refpolicy-base.conf revision 255e72915d4cbddceb435e13d81601755714e9f3
136b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass security
236b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass process
336b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass system
436b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass capability
536b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass filesystem
636b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass file
736b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass dir
836b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass fd
936b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass lnk_file
1036b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass chr_file
1136b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass blk_file
1236b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass sock_file
1336b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass fifo_file
1436b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass socket
1536b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass tcp_socket
1636b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass udp_socket
1736b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass rawip_socket
1836b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass node
1936b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass netif
2036b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass netlink_socket
2136b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass packet_socket
2236b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass key_socket
2336b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass unix_stream_socket
2436b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass unix_dgram_socket
2536b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass sem
2636b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass msg
2736b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass msgq
2836b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass shm
2936b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass ipc
3036b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass passwd			# userspace
3136b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass drawable			# userspace
3236b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass window			# userspace
3336b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass gc			# userspace
3436b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass font			# userspace
3536b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass colormap			# userspace
3636b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass property			# userspace
3736b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass cursor			# userspace
3836b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass xclient			# userspace
3936b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass xinput			# userspace
4036b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass xserver			# userspace
4136b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass xextension		# userspace
4236b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass pax
4336b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass netlink_route_socket
4436b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass netlink_firewall_socket
4536b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass netlink_tcpdiag_socket
4636b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass netlink_nflog_socket
4736b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass netlink_xfrm_socket
4836b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass netlink_selinux_socket
4936b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass netlink_audit_socket
5036b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass netlink_ip6fw_socket
5136b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass netlink_dnrt_socket
5236b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass dbus			# userspace
5336b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass nscd			# userspace
5436b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass association
5536b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesclass netlink_kobject_uevent_socket
5636b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid kernel
5736b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid security
5836b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid unlabeled
5936b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid fs
6036b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid file
6136b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid file_labels
6236b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid init
6336b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid any_socket
6436b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid port
6536b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid netif
6636b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid netmsg
6736b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid node
6836b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid igmp_packet
6936b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid icmp_socket
7036b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid tcp_socket
7136b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid sysctl_modprobe
7236b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid sysctl
7336b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid sysctl_fs
7436b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid sysctl_kernel
7536b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid sysctl_net
7636b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid sysctl_net_unix
7736b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid sysctl_vm
7836b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid sysctl_dev
7936b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid kmod
8036b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid policy
8136b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid scmp_packet
8236b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinessid devnull
# Common permission set "file": the base permissions shared by the file-like
# object classes. Every class below that says "inherits file" (dir, file,
# lnk_file, chr_file, blk_file, sock_file, fifo_file) gets all of these in
# addition to any permissions it lists itself.
# NOTE(review): when auditing allow rules, treat relabelfrom/relabelto, execute,
# mounton, swapon and quotaon as the sensitive members of this set; they change
# labels, run code or alter system state, unlike read/getattr.
8336b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinescommon file
8436b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hines{
8536b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hines	ioctl
8636b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hines	read
8736b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hines	write
88	create
89	getattr
90	setattr
91	lock
92	relabelfrom	# source side of a label change: object currently carries this type
93	relabelto	# target side of a label change: object is being given this type
94	append
95	unlink
96	link
97	rename
98	execute
99	swapon
100	quotaon
101	mounton
102}
# Common permission set "socket": inherited by every class below that says
# "inherits socket" (socket, tcp_socket, udp_socket, rawip_socket, packet_socket,
# key_socket, the unix_* sockets and the netlink_* socket classes).
# name_bind is the permission checked against a port label when a socket binds;
# the *_port_t types declared later in this file are the targets of such rules.
103common socket
104{
105	ioctl
106	read
107	write
108	create
109	getattr
110	setattr
111	lock
112	relabelfrom
113	relabelto
114	append
115	bind
116	connect
117	listen
118	accept
119	getopt
120	setopt
121	shutdown
122	recvfrom
123	sendto
124	recv_msg
125	send_msg
126	name_bind
127}	
# Common permission set "ipc": inherited by the ipc, sem, msgq and shm classes
# defined further down (the System V IPC object classes). The msg class does
# not inherit it and defines only send/receive.
128common ipc
129{
130	create
131	destroy
132	getattr
133	setattr
134	read
135	write
136	associate
137	unix_read
138	unix_write
139}
# Access vector for whole filesystems (as opposed to objects inside them).
# "associate" is the permission used by the "allow <type> fs_t:filesystem
# associate;" rules near the end of this listing: it controls which object
# labels may exist on a filesystem carrying a given label.
# NOTE(review): mount/remount/unmount and relabelfrom/relabelto here are
# administrative operations; grants to non-administrative domains warrant review.
140class filesystem
141{
142	mount
143	remount
144	unmount
145	getattr
146	relabelfrom
147	relabelto
148	transition
149	associate
150	quotamod
151	quotaget
152}
# Directory class: the common "file" permissions plus the directory-specific
# ones below. Creating or removing an entry needs add_name/remove_name on the
# directory in addition to the permission on the entry itself.
153class dir
154inherits file
155{
156	add_name
157	remove_name
158	reparent
159	search
160	rmdir
161}
# Regular-file class: the common "file" permissions plus three execution-related
# ones that drive domain transitions and code-integrity checks.
162class file
163inherits file
164{
165	execute_no_trans	# execute the file in the caller's own domain (no domain transition)
166	entrypoint	# the file may be the entry point into the target domain on a transition
167	execmod	# make executable a file mapping that was modified (e.g. text relocations)
168}
# Remaining file-like classes. lnk_file, blk_file, sock_file and fifo_file add
# nothing to the common "file" set. chr_file repeats the three execution-related
# permissions that the file class defines.
169class lnk_file
170inherits file
171class chr_file
172inherits file
173{
174	execute_no_trans
175	entrypoint
176	execmod
177}
178class blk_file
179inherits file
180class sock_file
181inherits file
182class fifo_file
183inherits file
# File-descriptor class. "use" governs whether a domain may use a descriptor
# that was opened by (and is labeled with) another domain, e.g. one inherited
# across exec or passed over a socket. The privfd attribute declared later in
# this file presumably marks domains whose descriptors are widely usable -
# confirm against the rules that reference it.
184class fd
185{
186	use
187}
# Generic and IP socket classes; all inherit the common "socket" set.
# node_bind is checked against the node (address) label on bind, and
# tcp_socket's name_connect against the port label on connect. Together with
# the inherited name_bind these are the permissions that tie a domain to
# specific *_port_t / node types.
188class socket
189inherits socket
190class tcp_socket
191inherits socket
192{
193	connectto
194	newconn
195	acceptfrom
196	node_bind
197	name_connect
198}
199class udp_socket
200inherits socket
201{
202	node_bind
203}
204class rawip_socket
205inherits socket
206{
207	node_bind
208}
# Per-protocol send/receive permissions checked against network node (address)
# labels and network interface labels. The node_type and netif_type attributes
# declared later in this file group the types these rules target.
# node additionally defines enforce_dest; netif has no counterpart.
209class node 
210{
211	tcp_recv
212	tcp_send
213	udp_recv
214	udp_send
215	rawip_recv
216	rawip_send
217	enforce_dest
218}
219class netif
220{
221	tcp_recv
222	tcp_send
223	udp_recv
224	udp_send
225	rawip_recv
226	rawip_send
227}
# Generic netlink, packet, PF_KEY and UNIX-domain socket classes; all inherit
# the common "socket" set. Only unix_stream_socket adds permissions, the same
# connection-oriented trio (connectto/newconn/acceptfrom) that tcp_socket has.
228class netlink_socket
229inherits socket
230class packet_socket
231inherits socket
232class key_socket
233inherits socket
234class unix_stream_socket
235inherits socket
236{
237	connectto
238	newconn
239	acceptfrom
240}
241class unix_dgram_socket
242inherits socket
# Process class: permissions one domain may exercise on a process (including
# itself). Several of these are the core of SELinux's confinement guarantees
# and are the ones to check first when reviewing a domain's rules:
#   - transition / dyntransition / setcurrent: changing security context
#   - ptrace: inspecting or controlling another process
#   - noatsecure / siginh / rlimitinh: state carried across a domain transition
#   - execmem / execstack / execheap: creating writable-and-executable memory
# Booleans named allow_execmem, allow_execstack, allow_execheap and allow_ptrace
# are declared later in this file; presumably they gate rules granting the
# matching permissions - confirm against the conditional blocks.
243class process
244{
245	fork
246	transition	# change domain across execve
247	sigchld # commonly granted from child to parent
248	sigkill # cannot be caught or ignored
249	sigstop # cannot be caught or ignored
250	signull # for kill(pid, 0)
251	signal  # all other signals
252	ptrace
253	getsched
254	setsched
255	getsession
256	getpgid
257	setpgid
258	getcap
259	setcap
260	share
261	getattr
262	setexec	# set the context to be used for the next execve
263	setfscreate	# set the context to be used for newly created files
264	noatsecure	# skip secure-mode (AT_SECURE) environment sanitising on transition
