @@ sysnet_dns_name_resolve(audisp_t)
+@@ -250,6 +282,10 @@ sysnet_dns_name_resolve(audisp_t)
  
  optional_policy(`
  	dbus_system_bus_client(audisp_t)
@@ -77126,7 +144096,7 @@ index b6ec597..709fc74 100644
  ')
  
  ########################################
-@@ -280,11 +310,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,11 +316,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
  
  files_read_etc_files(audisp_remote_t)
  
@@ -77147,12 +144117,12 @@ index b6ec597..709fc74 100644
  sysnet_dns_name_resolve(audisp_remote_t)
  
  ########################################
-@@ -354,11 +393,12 @@ optional_policy(`
+@@ -354,11 +399,12 @@ optional_policy(`
  # chown fsetid for syslog-ng
  # sys_admin for the integrated klog of syslog-ng and metalog
  # cjp: why net_admin!
 -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
-+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
++allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
  dontaudit syslogd_t self:capability sys_tty_config;
 +allow syslogd_t self:capability2 syslog;
  # setpgid for metalog
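Review bot: `sys_ptrace` is added to the `syslogd_t` capability set without a why-comment, although the lines just above document the reason for `chown`, `fsetid` and `sys_admin` and even question `net_admin`. For a daemon that receives log messages from other processes, each extra capability should carry its justification; add a line such as `# sys_ptrace: <reason, e.g. which /proc access needs it>` above the rule. If the denial being fixed is only noise, a `dontaudit syslogd_t self:capability sys_ptrace;` in the style of the existing `sys_tty_config` line would be the narrower change.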
@@ -77162,7 +144132,7 @@ index b6ec597..709fc74 100644
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -376,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -376,6 +422,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
  # create/append log files.
  manage_files_pattern(syslogd_t, var_log_t, var_log_t)
  rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -77170,7 +144140,7 @@ index b6ec597..709fc74 100644
  
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
-@@ -385,9 +426,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -385,9 +432,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -77186,7 +144156,7 @@ index b6ec597..709fc74 100644
  # manage pid file
  manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
  files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -426,10 +473,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -426,10 +479,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -77214,7 +144184,7 @@ index b6ec597..709fc74 100644
  
  files_read_etc_files(syslogd_t)
  files_read_usr_files(syslogd_t)
-@@ -447,7 +511,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
+@@ -447,7 +517,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
  term_write_console(syslogd_t)
  # Allow syslog to a terminal
  term_write_unallocated_ttys(syslogd_t)
@@ -77224,7 +144194,7 @@ index b6ec597..709fc74 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -459,6 +525,7 @@ init_use_fds(syslogd_t)
+@@ -459,6 +531,7 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -77232,7 +144202,12 @@ index b6ec597..709fc74 100644
  
  miscfiles_read_localization(syslogd_t)
  
-@@ -496,11 +563,20 @@ optional_policy(`
+@@ -492,15 +565,29 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	mysql_read_config(syslogd_t)
+ 	mysql_stream_connect(syslogd_t)
  ')
  
  optional_policy(`
@@ -77240,6 +144215,10 @@ index b6ec597..709fc74 100644
 +')
 +
 +optional_policy(`
++	postfix_search_spool(syslogd_t)
++')
++
++optional_policy(`
  	postgresql_stream_connect(syslogd_t)
  ')
  
@@ -77254,15 +144233,14 @@ index b6ec597..709fc74 100644
  
  optional_policy(`
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..1121047 100644
+index 879bb1e..101d1c0 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
-@@ -28,20 +28,24 @@ ifdef(`distro_gentoo',`
+@@ -28,23 +28,27 @@ ifdef(`distro_gentoo',`
  #
  /lib/lvm-10/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /lib/lvm-200/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/lib/udev/udisks-lvm-pv-export	--	gen_context(system_u:object_r:lvm_exec_t,s0)
-+/lib/systemd/systemd-cryptsetup --	gen_context(system_u:object_r:lvm_exec_t,s0)
  
  #
  # /sbin
@@ -77283,7 +144261,11 @@ index 879bb1e..1121047 100644
  /sbin/lvm\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmdiskscan	--	gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +92,66 @@ ifdef(`distro_gentoo',`
++/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmiopversion	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -88,8 +92,67 @@ ifdef(`distro_gentoo',`
  #
  # /usr
  #
@@ -77304,6 +144286,7 @@ index 879bb1e..1121047 100644
 +/usr/sbin/lvm\.static		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmdiskscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmiopversion		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -77352,7 +144335,7 @@ index 879bb1e..1121047 100644
  
  #
  # /var
-@@ -97,5 +159,7 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +160,7 @@ ifdef(`distro_gentoo',`
  /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
  /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
  /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -77700,7 +144683,7 @@ index 172287e..88fc786 100644
  /usr/local/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
  /usr/local/share/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index 926ba65..b2d74f7 100644
+index 926ba65..b2a1675 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
 @@ -582,6 +582,26 @@ interface(`miscfiles_manage_man_pages',`
@@ -77738,7 +144721,7 @@ index 926ba65..b2d74f7 100644
  ')
  
  ########################################
-@@ -769,3 +788,42 @@ interface(`miscfiles_manage_localization',`
+@@ -769,3 +788,43 @@ interface(`miscfiles_manage_localization',`
  	manage_lnk_files_pattern($1, locale_t, locale_t)
  ')
  
@@ -77766,6 +144749,7 @@ index 926ba65..b2d74f7 100644
 +
 +	files_etc_filetrans($1, locale_t, file, "localtime")
 +	files_etc_filetrans($1, locale_t, file, "locale.conf")
++	files_etc_filetrans($1, locale_t, file, "locale.conf.new")
 +	files_var_filetrans($1, man_t, dir, "man")
 +	files_etc_filetrans($1, locale_t, file, "timezone")
 +	files_etc_filetrans($1, locale_t, file, "clock")
@@ -77794,21 +144778,22 @@ index 703944c..1d3a6a9 100644
  
  #
 diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
-index 532181a..68931fb 100644
+index 532181a..3457437 100644
 --- a/policy/modules/system/modutils.fc
 +++ b/policy/modules/system/modutils.fc
-@@ -10,10 +10,8 @@ ifdef(`distro_gentoo',`
+@@ -9,11 +9,7 @@ ifdef(`distro_gentoo',`
+ /etc/modprobe.devfs.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
  ')
  
- /lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+-/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
 -/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
- 
+-
  /lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
 -/lib64/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
  
  /sbin/depmod.*		--	gen_context(system_u:object_r:depmod_exec_t,s0)
  /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-@@ -22,3 +20,16 @@ ifdef(`distro_gentoo',`
+@@ -22,3 +18,15 @@ ifdef(`distro_gentoo',`
  /sbin/modules-update	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
  /sbin/rmmod.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
  /sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
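Review bot: This hunk now removes the `/lib/modules/[^/]+/modules\..+` entry for `modules_dep_t`, and the next hunk drops the `/usr/lib/modules/[^/]+/modules\..+` entry that had replaced it, so modutils.fc as shown no longer assigns `modules_dep_t` to any path. modutils.if and modutils.te in this same patch still create files of that type through type transitions, so a relabel would presumably move those files to whatever generic entry matches the modules directory. If the entries were moved to another module's .fc file, say so in the changelog; otherwise keep one entry, e.g. `/usr/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)`.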
@@ -77823,7 +144808,6 @@ index 532181a..68931fb 100644
 +/usr/sbin/rmmod.*	--	gen_context(system_u:object_r:insmod_exec_t,s0)
 +/usr/sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
 +
-+/usr/lib/modules/[^/]+/modules\..+ -- 	gen_context(system_u:object_r:modules_dep_t,s0)
 +/usr/lib/modules/modprobe\.conf -- 	gen_context(system_u:object_r:modules_conf_t,s0)
 diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
 index 9c0faab..91360ac 100644
@@ -77925,7 +144909,7 @@ index 9c0faab..91360ac 100644
 +	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
 +')
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index a0eef20..6b39756 100644
+index a0eef20..ff9ad67 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
 @@ -1,9 +1,5 @@
@@ -78029,7 +145013,7 @@ index a0eef20..6b39756 100644
  
  # Read module config and dependency information
  list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-@@ -118,6 +119,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+@@ -118,7 +119,11 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
  
  can_exec(insmod_t, insmod_exec_t)
  
@@ -78037,9 +145021,11 @@ index a0eef20..6b39756 100644
 +fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
 +
  kernel_load_module(insmod_t)
++files_manage_kernel_modules(insmod_t)
  kernel_request_load_module(insmod_t)
  kernel_read_system_state(insmod_t)
-@@ -126,6 +130,7 @@ kernel_write_proc_files(insmod_t)
+ kernel_read_network_state(insmod_t)
+@@ -126,6 +131,7 @@ kernel_write_proc_files(insmod_t)
  kernel_mount_debugfs(insmod_t)
  kernel_mount_kvmfs(insmod_t)
  kernel_read_debugfs(insmod_t)
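Review bot: `files_manage_kernel_modules(insmod_t)` gives the module-loading domain manage access to kernel module files with no comment on which operation needs it. A later hunk in this file already adds the narrower `allow insmod_t modules_dep_t:file manage_file_perms;`, and `files_write_kernel_modules(insmod_t)` is already present (annotated `for locking: (cjp: ????)`). If the goal is only to let insmod_t maintain the dependency files, the narrow rule may be enough and the broad one could be dropped; otherwise add a why-comment such as `# <tool/operation> creates files under the modules directory`. Letting the domain that loads modules also create and replace them removes the separation between writing and loading kernel code, so it deserves an explicit reason.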
@@ -78047,7 +145033,7 @@ index a0eef20..6b39756 100644
  # Rules for /proc/sys/kernel/tainted
  kernel_read_kernel_sysctls(insmod_t)
  kernel_rw_kernel_sysctl(insmod_t)
-@@ -143,6 +148,7 @@ dev_rw_agp(insmod_t)
+@@ -143,6 +149,7 @@ dev_rw_agp(insmod_t)
  dev_read_sound(insmod_t)
  dev_write_sound(insmod_t)
  dev_rw_apm_bios(insmod_t)
@@ -78055,7 +145041,19 @@ index a0eef20..6b39756 100644
  
  domain_signal_all_domains(insmod_t)
  domain_use_interactive_fds(insmod_t)
-@@ -161,11 +167,18 @@ files_write_kernel_modules(insmod_t)
+@@ -152,20 +159,30 @@ files_read_etc_runtime_files(insmod_t)
+ files_read_etc_files(insmod_t)
+ files_read_usr_files(insmod_t)
+ files_exec_etc_files(insmod_t)
++files_read_kernel_symbol_table(insmod_t)
+ # for nscd:
+ files_dontaudit_search_pids(insmod_t)
+ # for when /var is not mounted early in the boot:
+ files_dontaudit_search_isid_type_dirs(insmod_t)
+ # for locking: (cjp: ????)
+ files_write_kernel_modules(insmod_t)
++allow insmod_t modules_dep_t:file manage_file_perms;
++files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
  
  fs_getattr_xattr_fs(insmod_t)
  fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
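Review bot: `files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)` names `depmod_t` but sits in the middle of the `insmod_t` rules, directly after `allow insmod_t modules_dep_t:file manage_file_perms;`. As far as this hunk shows, insmod_t may manage `modules_dep_t` files but gets no type transition, so files it creates in the modules directory would not be labelled `modules_dep_t`. If insmod_t was meant, the line should be `files_kernel_modules_filetrans(insmod_t, modules_dep_t, file)`. If depmod_t was meant, move the line to the depmod rules (not visible in this hunk) so it is found where readers look for it.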
@@ -78074,7 +145072,7 @@ index a0eef20..6b39756 100644
  
  logging_send_syslog_msg(insmod_t)
  logging_search_logs(insmod_t)
-@@ -174,41 +187,38 @@ miscfiles_read_localization(insmod_t)
+@@ -174,41 +191,38 @@ miscfiles_read_localization(insmod_t)
  
  seutil_read_file_contexts(insmod_t)
  
@@ -78125,7 +145123,15 @@ index a0eef20..6b39756 100644
  ')
  
  optional_policy(`
-@@ -236,6 +246,10 @@ optional_policy(`
+@@ -228,6 +242,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	rpm_rw_pipes(insmod_t)
++	rpm_manage_script_tmp_files(insmod_t)
+ ')
+ 
+ optional_policy(`
+@@ -236,6 +251,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78136,7 +145142,7 @@ index a0eef20..6b39756 100644
  	# cjp: why is this needed:
  	dev_rw_xserver_misc(insmod_t)
  
-@@ -296,7 +310,7 @@ logging_send_syslog_msg(update_modules_t)
+@@ -296,7 +315,7 @@ logging_send_syslog_msg(update_modules_t)
  
  miscfiles_read_localization(update_modules_t)
  
@@ -79368,7 +146374,7 @@ index 170e2c7..6c56785 100644
 +	auth_relabelto_shadow($1)
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..a5062f7 100644
+index 7ed9819..c0109fd 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,6 +11,7 @@ gen_require(`
@@ -79413,11 +146419,12 @@ index 7ed9819..a5062f7 100644
  
  type restorecond_var_run_t;
  files_pid_file(restorecond_var_run_t)
-@@ -88,26 +96,36 @@ role system_r types run_init_t;
+@@ -88,26 +96,37 @@ role system_r types run_init_t;
  type semanage_t;
  type semanage_exec_t;
  application_domain(semanage_t, semanage_exec_t)
 +dbus_system_domain(semanage_t, semanage_exec_t)
++init_daemon_domain(semanage_t, semanage_exec_t)
  domain_interactive_fd(semanage_t)
  role system_r types semanage_t;
  
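Review bot: `init_daemon_domain(semanage_t, semanage_exec_t)` is added next to the existing `application_domain` and `dbus_system_domain` declarations for the same type pair, with no comment saying which service needs init to start this domain. Going by its name, semanage_t is the policy-management domain, so every additional entry path into it should be documented. Add a why-comment such as `# started by init as <service>` above the line, or drop the declaration if the D-Bus activation path already covers the use case.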
@@ -79452,7 +146459,7 @@ index 7ed9819..a5062f7 100644
  ########################################
  #
  # Checkpolicy local policy
-@@ -139,7 +157,7 @@ term_use_console(checkpolicy_t)
+@@ -139,7 +158,7 @@ term_use_console(checkpolicy_t)
  init_use_fds(checkpolicy_t)
  init_use_script_ptys(checkpolicy_t)
  
@@ -79461,7 +146468,7 @@ index 7ed9819..a5062f7 100644
  userdom_use_all_users_fds(checkpolicy_t)
  
  ifdef(`distro_ubuntu',`
-@@ -176,13 +194,15 @@ term_list_ptys(load_policy_t)
+@@ -176,13 +195,15 @@ term_list_ptys(load_policy_t)
  
  init_use_script_fds(load_policy_t)
  init_use_script_ptys(load_policy_t)
@@ -79478,7 +146485,7 @@ index 7ed9819..a5062f7 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -204,7 +224,7 @@ ifdef(`hide_broken_symptoms',`
+@@ -204,7 +225,7 @@ ifdef(`hide_broken_symptoms',`
  # Newrole local policy
  #
  
@@ -79487,7 +146494,7 @@ index 7ed9819..a5062f7 100644
  allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
  allow newrole_t self:process setexec;
  allow newrole_t self:fd use;
-@@ -216,7 +236,7 @@ allow newrole_t self:msgq create_msgq_perms;
+@@ -216,7 +237,7 @@ allow newrole_t self:msgq create_msgq_perms;
  allow newrole_t self:msg { send receive };
  allow newrole_t self:unix_dgram_socket sendto;
  allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -79496,7 +146503,7 @@ index 7ed9819..a5062f7 100644
  
  read_files_pattern(newrole_t, default_context_t, default_context_t)
  read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -233,6 +253,7 @@ domain_use_interactive_fds(newrole_t)
+@@ -233,6 +254,7 @@ domain_use_interactive_fds(newrole_t)
  # for when the user types "exec newrole" at the command line:
  domain_sigchld_interactive_fds(newrole_t)
  
@@ -79504,7 +146511,7 @@ index 7ed9819..a5062f7 100644
  files_read_etc_files(newrole_t)
  files_read_var_files(newrole_t)
  files_read_var_symlinks(newrole_t)
-@@ -260,25 +281,30 @@ term_relabel_all_ptys(newrole_t)
+@@ -260,25 +282,30 @@ term_relabel_all_ptys(newrole_t)
  term_getattr_unallocated_ttys(newrole_t)
  term_dontaudit_use_unallocated_ttys(newrole_t)
  
@@ -79541,7 +146548,7 @@ index 7ed9819..a5062f7 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(newrole_t)
-@@ -312,6 +338,10 @@ kernel_use_fds(restorecond_t)
+@@ -312,9 +339,13 @@ kernel_use_fds(restorecond_t)
  kernel_rw_pipes(restorecond_t)
  kernel_read_system_state(restorecond_t)
  
@@ -79551,8 +146558,12 @@ index 7ed9819..a5062f7 100644
 +
  fs_relabelfrom_noxattr_fs(restorecond_t)
  fs_dontaudit_list_nfs(restorecond_t)
- fs_getattr_xattr_fs(restorecond_t)
-@@ -323,8 +353,8 @@ selinux_compute_create_context(restorecond_t)
+-fs_getattr_xattr_fs(restorecond_t)
++fs_getattr_all_fs(restorecond_t)
+ fs_list_inotifyfs(restorecond_t)
+ 
+ selinux_validate_context(restorecond_t)
+@@ -323,8 +354,8 @@ selinux_compute_create_context(restorecond_t)
  selinux_compute_relabel_context(restorecond_t)
  selinux_compute_user_contexts(restorecond_t)
  
@@ -79563,7 +146574,7 @@ index 7ed9819..a5062f7 100644
  auth_use_nsswitch(restorecond_t)
  
  locallogin_dontaudit_use_fds(restorecond_t)
-@@ -335,6 +365,8 @@ miscfiles_read_localization(restorecond_t)
+@@ -335,6 +366,8 @@ miscfiles_read_localization(restorecond_t)
  
  seutil_libselinux_linked(restorecond_t)
  
@@ -79572,7 +146583,7 @@ index 7ed9819..a5062f7 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(restorecond_t)
-@@ -353,16 +385,19 @@ optional_policy(`
+@@ -353,16 +386,19 @@ optional_policy(`
  allow run_init_t self:process setexec;
  allow run_init_t self:capability setuid;
  allow run_init_t self:fifo_file rw_file_perms;
@@ -79593,7 +146604,7 @@ index 7ed9819..a5062f7 100644
  dev_dontaudit_list_all_dev_nodes(run_init_t)
  
  domain_use_interactive_fds(run_init_t)
-@@ -380,6 +415,8 @@ selinux_compute_create_context(run_init_t)
+@@ -380,6 +416,8 @@ selinux_compute_create_context(run_init_t)
  selinux_compute_relabel_context(run_init_t)
  selinux_compute_user_contexts(run_init_t)
  
@@ -79602,7 +146613,7 @@ index 7ed9819..a5062f7 100644
  auth_use_nsswitch(run_init_t)
  auth_domtrans_chk_passwd(run_init_t)
  auth_domtrans_upd_passwd(run_init_t)
-@@ -388,6 +425,7 @@ auth_dontaudit_read_shadow(run_init_t)
+@@ -388,6 +426,7 @@ auth_dontaudit_read_shadow(run_init_t)
  init_spec_domtrans_script(run_init_t)
  # for utmp
  init_rw_utmp(run_init_t)
@@ -79610,7 +146621,7 @@ index 7ed9819..a5062f7 100644
  
  logging_send_syslog_msg(run_init_t)
  
-@@ -396,7 +434,7 @@ miscfiles_read_localization(run_init_t)
+@@ -396,7 +435,7 @@ miscfiles_read_localization(run_init_t)
  seutil_libselinux_linked(run_init_t)
  seutil_read_default_contexts(run_init_t)
  
@@ -79619,7 +146630,7 @@ index 7ed9819..a5062f7 100644
  
  ifndef(`direct_sysadm_daemon',`
  	ifdef(`distro_gentoo',`
-@@ -405,6 +443,19 @@ ifndef(`direct_sysadm_daemon',`
+@@ -405,6 +444,19 @@ ifndef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -79639,7 +146650,7 @@ index 7ed9819..a5062f7 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -420,67 +471,29 @@ optional_policy(`
+@@ -420,185 +472,203 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -79656,22 +146667,22 @@ index 7ed9819..a5062f7 100644
 -
 -kernel_read_system_state(semanage_t)
 -kernel_read_kernel_sysctls(semanage_t)
--
++seutil_semanage_policy(semanage_t)
++allow semanage_t self:fifo_file rw_fifo_file_perms;
+ 
 -corecmd_exec_bin(semanage_t)
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
+ 
 -dev_read_urand(semanage_t)
 -
 -domain_use_interactive_fds(semanage_t)
-+seutil_semanage_policy(semanage_t)
-+allow semanage_t self:fifo_file rw_fifo_file_perms;
- 
+-
 -files_read_etc_files(semanage_t)
 -files_read_etc_runtime_files(semanage_t)
 -files_read_usr_files(semanage_t)
 -files_list_pids(semanage_t)
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
-+manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
- 
+-
 -mls_file_write_all_levels(semanage_t)
 -mls_file_read_all_levels(semanage_t)
 -
@@ -79688,13 +146699,13 @@ index 7ed9819..a5062f7 100644
 -auth_use_nsswitch(semanage_t)
 -
 -locallogin_use_fds(semanage_t)
--
--logging_send_syslog_msg(semanage_t)
--
--miscfiles_read_localization(semanage_t)
 +# Admins are creating pp files in random locations
 +files_read_non_security_files(semanage_t)
  
+-logging_send_syslog_msg(semanage_t)
+-
+-miscfiles_read_localization(semanage_t)
+-
 -seutil_libselinux_linked(semanage_t)
  seutil_manage_file_contexts(semanage_t)
  seutil_manage_config(semanage_t)
@@ -79716,27 +146727,34 @@ index 7ed9819..a5062f7 100644
  
  ifdef(`distro_debian',`
  	files_read_var_lib_files(semanage_t)
-@@ -493,112 +506,159 @@ ifdef(`distro_ubuntu',`
- 	')
+ 	files_read_var_lib_symlinks(semanage_t)
+ ')
+ 
+-ifdef(`distro_ubuntu',`
+-	optional_policy(`
+-		unconfined_domain(semanage_t)
+-	')
++optional_policy(`
++	mock_manage_lib_files(semanage_t)
++	mock_manage_lib_dirs(semanage_t)
  ')
  
 -########################################
-+####################################n####
- #
+-#
 -# Setfiles local policy
-+# setsebool local policy
- #
-+seutil_semanage_policy(setsebool_t)
-+selinux_set_all_booleans(setsebool_t)
- 
+-#
+-
 -allow setfiles_t self:capability { dac_override dac_read_search fowner };
 -dontaudit setfiles_t self:capability sys_tty_config;
 -allow setfiles_t self:fifo_file rw_file_perms;
--
++optional_policy(`
++	unconfined_domain(semanage_t)
++')
+ 
 -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
 -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
 -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
--
+ 
 -kernel_read_system_state(setfiles_t)
 -kernel_relabelfrom_unlabeled_dirs(setfiles_t)
 -kernel_relabelfrom_unlabeled_files(setfiles_t)
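Review bot: `unconfined_domain(semanage_t)` now sits in a bare `optional_policy` at the end of the semanage section, where the previous revision of the patch left it inside the distro_ubuntu ifdef, so semanage_t becomes unconfined on every build that ships the unconfined module. That removes confinement from a domain that manages policy configuration and file contexts, and the specific semanage_t rules kept above it would largely be subsumed. If this is a deliberate stop-gap, say so at the call site, for example `# FIXME: semanage_t is unconfined on all distros; narrow once the missing rules are known`, or keep the distro guard. The semanage section starts in an earlier hunk.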
@@ -79748,18 +146766,24 @@ index 7ed9819..a5062f7 100644
 -kernel_rw_unix_dgram_sockets(setfiles_t)
 -kernel_dontaudit_list_all_proc(setfiles_t)
 -kernel_dontaudit_list_all_sysctls(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
++####################################n####
++#
++# setsebool local policy
++#
++seutil_semanage_policy(setsebool_t)
++selinux_set_all_booleans(setsebool_t)
  
 -dev_relabel_all_dev_nodes(setfiles_t)
++init_dontaudit_use_fds(setsebool_t)
+ 
+-domain_use_interactive_fds(setfiles_t)
+-domain_dontaudit_search_all_domains_state(setfiles_t)
 +# Bug in semanage
 +seutil_domtrans_setfiles(setsebool_t)
 +seutil_manage_file_contexts(setsebool_t)
 +seutil_manage_default_contexts(setsebool_t)
 +seutil_manage_config(setsebool_t)
  
--domain_use_interactive_fds(setfiles_t)
--domain_dontaudit_search_all_domains_state(setfiles_t)
--
 -files_read_etc_runtime_files(setfiles_t)
 -files_read_etc_files(setfiles_t)
 -files_list_all(setfiles_t)
@@ -79824,19 +146848,22 @@ index 7ed9819..a5062f7 100644
 +')
  
 -logging_send_syslog_msg(setfiles_t)
++optional_policy(`
++	xserver_append_xdm_tmp_files(setfiles_t)
++')
+ 
+-miscfiles_read_localization(setfiles_t)
 +ifdef(`hide_broken_symptoms',`
 +	optional_policy(`
 +		hal_dontaudit_leaks(setfiles_t)
 +	')
  
--miscfiles_read_localization(setfiles_t)
+-seutil_libselinux_linked(setfiles_t)
 +	optional_policy(`
 +		setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
 +		setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
 +	')
 +')
- 
--seutil_libselinux_linked(setfiles_t)
 +ifdef(`distro_ubuntu',`
 +  	optional_policy(`
 +		unconfined_domain(setfiles_t)
@@ -79855,6 +146882,8 @@ index 7ed9819..a5062f7 100644
 +dontaudit setfiles_domain self:file relabelfrom;
 +dontaudit setfiles_domain self:lnk_file relabelfrom;
 +
++domain_relabelfrom(setfiles_domain)
++
 +allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
 +allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
 +allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
@@ -79921,16 +146950,16 @@ index 7ed9819..a5062f7 100644
  	# and then relabeled afterwards; thus
  	# /dev/console has the tmpfs type
 -	fs_rw_tmpfs_chr_files(setfiles_t)
-+	fs_rw_tmpfs_chr_files(setfiles_domain)
- ')
- 
+-')
+-
 -ifdef(`distro_redhat', `
 -	fs_rw_tmpfs_chr_files(setfiles_t)
 -	fs_rw_tmpfs_blk_files(setfiles_t)
 -	fs_relabel_tmpfs_blk_file(setfiles_t)
 -	fs_relabel_tmpfs_chr_file(setfiles_t)
--')
--
++	fs_rw_tmpfs_chr_files(setfiles_domain)
+ ')
+ 
 -ifdef(`distro_ubuntu',`
 -	optional_policy(`
 -		unconfined_domain(setfiles_t)
@@ -80028,7 +147057,7 @@ index 694fd94..ff9af99 100644
 +
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index ff80d0a..22c9f0d 100644
+index ff80d0a..b8c1b90 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -49,10 +49,6 @@ interface(`sysnet_run_dhcpc',`
@@ -80181,10 +147210,30 @@ index ff80d0a..22c9f0d 100644
  	allow $1 dhcpc_var_run_t:file unlink;
  ')
  
-@@ -554,6 +645,25 @@ interface(`sysnet_signal_ifconfig',`
+@@ -554,6 +645,45 @@ interface(`sysnet_signal_ifconfig',`
  
  ########################################
  ## <summary>
++##	Send a null signal to ifconfig.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.pwd
++
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`sysnet_signull_ifconfig',`
++	gen_require(`
++		type ifconfig_t;
++	')
++
++	allow $1 ifconfig_t:process signull;
++')
++
++########################################
++## <summary>
 +##	Send a kill signal to iconfig.
 +## </summary>
 +## <param name="domain">
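Review bot: The `<param>` description of the new `sysnet_signull_ifconfig` interface reads `Domain allowed access.pwd` and is followed by an empty line without the `##` prefix, which looks like a stray shell command typed into the file and splits the doc block. The two lines should be the single line `##	Domain allowed access.`, as in the other interfaces. The summary of the following interface also misspells ifconfig as `iconfig`; that interface continues outside the hunk.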
@@ -80207,7 +147256,7 @@ index ff80d0a..22c9f0d 100644
  ##	Read the DHCP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -661,6 +771,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -661,6 +791,8 @@ interface(`sysnet_dns_name_resolve',`
  	corenet_tcp_connect_dns_port($1)
  	corenet_sendrecv_dns_client_packets($1)
  
@@ -80216,7 +147265,7 @@ index ff80d0a..22c9f0d 100644
  	sysnet_read_config($1)
  
  	optional_policy(`
-@@ -698,6 +810,9 @@ interface(`sysnet_use_ldap',`
+@@ -698,6 +830,9 @@ interface(`sysnet_use_ldap',`
  	corenet_sendrecv_ldap_client_packets($1)
  
  	sysnet_read_config($1)
@@ -80226,7 +147275,7 @@ index ff80d0a..22c9f0d 100644
  ')
  
  ########################################
-@@ -731,3 +846,73 @@ interface(`sysnet_use_portmap',`
+@@ -731,3 +866,73 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -80301,7 +147350,7 @@ index ff80d0a..22c9f0d 100644
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..9291d3a 100644
+index 34d0ec5..92fa1e9 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -80328,7 +147377,7 @@ index 34d0ec5..9291d3a 100644
  type dhcpc_state_t;
  files_type(dhcpc_state_t)
  
-@@ -34,18 +44,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
+@@ -34,17 +44,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
  role system_r types ifconfig_t;
  
  type net_conf_t alias resolv_conf_t;
@@ -80345,12 +147394,11 @@ index 34d0ec5..9291d3a 100644
  # for access("/etc/bashrc", X_OK) on Red Hat
  dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
--
-+allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms };
++allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms };
+ 
  allow dhcpc_t self:fifo_file rw_fifo_file_perms;
  allow dhcpc_t self:tcp_socket create_stream_socket_perms;
- allow dhcpc_t self:udp_socket create_socket_perms;
-@@ -57,8 +66,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -57,8 +67,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
  exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
  
  allow dhcpc_t dhcp_state_t:file read_file_perms;
@@ -80362,7 +147410,7 @@ index 34d0ec5..9291d3a 100644
  
  # create pid file
  manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -66,6 +78,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
+@@ -66,6 +79,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
  
  # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
  # in /etc created by dhcpcd will be labelled net_conf_t.
@@ -80371,7 +147419,7 @@ index 34d0ec5..9291d3a 100644
  sysnet_manage_config(dhcpc_t)
  files_etc_filetrans(dhcpc_t, net_conf_t, file)
  
-@@ -91,25 +105,28 @@ corecmd_exec_shell(dhcpc_t)
+@@ -91,25 +106,28 @@ corecmd_exec_shell(dhcpc_t)
  
  corenet_all_recvfrom_unlabeled(dhcpc_t)
  corenet_all_recvfrom_netlabel(dhcpc_t)
@@ -80408,7 +147456,7 @@ index 34d0ec5..9291d3a 100644
  domain_use_interactive_fds(dhcpc_t)
  domain_dontaudit_read_all_domains_state(dhcpc_t)
  
-@@ -129,14 +146,17 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -129,14 +147,17 @@ term_dontaudit_use_all_ptys(dhcpc_t)
  term_dontaudit_use_unallocated_ttys(dhcpc_t)
  term_dontaudit_use_generic_ptys(dhcpc_t)
  
@@ -80428,7 +147476,7 @@ index 34d0ec5..9291d3a 100644
  userdom_use_user_terminals(dhcpc_t)
  userdom_dontaudit_search_user_home_dirs(dhcpc_t)
  
-@@ -151,7 +171,18 @@ ifdef(`distro_ubuntu',`
+@@ -151,7 +172,18 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -80448,7 +147496,7 @@ index 34d0ec5..9291d3a 100644
  ')
  
  optional_policy(`
-@@ -171,6 +202,8 @@ optional_policy(`
+@@ -171,6 +203,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -80457,7 +147505,7 @@ index 34d0ec5..9291d3a 100644
  ')
  
  optional_policy(`
-@@ -192,17 +225,31 @@ optional_policy(`
+@@ -192,17 +226,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80489,7 +147537,7 @@ index 34d0ec5..9291d3a 100644
  ')
  
  optional_policy(`
-@@ -213,6 +260,11 @@ optional_policy(`
+@@ -213,6 +261,11 @@ optional_policy(`
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -80501,7 +147549,7 @@ index 34d0ec5..9291d3a 100644
  ')
  
  optional_policy(`
-@@ -255,6 +307,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +308,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
@@ -80509,7 +147557,12 @@ index 34d0ec5..9291d3a 100644
  # for /sbin/ip
  allow ifconfig_t self:packet_socket create_socket_perms;
  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +329,12 @@ dev_read_urand(ifconfig_t)
+@@ -273,11 +327,17 @@ corenet_rw_tun_tap_dev(ifconfig_t)
+ dev_read_sysfs(ifconfig_t)
+ # for IPSEC setup:
+ dev_read_urand(ifconfig_t)
++# needed by tuned
++dev_rw_netcontrol(ifconfig_t)
  
  domain_use_interactive_fds(ifconfig_t)
  
@@ -80522,7 +147575,7 @@ index 34d0ec5..9291d3a 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -290,7 +347,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -290,7 +350,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
  term_dontaudit_use_ptmx(ifconfig_t)
  term_dontaudit_use_generic_ptys(ifconfig_t)
  
@@ -80531,7 +147584,7 @@ index 34d0ec5..9291d3a 100644
  
  init_use_fds(ifconfig_t)
  init_use_script_ptys(ifconfig_t)
-@@ -301,11 +358,11 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +361,11 @@ logging_send_syslog_msg(ifconfig_t)
  
  miscfiles_read_localization(ifconfig_t)
  
@@ -80546,7 +147599,7 @@ index 34d0ec5..9291d3a 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -314,7 +371,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +374,22 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -80555,6 +147608,10 @@ index 34d0ec5..9291d3a 100644
 +')
 +
 +optional_policy(`
++	cfengine_dontaudit_write_log(ifconfig_t)
++')
++
++optional_policy(`
 +	ctdbd_read_lib_files(ifconfig_t)
 +')
 +
@@ -80565,7 +147622,7 @@ index 34d0ec5..9291d3a 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -325,8 +393,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +400,14 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -80580,7 +147637,7 @@ index 34d0ec5..9291d3a 100644
  ')
  
  optional_policy(`
-@@ -335,7 +409,15 @@ optional_policy(`
+@@ -335,7 +416,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80597,7 +147654,7 @@ index 34d0ec5..9291d3a 100644
  ')
  
  optional_policy(`
-@@ -356,3 +438,9 @@ optional_policy(`
+@@ -356,3 +445,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -80609,10 +147666,10 @@ index 34d0ec5..9291d3a 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..0d3e625
+index 0000000..161f271
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,28 @@
+@@ -0,0 +1,23 @@
 +/bin/systemd-notify				--		gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 +/bin/systemctl					--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
 +/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@@ -80624,17 +147681,12 @@ index 0000000..0d3e625
 +/usr/bin/systemd-tmpfiles			--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +/usr/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 +
-+
-+/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
-+/lib/systemd/systemd-logind	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
-+/lib/systemd/systemd-logger	--	gen_context(system_u:object_r:systemd_logger_exec_t,s0)
-+/lib/systemd/systemd-tmpfiles				--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
-+
 +/usr/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
 +/usr/lib/systemd/systemd-logind	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
 +/usr/lib/systemd/systemd-logger	--	gen_context(system_u:object_r:systemd_logger_exec_t,s0)
-+/usr/lib/systemd/systemd-tmpfiles				--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++/usr/lib/systemd/systemd-tmpfiles --	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +
++/var/run/nologin		gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 +/var/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 +/var/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
 +/var/run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
@@ -80643,10 +147695,10 @@ index 0000000..0d3e625
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..a142bb1
+index 0000000..0898030
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,567 @@
+@@ -0,0 +1,696 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -80700,6 +147752,7 @@ index 0000000..a142bb1
 +	init_list_pid_dirs($1)
 +	init_read_state($1)
 +	init_stream_send($1)
++	init_stream_connect($1)
 +
 +	systemd_login_list_pid_dirs($1)
 +	systemd_login_read_pid_files($1)
@@ -80762,6 +147815,25 @@ index 0000000..a142bb1
 +	allow $1 systemd_unit_file_type:dir list_dir_perms;
 +')
 +
++#####################################
++## <summary>
++##      Allow domain to getattr all systemd unit files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`systemd_getattr_unit_files',`
++        gen_require(`
++                attribute systemd_unit_file_type;
++        ')
++
++    files_search_var_lib($1)
++    allow $1 systemd_unit_file_type:file getattr_file_perms;
++')
++
 +######################################
 +## <summary>
 +##      Allow domain to read all systemd unit files.
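Review bot: The new `systemd_getattr_unit_files` calls `files_search_var_lib($1)`, but the unit files this patch labels are under `/usr/lib/systemd/system` (systemd.fc), and the interface grants no search on `systemd_unit_file_type` directories. A caller may therefore receive a var_lib search it does not need and still be unable to reach the files. Unless unit files are expected under /var/lib, drop that call and add `allow $1 systemd_unit_file_type:dir search_dir_perms;`. The body is also indented with spaces while the neighbouring interface uses tabs.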
@@ -80955,6 +148027,24 @@ index 0000000..a142bb1
 +	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
 +')
 +
++#######################################
++## <summary>
++##  Execute systemd-tty-ask-password-agent in the caller domain
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_passwd_agent_exec',`
++    gen_require(`
++        type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
++    ')
++
++	can_exec($1, systemd_passwd_agent_exec_t)
++')
++
 +########################################
 +## <summary>
 +##	Execute a domain transition to run systemd_notify.
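Review bot: `systemd_passwd_agent_exec` requires `systemd_passwd_agent_t` in its `gen_require` but only references `systemd_passwd_agent_exec_t`, so an interface that runs the binary in the caller's domain depends on a type it never uses. Reduce the requirement to `type systemd_passwd_agent_exec_t;`. The body also mixes space indentation in `gen_require` with a tab before `can_exec`.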
@@ -81044,6 +148134,24 @@ index 0000000..a142bb1
 +	allow $1 systemd_passwd_agent_t:process signal;
 +')
 +
++######################################
++## <summary>
++##  Allow to domain to read systemd-passwd pipe
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`systemd_read_fifo_file_passwd_run',`
++    gen_require(`
++        type systemd_passwd_var_run_t;
++    ')
++
++    read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++')
++
 +#######################################
 +## <summary>
 +##  Send generic signals to systemd_passwd_agent processes.
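Review bot: `systemd_read_fifo_file_passwd_run` is named and documented for a pipe, yet its body calls `read_sock_files_pattern`, which covers socket files rather than FIFOs. Either the rule should be `read_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)`, or the name and summary should say socket; as written a caller is granted a different object class than the name promises. The summary wording "Allow to domain to read" should read "Allow domain to read".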
@@ -81207,19 +148315,92 @@ index 0000000..a142bb1
 +interface(`systemd_filetrans_named_content',`
 +	gen_require(`
 +		type systemd_passwd_var_run_t;
++		type systemd_logind_var_run_t;
 +	')
 +
++	files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
 +	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
 +	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
 +')
 +
++########################################
++## <summary>
++##	Get the system status information from systemd_login
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_login_status',`
++	gen_require(`
++		type systemd_logind_t;
++	')
++
++	allow $1 systemd_logind_t:system status;
++')
++
++########################################
++## <summary>
++##	Tell systemd_login to reboot the system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_login_reboot',`
++	gen_require(`
++		type systemd_logind_t;
++	')
++
++	allow $1 systemd_logind_t:system reboot;
++')
++
++########################################
++## <summary>
++##	Tell systemd_login to halt the system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_login_halt',`
++	gen_require(`
++		type systemd_logind_t;
++	')
++
++	allow $1 systemd_logind_t:system halt;
++')
++
++########################################
++## <summary>
++##	Tell systemd_login to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_login_undefined',`
++	gen_require(`
++		type systemd_logind_t;
++	')
++
++	allow $1 systemd_logind_t:system undefined;
++')
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..d63eb5e
+index 0000000..c41fc7c
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,391 @@
+@@ -0,0 +1,421 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
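Review bot: The summary of `systemd_login_undefined`, "Tell systemd_login to do an unknown access", does not tell a caller what `allow $1 systemd_logind_t:system undefined;` lets it do, so the grant cannot be reviewed for least privilege. State which requests are checked against the `undefined` permission, or leave the interface out until a caller needs it; no caller is visible in this part of the patch. The same applies in a milder form to `systemd_login_status`, `systemd_login_reboot` and `systemd_login_halt`, whose summaries could name the `system` class permission they grant.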
@@ -81280,7 +148461,7 @@ index 0000000..d63eb5e
 +#
 +
 +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
-+allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
++allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
 +allow systemd_logind_t self:process getcap;
 +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
@@ -81290,20 +148471,25 @@ index 0000000..d63eb5e
 +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
 +init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
 +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
++init_status(systemd_logind_t)
++init_reboot(systemd_logind_t)
++init_halt(systemd_logind_t)
++init_undefined(systemd_logind_t)
 +
-+dev_read_sysfs(systemd_logind_t)
-+dev_setattr_input_dev(systemd_logind_t)
-+dev_setattr_mouse_dev(systemd_logind_t)
-+dev_write_kmsg(systemd_logind_t)
++kernel_read_system_state(systemd_logind_t)
 +
 +dev_getattr_all_chr_files(systemd_logind_t)
 +dev_getattr_all_blk_files(systemd_logind_t)
++dev_rw_sysfs(systemd_logind_t)
++dev_setattr_all_chr_files(systemd_logind_t)
 +dev_setattr_dri_dev(systemd_logind_t)
++dev_setattr_generic_usb_dev(systemd_logind_t)
++dev_setattr_input_dev(systemd_logind_t)
 +dev_setattr_kvm_dev(systemd_logind_t)
++dev_setattr_mouse_dev(systemd_logind_t)
 +dev_setattr_sound_dev(systemd_logind_t)
-+dev_setattr_generic_usb_dev(systemd_logind_t)
 +dev_setattr_video_dev(systemd_logind_t)
-+dev_setattr_all_chr_files(systemd_logind_t)
++dev_write_kmsg(systemd_logind_t)
 +
 +domain_read_all_domains_state(systemd_logind_t)
 +
@@ -81316,6 +148502,8 @@ index 0000000..d63eb5e
 +# write getattr open setattr
 +fs_manage_cgroup_files(systemd_logind_t)
 +
++mcs_killall(systemd_logind_t)
++
 +storage_setattr_removable_dev(systemd_logind_t)
 +storage_setattr_scsi_generic_dev(systemd_logind_t)
 +
@@ -81339,12 +148527,21 @@ index 0000000..d63eb5e
 +miscfiles_read_localization(systemd_logind_t)
 +
 +udev_read_db(systemd_logind_t)
++udev_manage_rules_files(systemd_logind_t)
 +
 +userdom_read_all_users_state(systemd_logind_t)
 +userdom_use_user_ttys(systemd_logind_t)
 +userdom_manage_user_tmp_dirs(systemd_logind_t)
 +userdom_manage_user_tmp_files(systemd_logind_t)
 +userdom_manage_user_tmp_symlinks(systemd_logind_t)
++userdom_manage_user_tmp_sockets(systemd_logind_t)
++userdom_signal_all_users(systemd_logind_t)
++userdom_signull_all_users(systemd_logind_t)
++userdom_kill_all_users(systemd_logind_t)
++
++application_signal(systemd_logind_t)
++application_signull(systemd_logind_t)
++application_sigkill(systemd_logind_t)
 +
 +optional_policy(`
 +	cron_dbus_chat_crond(systemd_logind_t)
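Review bot: `udev_manage_rules_files(systemd_logind_t)` is added without a comment, and judging by its name it lets logind create and modify udev rules, which are then consumed by udev_t, a domain with considerably broader rights in this policy. If logind only needs to read the rules, a read-only grant would be safer; if it must write them, add a why-comment naming the files involved. The same hunk adds signal, signull and kill on all user and application domains (the neighbouring hunks add `self:capability kill` and `mcs_killall`); a line such as `# logind terminates the processes of a session it is closing` would record the intent, assuming that is the reason.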
@@ -81365,6 +148562,11 @@ index 0000000..d63eb5e
 +	# we label /run/user/$USER/dconf as config_home_t
 +	gnome_manage_home_config_dirs(systemd_logind_t)
 +	gnome_manage_home_config(systemd_logind_t)
++	gnome_list_gkeyringd_tmp_dirs(systemd_logind_t)
++')
++
++optional_policy(`
++	policykit_dbus_chat(systemd_logind_t)
 +')
 +
 +optional_policy(`
@@ -81400,7 +148602,7 @@ index 0000000..d63eb5e
 +auth_use_nsswitch(systemd_passwd_agent_t)
 +
 +init_create_pid_dirs(systemd_passwd_agent_t)
-+init_read_pipes(systemd_passwd_agent_t)
++init_rw_pipes(systemd_passwd_agent_t)
 +init_read_utmp(systemd_passwd_agent_t)
 +init_stream_connect(systemd_passwd_agent_t)
 +
@@ -81421,17 +148623,21 @@ index 0000000..d63eb5e
 +# Local policy
 +#
 +
-+allow systemd_tmpfiles_t self:capability { dac_override fowner chown fsetid };
++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
 +allow systemd_tmpfiles_t self:process { setfscreate };
 +
 +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
 +
 +kernel_read_network_state(systemd_tmpfiles_t)
++kernel_request_load_module(systemd_tmpfiles_t)
 +
 +dev_write_kmsg(systemd_tmpfiles_t)
++dev_rw_sysfs(systemd_tmpfiles_t)
 +dev_relabel_all_sysfs(systemd_tmpfiles_t)
 +dev_relabel_cpu_online(systemd_tmpfiles_t)
 +dev_read_cpu_online(systemd_tmpfiles_t)
++dev_manage_printer(systemd_tmpfiles_t)
++dev_relabel_printer(systemd_tmpfiles_t)
 +
 +domain_obj_id_change_exemption(systemd_tmpfiles_t)
 +
@@ -81443,6 +148649,8 @@ index 0000000..d63eb5e
 +files_read_etc_files(systemd_tmpfiles_t)
 +files_getattr_all_dirs(systemd_tmpfiles_t)
 +files_getattr_all_files(systemd_tmpfiles_t)
++files_getattr_all_sockets(systemd_tmpfiles_t)
++files_getattr_all_symlinks(systemd_tmpfiles_t)
 +files_relabel_all_lock_dirs(systemd_tmpfiles_t)
 +files_relabel_all_pid_dirs(systemd_tmpfiles_t)
 +files_relabel_all_pid_files(systemd_tmpfiles_t)
@@ -81450,7 +148658,10 @@ index 0000000..d63eb5e
 +files_manage_all_pid_dirs(systemd_tmpfiles_t)
 +files_manage_all_locks(systemd_tmpfiles_t)
 +files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
++files_delete_boot_flag(systemd_tmpfiles_t)
 +files_delete_all_non_security_files(systemd_tmpfiles_t)
++files_delete_all_pid_sockets(systemd_tmpfiles_t)
++files_delete_all_pid_pipes(systemd_tmpfiles_t)
 +files_purge_tmp(systemd_tmpfiles_t)
 +files_manage_generic_tmp_files(systemd_tmpfiles_t)
 +files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
@@ -81537,7 +148748,7 @@ index 0000000..d63eb5e
 +#
 +# systemd_notify local policy
 +#
-+allow systemd_notify_t self:capability { chown };
++allow systemd_notify_t self:capability chown;
 +allow systemd_notify_t self:process { fork setfscreate setsockcreate };
 +
 +allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
@@ -81612,7 +148823,7 @@ index 0000000..d63eb5e
 +
 +miscfiles_read_localization(systemctl_domain)
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 0291685..741f594 100644
+index 0291685..3e3668c 100644
 --- a/policy/modules/system/udev.fc
 +++ b/policy/modules/system/udev.fc
 @@ -1,6 +1,8 @@
@@ -81635,11 +148846,11 @@ index 0291685..741f594 100644
  
  /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
  /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -20,5 +23,19 @@
+@@ -20,5 +23,21 @@
  /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
  
  /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/bin/udevadm  --	gen_context(system_u:object_r:udev_exec_t,s0)
 +
 +/usr/sbin/start_udev 	--	gen_context(system_u:object_r:udev_exec_t,s0)
 +/usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
@@ -81649,8 +148860,10 @@ index 0291685..741f594 100644
 +/usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)
 +/usr/sbin/wait_for_sysfs --	gen_context(system_u:object_r:udev_exec_t,s0)
 +
++/usr/lib/systemd/systemd-udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
 +/usr/lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
 +/usr/lib/udev/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
++
  
 -/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 +/var/run/PackageKit/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
@@ -81856,7 +149069,7 @@ index 025348a..c15e57c 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..7983cfa 100644
+index d88f7c3..d0a8469 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -81875,7 +149088,7 @@ index d88f7c3..7983cfa 100644
  
  ifdef(`enable_mcs',`
  	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
-@@ -36,9 +34,15 @@ ifdef(`enable_mcs',`
+@@ -36,9 +34,10 @@ ifdef(`enable_mcs',`
  # Local policy
  #
  
@@ -81884,16 +149097,11 @@ index d88f7c3..7983cfa 100644
  dontaudit udev_t self:capability sys_tty_config;
 -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 +
-+ifdef(`hide_broken_symptoms',`
-+	# caused by some bogus kernel code
-+	dontaudit udev_t self:capability sys_module;
-+')
-+
 +allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow udev_t self:process { execmem setfscreate };
  allow udev_t self:fd use;
  allow udev_t self:fifo_file rw_fifo_file_perms;
-@@ -52,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -52,6 +51,7 @@ allow udev_t self:unix_dgram_socket sendto;
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow udev_t self:rawip_socket create_socket_perms;
@@ -81901,7 +149109,7 @@ index d88f7c3..7983cfa 100644
  
  allow udev_t udev_exec_t:file write;
  can_exec(udev_t, udev_exec_t)
-@@ -62,31 +67,34 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -62,31 +62,35 @@ can_exec(udev_t, udev_helper_exec_t)
  # read udev config
  allow udev_t udev_etc_t:file read_file_perms;
  
@@ -81923,6 +149131,7 @@ index d88f7c3..7983cfa 100644
 +allow udev_t udev_var_run_t:file mounton;
 +dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
  
++kernel_load_module(udev_t)
  kernel_read_system_state(udev_t)
  kernel_request_load_module(udev_t)
  kernel_getattr_core_if(udev_t)
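Review bot: The added `kernel_load_module(udev_t)` lets udev_t load modules directly, with no comment explaining why the existing `kernel_request_load_module(udev_t)` and the `modutils_domtrans_insmod(udev_t)` transition further down are no longer enough. An earlier hunk of this commit drops the `hide_broken_symptoms` block that only dontaudited `sys_module` for udev_t, so what used to be a silenced denial presumably becomes an allow. udev_t in this file can also write `udev_exec_t` and use `execmem`, so the grant should be justified in place, e.g. `# why udev_t needs module loading itself rather than the insmod_t transition: <reason / bug reference>`, or dropped in favour of the transition. The udev.te section continues outside this hunk.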
@@ -81943,7 +149152,7 @@ index d88f7c3..7983cfa 100644
  
  #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
  kernel_rw_net_sysctls(udev_t)
-@@ -97,6 +105,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -97,6 +101,7 @@ corecmd_exec_all_executables(udev_t)
  
  dev_rw_sysfs(udev_t)
  dev_manage_all_dev_nodes(udev_t)
@@ -81951,7 +149160,7 @@ index d88f7c3..7983cfa 100644
  dev_rw_generic_files(udev_t)
  dev_delete_generic_files(udev_t)
  dev_search_usbfs(udev_t)
-@@ -105,23 +114,30 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -105,23 +110,31 @@ dev_relabel_all_dev_nodes(udev_t)
  # preserved, instead of short circuiting the relabel
  dev_relabel_generic_symlinks(udev_t)
  dev_manage_generic_symlinks(udev_t)
@@ -81983,10 +149192,11 @@ index d88f7c3..7983cfa 100644
 -mcs_ptrace_all(udev_t)
 +fs_list_auto_mountpoints(udev_t)
 +fs_list_hugetlbfs(udev_t)
++fs_read_cgroup_files(udev_t)
  
  mls_file_read_all_levels(udev_t)
  mls_file_write_all_levels(udev_t)
-@@ -143,6 +159,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +156,7 @@ auth_use_nsswitch(udev_t)
  init_read_utmp(udev_t)
  init_dontaudit_write_utmp(udev_t)
  init_getattr_initctl(udev_t)
@@ -81994,7 +149204,7 @@ index d88f7c3..7983cfa 100644
  
  logging_search_logs(udev_t)
  logging_send_syslog_msg(udev_t)
-@@ -154,6 +171,8 @@ miscfiles_read_hwdata(udev_t)
+@@ -154,6 +168,8 @@ miscfiles_read_hwdata(udev_t)
  modutils_domtrans_insmod(udev_t)
  # read modules.inputmap:
  modutils_read_module_deps(udev_t)
@@ -82003,7 +149213,7 @@ index d88f7c3..7983cfa 100644
  
  seutil_read_config(udev_t)
  seutil_read_default_contexts(udev_t)
-@@ -169,6 +188,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -169,6 +185,8 @@ sysnet_signal_dhcpc(udev_t)
  sysnet_manage_config(udev_t)
  sysnet_etc_filetrans_config(udev_t)
  
@@ -82012,10 +149222,18 @@ index d88f7c3..7983cfa 100644
  userdom_dontaudit_search_user_home_content(udev_t)
  
  ifdef(`distro_gentoo',`
-@@ -186,8 +207,9 @@ ifdef(`distro_redhat',`
- 	fs_manage_tmpfs_chr_files(udev_t)
- 	fs_relabel_tmpfs_blk_file(udev_t)
- 	fs_relabel_tmpfs_chr_file(udev_t)
+@@ -178,16 +196,9 @@ ifdef(`distro_gentoo',`
+ ')
+ 
+ ifdef(`distro_redhat',`
+-	fs_manage_tmpfs_dirs(udev_t)
+-	fs_manage_tmpfs_files(udev_t)
+-	fs_manage_tmpfs_symlinks(udev_t)
+-	fs_manage_tmpfs_sockets(udev_t)
+-	fs_manage_tmpfs_blk_files(udev_t)
+-	fs_manage_tmpfs_chr_files(udev_t)
+-	fs_relabel_tmpfs_blk_file(udev_t)
+-	fs_relabel_tmpfs_chr_file(udev_t)
 +	fs_manage_hugetlbfs_dirs(udev_t)
  
 -	term_search_ptys(udev_t)
@@ -82023,7 +149241,7 @@ index d88f7c3..7983cfa 100644
  
  	# for arping used for static IP addresses on PCMCIA ethernet
  	netutils_domtrans(udev_t)
-@@ -216,11 +238,16 @@ optional_policy(`
+@@ -216,11 +227,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82040,7 +149258,7 @@ index d88f7c3..7983cfa 100644
  ')
  
  optional_policy(`
-@@ -230,10 +257,20 @@ optional_policy(`
+@@ -230,10 +246,20 @@ optional_policy(`
  optional_policy(`
  	devicekit_read_pid_files(udev_t)
  	devicekit_dgram_send(udev_t)
@@ -82061,7 +149279,7 @@ index d88f7c3..7983cfa 100644
  ')
  
  optional_policy(`
-@@ -259,6 +296,10 @@ optional_policy(`
+@@ -259,6 +285,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82072,7 +149290,7 @@ index d88f7c3..7983cfa 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +314,11 @@ optional_policy(`
+@@ -273,6 +303,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82084,7 +149302,7 @@ index d88f7c3..7983cfa 100644
  	unconfined_signal(udev_t)
  ')
  
-@@ -285,6 +331,7 @@ optional_policy(`
+@@ -285,6 +320,7 @@ optional_policy(`
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
  	xen_read_image_files(udev_t)
@@ -82113,10 +149331,10 @@ index ce2fbb9..8b34dbc 100644
 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..0515074 100644
+index 416e668..6fc471d 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
-@@ -12,53 +12,63 @@
+@@ -12,53 +12,59 @@
  #
  interface(`unconfined_domain_noaudit',`
  	gen_require(`
@@ -82130,11 +149348,7 @@ index 416e668..0515074 100644
 -	allow $1 self:capability *;
 -	allow $1 self:fifo_file manage_fifo_file_perms;
 +
-+	allow $1 self:capability ~{ sys_module sys_ptrace };
-+	tunable_policy(`deny_ptrace',`',`
-+		allow $1 self:capability sys_ptrace;
-+	')
-+
++	allow $1 self:capability ~{ sys_module };
 +	allow $1 self:capability2 syslog;
 +	allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
  
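Review bot: The new line `allow $1 self:capability ~{ sys_module };` grants `sys_ptrace` to every caller of `unconfined_domain_noaudit` unconditionally, where the previous revision excluded it and re-added it only inside the `deny_ptrace` tunable block. After this change the `deny_ptrace` boolean no longer controls that capability here, and the `userdom_admin_user_template` hunk further down makes the same reversal for `$1_t`. If the boolean is meant to stay effective, keep `~{ sys_module sys_ptrace }` together with the tunable block. If it is enforced somewhere outside these hunks, a one-line comment saying where would help the next reader. The interface body continues outside this hunk.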
@@ -82194,7 +149408,7 @@ index 416e668..0515074 100644
  #		auditallow $1 self:process execstack;
  	')
  
-@@ -69,6 +79,7 @@ interface(`unconfined_domain_noaudit',`
+@@ -69,6 +75,7 @@ interface(`unconfined_domain_noaudit',`
  	optional_policy(`
  		# Communicate via dbusd.
  		dbus_system_bus_unconfined($1)
@@ -82202,7 +149416,7 @@ index 416e668..0515074 100644
  	')
  
  	optional_policy(`
-@@ -122,6 +133,10 @@ interface(`unconfined_domain_noaudit',`
+@@ -122,6 +129,10 @@ interface(`unconfined_domain_noaudit',`
  ## </param>
  #
  interface(`unconfined_domain',`
@@ -82213,7 +149427,7 @@ index 416e668..0515074 100644
  	unconfined_domain_noaudit($1)
  
  	tunable_policy(`allow_execheap',`
-@@ -150,7 +165,7 @@ interface(`unconfined_domain',`
+@@ -150,7 +161,7 @@ interface(`unconfined_domain',`
  ## </param>
  #
  interface(`unconfined_alias_domain',`
@@ -82222,7 +149436,7 @@ index 416e668..0515074 100644
  ')
  
  ########################################
-@@ -176,414 +191,5 @@ interface(`unconfined_alias_domain',`
+@@ -176,414 +187,5 @@ interface(`unconfined_alias_domain',`
  ## </param>
  #
  interface(`unconfined_execmem_alias_program',`
@@ -82902,7 +150116,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..aa2d1cb 100644
+index 4b2878a..b0c7451 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -83217,7 +150431,33 @@ index 4b2878a..aa2d1cb 100644
  	')
  ')
  
-@@ -286,17 +331,64 @@ interface(`userdom_manage_home_role',`
+@@ -272,6 +317,25 @@ interface(`userdom_manage_home_role',`
+ ## <summary>
+ ##	Manage user temporary files
+ ## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolebase/>
++#
++interface(`userdom_manage_tmp_files',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	allow $1 user_tmp_t:file manage_file_perms;
++')
++
++#######################################
++## <summary>
++##	Manage user temporary files
++## </summary>
+ ## <param name="role">
+ ##	<summary>
+ ##	Role allowed access.
+@@ -286,17 +350,64 @@ interface(`userdom_manage_home_role',`
  #
  interface(`userdom_manage_tmp_role',`
  	gen_require(`
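Review bot: The documentation of the new `userdom_manage_tmp_files` interface carries a `<rolebase/>` tag and the summary "Manage user temporary files", both matching the role-based `userdom_manage_tmp_role` that follows, although this interface takes a domain. I would drop `<rolebase/>` and reword the summary so the two can be told apart, e.g. `##	Create, read, write, and delete user temporary files.`. The body allows only `user_tmp_t:file manage_file_perms`, without the `files_search_tmp($1)` that `userdom_search_user_tmp_dirs` in this same patch includes. Callers presumably have to obtain directory access elsewhere, which is worth either stating in the summary or adding to the interface.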
@@ -83287,7 +150527,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  #######################################
-@@ -316,6 +408,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +427,7 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -83295,7 +150535,7 @@ index 4b2878a..aa2d1cb 100644
  	files_search_tmp($1)
  ')
  
-@@ -347,59 +440,62 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -347,59 +459,62 @@ interface(`userdom_exec_user_tmp_files',`
  #
  interface(`userdom_manage_tmpfs_role',`
  	gen_require(`
@@ -83390,7 +150630,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  #######################################
-@@ -430,6 +526,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +545,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -83398,7 +150638,7 @@ index 4b2878a..aa2d1cb 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -462,8 +559,8 @@ template(`userdom_change_password_template',`
+@@ -462,8 +578,8 @@ template(`userdom_change_password_template',`
  	')
  
  	optional_policy(`
@@ -83409,7 +150649,7 @@ index 4b2878a..aa2d1cb 100644
  	')
  ')
  
-@@ -490,7 +587,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +606,7 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -83418,7 +150658,7 @@ index 4b2878a..aa2d1cb 100644
  
  	##############################
  	#
-@@ -500,73 +597,83 @@ template(`userdom_common_user_template',`
+@@ -500,73 +616,83 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -83440,27 +150680,27 @@ index 4b2878a..aa2d1cb 100644
 +	kernel_get_sysvipc_info($1_usertype)
  	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
+-
+-	corecmd_exec_bin($1_t)
 +	kernel_read_device_sysctls($1_usertype)
 +	kernel_request_load_module($1_usertype)
  
--	corecmd_exec_bin($1_t)
+-	corenet_udp_bind_generic_node($1_t)
+-	corenet_udp_bind_generic_port($1_t)
 +	corenet_udp_bind_generic_node($1_usertype)
 +	corenet_udp_bind_generic_port($1_usertype)
  
--	corenet_udp_bind_generic_node($1_t)
--	corenet_udp_bind_generic_port($1_t)
+-	dev_read_rand($1_t)
+-	dev_write_sound($1_t)
+-	dev_read_sound($1_t)
+-	dev_read_sound_mixer($1_t)
+-	dev_write_sound_mixer($1_t)
 +	dev_read_rand($1_usertype)
 +	dev_write_sound($1_usertype)
 +	dev_read_sound($1_usertype)
 +	dev_read_sound_mixer($1_usertype)
 +	dev_write_sound_mixer($1_usertype)
  
--	dev_read_rand($1_t)
--	dev_write_sound($1_t)
--	dev_read_sound($1_t)
--	dev_read_sound_mixer($1_t)
--	dev_write_sound_mixer($1_t)
--
 -	files_exec_etc_files($1_t)
 -	files_search_locks($1_t)
 +	files_exec_etc_files($1_usertype)
@@ -83484,10 +150724,10 @@ index 4b2878a..aa2d1cb 100644
 +	fs_read_noxattr_fs_files($1_usertype)
 +	fs_read_noxattr_fs_symlinks($1_usertype)
 +	fs_rw_cgroup_files($1_usertype)
-+
-+	application_getattr_socket($1_usertype)
  
 -	fs_rw_cgroup_files($1_t)
++	application_getattr_socket($1_usertype)
++
 +	logging_send_syslog_msg($1_usertype)
 +	logging_send_audit_msgs($1_usertype)
 +	selinux_get_enforce_mode($1_usertype)
@@ -83544,7 +150784,7 @@ index 4b2878a..aa2d1cb 100644
  	')
  
  	tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +681,113 @@ template(`userdom_common_user_template',`
+@@ -574,67 +700,113 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -83553,15 +150793,15 @@ index 4b2878a..aa2d1cb 100644
 -		alsa_relabel_home_files($1_t)
 +		# Allow graphical boot to check battery lifespan
 +		apm_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		canna_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		# Allow graphical boot to check battery lifespan
 -		apm_stream_connect($1_t)
++		canna_stream_connect($1_usertype)
++	')
++
++	optional_policy(`
 +		chrome_role($1_r, $1_usertype)
  	')
  
@@ -83579,75 +150819,75 @@ index 4b2878a..aa2d1cb 100644
 +		optional_policy(`
 +			avahi_dbus_chat($1_usertype)
 +		')
++
++		optional_policy(`
++			policykit_dbus_chat($1_usertype)
++		')
++
++		optional_policy(`
++			bluetooth_dbus_chat($1_usertype)
++		')
++
++		optional_policy(`
++			consolekit_dbus_chat($1_usertype)
++			consolekit_read_log($1_usertype)
++		')
++
++		optional_policy(`
++			devicekit_dbus_chat($1_usertype)
++			devicekit_dbus_chat_power($1_usertype)
++			devicekit_dbus_chat_disk($1_usertype)
++		')
++
++		optional_policy(`
++			evolution_dbus_chat($1_usertype)
++			evolution_alarm_dbus_chat($1_usertype)
++		')
++
++		optional_policy(`
++			gnome_dbus_chat_gconfdefault($1_usertype)
++		')
  
  		optional_policy(`
 -			bluetooth_dbus_chat($1_t)
-+			policykit_dbus_chat($1_usertype)
++			hal_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			evolution_dbus_chat($1_t)
 -			evolution_alarm_dbus_chat($1_t)
-+			bluetooth_dbus_chat($1_usertype)
++			kde_dbus_chat_backlighthelper($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat_config($1_t)
-+			consolekit_dbus_chat($1_usertype)
-+			consolekit_read_log($1_usertype)
++			modemmanager_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			hal_dbus_chat($1_t)
-+			devicekit_dbus_chat($1_usertype)
-+			devicekit_dbus_chat_power($1_usertype)
-+			devicekit_dbus_chat_disk($1_usertype)
++			networkmanager_dbus_chat($1_usertype)
++			networkmanager_read_lib_files($1_usertype)
  		')
  
  		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
-+			evolution_dbus_chat($1_usertype)
-+			evolution_alarm_dbus_chat($1_usertype)
- 		')
-+
-+		optional_policy(`
-+			gnome_dbus_chat_gconfdefault($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			hal_dbus_chat($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			kde_dbus_chat_backlighthelper($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			modemmanager_dbus_chat($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			networkmanager_dbus_chat($1_usertype)
-+			networkmanager_read_lib_files($1_usertype)
-+		')
-+
-+		optional_policy(`
 +			vpn_dbus_chat($1_usertype)
-+		')
-+	')
-+
-+	optional_policy(`
+ 		')
+ 	')
+ 
+ 	optional_policy(`
+-		inetd_use_fds($1_t)
+-		inetd_rw_tcp_sockets($1_t)
 +		git_session_role($1_r, $1_usertype)
 +	')
 +
 +	optional_policy(`
 +		inetd_use_fds($1_usertype)
 +		inetd_rw_tcp_sockets($1_usertype)
- 	')
- 
- 	optional_policy(`
--		inetd_use_fds($1_t)
--		inetd_rw_tcp_sockets($1_t)
++	')
++
++	optional_policy(`
 +		inn_read_config($1_usertype)
 +		inn_read_news_lib($1_usertype)
 +		inn_read_news_spool($1_usertype)
@@ -83679,7 +150919,7 @@ index 4b2878a..aa2d1cb 100644
  	')
  
  	optional_policy(`
-@@ -650,40 +803,52 @@ template(`userdom_common_user_template',`
+@@ -650,40 +822,52 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -83715,46 +150955,53 @@ index 4b2878a..aa2d1cb 100644
 +
 +	optional_policy(`
 +		rpcbind_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		sandbox_transition($1_usertype, $1_r)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		seunshare_role_template($1, $1_r, $1_t)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		slrnpull_search_spool($1_usertype)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t, $1_r)
++		slrnpull_search_spool($1_usertype)
++	')
++
++	optional_policy(`
 +		thumb_role($1_r, $1_usertype)
  	')
  ')
  
-@@ -712,13 +877,26 @@ template(`userdom_login_user_template', `
+@@ -708,17 +892,33 @@ template(`userdom_common_user_template',`
+ template(`userdom_login_user_template', `
+ 	gen_require(`
+ 		class context contains;
++		attribute login_userdomain;
+ 	')
  
  	userdom_base_user_template($1)
  
 -	userdom_manage_home_role($1_r, $1_t)
-+	userdom_manage_home_role($1_r, $1_usertype)
++	typeattribute $1_t login_userdomain;
 +
-+	userdom_manage_tmp_role($1_r, $1_usertype)
-+	userdom_manage_tmpfs_role($1_r, $1_usertype)
++	userdom_manage_home_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
++	userdom_manage_tmp_role($1_r, $1_usertype)
++	userdom_manage_tmpfs_role($1_r, $1_usertype)
++
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
 +
@@ -83775,12 +151022,18 @@ index 4b2878a..aa2d1cb 100644
  
  	userdom_change_password_template($1)
  
-@@ -730,78 +908,82 @@ template(`userdom_login_user_template', `
- 	allow $1_t self:capability { setgid chown fowner };
+@@ -727,81 +927,98 @@ template(`userdom_login_user_template', `
+ 	# User domain Local policy
+ 	#
+ 
+-	allow $1_t self:capability { setgid chown fowner };
++	allow $1_t self:capability { setgid setuid chown fowner };
++	allow $1_t self:process setcurrent;
++	domain_dyntrans_type($1_t)
  	dontaudit $1_t self:capability { sys_nice fsetid };
  
 -	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
-+	allow $1_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
++	allow $1_t self:process ~{ ptrace setrlimit execmem execstack execheap };
  	dontaudit $1_t self:process setrlimit;
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
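Review bot: The rewritten `allow $1_t self:process ~{ ptrace setrlimit execmem execstack execheap };` no longer excludes `setcurrent` and `setexec`, so every domain built from `userdom_login_user_template` gains both, and the separate `allow $1_t self:process setcurrent;` added above it is redundant. Together with the new `setuid` capability and `domain_dyntrans_type($1_t)`, this widens all login user domains unconditionally, with no comment naming the program that needs it. I would keep the exclusion as `~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }` and grant the dyntrans permissions only to the specific domain that requires them. Failing that, the three added lines should at least carry a `# needed by <program>: <bug reference>` comment. The template body continues outside this hunk.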
@@ -83793,6 +151046,7 @@ index 4b2878a..aa2d1cb 100644
 -	dev_read_sysfs($1_t)
 -	dev_read_urand($1_t)
 +	dev_read_sysfs($1_usertype)
++	dev_read_rand($1_usertype)
 +	dev_read_urand($1_usertype)
  
 -	domain_use_interactive_fds($1_t)
@@ -83823,8 +151077,11 @@ index 4b2878a..aa2d1cb 100644
 +	fs_list_inotifyfs($1_usertype)
 +	fs_rw_anon_inodefs_files($1_usertype)
  
- 	auth_dontaudit_write_login_records($1_t)
++	auth_role($1_r, $1_t)
 +	auth_rw_cache($1_t)
++	auth_search_pam_console_data($1_t)
++	auth_dontaudit_read_login_records($1_t)
+ 	auth_dontaudit_write_login_records($1_t)
  
  	application_exec_all($1_t)
 -
@@ -83850,22 +151107,29 @@ index 4b2878a..aa2d1cb 100644
 -	miscfiles_exec_tetex_data($1_t)
 +	miscfiles_read_tetex_data($1_usertype)
 +	miscfiles_exec_tetex_data($1_usertype)
++
++	seutil_read_config($1_usertype)
++	seutil_read_file_contexts($1_usertype)
++	seutil_read_default_contexts($1_usertype)
++	seutil_exec_setfiles($1_usertype)
  
 -	seutil_read_config($1_t)
-+	seutil_read_config($1_usertype)
-+
 +	optional_policy(`
 +		cups_read_config($1_usertype)
 +		cups_stream_connect($1_usertype)
 +		cups_stream_connect_ptal($1_usertype)
 +	')
++
++	optional_policy(`
++		kerberos_use($1_usertype)
++		kerberos_filetrans_home_content($1_usertype)
++	')
  
  	optional_policy(`
 -		cups_read_config($1_t)
 -		cups_stream_connect($1_t)
 -		cups_stream_connect_ptal($1_t)
-+		kerberos_use($1_usertype)
-+		kerberos_filetrans_home_content($1_usertype)
++		mysql_filetrans_named_content($1_usertype)
  	')
  
  	optional_policy(`
@@ -83892,24 +151156,26 @@ index 4b2878a..aa2d1cb 100644
  	')
  ')
  
-@@ -833,6 +1015,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1050,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
 +	allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
 +	dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
 +
++    seutil_read_file_contexts($1_t)
++    seutil_read_default_contexts($1_t)
++
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1059,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -873,46 +1096,115 @@ template(`userdom_restricted_xwindows_user_template',`
+ 	# Local policy
  	#
  
- 	auth_role($1_r, $1_t)
+-	auth_role($1_r, $1_t)
 -	auth_search_pam_console_data($1_t)
-+	auth_search_pam_console_data($1_usertype)
-+	auth_dontaudit_read_login_records($1_usertype)
- 
+-
 -	dev_read_sound($1_t)
 -	dev_write_sound($1_t)
 +	dev_read_sound($1_usertype)
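Review bot: The two added lines `seutil_read_file_contexts($1_t)` and `seutil_read_default_contexts($1_t)` in `userdom_restricted_user_template` are indented with four spaces, while the surrounding template uses tabs. The `tunable_policy` block for `user_tcp_server` added to `userdom_admin_user_template` later in this patch has the same mix, with spaces on the body line and the closing `')`. Re-indenting both with a single tab keeps the policy sources consistent and avoids whitespace-only noise in later syncs. Both template bodies extend outside their hunks.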
@@ -84032,7 +151298,7 @@ index 4b2878a..aa2d1cb 100644
  	')
  ')
  
-@@ -947,7 +1205,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1239,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -84041,7 +151307,7 @@ index 4b2878a..aa2d1cb 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,12 +1214,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1248,15 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -84059,7 +151325,7 @@ index 4b2878a..aa2d1cb 100644
  	files_read_kernel_symbol_table($1_t)
  
  	ifndef(`enable_mls',`
-@@ -978,23 +1239,60 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1273,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -84102,9 +151368,11 @@ index 4b2878a..aa2d1cb 100644
 +
 +	optional_policy(`
 +		gpg_role($1_r, $1_usertype)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		gnomeclock_dbus_chat($1_t)
 +	')
 +
@@ -84119,17 +151387,15 @@ index 4b2878a..aa2d1cb 100644
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
- 	')
- 
- 	optional_policy(`
--		netutils_run_ping_cond($1_t, $1_r)
--		netutils_run_traceroute_cond($1_t, $1_r)
++	')
++
++	optional_policy(`
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1003,7 +1301,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1335,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -84140,7 +151406,7 @@ index 4b2878a..aa2d1cb 100644
  	')
  ')
  
-@@ -1039,7 +1339,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1373,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -84149,20 +151415,15 @@ index 4b2878a..aa2d1cb 100644
  	')
  
  	##############################
-@@ -1065,7 +1365,11 @@ template(`userdom_admin_user_template',`
- 	# $1_t local policy
+@@ -1066,6 +1400,7 @@ template(`userdom_admin_user_template',`
  	#
  
--	allow $1_t self:capability ~{ sys_module audit_control audit_write };
-+	allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write };
-+	tunable_policy(`deny_ptrace',`',`
-+		allow $1_t self:capability sys_ptrace;
-+	')
+ 	allow $1_t self:capability ~{ sys_module audit_control audit_write };
 +	allow $1_t self:capability2 syslog;
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1378,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1409,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -84172,7 +151433,7 @@ index 4b2878a..aa2d1cb 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1395,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1426,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -84180,7 +151441,7 @@ index 4b2878a..aa2d1cb 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1413,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1444,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -84194,7 +151455,7 @@ index 4b2878a..aa2d1cb 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,29 +1430,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1461,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -84237,7 +151498,7 @@ index 4b2878a..aa2d1cb 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1471,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1502,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -84246,7 +151507,18 @@ index 4b2878a..aa2d1cb 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1532,8 @@ template(`userdom_security_admin_template',`
+@@ -1165,6 +1518,10 @@ template(`userdom_admin_user_template',`
+ 		fs_read_noxattr_fs_files($1_t)
+ 	')
+ 
++	tunable_policy(`user_tcp_server',`
++        corenet_tcp_bind_all_unreserved_ports($1_t)
++    ')
++
+ 	optional_policy(`
+ 		postgresql_unconfined($1_t)
+ 	')
+@@ -1210,6 +1567,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -84255,7 +151527,7 @@ index 4b2878a..aa2d1cb 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,8 +1546,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1581,9 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -84266,7 +151538,7 @@ index 4b2878a..aa2d1cb 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1234,13 +1559,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1594,24 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -84295,7 +151567,7 @@ index 4b2878a..aa2d1cb 100644
  	')
  
  	optional_policy(`
-@@ -1251,12 +1587,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1622,12 @@ template(`userdom_security_admin_template',`
  		dmesg_exec($1)
  	')
  
@@ -84311,7 +151583,7 @@ index 4b2878a..aa2d1cb 100644
  	')
  
  	optional_policy(`
-@@ -1279,11 +1615,60 @@ template(`userdom_security_admin_template',`
+@@ -1279,25 +1650,74 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -84320,24 +151592,29 @@ index 4b2878a..aa2d1cb 100644
  
  	allow $1 user_home_t:filesystem associate;
  	files_type($1)
-+	ubac_constrained($1)
+-	files_poly_member($1)
+ 	ubac_constrained($1)
 +
- 	files_poly_member($1)
++	files_poly_member($1)
 +	typeattribute $1  user_home_type;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow domain to attach to TUN devices created by administrative users.
 +##	Make the specified type usable in a
 +##	generic temporary directory.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <param name="type">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Type to be used as a file in the
 +##	generic temporary directory.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_attach_admin_tun_iface',`
 +interface(`userdom_user_tmp_content',`
 +	gen_require(`
 +		attribute user_tmp_type;
@@ -84369,10 +151646,24 @@ index 4b2878a..aa2d1cb 100644
 +	typeattribute $1 user_tmpfs_type;
 +
 +	files_tmpfs_file($1)
- 	ubac_constrained($1)
- ')
- 
-@@ -1395,6 +1780,7 @@ interface(`userdom_search_user_home_dirs',`
++	ubac_constrained($1)
++')
++
++########################################
++## <summary>
++##	Allow domain to attach to TUN devices created by administrative users.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_attach_admin_tun_iface',`
+ 	gen_require(`
+ 		attribute admindomain;
+ 	')
+@@ -1395,11 +1815,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -84380,15 +151671,35 @@ index 4b2878a..aa2d1cb 100644
  	files_search_home($1)
  ')
  
-@@ -1441,11 +1827,19 @@ interface(`userdom_list_user_home_dirs',`
+ ########################################
+ ## <summary>
++##	Search user tmp directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_search_user_tmp_dirs',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	files_search_tmp($1)
++	allow $1 user_tmp_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to search user home directories.
+ ## </summary>
+ ## <desc>
+@@ -1441,6 +1881,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
--')
- 
--########################################
--## <summary>
--##	Do not audit attempts to list user home subdirectories.
++
 +	tunable_policy(`use_nfs_home_dirs',`
 +		fs_list_nfs($1)
 +	')
@@ -84396,15 +151707,10 @@ index 4b2878a..aa2d1cb 100644
 +	tunable_policy(`use_samba_home_dirs',`
 +		fs_list_cifs($1)
 +	')
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to list user home subdirectories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1456,9 +1850,11 @@ interface(`userdom_list_user_home_dirs',`
+ ')
+ 
+ ########################################
+@@ -1456,9 +1904,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -84416,7 +151722,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  ########################################
-@@ -1515,6 +1911,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1965,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -84459,7 +151765,7 @@ index 4b2878a..aa2d1cb 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1589,6 +2021,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2075,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -84468,7 +151774,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  ########################################
-@@ -1603,10 +2037,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2091,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -84483,7 +151789,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  ########################################
-@@ -1649,6 +2085,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2139,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -84527,7 +151833,7 @@ index 4b2878a..aa2d1cb 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1668,6 +2141,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2195,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -84553,7 +151859,7 @@ index 4b2878a..aa2d1cb 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1698,14 +2190,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1698,14 +2244,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -84591,7 +151897,7 @@ index 4b2878a..aa2d1cb 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2230,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2284,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -84609,7 +151915,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  ########################################
-@@ -1779,6 +2296,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2350,60 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -84670,7 +151976,7 @@ index 4b2878a..aa2d1cb 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2381,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2435,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -84680,7 +151986,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  ########################################
-@@ -1827,21 +2397,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2451,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -84694,19 +152000,18 @@ index 4b2878a..aa2d1cb 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
- 
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
--	')
 -')
--
+ 
  ########################################
  ## <summary>
- ##	Do not audit attempts to execute user home files.
-@@ -1941,6 +2505,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2559,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -84731,7 +152036,7 @@ index 4b2878a..aa2d1cb 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2008,7 +2590,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2644,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -84740,7 +152045,7 @@ index 4b2878a..aa2d1cb 100644
  	files_search_home($1)
  ')
  
-@@ -2039,7 +2621,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2675,7 @@ interface(`userdom_user_home_content_filetrans',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -84749,7 +152054,7 @@ index 4b2878a..aa2d1cb 100644
  	allow $1 user_home_dir_t:dir search_dir_perms;
  	files_search_home($1)
  ')
-@@ -2158,11 +2740,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2158,11 +2794,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -84764,7 +152069,7 @@ index 4b2878a..aa2d1cb 100644
  	files_search_tmp($1)
  ')
  
-@@ -2182,7 +2764,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2818,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -84773,7 +152078,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  ########################################
-@@ -2390,7 +2972,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +3026,7 @@ interface(`userdom_user_tmp_filetrans',`
  		type user_tmp_t;
  	')
  
@@ -84782,7 +152087,7 @@ index 4b2878a..aa2d1cb 100644
  	files_search_tmp($1)
  ')
  
-@@ -2419,6 +3001,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3055,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2)
  ')
  
@@ -84808,7 +152113,7 @@ index 4b2878a..aa2d1cb 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2435,13 +3036,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3090,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -84824,7 +152129,7 @@ index 4b2878a..aa2d1cb 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,7 +3064,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3118,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -84833,7 +152138,7 @@ index 4b2878a..aa2d1cb 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2470,14 +3072,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3126,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -84868,11 +152173,34 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  ########################################
-@@ -2572,6 +3190,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3244,7 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
+-##	Read and write a user domain pty.
 +##	Read and write a inherited user domain tty.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2580,32 +3252,62 @@ interface(`userdom_use_user_ttys',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_use_user_ptys',`
++interface(`userdom_use_inherited_user_ttys',`
+ 	gen_require(`
+-		type user_devpts_t;
++		type user_tty_device_t;
+ 	')
+ 
+-	allow $1 user_devpts_t:chr_file rw_term_perms;
++	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write a user TTYs and PTYs.
++##	Read and write a user domain pty.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -84880,24 +152208,16 @@ index 4b2878a..aa2d1cb 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_use_inherited_user_ttys',`
++interface(`userdom_use_user_ptys',`
 +	gen_require(`
-+		type user_tty_device_t;
++		type user_devpts_t;
 +	')
 +
-+	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
++	allow $1 user_devpts_t:chr_file rw_term_perms;
 +')
 +
 +########################################
 +## <summary>
- ##	Read and write a user domain pty.
- ## </summary>
- ## <param name="domain">
-@@ -2590,22 +3226,34 @@ interface(`userdom_use_user_ptys',`
- 
- ########################################
- ## <summary>
--##	Read and write a user TTYs and PTYs.
 +##	Read and write a inherited user domain pty.
 +## </summary>
 +## <param name="domain">
@@ -84936,7 +152256,7 @@ index 4b2878a..aa2d1cb 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2614,14 +3262,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3316,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -84974,7 +152294,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  ########################################
-@@ -2640,36 +3307,32 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,8 +3361,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -84982,118 +152302,70 @@ index 4b2878a..aa2d1cb 100644
 -	dontaudit $1 user_devpts_t:chr_file rw_term_perms;
 +	dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
 +	dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
- ')
- 
++')
 +
- ########################################
- ## <summary>
--##	Execute a shell in all user domains.  This
--##	is an explicit transition, requiring the
--##	caller to use setexeccon().
++
++########################################
++## <summary>
 +##	Get attributes of user domain tty and pty.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed to transition.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`userdom_spec_domtrans_all_users',`
++##	</summary>
++## </param>
++#
 +interface(`userdom_getattr_user_terminals',`
- 	gen_require(`
--		attribute userdomain;
++	gen_require(`
 +		type user_tty_device_t, user_devpts_t;
- 	')
- 
--	corecmd_shell_spec_domtrans($1, userdomain)
--	allow userdomain $1:fd use;
--	allow userdomain $1:fifo_file rw_file_perms;
--	allow userdomain $1:process sigchld;
++	')
++
 +	allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
  ')
  
  ########################################
- ## <summary>
--##	Execute an Xserver session in all unprivileged user domains.  This
-+##	Execute a shell in all user domains.  This
- ##	is an explicit transition, requiring the
- ##	caller to use setexeccon().
- ## </summary>
-@@ -2679,12 +3342,12 @@ interface(`userdom_spec_domtrans_all_users',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_xsession_spec_domtrans_all_users',`
-+interface(`userdom_spec_domtrans_all_users',`
- 	gen_require(`
- 		attribute userdomain;
- 	')
- 
--	xserver_xsession_spec_domtrans($1, userdomain)
-+	corecmd_shell_spec_domtrans($1, userdomain)
- 	allow userdomain $1:fd use;
- 	allow userdomain $1:fifo_file rw_file_perms;
- 	allow userdomain $1:process sigchld;
-@@ -2692,7 +3355,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
- 
- ########################################
- ## <summary>
--##	Execute a shell in all unprivileged user domains.  This
-+##	Execute an Xserver session in all unprivileged user domains.  This
- ##	is an explicit transition, requiring the
- ##	caller to use setexeccon().
- ## </summary>
-@@ -2702,20 +3365,20 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_spec_domtrans_unpriv_users',`
-+interface(`userdom_xsession_spec_domtrans_all_users',`
- 	gen_require(`
--		attribute unpriv_userdomain;
-+		attribute userdomain;
- 	')
- 
--	corecmd_shell_spec_domtrans($1, unpriv_userdomain)
--	allow unpriv_userdomain $1:fd use;
--	allow unpriv_userdomain $1:fifo_file rw_file_perms;
--	allow unpriv_userdomain $1:process sigchld;
-+	xserver_xsession_spec_domtrans($1, userdomain)
-+	allow userdomain $1:fd use;
-+	allow userdomain $1:fifo_file rw_file_perms;
-+	allow userdomain $1:process sigchld;
+@@ -2713,69 +3453,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+ 	allow unpriv_userdomain $1:process sigchld;
  ')
  
- ########################################
+-########################################
++#####################################
  ## <summary>
 -##	Execute an Xserver session in all unprivileged user domains.  This
-+##	Execute a shell in all unprivileged user domains.  This
- ##	is an explicit transition, requiring the
- ##	caller to use setexeccon().
+-##	is an explicit transition, requiring the
+-##	caller to use setexeccon().
++##  Allow domain dyntrans to unpriv userdomain.
  ## </summary>
-@@ -2725,57 +3388,61 @@ interface(`userdom_spec_domtrans_unpriv_users',`
- ##	</summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed to transition.
+-##	</summary>
++##  <summary>
++##  Domain allowed access.
++##  </summary>
  ## </param>
  #
 -interface(`userdom_xsession_spec_domtrans_unpriv_users',`
-+interface(`userdom_spec_domtrans_unpriv_users',`
- 	gen_require(`
- 		attribute unpriv_userdomain;
- 	')
+-	gen_require(`
+-		attribute unpriv_userdomain;
+-	')
++interface(`userdom_dyntransition_unpriv_users',`
++    gen_require(`
++        attribute unpriv_userdomain;
++    ')
  
 -	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
-+	corecmd_shell_spec_domtrans($1, unpriv_userdomain)
- 	allow unpriv_userdomain $1:fd use;
- 	allow unpriv_userdomain $1:fifo_file rw_file_perms;
- 	allow unpriv_userdomain $1:process sigchld;
+-	allow unpriv_userdomain $1:fd use;
+-	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+-	allow unpriv_userdomain $1:process sigchld;
++    allow $1 unpriv_userdomain:process dyntransition;
  ')
  
 -#######################################
-+#####################################
++####################################
  ## <summary>
 -##	Read and write unpriviledged user SysV sempaphores.
-+##  Allow domain dyntrans to unpriv userdomain.
++##  Allow domain dyntrans to admin userdomain.
  ## </summary>
  ## <param name="domain">
 -##	<summary>
@@ -85108,13 +152380,13 @@ index 4b2878a..aa2d1cb 100644
 -	gen_require(`
 -		attribute unpriv_userdomain;
 -	')
-+interface(`userdom_dyntransition_unpriv_users',`
++interface(`userdom_dyntransition_admin_users',`
 +    gen_require(`
-+        attribute unpriv_userdomain;
++        attribute admindomain;
 +    ')
  
 -	allow $1 unpriv_userdomain:sem rw_sem_perms;
-+    allow $1 unpriv_userdomain:process dyntransition;
++    allow $1 admindomain:process dyntransition;
  ')
  
  ########################################
@@ -85153,7 +152425,7 @@ index 4b2878a..aa2d1cb 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2783,12 +3450,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2783,12 +3522,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -85168,7 +152440,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  ########################################
-@@ -2852,7 +3519,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3591,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -85177,7 +152449,7 @@ index 4b2878a..aa2d1cb 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3535,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3607,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -85211,7 +152483,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  ########################################
-@@ -2972,7 +3623,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3695,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -85220,7 +152492,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  ########################################
-@@ -3027,7 +3678,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3750,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -85267,7 +152539,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  ########################################
-@@ -3045,7 +3734,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3806,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -85276,7 +152548,7 @@ index 4b2878a..aa2d1cb 100644
  ')
  
  ########################################
-@@ -3064,6 +3753,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3825,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -85284,10 +152556,30 @@ index 4b2878a..aa2d1cb 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3142,6 +3832,24 @@ interface(`userdom_signal_all_users',`
+@@ -3140,6 +3902,42 @@ interface(`userdom_signal_all_users',`
+ 	allow $1 userdomain:process signal;
+ ')
  
- ########################################
- ## <summary>
++#######################################
++## <summary>
++##  Send signull to all user domains.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`userdom_signull_all_users',`
++    gen_require(`
++        attribute userdomain;
++    ')
++
++    allow $1 userdomain:process signull;
++')
++
++########################################
++## <summary>
 +##	Send kill signals to all user domains.
 +## </summary>
 +## <param name="domain">
@@ -85304,12 +152596,10 @@ index 4b2878a..aa2d1cb 100644
 +	allow $1 userdomain:process sigkill;
 +')
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
- ## </summary>
- ## <param name="domain">
-@@ -3160,6 +3868,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3958,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -85334,7 +152624,7 @@ index 4b2878a..aa2d1cb 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3920,1254 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +4010,1292 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -85904,6 +153194,25 @@ index 4b2878a..aa2d1cb 100644
 +
 +########################################
 +## <summary>
++##	Read/Write files inherited
++##	in a user home subdirectory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_rw_inherited_user_home_content_files',`
++	gen_require(`
++		attribute user_home_type;
++	')
++
++	allow $1 user_home_type:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
 +##	Append files inherited
 +##	in a user home subdirectory.
 +## </summary>
@@ -86130,6 +153439,7 @@ index 4b2878a..aa2d1cb 100644
 +	')
 +
 +	allow $1 home_cert_t:dir list_dir_perms;
++	manage_dirs_pattern($1, home_cert_t, home_cert_t)
 +	manage_files_pattern($1, home_cert_t, home_cert_t)
 +	manage_lnk_files_pattern($1, home_cert_t, home_cert_t)
 +
@@ -86323,6 +153633,24 @@ index 4b2878a..aa2d1cb 100644
 +
 +########################################
 +## <summary>
++##	Write all inherited users home files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_rw_inherited_user_home_sock_files',`
++	gen_require(`
++		type user_home_t;
++	')
++
++	allow $1 user_home_t:sock_file write;
++')
++
++########################################
++## <summary>
 +##	Delete all users files in /tmp
 +## </summary>
 +## <param name="domain">
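Review bot: The name and summary of the added `userdom_rw_inherited_user_home_sock_files` do not match its rule, which is only `allow $1 user_home_t:sock_file write;`. It grants no read permission and uses no inherited-only permission set. It also names the single type `user_home_t`, whereas `userdom_rw_inherited_user_home_content_files`, added earlier in this patch, uses the `user_home_type` attribute. The summary "Write all inherited users home files" also describes files rather than sockets; something like `##	Write to sock_files labeled user_home_t.` would say what the rule grants. If an inherited-only or attribute-wide grant was intended, the rule should change rather than the comment.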
@@ -86590,7 +153918,7 @@ index 4b2878a..aa2d1cb 100644
 +	typeattribute $1 userdom_home_manager_type;
 +')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..0e7648c 100644
+index 9b4a930..fd86f24 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -86602,7 +153930,7 @@ index 9b4a930..0e7648c 100644
  ## </p>
  ## </desc>
  gen_tunable(allow_user_mysql_connect, false)
-@@ -43,6 +43,20 @@ gen_tunable(user_rw_noexattrfile, false)
+@@ -43,12 +43,27 @@ gen_tunable(user_rw_noexattrfile, false)
  
  ## <desc>
  ## <p>
@@ -86623,7 +153951,14 @@ index 9b4a930..0e7648c 100644
  ## Allow w to display everyone
  ## </p>
  ## </desc>
-@@ -59,6 +73,22 @@ attribute unpriv_userdomain;
+ gen_tunable(user_ttyfile_stat, false)
+ 
+ attribute admindomain;
++attribute login_userdomain;
+ 
+ # all user domains
+ attribute userdomain;
+@@ -59,6 +74,22 @@ attribute unpriv_userdomain;
  attribute untrusted_content_type;
  attribute untrusted_content_tmp_type;
  
@@ -86646,7 +153981,7 @@ index 9b4a930..0e7648c 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -71,26 +101,111 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +102,111 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -86890,7 +154225,7 @@ index 77d41b6..138efd8 100644
  
  	files_search_pids($1)
 diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 4350ba0..29cee30 100644
+index 4350ba0..74465c4 100644
 --- a/policy/modules/system/xen.te
 +++ b/policy/modules/system/xen.te
 @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
@@ -86980,7 +154315,7 @@ index 4350ba0..29cee30 100644
  optional_policy(`
  	brctl_domtrans(xend_t)
  ')
-@@ -349,6 +346,22 @@ optional_policy(`
+@@ -349,6 +346,23 @@ optional_policy(`
  	consoletype_exec(xend_t)
  ')
  
@@ -86997,13 +154332,14 @@ index 4350ba0..29cee30 100644
 +')
 +
 +optional_policy(`
++	virt_search_images(xend_t)
 +	virt_read_config(xend_t)
 +')
 +
  ########################################
  #
  # Xen console local policy
-@@ -374,8 +387,6 @@ dev_rw_xen(xenconsoled_t)
+@@ -374,8 +388,6 @@ dev_rw_xen(xenconsoled_t)
  dev_filetrans_xen(xenconsoled_t)
  dev_rw_sysfs(xenconsoled_t)
  
@@ -87012,7 +154348,7 @@ index 4350ba0..29cee30 100644
  files_read_etc_files(xenconsoled_t)
  files_read_usr_files(xenconsoled_t)
  
-@@ -413,9 +424,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +425,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
  files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
  
  # pid file
@@ -87024,7 +154360,7 @@ index 4350ba0..29cee30 100644
  
  # log files
  manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +454,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +455,11 @@ files_read_etc_files(xenstored_t)
  
  files_read_usr_files(xenstored_t)
  
@@ -87036,7 +154372,7 @@ index 4350ba0..29cee30 100644
  
  init_use_fds(xenstored_t)
  init_use_script_ptys(xenstored_t)
-@@ -457,96 +471,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +472,9 @@ xen_append_log(xenstored_t)
  
  ########################################
  #
@@ -87133,7 +154469,7 @@ index 4350ba0..29cee30 100644
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
-@@ -559,8 +486,4 @@ optional_policy(`
+@@ -559,8 +487,4 @@ optional_policy(`
  		fs_manage_nfs_files(xend_t)
  		fs_read_nfs_symlinks(xend_t)
  	')
@@ -87187,7 +154523,7 @@ index 22ca011..18e1b2f 100644
  ')
  
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index f7380b3..fb62555 100644
+index f7380b3..cc007d8 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
 @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -87287,12 +154623,17 @@ index f7380b3..fb62555 100644
  
  #
  # Sockets
-@@ -317,3 +324,15 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
+@@ -317,3 +324,20 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
  # Keys
  #
  define(`manage_key_perms', `{ create link read search setattr view write } ')
 +
 +#
++# Service
++#
++define(`manage_service_perms', `{ start stop status reload kill load } ')
++
++#
 +# All 
 +#
 +define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
@@ -87301,7 +154642,7 @@ index f7380b3..fb62555 100644
 +define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
 +define(`all_dbus_perms', `{ acquire_svc send_msg } ')
 +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
-+define(`all_service_perms', `{ start stop status reload kill } ')
++define(`all_service_perms', `{ enable disable manage_service_perms } ')
 +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
 diff --git a/policy/users b/policy/users
 index c4ebc7e..30d6d7a 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c31e4b5..4ba84fa 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -15,16 +15,15 @@
 %endif
 %define POLICYVER 27
 %define POLICYCOREUTILSVER 2.1.9-4
-%define CHECKPOLICYVER 2.1.7-3
+%define CHECKPOLICYVER 2.1.9-4
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 85%{?dist}
+Release: 128%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-F16.patch
-patch1: unconfined_permissive.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -45,39 +44,46 @@ Source23: users-targeted
 Source25: users-minimum
 Source26: file_contexts.subs_dist
 Source27: selinux-policy.conf
+Source28: permissivedomains.pp
 
 Url: http://oss.tresys.com/repos/refpolicy/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
 BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-python >= %{POLICYCOREUTILSVER} bzip2 
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.46-6
-Requires(post): /bin/awk /usr/bin/md5sum
+Requires(post): /bin/awk /usr/bin/sha512sum
 Requires: checkpolicy >= %{CHECKPOLICYVER} m4 
-Obsoletes: selinux-policy-devel <= %{version}-%{release}
-Provides: selinux-policy-devel = %{version}-%{release}
 
 %description 
 SELinux Base package
 
 %files 
 %defattr(-,root,root,-)
-%{_mandir}/man*/*
-# policycoreutils owns these manpage directories, we only own the files within them
-%{_mandir}/ru/*/*
 %dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/devel
-%dir %{_usr}/share/selinux/devel/include
 %dir %{_usr}/share/selinux/packages
 %dir %{_sysconfdir}/selinux
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config
 %ghost %{_sysconfdir}/sysconfig/selinux
+%{_usr}/lib/tmpfiles.d/selinux-policy.conf
+
+%package devel
+Summary: SELinux policy devel
+Group: System Environment/Base
+Requires(pre): selinux-policy = %{version}-%{release}
+
+%description devel
+SELinux policy development and man page package
+
+%files devel
+%defattr(-,root,root,-)
+%{_mandir}/man*/*
+%{_mandir}/ru/*/*
+%dir %{_usr}/share/selinux/devel
+%dir %{_usr}/share/selinux/devel/include
 %{_usr}/share/selinux/devel/include/*
 %{_usr}/share/selinux/devel/Makefile
 %{_usr}/share/selinux/devel/example.*
-%{_usr}/share/selinux/devel/policy.*
-%{_usr}/lib/tmpfiles.d/selinux-policy.conf
 
-%if %{BUILD_DOC}
 %package doc
 Summary: SELinux policy documentation
 Group: System Environment/Base
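Review bot: The new `devel` subpackage is tied to the base package only by `Requires(pre): selinux-policy = %{version}-%{release}`, which is a scriptlet-scoped dependency. RPM treats such a dependency as needed for the install transaction only, so the exact-version lock between the two packages is not guaranteed afterwards. No `%pre` scriptlet for `devel` appears in this hunk, so a plain `Requires: selinux-policy = %{version}-%{release}` would express the intent. The hunk also removes `%if %{BUILD_DOC}` (the matching `%endif` goes in the next hunk), so the `doc` package is now built unconditionally. If that is intended, any remaining `BUILD_DOC` define, which would sit outside this hunk, is dead and should be removed with it.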
@@ -91,7 +97,7 @@ SELinux policy documentation package
 %defattr(-,root,root,-)
 %doc %{_usr}/share/doc/%{name}-%{version}
 %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
-%endif
+%{_usr}/share/selinux/devel/policy.*
 
 %define makeCmds() \
 make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
@@ -105,6 +111,7 @@ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL
 make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
 make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
 make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
+%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
@@ -127,8 +134,9 @@ rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp  \
 for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
 rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp*  \
 /usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \
-/usr/bin/md5sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policymd5; \
-rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts 
+/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
+rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
+rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern
 %nil
 
 %define fileList() \
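Review bot: The added cleanup line uses `%{_sysconfigdir}`, while every other path in this macro body uses `%{_sysconfdir}`. RPM leaves an undefined macro unexpanded, so `rm -f` is given a path that does not exist and silently removes nothing. If the removal is wanted, the line should read `rm -f %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern`. Note that `fileList` still lists `modules/active/policy.kern` and the upgrade scriptlet hashes that file against `.policy.sha512`, so both would have to change with it. The macro definition this body belongs to starts outside the hunk.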
@@ -137,13 +145,14 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
 %dir %{_sysconfdir}/selinux/%1 \
 %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
+%dir %{_sysconfdir}/selinux/%1/logins \
 %dir %{_sysconfdir}/selinux/%1/modules \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
 %dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
 %dir %{_sysconfdir}/selinux/%1/modules/active/modules \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \
-%verify(not md5 size md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \
+%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/base.pp \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs \
@@ -157,7 +166,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
 %ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \
 %dir %{_sysconfdir}/selinux/%1/policy/ \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
-%{_sysconfdir}/selinux/%1/.policymd5 \
+%{_sysconfdir}/selinux/%1/.policy.sha512 \
 %dir %{_sysconfdir}/selinux/%1/contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
@@ -166,6 +175,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
 %config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
 %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
+%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
@@ -191,8 +201,8 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 /usr/sbin/selinuxenabled; \
 if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
-     /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore; \
-     /sbin/restorecon -R /root /var/log /var/run /etc/passwd* /etc/group* 2> /dev/null; \
+     /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
+     /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* 2> /dev/null; \
      rm -f ${FILE_CONTEXT}.pre; \
 fi;
 
@@ -204,10 +214,10 @@ if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
         [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
      fi; \
      touch /etc/selinux/%1/.rebuild; \
-     if [ -e /etc/selinux/%1/.policymd5 ]; then \
-        md5=`md5sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \
-	checkmd5=`cat /etc/selinux/%1/.policymd5`; \
-	if [ "$md5" == "$checkmd5" ] ; then \
+     if [ -e /etc/selinux/%1/.policy.sha512 ]; then \
+        sha512=`sha512sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \
+	checksha512=`cat /etc/selinux/%1/.policy.sha512`; \
+	if [ "$sha512" == "$checksha512" ] ; then \
 		rm /etc/selinux/%1/.rebuild; \
 	fi; \
    fi; \
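Review bot: The renamed comparison still accepts two empty strings as a match. If `policy.kern` is missing, `sha512sum` fails and `$sha512` is empty; an empty or truncated `.policy.sha512` then makes the test true and `.rebuild` is removed, so the rebuild that marker requests is skipped. Guard the stored digest with `-s` instead of `-e` and require a non-empty result, e.g. `if [ -n "$sha512" ] && [ "$sha512" = "$checksha512" ] ; then \`. The single `=` also keeps the test valid under a POSIX `/bin/sh`. The macro this body belongs to starts before the hunk.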
@@ -218,7 +228,7 @@ fi;
 if [ -e /etc/selinux/%2/.rebuild ]; then \
    rm /etc/selinux/%2/.rebuild; \
    if [ %1 -ne 1 ]; then \
-	/usr/sbin/semodule -n -s %2 -r kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
+	/usr/sbin/semodule -n -s %2 -r xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
    fi \
    rm -f  /etc/selinux/%2/modules/active/modules/qemu.pp /etc/selinux/%2/modules/active/modules/nsplugin.pp \
    /usr/sbin/semodule -B -n -s %2; \
@@ -242,7 +252,6 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-%{version} -q
 %patch -p1
-#%patch1 -p1 -b .unconfined
 
 %install
 mkdir selinux_config
@@ -252,8 +261,6 @@ done
 tar zxvf selinux_config/config.tgz
 # Build targeted policy
 %{__rm} -fR %{buildroot}
-mkdir -p %{buildroot}%{_mandir}
-cp -R  man/* %{buildroot}%{_mandir}
 mkdir -p %{buildroot}%{_sysconfdir}/selinux
 mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
 touch %{buildroot}%{_sysconfdir}/selinux/config
@@ -269,6 +276,8 @@ make clean
 %if %{BUILD_TARGETED}
 # Build targeted policy
 # Commented out because only targeted ref policy currently builds
+mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
+cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted
 %makeCmds targeted mcs n allow
 %installCmds targeted mcs n allow
 %endif
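Review bot: `cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted` installs the file with whatever mode the source file and build umask give it, while the other files placed under `%{_usr}/share/selinux` in this %install section use `install -m 644`. Unless %files pins the mode, I would write `install -m 644 %{SOURCE28} %{buildroot}%{_usr}/share/selinux/targeted/`, which also drops the doubled slash after `%{buildroot}`; the same applies to the two matching lines added in the `%if %{BUILD_MINIMUM}` hunk that follows. A one-line comment naming what SOURCE28 is would help, because the number alone says nothing at this point in the spec. The new lines also sit directly under the existing "Commented out because ..." comment, which does not describe them.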
@@ -276,6 +285,8 @@ make clean
 %if %{BUILD_MINIMUM}
 # Build minimum policy
 # Commented out because only minimum ref policy currently builds
+mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
+cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum
 %makeCmds minimum mcs n allow
 %installCmds minimum mcs n allow
 %modulesList minimum
@@ -287,22 +298,20 @@ make clean
 %installCmds mls mls n deny
 %endif
 
-%if %{BUILD_DOC}
+mkdir -p %{buildroot}%{_mandir}
+cp -R  man/* %{buildroot}%{_mandir}
 make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
-%endif
-
 make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
-
 mkdir %{buildroot}%{_usr}/share/selinux/devel/
-mkdir %{buildroot}%{_usr}/share/selinux/packages/
 mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
 install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
-%if %{BUILD_DOC}
 echo  "xdg-open file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
 chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
-%endif
+
+mkdir %{buildroot}%{_usr}/share/selinux/packages/
+
 rm -rf selinux_config
 %clean
 %{__rm} -fR %{buildroot}
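Review bot: With the `%if %{BUILD_DOC}` guards removed here, the man pages, `install-docs` and `policyhelp` are installed on every build, so any `%if %{BUILD_DOC}` that still wraps the doc subpackage or its %files entries outside this hunk needs the same change; otherwise a build with BUILD_DOC off would, as far as I can tell, stop on installed-but-unpackaged files. The relocated `mkdir %{buildroot}%{_usr}/share/selinux/packages/` could become `mkdir -p %{buildroot}%{_usr}/share/selinux/packages/` to match the `mkdir -p` lines added in the targeted and minimum hunks. The %install section starts outside this hunk.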
@@ -321,6 +330,7 @@ echo "
 SELINUX=enforcing
 # SELINUXTYPE= can take one of these two values:
 #     targeted - Targeted processes are protected,
+#     minimum - Modification of targeted policy. Only selected processes are protected. 
 #     mls - Multi Level Security protection.
 SELINUXTYPE=targeted 
 
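Review bot: The header written into the generated config still reads `# SELINUXTYPE= can take one of these two values:` although the list under it now has three entries, so an administrator reading /etc/selinux/config gets a contradictory hint about the valid policy types. Change the header to `# SELINUXTYPE= can take one of these three values:`. The added `minimum` line also ends in a trailing space that can be dropped. The echo block that writes this file starts outside the hunk.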
@@ -483,7 +493,470 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
-* Mon Feb 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-85
+* Wed May 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-128
+- Fix description of authlogin_nsswitch_use_ldap
+- Fix transition rule for rhsmcertd_t needed for RHEL7
+- Allow useradd to list nfs state data
+- Allow openvpn to manage its log file and directory
+- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
+- Allow thumb to use nvidia devices
+-  Allow local_login to create user_tmp_t files for kerberos
+- Pulseaudio needs to read systemd_login /var/run content
+- virt should only transition named system_conf_t config files
+- Allow  munin to execute its plugins
+- Allow nagios system plugin to read /etc/passwd
+- Allow plugin to connect to soundd port
+- Fix httpd_passwd to be able to ask passwords
+- Radius servers can use ldap for backing store
+- Seems to need to mount on /var/lib for xguest polyinstatiation to work.
+- Allow systemd_logind to list the contents of gnome keyring
+- VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL
+- Add policy for isns-utils
+
+* Mon May 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-127
+- Add policy for subversion daemon
+- Allow boinc to read passwd
+- Allow pads to read kernel network state
+- Fix man2html interface for sepolgen-ifgen
+- Remove extra /usr/lib/systemd/system/smb
+- Remove all /lib/systemd and replace with /usr/lib/systemd
+- Add policy for man2html
+- Fix the label of kerberos_home_t to krb5_home_t
+- Allow mozilla plugins to use Citrix
+- Allow tuned to read /proc/sys/kernel/nmi_watchdog
+- Allow tune /sys options via systemd's tmpfiles.d "w" type
+
+* Wed May 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-126
+- Dontaudit lpr_t to read/write leaked mozilla tmp files
+- Add file name transition for .grl-podcasts directory
+- Allow corosync to read user tmp files
+- Allow fenced to create snmp lib dirs/files
+- More fixes for sge policy
+- Allow mozilla_plugin_t to execute any application
+- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain
+- Allow mongod to read system state information
+-  Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
+- Allow polipo to manage polipo_cache dirs
+- Add jabbar_client port to mozilla_plugin_t
+- Cleanup procmail policy
+- system bus will pass around open file descriptors on files that do not have labels on them
+- Allow l2tpd_t to read system state
+- Allow tuned to run ls /dev
+- Allow sudo domains to read usr_t files
+- Add label to machine-id 
+- Fix corecmd_read_bin_symlinks cut and paste error
+
+* Wed May 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-125
+- Fix pulseaudio port definition
+- Add labeling for condor_starter
+- Allow chfn_t to creat user_tmp_files
+- Allow chfn_t to execute bin_t
+- Allow prelink_cron_system_t to getpw calls
+- Allow sudo domains to manage kerberos rcache files
+- Allow user_mail_domains to work with courie
+- Port definitions necessary for running jboss apps within openshift
+-  Add support for openstack-nova-metadata-api
+- Add support for nova-console*
+- Add support for openstack-nova-xvpvncproxy
+- Fixes to make privsep+SELinux working if we try to use chage to change passwd
+- Fix auth_role() interface
+- Allow numad to read sysfs
+- Allow matahari-rpcd to execute shell
+- Add label for ~/.spicec
+- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
+- Devicekit_disk wants to read the logind sessions file when writing a cd
+- Add fixes for condor to make condor jobs working correctly
+- Change label of /var/log/rpmpkgs to cron_log_t
+- Access requires to allow systemd-tmpfiles --create to work.
+- Fix obex to be a user application started by the session bus.
+- Add additional filename trans rules for kerberos
+- Fix /var/run/heartbeat labeling
+- Allow apps that are managing rcache to file trans correctly
+- Allow openvpn to authenticate against ldap server
+- Containers need to listen to network starting and stopping events
+
+* Wed May 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-124
+- Make systemd unit files less specific
+
+* Tue May 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-123
+- Fix zarafa labeling
+- Allow guest_t to fix labeling
+- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
+- add lxc_contexts
+- Allow accountsd to read /proc
+- Allow restorecond to getattr on all file sytems
+- tmpwatch now calls getpw
+- Allow apache daemon to transition to pwauth domain
+- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
+- The obex socket seems to be a stream socket
+- dd label for /var/run/nologin
+
+* Mon May 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-122
+- Allow jetty running as httpd_t to read hugetlbfs files
+- Allow sys_nice and setsched for rhsmcertd
+- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
+- Allow setfiles to append to xdm_tmp_t
+- Add labeling for /export as a usr_t directory
+- Add labels for .grl files created by gstreamer
+
+* Fri May 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-121
+- Add labeling for /usr/share/jetty/bin/jetty.sh
+- Add jetty policy which contains file type definitios
+- Allow jockey to use its own fifo_file and make this the default for all domains
+- Allow mozilla_plugins to use spice (vnc_port/couchdb)
+- asterisk wants to read the network state
+- Blueman now uses /var/lib/blueman- Add label for nodejs_debug
+- Allow mozilla_plugin_t to create ~/.pki directory and content
+
+* Wed May 2 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-120
+- Add clamscan_can_scan_system boolean
+- Allow mysqld to read kernel network state
+- Allow sshd to read/write condor lib files
+- Allow sshd to read/write condor-startd tcp socket
+- Fix description on httpd_graceful_shutdown
+- Allow glance_registry to communicate with mysql
+- dbus_system_domain is using systemd to lauch applications
+- add interfaces to allow domains to send kill signals to user mail agents
+- Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t
+- Lots of new access required for secure containers
+- Corosync needs sys_admin capability
+- ALlow colord to create shm
+- .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific
+- Add boolean to control whether or not mozilla plugins can create random content in the users homedir
+-  Add new interface to allow domains to list msyql_db directories, needed for libra
+- shutdown has to be allowed to delete etc_runtime_t
+- Fail2ban needs to read /etc/passwd
+-  Allow ldconfig to create /var/cache/ldconfig
+- Allow tgtd to read hardware state information
+- Allow collectd to create packet socket
+- Allow chronyd to send signal to itself
+- Allow collectd to read /dev/random
+- Allow collectd to send signal to itself
+- firewalld needs to execute restorecon
+- Allow restorecon and other login domains to execute restorecon
+
+* Tue Apr 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-119
+- Allow logrotate to getattr on systemd unit files
+- Add support for tor systemd unit file
+- Allow apmd to create /var/run/pm-utils with the correct label
+- Allow l2tpd to send sigkill to pppd
+- Allow pppd to stream connect to l2tpd
+- Add label for scripts in /etc/gdm/
+- Allow systemd_logind_t to ignore mcs constraints on sigkill
+- Fix files_filetrans_system_conf_named_files() interface
+- Add labels for /usr/share/wordpress/wp-includes/*.php
+- Allow cobbler to get SELinux mode and booleans
+
+* Mon Apr 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-118
+- Add unconfined_execmem_exec_t as an alias to bin_t
+- Allow fenced to read snmp var lib files, also allow it to read usr_t
+- ontaudit access checks on all executables from mozilla_plugin
+- Allow all user domains to setexec, so that sshd will work properly if it call setexec(NULL) while running withing a user mode
+- Allow systemd_tmpfiles_t to getattr all pipes and sockets
+- Allow glance-registry to send system log messages
+- semanage needs to manage mock lib files/dirs
+
+* Sun Apr 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-117
+- Add policy for abrt-watch-log
+- Add definitions for jboss_messaging ports
+- Allow systemd_tmpfiles to manage printer devices
+- Allow oddjob to use nsswitch
+- Fix labeling of log files for postgresql
+- Allow mozilla_plugin_t to execmem and execstack by default
+- Allow firewalld to execute shell
+- Fix /etc/wicd content files to get created with the correct label
+- Allow mcelog to exec shell
+- Add ~/.orc as a gstreamer_home_t
+- /var/spool/postfix/lib64 should be labeled lib_t
+- mpreaper should be able to list all file system labeled directories
+- Add support for apache to use openstack
+- Add labeling for /etc/zipl.conf and zipl binary
+- Turn on allow_execstack and turn off telepathy transition for final release
+
+* Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-116
+- More access required for virt_qmf_t
+- Additional assess required for systemd-logind to support multi-seat
+- Allow mozilla_plugin to setrlimit
+- Revert changes to fuse file system to stop deadlock
+
+* Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-115
+- Allow condor domains to connect to ephemeral ports
+- More fixes for condor policy
+- Allow keystone to stream connect to mysqld
+- Allow mozilla_plugin_t to read generic USB device to support GPS devices
+- Allow thum to file name transition gstreamer home content
+- Allow thum to read all non security files
+- Allow glance_api_t to connect to ephemeral ports
+- Allow nagios plugins to read /dev/urandom
+- Allow syslogd to search postfix spool to support postfix chroot env
+- Fix labeling for /var/spool/postfix/dev
+- Allow wdmd chown
+- Label .esd_auth as pulseaudio_home_t
+- Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now
+
+* Fri Apr 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-114
+- Add support for clamd+systemd
+- Allow fresclam to execute systemctl to handle clamd
+- Change labeling for /usr/sbin/rpc.ypasswd.env
+	- Allow yppaswd_t to execute yppaswd_exec_t
+	- Allow yppaswd_t to read /etc/passwd
+- Gnomekeyring socket has been moved to /run/user/USER/
+- Allow samba-net to connect to ldap port
+- Allow signal for vhostmd
+- allow mozilla_plugin_t to read user_home_t socket
+- New access required for secure Linux Containers
+- zfs now supports xattrs
+- Allow quantum to execute sudo and list sysfs
+- Allow init to dbus chat with the firewalld
+- Allow zebra to read /etc/passwd
+
+* Tue Apr 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-113
+- Allow svirt_t to create content in the users homedir under ~/.libvirt
+- Fix label on /var/lib/heartbeat
+- Allow systemd_logind_t to send kill signals to all processes started by a user
+- Fuse now supports Xattr Support
+
+* Tue Apr 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-112
+- upowered needs to setsched on the kernel
+- Allow mpd_t to manage log files
+- Allow xdm_t to create /var/run/systemd/multi-session-x
+- Add rules for missedfont.log to be used by thumb.fc
+- Additional access required for virt_qmf_t
+- Allow dhclient to dbus chat with the firewalld
+- Add label for lvmetad
+- Allow systemd_logind_t to remove userdomain sock_files
+- Allow cups to execute usr_t files
+- Fix labeling on nvidia shared libraries
+- wdmd_t needs access to sssd and /etc/passwd
+- Add boolean to allow ftp servers to run in passive mode
+- Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with
+- Fix using httpd_use_fusefs
+- Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox
+
+* Fri Apr 6 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-111
+- Rename rdate port to time port, and allow gnomeclock to connect to it
+- We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda
+- /etc/auto.* should be labeled bin_t
+- Add httpd_use_fusefs boolean
+- Add fixes for heartbeat
+- Allow sshd_t to signal processes that it transitions to
+- Add condor policy
+- Allow svirt to create monitors in ~/.libvirt
+- Allow dovecot to domtrans sendmail to handle sieve scripts
+- Lot of fixes for cfengine
+
+* Tue Apr 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-110
+- /var/run/postmaster.* labeling is no longer needed
+- Alllow drbdadmin to read /dev/urandom
+- l2tpd_t seems to use ptmx
+- group+ and passwd+ should be labeled as /etc/passwd
+- Zarafa-indexer is a socket
+
+* Fri Mar 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-109
+- Ensure lastlog is labeled correctly
+- Allow accountsd to read /proc data about gdm
+- Add fixes for tuned
+- Add bcfg2 fixes which were discovered during RHEL6 testing
+- More fixes for gnome-keyring socket being moved
+- Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown
+- Fix description for files_dontaudit_read_security_files() interface
+
+* Wed Mar 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-108
+- Add new policy and man page for bcfg2
+- cgconfig needs to use getpw calls
+- Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt
+- gnome-keyring wants to create a directory in cache_home_t
+- sanlock calls getpw
+
+* Wed Mar 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-107
+- Add numad policy and numad man page
+- Add fixes for interface bugs discovered by SEWatch
+- Add /tmp support for squid
+- Add fix for #799102
+     * change default labeling for /var/run/slapd.* sockets
+- Make thumb_t as userdom_home_reader
+- label /var/lib/sss/mc same as pubconf, so getpw domains can read it
+- Allow smbspool running as cups_t to stream connect to nmbd
+- accounts needs to be able to execute passwd on behalf of users
+- Allow systemd_tmpfiles_t to delete boot flags
+- Allow dnssec_trigger to connect to apache ports
+- Allow gnome keyring to create sock_files in ~/.cache
+- google_authenticator is using .google_authenticator
+- sandbox running from within firefox is exposing more leaks
+- Dontaudit thumb to read/write /dev/card0
+- Dontaudit getattr on init_exec_t for gnomeclock_t
+- Allow certmonger to do a transition to certmonger_unconfined_t
+- Allow dhcpc setsched which is caused by nmcli
+- Add rpm_exec_t for /usr/sbin/bcfg2
+- system cronjobs are sending dbus messages to systemd_logind
+- Thumnailers read /dev/urand
+
+* Thu Mar 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-106
+- Allow auditctl getcap
+- Allow vdagent to use libsystemd-login
+- Allow abrt-dump-oops to search /etc/abrt
+- Got these avc's while trying to print a boarding pass from firefox
+- Devicekit is now putting the media directory under /run/media
+- Allow thumbnailers to create content in ~/.thumbails directory
+- Add support for proL2TPd by Dominick Grift
+- Allow all domains to call getcap
+- wdmd seems to get a random chown capability check that it does not need
+- Allow vhostmd to read kernel sysctls
+
+* Wed Mar 21 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-105
+- Allow chronyd to read unix
+- Allow hpfax to read /etc/passwd
+- Add support matahari vios-proxy-* apps and add virtd_exec_t label for them
+- Allow rpcd to read quota_db_t
+- Update to man pages to match latest policy
+- Fix bug in jockey interface for sepolgen-ifgen
+- Add initial svirt_prot_exec_t policy
+
+* Mon Mar 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-104
+- More fixes for systemd from Dan Walsh
+
+* Mon Mar 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-103
+- Add a new type for /etc/firewalld and allow firewalld to write to this directory
+- Add definition for ~/Maildir, and allow mail deliver domains to write there
+- Allow polipo to run from a cron job
+- Allow rtkit to schedule wine processes
+- Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label
+- Allow users domains to send signals to consolehelper domains
+
+* Fri Mar 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-102
+- More fixes for boinc policy
+- Allow polipo domain to create its own cache dir and pid file
+- Add systemctl support to httpd domain
+- Add systemctl support to polipo, allow NetworkManager to manage the service
+- Add policy for jockey-backend
+- Add support for motion daemon which is now covered by zoneminder policy
+- Allow colord to read/write motion tmpfs
+- Allow vnstat to search through var_lib_t directories
+- Stop transitioning to quota_t, from init an sysadm_t
+
+* Wed Mar 14 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-101
+- Add svirt_lxc_file_t as a customizable type
+
+* Wed Mar 14 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-100
+- Add additional fixes for icmp nagios plugin
+- Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin
+- Add certmonger_unconfined_exec_t
+- Make sure tap22 device is created with the correct label
+- Allow staff users to read systemd unit files
+- Merge in previously built policy
+- Arpwatch needs to be able to start netlink sockets in order to start
+- Allow cgred_t to sys_ptrace to look at other DAC Processes
+
+* Mon Mar 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-99
+- Back port some of the access that was allowed in nsplugin_t
+- Add definitiona for couchdb ports
+- Allow nagios to use inherited users ttys
+- Add git support for mock
+- Allow inetd to use rdate port
+- Add own type for rdate port
+- Allow samba to act as a portmapper
+- Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev
+- New fixes needed for samba4
+- Allow apps that use lib_t to read lib_t symlinks
+
+* Fri Mar 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-98
+- Add policy for nove-cert
+- Add labeling for nova-openstack  systemd unit files
+- Add policy for keystoke 
+
+* Thu Mar 8 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-97
+- Fix man pages fro domains
+- Add man pages for SELinux users and roles
+- Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon
+- Add policy for matahari-rpcd
+- nfsd executes mount command on restart
+- Matahari domains execute renice and setsched
+- Dontaudit leaked tty in mozilla_plugin_config
+- mailman is changing to a per instance naming
+- Add 7600 and 4447 as jboss_management ports
+- Add fixes for nagios event handlers
+- Label httpd.event as httpd_exec_t, it is an apache daemon
+
+* Mon Mar 5 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-96
+- Add labeling for /var/spool/postfix/dev/log
+- NM reads sysctl.conf
+- Iscsi log file context specification fix
+-  Allow mozilla plugins to send dbus messages to user domains that transition to it
+- Allow mysql to read the passwd file
+- Allow mozilla_plugin_t to create mozilla home dirs in user homedir
+- Allow deltacloud to read kernel sysctl
+- Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself
+- Allow postgresql_t to connectto itself
+- Add login_userdomain attribute for users which can log in using terminal
+
+* Tue Feb 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-95
+- Allow sysadm_u to reach system_r by default #784011
+- Allow nagios plugins to use inherited user terminals
+- Razor labeling is not used no longer
+- Add systemd support for matahari
+- Add port_types to man page, move booleans to the top, fix some english
+- Add support for matahari-sysconfig-console
+- Clean up matahari.fc
+- Fix matahari_admin() interfac
+- Add labels for/etc/ssh/ssh_host_*.pub keys
+
+* Mon Feb 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-94
+- Allow ksysguardproces to send system log msgs
+- Allow  boinc setpgid and signull
+- Allow xdm_t to sys_ptrace to run pidof command
+- Allow smtpd_t to manage spool files/directories and symbolic links
+- Add labeling for jetty
+- Needed changes to get unbound/dnssec to work with openswan
+
+* Thu Feb 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-93
+- Add user_fonts_t alias xfs_tmp_t
+- Since depmod now runs as insmod_t we need to write to kernel_object_t
+- Allow firewalld to dbus chat with networkmanager
+- Allow qpidd to connect to matahari ports
+- policykit needs to read /proc for uses not owned by it
+- Allow systemctl apps to connecto the init stream
+
+* Wed Feb 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-92
+- Turn on deny_ptrace boolean
+
+* Tue Feb 21 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-91
+- Remove pam_selinux.8 man page. There was a conflict.
+
+* Tue Feb 21 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-90
+- Add proxy class and read access for gssd_proxy
+- Separate out the sharing public content booleans
+- Allow certmonger to execute a script and send signals to  apache and dirsrv to reload the certificate
+-  Add label transition for gstream-0.10 and 12
+- Add booleans to allow rsync to share nfs and cifs file sytems
+- chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it
+- Fix filename transitions for cups files
+- Allow denyhosts to read "unix"
+- Add file name transition for locale.conf.new
+- Allow boinc projects to gconf config files
+- sssd needs to be able to increase the socket limit under certain loads
+- sge_execd needs to read /etc/passwd
+- Allow denyhost to check network state
+- NetworkManager needs to read sessions data
+- Allow denyhost to check network state
+- Allow xen to search virt images directories
+- Add label for /dev/megaraid_sas_ioctl_node
+- Add autogenerated man pages
+
+* Thu Feb 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-89
+- Allow boinc project to getattr on fs
+- Allow init to execute initrc_state_t
+- rhev-agent package was rename to ovirt-guest-agent
+- If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly
+- sytemd writes content to /run/initramfs and executes it on shutdown
+- kdump_t needs to read /etc/mtab, should be back ported to F16
+- udev needs to load kernel modules in early system boot
+
+* Tue Feb 14 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-88
+- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses
+- Add additional systemd interfaces which are needed fro *_admin interfaces
+- Fix bind_admin() interface
+
+* Mon Feb 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-87
 - Allow firewalld to read urand
 - Alias java, execmem_mono to bin_t to allow third parties
 - Add label for kmod
@@ -493,6 +966,31 @@ SELinux Reference policy mls base module.
 - Allow systemd_tmpfiles_t to delete all file types
 - Allow collectd to ipc_lock
 
+* Fri Feb 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-86
+- make consoletype_exec optional, so we can remove consoletype policy
+- remove unconfined_permisive.patch
+- Allow openvpn_t to inherit user home content and tmp content
+- Fix dnssec-trigger labeling
+- Turn on obex policy for staff_t
+- Pem files should not be secret
+- Add lots of rules to fix AVC's when playing with containers
+- Fix policy for dnssec
+- Label ask-passwd directories correctly for systemd
+
+* Thu Feb 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-85
+- sshd fixes seem to be causing unconfined domains to dyntrans to themselves
+- fuse file system is now being mounted in /run/user
+- systemd_logind is sending signals to processes that are dbus messaging with it
+- Add support for winshadow port and allow iscsid to connect to this port
+- httpd should be allowed to bind to the http_port_t udp socket
+- zarafa_var_lib_t can be a lnk_file
+- A couple of new .xsession-errors files
+- Seems like user space and login programs need to read logind_sessions_files
+- Devicekit disk seems to be being launched by systemd
+- Cleanup handling of setfiles so most of rules in te file
+- Correct port number for dnssec
+- logcheck has the home dir set to its cache
+
 * Tue Feb 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-84
 - Add policy for grindengine MPI jobs
 

