Re-add policy modules from old refpolicy-contrib submodule.

policy/modules/contrib/abrt.fc

@@ -0,0 +1,34 @@
+/etc/abrt(/.*)?	gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt	--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+
+/usr/bin/abrtd			--	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/bin/abrt-dbus		--	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/bin/abrt-pyhook-helper	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-retrace-worker	--	gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/abrt-upload-watch	--	gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
+/usr/bin/coredump2packages	--	gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
+/usr/bin/retrace-server-worker	--	gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+
+/usr/libexec/abrt-pyhook-helper	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/libexec/abrt-handle-event	--	gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
+/usr/libexec/abrt-hook-python	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+/usr/sbin/abrtd	--	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus	--	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-upload-watch	--	gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
+
+/var/cache/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/cache/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+
+/var/log/abrt-logger.*	--	gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+/run/abrt\.pid	--	gen_context(system_u:object_r:abrt_var_run_t,s0)
+/run/abrtd?\.lock	--	gen_context(system_u:object_r:abrt_var_run_t,s0)
+/run/abrtd?\.socket	-s	gen_context(system_u:object_r:abrt_var_run_t,s0)
+/run/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_run_t,s0)
+
+/var/spool/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)

policy/modules/contrib/abrt.if

@@ -0,0 +1,307 @@
+## <summary>Automated bug-reporting tool.</summary>
+
+######################################
+## <summary>
+##	Execute abrt in the abrt domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`abrt_domtrans',`
+	gen_require(`
+		type abrt_t, abrt_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, abrt_exec_t, abrt_t)
+')
+
+######################################
+## <summary>
+##	Execute abrt in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_exec',`
+	gen_require(`
+		type abrt_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, abrt_exec_t)
+')
+
+########################################
+## <summary>
+##	Send null signals to abrt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_signull',`
+	gen_require(`
+		type abrt_t;
+	')
+
+	allow $1 abrt_t:process signull;
+')
+
+########################################
+## <summary>
+##	Read process state of abrt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_read_state',`
+	gen_require(`
+		type abrt_t;
+	')
+
+	ps_process_pattern($1, abrt_t)
+')
+
+########################################
+## <summary>
+##	Connect to abrt over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_stream_connect',`
+	gen_require(`
+		type abrt_t, abrt_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	abrt over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_dbus_chat',`
+	gen_require(`
+		type abrt_t;
+		class dbus send_msg;
+	')
+
+	allow $1 abrt_t:dbus send_msg;
+	allow abrt_t $1:dbus send_msg;
+')
+
+#####################################
+## <summary>
+##	Execute abrt-helper in the abrt
+##	helper domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`abrt_domtrans_helper',`
+	gen_require(`
+		type abrt_helper_t, abrt_helper_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
+')
+
+########################################
+## <summary>
+##	Execute abrt helper in the abrt
+##	helper domain, and allow the
+##	specified role the abrt helper domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`abrt_run_helper',`
+	gen_require(`
+		attribute_role abrt_helper_roles;
+	')
+
+	abrt_domtrans_helper($1)
+	roleattribute $2 abrt_helper_roles;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	abrt cache content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_manage_cache',`
+	gen_require(`
+		type abrt_var_cache_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+	manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+	manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+####################################
+## <summary>
+##	Read abrt configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_read_config',`
+	gen_require(`
+		type abrt_etc_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, abrt_etc_t, abrt_etc_t)
+')
+
+######################################
+## <summary>
+##	Read abrt log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_read_log',`
+	gen_require(`
+		type abrt_var_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
+')
+
+######################################
+## <summary>
+##	Read abrt PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_read_pid_files',`
+	gen_require(`
+		type abrt_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+')
+
+######################################
+## <summary>
+##	Create, read, write, and delete
+##	abrt PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_manage_pid_files',`
+	gen_require(`
+		type abrt_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+')
+
+#####################################
+## <summary>
+##	All of the rules required to
+##	administrate an abrt environment,
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`abrt_admin',`
+	gen_require(`
+		attribute abrt_domain;
+		type abrt_t, abrt_etc_t, abrt_initrc_exec_t;
+		type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t;
+		type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t;
+	')
+
+	allow $1 abrt_domain:process { ptrace signal_perms };
+	ps_process_pattern($1, abrt_domain)
+
+	init_startstop_service($1, $2, abrt_t, abrt_initrc_exec_t)
+
+	files_search_etc($1)
+	admin_pattern($1, abrt_etc_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, abrt_var_log_t)
+
+	files_search_var($1)
+	admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })
+
+	files_search_pids($1)
+	admin_pattern($1, abrt_var_run_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, abrt_tmp_t)
+')

policy/modules/contrib/abrt.te

@@ -0,0 +1,441 @@
+policy_module(abrt, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether ABRT can modify
+##	public files used for public file
+##	transfer services.
+##	</p>
+## </desc>
+gen_tunable(abrt_anon_write, false)
+
+## <desc>
+##	<p>
+##	Determine whether abrt-handle-upload
+##	can modify public files used for public file
+##	transfer services in /var/spool/abrt-upload/.
+##	</p>
+## </desc>
+gen_tunable(abrt_upload_watch_anon_write, true)
+
+## <desc>
+##	<p>
+##	Determine whether ABRT can run in
+##	the abrt_handle_event_t domain to
+##	handle ABRT event scripts.
+##	</p>
+## </desc>
+gen_tunable(abrt_handle_event, false)
+
+attribute abrt_domain;
+
+attribute_role abrt_helper_roles;
+roleattribute system_r abrt_helper_roles;
+
+type abrt_t, abrt_domain;
+type abrt_exec_t;
+init_daemon_domain(abrt_t, abrt_exec_t)
+
+type abrt_initrc_exec_t;
+init_script_file(abrt_initrc_exec_t)
+
+type abrt_etc_t;
+files_config_file(abrt_etc_t)
+
+type abrt_var_log_t;
+logging_log_file(abrt_var_log_t)
+
+type abrt_tmp_t;
+files_tmp_file(abrt_tmp_t)
+
+type abrt_var_cache_t;
+files_type(abrt_var_cache_t)
+
+type abrt_var_run_t;
+files_pid_file(abrt_var_run_t)
+
+type abrt_dump_oops_t, abrt_domain;
+type abrt_dump_oops_exec_t;
+init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
+
+type abrt_handle_event_t, abrt_domain;
+type abrt_handle_event_exec_t;
+domain_type(abrt_handle_event_t)
+domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t)
+role system_r types abrt_handle_event_t;
+
+type abrt_helper_t, abrt_domain;
+type abrt_helper_exec_t;
+application_domain(abrt_helper_t, abrt_helper_exec_t)
+role abrt_helper_roles types abrt_helper_t;
+
+type abrt_retrace_coredump_t, abrt_domain;
+type abrt_retrace_coredump_exec_t;
+domain_type(abrt_retrace_coredump_t)
+domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+role system_r types abrt_retrace_coredump_t;
+
+type abrt_retrace_worker_t, abrt_domain;
+type abrt_retrace_worker_exec_t;
+domain_type(abrt_retrace_worker_t)
+domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+role system_r types abrt_retrace_worker_t;
+
+type abrt_retrace_cache_t;
+files_type(abrt_retrace_cache_t)
+
+type abrt_retrace_spool_t;
+files_type(abrt_retrace_spool_t)
+
+type abrt_watch_log_t, abrt_domain;
+type abrt_watch_log_exec_t;
+init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
+
+type abrt_upload_watch_t, abrt_domain;
+type abrt_upload_watch_exec_t;
+init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
+dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+allow abrt_t self:fifo_file rw_fifo_file_perms;
+allow abrt_t self:tcp_socket { accept listen };
+
+allow abrt_t abrt_etc_t:dir list_dir_perms;
+rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+
+manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
+logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+
+manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+
+manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
+files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+
+manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
+
+can_exec(abrt_t, abrt_tmp_t)
+
+kernel_read_ring_buffer(abrt_t)
+kernel_read_system_state(abrt_t)
+kernel_request_load_module(abrt_t)
+kernel_rw_kernel_sysctl(abrt_t)
+
+corecmd_exec_bin(abrt_t)
+corecmd_exec_shell(abrt_t)
+corecmd_read_all_executables(abrt_t)
+
+corenet_all_recvfrom_netlabel(abrt_t)
+corenet_all_recvfrom_unlabeled(abrt_t)
+corenet_tcp_sendrecv_generic_if(abrt_t)
+corenet_tcp_sendrecv_generic_node(abrt_t)
+corenet_tcp_sendrecv_all_ports(abrt_t)
+corenet_tcp_bind_generic_node(abrt_t)
+
+corenet_sendrecv_all_client_packets(abrt_t)
+corenet_tcp_connect_http_port(abrt_t)
+corenet_tcp_connect_ftp_port(abrt_t)
+corenet_tcp_connect_all_ports(abrt_t)
+
+dev_getattr_all_chr_files(abrt_t)
+dev_getattr_all_blk_files(abrt_t)
+dev_read_rand(abrt_t)
+dev_read_urand(abrt_t)
+dev_rw_sysfs(abrt_t)
+dev_dontaudit_read_raw_memory(abrt_t)
+
+domain_getattr_all_domains(abrt_t)
+domain_read_all_domains_state(abrt_t)
+domain_signull_all_domains(abrt_t)
+
+files_getattr_all_files(abrt_t)
+files_read_config_files(abrt_t)
+files_read_etc_runtime_files(abrt_t)
+files_read_var_symlinks(abrt_t)
+files_read_usr_files(abrt_t)
+files_read_kernel_modules(abrt_t)
+files_dontaudit_read_default_files(abrt_t)
+files_dontaudit_read_all_symlinks(abrt_t)
+files_dontaudit_getattr_all_sockets(abrt_t)
+files_list_mnt(abrt_t)
+
+fs_getattr_all_fs(abrt_t)
+fs_getattr_all_dirs(abrt_t)
+fs_list_inotifyfs(abrt_t)
+fs_read_fusefs_files(abrt_t)
+fs_read_noxattr_fs_files(abrt_t)
+fs_read_nfs_files(abrt_t)
+fs_read_nfs_symlinks(abrt_t)
+fs_search_all(abrt_t)
+
+auth_use_nsswitch(abrt_t)
+
+logging_read_generic_logs(abrt_t)
+
+miscfiles_read_public_files(abrt_t)
+
+userdom_dontaudit_read_user_home_content_files(abrt_t)
+
+tunable_policy(`abrt_anon_write',`
+	miscfiles_manage_public_files(abrt_t)
+')
+
+optional_policy(`
+	apache_list_modules(abrt_t)
+	apache_read_module_files(abrt_t)
+')
+
+optional_policy(`
+	dbus_system_domain(abrt_t, abrt_exec_t)
+
+	optional_policy(`
+		policykit_dbus_chat(abrt_t)
+	')
+')
+
+optional_policy(`
+	dmesg_domtrans(abrt_t)
+')
+
+optional_policy(`
+	policykit_domtrans_auth(abrt_t)
+	policykit_read_lib(abrt_t)
+	policykit_read_reload(abrt_t)
+')
+
+optional_policy(`
+	prelink_exec(abrt_t)
+	libs_exec_ld_so(abrt_t)
+	corecmd_exec_all_executables(abrt_t)
+')
+
+optional_policy(`
+	rpm_exec(abrt_t)
+	rpm_dontaudit_manage_db(abrt_t)
+	rpm_manage_cache(abrt_t)
+	rpm_manage_log(abrt_t)
+	rpm_manage_pid_files(abrt_t)
+	rpm_read_db(abrt_t)
+	rpm_signull(abrt_t)
+')
+
+optional_policy(`
+	sendmail_domtrans(abrt_t)
+')
+
+optional_policy(`
+	sosreport_domtrans(abrt_t)
+	sosreport_read_tmp_files(abrt_t)
+	sosreport_delete_tmp_files(abrt_t)
+')
+
+#######################################
+#
+# Handle-event local policy
+#
+
+allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
+
+tunable_policy(`abrt_handle_event',`
+	domtrans_pattern(abrt_t, abrt_handle_event_exec_t, abrt_handle_event_t)
+',`
+	can_exec(abrt_t, abrt_handle_event_exec_t)
+')
+
+########################################
+#
+# Helper local policy
+#
+
+allow abrt_helper_t self:capability { chown setgid sys_nice };
+allow abrt_helper_t self:process signal;
+
+read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
+
+files_search_spool(abrt_helper_t)
+manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+
+read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+
+corecmd_read_all_executables(abrt_helper_t)
+
+domain_read_all_domains_state(abrt_helper_t)
+
+fs_list_inotifyfs(abrt_helper_t)
+fs_getattr_all_fs(abrt_helper_t)
+
+auth_use_nsswitch(abrt_helper_t)
+
+term_dontaudit_use_all_ttys(abrt_helper_t)
+term_dontaudit_use_all_ptys(abrt_helper_t)
+
+ifdef(`hide_broken_symptoms',`
+	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
+	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
+	dev_dontaudit_read_all_blk_files(abrt_helper_t)
+	dev_dontaudit_read_all_chr_files(abrt_helper_t)
+	dev_dontaudit_write_all_chr_files(abrt_helper_t)
+	dev_dontaudit_write_all_blk_files(abrt_helper_t)
+	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+')
+
+#######################################
+#
+# Retrace coredump policy
+#
+
+allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
+
+list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
+
+list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+
+corecmd_exec_bin(abrt_retrace_coredump_t)
+corecmd_exec_shell(abrt_retrace_coredump_t)
+
+dev_read_urand(abrt_retrace_coredump_t)
+
+files_read_usr_files(abrt_retrace_coredump_t)
+
+sysnet_dns_name_resolve(abrt_retrace_coredump_t)
+
+optional_policy(`
+	rpm_exec(abrt_retrace_coredump_t)
+	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
+	rpm_manage_cache(abrt_retrace_coredump_t)
+	rpm_manage_log(abrt_retrace_coredump_t)
+	rpm_manage_pid_files(abrt_retrace_coredump_t)
+	rpm_read_db(abrt_retrace_coredump_t)
+	rpm_signull(abrt_retrace_coredump_t)
+')
+
+#######################################
+#
+# Retrace worker policy
+#
+
+allow abrt_retrace_worker_t self:capability setuid;
+allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
+
+domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
+allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl;
+
+manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+
+allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms;
+
+can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+
+corecmd_exec_bin(abrt_retrace_worker_t)
+corecmd_exec_shell(abrt_retrace_worker_t)
+
+dev_read_urand(abrt_retrace_worker_t)
+
+files_read_usr_files(abrt_retrace_worker_t)
+
+sysnet_dns_name_resolve(abrt_retrace_worker_t)
+
+########################################
+#
+# Dump oops local policy
+#
+
+allow abrt_dump_oops_t self:capability dac_override;
+allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
+allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+
+files_search_spool(abrt_dump_oops_t)
+manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
+
+read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+
+read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
+
+kernel_read_kernel_sysctls(abrt_dump_oops_t)
+kernel_read_ring_buffer(abrt_dump_oops_t)
+
+domain_use_interactive_fds(abrt_dump_oops_t)
+
+fs_list_inotifyfs(abrt_dump_oops_t)
+
+logging_read_generic_logs(abrt_dump_oops_t)
+logging_mmap_generic_logs(abrt_dump_oops_t)
+logging_mmap_journal(abrt_dump_oops_t)
+
+#######################################
+#
+# Watch log local policy
+#
+
+allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
+allow abrt_watch_log_t self:unix_stream_socket { accept listen };
+
+read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
+
+domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+
+corecmd_exec_bin(abrt_watch_log_t)
+
+logging_read_all_logs(abrt_watch_log_t)
+
+#######################################
+#
+# Upload watch local policy
+#
+
+corecmd_exec_bin(abrt_upload_watch_t)
+
+tunable_policy(`abrt_upload_watch_anon_write',`
+	miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+#######################################
+#
+# Global local policy
+#
+
+kernel_read_system_state(abrt_domain)
+
+files_read_etc_files(abrt_domain)
+
+logging_send_syslog_msg(abrt_domain)
+
+miscfiles_read_localization(abrt_domain)

policy/modules/contrib/accountsd.fc

@@ -0,0 +1,5 @@
+/usr/libexec/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
+
+/usr/lib/accountsservice/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
+
+/var/lib/AccountsService(/.*)?	gen_context(system_u:object_r:accountsd_var_lib_t,s0)

policy/modules/contrib/accountsd.if

@@ -0,0 +1,148 @@
+## <summary>AccountsService and daemon for manipulating user account information via D-Bus.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to
+##	run accountsd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`accountsd_domtrans',`
+	gen_require(`
+		type accountsd_t, accountsd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, accountsd_exec_t, accountsd_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and
+##	write Accounts Daemon fifo files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`accountsd_dontaudit_rw_fifo_file',`
+	gen_require(`
+		type accountsd_t;
+	')
+
+	dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	accountsd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`accountsd_dbus_chat',`
+	gen_require(`
+		type accountsd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 accountsd_t:dbus send_msg;
+	allow accountsd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Search accountsd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`accountsd_search_lib',`
+	gen_require(`
+		type accountsd_var_lib_t;
+	')
+
+	allow $1 accountsd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read accountsd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`accountsd_read_lib_files',`
+	gen_require(`
+		type accountsd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 accountsd_var_lib_t:dir list_dir_perms;
+	read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	accountsd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`accountsd_manage_lib_files',`
+	gen_require(`
+		type accountsd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an accountsd environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role" unused="true">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`accountsd_admin',`
+	gen_require(`
+		type accountsd_t;
+	')
+
+	allow $1 accountsd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, accountsd_t)
+
+	accountsd_manage_lib_files($1)
+')

policy/modules/contrib/accountsd.te

@@ -0,0 +1,75 @@
+policy_module(accountsd, 1.2.1)
+
+gen_require(`
+	class passwd all_passwd_perms;
+')
+
+########################################
+#
+# Declarations
+#
+
+type accountsd_t;
+type accountsd_exec_t;
+dbus_system_domain(accountsd_t, accountsd_exec_t)
+
+type accountsd_var_lib_t;
+files_type(accountsd_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
+allow accountsd_t self:process signal;
+allow accountsd_t self:fifo_file rw_fifo_file_perms;
+allow accountsd_t self:passwd { rootok passwd chfn chsh };
+
+manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir)
+
+kernel_read_crypto_sysctls(accountsd_t)
+kernel_read_kernel_sysctls(accountsd_t)
+kernel_read_system_state(accountsd_t)
+
+corecmd_exec_bin(accountsd_t)
+
+dev_read_sysfs(accountsd_t)
+
+files_read_mnt_files(accountsd_t)
+files_read_usr_files(accountsd_t)
+
+fs_getattr_xattr_fs(accountsd_t)
+fs_list_inotifyfs(accountsd_t)
+fs_read_noxattr_fs_files(accountsd_t)
+
+auth_use_nsswitch(accountsd_t)
+auth_read_login_records(accountsd_t)
+auth_read_shadow(accountsd_t)
+
+miscfiles_read_localization(accountsd_t)
+
+logging_list_logs(accountsd_t)
+logging_send_syslog_msg(accountsd_t)
+logging_set_loginuid(accountsd_t)
+
+userdom_read_user_tmp_files(accountsd_t)
+userdom_read_user_home_content_files(accountsd_t)
+
+usermanage_domtrans_useradd(accountsd_t)
+usermanage_domtrans_passwd(accountsd_t)
+
+optional_policy(`
+	consolekit_dbus_chat(accountsd_t)
+	consolekit_read_log(accountsd_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(accountsd_t)
+')
+
+optional_policy(`
+	xserver_read_xdm_tmp_files(accountsd_t)
+')

policy/modules/contrib/acct.fc

@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/psacct	--	gen_context(system_u:object_r:acct_initrc_exec_t,s0)
+
+/usr/bin/accton		--	gen_context(system_u:object_r:acct_exec_t,s0)
+
+/usr/sbin/accton	--	gen_context(system_u:object_r:acct_exec_t,s0)
+
+/var/account(/.*)?	gen_context(system_u:object_r:acct_data_t,s0)
+
+/var/log/account(/.*)?	gen_context(system_u:object_r:acct_data_t,s0)

policy/modules/contrib/acct.if

@@ -0,0 +1,113 @@
+## <summary>Berkeley process accounting.</summary>
+
+########################################
+## <summary>
+##	Transition to the accounting
+##	management domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`acct_domtrans',`
+	gen_require(`
+		type acct_t, acct_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, acct_exec_t, acct_t)
+')
+
+########################################
+## <summary>
+##	Execute accounting management tools
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acct_exec',`
+	gen_require(`
+		type acct_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, acct_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute accounting management data
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acct_exec_data',`
+	gen_require(`
+		type acct_data_t;
+	')
+
+	files_search_var($1)
+	can_exec($1, acct_data_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	process accounting data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acct_manage_data',`
+	gen_require(`
+		type acct_data_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, acct_data_t, acct_data_t)
+	manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an acct environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`acct_admin',`
+	gen_require(`
+		type acct_t, acct_initrc_exec_t, acct_data_t;
+	')
+
+	allow $1 acct_t:process { ptrace signal_perms };
+	ps_process_pattern($1, acct_t)
+
+	init_startstop_service($1, $2, acct_t, acct_initrc_exec_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, acct_data_t)
+')

policy/modules/contrib/acct.te

@@ -0,0 +1,83 @@
+policy_module(acct, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type acct_t;
+type acct_exec_t;
+init_system_domain(acct_t, acct_exec_t)
+
+type acct_initrc_exec_t;
+init_script_file(acct_initrc_exec_t)
+
+type acct_data_t;
+logging_log_file(acct_data_t)
+
+########################################
+#
+# Local Policy
+#
+
+allow acct_t self:capability { chown fsetid kill sys_pacct };
+dontaudit acct_t self:capability sys_tty_config;
+allow acct_t self:process signal_perms;
+allow acct_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(acct_t, acct_data_t, acct_data_t)
+manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t)
+
+can_exec(acct_t, acct_exec_t)
+
+kernel_list_proc(acct_t)
+kernel_read_system_state(acct_t)
+kernel_read_kernel_sysctls(acct_t)
+
+corecmd_exec_bin(acct_t)
+corecmd_exec_shell(acct_t)
+
+dev_read_sysfs(acct_t)
+dev_read_urand(acct_t)
+
+domain_use_interactive_fds(acct_t)
+
+fs_search_auto_mountpoints(acct_t)
+fs_getattr_xattr_fs(acct_t)
+
+term_dontaudit_use_console(acct_t)
+term_dontaudit_use_generic_ptys(acct_t)
+
+files_read_etc_runtime_files(acct_t)
+files_list_usr(acct_t)
+
+auth_use_nsswitch(acct_t)
+
+init_use_fds(acct_t)
+init_use_script_ptys(acct_t)
+init_exec_script_files(acct_t)
+
+logging_send_syslog_msg(acct_t)
+
+miscfiles_read_localization(acct_t)
+
+userdom_dontaudit_search_user_home_dirs(acct_t)
+userdom_dontaudit_use_unpriv_user_fds(acct_t)
+
+optional_policy(`
+	optional_policy(`
+		# for monthly cron job
+		auth_log_filetrans_login_records(acct_t)
+		auth_manage_login_records(acct_t)
+	')
+
+	cron_system_entry(acct_t, acct_exec_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(acct_t)
+')
+
+optional_policy(`
+	udev_read_db(acct_t)
+')

policy/modules/contrib/acpi.fc

@@ -0,0 +1,24 @@
+/etc/rc\.d/init\.d/acpid	--	gen_context(system_u:object_r:acpid_initrc_exec_t,s0)
+
+/usr/bin/acpid	--	gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/bin/apm	--	gen_context(system_u:object_r:acpi_exec_t,s0)
+/usr/bin/apmd	--	gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/bin/powersaved	--	gen_context(system_u:object_r:acpid_exec_t,s0)
+
+/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
+
+/usr/sbin/acpid	--	gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/apmd	--	gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/powersaved	--	gen_context(system_u:object_r:acpid_exec_t,s0)
+
+/var/lock/subsys/acpid	--	gen_context(system_u:object_r:acpid_lock_t,s0)
+
+/var/log/acpid.*	--	gen_context(system_u:object_r:acpid_log_t,s0)
+
+/run/\.?acpid\.socket	-s	gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/acpid\.pid	--	gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/apmd\.pid	--	gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersaved\.pid	--	gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersave_socket	-s	gen_context(system_u:object_r:acpid_var_run_t,s0)
+
+/var/lib/acpi(/.*)?	gen_context(system_u:object_r:acpid_var_lib_t,s0)