265	siginh	# keep signal state across a transition
266	setrlimit
267	rlimitinh	# keep resource limits across a transition
268	dyntransition	# change domain without an exec
269	setcurrent	# set the process's own current context
270	execmem	# make anonymous or private writable memory executable
271	execstack	# make the stack executable
272	execheap	# make the heap executable
273}
# System V IPC classes. ipc, sem, msgq and shm inherit the common "ipc" set;
# msgq adds enqueue and shm adds lock. msg (an individual message) stands alone
# with send/receive only.
274class ipc
275inherits ipc
276class sem
277inherits ipc
278class msgq
279inherits ipc
280{
281	enqueue
282}
283class msg
284{
285	send
286	receive
287}
288class shm
289inherits ipc
290{
291	lock
292}
# Security-server class: permissions on SELinux itself. The compute_* and
# check_context permissions are queries; load_policy, setenforce, setbool,
# setsecparam and setcheckreqprot change how the policy is enforced.
# NOTE(review): a domain holding load_policy or setenforce can replace or
# switch off enforcement, so these should be granted only to the few types
# carrying the can_load_policy / can_setenforce / can_setsecparam attributes
# declared later in this file. The secure_mode_policyload boolean is presumably
# an additional gate - confirm against the conditional rules.
293class security
294{
295	compute_av
296	compute_create
297	compute_member
298	check_context
299	load_policy
300	compute_relabel
301	compute_user
302	setenforce     # was avc_toggle in system class
303	setbool
304	setsecparam
305	setcheckreqprot
306}
# System-wide operations: querying IPC state and reading, modifying or
# redirecting the kernel log. The can_receive_kernel_messages attribute declared
# later in this file presumably groups the domains given syslog access - confirm.
307class system
308{
309	ipc_info
310	syslog_read  
311	syslog_mod
312	syslog_console
313}
# Capability class: one permission per Linux capability, named after the
# capability (CAP_CHOWN -> chown, and so on). A process needs both the Linux
# capability and the matching SELinux permission for the privileged operation
# to succeed, so these rules cap what a root process in a given domain can do.
# NOTE(review): dac_override, dac_read_search, setuid, setgid, setpcap,
# net_admin, net_raw, sys_module, sys_rawio, sys_ptrace and sys_admin are the
# grants that most weaken confinement; audit every allow rule that names them.
314class capability
315{
316	chown           
317	dac_override    # bypass file permission checks
318	dac_read_search # bypass read/search permission checks
319	fowner          
320	fsetid          
321	kill            
322	setgid           
323	setuid           
324	setpcap          
325	linux_immutable  
326	net_bind_service 
327	net_broadcast    
328	net_admin        
329	net_raw          
330	ipc_lock         
331	ipc_owner        
332	sys_module       # load and unload kernel modules
333	sys_rawio        # raw I/O port and memory device access
334	sys_chroot       
335	sys_ptrace       
336	sys_pacct        
337	sys_admin        # broad catch-all administrative capability
338	sys_boot         
339	sys_nice         
340	sys_resource     
341	sys_time         
342	sys_tty_config  
343	mknod
344	lease
345	audit_write
346	audit_control
347}
# Userspace class (marked "# userspace" in the class list at the top of this
# file): checked by account-management programs rather than by the kernel.
# Each permission covers acting on ANOTHER user's account data; rootok lets
# pam_rootok treat the caller as authenticated without a password, so it is
# the most sensitive grant here.
348class passwd
349{
350	passwd	# change another user passwd
351	chfn	# change another user finger info
352	chsh	# change another user shell
353	rootok  # pam_rootok check (skip auth)
354	crontab # crontab on another user
355}
# X Window System object classes. All of them are marked "# userspace" in the
# class list at the top of this file, i.e. they are meant to be enforced by a
# userspace object manager rather than by the kernel.
# NOTE(review): from a confinement point of view the interesting permissions
# are the ones that let one client observe or steer another client's input or
# windows - xinput activegrab/passivegrab/warppointer, window inputevent and
# chproplist/chprop, property read/write, xclient kill and xserver
# sethostlist/grab. How they are granted is not visible in this part of the file.
356class drawable
357{
358	create
359	destroy
360	draw
361	copy
362	getattr
363}
364class gc
365{
366	create
367	free
368	getattr
369	setattr
370}
371class window 
372{
373	addchild
374	create
375	destroy
376	map
377	unmap
378	chstack
379	chproplist
380	chprop	
381	listprop
382	getattr
383	setattr
384	setfocus
385	move
386	chselection
387	chparent
388	ctrllife
389	enumerate
390	transparent
391	mousemotion
392	clientcomevent
393	inputevent
394	drawevent
395	windowchangeevent
396	windowchangerequest
397	serverchangeevent
398	extensionevent
399}
400class font
401{
402	load
403	free
404	getattr
405	use
406}
407class colormap
408{
409	create
410	free
411	install
412	uninstall
413	list
414	read
415	store
416	getattr
417	setattr
418}
419class property
420{
421	create
422	free
423	read
424	write
425}
426class cursor
427{
428	create
429	createglyph
430	free
431	assign
432	setattr
433}
434class xclient
435{
436	kill
437}
438class xinput
439{
440	lookup
441	getattr
442	setattr
443	setfocus
444	warppointer
445	activegrab
446	passivegrab
447	ungrab
448	bell
449	mousemotion
450	relabelinput
451}
452class xserver
453{
454	screensaver
455	gethostlist
456	sethostlist
457	getfontpath
458	setfontpath
459	getattr
460	grab
461	ungrab
462}
463class xextension
464{
465	query
466	use
467}
# PaX class: one permission per PaX memory-protection feature, as described by
# the inline comments. Whether a granted permission enables or exempts the
# feature for a domain is not visible in this file - confirm against the
# kernel patch that consumes this class.
468class pax
469{
470	pageexec	# Paging based non-executable pages
471	emutramp	# Emulate trampolines
472	mprotect	# Restrict mprotect()
473	randmmap	# Randomize mmap() base
474	randexec	# Randomize ET_EXEC base
475	segmexec	# Segmentation based non-executable pages
476}
# Protocol-specific netlink socket classes; all inherit the common "socket"
# set. Where present, nlmsg_read and nlmsg_write split the protocol's messages
# into those that only query kernel state and those that change it, so a
# domain can be allowed to inspect routing/firewall/IPsec/audit state without
# being able to modify it.
# netlink_audit_socket additionally defines nlmsg_relay and nlmsg_readpriv.
# netlink_nflog_socket, netlink_selinux_socket and netlink_dnrt_socket add
# nothing beyond the common set.
477class netlink_route_socket
478inherits socket
479{
480	nlmsg_read
481	nlmsg_write
482}
483class netlink_firewall_socket
484inherits socket
485{
486	nlmsg_read
487	nlmsg_write
488}
489class netlink_tcpdiag_socket
490inherits socket
491{
492	nlmsg_read
493	nlmsg_write
494}
495class netlink_nflog_socket
496inherits socket
497class netlink_xfrm_socket
498inherits socket
499{
500	nlmsg_read
501	nlmsg_write
502}
503class netlink_selinux_socket
504inherits socket
505class netlink_audit_socket
506inherits socket
507{
508	nlmsg_read
509	nlmsg_write
510	nlmsg_relay
511	nlmsg_readpriv
512}
513class netlink_ip6fw_socket
514inherits socket
515{
516	nlmsg_read
517	nlmsg_write
518}
519class netlink_dnrt_socket
520inherits socket
# Userspace classes (marked "# userspace" in the class list at the top of this
# file) for the D-Bus message bus and the name service cache daemon.
# dbus: acquire_svc controls owning a bus name, send_msg controls messaging
# another domain over the bus.
# nscd: the get* permissions are per-database lookups, the shmem* permissions
# are the shared-memory variants, and admin covers daemon administration.
521class dbus
522{
523	acquire_svc
524	send_msg
525}
526class nscd
527{
528	getpwd
529	getgrp
530	gethost
531	getstat
532	admin
533	shmempwd
534	shmemgrp
535	shmemhost
536}
# association: permissions on IPsec security associations, used for labeled
# networking (sendto/recvfrom through an association, setcontext to label one).
# netlink_kobject_uevent_socket: kernel uevent netlink sockets; common "socket"
# permissions only.
537class association
538{
539	sendto
540	recvfrom
541	setcontext
542}
543class netlink_kobject_uevent_socket
544inherits socket
# MLS/MCS level definitions start here. Only one sensitivity, s0, is declared
# and it is the sole entry in the dominance list, so there is no hierarchy of
# levels in this policy: separation between contexts comes entirely from the
# categories (c0 through c255) declared on the lines that follow.
545sensitivity s0;
546dominance { s0 }
547category c0; category c1; category c2; category c3;
548category c4; category c5; category c6; category c7;
549category c8; category c9; category c10; category c11;
550category c12; category c13; category c14; category c15;
551category c16; category c17; category c18; category c19;
552category c20; category c21; category c22; category c23;
553category c24; category c25; category c26; category c27;
554category c28; category c29; category c30; category c31;
555category c32; category c33; category c34; category c35;
556category c36; category c37; category c38; category c39;
557category c40; category c41; category c42; category c43;
558category c44; category c45; category c46; category c47;
559category c48; category c49; category c50; category c51;
560category c52; category c53; category c54; category c55;
561category c56; category c57; category c58; category c59;
562category c60; category c61; category c62; category c63;
563category c64; category c65; category c66; category c67;
564category c68; category c69; category c70; category c71;
565category c72; category c73; category c74; category c75;
566category c76; category c77; category c78; category c79;
567category c80; category c81; category c82; category c83;
568category c84; category c85; category c86; category c87;
569category c88; category c89; category c90; category c91;
570category c92; category c93; category c94; category c95;
571category c96; category c97; category c98; category c99;
572category c100; category c101; category c102; category c103;
573category c104; category c105; category c106; category c107;
574category c108; category c109; category c110; category c111;
575category c112; category c113; category c114; category c115;
576category c116; category c117; category c118; category c119;
577category c120; category c121; category c122; category c123;
578category c124; category c125; category c126; category c127;
579category c128; category c129; category c130; category c131;
580category c132; category c133; category c134; category c135;
581category c136; category c137; category c138; category c139;
582category c140; category c141; category c142; category c143;
583category c144; category c145; category c146; category c147;
584category c148; category c149; category c150; category c151;
585category c152; category c153; category c154; category c155;
586category c156; category c157; category c158; category c159;
587category c160; category c161; category c162; category c163;
588category c164; category c165; category c166; category c167;
589category c168; category c169; category c170; category c171;
590category c172; category c173; category c174; category c175;
591category c176; category c177; category c178; category c179;
592category c180; category c181; category c182; category c183;
593category c184; category c185; category c186; category c187;
594category c188; category c189; category c190; category c191;
595category c192; category c193; category c194; category c195;
596category c196; category c197; category c198; category c199;
597category c200; category c201; category c202; category c203;
598category c204; category c205; category c206; category c207;
599category c208; category c209; category c210; category c211;
600category c212; category c213; category c214; category c215;
601category c216; category c217; category c218; category c219;
602category c220; category c221; category c222; category c223;
603category c224; category c225; category c226; category c227;
604category c228; category c229; category c230; category c231;
605category c232; category c233; category c234; category c235;
606category c236; category c237; category c238; category c239;
607category c240; category c241; category c242; category c243;
608category c244; category c245; category c246; category c247;
609category c248; category c249; category c250; category c251;
610category c252; category c253; category c254; category c255;
# Associates sensitivity s0 with the full category range c0 through c255, so a
# context at s0 may carry any subset of those categories.
611level s0:c0.c255;
# Level-based constraints. In constraint expressions l1/h1 are the low/high
# level of the source context, l2/h2 those of the target, and t1/t2 the source
# and target types. "dom" is level dominance; with the single sensitivity s0
# declared above it reduces to "the source's category set contains the
# target's". A constraint can only remove access: the operation must also be
# permitted by an allow rule.
#
# NOTE(review): in the lines shown, constraints cover regular-file operations,
# create/relabel on the other file-like classes, and process ptrace/sigkill/
# sigstop. No constraint here covers directory read/search, sockets or IPC, so
# category separation does not extend to those unless defined elsewhere.

# Modifying, executing or relabeling-from a regular file: source must dominate the file.
612mlsconstrain file { write setattr append unlink link rename
613		    ioctl lock execute relabelfrom } (h1 dom h2);
# Creating or relabeling-to: source must dominate, and the new label's low and
# high levels must be equal (no ranged file labels).
614mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
# Reading: dominance is waived when the target type has the domain attribute or
# the source type has the mlsfileread attribute.
# NOTE(review): the t2 == domain exemption presumably exists for per-process
# files; it and mlsfileread both bypass category checks on read, so membership
# of these attributes should be reviewed - confirm intent.
615mlsconstrain file { read } ((h1 dom h2) or ( t2 == domain ) or ( t1 == mlsfileread ));
# Same relabelfrom / create / relabelto rules for the other file-like classes.
616mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
617	( h1 dom h2 );
618mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
619	(( h1 dom h2 ) and ( l2 eq h2 ));
# A process may ptrace only processes whose level it dominates.
620mlsconstrain process { ptrace } ( h1 dom h2 );
# sigkill/sigstop require dominance unless the sender's type has mcskillall.
621mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or
622		( t1 == mcskillall );
# NOTE(review): ties xextension query to mlsfileread, which is unrelated to X;
# this looks like a placeholder that keeps the attribute referenced - confirm.
623mlsconstrain xextension query ( t1 == mlsfileread );
624attribute netif_type;
625attribute node_type;
626attribute port_type;
627attribute reserved_port_type;
628attribute device_node;
629attribute memory_raw_read;
630attribute memory_raw_write;
631attribute domain;
632attribute unconfined_domain_type;
633attribute set_curr_context;
634attribute entry_type;
635attribute privfd;
636attribute can_change_process_identity;
637attribute can_change_process_role;
638attribute can_change_object_identity;
639attribute can_system_change;
640attribute process_user_target;
641attribute cron_source_domain;
642attribute cron_job_domain;
643attribute process_uncond_exempt;	# add userhelperdomain to this one
644attribute file_type;
645attribute lockfile;
646attribute mountpoint;
647attribute pidfile;
648attribute polydir;
649attribute usercanread;
650attribute polyparent;
651attribute polymember;
652attribute security_file_type;
653attribute tmpfile;
654attribute tmpfsfile;
655attribute filesystem_type;
656attribute noxattrfs;
657attribute can_load_kernmodule;
658attribute can_receive_kernel_messages;
659attribute kern_unconfined;
660attribute proc_type;
661attribute sysctl_type;
662attribute mcskillall;
663attribute mlsfileread;
664attribute mlsfilereadtoclr;
665attribute mlsfilewrite;
666attribute mlsfilewritetoclr;
667attribute mlsfileupgrade;
668attribute mlsfiledowngrade;
669attribute mlsnetread;
670attribute mlsnetreadtoclr;
671attribute mlsnetwrite;
672attribute mlsnetwritetoclr;
673attribute mlsnetupgrade;
674attribute mlsnetdowngrade;
675attribute mlsnetrecvall;
676attribute mlsipcread;
677attribute mlsipcreadtoclr;
678attribute mlsipcwrite;
679attribute mlsipcwritetoclr;
680attribute mlsprocread;
681attribute mlsprocreadtoclr;
682attribute mlsprocwrite;
683attribute mlsprocwritetoclr;
684attribute mlsprocsetsl;
685attribute mlsxwinread;
686attribute mlsxwinreadtoclr;
687attribute mlsxwinwrite;
688attribute mlsxwinwritetoclr;
689attribute mlsxwinreadproperty;
690attribute mlsxwinwriteproperty;
691attribute mlsxwinreadcolormap;
692attribute mlsxwinwritecolormap;
693attribute mlsxwinwritexinput;
694attribute mlstrustedobject;
695attribute privrangetrans;
696attribute mlsrangetrans;
697attribute can_load_policy;
698attribute can_setenforce;
699attribute can_setsecparam;
700attribute ttynode;
701attribute ptynode;
702attribute server_ptynode;
703attribute serial_device;
704type bin_t;
705type sbin_t;
706type ls_exec_t;
707type shell_exec_t;
708type chroot_exec_t;
709type ppp_device_t;
710type tun_tap_device_t;
711type port_t, port_type;
712type reserved_port_t, port_type, reserved_port_type;
713type afs_bos_port_t, port_type;
714type afs_fs_port_t, port_type;
715type afs_ka_port_t, port_type;
716type afs_pt_port_t, port_type;
717type afs_vl_port_t, port_type;
718type amanda_port_t, port_type;
719type amavisd_recv_port_t, port_type;
720type amavisd_send_port_t, port_type;
721type asterisk_port_t, port_type;
722type auth_port_t, port_type;
723type bgp_port_t, port_type;
724type biff_port_t, port_type, reserved_port_type; 
725type clamd_port_t, port_type;
726type clockspeed_port_t, port_type;
727type comsat_port_t, port_type;
728type cvs_port_t, port_type;
729type dcc_port_t, port_type;
730type dbskkd_port_t, port_type;
731type dhcpc_port_t, port_type;
732type dhcpd_port_t, port_type;
733type dict_port_t, port_type;
734type distccd_port_t, port_type;
735type dns_port_t, port_type;
736type fingerd_port_t, port_type;
737type ftp_data_port_t, port_type;
738type ftp_port_t, port_type;
739type gatekeeper_port_t, port_type;
740type giftd_port_t, port_type;
741type gopher_port_t, port_type;
742type http_cache_port_t, port_type;
743type http_port_t, port_type;
744type howl_port_t, port_type;
745type hplip_port_t, port_type;
746type i18n_input_port_t, port_type;
747type imaze_port_t, port_type;
748type inetd_child_port_t, port_type;
749type innd_port_t, port_type;
750type ipp_port_t, port_type;
751type ircd_port_t, port_type;
752type isakmp_port_t, port_type;
753type jabber_client_port_t, port_type;
754type jabber_interserver_port_t, port_type;
755type kerberos_admin_port_t, port_type;
756type kerberos_master_port_t, port_type;
757type kerberos_port_t, port_type;
758type ktalkd_port_t, port_type;
759type ldap_port_t, port_type;
760type lrrd_port_t, port_type; 
761type mail_port_t, port_type;
762type monopd_port_t, port_type;
763type mysqld_port_t, port_type;
764type nessus_port_t, port_type;
765type nmbd_port_t, port_type;
766type ntp_port_t, port_type;
767type openvpn_port_t, port_type;
768type pegasus_http_port_t, port_type;
769type pegasus_https_port_t, port_type;
770type pop_port_t, port_type;
771type portmap_port_t, port_type;
772type postgresql_port_t, port_type;
773type postgrey_port_t, port_type;
774type printer_port_t, port_type;
775type ptal_port_t, port_type;
776type pxe_port_t, port_type;
777type pyzor_port_t, port_type;
778type radacct_port_t, port_type;
779type radius_port_t, port_type;
780type razor_port_t, port_type;
781type rlogind_port_t, port_type;
782type rndc_port_t, port_type;
783type router_port_t, port_type;
784type rsh_port_t, port_type;
785type rsync_port_t, port_type;
786type smbd_port_t, port_type;
787type smtp_port_t, port_type;
788type snmp_port_t, port_type;
789type spamd_port_t, port_type;
790type ssh_port_t, port_type;
791type soundd_port_t, port_type;
792type socks_port_t, port_type; type stunnel_port_t, port_type; 
793type swat_port_t, port_type;
794type syslogd_port_t, port_type;
795type telnetd_port_t, port_type;
796type tftp_port_t, port_type;
797type transproxy_port_t, port_type;
798type utcpserver_port_t, port_type; 
799type uucpd_port_t, port_type;
800type vnc_port_t, port_type;
801type xserver_port_t, port_type;
802type xen_port_t, port_type;
803type zebra_port_t, port_type;
804type zope_port_t, port_type;
805type node_t, node_type;
806type compat_ipv4_node_t alias node_compat_ipv4_t, node_type;
807type inaddr_any_node_t alias node_inaddr_any_t, node_type;
808type node_internal_t, node_type; 
809type link_local_node_t alias node_link_local_t, node_type;
810type lo_node_t alias node_lo_t, node_type;
811type mapped_ipv4_node_t alias node_mapped_ipv4_t, node_type;
812type multicast_node_t alias node_multicast_t, node_type;
813type site_local_node_t alias node_site_local_t, node_type;
814type unspec_node_t alias node_unspec_t, node_type;
815type netif_t, netif_type;
816type device_t;
817type agp_device_t;
818type apm_bios_t;
819type cardmgr_dev_t;
820type clock_device_t;
821type cpu_device_t;
822type crypt_device_t;
823type dri_device_t;
824type event_device_t;
825type framebuf_device_t;
826type lvm_control_t;
827type memory_device_t;
828type misc_device_t;
829type mouse_device_t;
830type mtrr_device_t;
831type null_device_t;
832type power_device_t;
833type printer_device_t;
834type random_device_t;
835type scanner_device_t;
836type sound_device_t;
837type sysfs_t;
838type urandom_device_t;
839type usbfs_t alias usbdevfs_t;
840type usb_device_t;
841type v4l_device_t;
842type xserver_misc_device_t;
843type zero_device_t;
844type xconsole_device_t;
845type devfs_control_t;
846type boot_t;
847type default_t, file_type, mountpoint;
848type etc_t, file_type;
849type etc_runtime_t, file_type;
850type file_t, file_type, mountpoint;
851type home_root_t, file_type, mountpoint;
852type lost_found_t, file_type;
853type mnt_t, file_type, mountpoint;
854type modules_object_t;
855type no_access_t, file_type;
856type poly_t, file_type;
857type readable_t, file_type;
858type root_t, file_type, mountpoint;
859type src_t, file_type, mountpoint;
860type system_map_t;
861type tmp_t, mountpoint; #, polydir
862type usr_t, file_type, mountpoint;
863type var_t, file_type, mountpoint;
864type var_lib_t, file_type, mountpoint;
865type var_lock_t, file_type, lockfile;
866type var_run_t, file_type, pidfile;
867type var_spool_t;
868type fs_t;
869type bdev_t;
870type binfmt_misc_fs_t;
871type capifs_t;
872type configfs_t;
873type eventpollfs_t;
874type futexfs_t;
875type hugetlbfs_t;
876type inotifyfs_t;
877type nfsd_fs_t;
878type ramfs_t;
879type romfs_t;
880type rpc_pipefs_t;
881type tmpfs_t;
882type autofs_t, noxattrfs;
883type cifs_t alias sambafs_t, noxattrfs;
884type dosfs_t, noxattrfs;
885type iso9660_t, filesystem_type, noxattrfs;
886type removable_t, noxattrfs;
887type nfs_t, filesystem_type, noxattrfs;
888type kernel_t, can_load_kernmodule;
889type debugfs_t;
890type proc_t, proc_type;
891type proc_kmsg_t, proc_type;
892type proc_kcore_t, proc_type;
893type proc_mdstat_t, proc_type;
894type proc_net_t, proc_type;
895type proc_xen_t, proc_type;
896type sysctl_t, sysctl_type;
897type sysctl_irq_t, sysctl_type;
898type sysctl_rpc_t, sysctl_type;
899type sysctl_fs_t, sysctl_type;
900type sysctl_kernel_t, sysctl_type;
901type sysctl_modprobe_t, sysctl_type;
902type sysctl_hotplug_t, sysctl_type;
903type sysctl_net_t, sysctl_type;
904type sysctl_net_unix_t, sysctl_type;
905type sysctl_vm_t, sysctl_type;
906type sysctl_dev_t, sysctl_type;
907type unlabeled_t;
908type auditd_exec_t;
909type crond_exec_t;
910type cupsd_exec_t;
911type getty_t;
912type init_t;
913type init_exec_t;
914type initrc_t;
915type initrc_exec_t;
916type login_exec_t;
917type sshd_exec_t;
918type su_exec_t;
919type udev_exec_t;
920type unconfined_t;
921type xdm_exec_t;
922type lvm_exec_t;
923type security_t;
924type bsdpty_device_t;
925type console_device_t;
926type devpts_t;
927type devtty_t;
928type ptmx_t;
929type tty_device_t, serial_device;
930type usbtty_device_t, serial_device;