policy/modules/contrib/acpi.if

@@ -0,0 +1,187 @@
+## <summary>Advanced power management.</summary>
+
+########################################
+## <summary>
+##	Execute apm in the apm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`acpi_domtrans_client',`
+	gen_require(`
+		type acpi_t, acpi_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, acpi_exec_t, acpi_t)
+')
+
+########################################
+## <summary>
+##	Execute apm in the apm domain
+##	and allow the specified role
+##	the apm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`acpi_run_client',`
+	gen_require(`
+		attribute_role acpi_roles;
+	')
+
+	acpi_domtrans_client($1)
+	roleattribute $2 acpi_roles;
+')
+
+########################################
+## <summary>
+##	Use apmd file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acpi_use_fds',`
+	gen_require(`
+		type acpid_t;
+	')
+
+	allow $1 acpid_t:fd use;
+')
+
+########################################
+## <summary>
+##	Write apmd unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acpi_write_pipes',`
+	gen_require(`
+		type acpid_t;
+	')
+
+	allow $1 acpid_t:fifo_file write;
+')
+
+########################################
+## <summary>
+##	Read and write to apmd unix
+##	stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acpi_rw_stream_sockets',`
+	gen_require(`
+		type acpid_t;
+	')
+
+	allow $1 acpid_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Append apmd log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acpi_append_log',`
+	gen_require(`
+		type acpid_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 acpid_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect to apmd over an unix
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`acpi_stream_connect',`
+	gen_require(`
+		type acpid_t, acpid_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an apm environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`acpi_admin',`
+	gen_require(`
+		type acpid_t, acpid_initrc_exec_t, acpid_log_t;
+		type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t;
+		type acpid_tmp_t;
+	')
+
+	allow $1 acpid_t:process { ptrace signal_perms };
+	ps_process_pattern($1, acpid_t)
+
+	init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, acpid_log_t)
+
+	files_search_locks($1)
+	admin_pattern($1, acpid_lock_t)
+
+	files_search_pids($1)
+	admin_pattern($1, acpid_var_run_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, acpid_var_lib_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, acpid_tmp_t)
+
+	acpi_run_client($1, $2)
+')

policy/modules/contrib/acpi.te

@@ -0,0 +1,247 @@
+policy_module(acpi, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role acpi_roles;
+roleattribute system_r acpi_roles;
+
+type acpid_t;
+type acpid_exec_t;
+typealias acpid_t alias apmd_t;
+typealias acpid_exec_t alias apmd_exec_t;
+init_daemon_domain(acpid_t, acpid_exec_t)
+
+type acpid_initrc_exec_t;
+typealias acpid_initrc_exec_t alias apmd_initrc_exec_t;
+init_script_file(acpid_initrc_exec_t)
+
+type acpi_t;
+type acpi_exec_t;
+typealias acpi_t alias apm_t;
+typealias acpi_exec_t alias apm_exec_t;
+application_domain(acpi_t, acpi_exec_t)
+role acpi_roles types acpi_t;
+
+type acpid_lock_t;
+typealias acpid_lock_t alias apmd_lock_t;
+files_lock_file(acpid_lock_t)
+
+type acpid_log_t;
+typealias acpid_log_t alias apmd_log_t;
+logging_log_file(acpid_log_t)
+
+type acpid_tmp_t;
+typealias acpid_tmp_t alias apmd_tmp_t;
+files_tmp_file(acpid_tmp_t)
+
+type acpid_unit_t;
+typealias acpid_unit_t alias apmd_unit_t;
+init_unit_file(acpid_unit_t)
+
+type acpid_var_lib_t;
+typealias acpid_var_lib_t alias apmd_var_lib_t;
+files_type(acpid_var_lib_t)
+
+type acpid_var_run_t;
+typealias acpid_var_run_t alias apmd_var_run_t;
+files_pid_file(acpid_var_run_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow acpi_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(acpi_t)
+
+dev_rw_acpi_bios(acpi_t)
+
+fs_getattr_xattr_fs(acpi_t)
+
+term_use_all_terms(acpi_t)
+
+domain_use_interactive_fds(acpi_t)
+
+logging_send_syslog_msg(acpi_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow acpid_t self:capability { kill mknod sys_admin sys_nice sys_time };
+dontaudit acpid_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
+allow acpid_t self:process { signal_perms getsession };
+allow acpid_t self:fifo_file rw_fifo_file_perms;
+allow acpid_t self:netlink_socket create_socket_perms;
+allow acpid_t self:netlink_generic_socket create_socket_perms;
+allow acpid_t self:unix_stream_socket { accept listen };
+
+allow acpid_t acpid_lock_t:file manage_file_perms;
+files_lock_filetrans(acpid_t, acpid_lock_t, file)
+
+allow acpid_t acpid_log_t:file manage_file_perms;
+logging_log_filetrans(acpid_t, acpid_log_t, file)
+
+manage_dirs_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+manage_files_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+files_tmp_filetrans(acpid_t, acpid_tmp_t, { file dir })
+
+manage_dirs_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+manage_files_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+files_var_lib_filetrans(acpid_t, acpid_var_lib_t, dir)
+
+manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+manage_sock_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+files_pid_filetrans(acpid_t, acpid_var_run_t, { file sock_file })
+
+can_exec(acpid_t, acpid_var_run_t)
+
+kernel_read_kernel_sysctls(acpid_t)
+kernel_rw_all_sysctls(acpid_t)
+kernel_read_system_state(acpid_t)
+kernel_write_proc_files(acpid_t)
+kernel_request_load_module(acpid_t)
+
+dev_read_input(acpid_t)
+dev_read_mouse(acpid_t)
+dev_read_realtime_clock(acpid_t)
+dev_read_urand(acpid_t)
+dev_rw_acpi_bios(acpid_t)
+dev_rw_sysfs(acpid_t)
+dev_dontaudit_getattr_all_chr_files(acpid_t)
+dev_dontaudit_getattr_all_blk_files(acpid_t)
+
+files_exec_etc_files(acpid_t)
+files_read_etc_runtime_files(acpid_t)
+files_dontaudit_getattr_all_files(acpid_t)
+files_dontaudit_getattr_all_symlinks(acpid_t)
+files_dontaudit_getattr_all_pipes(acpid_t)
+files_dontaudit_getattr_all_sockets(acpid_t)
+
+fs_dontaudit_list_tmpfs(acpid_t)
+fs_getattr_all_fs(acpid_t)
+fs_search_auto_mountpoints(acpid_t)
+fs_dontaudit_getattr_all_files(acpid_t)
+fs_dontaudit_getattr_all_symlinks(acpid_t)
+fs_dontaudit_getattr_all_pipes(acpid_t)
+fs_dontaudit_getattr_all_sockets(acpid_t)
+
+selinux_search_fs(acpid_t)
+
+corecmd_exec_all_executables(acpid_t)
+
+domain_read_all_domains_state(acpid_t)
+domain_dontaudit_ptrace_all_domains(acpid_t)
+domain_use_interactive_fds(acpid_t)
+domain_dontaudit_getattr_all_sockets(acpid_t)
+domain_dontaudit_getattr_all_key_sockets(acpid_t)
+domain_dontaudit_list_all_domains_state(acpid_t)
+
+auth_use_nsswitch(acpid_t)
+
+init_domtrans_script(acpid_t)
+
+libs_exec_ld_so(acpid_t)
+libs_exec_lib_files(acpid_t)
+
+logging_send_audit_msgs(acpid_t)
+logging_send_syslog_msg(acpid_t)
+
+miscfiles_read_localization(acpid_t)
+miscfiles_read_hwdata(acpid_t)
+
+modutils_domtrans(acpid_t)
+modutils_read_module_config(acpid_t)
+
+seutil_dontaudit_read_config(acpid_t)
+
+userdom_dontaudit_use_unpriv_user_fds(acpid_t)
+userdom_dontaudit_search_user_home_dirs(acpid_t)
+userdom_dontaudit_search_user_home_content(acpid_t)
+
+optional_policy(`
+	automount_domtrans(acpid_t)
+')
+
+optional_policy(`
+	clock_domtrans(acpid_t)
+	clock_rw_adjtime(acpid_t)
+')
+
+optional_policy(`
+	cron_system_entry(acpid_t, acpid_exec_t)
+	cron_anacron_domtrans_system_job(acpid_t)
+')
+
+optional_policy(`
+	devicekit_manage_pid_files(acpid_t)
+	devicekit_manage_log_files(acpid_t)
+	devicekit_relabel_log_files(acpid_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(acpid_t)
+
+	optional_policy(`
+		consolekit_dbus_chat(acpid_t)
+	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(acpid_t)
+	')
+')
+
+optional_policy(`
+	fstools_domtrans(acpid_t)
+')
+
+optional_policy(`
+	iptables_domtrans(acpid_t)
+')
+
+optional_policy(`
+	logrotate_use_fds(acpid_t)
+')
+
+optional_policy(`
+	mta_send_mail(acpid_t)
+')
+
+optional_policy(`
+	netutils_domtrans(acpid_t)
+')
+
+optional_policy(`
+	pcmcia_domtrans_cardmgr(acpid_t)
+	pcmcia_domtrans_cardctl(acpid_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(acpid_t)
+')
+
+optional_policy(`
+	shutdown_domtrans(acpid_t)
+')
+
+optional_policy(`
+	sysnet_domtrans_ifconfig(acpid_t)
+')
+
+optional_policy(`
+	udev_read_db(acpid_t)
+	udev_read_state(acpid_t)
+')
+
+optional_policy(`
+	vbetool_domtrans(acpid_t)
+')
+
+optional_policy(`
+	xserver_domtrans(acpid_t)
+')

policy/modules/contrib/ada.fc

@@ -0,0 +1,5 @@
+/usr/bin/gnatbind	--	gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatls	--	gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatmake	--	gen_context(system_u:object_r:ada_exec_t,s0)
+
+/usr/libexec/gcc(/.*)?/gnat1	--	gen_context(system_u:object_r:ada_exec_t,s0)

policy/modules/contrib/ada.if

@@ -0,0 +1,45 @@
+## <summary>GNAT Ada95 compiler.</summary>
+
+########################################
+## <summary>
+##	Execute the ada program in the ada domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ada_domtrans',`
+	gen_require(`
+		type ada_t, ada_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ada_exec_t, ada_t)
+')
+
+########################################
+## <summary>
+##	Execute ada in the ada domain, and
+##	allow the specified role the ada domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`ada_run',`
+	gen_require(`
+		attribute_role ada_roles;
+	')
+
+	ada_domtrans($1)
+	roleattribute $2 ada_roles;
+')

policy/modules/contrib/ada.te

@@ -0,0 +1,27 @@
+policy_module(ada, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role ada_roles;
+roleattribute system_r ada_roles;
+
+type ada_t;
+type ada_exec_t;
+application_domain(ada_t, ada_exec_t)
+role ada_roles types ada_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ada_t self:process { execstack execmem };
+
+userdom_use_user_terminals(ada_t)
+
+optional_policy(`
+	unconfined_domain(ada_t)
+')

policy/modules/contrib/afs.fc

@@ -0,0 +1,52 @@
+/etc/(open)?afs(/.*)?	gen_context(system_u:object_r:afs_config_t,s0)
+
+/etc/rc\.d/init\.d/openafs-client	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/openafs-server	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/(open)?afs	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+
+/usr/afs/bin/bosserver	--	gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+/usr/afs/bin/dafileserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/dasalvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/davolserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/fileserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/kaserver	--	gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
+/usr/afs/bin/ptserver	--	gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
+/usr/afs/bin/salvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/salvageserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/volserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/vlserver	--	gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
+
+/usr/afs/db	-d	gen_context(system_u:object_r:afs_dbdir_t,s0)
+/usr/afs/db/pr.*	--	gen_context(system_u:object_r:afs_pt_db_t,s0)
+/usr/afs/db/ka.*	--	gen_context(system_u:object_r:afs_ka_db_t,s0)
+/usr/afs/db/vl.*	--	gen_context(system_u:object_r:afs_vl_db_t,s0)
+
+/usr/afs/etc(/.*)?	gen_context(system_u:object_r:afs_config_t,s0)
+
+/usr/afs/local(/.*)?	gen_context(system_u:object_r:afs_config_t,s0)
+
+/usr/afs/logs(/.*)?	gen_context(system_u:object_r:afs_logfile_t,s0)
+
+/usr/bin/afsd		--	gen_context(system_u:object_r:afs_exec_t,s0)
+/usr/bin/bosserver	--	gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+
+/usr/libexec/openafs/dafileserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/dasalvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/davolserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/fileserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/kaserver	--	gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
+/usr/libexec/openafs/ptserver	--	gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
+/usr/libexec/openafs/salvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/salvagerserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/volserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/vlserver	--	gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
+
+/usr/sbin/afsd	--	gen_context(system_u:object_r:afs_exec_t,s0)
+/usr/sbin/bosserver	--	gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+
+/usr/vice/cache(/.*)?	gen_context(system_u:object_r:afs_cache_t,s0)
+/usr/vice/etc/afsd	--	gen_context(system_u:object_r:afs_exec_t,s0)
+
+/var/cache/(open)?afs(/.*)?	gen_context(system_u:object_r:afs_cache_t,s0)
+
+/vicep[a-z][a-z]?(/.*)? gen_context(system_u:object_r:afs_files_t,s0)

policy/modules/contrib/afs.if

@@ -0,0 +1,122 @@
+## <summary>Andrew Filesystem server.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run the
+##	afs client.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`afs_domtrans',`
+	gen_require(`
+		type afs_t, afs_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, afs_exec_t, afs_t)
+')
+
+########################################
+## <summary>
+##	Read and write afs client UDP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`afs_rw_udp_sockets',`
+	gen_require(`
+		type afs_t;
+	')
+
+	allow $1 afs_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Read and write afs cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`afs_rw_cache',`
+	gen_require(`
+		type afs_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 afs_cache_t:file { read write };
+')
+
+########################################
+## <summary>
+##	Execute afs server in the afs domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`afs_initrc_domtrans',`
+	gen_require(`
+		type afs_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, afs_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an afs environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`afs_admin',`
+	gen_require(`
+		attribute afs_domain;
+		type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
+		type afs_ka_db_t, afs_vl_db_t, afs_config_t;
+		type afs_logfile_t, afs_cache_t, afs_files_t;
+	')
+
+	allow $1 afs_domain:process { ptrace signal_perms };
+	ps_process_pattern($1, afs_domain)
+
+	init_startstop_service($1, $2, afs_domain, afs_initrc_exec_t)
+
+	files_search_etc($1)
+	admin_pattern($1, afs_config_t)
+
+	files_search_var($1)
+	admin_pattern($1, afs_cache_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, { afs_dbdir_t afs_pt_db_t afs_ka_db_t })
+	admin_pattern($1, afs_vl_db_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, afs_logfile_t)
+
+	admin_pattern($1, afs_files_t)
+')

policy/modules/contrib/afs.te

@@ -0,0 +1,325 @@
+policy_module(afs, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute afs_domain;
+
+type afs_t, afs_domain;
+type afs_exec_t;
+init_daemon_domain(afs_t, afs_exec_t)
+
+type afs_bosserver_t, afs_domain;
+type afs_bosserver_exec_t;
+init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t)
+
+type afs_cache_t;
+files_type(afs_cache_t)
+
+type afs_config_t;
+files_type(afs_config_t)
+
+type afs_dbdir_t;
+files_type(afs_dbdir_t)
+
+# exported files
+type afs_files_t;
+files_type(afs_files_t)
+
+type afs_fsserver_t, afs_domain;
+type afs_fsserver_exec_t;
+domain_type(afs_fsserver_t)
+domain_entry_file(afs_fsserver_t, afs_fsserver_exec_t)
+role system_r types afs_fsserver_t;
+
+type afs_initrc_exec_t;
+init_script_file(afs_initrc_exec_t)
+
+type afs_ka_db_t;
+files_type(afs_ka_db_t)
+
+type afs_kaserver_t, afs_domain;
+type afs_kaserver_exec_t;
+domain_type(afs_kaserver_t)
+domain_entry_file(afs_kaserver_t, afs_kaserver_exec_t)
+role system_r types afs_kaserver_t;
+
+type afs_logfile_t;
+logging_log_file(afs_logfile_t)
+
+type afs_pt_db_t;
+files_type(afs_pt_db_t)
+
+type afs_ptserver_t, afs_domain;
+type afs_ptserver_exec_t;
+domain_type(afs_ptserver_t)
+domain_entry_file(afs_ptserver_t, afs_ptserver_exec_t)
+role system_r types afs_ptserver_t;
+
+type afs_vl_db_t;
+files_type(afs_vl_db_t)
+
+type afs_vlserver_t, afs_domain;
+type afs_vlserver_exec_t;
+domain_type(afs_vlserver_t)
+domain_entry_file(afs_vlserver_t, afs_vlserver_exec_t)
+role system_r types afs_vlserver_t;
+
+########################################
+#
+# afs client local policy
+#
+
+allow afs_t self:capability { dac_override sys_admin sys_nice sys_tty_config };
+allow afs_t self:process { setsched signal };
+allow afs_t self:fifo_file rw_fifo_file_perms;
+allow afs_t self:unix_stream_socket { accept listen };
+
+manage_files_pattern(afs_t, afs_cache_t, afs_cache_t)
+manage_dirs_pattern(afs_t, afs_cache_t, afs_cache_t)
+files_var_filetrans(afs_t, afs_cache_t, { file dir })
+
+kernel_rw_afs_state(afs_t)
+
+files_mounton_mnt(afs_t)
+files_read_usr_files(afs_t)
+files_rw_etc_runtime_files(afs_t)
+
+fs_getattr_xattr_fs(afs_t)
+fs_mount_nfs(afs_t)
+fs_read_nfs_symlinks(afs_t)
+
+logging_send_syslog_msg(afs_t)
+
+########################################
+#
+# AFS bossserver local policy
+#
+
+allow afs_bosserver_t self:process { setsched signal_perms };
+allow afs_bosserver_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(afs_bosserver_t, afs_bosserver_exec_t)
+
+manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
+manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
+
+allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;
+
+allow afs_bosserver_t afs_fsserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
+
+allow afs_bosserver_t afs_kaserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t)
+
+allow afs_bosserver_t afs_logfile_t:file manage_file_perms;
+allow afs_bosserver_t afs_logfile_t:dir manage_dir_perms;
+
+allow afs_bosserver_t afs_ptserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t)
+
+allow afs_bosserver_t afs_vlserver_t:process signal_perms;
+domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
+
+kernel_read_kernel_sysctls(afs_bosserver_t)
+
+corenet_all_recvfrom_unlabeled(afs_bosserver_t)
+corenet_all_recvfrom_netlabel(afs_bosserver_t)
+corenet_udp_sendrecv_generic_if(afs_bosserver_t)
+corenet_udp_sendrecv_generic_node(afs_bosserver_t)
+corenet_udp_bind_generic_node(afs_bosserver_t)
+
+corenet_udp_bind_afs_bos_port(afs_bosserver_t)
+corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
+corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
+
+dev_read_urand(afs_bosserver_t)
+
+files_list_home(afs_bosserver_t)
+files_read_usr_files(afs_bosserver_t)
+
+seutil_read_config(afs_bosserver_t)
+
+########################################
+#
+# fileserver local policy
+#
+
+allow afs_fsserver_t self:capability { chown dac_override fowner kill sys_nice };
+dontaudit afs_fsserver_t self:capability fsetid;
+allow afs_fsserver_t self:process { setsched signal_perms };
+allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
+allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+
+manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_fifo_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+manage_sock_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
+filetrans_pattern(afs_fsserver_t, afs_config_t, afs_files_t, { file lnk_file sock_file fifo_file })
+
+can_exec(afs_fsserver_t, afs_fsserver_exec_t)
+
+manage_dirs_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)
+
+kernel_read_system_state(afs_fsserver_t)
+kernel_read_kernel_sysctls(afs_fsserver_t)
+
+corenet_all_recvfrom_unlabeled(afs_fsserver_t)
+corenet_all_recvfrom_netlabel(afs_fsserver_t)
+corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
+corenet_udp_sendrecv_generic_if(afs_fsserver_t)
+corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
+corenet_udp_sendrecv_generic_node(afs_fsserver_t)
+corenet_tcp_bind_generic_node(afs_fsserver_t)
+corenet_udp_bind_generic_node(afs_fsserver_t)
+
+corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
+corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
+corenet_udp_bind_afs_fs_port(afs_fsserver_t)
+corenet_tcp_sendrecv_afs_fs_port(afs_fsserver_t)
+corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
+
+dev_read_urand(afs_fsserver_t)
+
+files_read_etc_runtime_files(afs_fsserver_t)
+files_list_home(afs_fsserver_t)
+files_read_usr_files(afs_fsserver_t)
+files_list_pids(afs_fsserver_t)
+files_dontaudit_search_mnt(afs_fsserver_t)
+
+fs_getattr_xattr_fs(afs_fsserver_t)
+
+term_dontaudit_use_console(afs_fsserver_t)
+
+init_dontaudit_use_script_fds(afs_fsserver_t)
+
+logging_send_syslog_msg(afs_fsserver_t)
+
+seutil_read_config(afs_fsserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_fsserver_t)
+
+########################################
+#
+# kaserver local policy
+#
+
+allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_kaserver_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(afs_kaserver_t, afs_config_t, afs_config_t)
+
+manage_files_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t)
+filetrans_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t, file)
+
+manage_dirs_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+
+kernel_read_kernel_sysctls(afs_kaserver_t)
+
+corenet_all_recvfrom_unlabeled(afs_kaserver_t)
+corenet_all_recvfrom_netlabel(afs_kaserver_t)
+corenet_udp_sendrecv_generic_if(afs_kaserver_t)
+corenet_udp_sendrecv_generic_node(afs_kaserver_t)
+corenet_udp_bind_generic_node(afs_kaserver_t)
+
+corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t)
+corenet_udp_bind_afs_ka_port(afs_kaserver_t)
+corenet_udp_sendrecv_afs_ka_port(afs_kaserver_t)
+
+corenet_sendrecv_kerberos_server_packets(afs_kaserver_t)
+corenet_udp_bind_kerberos_port(afs_kaserver_t)
+corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
+
+files_list_home(afs_kaserver_t)
+files_read_usr_files(afs_kaserver_t)
+
+seutil_read_config(afs_kaserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_kaserver_t)
+
+########################################
+#
+# ptserver local policy
+#
+
+allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
+allow afs_ptserver_t afs_config_t:dir list_dir_perms;
+
+manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+
+manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
+filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
+
+corenet_all_recvfrom_unlabeled(afs_ptserver_t)
+corenet_all_recvfrom_netlabel(afs_ptserver_t)
+corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
+corenet_udp_sendrecv_generic_if(afs_ptserver_t)
+corenet_tcp_sendrecv_generic_node(afs_ptserver_t)
+corenet_udp_sendrecv_generic_node(afs_ptserver_t)
+corenet_tcp_sendrecv_all_ports(afs_ptserver_t)
+corenet_udp_sendrecv_all_ports(afs_ptserver_t)
+corenet_udp_bind_generic_node(afs_ptserver_t)
+corenet_udp_bind_afs_pt_port(afs_ptserver_t)
+corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
+
+dev_read_urand(afs_ptserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_ptserver_t)
+
+########################################
+#
+# vlserver local policy
+#
+
+allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
+allow afs_vlserver_t afs_config_t:dir list_dir_perms;
+
+manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+
+manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
+filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
+
+corenet_all_recvfrom_unlabeled(afs_vlserver_t)
+corenet_all_recvfrom_netlabel(afs_vlserver_t)
+corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
+corenet_udp_sendrecv_generic_if(afs_vlserver_t)
+corenet_tcp_sendrecv_generic_node(afs_vlserver_t)
+corenet_udp_sendrecv_generic_node(afs_vlserver_t)
+corenet_tcp_sendrecv_all_ports(afs_vlserver_t)
+corenet_udp_sendrecv_all_ports(afs_vlserver_t)
+corenet_udp_bind_generic_node(afs_vlserver_t)
+corenet_udp_bind_afs_vl_port(afs_vlserver_t)
+corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
+
+dev_read_urand(afs_vlserver_t)
+
+userdom_dontaudit_use_user_terminals(afs_vlserver_t)
+
+########################################
+#
+# Global local policy
+#
+
+allow afs_domain self:udp_socket create_socket_perms;
+
+files_read_etc_files(afs_domain)
+
+miscfiles_read_localization(afs_domain)
+
+sysnet_read_config(afs_domain)

policy/modules/contrib/aiccu.fc

@@ -0,0 +1,9 @@
+/etc/aiccu\.conf	--	gen_context(system_u:object_r:aiccu_etc_t,s0)
+
+/etc/rc\.d/init\.d/aiccu	--	gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+
+/usr/bin/aiccu	--	gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/usr/sbin/aiccu	--	gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/run/aiccu\.pid	--	gen_context(system_u:object_r:aiccu_var_run_t,s0)