# Conditional-policy booleans. "bool NAME DEFAULT;" declares a boolean that can
# be toggled at runtime and gives its value when the policy is loaded. The
# conditional rules these booleans gate are not in this part of the file, so
# the per-line notes below are inferred from the names and should be confirmed
# against the matching if-blocks.
# NOTE(review): a boolean that defaults to true is access granted out of the
# box. When hardening, check each true default against what the system needs.
931	bool secure_mode false;
932	bool secure_mode_insmod false;
933	bool secure_mode_policyload false;
934		bool allow_cvs_read_shadow false;
935		bool allow_execheap false;
936		bool allow_execmem true;	# NOTE(review): true by default; presumably permits process execmem - confirm
937		bool allow_execmod false;
938		bool allow_execstack true;	# NOTE(review): true by default; presumably permits process execstack - confirm
939		bool allow_ftpd_anon_write false;
940		bool allow_gssd_read_tmp true;
941		bool allow_httpd_anon_write false;
942		bool allow_java_execstack false;
943		bool allow_kerberos true;
944		bool allow_rsync_anon_write false;
945		bool allow_saslauthd_read_shadow false;
946		bool allow_smbd_anon_write false;
947		bool allow_ptrace false;
948		bool allow_ypbind false;
949		bool fcron_crond false;
950		bool ftp_home_dir false;
951		bool ftpd_is_daemon true;
952		bool httpd_builtin_scripting true;
953		bool httpd_can_network_connect false;
954		bool httpd_can_network_connect_db false;
955		bool httpd_can_network_relay false;
956		bool httpd_enable_cgi true;
957		bool httpd_enable_ftp_server false;
958		bool httpd_enable_homedirs true;
959		bool httpd_ssi_exec true;
960		bool httpd_tty_comm false;
961		bool httpd_unified true;	# NOTE(review): true by default; presumably merges the httpd content types - confirm
962		bool named_write_master_zones false;
963		bool nfs_export_all_rw true;	# NOTE(review): true by default; presumably lets NFS export any file read-write - confirm
964		bool nfs_export_all_ro true;
965		bool pppd_can_insmod false;
966		bool read_default_t true;	# NOTE(review): true by default; presumably lets domains read default_t files - confirm
967		bool run_ssh_inetd false;
968		bool samba_enable_home_dirs false;
969		bool spamassasin_can_network false;
970		bool squid_connect_any false;
971		bool ssh_sysadm_login false;
972		bool stunnel_is_daemon false;
973		bool use_nfs_home_dirs false;
974		bool use_samba_home_dirs false;
975		bool user_ping true;
976		bool spamd_enable_home_dirs true;
# Per-type boilerplate for types declared earlier in this file. The repeated
# three-line shape suggests macro-expanded output - confirm against the source
# modules. For each file type:
#   allow T fs_t:filesystem associate;       objects labeled T may live on fs_t filesystems
#   allow T noxattrfs:filesystem associate;  ... and on filesystems whose type has the noxattrfs attribute
#   typeattribute T file_type;               T joins the file_type attribute
# Only ls_exec_t is additionally given entry_type in the lines shown.
977	allow bin_t fs_t:filesystem associate;
978	allow bin_t noxattrfs:filesystem associate;
979	typeattribute bin_t file_type;
980	allow sbin_t fs_t:filesystem associate;
981	allow sbin_t noxattrfs:filesystem associate;
982	typeattribute sbin_t file_type;
983	allow ls_exec_t fs_t:filesystem associate;
984	allow ls_exec_t noxattrfs:filesystem associate;
985	typeattribute ls_exec_t file_type;
986typeattribute ls_exec_t entry_type;
987	allow shell_exec_t fs_t:filesystem associate;
988	allow shell_exec_t noxattrfs:filesystem associate;
989	typeattribute shell_exec_t file_type;
990	allow chroot_exec_t fs_t:filesystem associate;
991	allow chroot_exec_t noxattrfs:filesystem associate;
992	typeattribute chroot_exec_t file_type;
# Device-node types: tagged with the device_node attribute and allowed on
# filesystems labeled fs_t, tmpfs_t or tmp_t. They are not added to file_type here.
993	typeattribute ppp_device_t device_node;
994	allow ppp_device_t fs_t:filesystem associate;
995	allow ppp_device_t tmpfs_t:filesystem associate;
996	allow ppp_device_t tmp_t:filesystem associate;
997	typeattribute tun_tap_device_t device_node;
998	allow tun_tap_device_t fs_t:filesystem associate;
999	allow tun_tap_device_t tmpfs_t:filesystem associate;
1000	allow tun_tap_device_t tmp_t:filesystem associate;
1001typeattribute auth_port_t reserved_port_type;
1002typeattribute bgp_port_t reserved_port_type;
1003typeattribute bgp_port_t reserved_port_type;
1004typeattribute comsat_port_t reserved_port_type;
1005typeattribute dhcpc_port_t reserved_port_type;
1006typeattribute dhcpd_port_t reserved_port_type;
1007typeattribute dhcpd_port_t reserved_port_type;
1008typeattribute dhcpd_port_t reserved_port_type;
1009typeattribute dhcpd_port_t reserved_port_type;
1010typeattribute dhcpd_port_t reserved_port_type;
1011typeattribute dns_port_t reserved_port_type;
1012typeattribute dns_port_t reserved_port_type;
1013typeattribute fingerd_port_t reserved_port_type;
1014typeattribute ftp_data_port_t reserved_port_type;
1015typeattribute ftp_port_t reserved_port_type;
1016typeattribute gopher_port_t reserved_port_type;
1017typeattribute gopher_port_t reserved_port_type;
1018typeattribute http_port_t reserved_port_type;
1019typeattribute http_port_t reserved_port_type;
1020typeattribute http_port_t reserved_port_type;
1021typeattribute inetd_child_port_t reserved_port_type;
1022typeattribute inetd_child_port_t reserved_port_type;
1023typeattribute inetd_child_port_t reserved_port_type;
1024typeattribute inetd_child_port_t reserved_port_type;
1025typeattribute inetd_child_port_t reserved_port_type;
1026typeattribute inetd_child_port_t reserved_port_type;
1027typeattribute inetd_child_port_t reserved_port_type;
1028typeattribute inetd_child_port_t reserved_port_type;
1029typeattribute inetd_child_port_t reserved_port_type;
1030typeattribute inetd_child_port_t reserved_port_type;
1031typeattribute inetd_child_port_t reserved_port_type;
1032typeattribute inetd_child_port_t reserved_port_type;
1033typeattribute inetd_child_port_t reserved_port_type;
1034typeattribute inetd_child_port_t reserved_port_type;
1035typeattribute inetd_child_port_t reserved_port_type;
1036typeattribute inetd_child_port_t reserved_port_type;
1037typeattribute inetd_child_port_t reserved_port_type;
1038typeattribute innd_port_t reserved_port_type;
1039typeattribute ipp_port_t reserved_port_type;
1040typeattribute ipp_port_t reserved_port_type;
1041typeattribute isakmp_port_t reserved_port_type;
1042typeattribute kerberos_admin_port_t reserved_port_type;
1043typeattribute kerberos_admin_port_t reserved_port_type;
1044typeattribute kerberos_admin_port_t reserved_port_type;
1045typeattribute kerberos_port_t reserved_port_type;
1046typeattribute kerberos_port_t reserved_port_type;
1047typeattribute kerberos_port_t reserved_port_type;
1048typeattribute kerberos_port_t reserved_port_type;
1049typeattribute ktalkd_port_t reserved_port_type;
1050typeattribute ktalkd_port_t reserved_port_type;
1051typeattribute ldap_port_t reserved_port_type;
1052typeattribute ldap_port_t reserved_port_type;
1053typeattribute ldap_port_t reserved_port_type;
1054typeattribute ldap_port_t reserved_port_type;
1055typeattribute nmbd_port_t reserved_port_type;
1056typeattribute nmbd_port_t reserved_port_type;
1057typeattribute nmbd_port_t reserved_port_type;
1058typeattribute ntp_port_t reserved_port_type;
1059typeattribute pop_port_t reserved_port_type;
1060typeattribute pop_port_t reserved_port_type;
1061typeattribute pop_port_t reserved_port_type;
1062typeattribute pop_port_t reserved_port_type;
1063typeattribute pop_port_t reserved_port_type;
1064typeattribute pop_port_t reserved_port_type;
1065typeattribute pop_port_t reserved_port_type;
1066typeattribute portmap_port_t reserved_port_type;
1067typeattribute portmap_port_t reserved_port_type;
1068typeattribute printer_port_t reserved_port_type;
1069typeattribute rlogind_port_t reserved_port_type;
1070typeattribute rndc_port_t reserved_port_type;
1071typeattribute router_port_t reserved_port_type;
1072typeattribute rsh_port_t reserved_port_type;
1073typeattribute rsync_port_t reserved_port_type;
1074typeattribute rsync_port_t reserved_port_type;
1075typeattribute smbd_port_t reserved_port_type;
1076typeattribute smbd_port_t reserved_port_type;
1077typeattribute smtp_port_t reserved_port_type;
1078typeattribute smtp_port_t reserved_port_type;
1079typeattribute smtp_port_t reserved_port_type;
1080typeattribute snmp_port_t reserved_port_type;
1081typeattribute snmp_port_t reserved_port_type;
1082typeattribute snmp_port_t reserved_port_type;
1083typeattribute spamd_port_t reserved_port_type;
1084typeattribute ssh_port_t reserved_port_type;
1085typeattribute swat_port_t reserved_port_type;
1086typeattribute syslogd_port_t reserved_port_type;
1087typeattribute telnetd_port_t reserved_port_type;
1088typeattribute tftp_port_t reserved_port_type;
1089typeattribute uucpd_port_t reserved_port_type;
# Rules for device_t. "filesystem associate" lets an object labeled with the
# source type be stored on a filesystem labeled with the target type; here that
# is tmpfs_t, fs_t, tmp_t and every type in the noxattrfs attribute.
# device_t also joins the file_type and mountpoint attributes.
# Several statements appear twice (presumably macro-expanded output); a
# repeated allow or typeattribute adds nothing to the compiled policy.
1090	allow device_t tmpfs_t:filesystem associate;
1091	allow device_t fs_t:filesystem associate;
1092	allow device_t noxattrfs:filesystem associate;
1093	typeattribute device_t file_type;
1094	allow device_t fs_t:filesystem associate;
1095	allow device_t noxattrfs:filesystem associate;
1096	typeattribute device_t file_type;
1097	typeattribute device_t mountpoint;
1098	allow device_t tmp_t:filesystem associate;
# Device node types, first group. Each type is added to the device_node
# attribute and may be associated with fs_t, tmpfs_t and tmp_t filesystems.
# Membership in device_node is security-relevant: rules written against the
# attribute (for example "allow kernel_t device_node:{ chr_file blk_file } *"
# elsewhere in this file) apply to every type listed here.
1099	typeattribute agp_device_t device_node;
1100	allow agp_device_t fs_t:filesystem associate;
1101	allow agp_device_t tmpfs_t:filesystem associate;
1102	allow agp_device_t tmp_t:filesystem associate;
1103	typeattribute apm_bios_t device_node;
1104	allow apm_bios_t fs_t:filesystem associate;
1105	allow apm_bios_t tmpfs_t:filesystem associate;
1106	allow apm_bios_t tmp_t:filesystem associate;
# cardmgr_dev_t is a device_node and, in addition, a file_type, polymember
# and tmpfile; the fs_t/noxattrfs rules are repeated below.
1107	typeattribute cardmgr_dev_t device_node;
1108	allow cardmgr_dev_t fs_t:filesystem associate;
1109	allow cardmgr_dev_t tmpfs_t:filesystem associate;
1110	allow cardmgr_dev_t tmp_t:filesystem associate;
1111	allow cardmgr_dev_t fs_t:filesystem associate;
1112	allow cardmgr_dev_t noxattrfs:filesystem associate;
1113	typeattribute cardmgr_dev_t file_type;
1114	allow cardmgr_dev_t fs_t:filesystem associate;
1115	allow cardmgr_dev_t noxattrfs:filesystem associate;
1116	typeattribute cardmgr_dev_t file_type;
1117	typeattribute cardmgr_dev_t polymember;
1118	allow cardmgr_dev_t tmpfs_t:filesystem associate;
1119	typeattribute cardmgr_dev_t tmpfile;
1120	allow cardmgr_dev_t tmp_t:filesystem associate;
1121	typeattribute clock_device_t device_node;
1122	allow clock_device_t fs_t:filesystem associate;
1123	allow clock_device_t tmpfs_t:filesystem associate;
1124	allow clock_device_t tmp_t:filesystem associate;
1125	typeattribute cpu_device_t device_node;
1126	allow cpu_device_t fs_t:filesystem associate;
1127	allow cpu_device_t tmpfs_t:filesystem associate;
1128	allow cpu_device_t tmp_t:filesystem associate;
1129	typeattribute crypt_device_t device_node;
1130	allow crypt_device_t fs_t:filesystem associate;
1131	allow crypt_device_t tmpfs_t:filesystem associate;
1132	allow crypt_device_t tmp_t:filesystem associate;
1133	typeattribute dri_device_t device_node;
1134	allow dri_device_t fs_t:filesystem associate;
1135	allow dri_device_t tmpfs_t:filesystem associate;
1136	allow dri_device_t tmp_t:filesystem associate;
1137	typeattribute event_device_t device_node;
1138	allow event_device_t fs_t:filesystem associate;
1139	allow event_device_t tmpfs_t:filesystem associate;
1140	allow event_device_t tmp_t:filesystem associate;
1141	typeattribute framebuf_device_t device_node;
1142	allow framebuf_device_t fs_t:filesystem associate;
1143	allow framebuf_device_t tmpfs_t:filesystem associate;
1144	allow framebuf_device_t tmp_t:filesystem associate;
1145	typeattribute lvm_control_t device_node;
1146	allow lvm_control_t fs_t:filesystem associate;
1147	allow lvm_control_t tmpfs_t:filesystem associate;
1148	allow lvm_control_t tmp_t:filesystem associate;