policy/modules/contrib/aiccu.if

@@ -0,0 +1,92 @@
+## <summary>Automatic IPv6 Connectivity Client Utility.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run aiccu.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`aiccu_domtrans',`
+	gen_require(`
+		type aiccu_t, aiccu_exec_t;
+	')
+
+	domtrans_pattern($1, aiccu_exec_t, aiccu_t)
+	corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+##	Execute aiccu server in the aiccu domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`aiccu_initrc_domtrans',`
+	gen_require(`
+		type aiccu_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read aiccu PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`aiccu_read_pid_files',`
+	gen_require(`
+		type aiccu_var_run_t;
+	')
+
+	allow $1 aiccu_var_run_t:file read_file_perms;
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an aiccu environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`aiccu_admin',`
+	gen_require(`
+		type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
+		type aiccu_var_run_t;
+	')
+
+	allow $1 aiccu_t:process { ptrace signal_perms };
+	ps_process_pattern($1, aiccu_t)
+
+	init_startstop_service($1, $2, aiccu_t, aiccu_initrc_exec_t)
+
+	admin_pattern($1, aiccu_etc_t)
+	files_list_etc($1)
+
+	admin_pattern($1, aiccu_var_run_t)
+	files_list_pids($1)
+')

policy/modules/contrib/aiccu.te

@@ -0,0 +1,76 @@
+policy_module(aiccu, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type aiccu_t;
+type aiccu_exec_t;
+init_daemon_domain(aiccu_t, aiccu_exec_t)
+
+type aiccu_initrc_exec_t;
+init_script_file(aiccu_initrc_exec_t)
+
+type aiccu_etc_t;
+files_config_file(aiccu_etc_t)
+
+type aiccu_var_run_t;
+files_pid_file(aiccu_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow aiccu_t self:capability { kill net_admin net_raw };
+dontaudit aiccu_t self:capability sys_tty_config;
+allow aiccu_t self:process signal;
+allow aiccu_t self:fifo_file rw_fifo_file_perms;
+allow aiccu_t self:netlink_route_socket nlmsg_write;
+allow aiccu_t self:tcp_socket { accept listen };
+allow aiccu_t self:tun_socket create_socket_perms;
+allow aiccu_t self:udp_socket { accept listen };
+allow aiccu_t self:unix_stream_socket { accept listen };
+
+allow aiccu_t aiccu_etc_t:file read_file_perms;
+
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
+
+kernel_read_system_state(aiccu_t)
+
+corecmd_exec_shell(aiccu_t)
+
+corenet_all_recvfrom_netlabel(aiccu_t)
+corenet_all_recvfrom_unlabeled(aiccu_t)
+corenet_tcp_bind_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_if(aiccu_t)
+corenet_tcp_sendrecv_generic_node(aiccu_t)
+
+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
+corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
+
+corenet_rw_tun_tap_dev(aiccu_t)
+
+domain_use_interactive_fds(aiccu_t)
+
+dev_read_rand(aiccu_t)
+dev_read_urand(aiccu_t)
+
+files_read_etc_files(aiccu_t)
+
+logging_send_syslog_msg(aiccu_t)
+
+miscfiles_read_localization(aiccu_t)
+
+optional_policy(`
+	modutils_domtrans(aiccu_t)
+')
+
+optional_policy(`
+	sysnet_dns_name_resolve(aiccu_t)
+	sysnet_domtrans_ifconfig(aiccu_t)
+')

policy/modules/contrib/aide.fc

@@ -0,0 +1,7 @@
+/usr/bin/aide	--	gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+/usr/sbin/aide	--	gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+
+/var/lib/aide(/.*)?	gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+
+/var/log/aide(/.*)?	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+/var/log/aide\.log.*	--	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)

policy/modules/contrib/aide.if

@@ -0,0 +1,80 @@
+## <summary>Aide filesystem integrity checker.</summary>
+
+########################################
+## <summary>
+##	Execute aide in the aide domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`aide_domtrans',`
+	gen_require(`
+		type aide_t, aide_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, aide_exec_t, aide_t)
+')
+
+########################################
+## <summary>
+##	Execute aide programs in the AIDE
+##	domain and allow the specified role
+##	the AIDE domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`aide_run',`
+	gen_require(`
+		attribute_role aide_roles;
+	')
+
+	aide_domtrans($1)
+	roleattribute $2 aide_roles;
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an aide environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`aide_admin',`
+	gen_require(`
+		type aide_t, aide_db_t, aide_log_t;
+	')
+
+	allow $1 aide_t:process { ptrace signal_perms };
+	ps_process_pattern($1, aide_t)
+
+	aide_run($1, $2)
+
+	files_list_etc($1)
+	admin_pattern($1, aide_db_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, aide_log_t)
+')

policy/modules/contrib/aide.te

@@ -0,0 +1,45 @@
+policy_module(aide, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role aide_roles;
+
+type aide_t;
+type aide_exec_t;
+application_domain(aide_t, aide_exec_t)
+role aide_roles types aide_t;
+
+type aide_log_t;
+logging_log_file(aide_log_t)
+
+type aide_db_t;
+files_type(aide_db_t)
+
+########################################
+#
+# Local policy
+#
+
+allow aide_t self:capability { dac_override fowner };
+
+manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+
+create_files_pattern(aide_t, aide_log_t, aide_log_t)
+append_files_pattern(aide_t, aide_log_t, aide_log_t)
+setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
+logging_log_filetrans(aide_t, aide_log_t, file)
+
+files_read_all_files(aide_t)
+files_read_all_symlinks(aide_t)
+
+logging_send_audit_msgs(aide_t)
+logging_send_syslog_msg(aide_t)
+
+userdom_use_user_terminals(aide_t)
+
+optional_policy(`
+	seutil_use_newrole_fds(aide_t)
+')

policy/modules/contrib/aisexec.fc

@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/openais	--	gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
+
+/usr/bin/aisexec	--	gen_context(system_u:object_r:aisexec_exec_t,s0)
+
+/usr/sbin/aisexec	--	gen_context(system_u:object_r:aisexec_exec_t,s0)
+
+/var/lib/openais(/.*)?	gen_context(system_u:object_r:aisexec_var_lib_t,s0)
+
+/var/log/cluster/aisexec\.log.*	--	gen_context(system_u:object_r:aisexec_var_log_t,s0)
+
+/run/aisexec.*	gen_context(system_u:object_r:aisexec_var_run_t,s0)

policy/modules/contrib/aisexec.if

@@ -0,0 +1,104 @@
+## <summary>Aisexec Cluster Engine.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run aisexec.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aisexec_domtrans',`
+	gen_require(`
+		type aisexec_t, aisexec_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, aisexec_exec_t, aisexec_t)
+')
+
+#####################################
+## <summary>
+##	Connect to aisexec over a unix
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`aisexec_stream_connect',`
+	gen_require(`
+		type aisexec_t, aisexec_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t)
+')
+
+#######################################
+## <summary>
+##	Read aisexec log files content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`aisexec_read_log',`
+	gen_require(`
+		type aisexec_var_log_t;
+	')
+
+	logging_search_logs($1)
+	list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+	read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+')
+
+######################################
+## <summary>
+##	All of the rules required to
+##	administrate an aisexec environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`aisexecd_admin',`
+	gen_require(`
+		type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t;
+		type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t;
+		type aisexec_initrc_exec_t;
+	')
+
+	allow $1 aisexec_t:process { ptrace signal_perms };
+	ps_process_pattern($1, aisexec_t)
+
+	init_startstop_service($1, $2, aisexec_t, aisexec_initrc_exec_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, aisexec_var_lib_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, aisexec_var_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, aisexec_var_run_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, aisexec_tmp_t)
+
+	admin_pattern($1, aisexec_tmpfs_t)
+')

policy/modules/contrib/aisexec.te

@@ -0,0 +1,117 @@
+policy_module(aisexec, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+type aisexec_t;
+type aisexec_exec_t;
+init_daemon_domain(aisexec_t, aisexec_exec_t)
+
+type aisexec_initrc_exec_t;
+init_script_file(aisexec_initrc_exec_t)
+
+type aisexec_tmp_t;
+files_tmp_file(aisexec_tmp_t)
+
+type aisexec_tmpfs_t;
+files_tmpfs_file(aisexec_tmpfs_t)
+
+type aisexec_var_lib_t;
+files_type(aisexec_var_lib_t)
+
+type aisexec_var_log_t;
+logging_log_file(aisexec_var_log_t)
+
+type aisexec_var_run_t;
+files_pid_file(aisexec_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow aisexec_t self:capability { ipc_lock ipc_owner sys_nice sys_resource };
+allow aisexec_t self:process { setrlimit setsched signal };
+allow aisexec_t self:fifo_file rw_fifo_file_perms;
+allow aisexec_t self:sem create_sem_perms;
+allow aisexec_t self:unix_stream_socket { accept listen connectto };
+
+manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { dir file })
+
+manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file })
+
+manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, dir)
+
+append_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+create_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+setattr_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+logging_log_filetrans(aisexec_t, aisexec_var_log_t, file)
+
+manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
+files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
+
+kernel_read_system_state(aisexec_t)
+
+corecmd_exec_bin(aisexec_t)
+
+corenet_all_recvfrom_unlabeled(aisexec_t)
+corenet_all_recvfrom_netlabel(aisexec_t)
+corenet_tcp_sendrecv_generic_if(aisexec_t)
+corenet_udp_sendrecv_generic_if(aisexec_t)
+corenet_tcp_sendrecv_generic_node(aisexec_t)
+corenet_udp_sendrecv_generic_node(aisexec_t)
+corenet_tcp_bind_generic_node(aisexec_t)
+corenet_udp_bind_generic_node(aisexec_t)
+
+corenet_sendrecv_netsupport_server_packets(aisexec_t)
+corenet_udp_bind_netsupport_port(aisexec_t)
+corenet_udp_sendrecv_netsupport_port(aisexec_t)
+
+corenet_sendrecv_generic_server_packets(aisexec_t)
+corenet_tcp_bind_reserved_port(aisexec_t)
+corenet_tcp_sendrecv_reserved_port(aisexec_t)
+
+corenet_sendrecv_cluster_server_packets(aisexec_t)
+corenet_udp_bind_cluster_port(aisexec_t)
+corenet_udp_sendrecv_cluster_port(aisexec_t)
+
+dev_read_urand(aisexec_t)
+
+files_manage_mounttab(aisexec_t)
+
+auth_use_nsswitch(aisexec_t)
+
+init_rw_script_tmp_files(aisexec_t)
+
+logging_send_syslog_msg(aisexec_t)
+
+miscfiles_read_localization(aisexec_t)
+
+userdom_rw_unpriv_user_semaphores(aisexec_t)
+userdom_rw_unpriv_user_shared_mem(aisexec_t)
+
+optional_policy(`
+	ccs_stream_connect(aisexec_t)
+')
+
+optional_policy(`
+	rhcs_rw_dlm_controld_semaphores(aisexec_t)
+
+	rhcs_rw_fenced_semaphores(aisexec_t)
+
+	rhcs_rw_gfs_controld_semaphores(aisexec_t)
+	rhcs_rw_gfs_controld_shm(aisexec_t)
+
+	rhcs_rw_groupd_semaphores(aisexec_t)
+	rhcs_rw_groupd_shm(aisexec_t)
+')

policy/modules/contrib/alsa.fc

@@ -0,0 +1,24 @@
+HOME_DIR/\.asoundrc				--	gen_context(system_u:object_r:alsa_home_t,s0)
+
+/etc/alsa(/.*)?						gen_context(system_u:object_r:alsa_etc_t,s0)
+/etc/asound\.conf				--	gen_context(system_u:object_r:alsa_etc_t,s0)
+
+/run/alsa(/.*)?						gen_context(system_u:object_r:alsa_runtime_t,s0)
+
+/usr/bin/ainit					--	gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/alsactl				--	gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/alsaunmute				--	gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/salsa					--	gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/usr/lib/systemd/system/[^/]*alsa-restore.*	--	gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-state.*	--	gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-store.*	--	gen_context(system_u:object_r:alsa_unit_t,s0)
+
+/usr/sbin/alsactl				--	gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/sbin/salsa					--	gen_context(system_u:object_r:alsa_exec_t,s0)
+
+/usr/share/alsa(/.*)?					gen_context(system_u:object_r:alsa_etc_t,s0)
+
+/var/lib/alsa(/.*)?					gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
+/var/lock/asound\.state\.lock			--	gen_context(system_u:object_r:alsa_var_lock_t,s0)

policy/modules/contrib/alsa.if

@@ -0,0 +1,250 @@
+## <summary>Advanced Linux Sound Architecture utilities.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run Alsa.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`alsa_domtrans',`
+	gen_require(`
+		type alsa_t, alsa_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, alsa_exec_t, alsa_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run
+##	Alsa, and allow the specified role
+##	the Alsa domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_run',`
+	gen_require(`
+		attribute_role alsa_roles;
+	')
+
+	alsa_domtrans($1)
+	roleattribute $2 alsa_roles;
+')
+
+########################################
+## <summary>
+##	Read and write Alsa semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_rw_semaphores',`
+	gen_require(`
+		type alsa_t;
+	')
+
+	allow $1 alsa_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+##	Read and write Alsa shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_rw_shared_mem',`
+	gen_require(`
+		type alsa_t;
+	')
+
+	allow $1 alsa_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##	Read Alsa configuration content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_read_config',`
+	gen_require(`
+		type alsa_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 alsa_etc_t:dir list_dir_perms;
+	read_files_pattern($1, alsa_etc_t, alsa_etc_t)
+	read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
+')
+
+########################################
+## <summary>
+##	Manage Alsa config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_manage_config',`
+	gen_require(`
+		type alsa_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 alsa_etc_t:dir list_dir_perms;
+	manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
+	read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	alsa home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_manage_home_files',`
+	gen_require(`
+		type alsa_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 alsa_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Read Alsa home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_read_home_files',`
+	gen_require(`
+		type alsa_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 alsa_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel alsa home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_relabel_home_files',`
+	gen_require(`
+		type alsa_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 alsa_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in user home
+##	directories with the generic alsa
+##	home type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`alsa_home_filetrans_alsa_home',`
+	gen_require(`
+		type alsa_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Read Alsa lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_read_lib',`
+	gen_require(`
+		type alsa_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
+
+#########################################
+## <summary>
+##	Write Alsa lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_write_lib',`
+	gen_require(`
+		type alsa_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')

policy/modules/contrib/alsa.te

@@ -0,0 +1,111 @@
+policy_module(alsa, 1.18.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role alsa_roles;
+
+type alsa_t;
+type alsa_exec_t;
+init_system_domain(alsa_t, alsa_exec_t)
+role alsa_roles types alsa_t;
+
+type alsa_etc_t alias alsa_etc_rw_t;
+files_config_file(alsa_etc_t)
+
+type alsa_home_t;
+userdom_user_home_content(alsa_home_t)
+
+type alsa_runtime_t;
+files_pid_file(alsa_runtime_t)
+
+type alsa_tmp_t;
+files_tmp_file(alsa_tmp_t)
+
+type alsa_tmpfs_t;
+files_tmpfs_file(alsa_tmpfs_t)
+
+type alsa_unit_t;
+init_unit_file(alsa_unit_t)
+
+type alsa_var_lib_t;
+files_type(alsa_var_lib_t)
+
+type alsa_var_lock_t;
+files_lock_file(alsa_var_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid };
+# kill : kill pulseaudio
+dontaudit alsa_t self:capability { kill sys_admin };
+allow alsa_t self:sem create_sem_perms;
+allow alsa_t self:shm create_shm_perms;
+allow alsa_t self:unix_stream_socket { accept listen };
+
+allow alsa_t alsa_home_t:file read_file_perms;
+
+list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+allow alsa_t alsa_etc_t:file map;
+
+can_exec(alsa_t, alsa_exec_t)
+
+allow alsa_t alsa_runtime_t:dir manage_dir_perms;
+allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
+files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
+
+manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+
+allow alsa_t alsa_tmpfs_t:file { manage_file_perms map };
+fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
+
+manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+
+allow alsa_t alsa_var_lock_t:file manage_file_perms;
+files_lock_filetrans(alsa_t, alsa_var_lock_t, file)
+
+kernel_read_system_state(alsa_t)
+
+corecmd_exec_bin(alsa_t)
+
+dev_getattr_fs(alsa_t)
+dev_read_input(alsa_t)
+dev_read_sound(alsa_t)
+dev_read_sysfs(alsa_t)
+dev_read_urand(alsa_t)
+dev_write_sound(alsa_t)
+
+files_read_usr_files(alsa_t)
+files_search_var_lib(alsa_t)
+
+fs_getattr_tmpfs(alsa_t)
+
+term_dontaudit_use_console(alsa_t)
+term_dontaudit_use_generic_ptys(alsa_t)
+term_dontaudit_use_all_ptys(alsa_t)
+
+auth_use_nsswitch(alsa_t)
+
+logging_send_syslog_msg(alsa_t)
+
+miscfiles_read_localization(alsa_t)
+
+userdom_manage_unpriv_user_semaphores(alsa_t)
+userdom_manage_unpriv_user_shared_mem(alsa_t)
+userdom_search_user_home_dirs(alsa_t)
+
+optional_policy(`
+	hal_use_fds(alsa_t)
+	hal_write_log(alsa_t)
+')

policy/modules/contrib/amanda.fc

@@ -0,0 +1,30 @@
+/etc/amanda(/.*)?	gen_context(system_u:object_r:amanda_config_t,s0)
+/etc/amanda/.*/tapelist(/.*)?	gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amandates	gen_context(system_u:object_r:amanda_amandates_t,s0)
+/etc/dumpdates	gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+# empty m4 string so the index macro is not invoked
+/etc/amanda/.*/index`'(/.*)?	gen_context(system_u:object_r:amanda_data_t,s0)
+
+/root/restore	-d	gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+
+/usr/bin/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/bin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+
+/usr/lib/amanda	-d	gen_context(system_u:object_r:amanda_usr_lib_t,s0)
+/usr/lib/amanda/.+	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib/amanda/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
+/usr/sbin/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+
+/var/lib/amanda	-d	gen_context(system_u:object_r:amanda_var_lib_t,s0)
+/var/lib/amanda/[^/]+(/.*)?	gen_context(system_u:object_r:amanda_data_t,s0)
+/var/lib/amanda/[^/]*/log(/.*)?	gen_context(system_u:object_r:amanda_log_t,s0)
+/var/lib/amanda/\.amandahosts	--	gen_context(system_u:object_r:amanda_config_t,s0)
+/var/lib/amanda/gnutar-lists(/.*)?	gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
+# the null string in here because index is a m4 builtin function
+/var/lib/amanda/[^/]+/index`'(/.*)?	gen_context(system_u:object_r:amanda_var_lib_t,s0)
+
+/var/log/amanda(/.*)?	gen_context(system_u:object_r:amanda_log_t,s0)

policy/modules/contrib/amanda.if

@@ -0,0 +1,161 @@
+## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run
+##	Amanda recover.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`amanda_domtrans_recover',`
+	gen_require(`
+		type amanda_recover_t, amanda_recover_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run
+##	Amanda recover, and allow the specified
+##	role the Amanda recover domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`amanda_run_recover',`
+	gen_require(`
+		attribute_role amanda_recover_roles;
+	')
+
+	amanda_domtrans_recover($1)
+	roleattribute $2 amanda_recover_roles;
+')
+
+########################################
+## <summary>
+##	Search Amanda library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amanda_search_lib',`
+	gen_require(`
+		type amanda_usr_lib_t;
+	')
+
+	files_search_usr($1)
+	allow $1 amanda_usr_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read /etc/dumpdates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`amanda_dontaudit_read_dumpdates',`
+	gen_require(`
+		type amanda_dumpdates_t;
+	')
+
+	dontaudit $1 amanda_dumpdates_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write /etc/dumpdates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amanda_rw_dumpdates_files',`
+	gen_require(`
+		type amanda_dumpdates_t;
+	')
+
+	files_search_etc($1)
+	allow $1 amanda_dumpdates_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage Amanda library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amanda_manage_lib',`
+	gen_require(`
+		type amanda_usr_lib_t;
+	')
+
+	files_search_usr($1)
+	allow $1 amanda_usr_lib_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read and append amanda log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amanda_append_log_files',`
+	gen_require(`
+		type amanda_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 amanda_log_t:file { read_file_perms append_file_perms };
+')
+
+#######################################
+## <summary>
+##	Search Amanda var library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amanda_search_var_lib',`
+	gen_require(`
+		type amanda_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 amanda_var_lib_t:dir search_dir_perms;
+')

policy/modules/contrib/amanda.te

@@ -0,0 +1,206 @@
+policy_module(amanda, 1.17.0)
+
+#######################################
+#
+# Declarations
+#
+
+attribute_role amanda_recover_roles;
+roleattribute system_r amanda_recover_roles;
+
+type amanda_t;
+type amanda_inetd_exec_t;
+inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+
+type amanda_exec_t;
+domain_entry_file(amanda_t, amanda_exec_t)
+
+type amanda_log_t;
+logging_log_file(amanda_log_t)
+
+type amanda_config_t;
+files_type(amanda_config_t)
+
+type amanda_usr_lib_t;
+files_type(amanda_usr_lib_t)
+
+type amanda_var_lib_t;
+files_type(amanda_var_lib_t)
+
+type amanda_gnutarlists_t;
+files_type(amanda_gnutarlists_t)
+
+type amanda_tmp_t;
+files_tmp_file(amanda_tmp_t)
+
+type amanda_amandates_t;
+files_type(amanda_amandates_t)
+
+type amanda_dumpdates_t;
+files_type(amanda_dumpdates_t)
+
+type amanda_data_t;
+files_type(amanda_data_t)
+
+type amanda_recover_t;
+type amanda_recover_exec_t;
+application_domain(amanda_recover_t, amanda_recover_exec_t)
+role amanda_recover_roles types amanda_recover_t;
+
+type amanda_recover_dir_t;
+files_type(amanda_recover_dir_t)
+
+optional_policy(`
+	prelink_object_file(amanda_usr_lib_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow amanda_t self:capability { chown dac_override kill setuid };
+allow amanda_t self:process { setpgid signal };
+allow amanda_t self:fifo_file rw_fifo_file_perms;
+allow amanda_t self:unix_stream_socket { accept listen };
+allow amanda_t self:tcp_socket { accept listen };
+
+allow amanda_t amanda_amandates_t:file rw_file_perms;
+
+allow amanda_t amanda_config_t:file read_file_perms;
+
+manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
+
+allow amanda_t amanda_dumpdates_t:file rw_file_perms;
+
+allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
+allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
+allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
+
+manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+
+manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
+manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
+logging_log_filetrans(amanda_t, amanda_log_t, dir)
+
+manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
+manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
+files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
+
+can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t })
+
+kernel_read_kernel_sysctls(amanda_t)
+kernel_read_system_state(amanda_t)
+kernel_dontaudit_getattr_unlabeled_files(amanda_t)
+kernel_dontaudit_read_proc_symlinks(amanda_t)
+
+corecmd_exec_shell(amanda_t)
+corecmd_exec_bin(amanda_t)
+
+corenet_all_recvfrom_unlabeled(amanda_t)
+corenet_all_recvfrom_netlabel(amanda_t)
+corenet_tcp_sendrecv_generic_if(amanda_t)
+corenet_tcp_sendrecv_generic_node(amanda_t)
+corenet_tcp_sendrecv_all_ports(amanda_t)
+corenet_tcp_bind_generic_node(amanda_t)
+
+corenet_sendrecv_all_server_packets(amanda_t)
+corenet_tcp_bind_all_rpc_ports(amanda_t)
+corenet_tcp_bind_generic_port(amanda_t)
+corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+
+dev_getattr_all_blk_files(amanda_t)
+dev_getattr_all_chr_files(amanda_t)
+
+files_read_etc_runtime_files(amanda_t)
+files_list_all(amanda_t)
+files_read_all_files(amanda_t)
+files_read_all_symlinks(amanda_t)
+files_read_all_blk_files(amanda_t)
+files_read_all_chr_files(amanda_t)
+files_getattr_all_pipes(amanda_t)
+files_getattr_all_sockets(amanda_t)
+
+fs_getattr_xattr_fs(amanda_t)
+fs_list_all(amanda_t)
+
+storage_raw_read_fixed_disk(amanda_t)
+storage_read_tape(amanda_t)
+storage_write_tape(amanda_t)
+
+auth_use_nsswitch(amanda_t)
+auth_read_shadow(amanda_t)
+
+logging_send_syslog_msg(amanda_t)
+
+########################################
+#
+# Recover local policy
+#
+
+allow amanda_recover_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
+allow amanda_recover_t self:process { sigkill sigstop signal };
+allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
+allow amanda_recover_t self:unix_stream_socket create_socket_perms;
+allow amanda_recover_t self:tcp_socket { accept listen };
+
+manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
+
+manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
+userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_lnk_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
+files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(amanda_recover_t)
+kernel_read_system_state(amanda_recover_t)
+
+corecmd_exec_shell(amanda_recover_t)
+corecmd_exec_bin(amanda_recover_t)
+
+corenet_all_recvfrom_unlabeled(amanda_recover_t)
+corenet_all_recvfrom_netlabel(amanda_recover_t)
+corenet_tcp_sendrecv_generic_if(amanda_recover_t)
+corenet_udp_sendrecv_generic_if(amanda_recover_t)
+corenet_tcp_sendrecv_generic_node(amanda_recover_t)
+corenet_udp_sendrecv_generic_node(amanda_recover_t)
+corenet_tcp_sendrecv_all_ports(amanda_recover_t)
+corenet_udp_sendrecv_all_ports(amanda_recover_t)
+corenet_tcp_bind_generic_node(amanda_recover_t)
+corenet_udp_bind_generic_node(amanda_recover_t)
+
+corenet_sendrecv_generic_server_packets(amanda_recover_t)
+corenet_tcp_bind_reserved_port(amanda_recover_t)
+
+corenet_sendrecv_amanda_client_packets(amanda_recover_t)
+corenet_tcp_connect_amanda_port(amanda_recover_t)
+
+domain_use_interactive_fds(amanda_recover_t)
+
+files_read_etc_runtime_files(amanda_recover_t)
+files_search_pids(amanda_recover_t)
+files_search_tmp(amanda_recover_t)
+
+auth_use_nsswitch(amanda_recover_t)
+
+fstools_domtrans(amanda_t)
+fstools_signal(amanda_t)
+
+logging_search_logs(amanda_recover_t)
+
+miscfiles_read_localization(amanda_recover_t)
+
+userdom_use_user_terminals(amanda_recover_t)
+userdom_search_user_home_content(amanda_recover_t)

policy/modules/contrib/amavis.fc

@@ -0,0 +1,30 @@
+/etc/amavis(d)?\.conf	--	gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/amavisd(/.*)?	gen_context(system_u:object_r:amavis_etc_t,s0)
+
+/etc/rc\.d/init\.d/amavis	--	gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/amavisd-snmp	--	gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+
+/usr/bin/amavisd.*	--	gen_context(system_u:object_r:amavis_exec_t,s0)
+
+/usr/lib/AntiVir/antivir	--	gen_context(system_u:object_r:amavis_exec_t,s0)
+
+/usr/sbin/amavisd.*	--	gen_context(system_u:object_r:amavis_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/amavisd-new-cronjob	--	gen_context(system_u:object_r:amavis_exec_t,s0)
+')
+
+/var/opt/f-secure(/.*)?	gen_context(system_u:object_r:amavis_var_lib_t,s0)
+
+/var/amavis(/.*)?	gen_context(system_u:object_r:amavis_var_lib_t,s0)
+
+/var/lib/amavis(/.*)?	gen_context(system_u:object_r:amavis_var_lib_t,s0)
+
+/var/log/amavisd\.log.*	--	gen_context(system_u:object_r:amavis_var_log_t,s0)
+
+/run/amavis(d)?(/.*)?	gen_context(system_u:object_r:amavis_var_run_t,s0)
+/run/amavisd-snmp-subagent\.pid	--	gen_context(system_u:object_r:amavis_var_run_t,s0)
+
+/var/spool/amavisd(/.*)?	gen_context(system_u:object_r:amavis_spool_t,s0)
+
+/var/virusmails(/.*)?	gen_context(system_u:object_r:amavis_quarantine_t,s0)

policy/modules/contrib/amavis.if

@@ -0,0 +1,261 @@
+## <summary>High-performance interface between an email server and content checkers.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run amavis.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`amavis_domtrans',`
+	gen_require(`
+		type amavis_t, amavis_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, amavis_exec_t, amavis_t)
+')
+
+########################################
+## <summary>
+##	Execute amavis server in the amavis domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`amavis_initrc_domtrans',`
+	gen_require(`
+		type amavis_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, amavis_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read amavis spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_read_spool_files',`
+	gen_require(`
+		type amavis_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	amavis spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_manage_spool_files',`
+	gen_require(`
+		type amavis_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_dirs_pattern($1, amavis_spool_t, amavis_spool_t)
+	manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
+')
+
+########################################
+## <summary>
+##	Create objects in the amavis spool directories
+##	with a private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`amavis_spool_filetrans',`
+	gen_require(`
+		type amavis_spool_t;
+	')
+
+	files_search_spool($1)
+	filetrans_pattern($1, amavis_spool_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Search amavis lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_search_lib',`
+	gen_require(`
+		type amavis_var_lib_t;
+	')
+
+	allow $1 amavis_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read amavis lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_read_lib_files',`
+	gen_require(`
+		type amavis_var_lib_t;
+	')
+
+	read_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+	allow $1 amavis_var_lib_t:dir list_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	amavis lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_manage_lib_files',`
+	gen_require(`
+		type amavis_var_lib_t;
+	')
+
+	manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Set attributes of amavis pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_setattr_pid_files',`
+	gen_require(`
+		type amavis_var_run_t;
+	')
+
+	allow $1 amavis_var_run_t:file setattr_file_perms;
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Create amavis pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_create_pid_files',`
+	gen_require(`
+		type amavis_var_run_t;
+	')
+
+	allow $1 amavis_var_run_t:dir add_entry_dir_perms;
+	allow $1 amavis_var_run_t:file create_file_perms;
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an amavis environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`amavis_admin',`
+	gen_require(`
+		type amavis_t, amavis_tmp_t, amavis_var_log_t;
+		type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
+		type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
+	')
+
+	allow $1 amavis_t:process { ptrace signal_perms };
+	ps_process_pattern($1, amavis_t)
+
+	init_startstop_service($1, $2, amavis_t, amavis_initrc_exec_t)
+
+	files_list_etc($1)
+	admin_pattern($1, amavis_etc_t)
+
+	admin_pattern($1, amavis_quarantine_t)
+
+	files_list_spool($1)
+	admin_pattern($1, amavis_spool_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, amavis_tmp_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, amavis_var_lib_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, amavis_var_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, amavis_var_run_t)
+')

policy/modules/contrib/amavis.te

@@ -0,0 +1,199 @@
+policy_module(amavis, 1.18.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether amavis can
+##	use JIT compiler.
+##	</p>
+## </desc>
+gen_tunable(amavis_use_jit, false)
+
+type amavis_t;
+type amavis_exec_t;
+init_daemon_domain(amavis_t, amavis_exec_t)
+
+type amavis_etc_t;
+files_config_file(amavis_etc_t)
+
+type amavis_initrc_exec_t;
+init_script_file(amavis_initrc_exec_t)
+
+type amavis_var_run_t;
+files_pid_file(amavis_var_run_t)
+
+type amavis_var_lib_t;
+files_type(amavis_var_lib_t)
+
+type amavis_var_log_t;
+logging_log_file(amavis_var_log_t)
+
+type amavis_tmp_t;
+files_tmp_file(amavis_tmp_t)
+
+type amavis_quarantine_t;
+files_type(amavis_quarantine_t)
+
+type amavis_spool_t;
+files_type(amavis_spool_t)
+
+########################################
+#
+# Local policy
+#
+
+allow amavis_t self:capability { chown dac_override kill setgid setuid };
+dontaudit amavis_t self:capability sys_tty_config;
+allow amavis_t self:process signal_perms;
+allow amavis_t self:fifo_file rw_fifo_file_perms;
+allow amavis_t self:unix_stream_socket { accept connectto listen };
+allow amavis_t self:tcp_socket { listen accept };
+
+allow amavis_t amavis_etc_t:dir list_dir_perms;
+read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
+read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
+
+manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
+
+manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+
+manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
+files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+
+manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+
+allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
+manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
+logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
+
+manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
+files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
+
+can_exec(amavis_t, amavis_exec_t)
+
+kernel_read_kernel_sysctls(amavis_t)
+kernel_read_system_state(amavis_t)
+kernel_dontaudit_list_proc(amavis_t)
+kernel_dontaudit_read_proc_symlinks(amavis_t)
+
+corecmd_exec_bin(amavis_t)
+corecmd_exec_shell(amavis_t)
+
+corenet_all_recvfrom_unlabeled(amavis_t)
+corenet_all_recvfrom_netlabel(amavis_t)
+corenet_tcp_sendrecv_generic_if(amavis_t)
+corenet_udp_sendrecv_generic_if(amavis_t)
+corenet_tcp_sendrecv_generic_node(amavis_t)
+corenet_udp_sendrecv_generic_node(amavis_t)
+corenet_tcp_sendrecv_all_ports(amavis_t)
+corenet_udp_sendrecv_all_ports(amavis_t)
+corenet_tcp_bind_generic_node(amavis_t)
+corenet_udp_bind_generic_node(amavis_t)
+
+corenet_sendrecv_amavisd_send_client_packets(amavis_t)
+corenet_tcp_connect_amavisd_send_port(amavis_t)
+
+corenet_sendrecv_amavisd_recv_server_packets(amavis_t)
+corenet_tcp_bind_amavisd_recv_port(amavis_t)
+
+corenet_sendrecv_generic_server_packets(amavis_t)
+corenet_udp_bind_generic_port(amavis_t)
+corenet_dontaudit_udp_bind_all_ports(amavis_t)
+
+corenet_sendrecv_razor_client_packets(amavis_t)
+corenet_tcp_connect_razor_port(amavis_t)
+
+dev_read_rand(amavis_t)
+dev_read_sysfs(amavis_t)
+dev_read_urand(amavis_t)
+
+domain_use_interactive_fds(amavis_t)
+domain_dontaudit_read_all_domains_state(amavis_t)
+
+files_read_etc_runtime_files(amavis_t)
+files_read_usr_files(amavis_t)
+files_search_spool(amavis_t)
+
+fs_getattr_xattr_fs(amavis_t)
+
+auth_use_nsswitch(amavis_t)
+auth_dontaudit_read_shadow(amavis_t)
+
+init_read_state(amavis_t)
+init_read_utmp(amavis_t)
+init_stream_connect_script(amavis_t)
+
+logging_send_syslog_msg(amavis_t)
+
+miscfiles_read_localization(amavis_t)
+
+userdom_dontaudit_search_user_home_dirs(amavis_t)
+
+tunable_policy(`amavis_use_jit',`
+	allow amavis_t self:process execmem;
+',`
+	dontaudit amavis_t self:process execmem;
+')
+
+optional_policy(`
+	clamav_stream_connect(amavis_t)
+	clamav_domtrans_clamscan(amavis_t)
+	clamav_read_state_clamd(amavis_t)
+')
+
+optional_policy(`
+	cron_use_fds(amavis_t)
+	cron_use_system_job_fds(amavis_t)
+	cron_rw_pipes(amavis_t)
+')
+
+optional_policy(`
+	dcc_domtrans_client(amavis_t)
+	dcc_stream_connect_dccifd(amavis_t)
+')
+
+optional_policy(`
+	mta_read_config(amavis_t)
+')
+
+optional_policy(`
+	postfix_read_config(amavis_t)
+	postfix_list_spool(amavis_t)
+')
+
+optional_policy(`
+	pyzor_domtrans(amavis_t)
+	pyzor_signal(amavis_t)
+')
+
+optional_policy(`
+	razor_domtrans(amavis_t)
+')
+
+optional_policy(`
+	snmp_manage_var_lib_dirs(amavis_t)
+	snmp_manage_var_lib_files(amavis_t)
+	snmp_stream_connect(amavis_t)
+')
+
+optional_policy(`
+	spamassassin_exec(amavis_t)
+	spamassassin_exec_client(amavis_t)
+	spamassassin_read_lib_files(amavis_t)
+')

policy/modules/contrib/amtu.fc

@@ -0,0 +1,4 @@
+/etc/rc\.d/init\.d/amtu	--	gen_context(system_u:object_r:amtu_initrc_exec_t,s0)
+
+/usr/bin/amtu	--	gen_context(system_u:object_r:amtu_exec_t,s0)
+/usr/sbin/amtu	--	gen_context(system_u:object_r:amtu_exec_t,s0)

policy/modules/contrib/amtu.if

@@ -0,0 +1,74 @@
+## <summary>Abstract Machine Test Utility.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run Amtu.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`amtu_domtrans',`
+	gen_require(`
+		type amtu_t, amtu_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, amtu_exec_t, amtu_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run
+##	Amtu, and allow the specified role
+##	the Amtu domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`amtu_run',`
+	gen_require(`
+		attribute_role amtu_roles;
+	')
+
+	amtu_domtrans($1)
+	roleattribute $2 amtu_roles;
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an amtu environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`amtu_admin',`
+	gen_require(`
+		type amtu_t, amtu_initrc_exec_t;
+	')
+
+	allow $1 amtu_t:process { ptrace signal_perms };
+	ps_process_pattern($1, amtu_t)
+
+	init_startstop_service($1, $2, amtu_t, amtu_initrc_exec_t)
+')

policy/modules/contrib/amtu.te

@@ -0,0 +1,39 @@
+policy_module(amtu, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role amtu_roles;
+
+type amtu_t;
+type amtu_exec_t;
+init_system_domain(amtu_t, amtu_exec_t)
+role amtu_roles types amtu_t;
+
+type amtu_initrc_exec_t;
+init_script_file(amtu_initrc_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+kernel_read_system_state(amtu_t)
+
+files_manage_boot_files(amtu_t)
+files_read_etc_runtime_files(amtu_t)
+files_read_etc_files(amtu_t)
+
+logging_send_audit_msgs(amtu_t)
+
+userdom_use_user_terminals(amtu_t)
+
+optional_policy(`
+	nscd_dontaudit_search_pid(amtu_t)
+')
+
+optional_policy(`
+	seutil_use_newrole_fds(amtu_t)
+')

policy/modules/contrib/anaconda.fc

@@ -0,0 +1 @@
+# No file context specifications.

policy/modules/contrib/anaconda.if

@@ -0,0 +1 @@
+## <summary>Anaconda installer.</summary>

policy/modules/contrib/anaconda.te

@@ -0,0 +1,54 @@
+policy_module(anaconda, 1.8.0)
+
+gen_require(`
+	class passwd all_passwd_perms;
+')
+
+########################################
+#
+# Declarations
+#
+
+type anaconda_t;
+type anaconda_exec_t;
+domain_type(anaconda_t)
+domain_entry_file(anaconda_t, anaconda_exec_t)
+domain_obj_id_change_exemption(anaconda_t)
+role system_r types anaconda_t;
+
+########################################
+#
+# Local policy
+#
+
+allow anaconda_t self:process execmem;
+allow anaconda_t self:passwd { rootok passwd chfn chsh };
+
+kernel_domtrans_to(anaconda_t, anaconda_exec_t)
+
+init_domtrans_script(anaconda_t)
+
+logging_send_syslog_msg(anaconda_t)
+
+modutils_domtrans(anaconda_t)
+
+seutil_domtrans_semanage(anaconda_t)
+
+userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+	rpm_domtrans(anaconda_t)
+	rpm_domtrans_script(anaconda_t)
+')
+
+optional_policy(`
+	ssh_domtrans_keygen(anaconda_t)
+')
+
+optional_policy(`
+	udev_domtrans(anaconda_t)
+')
+
+optional_policy(`
+	unconfined_domain_noaudit(anaconda_t)
+')

policy/modules/contrib/apache.fc

@@ -0,0 +1,204 @@
+HOME_DIR/((www)|(web)|(public_html))(/.+)?			gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?		gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess	--	gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
+
+/etc/apache(2)?(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)?					gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/cherokee(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal.*							gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/glpi(/.*)?							gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/hiawatha(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/horde(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab					--	gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs							gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules						gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)?						gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/etc/rc\.d/init\.d/cherokee				--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hiawatha				--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/httpd				--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lighttpd				--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
+/etc/vhosts						--	gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/zabbix/web(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/opt/.*\.cgi						--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
+
+/srv/([^/]*/)?www(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/.*\.cgi						--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/usr/bin/apache(2)?					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache(2)?ctl					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache-ssl(2)?					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cgi-wrapper					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cherokee					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/hiawatha					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/htsslpass					--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/httpd\.event					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/httpd(\.worker)?				--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/lighttpd					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/mongrel_rails					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/rotatelogs					--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/bin/ssi-cgi					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/suexec						--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/bin/wigwam						--	gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/usr/lib/apache-ssl/.+					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/apache(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache2/modules(/.*)?					gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(2)?/suexec(2)?				--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cgi-bin(/.*)?						gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?			--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cherokee(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/dirsrv/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/httpd(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/systemd/system/apache[^/]*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
+/usr/lib/systemd/system/httpd.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
+/usr/lib/systemd/system/jetty.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
+
+/usr/libexec/httpd-ssl-pass-dialog			--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+
+/usr/sbin/apache(2)?					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache-ssl(2)?				--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cgi-wrapper					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cherokee					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/hiawatha					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd\.event					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd(\.worker)?				--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs					--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec					--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/sbin/wigwam					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+
+ifdef(`distro_suse',`
+/usr/sbin/httpd2-.*					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+')
+
+/usr/share/dirsrv(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal.*						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/glpi(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/jetty/bin/jetty\.sh				--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/share/mythweb(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb/mythweb\.pl					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/data(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/postfixadmin/templates_c(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress/.*\.php				--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-config\.php			--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php		--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/cache/apache2(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/httpd(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.*						gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.*						gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-eaccelerator(/.*)?				gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-mmcache(/.*)?					gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt3(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem					--	gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)?					gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cherokee(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dav(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dokuwiki(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal.*						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/glpi(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/hiawatha(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/htdig(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)?					gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/pootle/po(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/rt3/data/RT-Shredder(/.*)?				gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/squirrelmail/prefs(/.*)?				gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/stickshift/.httpd.d(/.*)?				gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)?					gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/lock/apache2(/.*)?						gen_context(system_u:object_r:httpd_lock_t,s0)
+
+/var/log/apache(2)?(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/dirsrv/admin-serv(/.*)?				gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/glpi(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/hiawatha(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/mlogc(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/httpd(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horde2(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/piranha(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/run/apache.*							gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/dirsrv/admin-serv.*					gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/gcache_port					-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/httpd.*							gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/mod_.*							gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/wsgi.*						-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/user/apache(/.*)?						gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+/var/spool/gosa(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)?					gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)?							gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)?					gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/roundcubemail/logs(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/roundcubemail/temp(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)?						gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/gallery/albums(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/[^/]*/cgi-bin(/.*)?				gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/html/[^/]*/sites/default/settings\.php		--	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/[^/]*/sites/default/files(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/configuration\.php				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/wp-content(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)?					gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www/moodledata(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/nextcloud/config(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/nextcloud/data(.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www(/.*)?/nextcloud/apps(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/perl(/.*)?						gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/sessions(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/www/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/conf(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/svn/hooks(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/uploads(/.*)?						gen_context(system_u:object_r:httpd_cache_t,s0)

policy/modules/contrib/apcupsd.fc

@@ -0,0 +1,20 @@
+/etc/rc\.d/init\.d/apcupsd	--	gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_t,s0)
+
+/usr/bin/apcupsd	--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+/usr/sbin/apcupsd	--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+/var/lock/subsys/apcupsd	--	gen_context(system_u:object_r:apcupsd_lock_t,s0)
+
+/var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
+/var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
+
+/run/apcupsd\.pid	--	gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
+/var/www/apcupsd/multimon\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsfstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/cgi-bin/apcgui(/.*)?	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)

policy/modules/contrib/apcupsd.if

@@ -0,0 +1,165 @@
+## <summary>APC UPS monitoring daemon.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to
+##	run apcupsd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apcupsd_domtrans',`
+	gen_require(`
+		type apcupsd_t, apcupsd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
+')
+
+########################################
+## <summary>
+##	Execute apcupsd server in the
+##	apcupsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`apcupsd_initrc_domtrans',`
+	gen_require(`
+		type apcupsd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read apcupsd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apcupsd_read_pid_files',`
+	gen_require(`
+		type apcupsd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 apcupsd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read apcupsd log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apcupsd_read_log',`
+	gen_require(`
+		type apcupsd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 apcupsd_log_t:dir list_dir_perms;
+	allow $1 apcupsd_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Append apcupsd log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`apcupsd_append_log',`
+	gen_require(`
+		type apcupsd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 apcupsd_log_t:dir list_dir_perms;
+	allow $1 apcupsd_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to
+##	run httpd_apcupsd_cgi_script.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apcupsd_cgi_script_domtrans',`
+	gen_require(`
+		type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
+	')
+
+	files_search_var($1)
+	domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
+
+	optional_policy(`
+		apache_search_sys_content($1)
+	')
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an apcupsd environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apcupsd_admin',`
+	gen_require(`
+		type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
+		type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
+	')
+
+	allow $1 apcupsd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, apcupsd_t)
+
+	init_startstop_service($1, $2, apcupsd_t, apcupsd_initrc_exec_t)
+
+	files_list_var($1)
+	admin_pattern($1, apcupsd_lock_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, apcupsd_log_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, apcupsd_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, apcupsd_var_run_t)
+')

policy/modules/contrib/apcupsd.te

@@ -0,0 +1,130 @@
+policy_module(apcupsd, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+type apcupsd_t;
+type apcupsd_exec_t;
+init_daemon_domain(apcupsd_t, apcupsd_exec_t)
+
+type apcupsd_lock_t;
+files_lock_file(apcupsd_lock_t)
+
+type apcupsd_initrc_exec_t;
+init_script_file(apcupsd_initrc_exec_t)
+
+type apcupsd_log_t;
+logging_log_file(apcupsd_log_t)
+
+type apcupsd_tmp_t;
+files_tmp_file(apcupsd_tmp_t)
+
+type apcupsd_unit_t;
+init_unit_file(apcupsd_unit_t)
+
+type apcupsd_var_run_t;
+files_pid_file(apcupsd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
+allow apcupsd_t self:process signal;
+allow apcupsd_t self:fifo_file rw_file_perms;
+allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
+allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+
+allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
+files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
+
+append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
+
+manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
+files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file)
+
+manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t)
+files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file)
+
+kernel_read_system_state(apcupsd_t)
+
+corecmd_exec_bin(apcupsd_t)
+corecmd_exec_shell(apcupsd_t)
+
+corenet_all_recvfrom_unlabeled(apcupsd_t)
+corenet_all_recvfrom_netlabel(apcupsd_t)
+corenet_tcp_sendrecv_generic_if(apcupsd_t)
+corenet_tcp_sendrecv_generic_node(apcupsd_t)
+corenet_tcp_bind_generic_node(apcupsd_t)
+corenet_udp_sendrecv_generic_if(apcupsd_t)
+corenet_udp_sendrecv_generic_node(apcupsd_t)
+corenet_udp_bind_generic_node(apcupsd_t)
+
+corenet_tcp_bind_apcupsd_port(apcupsd_t)
+corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
+corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
+corenet_tcp_connect_apcupsd_port(apcupsd_t)
+
+corenet_udp_bind_snmp_port(apcupsd_t)
+corenet_sendrecv_snmp_server_packets(apcupsd_t)
+corenet_udp_sendrecv_snmp_port(apcupsd_t)
+
+dev_rw_generic_usb_dev(apcupsd_t)
+
+files_read_etc_files(apcupsd_t)
+files_manage_etc_runtime_files(apcupsd_t)
+files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
+
+term_use_unallocated_ttys(apcupsd_t)
+
+logging_send_syslog_msg(apcupsd_t)
+
+miscfiles_read_localization(apcupsd_t)
+
+sysnet_dns_name_resolve(apcupsd_t)
+
+userdom_use_user_ttys(apcupsd_t)
+
+optional_policy(`
+	hostname_exec(apcupsd_t)
+')
+
+optional_policy(`
+	mta_send_mail(apcupsd_t)
+	mta_system_content(apcupsd_tmp_t)
+')
+
+optional_policy(`
+	shutdown_domtrans(apcupsd_t)
+')
+
+########################################
+#
+# CGI local policy
+#
+
+optional_policy(`
+	apache_content_template(apcupsd_cgi)
+
+	allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+
+	corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
+	corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+	corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t)
+	corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+
+	sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
+')

policy/modules/contrib/apt.fc

@@ -0,0 +1,23 @@
+/etc/cron\.daily/apt	--	gen_context(system_u:object_r:apt_exec_t,s0)
+
+ifndef(`distro_redhat',`
+/usr/bin/apt-get	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/lib/packagekit/packagekitd	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
+/var/lib/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
+')
+
+/var/cache/apt(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
+
+/var/lib/apt(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/aptitude(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/apt-xapian-inde(x)(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+/var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
+
+/var/log/aptitude.*	gen_context(system_u:object_r:apt_var_log_t,s0)
+
+/var/log/apt(/.*)?	gen_context(system_u:object_r:apt_var_log_t,s0)