# memory_device_t is the type the two neverallow rules that follow protect.
1149	typeattribute memory_device_t device_node;
1150	allow memory_device_t fs_t:filesystem associate;
1151	allow memory_device_t tmpfs_t:filesystem associate;
1152	allow memory_device_t tmp_t:filesystem associate;
# Build-time assertions on raw memory access. neverallow is checked by the
# policy compiler, not enforced at run time: the build fails if any allow rule
# contradicts it. "~attr" means every type NOT carrying that attribute.
#  - only memory_raw_read types may be allowed read on memory_device_t
#    character/block nodes;
#  - only memory_raw_write types may be allowed append or write on them.
# When auditing this policy, list every "typeattribute ... memory_raw_read" /
# "memory_raw_write" statement: each one exempts a domain from these checks.
1153neverallow ~memory_raw_read memory_device_t:{ chr_file blk_file } read;
1154neverallow ~memory_raw_write memory_device_t:{ chr_file blk_file } { append write };
# Device node types, second group. Same pattern as the first group: each type
# joins device_node and may be associated with fs_t, tmpfs_t and tmp_t.
# Exceptions are called out inline.
1155	typeattribute misc_device_t device_node;
1156	allow misc_device_t fs_t:filesystem associate;
1157	allow misc_device_t tmpfs_t:filesystem associate;
1158	allow misc_device_t tmp_t:filesystem associate;
1159	typeattribute mouse_device_t device_node;
1160	allow mouse_device_t fs_t:filesystem associate;
1161	allow mouse_device_t tmpfs_t:filesystem associate;
1162	allow mouse_device_t tmp_t:filesystem associate;
1163	typeattribute mtrr_device_t device_node;
1164	allow mtrr_device_t fs_t:filesystem associate;
1165	allow mtrr_device_t tmpfs_t:filesystem associate;
1166	allow mtrr_device_t tmp_t:filesystem associate;
1167	typeattribute null_device_t device_node;
1168	allow null_device_t fs_t:filesystem associate;
1169	allow null_device_t tmpfs_t:filesystem associate;
1170	allow null_device_t tmp_t:filesystem associate;
# NOTE(review): mlstrustedobject is presumably consumed by the MLS
# constraints, which are not in this part of the file; confirm what it exempts.
1171	typeattribute null_device_t mlstrustedobject;
1172	typeattribute power_device_t device_node;
1173	allow power_device_t fs_t:filesystem associate;
1174	allow power_device_t tmpfs_t:filesystem associate;
1175	allow power_device_t tmp_t:filesystem associate;
1176	typeattribute printer_device_t device_node;
1177	allow printer_device_t fs_t:filesystem associate;
1178	allow printer_device_t tmpfs_t:filesystem associate;
1179	allow printer_device_t tmp_t:filesystem associate;
1180	typeattribute random_device_t device_node;
1181	allow random_device_t fs_t:filesystem associate;
1182	allow random_device_t tmpfs_t:filesystem associate;
1183	allow random_device_t tmp_t:filesystem associate;
1184	typeattribute scanner_device_t device_node;
1185	allow scanner_device_t fs_t:filesystem associate;
1186	allow scanner_device_t tmpfs_t:filesystem associate;
1187	allow scanner_device_t tmp_t:filesystem associate;
1188	typeattribute sound_device_t device_node;
1189	allow sound_device_t fs_t:filesystem associate;
1190	allow sound_device_t tmpfs_t:filesystem associate;
1191	allow sound_device_t tmp_t:filesystem associate;
# sysfs_t is not a device_node: it is a file_type, a mountpoint and a
# filesystem_type that may be associated with itself.
1192	allow sysfs_t fs_t:filesystem associate;
1193	allow sysfs_t noxattrfs:filesystem associate;
1194	typeattribute sysfs_t file_type;
1195	typeattribute sysfs_t mountpoint;
1196	typeattribute sysfs_t filesystem_type;
1197	allow sysfs_t self:filesystem associate;
1198	typeattribute urandom_device_t device_node;
1199	allow urandom_device_t fs_t:filesystem associate;
1200	allow urandom_device_t tmpfs_t:filesystem associate;
1201	allow urandom_device_t tmp_t:filesystem associate;
# usbfs_t follows the sysfs_t pattern and is also a member of noxattrfs, so
# every "allow X noxattrfs:filesystem associate" rule targets it as well.
1202	allow usbfs_t fs_t:filesystem associate;
1203	allow usbfs_t noxattrfs:filesystem associate;
1204	typeattribute usbfs_t file_type;
1205	typeattribute usbfs_t mountpoint;
1206	typeattribute usbfs_t filesystem_type;
1207	allow usbfs_t self:filesystem associate;
1208	typeattribute usbfs_t noxattrfs;
1209	typeattribute usb_device_t device_node;
1210	allow usb_device_t fs_t:filesystem associate;
1211	allow usb_device_t tmpfs_t:filesystem associate;
1212	allow usb_device_t tmp_t:filesystem associate;
1213	typeattribute v4l_device_t device_node;
1214	allow v4l_device_t fs_t:filesystem associate;
1215	allow v4l_device_t tmpfs_t:filesystem associate;
1216	allow v4l_device_t tmp_t:filesystem associate;
1217	typeattribute xserver_misc_device_t device_node;
1218	allow xserver_misc_device_t fs_t:filesystem associate;
1219	allow xserver_misc_device_t tmpfs_t:filesystem associate;
1220	allow xserver_misc_device_t tmp_t:filesystem associate;
1221	typeattribute zero_device_t device_node;
1222	allow zero_device_t fs_t:filesystem associate;
1223	allow zero_device_t tmpfs_t:filesystem associate;
1224	allow zero_device_t tmp_t:filesystem associate;
1225	typeattribute zero_device_t mlstrustedobject;
# xconsole_device_t is declared as a file_type, not as a device_node, so
# device_node-wide rules do not reach it.
1226	allow xconsole_device_t fs_t:filesystem associate;
1227	allow xconsole_device_t noxattrfs:filesystem associate;
1228	typeattribute xconsole_device_t file_type;
1229	allow xconsole_device_t tmpfs_t:filesystem associate;
1230	allow xconsole_device_t tmp_t:filesystem associate;
1231	typeattribute devfs_control_t device_node;
1232	allow devfs_control_t fs_t:filesystem associate;
1233	allow devfs_control_t tmpfs_t:filesystem associate;
1234	allow devfs_control_t tmp_t:filesystem associate;
# Build-time assertions that keep the "process" class tied to the domain
# attribute (neverallow fails the policy build; it is not a run-time check).
# A domain may transition or dyntransition only into a type that is itself a
# domain.
1235neverallow domain ~domain:process { transition dyntransition };
# Only domains carrying set_curr_context may be allowed setcurrent on
# themselves ("-" removes that attribute's types from the set).
1236neverallow { domain -set_curr_context } self:process setcurrent;
# No process permission may target a type that is neither a domain nor
# unlabeled_t ...
1237neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
# ... and a type that is neither a domain nor unlabeled_t may never be the
# source of a process permission.
1238neverallow ~{ domain unlabeled_t } *:process *;
# File types, first group. Every file_type may be associated with a filesystem
# carrying its own label; the per-type rules then allow association with fs_t
# and with every noxattrfs filesystem type. Repeated statements add nothing.
1239allow file_type self:filesystem associate;
1240	allow boot_t fs_t:filesystem associate;
1241	allow boot_t noxattrfs:filesystem associate;
1242	typeattribute boot_t file_type;
1243	allow boot_t fs_t:filesystem associate;
1244	allow boot_t noxattrfs:filesystem associate;
1245	typeattribute boot_t file_type;
1246	typeattribute boot_t mountpoint;
1247	allow default_t fs_t:filesystem associate;
1248	allow default_t noxattrfs:filesystem associate;
1249	allow etc_t fs_t:filesystem associate;
1250	allow etc_t noxattrfs:filesystem associate;
1251	allow etc_runtime_t fs_t:filesystem associate;
1252	allow etc_runtime_t noxattrfs:filesystem associate;
1253	allow file_t fs_t:filesystem associate;
1254	allow file_t noxattrfs:filesystem associate;
# kernel_t may mount on directories labeled file_t.
1255	allow kernel_t file_t:dir mounton;
1256	allow home_root_t fs_t:filesystem associate;
1257	allow home_root_t noxattrfs:filesystem associate;
1258	allow home_root_t fs_t:filesystem associate;
1259	allow home_root_t noxattrfs:filesystem associate;
1260	typeattribute home_root_t file_type;
1261	typeattribute home_root_t polyparent;
1262	allow lost_found_t fs_t:filesystem associate;
1263	allow lost_found_t noxattrfs:filesystem associate;
1264	allow mnt_t fs_t:filesystem associate;
1265	allow mnt_t noxattrfs:filesystem associate;
1266	allow modules_object_t fs_t:filesystem associate;
1267	allow modules_object_t noxattrfs:filesystem associate;
1268	typeattribute modules_object_t file_type;
1269	allow no_access_t fs_t:filesystem associate;
1270	allow no_access_t noxattrfs:filesystem associate;
1271	allow poly_t fs_t:filesystem associate;
1272	allow poly_t noxattrfs:filesystem associate;
1273	allow readable_t fs_t:filesystem associate;
1274	allow readable_t noxattrfs:filesystem associate;
1275	allow root_t fs_t:filesystem associate;
1276	allow root_t noxattrfs:filesystem associate;
1277	allow root_t fs_t:filesystem associate;
1278	allow root_t noxattrfs:filesystem associate;
1279	typeattribute root_t file_type;
1280	typeattribute root_t polyparent;
# kernel_t may mount on directories labeled root_t.
1281	allow kernel_t root_t:dir mounton;
# File types, second group: association with fs_t and noxattrfs filesystems,
# plus attribute membership where stated.
1282	allow src_t fs_t:filesystem associate;
1283	allow src_t noxattrfs:filesystem associate;
1284	allow system_map_t fs_t:filesystem associate;
1285	allow system_map_t noxattrfs:filesystem associate;
1286	typeattribute system_map_t file_type;