policy/modules/contrib/apt.if

@@ -0,0 +1,259 @@
+## <summary>Advanced package tool.</summary>
+
+########################################
+## <summary>
+##	Execute apt programs in the apt domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`apt_domtrans',`
+	gen_require(`
+		type apt_t, apt_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, apt_exec_t, apt_t)
+')
+
+########################################
+## <summary>
+##	Execute the apt in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_exec',`
+	gen_require(`
+		type apt_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, apt_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute apt programs in the apt domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apt_run',`
+	gen_require(`
+		attribute_role apt_roles;
+	')
+
+	apt_domtrans($1)
+	roleattribute $2 apt_roles;
+')
+
+########################################
+## <summary>
+##	Use apt file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_use_fds',`
+	gen_require(`
+		type apt_t;
+	')
+
+	allow $1 apt_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use
+##	apt file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apt_dontaudit_use_fds',`
+	gen_require(`
+		type apt_t;
+	')
+
+	dontaudit $1 apt_t:fd use;
+')
+
+########################################
+## <summary>
+##	Read apt unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_read_pipes',`
+	gen_require(`
+		type apt_t;
+	')
+
+	allow $1 apt_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write apt unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_rw_pipes',`
+	gen_require(`
+		type apt_t;
+	')
+
+	allow $1 apt_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write apt ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_use_ptys',`
+	gen_require(`
+		type apt_devpts_t;
+	')
+
+	allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Read apt package cache content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_read_cache',`
+	gen_require(`
+		type apt_var_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 apt_var_cache_t:dir list_dir_perms;
+	allow $1 apt_var_cache_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete apt package cache content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_manage_cache',`
+	gen_require(`
+		type apt_var_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 apt_var_cache_t:dir manage_dir_perms;
+	allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Read apt package database content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_read_db',`
+	gen_require(`
+		type apt_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 apt_var_lib_t:dir list_dir_perms;
+	read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+	read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	apt package database content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_manage_db',`
+	gen_require(`
+		type apt_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+	manage_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create,
+##	read, write, and delete apt
+##	package database content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apt_dontaudit_manage_db',`
+	gen_require(`
+		type apt_var_lib_t;
+	')
+
+	dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
+	dontaudit $1 apt_var_lib_t:file manage_file_perms;
+	dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
+')

policy/modules/contrib/apt.te

@@ -0,0 +1,171 @@
+policy_module(apt, 1.11.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role apt_roles;
+
+type apt_t;
+type apt_exec_t;
+init_system_domain(apt_t, apt_exec_t)
+domain_system_change_exemption(apt_t)
+role apt_roles types apt_t;
+
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
+type apt_lock_t;
+files_lock_file(apt_lock_t)
+
+type apt_tmp_t;
+files_tmp_file(apt_tmp_t)
+
+type apt_tmpfs_t;
+files_tmpfs_file(apt_tmpfs_t)
+
+type apt_var_cache_t alias var_cache_apt_t;
+files_type(apt_var_cache_t)
+
+type apt_var_lib_t alias var_lib_apt_t;
+files_type(apt_var_lib_t)
+
+type apt_var_log_t;
+logging_log_file(apt_var_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
+allow apt_t self:process { signal setpgid fork };
+allow apt_t self:fd use;
+allow apt_t self:fifo_file rw_fifo_file_perms;
+allow apt_t self:unix_dgram_socket sendto;
+allow apt_t self:unix_stream_socket { accept connectto listen };
+allow apt_t self:udp_socket { connect create_socket_perms };
+allow apt_t self:tcp_socket create_stream_socket_perms;
+allow apt_t self:shm create_shm_perms;
+allow apt_t self:sem create_sem_perms;
+allow apt_t self:msgq create_msgq_perms;
+allow apt_t self:msg { send receive };
+allow apt_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow apt_t apt_lock_t:dir manage_dir_perms;
+allow apt_t apt_lock_t:file manage_file_perms;
+files_lock_filetrans(apt_t, apt_lock_t, { dir file })
+
+manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
+
+manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+files_var_filetrans(apt_t, apt_var_cache_t, dir)
+
+manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
+files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
+
+allow apt_t apt_var_log_t:file manage_file_perms;
+allow apt_t apt_var_log_t:dir manage_dir_perms;
+logging_log_filetrans(apt_t, apt_var_log_t, file)
+
+can_exec(apt_t, apt_exec_t)
+
+kernel_read_system_state(apt_t)
+kernel_read_kernel_sysctls(apt_t)
+
+corecmd_exec_bin(apt_t)
+corecmd_exec_shell(apt_t)
+
+corenet_all_recvfrom_unlabeled(apt_t)
+corenet_all_recvfrom_netlabel(apt_t)
+corenet_tcp_sendrecv_generic_if(apt_t)
+corenet_tcp_sendrecv_generic_node(apt_t)
+corenet_tcp_sendrecv_all_ports(apt_t)
+
+corenet_sendrecv_all_client_packets(apt_t)
+corenet_tcp_connect_all_ports(apt_t)
+
+dev_list_sysfs(apt_t)
+dev_read_urand(apt_t)
+
+domain_getattr_all_domains(apt_t)
+domain_use_interactive_fds(apt_t)
+
+files_exec_usr_files(apt_t)
+files_read_etc_files(apt_t)
+files_read_etc_runtime_files(apt_t)
+
+fs_getattr_all_fs(apt_t)
+
+term_create_pty(apt_t, apt_devpts_t)
+term_list_ptys(apt_t)
+term_use_all_terms(apt_t)
+
+libs_exec_ld_so(apt_t)
+libs_exec_lib_files(apt_t)
+
+logging_send_syslog_msg(apt_t)
+
+miscfiles_read_localization(apt_t)
+
+seutil_use_newrole_fds(apt_t)
+
+sysnet_read_config(apt_t)
+
+userdom_use_user_terminals(apt_t)
+
+optional_policy(`
+	backup_manage_store_files(apt_t)
+')
+
+optional_policy(`
+	cron_system_entry(apt_t, apt_exec_t)
+')
+
+optional_policy(`
+	dbus_system_domain(apt_t, apt_exec_t)
+
+	optional_policy(`
+		# for packagekitd
+		policykit_dbus_chat(apt_t)
+	')
+
+	optional_policy(`
+		unconfined_dbus_send(apt_t)
+	')
+')
+
+optional_policy(`
+	dpkg_read_db(apt_t)
+	dpkg_domtrans(apt_t)
+	dpkg_lock_db(apt_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(apt_t)
+')
+
+optional_policy(`
+	# rkhunter trigger
+	rkhunter_domtrans(apt_t)
+')
+
+optional_policy(`
+	rpm_read_db(apt_t)
+	rpm_domtrans(apt_t)
+')
+
+optional_policy(`
+	unconfined_domain(apt_t)
+')

policy/modules/contrib/arpwatch.fc

@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/arpwatch		--	gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/arpwatch[^/]*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+
+/usr/bin/arpwatch			--	gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
+/usr/sbin/arpwatch			--	gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
+/var/arpwatch(/.*)?				gen_context(system_u:object_r:arpwatch_data_t,s0)
+
+/var/lib/arpwatch(/.*)?				gen_context(system_u:object_r:arpwatch_data_t,s0)
+
+/run/arpwatch.*\.pid			--	gen_context(system_u:object_r:arpwatch_pid_t,s0)

policy/modules/contrib/arpwatch.if

@@ -0,0 +1,155 @@
+## <summary>Ethernet activity monitor.</summary>
+
+########################################
+## <summary>
+##	Execute arpwatch server in the
+##	arpwatch domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_initrc_domtrans',`
+	gen_require(`
+		type arpwatch_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Search arpwatch data file directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_search_data',`
+	gen_require(`
+		type arpwatch_data_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 arpwatch_data_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	arpwatch data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_manage_data_files',`
+	gen_require(`
+		type arpwatch_data_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
+')
+
+########################################
+## <summary>
+##	Read and write arpwatch temporary
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_rw_tmp_files',`
+	gen_require(`
+		type arpwatch_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 arpwatch_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	arpwatch temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_manage_tmp_files',`
+	gen_require(`
+		type arpwatch_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 arpwatch_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and
+##	write arpwatch packet sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_dontaudit_rw_packet_sockets',`
+	gen_require(`
+		type arpwatch_t;
+	')
+
+	dontaudit $1 arpwatch_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an arpwatch environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`arpwatch_admin',`
+	gen_require(`
+		type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
+		type arpwatch_data_t, arpwatch_pid_t, arpwatch_unit_t;
+	')
+
+	admin_process_pattern($1, arpwatch_t)
+
+	init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t, arpwatch_unit_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, arpwatch_tmp_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, arpwatch_data_t)
+
+	files_search_pids($1)
+	admin_pattern($1, arpwatch_pid_t)
+')

policy/modules/contrib/arpwatch.te

@@ -0,0 +1,90 @@
+policy_module(arpwatch, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+type arpwatch_t;
+type arpwatch_exec_t;
+init_daemon_domain(arpwatch_t, arpwatch_exec_t)
+
+type arpwatch_initrc_exec_t;
+init_script_file(arpwatch_initrc_exec_t)
+
+type arpwatch_data_t;
+files_type(arpwatch_data_t)
+
+type arpwatch_tmp_t;
+files_tmp_file(arpwatch_tmp_t)
+
+type arpwatch_unit_t;
+init_unit_file(arpwatch_unit_t)
+
+type arpwatch_pid_t alias arpwatch_var_run_t;
+files_pid_file(arpwatch_pid_t)
+
+########################################
+#
+# Local policy
+#
+
+allow arpwatch_t self:capability { dac_override net_admin net_raw setgid setuid };
+allow arpwatch_t self:process signal_perms;
+allow arpwatch_t self:unix_stream_socket { accept listen };
+allow arpwatch_t self:tcp_socket { accept listen };
+allow arpwatch_t self:packet_socket create_socket_perms;
+allow arpwatch_t self:socket { create ioctl };
+allow arpwatch_t self:netlink_netfilter_socket { create read write };
+
+manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+manage_lnk_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+
+manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
+manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
+files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
+
+manage_files_pattern(arpwatch_t, arpwatch_pid_t, arpwatch_pid_t)
+files_pid_filetrans(arpwatch_t, arpwatch_pid_t, file)
+
+kernel_read_kernel_sysctls(arpwatch_t)
+kernel_read_network_state(arpwatch_t)
+kernel_read_system_state(arpwatch_t)
+kernel_request_load_module(arpwatch_t)
+# /sys/kernel/debug/usb/usbmon/\d+t
+kernel_dontaudit_search_debugfs(arpwatch_t)
+
+# /sys/class/net
+dev_read_sysfs(arpwatch_t)
+dev_read_usbmon_dev(arpwatch_t)
+dev_rw_generic_usb_dev(arpwatch_t)
+
+fs_getattr_all_fs(arpwatch_t)
+fs_search_auto_mountpoints(arpwatch_t)
+
+domain_use_interactive_fds(arpwatch_t)
+
+files_read_usr_files(arpwatch_t)
+files_search_var_lib(arpwatch_t)
+
+auth_use_nsswitch(arpwatch_t)
+
+logging_send_syslog_msg(arpwatch_t)
+
+miscfiles_read_localization(arpwatch_t)
+
+userdom_dontaudit_search_user_home_dirs(arpwatch_t)
+userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
+
+optional_policy(`
+	mta_send_mail(arpwatch_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(arpwatch_t)
+')
+
+optional_policy(`
+	udev_read_db(arpwatch_t)
+')

policy/modules/contrib/asterisk.fc

@@ -0,0 +1,15 @@
+/etc/asterisk(/.*)?	gen_context(system_u:object_r:asterisk_etc_t,s0)
+
+/etc/rc\.d/init\.d/asterisk	--	gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
+
+/usr/bin/asterisk	--	gen_context(system_u:object_r:asterisk_exec_t,s0)
+
+/usr/sbin/asterisk	--	gen_context(system_u:object_r:asterisk_exec_t,s0)
+
+/var/lib/asterisk(/.*)?	gen_context(system_u:object_r:asterisk_var_lib_t,s0)
+
+/var/log/asterisk(/.*)?	gen_context(system_u:object_r:asterisk_log_t,s0)
+
+/run/asterisk.*	gen_context(system_u:object_r:asterisk_var_run_t,s0)
+
+/var/spool/asterisk(/.*)?	gen_context(system_u:object_r:asterisk_spool_t,s0)

policy/modules/contrib/asterisk.if

@@ -0,0 +1,151 @@
+## <summary>Asterisk IP telephony server.</summary>
+
+######################################
+## <summary>
+##	Execute asterisk in the asterisk domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`asterisk_domtrans',`
+	gen_require(`
+		type asterisk_t, asterisk_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, asterisk_exec_t, asterisk_t)
+')
+
+######################################
+## <summary>
+##	Execute asterisk in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`asterisk_exec',`
+	gen_require(`
+		type asterisk_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, asterisk_exec_t)
+')
+
+#####################################
+## <summary>
+##	Connect to asterisk over a unix domain.
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`asterisk_stream_connect',`
+	gen_require(`
+		type asterisk_t, asterisk_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
+')
+
+#######################################
+## <summary>
+##	Set attributes of asterisk log
+##	files and directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`asterisk_setattr_logs',`
+	gen_require(`
+		type asterisk_log_t;
+	')
+
+	setattr_files_pattern($1, asterisk_log_t, asterisk_log_t)
+	setattr_dirs_pattern($1, asterisk_log_t, asterisk_log_t)
+	logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+##	Set attributes of the asterisk
+##	PID content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`asterisk_setattr_pid_files',`
+	gen_require(`
+		type asterisk_var_run_t;
+	')
+
+	setattr_files_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
+	setattr_dirs_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an asterisk environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`asterisk_admin',`
+	gen_require(`
+		type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
+		type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
+		type asterisk_var_lib_t, asterisk_initrc_exec_t;
+	')
+
+	allow $1 asterisk_t:process { ptrace signal_perms };
+	ps_process_pattern($1, asterisk_t)
+
+	init_startstop_service($1, $2, asterisk_t, asterisk_initrc_exec_t)
+
+	asterisk_exec($1)
+
+	files_list_tmp($1)
+	admin_pattern($1, asterisk_tmp_t)
+
+	files_list_etc($1)
+	admin_pattern($1, asterisk_etc_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, asterisk_log_t)
+
+	files_list_spool($1)
+	admin_pattern($1, asterisk_spool_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, asterisk_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, asterisk_var_run_t)
+')

policy/modules/contrib/asterisk.te

@@ -0,0 +1,193 @@
+policy_module(asterisk, 1.18.0)
+
+########################################
+#
+# Declarations
+#
+
+type asterisk_t;
+type asterisk_exec_t;
+init_daemon_domain(asterisk_t, asterisk_exec_t)
+
+type asterisk_initrc_exec_t;
+init_script_file(asterisk_initrc_exec_t)
+
+type asterisk_etc_t;
+files_config_file(asterisk_etc_t)
+
+type asterisk_log_t;
+logging_log_file(asterisk_log_t)
+
+type asterisk_spool_t;
+files_type(asterisk_spool_t)
+
+type asterisk_tmp_t;
+files_tmp_file(asterisk_tmp_t)
+
+type asterisk_tmpfs_t;
+files_tmpfs_file(asterisk_tmpfs_t)
+
+type asterisk_var_lib_t;
+files_type(asterisk_var_lib_t)
+
+type asterisk_var_run_t;
+files_pid_file(asterisk_var_run_t)
+init_daemon_pid_file(asterisk_var_run_t, dir, "asterisk")
+
+########################################
+#
+# Local policy
+#
+
+allow asterisk_t self:capability { chown dac_override net_admin setgid setuid sys_nice };
+dontaudit asterisk_t self:capability { sys_module sys_tty_config };
+allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
+allow asterisk_t self:fifo_file rw_fifo_file_perms;
+allow asterisk_t self:sem create_sem_perms;
+allow asterisk_t self:shm create_shm_perms;
+allow asterisk_t self:unix_stream_socket { accept connectto listen };
+allow asterisk_t self:tcp_socket { accept listen };
+
+allow asterisk_t asterisk_etc_t:dir list_dir_perms;
+read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+
+manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir })
+
+manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })
+
+manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
+files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir })
+
+manage_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_lnk_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_fifo_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+manage_sock_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
+fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+
+manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+
+can_exec(asterisk_t, asterisk_exec_t)
+
+kernel_read_kernel_sysctls(asterisk_t)
+kernel_read_network_state(asterisk_t)
+kernel_read_system_state(asterisk_t)
+kernel_request_load_module(asterisk_t)
+
+corecmd_exec_bin(asterisk_t)
+corecmd_exec_shell(asterisk_t)
+
+corenet_all_recvfrom_unlabeled(asterisk_t)
+corenet_all_recvfrom_netlabel(asterisk_t)
+corenet_tcp_sendrecv_generic_if(asterisk_t)
+corenet_udp_sendrecv_generic_if(asterisk_t)
+corenet_tcp_sendrecv_generic_node(asterisk_t)
+corenet_udp_sendrecv_generic_node(asterisk_t)
+corenet_tcp_sendrecv_all_ports(asterisk_t)
+corenet_udp_sendrecv_all_ports(asterisk_t)
+corenet_tcp_bind_generic_node(asterisk_t)
+corenet_udp_bind_generic_node(asterisk_t)
+
+corenet_sendrecv_asterisk_server_packets(asterisk_t)
+corenet_tcp_bind_asterisk_port(asterisk_t)
+corenet_udp_bind_asterisk_port(asterisk_t)
+
+corenet_sendrecv_embrace_dp_c_client_packets(asterisk_t)
+corenet_tcp_connect_embrace_dp_c_port(asterisk_t)
+
+corenet_sendrecv_sip_server_packets(asterisk_t)
+corenet_tcp_bind_sip_port(asterisk_t)
+corenet_udp_bind_sip_port(asterisk_t)
+
+corenet_sendrecv_generic_server_packets(asterisk_t)
+corenet_tcp_bind_generic_port(asterisk_t)
+corenet_udp_bind_generic_port(asterisk_t)
+corenet_dontaudit_udp_bind_all_ports(asterisk_t)
+
+corenet_sendrecv_jabber_client_client_packets(asterisk_t)
+corenet_tcp_connect_jabber_client_port(asterisk_t)
+
+corenet_sendrecv_pdps_client_packets(asterisk_t)
+corenet_tcp_connect_pdps_port(asterisk_t)
+
+corenet_sendrecv_pktcable_cops_client_packets(asterisk_t)
+corenet_tcp_connect_pktcable_cops_port(asterisk_t)
+
+corenet_sendrecv_sip_client_packets(asterisk_t)
+corenet_tcp_connect_sip_port(asterisk_t)
+
+dev_rw_generic_usb_dev(asterisk_t)
+dev_read_sysfs(asterisk_t)
+dev_read_sound(asterisk_t)
+dev_write_sound(asterisk_t)
+dev_read_rand(asterisk_t)
+dev_read_urand(asterisk_t)
+
+domain_use_interactive_fds(asterisk_t)
+
+files_read_usr_files(asterisk_t)
+files_search_spool(asterisk_t)
+files_dontaudit_search_home(asterisk_t)
+
+fs_getattr_all_fs(asterisk_t)
+fs_list_inotifyfs(asterisk_t)
+fs_read_anon_inodefs_files(asterisk_t)
+fs_search_auto_mountpoints(asterisk_t)
+
+auth_use_nsswitch(asterisk_t)
+
+logging_search_logs(asterisk_t)
+logging_send_syslog_msg(asterisk_t)
+
+miscfiles_read_localization(asterisk_t)
+
+userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+userdom_dontaudit_search_user_home_dirs(asterisk_t)
+
+optional_policy(`
+	alsa_read_config(asterisk_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(asterisk_t)
+	mysql_tcp_connect(asterisk_t)
+')
+
+optional_policy(`
+	mta_send_mail(asterisk_t)
+	mta_system_content(asterisk_tmp_t)
+')
+
+optional_policy(`
+	postfix_domtrans_postdrop(asterisk_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(asterisk_t)
+	postgresql_tcp_connect(asterisk_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(asterisk_t)
+')
+
+optional_policy(`
+	snmp_read_snmp_var_lib_files(asterisk_t)
+	snmp_stream_connect(asterisk_t)
+	snmp_tcp_connect(asterisk_t)
+')
+
+optional_policy(`
+	udev_read_db(asterisk_t)
+')

policy/modules/contrib/automount.fc

@@ -0,0 +1,12 @@
+/etc/apm/event\.d/autofs	--	gen_context(system_u:object_r:automount_exec_t,s0)
+/etc/rc\.d/init\.d/autofs	--	gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/autofs.*\.service -- gen_context(system_u:object_r:automount_unit_t,s0)
+
+/usr/bin/automount	--	gen_context(system_u:object_r:automount_exec_t,s0)
+
+/usr/sbin/automount	--	gen_context(system_u:object_r:automount_exec_t,s0)
+
+/var/lock/subsys/autofs	--	gen_context(system_u:object_r:automount_lock_t,s0)
+
+/run/autofs.*	gen_context(system_u:object_r:automount_var_run_t,s0)

policy/modules/contrib/automount.if

@@ -0,0 +1,160 @@
+## <summary>Filesystem automounter service.</summary>
+
+########################################
+## <summary>
+##	Execute automount in the automount domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`automount_domtrans',`
+	gen_require(`
+		type automount_t, automount_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, automount_exec_t, automount_t)
+')
+
+########################################
+## <summary>
+##	Send generic signals to automount.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`automount_signal',`
+	gen_require(`
+		type automount_t;
+	')
+
+	allow $1 automount_t:process signal;
+')
+
+########################################
+## <summary>
+##	Read automount process state.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow access.
+##	</summary>
+## </param>
+#
+interface(`automount_read_state',`
+	gen_require(`
+		type automount_t;
+	')
+
+	kernel_search_proc($1)
+	allow $1 automount_t:dir list_dir_perms;
+	read_files_pattern($1, automount_t, automount_t)
+	read_lnk_files_pattern($1, automount_t, automount_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use
+##	automount file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`automount_dontaudit_use_fds',`
+	gen_require(`
+		type automount_t;
+	')
+
+	dontaudit $1 automount_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write
+##	automount unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`automount_dontaudit_write_pipes',`
+	gen_require(`
+		type automount_t;
+	')
+
+	dontaudit $1 automount_t:fifo_file write;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get
+##	attributes of automount temporary
+##	directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`automount_dontaudit_getattr_tmp_dirs',`
+	gen_require(`
+		type automount_tmp_t;
+	')
+
+	dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an automount environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`automount_admin',`
+	gen_require(`
+		type automount_t, automount_lock_t, automount_tmp_t;
+		type automount_var_run_t, automount_initrc_exec_t;
+		type automount_keytab_t;
+	')
+
+	allow $1 automount_t:process { ptrace signal_perms };
+	ps_process_pattern($1, automount_t)
+
+	init_startstop_service($1, $2, automount_t, automount_initrc_exec_t)
+
+	files_list_etc($1)
+	admin_pattern($1, automount_keytab_t)
+
+	files_list_var($1)
+	admin_pattern($1, automount_lock_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, automount_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, automount_var_run_t)
+')

policy/modules/contrib/automount.te

@@ -0,0 +1,171 @@
+policy_module(automount, 1.19.0)
+
+########################################
+#
+# Declarations
+#
+
+type automount_t;
+type automount_exec_t;
+init_daemon_domain(automount_t, automount_exec_t)
+
+type automount_initrc_exec_t;
+init_script_file(automount_initrc_exec_t)
+
+type automount_keytab_t;
+files_type(automount_keytab_t)
+
+type automount_lock_t;
+files_lock_file(automount_lock_t)
+
+type automount_tmp_t;
+files_tmp_file(automount_tmp_t)
+files_mountpoint(automount_tmp_t)
+
+type automount_unit_t;
+init_unit_file(automount_unit_t)
+
+type automount_var_run_t;
+files_pid_file(automount_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow automount_t self:capability { dac_override setgid setuid sys_admin sys_nice sys_resource };
+dontaudit automount_t self:capability sys_tty_config;
+allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+allow automount_t self:fifo_file rw_fifo_file_perms;
+allow automount_t self:tcp_socket { accept listen };
+allow automount_t self:rawip_socket create_socket_perms;
+
+can_exec(automount_t, automount_exec_t)
+
+allow automount_t automount_keytab_t:file read_file_perms;
+
+allow automount_t automount_lock_t:file manage_file_perms;
+files_lock_filetrans(automount_t, automount_lock_t, file)
+
+manage_dirs_pattern(automount_t, automount_tmp_t, automount_tmp_t)
+manage_files_pattern(automount_t, automount_tmp_t, automount_tmp_t)
+files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
+files_home_filetrans(automount_t, automount_tmp_t, dir)
+files_root_filetrans(automount_t, automount_tmp_t, dir)
+
+manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
+
+kernel_read_kernel_sysctls(automount_t)
+kernel_read_irq_sysctls(automount_t)
+kernel_read_fs_sysctls(automount_t)
+kernel_read_vm_sysctls(automount_t)
+kernel_read_proc_symlinks(automount_t)
+kernel_read_system_state(automount_t)
+kernel_read_network_state(automount_t)
+kernel_list_proc(automount_t)
+kernel_getattr_unlabeled_dirs(automount_t)
+kernel_dontaudit_search_xen_state(automount_t)
+
+corecmd_exec_bin(automount_t)
+corecmd_exec_shell(automount_t)
+
+corenet_all_recvfrom_unlabeled(automount_t)
+corenet_all_recvfrom_netlabel(automount_t)
+corenet_tcp_sendrecv_generic_if(automount_t)
+corenet_udp_sendrecv_generic_if(automount_t)
+corenet_tcp_sendrecv_generic_node(automount_t)
+corenet_udp_sendrecv_generic_node(automount_t)
+corenet_tcp_sendrecv_all_ports(automount_t)
+corenet_udp_sendrecv_all_ports(automount_t)
+corenet_tcp_bind_generic_node(automount_t)
+corenet_udp_bind_generic_node(automount_t)
+
+corenet_sendrecv_all_client_packets(automount_t)
+corenet_sendrecv_all_server_packets(automount_t)
+corenet_tcp_connect_portmap_port(automount_t)
+corenet_tcp_connect_all_ports(automount_t)
+# Automount execs showmount when you browse /net.  This is required until
+# Someone writes a showmount policy
+corenet_tcp_bind_reserved_port(automount_t)
+corenet_tcp_bind_all_rpc_ports(automount_t)
+corenet_udp_bind_reserved_port(automount_t)
+corenet_udp_bind_all_rpc_ports(automount_t)
+
+files_dontaudit_write_var_dirs(automount_t)
+files_getattr_all_dirs(automount_t)
+files_getattr_default_dirs(automount_t)
+files_getattr_home_dir(automount_t)
+files_exec_etc_files(automount_t)
+files_list_mnt(automount_t)
+files_manage_non_security_dirs(automount_t)
+files_mount_all_file_type_fs(automount_t)
+files_mounton_all_mountpoints(automount_t)
+files_mounton_mnt(automount_t)
+files_read_etc_runtime_files(automount_t)
+files_read_usr_files(automount_t)
+files_search_boot(automount_t)
+files_search_all(automount_t)
+files_unmount_all_file_type_fs(automount_t)
+
+fs_getattr_all_dirs(automount_t)
+fs_getattr_all_fs(automount_t)
+fs_manage_auto_mountpoints(automount_t)
+fs_manage_autofs_symlinks(automount_t)
+fs_mount_all_fs(automount_t)
+fs_mount_autofs(automount_t)
+fs_read_nfs_files(automount_t)
+fs_search_all(automount_t)
+fs_search_auto_mountpoints(automount_t)
+fs_unmount_all_fs(automount_t)
+fs_unmount_autofs(automount_t)
+
+dev_read_rand(automount_t)
+dev_read_sysfs(automount_t)
+dev_read_urand(automount_t)
+dev_rw_autofs(automount_t)
+
+domain_use_interactive_fds(automount_t)
+domain_dontaudit_read_all_domains_state(automount_t)
+
+storage_rw_fuse(automount_t)
+
+term_dontaudit_getattr_pty_dirs(automount_t)
+
+auth_use_nsswitch(automount_t)
+
+logging_send_syslog_msg(automount_t)
+logging_search_logs(automount_t)
+
+miscfiles_read_localization(automount_t)
+miscfiles_read_generic_certs(automount_t)
+
+mount_domtrans(automount_t)
+mount_signal(automount_t)
+
+userdom_dontaudit_use_unpriv_user_fds(automount_t)
+
+optional_policy(`
+	fstools_domtrans(automount_t)
+')
+
+optional_policy(`
+	kerberos_read_config(automount_t)
+	kerberos_read_keytab(automount_t)
+	kerberos_use(automount_t)
+	kerberos_dontaudit_write_config(automount_t)
+')
+
+optional_policy(`
+	samba_read_config(automount_t)
+	samba_manage_var_files(automount_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(automount_t)
+')
+
+optional_policy(`
+	udev_read_db(automount_t)
+')

policy/modules/contrib/avahi.fc

@@ -0,0 +1,15 @@
+/etc/rc\.d/init\.d/avahi.*	--	gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+
+/usr/bin/avahi-daemon	--	gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/bin/avahi-dnsconfd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/bin/avahi-autoipd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
+
+/usr/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_t,s0)
+
+/usr/sbin/avahi-daemon	--	gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-dnsconfd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-autoipd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
+
+/run/avahi-daemon(/.*)?	gen_context(system_u:object_r:avahi_var_run_t,s0)
+
+/var/lib/avahi-autoipd(/.*)?	gen_context(system_u:object_r:avahi_var_lib_t,s0)

policy/modules/contrib/avahi.if

@@ -0,0 +1,274 @@
+## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture.</summary>
+
+########################################
+## <summary>
+##	Execute avahi server in the avahi domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`avahi_domtrans',`
+	gen_require(`
+		type avahi_exec_t, avahi_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, avahi_exec_t, avahi_t)
+')
+
+########################################
+## <summary>
+##	Execute avahi init scripts in the
+##	init script domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`avahi_initrc_domtrans',`
+	gen_require(`
+		type avahi_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Send generic signals to avahi.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_signal',`
+	gen_require(`
+		type avahi_t;
+	')
+
+	allow $1 avahi_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send kill signals to avahi.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_kill',`
+	gen_require(`
+		type avahi_t;
+	')
+
+	allow $1 avahi_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Send null signals to avahi.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_signull',`
+	gen_require(`
+		type avahi_t;
+	')
+
+	allow $1 avahi_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	avahi over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_dbus_chat',`
+	gen_require(`
+		type avahi_t;
+		class dbus send_msg;
+	')
+
+	allow $1 avahi_t:dbus send_msg;
+	allow avahi_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Connect to avahi using a unix
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_stream_connect',`
+	gen_require(`
+		type avahi_t, avahi_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t)
+')
+
+########################################
+## <summary>
+##	Create avahi pid directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_create_pid_dirs',`
+	gen_require(`
+		type avahi_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 avahi_var_run_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Set attributes of avahi pid directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_setattr_pid_dirs',`
+	gen_require(`
+		type avahi_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 avahi_var_run_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, and write avahi pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_manage_pid_files',`
+	gen_require(`
+		type avahi_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, avahi_var_run_t, avahi_var_run_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search
+##	avahi pid directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`avahi_dontaudit_search_pid',`
+	gen_require(`
+		type avahi_var_run_t;
+	')
+
+	dontaudit $1 avahi_var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	pid directories with the avahi pid file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`avahi_filetrans_pid',`
+	gen_require(`
+		type avahi_var_run_t;
+	')
+
+	files_pid_filetrans($1, avahi_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an avahi environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`avahi_admin',`
+	gen_require(`
+		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+		type avahi_var_lib_t;
+	')
+
+	allow $1 avahi_t:process { ptrace signal_perms };
+	ps_process_pattern($1, avahi_t)
+
+	init_startstop_service($1, $2, avahi_t, avahi_initrc_exec_t)
+
+	files_search_pids($1)
+	admin_pattern($1, avahi_var_run_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, avahi_var_lib_t)
+')

policy/modules/contrib/avahi.te

@@ -0,0 +1,118 @@
+policy_module(avahi, 1.19.0)
+
+########################################
+#
+# Declarations
+#
+
+type avahi_t;
+type avahi_exec_t;
+init_daemon_domain(avahi_t, avahi_exec_t)
+init_named_socket_activation(avahi_t, avahi_var_run_t)
+
+type avahi_initrc_exec_t;
+init_script_file(avahi_initrc_exec_t)
+
+type avahi_unit_t;
+init_unit_file(avahi_unit_t)
+
+type avahi_var_lib_t;
+files_pid_file(avahi_var_lib_t)
+
+type avahi_var_run_t;
+files_pid_file(avahi_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow avahi_t self:capability { chown dac_override fowner kill net_admin net_raw setgid setuid sys_chroot };
+dontaudit avahi_t self:capability sys_tty_config;
+allow avahi_t self:process { setrlimit signal_perms getcap setcap };
+allow avahi_t self:fifo_file rw_fifo_file_perms;
+allow avahi_t self:unix_stream_socket { accept connectto listen };
+allow avahi_t self:tcp_socket { accept listen };
+allow avahi_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
+
+manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+allow avahi_t avahi_var_run_t:dir setattr_dir_perms;
+files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+
+kernel_read_kernel_sysctls(avahi_t)
+kernel_read_network_state(avahi_t)
+kernel_read_system_state(avahi_t)
+kernel_request_load_module(avahi_t)
+
+corecmd_exec_bin(avahi_t)
+corecmd_exec_shell(avahi_t)
+
+corenet_all_recvfrom_unlabeled(avahi_t)
+corenet_all_recvfrom_netlabel(avahi_t)
+corenet_tcp_sendrecv_generic_if(avahi_t)
+corenet_udp_sendrecv_generic_if(avahi_t)
+corenet_tcp_sendrecv_generic_node(avahi_t)
+corenet_udp_sendrecv_generic_node(avahi_t)
+corenet_tcp_sendrecv_all_ports(avahi_t)
+corenet_udp_sendrecv_all_ports(avahi_t)
+corenet_tcp_bind_generic_node(avahi_t)
+corenet_udp_bind_generic_node(avahi_t)
+
+corenet_sendrecv_howl_server_packets(avahi_t)
+corenet_tcp_bind_howl_port(avahi_t)
+corenet_udp_bind_howl_port(avahi_t)
+
+dev_read_sysfs(avahi_t)
+dev_read_urand(avahi_t)
+
+fs_getattr_all_fs(avahi_t)
+fs_search_auto_mountpoints(avahi_t)
+fs_list_inotifyfs(avahi_t)
+
+domain_use_interactive_fds(avahi_t)
+
+files_read_etc_runtime_files(avahi_t)
+files_read_usr_files(avahi_t)
+
+auth_use_nsswitch(avahi_t)
+
+init_signal_script(avahi_t)
+init_signull_script(avahi_t)
+
+logging_send_syslog_msg(avahi_t)
+
+miscfiles_read_localization(avahi_t)
+miscfiles_read_generic_certs(avahi_t)
+
+sysnet_domtrans_ifconfig(avahi_t)
+sysnet_manage_config(avahi_t)
+sysnet_etc_filetrans_config(avahi_t)
+
+userdom_dontaudit_use_unpriv_user_fds(avahi_t)
+userdom_dontaudit_search_user_home_dirs(avahi_t)
+
+optional_policy(`
+	dbus_system_domain(avahi_t, avahi_exec_t)
+
+	optional_policy(`
+		init_dbus_chat_script(avahi_t)
+	')
+')
+
+optional_policy(`
+	rpcbind_signull(avahi_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(avahi_t)
+')
+
+optional_policy(`
+	udev_read_db(avahi_t)
+')

policy/modules/contrib/awstats.fc

@@ -0,0 +1,5 @@
+/usr/share/awstats/tools/.+\.pl	--	gen_context(system_u:object_r:awstats_exec_t,s0)
+/usr/share/awstats/wwwroot(/.*)?	gen_context(system_u:object_r:httpd_awstats_content_t,s0)
+/usr/share/awstats/wwwroot/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
+
+/var/lib/awstats(/.*)?	gen_context(system_u:object_r:awstats_var_lib_t,s0)

policy/modules/contrib/awstats.if

@@ -0,0 +1,21 @@
+## <summary>Log file analyzer for advanced statistics.</summary>
+
+########################################
+## <summary>
+##	Execute the awstats program in
+##	the awstats domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`awstats_domtrans',`
+	gen_require(`
+		type awstats_t, awstats_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, awstats_exec_t, awstats_t)
+')

policy/modules/contrib/awstats.te

@@ -0,0 +1,98 @@
+policy_module(awstats, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether awstats can
+##	purge httpd log files.
+##	</p>
+## </desc>
+gen_tunable(awstats_purge_apache_log_files, false)
+
+type awstats_t;
+type awstats_exec_t;
+domain_type(awstats_t)
+domain_entry_file(awstats_t, awstats_exec_t)
+role system_r types awstats_t;
+
+type awstats_tmp_t;
+files_tmp_file(awstats_tmp_t)
+
+type awstats_var_lib_t;
+files_type(awstats_var_lib_t)
+
+apache_content_template(awstats)
+
+########################################
+#
+# Local policy
+#
+
+allow awstats_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
+
+manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
+
+allow awstats_t { httpd_awstats_content_t  httpd_awstats_script_exec_t }:dir search_dir_perms;
+
+can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t })
+
+kernel_dontaudit_read_system_state(awstats_t)
+
+corecmd_exec_bin(awstats_t)
+corecmd_exec_shell(awstats_t)
+
+dev_read_urand(awstats_t)
+
+files_dontaudit_search_all_mountpoints(awstats_t)
+files_read_etc_files(awstats_t)
+files_read_usr_files(awstats_t)
+
+fs_list_inotifyfs(awstats_t)
+
+libs_read_lib_files(awstats_t)
+
+logging_read_generic_logs(awstats_t)
+
+miscfiles_read_localization(awstats_t)
+
+sysnet_dns_name_resolve(awstats_t)
+
+tunable_policy(`awstats_purge_apache_log_files',`
+	apache_write_log(awstats_t)
+')
+
+optional_policy(`
+	apache_read_log(awstats_t)
+')
+
+optional_policy(`
+	cron_system_entry(awstats_t, awstats_exec_t)
+')
+
+optional_policy(`
+	nscd_dontaudit_search_pid(awstats_t)
+')
+
+optional_policy(`
+	squid_read_log(awstats_t)
+')
+
+########################################
+#
+# CGI local policy
+#
+
+allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+
+read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(httpd_awstats_script_t)
+
+apache_read_log(httpd_awstats_script_t)

policy/modules/contrib/backup.fc

@@ -0,0 +1,5 @@
+/etc/cron\.daily/aptitude	--	gen_context(system_u:object_r:backup_exec_t,s0)
+/etc/cron\.daily/passwd	--	gen_context(system_u:object_r:backup_exec_t,s0)
+/etc/cron\.daily/standard	--	gen_context(system_u:object_r:backup_exec_t,s0)
+
+/var/backups(/.*)?	gen_context(system_u:object_r:backup_store_t,s0)

policy/modules/contrib/backup.if

@@ -0,0 +1,67 @@
+## <summary>System backup scripts.</summary>
+
+########################################
+## <summary>
+##	Execute backup in the backup domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`backup_domtrans',`
+	gen_require(`
+		type backup_t, backup_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, backup_exec_t, backup_t)
+')
+
+########################################
+## <summary>
+##	Execute backup in the backup
+##	domain, and allow the specified
+##	role the backup domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`backup_run',`
+	gen_require(`
+		attribute_role backup_roles;
+	')
+
+	backup_domtrans($1)
+	roleattribute $2 backup_roles;
+')
+
+########################################
+## <summary>
+##	Create, read, and write backup
+##	store files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`backup_manage_store_files',`
+	gen_require(`
+		type backup_store_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, backup_store_t, backup_store_t)
+')

policy/modules/contrib/backup.te

@@ -0,0 +1,82 @@
+policy_module(backup, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role backup_roles;
+roleattribute system_r backup_roles;
+
+type backup_t;
+type backup_exec_t;
+application_domain(backup_t, backup_exec_t)
+role backup_roles types backup_t;
+
+type backup_store_t;
+files_type(backup_store_t)
+
+########################################
+#
+# Local policy
+#
+
+allow backup_t self:capability { chown dac_override fsetid };
+allow backup_t self:process signal;
+allow backup_t self:fifo_file rw_fifo_file_perms;
+allow backup_t self:tcp_socket create_socket_perms;
+allow backup_t self:udp_socket create_socket_perms;
+
+allow backup_t backup_store_t:file setattr_file_perms;
+manage_files_pattern(backup_t, backup_store_t, backup_store_t)
+rw_files_pattern(backup_t, backup_store_t, backup_store_t)
+read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t)
+
+kernel_read_system_state(backup_t)
+kernel_read_kernel_sysctls(backup_t)
+
+corecmd_exec_bin(backup_t)
+corecmd_exec_shell(backup_t)
+
+corenet_all_recvfrom_unlabeled(backup_t)
+corenet_all_recvfrom_netlabel(backup_t)
+corenet_tcp_sendrecv_generic_if(backup_t)
+corenet_tcp_sendrecv_generic_node(backup_t)
+corenet_tcp_sendrecv_all_ports(backup_t)
+
+corenet_tcp_connect_all_ports(backup_t)
+corenet_sendrecv_all_client_packets(backup_t)
+
+dev_getattr_all_blk_files(backup_t)
+dev_getattr_all_chr_files(backup_t)
+dev_read_urand(backup_t)
+
+domain_use_interactive_fds(backup_t)
+
+files_read_all_files(backup_t)
+files_read_all_symlinks(backup_t)
+files_getattr_all_pipes(backup_t)
+files_getattr_all_sockets(backup_t)
+
+fs_getattr_xattr_fs(backup_t)
+fs_list_all(backup_t)
+
+auth_read_shadow(backup_t)
+
+logging_send_syslog_msg(backup_t)
+
+sysnet_read_config(backup_t)
+
+userdom_use_user_terminals(backup_t)
+
+optional_policy(`
+	cron_system_entry(backup_t, backup_exec_t)
+')
+
+optional_policy(`
+	hostname_exec(backup_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(backup_t)
+')

policy/modules/contrib/bacula.fc

@@ -0,0 +1,21 @@
+/bacula(/.*)?	gen_context(system_u:object_r:bacula_store_t,s0)
+
+/etc/bacula.*	gen_context(system_u:object_r:bacula_etc_t,s0)
+
+/etc/rc\.d/init\.d/bacula.*	--	gen_context(system_u:object_r:bacula_initrc_exec_t,s0)
+
+/usr/bin/bacula.*	--	gen_context(system_u:object_r:bacula_exec_t,s0)
+/usr/bin/bat	--	gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+/usr/bin/bconsole	--	gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+
+/usr/sbin/bacula.*	--	gen_context(system_u:object_r:bacula_exec_t,s0)
+/usr/sbin/bat	--	gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+/usr/sbin/bconsole	--	gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+
+/var/lib/bacula.*	gen_context(system_u:object_r:bacula_var_lib_t,s0)
+
+/var/log/bacula.*	gen_context(system_u:object_r:bacula_log_t,s0)
+
+/run/bacula.*	--	gen_context(system_u:object_r:bacula_var_run_t,s0)
+
+/var/spool/bacula.*	gen_context(system_u:object_r:bacula_spool_t,s0)

policy/modules/contrib/bacula.if

@@ -0,0 +1,93 @@
+## <summary>Cross platform network backup.</summary>
+
+########################################
+## <summary>
+##	Execute bacula admin bacula
+##	admin domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bacula_domtrans_admin',`
+	gen_require(`
+		type bacula_admin_t, bacula_admin_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t)
+')
+
+########################################
+## <summary>
+##	Execute user interfaces in the
+##	bacula admin domain, and allow the
+##	specified role the bacula admin domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bacula_run_admin',`
+	gen_require(`
+		attribute_role bacula_admin_roles;
+	')
+
+	bacula_domtrans_admin($1)
+	roleattribute $2 bacula_admin_roles;
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an bacula environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bacula_admin',`
+	gen_require(`
+		type bacula_t, bacula_etc_t, bacula_log_t;
+		type bacula_spool_t, bacula_var_lib_t;
+		type bacula_var_run_t, bacula_initrc_exec_t;
+	')
+
+	allow $1 bacula_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bacula_t)
+
+	init_startstop_service($1, $2, bacula_t, bacula_initrc_exec_t)
+
+	files_search_etc($1)
+	admin_pattern($1, bacula_etc_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, bacula_log_t)
+
+	files_search_var($1)
+	admin_pattern($1, bacula_spool_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, bacula_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, bacula_var_run_t)
+')

policy/modules/contrib/bacula.te

@@ -0,0 +1,158 @@
+policy_module(bacula, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role bacula_admin_roles;
+
+type bacula_t;
+type bacula_exec_t;
+init_daemon_domain(bacula_t, bacula_exec_t)
+
+type bacula_initrc_exec_t;
+init_script_file(bacula_initrc_exec_t)
+
+type bacula_etc_t;
+files_type(bacula_etc_t)
+
+type bacula_log_t;
+logging_log_file(bacula_log_t)
+
+type bacula_spool_t;
+files_type(bacula_spool_t)
+
+type bacula_store_t;
+files_type(bacula_store_t)
+files_mountpoint(bacula_store_t)
+
+type bacula_var_lib_t;
+files_type(bacula_var_lib_t)
+
+type bacula_var_run_t;
+files_pid_file(bacula_var_run_t)
+
+type bacula_admin_t;
+type bacula_admin_exec_t;
+application_domain(bacula_admin_t, bacula_admin_exec_t)
+role bacula_admin_roles types bacula_admin_t;
+
+########################################
+#
+# Local policy
+#
+
+allow bacula_t self:capability { chown dac_override dac_read_search fowner fsetid };
+allow bacula_t self:process signal;
+allow bacula_t self:fifo_file rw_fifo_file_perms;
+allow bacula_t self:tcp_socket { accept listen };
+
+read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
+
+append_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+create_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+
+manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
+manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
+
+manage_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
+manage_lnk_files_pattern(bacula_t, bacula_store_t, bacula_store_t)
+manage_dirs_pattern(bacula_t, bacula_store_t, bacula_store_t)
+
+manage_dirs_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t)
+manage_files_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t)
+files_var_lib_filetrans(bacula_t, bacula_var_lib_t, dir)
+
+allow bacula_t bacula_var_run_t:file manage_file_perms;
+files_pid_filetrans(bacula_t, bacula_var_run_t, file)
+
+kernel_read_kernel_sysctls(bacula_t)
+kernel_read_system_state(bacula_t)
+
+corecmd_exec_bin(bacula_t)
+corecmd_exec_shell(bacula_t)
+
+corenet_all_recvfrom_unlabeled(bacula_t)
+corenet_all_recvfrom_netlabel(bacula_t)
+corenet_tcp_sendrecv_generic_if(bacula_t)
+corenet_udp_sendrecv_generic_if(bacula_t)
+corenet_tcp_sendrecv_generic_node(bacula_t)
+corenet_udp_sendrecv_generic_node(bacula_t)
+corenet_tcp_sendrecv_all_ports(bacula_t)
+corenet_udp_sendrecv_all_ports(bacula_t)
+corenet_tcp_bind_generic_node(bacula_t)
+corenet_udp_bind_generic_node(bacula_t)
+
+corenet_sendrecv_generic_server_packets(bacula_t)
+corenet_udp_bind_generic_port(bacula_t)
+
+corenet_sendrecv_hplip_server_packets(bacula_t)
+corenet_tcp_bind_hplip_port(bacula_t)
+corenet_udp_bind_hplip_port(bacula_t)
+
+corenet_sendrecv_all_client_packets(bacula_t)
+corenet_tcp_connect_all_ports(bacula_t)
+
+dev_getattr_all_blk_files(bacula_t)
+dev_getattr_all_chr_files(bacula_t)
+
+files_dontaudit_getattr_all_sockets(bacula_t)
+files_read_all_files(bacula_t)
+files_read_all_symlinks(bacula_t)
+
+fs_getattr_xattr_fs(bacula_t)
+fs_list_all(bacula_t)
+
+auth_read_shadow(bacula_t)
+
+logging_send_syslog_msg(bacula_t)
+
+sysnet_dns_name_resolve(bacula_t)
+
+optional_policy(`
+	mysql_stream_connect(bacula_t)
+	mysql_tcp_connect(bacula_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(bacula_t)
+')
+
+optional_policy(`
+	sysnet_use_ldap(bacula_t)
+	ldap_stream_connect(bacula_t)
+')
+
+########################################
+#
+# Client local policy
+#
+
+allow bacula_admin_t self:process signal;
+allow bacula_admin_t self:tcp_socket { accept listen };
+allow bacula_admin_t self:dgram_socket_class_set create_socket_perms;
+
+read_files_pattern(bacula_admin_t, bacula_etc_t, bacula_etc_t)
+
+corenet_all_recvfrom_unlabeled(bacula_admin_t)
+corenet_all_recvfrom_netlabel(bacula_admin_t)
+corenet_tcp_sendrecv_generic_if(bacula_admin_t)
+corenet_tcp_sendrecv_generic_node(bacula_admin_t)
+corenet_tcp_sendrecv_all_ports(bacula_admin_t)
+corenet_tcp_bind_generic_node(bacula_admin_t)
+
+corenet_sendrecv_hplip_client_packets(bacula_admin_t)
+corenet_tcp_connect_hplip_port(bacula_admin_t)
+
+domain_use_interactive_fds(bacula_admin_t)
+
+files_read_etc_files(bacula_admin_t)
+
+miscfiles_read_localization(bacula_admin_t)
+
+sysnet_dns_name_resolve(bacula_admin_t)
+
+userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
+userdom_use_user_ptys(bacula_admin_t)