# tmp_t is a file_type, polymember, tmpfile and polyparent, and may also be
# associated with tmpfs_t and with a filesystem labeled tmp_t itself.
1287	allow tmp_t fs_t:filesystem associate;
1288	allow tmp_t noxattrfs:filesystem associate;
1289	typeattribute tmp_t file_type;
1290	allow tmp_t fs_t:filesystem associate;
1291	allow tmp_t noxattrfs:filesystem associate;
1292	typeattribute tmp_t file_type;
1293	typeattribute tmp_t polymember;
1294	allow tmp_t tmpfs_t:filesystem associate;
1295	typeattribute tmp_t tmpfile;
1296	allow tmp_t tmp_t:filesystem associate;
1297	allow tmp_t fs_t:filesystem associate;
1298	allow tmp_t noxattrfs:filesystem associate;
1299	typeattribute tmp_t file_type;
1300	typeattribute tmp_t polyparent;
1301	allow usr_t fs_t:filesystem associate;
1302	allow usr_t noxattrfs:filesystem associate;
1303	allow var_t fs_t:filesystem associate;
1304	allow var_t noxattrfs:filesystem associate;
1305	allow var_lib_t fs_t:filesystem associate;
1306	allow var_lib_t noxattrfs:filesystem associate;
1307	allow var_lock_t fs_t:filesystem associate;
1308	allow var_lock_t noxattrfs:filesystem associate;
1309	allow var_run_t fs_t:filesystem associate;
1310	allow var_run_t noxattrfs:filesystem associate;
# var_spool_t gets the same file_type/polymember/tmpfile treatment as tmp_t
# (without polyparent).
1311	allow var_spool_t fs_t:filesystem associate;
1312	allow var_spool_t noxattrfs:filesystem associate;
1313	typeattribute var_spool_t file_type;
1314	allow var_spool_t fs_t:filesystem associate;
1315	allow var_spool_t noxattrfs:filesystem associate;
1316	typeattribute var_spool_t file_type;
1317	typeattribute var_spool_t polymember;
1318	allow var_spool_t tmpfs_t:filesystem associate;
1319	typeattribute var_spool_t tmpfile;
1320	allow var_spool_t tmp_t:filesystem associate;
# Filesystem types. Each type joins the filesystem_type attribute and may be
# associated with itself. Types that also act as labels for files on that
# filesystem additionally get file_type (and usually mountpoint) plus the
# fs_t/noxattrfs association rules.
# filesystem_type membership is security-relevant: rules elsewhere in this
# file grant kernel_t "mount" and then "*" on filesystem_type:filesystem.
1321	typeattribute fs_t filesystem_type;
1322	allow fs_t self:filesystem associate;
1323	typeattribute bdev_t filesystem_type;
1324	allow bdev_t self:filesystem associate;
1325	typeattribute binfmt_misc_fs_t filesystem_type;
1326	allow binfmt_misc_fs_t self:filesystem associate;
1327	allow binfmt_misc_fs_t fs_t:filesystem associate;
1328	allow binfmt_misc_fs_t noxattrfs:filesystem associate;
1329	typeattribute binfmt_misc_fs_t file_type;
1330	typeattribute binfmt_misc_fs_t mountpoint;
1331	typeattribute capifs_t filesystem_type;
1332	allow capifs_t self:filesystem associate;
1333	typeattribute configfs_t filesystem_type;
1334	allow configfs_t self:filesystem associate;
1335	typeattribute eventpollfs_t filesystem_type;
1336	allow eventpollfs_t self:filesystem associate;
1337	typeattribute futexfs_t filesystem_type;
1338	allow futexfs_t self:filesystem associate;
1339	typeattribute hugetlbfs_t filesystem_type;
1340	allow hugetlbfs_t self:filesystem associate;
1341	allow hugetlbfs_t fs_t:filesystem associate;
1342	allow hugetlbfs_t noxattrfs:filesystem associate;
1343	typeattribute hugetlbfs_t file_type;
1344	typeattribute hugetlbfs_t mountpoint;
1345	typeattribute inotifyfs_t filesystem_type;
1346	allow inotifyfs_t self:filesystem associate;
1347	typeattribute nfsd_fs_t filesystem_type;
1348	allow nfsd_fs_t self:filesystem associate;
1349	typeattribute ramfs_t filesystem_type;
1350	allow ramfs_t self:filesystem associate;
1351	typeattribute romfs_t filesystem_type;
1352	allow romfs_t self:filesystem associate;
1353	typeattribute rpc_pipefs_t filesystem_type;
1354	allow rpc_pipefs_t self:filesystem associate;
1355	typeattribute tmpfs_t filesystem_type;
1356	allow tmpfs_t self:filesystem associate;
1357	allow tmpfs_t fs_t:filesystem associate;
1358	allow tmpfs_t noxattrfs:filesystem associate;
1359	typeattribute tmpfs_t file_type;
1360	allow tmpfs_t fs_t:filesystem associate;
1361	allow tmpfs_t noxattrfs:filesystem associate;
1362	typeattribute tmpfs_t file_type;
1363	typeattribute tmpfs_t mountpoint;
# Third occurrence of the same tmpfs_t/noxattrfs rule; redundant.
1364allow tmpfs_t noxattrfs:filesystem associate;
1365	typeattribute autofs_t filesystem_type;
1366	allow autofs_t self:filesystem associate;
1367	allow autofs_t fs_t:filesystem associate;
1368	allow autofs_t noxattrfs:filesystem associate;
1369	typeattribute autofs_t file_type;
1370	typeattribute autofs_t mountpoint;
1371	typeattribute cifs_t filesystem_type;
1372	allow cifs_t self:filesystem associate;
1373	typeattribute dosfs_t filesystem_type;
1374	allow dosfs_t self:filesystem associate;
# dosfs_t may also be associated with fs_t, but has no file_type rule here.
1375allow dosfs_t fs_t:filesystem associate;
1376	typeattribute iso9660_t filesystem_type;
1377	allow iso9660_t self:filesystem associate;
# removable_t: the noxattrfs rule is stated here and again three lines below;
# the type is also tagged usercanread.
1378allow removable_t noxattrfs:filesystem associate;
1379	typeattribute removable_t filesystem_type;
1380	allow removable_t self:filesystem associate;
1381	allow removable_t fs_t:filesystem associate;
1382	allow removable_t noxattrfs:filesystem associate;
1383	typeattribute removable_t file_type;
1384	typeattribute removable_t usercanread;
1385	typeattribute nfs_t filesystem_type;
1386	allow nfs_t self:filesystem associate;
1387	allow nfs_t fs_t:filesystem associate;
1388	allow nfs_t noxattrfs:filesystem associate;
1389	typeattribute nfs_t file_type;
1390	typeattribute nfs_t mountpoint;
# Build-time assertion: a type may be allowed the sys_module capability on
# itself only if it carries the can_load_kernmodule attribute. To find every
# domain that can load kernel modules under this policy, list the
# "typeattribute ... can_load_kernmodule" statements.
1391neverallow ~can_load_kernmodule self:capability sys_module;
# Role declarations. The types each role is authorized for are attached
# separately with "role <name> types <type>;" statements.
1392role system_r;
1393role sysadm_r;
1394role staff_r;
1395role user_r;
# kernel_t as a domain: it joins the domain attribute, gets read-style access
# to dir/lnk_file/file objects carrying its own label, and may fork and
# receive sigchld within itself.
1396	typeattribute kernel_t domain;
1397	allow kernel_t self:dir { read getattr lock search ioctl };
1398	allow kernel_t self:lnk_file { read getattr lock ioctl };
1399	allow kernel_t self:file { getattr read write append ioctl lock };
1400	allow kernel_t self:process { fork sigchld };
# kernel_t is authorized in secadm_r, sysadm_r, user_r, staff_r and (below)
# system_r. With every role listed, the role field of a context does not
# restrict which sessions could hold kernel_t; that is left to the transition
# rules and constraints.
# NOTE(review): confirm the user-facing roles are meant to include kernel_t.
1401		role secadm_r types kernel_t;
1402		role sysadm_r types kernel_t;
1403		role user_r types kernel_t;
1404		role staff_r types kernel_t;
# NOTE(review): privrangetrans is presumably referenced by MLS constraints
# outside this part of the file; confirm what it exempts.
1405	typeattribute kernel_t privrangetrans;
1406role system_r types kernel_t;
# Kernel pseudo-filesystem types (debugfs_t, proc_t, sysctl_t, sysctl_fs_t)
# and two assertions protecting kernel message and kernel core files.
1407	typeattribute debugfs_t filesystem_type;
1408	allow debugfs_t self:filesystem associate;
# Same rule as the line above; redundant.
1409allow debugfs_t self:filesystem associate;
1410	allow proc_t fs_t:filesystem associate;
1411	allow proc_t noxattrfs:filesystem associate;
1412	typeattribute proc_t file_type;
1413	typeattribute proc_t mountpoint;
1414	typeattribute proc_t filesystem_type;
1415	allow proc_t self:filesystem associate;
# Build-time assertions ("~getattr" is every file permission except getattr):
#  - only can_receive_kernel_messages types may be allowed anything beyond
#    getattr on proc_kmsg_t files;
#  - only kern_unconfined domains may be allowed anything beyond getattr on
#    proc_kcore_t files.
# Both attributes are therefore the list of domains to audit for access to
# kernel log and kernel memory images.
1416neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
1417neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr;
1418	allow sysctl_t fs_t:filesystem associate;
1419	allow sysctl_t noxattrfs:filesystem associate;
1420	typeattribute sysctl_t file_type;
1421	typeattribute sysctl_t mountpoint;
1422	allow sysctl_fs_t fs_t:filesystem associate;
1423	allow sysctl_fs_t noxattrfs:filesystem associate;
1424	typeattribute sysctl_fs_t file_type;
1425	typeattribute sysctl_fs_t mountpoint;
# Base permissions of kernel_t on itself and on /proc-, sysctl- and
# unlabeled-typed objects.
# "*" grants every permission of the capability class, i.e. all capabilities.
1426allow kernel_t self:capability *;
1427allow kernel_t unlabeled_t:dir mounton;
# Every process permission on itself EXCEPT the listed ones ("~" complements
# the set). execmem/execstack/execheap are granted only under booleans
# elsewhere in this file; setcurrent is additionally guarded by a neverallow.
1428allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
# System V IPC and local sockets within kernel_t.
1429allow kernel_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
1430allow kernel_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
1431allow kernel_t self:msg { send receive };
1432allow kernel_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
1433allow kernel_t self:unix_dgram_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
1434allow kernel_t self:unix_stream_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } listen accept };
1435allow kernel_t self:unix_dgram_socket sendto;
1436allow kernel_t self:unix_stream_socket connectto;
1437allow kernel_t self:fifo_file { getattr read write append ioctl lock };
1438allow kernel_t self:sock_file { read getattr lock ioctl };
1439allow kernel_t self:fd use;
# Read-only access to proc_t, proc_net_t and proc_mdstat_t objects.
1440allow kernel_t proc_t:dir { read getattr lock search ioctl };
1441allow kernel_t proc_t:{ lnk_file file } { read getattr lock ioctl };
1442allow kernel_t proc_net_t:dir { read getattr lock search ioctl };
1443allow kernel_t proc_net_t:file { read getattr lock ioctl };
1444allow kernel_t proc_mdstat_t:file { read getattr lock ioctl };
# Only getattr here, which is what the proc_kcore_t/proc_kmsg_t neverallow
# rules permit for any type. kernel_t is later given kern_unconfined and
# can_receive_kernel_messages, which lift those assertions for it.
1445allow kernel_t proc_kcore_t:file getattr;
1446allow kernel_t proc_kmsg_t:file getattr;
1447allow kernel_t sysctl_t:dir { read getattr lock search ioctl };
1448allow kernel_t sysctl_kernel_t:dir { read getattr lock search ioctl };
1449allow kernel_t sysctl_kernel_t:file { read getattr lock ioctl };
1450allow kernel_t unlabeled_t:fifo_file { getattr read write append ioctl lock };
# kernel_t: network, sysfs, mounting, policy loading, console and program
# execution.
# Labeled-network association and raw/TCP traffic on every netif_type and
# node_type.
1451	allow kernel_t unlabeled_t:association { sendto recvfrom };
1452	allow kernel_t netif_type:netif rawip_send;
1453	allow kernel_t netif_type:netif rawip_recv;
1454	allow kernel_t node_type:node rawip_send;
1455	allow kernel_t node_type:node rawip_recv;
1456	allow kernel_t netif_t:netif rawip_send;
1457	allow kernel_t netif_type:netif { tcp_send tcp_recv };
1458	allow kernel_t node_type:node { tcp_send tcp_recv };
1459	allow kernel_t node_t:node rawip_send;
1460	allow kernel_t multicast_node_t:node rawip_send;
1461	allow kernel_t sysfs_t:dir { read getattr lock search ioctl };
1462	allow kernel_t sysfs_t:{ file lnk_file } { read getattr lock ioctl };
1463	allow kernel_t usbfs_t:dir search;
# kernel_t may mount any filesystem whose type is in filesystem_type.
1464	allow kernel_t filesystem_type:filesystem mount;
# Access to security_t objects and policy loading.
1465	allow kernel_t security_t:dir { read search getattr };
1466	allow kernel_t security_t:file { getattr read write };
# can_load_policy is assigned unconditionally; it is what the neverallow on
# security_t:security load_policy checks. The allow itself is conditional.
1467	typeattribute kernel_t can_load_policy;
# load_policy is granted only while the secure_mode_policyload boolean is
# false; auditallow makes every granted use produce an audit record.
# Detection: alert on load_policy audit events from unexpected processes.
1468	if(!secure_mode_policyload) {
1469		allow kernel_t security_t:security load_policy;
1470		auditallow kernel_t security_t:security load_policy;
1471	}
1472	allow kernel_t device_t:dir { read getattr lock search ioctl };
1473	allow kernel_t device_t:lnk_file { getattr read };
1474	allow kernel_t console_device_t:chr_file { getattr read write append ioctl lock };
# execute_no_trans: kernel_t may run shell_exec_t and bin_t files WITHOUT a
# domain transition, so the program keeps running as kernel_t with all of the
# privileges granted in this file. Helpers that should be confined need their
# own transition rules.
1475	allow kernel_t bin_t:dir { read getattr lock search ioctl };
1476	allow kernel_t bin_t:lnk_file { read getattr lock ioctl };
1477	allow kernel_t shell_exec_t:file { { read getattr lock execute ioctl } execute_no_trans };
1478	allow kernel_t sbin_t:dir { read getattr lock search ioctl };
1479	allow kernel_t bin_t:dir { read getattr lock search ioctl };
1480	allow kernel_t bin_t:lnk_file { read getattr lock ioctl };
1481	allow kernel_t bin_t:file { { read getattr lock execute ioctl } execute_no_trans };
# kernel_t may send "signal" to every domain and search every domain's
# directory objects.
1482	allow kernel_t domain:process signal;
1483	allow kernel_t proc_t:dir search;
1484	allow kernel_t domain:dir search;
1485	allow kernel_t root_t:dir { read getattr lock search ioctl };
1486	allow kernel_t root_t:lnk_file { read getattr lock ioctl };
1487	allow kernel_t etc_t:dir { read getattr lock search ioctl };
1488	allow kernel_t home_root_t:dir { read getattr lock search ioctl };
1489	allow kernel_t usr_t:dir { read getattr lock search ioctl };
1490	allow kernel_t usr_t:{ file lnk_file } { read getattr lock ioctl };
# NOTE(review): mlsprocread/mlsprocwrite are presumably consumed by MLS
# constraints outside this part of the file; confirm what they exempt.
1491	typeattribute kernel_t mlsprocread;
1492	typeattribute kernel_t mlsprocwrite;
# kernel_t, broad grants. The run ends by tagging kernel_t as
# unconfined_domain_type, so this looks like the expansion of an
# "unconfined domain" template (not confirmed from this part of the file).
# Many rules here supersede the narrower kernel_t rules earlier in the file;
# review kernel_t as effectively unrestricted by type enforcement.
1493	allow kernel_t self:capability *;
1494	allow kernel_t self:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
1495	allow kernel_t self:process transition;
1496	allow kernel_t self:file { getattr read write append ioctl lock };
# All permissions of the nscd, dbus and passwd classes on itself.
1497	allow kernel_t self:nscd *;
1498	allow kernel_t self:dbus *;
1499	allow kernel_t self:passwd *;
# All permissions on every proc_type and sysctl_t dir/file, on the system
# class, and on anything labeled unlabeled_t.
1500	allow kernel_t proc_type:{ dir file } *;
1501	allow kernel_t sysctl_t:{ dir file } *;
1502	allow kernel_t kernel_t:system *;
1503	allow kernel_t unlabeled_t:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
1504	allow kernel_t unlabeled_t:filesystem *;
1505	allow kernel_t unlabeled_t:association *;
# These attributes exempt kernel_t from the sys_module, proc_kmsg_t and
# proc_kcore_t neverallow assertions.
1506	typeattribute kernel_t can_load_kernmodule, can_receive_kernel_messages;
1507	typeattribute kernel_t kern_unconfined;
1508	allow kernel_t { proc_t proc_net_t }:dir search;
1509	allow kernel_t sysctl_type:dir { read getattr lock search ioctl };
1510	allow kernel_t sysctl_type:file { { getattr read write append ioctl lock } setattr };
# Network: everything on every node and interface, send/receive/connect on
# every port type, and name_bind on every port type (reserved ports included,
# since the attribute used is port_type).
1511	allow kernel_t node_type:node *;
1512	allow kernel_t netif_type:netif *;
1513	allow kernel_t port_type:tcp_socket { send_msg recv_msg name_connect };
1514	allow kernel_t port_type:udp_socket { send_msg recv_msg };
1515	allow kernel_t port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
1516	allow kernel_t node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
1517	allow kernel_t unlabeled_t:association { sendto recvfrom };
# All permissions on every device_node character/block file. That includes
# memory_device_t, which is why kernel_t is added to memory_raw_write and
# memory_raw_read two lines below (otherwise the raw-memory neverallow rules
# would fail the build).
1518	allow kernel_t device_node:{ chr_file blk_file } *;
1519	allow kernel_t mtrr_device_t:{ dir file } *;
1520	allow kernel_t self:capability sys_rawio;
1521	typeattribute kernel_t memory_raw_write, memory_raw_read;
1522	typeattribute kernel_t unconfined_domain_type;
# These three attributes are the exemptions named in the "constrain"
# statements of this file (user/role change on transition, user change on
# object create/relabel); set_curr_context lifts the setcurrent neverallow.
1523	typeattribute kernel_t can_change_process_identity;
1524	typeattribute kernel_t can_change_process_role;
1525	typeattribute kernel_t can_change_object_identity;
1526	typeattribute kernel_t set_curr_context;
# kernel_t, broad grants over other domains, all file and filesystem types,
# the security class, and the memory-execution booleans.
# All permissions on every socket class owned by any domain.
1527	allow kernel_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } socket key_socket } *;
1528	allow kernel_t domain:fd use;
1529	allow kernel_t domain:fifo_file { getattr read write append ioctl lock };
# Every process permission toward every domain except the five listed; the
# complement therefore includes ptrace and the signal permissions.
1530	allow kernel_t domain:process ~{ transition dyntransition execmem execstack execheap };
1531	allow kernel_t domain:{ sem msgq shm } *;
1532	allow kernel_t domain:msg { send receive };
1533	allow kernel_t domain:dir { read getattr lock search ioctl };
1534	allow kernel_t domain:file { read getattr lock ioctl };
1535	allow kernel_t domain:lnk_file { read getattr lock ioctl };
# dontaudit only silences denials. For dir, lnk_file, file and fifo_file the
# same permissions are allowed just above, so those four lines have no effect
# here.
# NOTE(review): the sock_file line may hide real denials; no matching allow
# is visible in this part of the file.
1536	dontaudit kernel_t domain:dir { read getattr lock search ioctl };
1537	dontaudit kernel_t domain:lnk_file { read getattr lock ioctl };
1538	dontaudit kernel_t domain:file { read getattr lock ioctl };
1539	dontaudit kernel_t domain:sock_file { read getattr lock ioctl };
1540	dontaudit kernel_t domain:fifo_file { read getattr lock ioctl };
# Everything on every file_type object; execmod on files is the one
# permission held back, and it is granted when allow_execmod is true.
1541	allow kernel_t file_type:{ file chr_file } ~execmod;
1542	allow kernel_t file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
1543	allow kernel_t file_type:filesystem *;
1544	allow kernel_t file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
1545		if (allow_execmod) {
1546			allow kernel_t file_type:file execmod;
1547		}
1548	allow kernel_t filesystem_type:filesystem *;
1549	allow kernel_t filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
1550	allow kernel_t security_t:dir { getattr search read };
1551	allow kernel_t security_t:file { getattr read write };
1552	typeattribute kernel_t can_load_policy, can_setenforce, can_setsecparam;
# While secure_mode_policyload is false, kernel_t holds EVERY permission of
# the security class, which widens the earlier load_policy-only grant.
# NOTE(review): auditallow logs only load_policy, setenforce and setbool;
# other permissions covered by "*" (setsecparam is named in a neverallow in
# this file) are granted without an audit record. Consider extending the
# auditallow set if those operations should be traceable.
1553	if(!secure_mode_policyload) {
1554		allow kernel_t security_t:security *;
1555		auditallow kernel_t security_t:security { load_policy setenforce setbool };
1556	}
# Memory-execution permissions are boolean-gated: execheap and execmem each
# need their own boolean, execstack needs both allow_execmem and
# allow_execstack. The else branch is empty. Each permission is paired with an
# auditallow, so every granted use is logged.
1557		if (allow_execheap) {
1558		allow kernel_t self:process execheap;
1559		}
1560		if (allow_execmem) {
1561		allow kernel_t self:process execmem;
1562		}
1563		if (allow_execmem && allow_execstack) {
1564		allow kernel_t self:process execstack;
1565		auditallow kernel_t self:process execstack;
1566		} else {
1567		}
1568		if (allow_execheap) {
1569		auditallow kernel_t self:process execheap;
1570		}
1571		if (allow_execmem) {
1572		auditallow kernel_t self:process execmem;
1573		}
# Read access to default_t objects when read_default_t is true.
1574		if (read_default_t) {
1575	allow kernel_t default_t:dir { read getattr lock search ioctl };
1576	allow kernel_t default_t:file { read getattr lock ioctl };
1577	allow kernel_t default_t:lnk_file { read getattr lock ioctl };
1578	allow kernel_t default_t:sock_file { read getattr lock ioctl };
1579	allow kernel_t default_t:fifo_file { read getattr lock ioctl };
1580		}
1581	allow unlabeled_t self:filesystem associate;
# range_transition <source domain> <executable type> <range>: when the source
# domain executes a file of that type, the new process is given the stated
# MLS/MCS range instead of inheriting the caller's.
# "s0 - s0:c0.c255" is sensitivity s0 with clearance for categories c0 through
# c255, so login, xdm, crond, cupsd, sshd, udev and su are started with the
# full category set.
1582range_transition getty_t login_exec_t s0 - s0:c0.c255;
1583range_transition init_t xdm_exec_t s0 - s0:c0.c255;
1584range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
1585range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
1586range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
1587range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
1588range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
1589range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
1590range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
# The one narrowing rule: initrc_exec_t run from unconfined_t gets plain s0.
1591range_transition unconfined_t initrc_exec_t s0;
# security_t is a filesystem type that may be associated with itself and is
# tagged mlstrustedobject.
1592	typeattribute security_t filesystem_type;
1593	allow security_t self:filesystem associate;
1594	typeattribute security_t mlstrustedobject;