policy/modules/contrib/bcfg2.fc

@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+
+/usr/bin/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_exec_t,s0)
+
+/usr/sbin/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_exec_t,s0)
+
+/var/lib/bcfg2(/.*)?	gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
+
+/run/bcfg2-server\.pid	--	gen_context(system_u:object_r:bcfg2_var_run_t,s0)

policy/modules/contrib/bcfg2.if

@@ -0,0 +1,151 @@
+## <summary>configuration management suite.</summary>
+
+########################################
+## <summary>
+##	Execute bcfg2 in the bcfg2 domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bcfg2_domtrans',`
+	gen_require(`
+		type bcfg2_t, bcfg2_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, bcfg2_exec_t, bcfg2_t)
+')
+
+########################################
+## <summary>
+##	Execute bcfg2 server in the bcfg2 domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_initrc_domtrans',`
+	gen_require(`
+		type bcfg2_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, bcfg2_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Search bcfg2 lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_search_lib',`
+	gen_require(`
+		type bcfg2_var_lib_t;
+	')
+
+	allow $1 bcfg2_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read bcfg2 lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_read_lib_files',`
+	gen_require(`
+		type bcfg2_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	bcfg2 lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_manage_lib_files',`
+	gen_require(`
+		type bcfg2_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	bcfg2 lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_manage_lib_dirs',`
+	gen_require(`
+		type bcfg2_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an bcfg2 environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bcfg2_admin',`
+	gen_require(`
+		type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
+		type bcfg2_var_run_t;
+	')
+
+	allow $1 bcfg2_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bcfg2_t)
+
+	init_startstop_service($1, $2, bcfg2_t, bcfg2_initrc_exec_t)
+
+	files_search_pids($1)
+	admin_pattern($1, bcfg2_var_run_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, bcfg2_var_lib_t)
+')

policy/modules/contrib/bcfg2.te

@@ -0,0 +1,61 @@
+policy_module(bcfg2, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type bcfg2_t;
+type bcfg2_exec_t;
+init_daemon_domain(bcfg2_t, bcfg2_exec_t)
+
+type bcfg2_initrc_exec_t;
+init_script_file(bcfg2_initrc_exec_t)
+
+type bcfg2_var_lib_t;
+files_type(bcfg2_var_lib_t)
+
+type bcfg2_var_run_t;
+files_pid_file(bcfg2_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow bcfg2_t self:fifo_file rw_fifo_file_perms;
+allow bcfg2_t self:tcp_socket { accept listen };
+allow bcfg2_t self:unix_stream_socket { accept connectto listen };
+
+manage_dirs_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
+manage_files_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
+files_var_lib_filetrans(bcfg2_t, bcfg2_var_lib_t, dir)
+
+manage_files_pattern(bcfg2_t, bcfg2_var_run_t, bcfg2_var_run_t)
+files_pid_filetrans(bcfg2_t, bcfg2_var_run_t, file)
+
+kernel_read_system_state(bcfg2_t)
+
+corenet_all_recvfrom_unlabeled(bcfg2_t)
+corenet_all_recvfrom_netlabel(bcfg2_t)
+corenet_tcp_sendrecv_generic_if(bcfg2_t)
+corenet_tcp_sendrecv_generic_node(bcfg2_t)
+corenet_tcp_bind_generic_node(bcfg2_t)
+
+corenet_sendrecv_cyphesis_server_packets(bcfg2_t)
+corenet_tcp_bind_cyphesis_port(bcfg2_t)
+corenet_tcp_sendrecv_cyphesis_port(bcfg2_t)
+
+corecmd_exec_bin(bcfg2_t)
+
+dev_read_urand(bcfg2_t)
+
+domain_use_interactive_fds(bcfg2_t)
+
+files_read_usr_files(bcfg2_t)
+
+auth_use_nsswitch(bcfg2_t)
+
+logging_send_syslog_msg(bcfg2_t)
+
+miscfiles_read_localization(bcfg2_t)

policy/modules/contrib/bind.fc

@@ -0,0 +1,66 @@
+/etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
+/etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf.*	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.root\.hints	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc.*	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/unbound/.*\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+
+/usr/bin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/bin/named	--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/bin/named-checkconf	--	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/bin/r?ndc	--	gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/unbound	--	gen_context(system_u:object_r:named_exec_t,s0)
+
+/usr/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
+/usr/lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
+
+/usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named	--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf	--	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc	--	gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/unbound	--	gen_context(system_u:object_r:named_exec_t,s0)
+
+/var/bind(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/bind/pri(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
+
+/var/cache/bind(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+
+/var/lib/unbound(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+
+/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
+
+/var/named(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/slaves(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/data(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/named\.ca	--	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints	--	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/proc(/.*)?	<<none>>
+/var/named/chroot/var/run/named.*	gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/data(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/dynamic(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/named\.ca	--	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
+/var/named/dynamic(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+
+/run/ndc	-s	gen_context(system_u:object_r:named_var_run_t,s0)
+/run/bind(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
+/run/lwresd/lwresd\.pid	-s	gen_context(system_u:object_r:named_var_run_t,s0)
+/run/named(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
+/run/unbound(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)

policy/modules/contrib/bind.if

@@ -0,0 +1,376 @@
+## <summary>Berkeley Internet name domain DNS server.</summary>
+
+########################################
+## <summary>
+##	Execute bind init scripts in
+##	the init script domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bind_initrc_domtrans',`
+	gen_require(`
+		type named_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, named_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute ndc in the ndc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bind_domtrans_ndc',`
+	gen_require(`
+		type ndc_t, ndc_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ndc_exec_t, ndc_t)
+')
+
+########################################
+## <summary>
+##	Send generic signals to bind.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_signal',`
+	gen_require(`
+		type named_t;
+	')
+
+	allow $1 named_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send null signals to bind.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_signull',`
+	gen_require(`
+		type named_t;
+	')
+
+	allow $1 named_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send kill signals to bind.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_kill',`
+	gen_require(`
+		type named_t;
+	')
+
+	allow $1 named_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Execute ndc in the ndc domain, and
+##	allow the specified role the ndc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bind_run_ndc',`
+	gen_require(`
+		attribute_role ndc_roles;
+	')
+
+	bind_domtrans_ndc($1)
+	roleattribute $2 ndc_roles;
+')
+
+########################################
+## <summary>
+##	Execute bind in the named domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bind_domtrans',`
+	gen_require(`
+		type named_t, named_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, named_exec_t, named_t)
+')
+
+########################################
+## <summary>
+##	Read dnssec key files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_dnssec_keys',`
+	gen_require(`
+		type named_conf_t, named_zone_t, dnssec_t;
+	')
+
+	read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t)
+')
+
+########################################
+## <summary>
+##	Read bind named configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_config',`
+	gen_require(`
+		type named_conf_t;
+	')
+
+	read_files_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+## <summary>
+##	Write bind named configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_write_config',`
+	gen_require(`
+		type named_conf_t;
+	')
+
+	write_files_pattern($1, named_conf_t, named_conf_t)
+	allow $1 named_conf_t:file setattr_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	bind configuration directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_manage_config_dirs',`
+	gen_require(`
+		type named_conf_t;
+	')
+
+	manage_dirs_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+## <summary>
+##	Search bind cache directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_search_cache',`
+	gen_require(`
+		type named_conf_t, named_cache_t, named_zone_t;
+	')
+
+	files_search_var($1)
+	allow $1 named_conf_t:dir search_dir_perms;
+	allow $1 named_zone_t:dir search_dir_perms;
+	allow $1 named_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	bind cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_manage_cache',`
+	gen_require(`
+		type named_cache_t, named_zone_t;
+	')
+
+	files_search_var($1)
+	allow $1 named_zone_t:dir search_dir_perms;
+	manage_files_pattern($1, named_cache_t, named_cache_t)
+	manage_lnk_files_pattern($1, named_cache_t, named_cache_t)
+')
+
+########################################
+## <summary>
+##	Set attributes of bind pid directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_setattr_pid_dirs',`
+	gen_require(`
+		type named_var_run_t;
+	')
+
+	allow $1 named_var_run_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+##	Set attributes of bind zone directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_setattr_zone_dirs',`
+	gen_require(`
+		type named_zone_t;
+	')
+
+	allow $1 named_zone_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read bind zone files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_zone',`
+	gen_require(`
+		type named_zone_t;
+	')
+
+	files_search_var($1)
+	read_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	bind zone files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_manage_zone',`
+	gen_require(`
+		type named_zone_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an bind environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bind_admin',`
+	gen_require(`
+		type named_t, named_tmp_t, named_log_t;
+		type named_cache_t, named_zone_t, named_initrc_exec_t;
+		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
+		type named_keytab_t;
+	')
+
+	allow $1 { named_t ndc_t }:process { ptrace signal_perms };
+	ps_process_pattern($1, { named_t ndc_t })
+
+	init_startstop_service($1, $2, named_t, named_initrc_exec_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, named_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, named_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, { named_keytab_t named_conf_t })
+
+	files_list_var($1)
+	admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
+
+	files_list_pids($1)
+	admin_pattern($1, named_var_run_t)
+')

policy/modules/contrib/bind.te

@@ -0,0 +1,279 @@
+policy_module(bind, 1.20.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether Bind can bind tcp socket to http ports.
+##	</p>
+## </desc>
+gen_tunable(named_tcp_bind_http_port, false)
+
+## <desc>
+##	<p>
+##	Determine whether Bind can write to master zone files.
+##	Generally this is used for dynamic DNS or zone transfers.
+##	</p>
+## </desc>
+gen_tunable(named_write_master_zones, false)
+
+attribute_role ndc_roles;
+
+type dnssec_t;
+files_security_file(dnssec_t)
+files_mountpoint(dnssec_t)
+
+type named_t;
+type named_exec_t;
+init_daemon_domain(named_t, named_exec_t)
+
+type named_checkconf_exec_t;
+init_system_domain(named_t, named_checkconf_exec_t)
+
+type named_conf_t;
+files_type(named_conf_t)
+files_mountpoint(named_conf_t)
+
+# for secondary zone files
+type named_cache_t;
+files_type(named_cache_t)
+
+type named_initrc_exec_t;
+init_script_file(named_initrc_exec_t)
+
+type named_keytab_t;
+files_type(named_keytab_t)
+
+type named_log_t;
+logging_log_file(named_log_t)
+
+type named_tmp_t;
+files_tmp_file(named_tmp_t)
+
+type named_unit_t;
+init_unit_file(named_unit_t)
+
+type named_var_run_t;
+files_pid_file(named_var_run_t)
+init_daemon_pid_file(named_var_run_t, dir, "named")
+
+# for primary zone files
+type named_zone_t;
+files_type(named_zone_t)
+
+type ndc_t;
+type ndc_exec_t;
+init_system_domain(ndc_t, ndc_exec_t)
+role ndc_roles types ndc_t;
+
+########################################
+#
+# Local policy
+#
+
+allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+dontaudit named_t self:capability sys_tty_config;
+allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
+allow named_t self:fifo_file rw_fifo_file_perms;
+allow named_t self:unix_stream_socket { accept listen };
+allow named_t self:tcp_socket { accept listen };
+
+allow named_t dnssec_t:file read_file_perms;
+
+allow named_t named_conf_t:dir list_dir_perms;
+read_files_pattern(named_t, named_conf_t, named_conf_t)
+read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+
+manage_files_pattern(named_t, named_cache_t, named_cache_t)
+manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+
+allow named_t named_keytab_t:file read_file_perms;
+
+append_files_pattern(named_t, named_log_t, named_log_t)
+create_files_pattern(named_t, named_log_t, named_log_t)
+setattr_files_pattern(named_t, named_log_t, named_log_t)
+logging_log_filetrans(named_t, named_log_t, file)
+
+manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
+files_tmp_filetrans(named_t, named_tmp_t, { file dir })
+
+manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t)
+manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
+manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
+files_pid_filetrans(named_t, named_var_run_t, { dir file sock_file })
+
+can_exec(named_t, named_exec_t)
+
+allow named_t named_zone_t:dir list_dir_perms;
+read_files_pattern(named_t, named_zone_t, named_zone_t)
+read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+
+kernel_read_net_sysctls(named_t)
+kernel_read_vm_sysctls(named_t)
+kernel_read_kernel_sysctls(named_t)
+kernel_read_vm_overcommit_sysctl(named_t)
+kernel_read_system_state(named_t)
+kernel_read_network_state(named_t)
+
+corecmd_search_bin(named_t)
+
+corenet_all_recvfrom_unlabeled(named_t)
+corenet_all_recvfrom_netlabel(named_t)
+corenet_tcp_sendrecv_generic_if(named_t)
+corenet_udp_sendrecv_generic_if(named_t)
+corenet_tcp_sendrecv_generic_node(named_t)
+corenet_udp_sendrecv_generic_node(named_t)
+corenet_tcp_bind_generic_node(named_t)
+corenet_udp_bind_generic_node(named_t)
+
+corenet_sendrecv_all_server_packets(named_t)
+corenet_tcp_bind_dns_port(named_t)
+corenet_udp_bind_dns_port(named_t)
+corenet_tcp_sendrecv_dns_port(named_t)
+corenet_udp_sendrecv_dns_port(named_t)
+
+corenet_tcp_bind_rndc_port(named_t)
+corenet_tcp_sendrecv_rndc_port(named_t)
+
+corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
+corenet_udp_bind_all_unreserved_ports(named_t)
+corenet_udp_sendrecv_all_ports(named_t)
+
+corenet_sendrecv_all_client_packets(named_t)
+corenet_tcp_connect_all_ports(named_t)
+corenet_tcp_sendrecv_all_ports(named_t)
+
+dev_read_sysfs(named_t)
+dev_read_rand(named_t)
+dev_read_urand(named_t)
+
+domain_use_interactive_fds(named_t)
+
+files_read_etc_runtime_files(named_t)
+files_read_usr_files(named_t)
+
+fs_getattr_all_fs(named_t)
+fs_search_auto_mountpoints(named_t)
+
+auth_use_nsswitch(named_t)
+
+logging_send_syslog_msg(named_t)
+
+miscfiles_read_generic_certs(named_t)
+miscfiles_read_localization(named_t)
+miscfiles_read_generic_tls_privkey(named_t)
+
+userdom_dontaudit_use_unpriv_user_fds(named_t)
+userdom_dontaudit_search_user_home_dirs(named_t)
+
+tunable_policy(`named_tcp_bind_http_port',`
+	corenet_sendrecv_http_server_packets(named_t)
+	corenet_tcp_bind_http_port(named_t)
+	corenet_tcp_sendrecv_http_port(named_t)
+')
+
+tunable_policy(`named_write_master_zones',`
+	manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
+	manage_files_pattern(named_t, named_zone_t, named_zone_t)
+	manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+')
+
+optional_policy(`
+	dbus_system_domain(named_t, named_exec_t)
+
+	init_dbus_chat_script(named_t)
+
+	sysnet_dbus_chat_dhcpc(named_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(named_t)
+	')
+')
+
+optional_policy(`
+	kerberos_read_keytab(named_t)
+	kerberos_use(named_t)
+')
+
+optional_policy(`
+	ldap_stream_connect(named_t)
+')
+
+optional_policy(`
+	networkmanager_rw_udp_sockets(named_t)
+	networkmanager_rw_packet_sockets(named_t)
+	networkmanager_rw_routing_sockets(named_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(named_t)
+')
+
+optional_policy(`
+	udev_read_db(named_t)
+')
+
+########################################
+#
+# NDC local policy
+#
+
+allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
+allow ndc_t self:process signal_perms;
+allow ndc_t self:fifo_file rw_fifo_file_perms;
+allow ndc_t self:unix_stream_socket { accept listen };
+
+allow ndc_t dnssec_t:file read_file_perms;
+allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
+
+stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
+
+allow ndc_t named_conf_t:file read_file_perms;
+allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+
+allow ndc_t named_zone_t:dir search_dir_perms;
+
+kernel_read_kernel_sysctls(ndc_t)
+kernel_read_system_state(ndc_t)
+
+corenet_all_recvfrom_unlabeled(ndc_t)
+corenet_all_recvfrom_netlabel(ndc_t)
+corenet_tcp_sendrecv_generic_if(ndc_t)
+corenet_tcp_sendrecv_generic_node(ndc_t)
+corenet_tcp_sendrecv_all_ports(ndc_t)
+corenet_tcp_bind_generic_node(ndc_t)
+
+corenet_tcp_connect_rndc_port(ndc_t)
+corenet_sendrecv_rndc_client_packets(ndc_t)
+
+domain_use_interactive_fds(ndc_t)
+
+files_search_pids(ndc_t)
+
+fs_getattr_xattr_fs(ndc_t)
+
+term_dontaudit_use_console(ndc_t)
+
+auth_use_nsswitch(ndc_t)
+
+init_use_fds(ndc_t)
+init_use_script_ptys(ndc_t)
+
+logging_send_syslog_msg(ndc_t)
+
+miscfiles_read_localization(ndc_t)
+
+userdom_use_user_terminals(ndc_t)
+
+ifdef(`distro_redhat',`
+	allow ndc_t named_conf_t:dir search_dir_perms;
+')
+
+optional_policy(`
+	ppp_dontaudit_use_fds(ndc_t)
+')

policy/modules/contrib/bird.fc

@@ -0,0 +1,13 @@
+/etc/bird\.conf	--	gen_context(system_u:object_r:bird_etc_t,s0)
+
+/etc/default/bird	--	gen_context(system_u:object_r:bird_etc_t,s0)
+
+/etc/rc\.d/init\.d/bird	--	gen_context(system_u:object_r:bird_initrc_exec_t,s0)
+
+/usr/bin/bird	--	gen_context(system_u:object_r:bird_exec_t,s0)
+
+/usr/sbin/bird	--	gen_context(system_u:object_r:bird_exec_t,s0)
+
+/var/log/bird\.log.*	--	gen_context(system_u:object_r:bird_log_t,s0)
+
+/run/bird\.ctl	-s	gen_context(system_u:object_r:bird_var_run_t,s0)

policy/modules/contrib/bird.if

@@ -0,0 +1,39 @@
+## <summary>BIRD Internet Routing Daemon.</summary>
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an bird environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bird_admin',`
+	gen_require(`
+		type bird_t, bird_etc_t, bird_log_t;
+		type bird_var_run_t, bird_initrc_exec_t;
+	')
+
+	allow $1 bird_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bird_t)
+
+	init_startstop_service($1, $2, bird_t, bird_initrc_exec_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bird_etc_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bird_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bird_var_run_t)
+')

policy/modules/contrib/bird.te

@@ -0,0 +1,58 @@
+policy_module(bird, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type bird_t;
+type bird_exec_t;
+init_daemon_domain(bird_t, bird_exec_t)
+
+type bird_initrc_exec_t;
+init_script_file(bird_initrc_exec_t)
+
+type bird_etc_t;
+files_config_file(bird_etc_t)
+
+type bird_log_t;
+logging_log_file(bird_log_t)
+
+type bird_var_run_t;
+files_pid_file(bird_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow bird_t self:capability net_admin;
+allow bird_t self:netlink_route_socket create_netlink_socket_perms;
+allow bird_t self:tcp_socket create_stream_socket_perms;
+
+allow bird_t bird_etc_t:file read_file_perms;
+
+allow bird_t bird_log_t:file { create_file_perms append_file_perms setattr_file_perms };
+logging_log_filetrans(bird_t, bird_log_t, file)
+
+allow bird_t bird_var_run_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(bird_t, bird_var_run_t, sock_file)
+
+corenet_all_recvfrom_unlabeled(bird_t)
+corenet_all_recvfrom_netlabel(bird_t)
+corenet_tcp_sendrecv_generic_if(bird_t)
+corenet_tcp_bind_generic_node(bird_t)
+corenet_tcp_sendrecv_generic_node(bird_t)
+
+corenet_sendrecv_bgp_client_packets(bird_t)
+corenet_sendrecv_bgp_server_packets(bird_t)
+corenet_tcp_bind_bgp_port(bird_t)
+corenet_tcp_connect_bgp_port(bird_t)
+corenet_tcp_sendrecv_bgp_port(bird_t)
+
+# /etc/iproute2/rt_realms
+files_read_etc_files(bird_t)
+
+logging_send_syslog_msg(bird_t)
+
+miscfiles_read_localization(bird_t)

policy/modules/contrib/bitlbee.fc

@@ -0,0 +1,15 @@
+/etc/bitlbee(/.*)?	gen_context(system_u:object_r:bitlbee_conf_t,s0)
+
+/etc/rc\.d/init\.d/bitlbee	--	gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
+
+/usr/bin/bip	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/usr/bin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/usr/sbin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
+
+/var/lib/bitlbee(/.*)?	gen_context(system_u:object_r:bitlbee_var_t,s0)
+
+/var/log/bip(/.*)?	gen_context(system_u:object_r:bitlbee_log_t,s0)
+
+/run/bitlbee\.pid	--	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+/run/bitlbee\.sock	-s	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+/run/bip(/.*)?	gen_context(system_u:object_r:bitlbee_var_run_t,s0)

policy/modules/contrib/bitlbee.if

@@ -0,0 +1,66 @@
+## <summary>Tunnels instant messaging traffic to a virtual IRC channel.</summary>
+
+########################################
+## <summary>
+##	Read bitlbee configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bitlbee_read_config',`
+	gen_require(`
+		type bitlbee_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 bitlbee_conf_t:dir list_dir_perms;
+	allow $1 bitlbee_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an bitlbee environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bitlbee_admin',`
+	gen_require(`
+		type bitlbee_t, bitlbee_conf_t, bitlbee_var_t;
+		type bitlbee_initrc_exec_t, bitlbee_var_run_t;
+		type bitlbee_log_t, bitlbee_tmp_t;
+	')
+
+	allow $1 bitlbee_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitlbee_t)
+
+	init_startstop_service($1, $2, bitlbee_t, bitlbee_initrc_exec_t)
+
+	files_search_etc($1)
+	admin_pattern($1, bitlbee_conf_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, bitlbee_log_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, bitlbee_tmp_t)
+
+	files_search_pids($1)
+	admin_pattern($1, bitlbee_var_run_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, bitlbee_var_t)
+')

policy/modules/contrib/bitlbee.te

@@ -0,0 +1,125 @@
+policy_module(bitlbee, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+type bitlbee_t;
+type bitlbee_exec_t;
+init_daemon_domain(bitlbee_t, bitlbee_exec_t)
+inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
+
+type bitlbee_conf_t;
+files_config_file(bitlbee_conf_t)
+
+type bitlbee_initrc_exec_t;
+init_script_file(bitlbee_initrc_exec_t)
+
+type bitlbee_tmp_t;
+files_tmp_file(bitlbee_tmp_t)
+
+type bitlbee_var_t;
+files_type(bitlbee_var_t)
+
+type bitlbee_log_t;
+logging_log_file(bitlbee_log_t)
+
+type bitlbee_var_run_t;
+files_pid_file(bitlbee_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
+allow bitlbee_t self:process { setsched signal };
+allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+allow bitlbee_t self:tcp_socket { accept listen };
+allow bitlbee_t self:unix_stream_socket { accept listen };
+
+allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
+allow bitlbee_t bitlbee_conf_t:file read_file_perms;
+
+manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+
+manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
+
+manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+
+manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
+
+kernel_read_kernel_sysctls(bitlbee_t)
+kernel_read_system_state(bitlbee_t)
+kernel_read_crypto_sysctls(bitlbee_t)
+
+corenet_all_recvfrom_unlabeled(bitlbee_t)
+corenet_all_recvfrom_netlabel(bitlbee_t)
+corenet_tcp_sendrecv_generic_if(bitlbee_t)
+corenet_tcp_sendrecv_generic_node(bitlbee_t)
+corenet_tcp_bind_generic_node(bitlbee_t)
+
+corenet_sendrecv_jabber_client_client_packets(bitlbee_t)
+corenet_tcp_connect_jabber_client_port(bitlbee_t)
+corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+
+corenet_sendrecv_aol_client_packets(bitlbee_t)
+corenet_tcp_connect_aol_port(bitlbee_t)
+corenet_tcp_sendrecv_aol_port(bitlbee_t)
+
+corenet_sendrecv_gatekeeper_client_packets(bitlbee_t)
+corenet_tcp_connect_gatekeeper_port(bitlbee_t)
+corenet_tcp_sendrecv_gatekeeper_port(bitlbee_t)
+
+corenet_sendrecv_mmcc_client_packets(bitlbee_t)
+corenet_tcp_connect_mmcc_port(bitlbee_t)
+corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
+
+corenet_sendrecv_msnp_client_packets(bitlbee_t)
+corenet_tcp_connect_msnp_port(bitlbee_t)
+corenet_tcp_sendrecv_msnp_port(bitlbee_t)
+
+corenet_sendrecv_http_client_packets(bitlbee_t)
+corenet_tcp_connect_http_port(bitlbee_t)
+corenet_tcp_sendrecv_http_port(bitlbee_t)
+
+corenet_sendrecv_http_cache_client_packets(bitlbee_t)
+corenet_tcp_connect_http_cache_port(bitlbee_t)
+corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
+
+corenet_sendrecv_ircd_server_packets(bitlbee_t)
+corenet_tcp_bind_ircd_port(bitlbee_t)
+corenet_sendrecv_ircd_client_packets(bitlbee_t)
+corenet_tcp_connect_ircd_port(bitlbee_t)
+corenet_tcp_sendrecv_ircd_port(bitlbee_t)
+
+corenet_sendrecv_interwise_server_packets(bitlbee_t)
+corenet_tcp_bind_interwise_port(bitlbee_t)
+corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+
+dev_read_rand(bitlbee_t)
+dev_read_urand(bitlbee_t)
+
+files_read_usr_files(bitlbee_t)
+
+libs_legacy_use_shared_libs(bitlbee_t)
+
+auth_use_nsswitch(bitlbee_t)
+
+logging_send_syslog_msg(bitlbee_t)
+
+miscfiles_read_localization(bitlbee_t)
+
+optional_policy(`
+	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
+')

policy/modules/contrib/blueman.fc

@@ -0,0 +1,3 @@
+/usr/libexec/blueman-mechanism	--	gen_context(system_u:object_r:blueman_exec_t,s0)
+
+/var/lib/blueman(/.*)?	gen_context(system_u:object_r:blueman_var_lib_t,s0)

policy/modules/contrib/blueman.if

@@ -0,0 +1,99 @@
+## <summary>Tool to manage Bluetooth devices.</summary>
+
+########################################
+## <summary>
+##	Execute blueman in the blueman domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`blueman_domtrans',`
+	gen_require(`
+		type blueman_t, blueman_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, blueman_exec_t, blueman_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	blueman over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`blueman_dbus_chat',`
+	gen_require(`
+		type blueman_t;
+		class dbus send_msg;
+	')
+
+	allow $1 blueman_t:dbus send_msg;
+	allow blueman_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Search blueman lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`blueman_search_lib',`
+	gen_require(`
+		type blueman_var_lib_t;
+	')
+
+	allow $1 blueman_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read blueman lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`blueman_read_lib_files',`
+	gen_require(`
+		type blueman_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	blueman lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`blueman_manage_lib_files',`
+	gen_require(`
+		type blueman_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
+')

policy/modules/contrib/blueman.te

@@ -0,0 +1,70 @@
+policy_module(blueman, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+type blueman_t;
+type blueman_exec_t;
+dbus_system_domain(blueman_t, blueman_exec_t)
+
+type blueman_var_lib_t;
+files_type(blueman_var_lib_t)
+
+type blueman_var_run_t;
+files_pid_file(blueman_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow blueman_t self:capability { net_admin sys_nice };
+allow blueman_t self:process { signal_perms setsched };
+allow blueman_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
+manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
+files_var_lib_filetrans(blueman_t, blueman_var_lib_t, dir)
+
+manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
+manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
+files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
+
+kernel_read_net_sysctls(blueman_t)
+kernel_read_system_state(blueman_t)
+kernel_request_load_module(blueman_t)
+
+corecmd_exec_bin(blueman_t)
+
+dev_read_rand(blueman_t)
+dev_read_urand(blueman_t)
+dev_rw_wireless(blueman_t)
+
+domain_use_interactive_fds(blueman_t)
+
+files_list_tmp(blueman_t)
+files_map_usr_files(blueman_t)
+files_read_usr_files(blueman_t)
+
+auth_use_nsswitch(blueman_t)
+
+logging_send_syslog_msg(blueman_t)
+
+miscfiles_read_localization(blueman_t)
+
+sysnet_domtrans_ifconfig(blueman_t)
+
+optional_policy(`
+	avahi_domtrans(blueman_t)
+')
+
+optional_policy(`
+	dnsmasq_domtrans(blueman_t)
+	dnsmasq_read_pid_files(blueman_t)
+')
+
+optional_policy(`
+	iptables_domtrans(blueman_t)
+')

policy/modules/contrib/bluetooth.fc

@@ -0,0 +1,32 @@
+/etc/bluetooth(/.*)?	gen_context(system_u:object_r:bluetooth_conf_t,s0)
+/etc/bluetooth/link_key	--	gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
+
+/etc/rc\.d/init\.d/bluetooth	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dund	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pand	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+
+/usr/bin/blue.*pin	--	gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
+/usr/bin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/dund	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hcid	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hid2hci	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hidd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/rfcomm	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/sdpd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_t,s0)
+
+/usr/sbin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hcid	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hid2hci	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/sdpd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+/var/lib/bluetooth(/.*)?	gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
+
+/var/lock/subsys/bluetoothd	--	gen_context(system_u:object_r:bluetooth_lock_t,s0)
+
+/run/bluetoothd_address	--	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+/run/sdp	-s	gen_context(system_u:object_r:bluetooth_var_run_t,s0)

policy/modules/contrib/bluetooth.if

@@ -0,0 +1,195 @@
+## <summary>Bluetooth tools and system services.</summary>
+
+########################################
+## <summary>
+##	Role access for bluetooth.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`bluetooth_role',`
+	gen_require(`
+		attribute_role bluetooth_helper_roles;
+		type bluetooth_t, bluetooth_helper_t, bluetooth_helper_exec_t;
+		type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_var_run_t;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	roleattribute $1 bluetooth_helper_roles;
+
+	########################################
+	#
+	# Policy
+	#
+
+	domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
+
+	ps_process_pattern($2, bluetooth_helper_t)
+	allow $2 bluetooth_helper_t:process { ptrace signal_perms };
+
+	allow $2 bluetooth_t:socket rw_socket_perms;
+
+	allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
+	allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+	allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+	stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+	files_search_pids($2)
+')
+
+#####################################
+## <summary>
+##	Connect to bluetooth over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_stream_connect',`
+	gen_require(`
+		type bluetooth_t, bluetooth_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 bluetooth_t:socket rw_socket_perms;
+	stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+')
+
+########################################
+## <summary>
+##	Execute bluetooth in the bluetooth domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_domtrans',`
+	gen_require(`
+		type bluetooth_t, bluetooth_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
+')
+
+########################################
+## <summary>
+##	Read bluetooth configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_read_config',`
+	gen_require(`
+		type bluetooth_conf_t;
+	')
+
+	allow $1 bluetooth_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	bluetooth over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_dbus_chat',`
+	gen_require(`
+		type bluetooth_t;
+		class dbus send_msg;
+	')
+
+	allow $1 bluetooth_t:dbus send_msg;
+	allow bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	bluetooth process state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_dontaudit_read_helper_state',`
+	gen_require(`
+		type bluetooth_helper_t;
+	')
+
+	dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
+	dontaudit $1 bluetooth_helper_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an bluetooth environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bluetooth_admin',`
+	gen_require(`
+		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+		type bluetooth_var_lib_t, bluetooth_var_run_t;
+		type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
+		type bluetooth_initrc_exec_t;
+	')
+
+	allow $1 bluetooth_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bluetooth_t)
+
+	init_startstop_service($1, $2, bluetooth_t, bluetooth_initrc_exec_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, bluetooth_tmp_t)
+
+	files_list_var($1)
+	admin_pattern($1, bluetooth_lock_t)
+
+	files_list_etc($1)
+	admin_pattern($1, { bluetooth_conf_t bluetooth_conf_rw_t })
+
+	files_list_var_lib($1)
+	admin_pattern($1, bluetooth_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bluetooth_var_run_t)
+')

policy/modules/contrib/bluetooth.te

@@ -0,0 +1,228 @@
+policy_module(bluetooth, 3.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role bluetooth_helper_roles;
+
+type bluetooth_t;
+type bluetooth_exec_t;
+init_daemon_domain(bluetooth_t, bluetooth_exec_t)
+
+type bluetooth_conf_t;
+files_config_file(bluetooth_conf_t)
+
+type bluetooth_conf_rw_t;
+files_type(bluetooth_conf_rw_t)
+
+type bluetooth_helper_t;
+type bluetooth_helper_exec_t;
+typealias bluetooth_helper_t alias { user_bluetooth_helper_t staff_bluetooth_helper_t sysadm_bluetooth_helper_t };
+typealias bluetooth_helper_t alias { auditadm_bluetooth_helper_t secadm_bluetooth_helper_t };
+userdom_user_application_domain(bluetooth_helper_t, bluetooth_helper_exec_t)
+role bluetooth_helper_roles types bluetooth_helper_t;
+
+type bluetooth_helper_tmp_t;
+typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t };
+typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t };
+userdom_user_tmp_file(bluetooth_helper_tmp_t)
+
+type bluetooth_helper_tmpfs_t;
+typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t };
+typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t };
+userdom_user_tmpfs_file(bluetooth_helper_tmpfs_t)
+
+type bluetooth_initrc_exec_t;
+init_script_file(bluetooth_initrc_exec_t)
+
+type bluetooth_lock_t;
+files_lock_file(bluetooth_lock_t)
+
+type bluetooth_tmp_t;
+files_tmp_file(bluetooth_tmp_t)
+
+type bluetooth_unit_t;
+init_unit_file(bluetooth_unit_t)
+
+type bluetooth_var_lib_t;
+files_type(bluetooth_var_lib_t)
+
+type bluetooth_var_run_t;
+files_pid_file(bluetooth_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow bluetooth_t self:capability { dac_override ipc_lock net_admin net_bind_service net_raw setpcap sys_admin sys_tty_config };
+dontaudit bluetooth_t self:capability sys_tty_config;
+allow bluetooth_t self:process { getcap setcap getsched signal_perms };
+allow bluetooth_t self:fifo_file rw_fifo_file_perms;
+allow bluetooth_t self:shm create_shm_perms;
+allow bluetooth_t self:socket create_stream_socket_perms;
+allow bluetooth_t self:unix_stream_socket { accept connectto listen };
+allow bluetooth_t self:tcp_socket { accept listen };
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
+
+manage_dirs_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_lnk_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_fifo_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+manage_sock_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file lnk_file sock_file fifo_file })
+
+allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
+files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
+
+manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
+
+manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
+
+manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
+manage_sock_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
+files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+
+can_exec(bluetooth_t, bluetooth_helper_exec_t)
+
+kernel_read_kernel_sysctls(bluetooth_t)
+kernel_read_system_state(bluetooth_t)
+kernel_read_network_state(bluetooth_t)
+kernel_request_load_module(bluetooth_t)
+kernel_search_debugfs(bluetooth_t)
+
+corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
+
+dev_read_sysfs(bluetooth_t)
+dev_rw_usbfs(bluetooth_t)
+dev_rw_generic_usb_dev(bluetooth_t)
+dev_read_urand(bluetooth_t)
+dev_rw_input_dev(bluetooth_t)
+dev_rw_wireless(bluetooth_t)
+
+domain_use_interactive_fds(bluetooth_t)
+domain_dontaudit_search_all_domains_state(bluetooth_t)
+
+files_read_etc_runtime_files(bluetooth_t)
+files_read_usr_files(bluetooth_t)
+
+fs_getattr_all_fs(bluetooth_t)
+fs_search_auto_mountpoints(bluetooth_t)
+fs_list_inotifyfs(bluetooth_t)
+
+term_use_unallocated_ttys(bluetooth_t)
+
+auth_use_nsswitch(bluetooth_t)
+
+logging_send_syslog_msg(bluetooth_t)
+
+miscfiles_read_localization(bluetooth_t)
+miscfiles_read_fonts(bluetooth_t)
+miscfiles_read_hwdata(bluetooth_t)
+
+userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+userdom_dontaudit_use_user_terminals(bluetooth_t)
+userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+
+optional_policy(`
+	dbus_system_bus_client(bluetooth_t)
+	dbus_connect_system_bus(bluetooth_t)
+
+	optional_policy(`
+		cups_dbus_chat(bluetooth_t)
+	')
+
+	optional_policy(`
+		devicekit_dbus_chat_power(bluetooth_t)
+	')
+
+	optional_policy(`
+		hal_dbus_chat(bluetooth_t)
+	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(bluetooth_t)
+	')
+
+	optional_policy(`
+		pulseaudio_dbus_chat(bluetooth_t)
+	')
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(bluetooth_t)
+')
+
+optional_policy(`
+	udev_read_db(bluetooth_t)
+')
+
+optional_policy(`
+	ppp_domtrans(bluetooth_t)
+')
+
+########################################
+#
+# Helper local policy
+#
+
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:process getsched;
+allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket { accept connectto listen };
+
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_sock_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+fs_tmpfs_filetrans(bluetooth_helper_t, bluetooth_helper_tmpfs_t, { dir file })
+
+kernel_read_system_state(bluetooth_helper_t)
+kernel_read_kernel_sysctls(bluetooth_helper_t)
+
+corecmd_exec_bin(bluetooth_helper_t)
+corecmd_exec_shell(bluetooth_helper_t)
+
+dev_read_urand(bluetooth_helper_t)
+
+domain_read_all_domains_state(bluetooth_helper_t)
+
+files_read_etc_runtime_files(bluetooth_helper_t)
+files_read_usr_files(bluetooth_helper_t)
+files_dontaudit_list_default(bluetooth_helper_t)
+
+term_dontaudit_use_all_ttys(bluetooth_helper_t)
+
+auth_use_nsswitch(bluetooth_helper_t)
+
+locallogin_dontaudit_use_fds(bluetooth_helper_t)
+
+logging_send_syslog_msg(bluetooth_helper_t)
+
+miscfiles_read_localization(bluetooth_helper_t)
+
+optional_policy(`
+	bluetooth_dbus_chat(bluetooth_helper_t)
+
+	dbus_system_bus_client(bluetooth_helper_t)
+	dbus_connect_system_bus(bluetooth_helper_t)
+')
+
+optional_policy(`
+	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
+')

policy/modules/contrib/boinc.fc

@@ -0,0 +1,13 @@
+/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/etc/rc\.d/init\.d/boinc-client	--	gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
+/usr/bin/boinc		--	gen_context(system_u:object_r:boinc_exec_t,s0)
+/usr/bin/boinc_client	--	gen_context(system_u:object_r:boinc_exec_t,s0)
+
+/var/lib/boinc(/.*)?	gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc-client(/.*)?	gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/var/lib/boinc/slots(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+
+/var/log/boinc\.log.*	--	gen_context(system_u:object_r:boinc_log_t,s0)
+/var/log/boincerr\.log.*	--	gen_context(system_u:object_r:boinc_log_t,s0)

policy/modules/contrib/boinc.if

@@ -0,0 +1,41 @@
+## <summary>Platform for computing using volunteered resources.</summary>
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an boinc environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`boinc_admin',`
+	gen_require(`
+
+		type boinc_t, boinc_project_t, boinc_log_t;
+		type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
+		type boinc_project_var_lib_t, boinc_project_tmp_t;
+	')
+
+	allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
+	ps_process_pattern($1, { boinc_t boinc_project_t })
+
+	init_startstop_service($1, $2, boinc_t, boinc_initrc_exec_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, boinc_log_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
+
+	files_search_var_lib($1)
+	admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
+')

policy/modules/contrib/boinc.te

@@ -0,0 +1,214 @@
+policy_module(boinc, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether boinc can execmem/execstack.
+##	</p>
+## </desc>
+gen_tunable(boinc_execmem, true)
+
+type boinc_t;
+type boinc_exec_t;
+init_daemon_domain(boinc_t, boinc_exec_t)
+
+type boinc_initrc_exec_t;
+init_script_file(boinc_initrc_exec_t)
+
+type boinc_tmp_t;
+files_tmp_file(boinc_tmp_t)
+
+type boinc_tmpfs_t;
+files_tmpfs_file(boinc_tmpfs_t)
+
+type boinc_var_lib_t;
+files_type(boinc_var_lib_t)
+
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
+type boinc_log_t;
+logging_log_file(boinc_log_t)
+
+type boinc_project_t;
+domain_type(boinc_project_t)
+domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
+role system_r types boinc_project_t;
+
+type boinc_project_tmp_t;
+files_tmp_file(boinc_project_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow boinc_t self:process { setsched setpgid signull sigkill };
+allow boinc_t self:unix_stream_socket { accept listen };
+allow boinc_t self:tcp_socket { accept listen };
+allow boinc_t self:shm create_shm_perms;
+allow boinc_t self:fifo_file rw_fifo_file_perms;
+allow boinc_t self:sem create_sem_perms;
+
+can_exec(boinc_t, boinc_exec_t)
+
+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+
+manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
+
+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+
+# entry files to the boinc_project_t domain
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
+
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+logging_log_filetrans(boinc_t, boinc_log_t, file)
+
+can_exec(boinc_t, boinc_var_lib_t)
+libs_exec_lib_files(boinc_t)
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+
+kernel_read_system_state(boinc_t)
+kernel_search_vm_sysctl(boinc_t)
+kernel_read_crypto_sysctls(boinc_t)
+
+corenet_all_recvfrom_unlabeled(boinc_t)
+corenet_all_recvfrom_netlabel(boinc_t)
+corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_tcp_bind_generic_node(boinc_t)
+
+corenet_sendrecv_boinc_client_packets(boinc_t)
+corenet_sendrecv_boinc_server_packets(boinc_t)
+corenet_tcp_bind_boinc_port(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
+corenet_tcp_sendrecv_boinc_port(boinc_t)
+
+corenet_sendrecv_boinc_client_server_packets(boinc_t)
+corenet_tcp_bind_boinc_client_port(boinc_t)
+corenet_tcp_sendrecv_boinc_client_port(boinc_t)
+
+corenet_sendrecv_http_client_packets(boinc_t)
+corenet_tcp_connect_http_port(boinc_t)
+corenet_tcp_sendrecv_http_port(boinc_t)
+
+corenet_sendrecv_http_cache_client_packets(boinc_t)
+corenet_tcp_connect_http_cache_port(boinc_t)
+corenet_tcp_sendrecv_http_cache_port(boinc_t)
+
+corenet_sendrecv_squid_client_packets(boinc_t)
+corenet_tcp_connect_squid_port(boinc_t)
+corenet_tcp_sendrecv_squid_port(boinc_t)
+
+corecmd_exec_bin(boinc_t)
+corecmd_exec_shell(boinc_t)
+
+dev_read_rand(boinc_t)
+dev_read_urand(boinc_t)
+dev_read_sysfs(boinc_t)
+dev_rw_xserver_misc(boinc_t)
+
+domain_read_all_domains_state(boinc_t)
+
+files_dontaudit_getattr_boot_dirs(boinc_t)
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+files_read_etc_files(boinc_t)
+files_read_etc_runtime_files(boinc_t)
+files_read_usr_files(boinc_t)
+
+fs_getattr_all_fs(boinc_t)
+
+term_getattr_all_ptys(boinc_t)
+term_getattr_unallocated_ttys(boinc_t)
+
+init_read_utmp(boinc_t)
+
+logging_send_syslog_msg(boinc_t)
+
+miscfiles_read_fonts(boinc_t)
+miscfiles_read_localization(boinc_t)
+
+tunable_policy(`boinc_execmem',`
+	allow boinc_t self:process { execstack execmem };
+')
+
+optional_policy(`
+	mta_send_mail(boinc_t)
+')
+
+optional_policy(`
+	sysnet_dns_name_resolve(boinc_t)
+')
+
+optional_policy(`
+	corenet_tcp_connect_xserver_port(boinc_t)
+
+	xserver_list_xdm_tmp(boinc_t)
+	xserver_non_drawing_client(boinc_t)
+')
+
+########################################
+#
+# Project local policy
+#
+
+allow boinc_project_t self:capability { setgid setuid };
+allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+
+manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
+
+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+
+allow boinc_project_t boinc_project_var_lib_t:file execmod;
+can_exec(boinc_project_t, boinc_project_var_lib_t)
+
+allow boinc_project_t boinc_t:shm rw_shm_perms;
+allow boinc_project_t boinc_tmpfs_t:file { read write };
+
+kernel_read_kernel_sysctls(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
+kernel_search_vm_sysctl(boinc_project_t)
+
+corenet_all_recvfrom_unlabeled(boinc_project_t)
+corenet_all_recvfrom_netlabel(boinc_project_t)
+corenet_tcp_sendrecv_generic_if(boinc_project_t)
+corenet_tcp_sendrecv_generic_node(boinc_project_t)
+corenet_tcp_bind_generic_node(boinc_project_t)
+
+corenet_sendrecv_boinc_client_packets(boinc_project_t)
+corenet_tcp_connect_boinc_port(boinc_project_t)
+corenet_tcp_sendrecv_boinc_port(boinc_project_t)
+
+dev_getattr_input_dev(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
+
+files_dontaudit_search_home(boinc_project_t)
+
+term_getattr_ptmx(boinc_t)
+term_getattr_generic_ptys(boinc_t)
+
+userdom_getattr_user_ttys(boinc_t)
+
+optional_policy(`
+	java_exec(boinc_project_t)
+')

policy/modules/contrib/brctl.fc

@@ -0,0 +1,3 @@
+/usr/bin/brctl	--	gen_context(system_u:object_r:brctl_exec_t,s0)
+
+/usr/sbin/brctl	--	gen_context(system_u:object_r:brctl_exec_t,s0)

policy/modules/contrib/brctl.if

@@ -0,0 +1,45 @@
+## <summary>Utilities for configuring the Linux ethernet bridge.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run brctl.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`brctl_domtrans',`
+	gen_require(`
+		type brctl_t, brctl_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, brctl_exec_t, brctl_t)
+')
+
+########################################
+## <summary>
+##	Execute brctl in the brctl domain, and
+##	allow the specified role the brctl domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`brctl_run',`
+	gen_require(`
+		attribute_role brctl_roles;
+	')
+
+	brctl_domtrans($1)
+	roleattribute $2 brctl_roles;
+')

policy/modules/contrib/brctl.te

@@ -0,0 +1,47 @@
+policy_module(brctl, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role brctl_roles;
+
+type brctl_t;
+type brctl_exec_t;
+init_system_domain(brctl_t, brctl_exec_t)
+role brctl_roles types brctl_t;
+
+########################################
+#
+# Local policy
+#
+
+allow brctl_t self:capability net_admin;
+allow brctl_t self:fifo_file rw_fifo_file_perms;
+allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+allow brctl_t self:tcp_socket create_socket_perms;
+
+kernel_request_load_module(brctl_t)
+kernel_read_network_state(brctl_t)
+kernel_read_sysctl(brctl_t)
+
+corenet_rw_tun_tap_dev(brctl_t)
+
+dev_create_sysfs_files(brctl_t)
+dev_rw_sysfs(brctl_t)
+dev_write_sysfs_dirs(brctl_t)
+
+domain_use_interactive_fds(brctl_t)
+
+files_read_etc_files(brctl_t)
+
+term_dontaudit_use_console(brctl_t)
+
+miscfiles_read_localization(brctl_t)
+
+optional_policy(`
+	xen_append_log(brctl_t)
+	xen_dontaudit_rw_unix_stream_sockets(brctl_t)
+')

policy/modules/contrib/bugzilla.fc

@@ -0,0 +1,4 @@
+/usr/share/bugzilla(/.*)?	-d	gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)?	--	gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+
+/var/lib/bugzilla(/.*)?	gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)

policy/modules/contrib/bugzilla.if

@@ -0,0 +1,80 @@
+## <summary>Bugtracker.</summary>
+
+########################################
+## <summary>
+##	Search bugzilla directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bugzilla_search_content',`
+	gen_require(`
+		type httpd_bugzilla_content_t;
+	')
+
+	allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and
+##	write bugzilla script unix domain
+##	stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`bugzilla_dontaudit_rw_stream_sockets',`
+	gen_require(`
+		type httpd_bugzilla_script_t;
+	')
+
+	dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an bugzilla environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role" unused="true">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bugzilla_admin',`
+	gen_require(`
+		type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+		type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+		type httpd_bugzilla_htaccess_t;
+	')
+
+	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+	ps_process_pattern($1, httpd_bugzilla_script_t)
+
+	files_search_usr($1)
+	admin_pattern($1, httpd_bugzilla_script_exec_t)
+	admin_pattern($1, httpd_bugzilla_script_t)
+	admin_pattern($1, httpd_bugzilla_content_t)
+	admin_pattern($1, httpd_bugzilla_htaccess_t)
+	admin_pattern($1, httpd_bugzilla_ra_content_t)
+
+	files_search_tmp($1)
+	files_search_var_lib($1)
+	admin_pattern($1, httpd_bugzilla_rw_content_t)
+
+	apache_list_sys_content($1)
+')

policy/modules/contrib/bugzilla.te

@@ -0,0 +1,47 @@
+policy_module(bugzilla, 1.1.1)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(bugzilla)
+
+########################################
+#
+# Local policy
+#
+
+allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+
+corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t)
+
+corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+sysnet_dns_name_resolve(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+	mta_send_mail(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(httpd_bugzilla_script_t)
+	mysql_tcp_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(httpd_bugzilla_script_t)
+	postgresql_tcp_connect(httpd_bugzilla_script_t)
+')