# Build-time assertions on the policy-management permissions: loading a
# policy, switching enforcing mode and setting security parameters may be
# allowed only to types carrying the matching attribute. The members of
# can_load_policy, can_setenforce and can_setsecparam are the complete list of
# domains able to change or disable enforcement; keep that list minimal and
# alert on these operations in the audit log.
1595neverallow ~can_load_policy security_t:security load_policy;
1596neverallow ~can_setenforce security_t:security setenforce;
1597neverallow ~can_setsecparam security_t:security setsecparam;
# Terminal device types. Each joins device_node (so device_node-wide rules
# apply) and may be associated with fs_t, tmpfs_t and tmp_t. devpts_t is
# handled as a filesystem/file type instead.
1598	typeattribute bsdpty_device_t device_node;
1599	allow bsdpty_device_t fs_t:filesystem associate;
1600	allow bsdpty_device_t tmpfs_t:filesystem associate;
1601	allow bsdpty_device_t tmp_t:filesystem associate;
1602	typeattribute console_device_t device_node;
1603	allow console_device_t fs_t:filesystem associate;
1604	allow console_device_t tmpfs_t:filesystem associate;
1605	allow console_device_t tmp_t:filesystem associate;
# devpts_t: file_type, mountpoint and filesystem_type, and a member of both
# ttynode and ptynode.
1606	allow devpts_t fs_t:filesystem associate;
1607	allow devpts_t noxattrfs:filesystem associate;
1608	typeattribute devpts_t file_type;
1609	typeattribute devpts_t mountpoint;
1610	allow devpts_t tmpfs_t:filesystem associate;
1611	allow devpts_t tmp_t:filesystem associate;
1612	typeattribute devpts_t filesystem_type;
1613	allow devpts_t self:filesystem associate;
1614	typeattribute devpts_t ttynode, ptynode;
# devtty_t and ptmx_t are tagged mlstrustedobject.
# NOTE(review): presumably exempts them from MLS constraints defined outside
# this part of the file; confirm.
1615	typeattribute devtty_t device_node;
1616	allow devtty_t fs_t:filesystem associate;
1617	allow devtty_t tmpfs_t:filesystem associate;
1618	allow devtty_t tmp_t:filesystem associate;
1619	typeattribute devtty_t mlstrustedobject;
1620	typeattribute ptmx_t device_node;
1621	allow ptmx_t fs_t:filesystem associate;
1622	allow ptmx_t tmpfs_t:filesystem associate;
1623	allow ptmx_t tmp_t:filesystem associate;
1624	typeattribute ptmx_t mlstrustedobject;
1625	typeattribute tty_device_t device_node;
1626	allow tty_device_t fs_t:filesystem associate;
1627	allow tty_device_t tmpfs_t:filesystem associate;
1628	allow tty_device_t tmp_t:filesystem associate;
1629	typeattribute tty_device_t ttynode;
1630	typeattribute usbtty_device_t device_node;
1631	allow usbtty_device_t fs_t:filesystem associate;
1632	allow usbtty_device_t tmpfs_t:filesystem associate;
1633	allow usbtty_device_t tmp_t:filesystem associate;
# SELinux user definitions: the roles each user identity may enter, its
# default level (s0) and its allowed range (s0 with categories c0 through
# c255).
# system_u is limited to system_r. user_u and root are both authorized for
# user_r, sysadm_r and system_r, so the user identity alone does not separate
# an ordinary login from an administrative or system role.
# NOTE(review): confirm user_u is meant to reach sysadm_r and system_r for the
# policy type being built; a stricter build would give it user_r only.
1634user system_u roles { system_r } level s0 range s0 - s0:c0.c255;
1635user user_u roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255;
1636	user root roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255;
# Constraints restrict a permission even when an allow rule grants it.
# u1/r1/t1 are the user, role and type of the source context, u2/r2/t2 those
# of the target.
# A process transition must keep the SELinux user unless the source type
# carries can_change_process_identity.
1637constrain process transition
1638	( u1 == u2
1639	or t1 == can_change_process_identity
1640);
# A process transition must keep the role unless the source type carries
# can_change_process_role.
1641constrain process transition 
1642	( r1 == r2
1643	or t1 == can_change_process_role
1644);
# dyntransition has no exemption: user and role must both stay the same.
1645constrain process dyntransition
1646	( u1 == u2 and r1 == r2 );
# Creating or relabeling a file-like object must keep the SELinux user unless
# the source type carries can_change_object_identity.
1647constrain { dir file lnk_file sock_file fifo_file chr_file blk_file } { create relabelto relabelfrom } 
1648	( u1 == u2 or t1 == can_change_object_identity );
# The same rule for the socket classes.
# The three can_change_* attributes are the full set of exemptions from these
# identity constraints; audit the typeattribute statements that assign them.
1649constrain { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } { create relabelto relabelfrom } 
1650	( u1 == u2 or t1 == can_change_object_identity );
# Initial SID contexts: the security context bound to each kernel-defined
# initial SID. All are at level s0 under user system_u.
# port, node, netif, devnull, file, fs, sysctl and security map to their own
# object types; kernel is the only one with a process context
# (system_r:kernel_t).
1651sid port system_u:object_r:port_t:s0
1652sid node system_u:object_r:node_t:s0
1653sid netif system_u:object_r:netif_t:s0
1654sid devnull system_u:object_r:null_device_t:s0
1655sid file system_u:object_r:file_t:s0
1656sid fs system_u:object_r:fs_t:s0
1657sid kernel system_u:system_r:kernel_t:s0
1658sid sysctl system_u:object_r:sysctl_t:s0
1659sid unlabeled system_u:object_r:unlabeled_t:s0
# The remaining initial SIDs all map to unlabeled_t.
# NOTE(review): presumably these are unused by the target kernel; if any is in
# use, its objects are governed by the unlabeled_t rules, and kernel_t holds
# "*" on unlabeled_t objects in this file.
1660sid any_socket		system_u:object_r:unlabeled_t:s0
1661sid file_labels		system_u:object_r:unlabeled_t:s0
1662sid icmp_socket		system_u:object_r:unlabeled_t:s0
1663sid igmp_packet		system_u:object_r:unlabeled_t:s0
1664sid init			system_u:object_r:unlabeled_t:s0
1665sid kmod			system_u:object_r:unlabeled_t:s0
1666sid netmsg		system_u:object_r:unlabeled_t:s0
1667sid policy		system_u:object_r:unlabeled_t:s0
1668sid scmp_packet		system_u:object_r:unlabeled_t:s0
1669sid sysctl_modprobe 	system_u:object_r:unlabeled_t:s0
1670sid sysctl_fs		system_u:object_r:unlabeled_t:s0
1671sid sysctl_kernel	system_u:object_r:unlabeled_t:s0
1672sid sysctl_net		system_u:object_r:unlabeled_t:s0
1673sid sysctl_net_unix	system_u:object_r:unlabeled_t:s0
1674sid sysctl_vm		system_u:object_r:unlabeled_t:s0
1675sid sysctl_dev		system_u:object_r:unlabeled_t:s0
1676sid tcp_socket		system_u:object_r:unlabeled_t:s0
1677sid security system_u:object_r:security_t:s0
# Filesystem labelling behaviour, one statement per filesystem type; the
# context given is the label of the filesystem object itself.
# fs_use_xattr: per-file labels are stored in extended attributes.
1678fs_use_xattr ext2 system_u:object_r:fs_t:s0;
1679fs_use_xattr ext3 system_u:object_r:fs_t:s0;
1680fs_use_xattr gfs system_u:object_r:fs_t:s0;
1681fs_use_xattr jfs system_u:object_r:fs_t:s0;
1682fs_use_xattr reiserfs system_u:object_r:fs_t:s0;
1683fs_use_xattr xfs system_u:object_r:fs_t:s0;
# fs_use_task: objects take the context of the task that creates them
# (used here for the pipe and socket pseudo-filesystems).
1684fs_use_task pipefs system_u:object_r:fs_t:s0;
1685fs_use_task sockfs system_u:object_r:fs_t:s0;
# fs_use_trans: object labels are computed from type-transition rules.
1686fs_use_trans mqueue system_u:object_r:tmpfs_t:s0;
1687fs_use_trans shm system_u:object_r:tmpfs_t:s0;
1688fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
1689fs_use_trans devpts system_u:object_r:devpts_t:s0;
# genfscon: contexts assigned by filesystem type and path prefix, for
# filesystems that are not labelled through a fs_use_* statement.
# An entry for "/" gives every object on that filesystem type the same
# label, so policy cannot tell individual files apart there (see the
# fat/ntfs/vfat, nfs and cifs entries below).
1690genfscon proc /mtrr system_u:object_r:mtrr_device_t:s0
1691genfscon sysfs / system_u:object_r:sysfs_t:s0
1692genfscon usbfs / system_u:object_r:usbfs_t:s0
1693genfscon usbdevfs / system_u:object_r:usbfs_t:s0
1694genfscon rootfs / system_u:object_r:root_t:s0
1695genfscon bdev / system_u:object_r:bdev_t:s0
1696genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0
1697genfscon capifs / system_u:object_r:capifs_t:s0
1698genfscon configfs / system_u:object_r:configfs_t:s0
1699genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0
1700genfscon futexfs / system_u:object_r:futexfs_t:s0
1701genfscon hugetlbfs / system_u:object_r:hugetlbfs_t:s0
1702genfscon inotifyfs / system_u:object_r:inotifyfs_t:s0
1703genfscon nfsd / system_u:object_r:nfsd_fs_t:s0
1704genfscon ramfs / system_u:object_r:ramfs_t:s0
1705genfscon romfs / system_u:object_r:romfs_t:s0
1706genfscon cramfs / system_u:object_r:romfs_t:s0
1707genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0
1708genfscon autofs / system_u:object_r:autofs_t:s0
1709genfscon automount / system_u:object_r:autofs_t:s0
1710genfscon cifs / system_u:object_r:cifs_t:s0
1711genfscon smbfs / system_u:object_r:cifs_t:s0
1712genfscon fat / system_u:object_r:dosfs_t:s0
1713genfscon msdos / system_u:object_r:dosfs_t:s0
1714genfscon ntfs / system_u:object_r:dosfs_t:s0
1715genfscon vfat / system_u:object_r:dosfs_t:s0
1716genfscon iso9660 / system_u:object_r:iso9660_t:s0
1717genfscon udf / system_u:object_r:iso9660_t:s0
1718genfscon nfs / system_u:object_r:nfs_t:s0
1719genfscon nfs4 / system_u:object_r:nfs_t:s0
1720genfscon afs / system_u:object_r:nfs_t:s0
# NOTE(review): hfsplus shares nfs_t with the network filesystems above;
# confirm that grouping is intended.
1721genfscon hfsplus / system_u:object_r:nfs_t:s0
1722genfscon debugfs / system_u:object_r:debugfs_t:s0
# /proc: proc_t is the default for the whole tree. The entries that
# follow give sensitive paths (kmsg, kcore, the sysctl subtrees under
# /sys) their own types, so access to them is granted separately from
# general proc_t access. Where two prefixes overlap (/sys/kernel and
# /sys/kernel/modprobe), the longer prefix is expected to apply.
1723genfscon proc / system_u:object_r:proc_t:s0
1724genfscon proc /sysvipc system_u:object_r:proc_t:s0
1725genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s0
1726genfscon proc /kcore system_u:object_r:proc_kcore_t:s0
1727genfscon proc /mdstat system_u:object_r:proc_mdstat_t:s0
1728genfscon proc /net system_u:object_r:proc_net_t:s0
1729genfscon proc /xen system_u:object_r:proc_xen_t:s0
1730genfscon proc /sys system_u:object_r:sysctl_t:s0
1731genfscon proc /irq system_u:object_r:sysctl_irq_t:s0
1732genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t:s0
1733genfscon proc /sys/fs system_u:object_r:sysctl_fs_t:s0
1734genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t:s0
1735genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t:s0
1736genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t:s0
1737genfscon proc /sys/net system_u:object_r:sysctl_net_t:s0
1738genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t:s0
1739genfscon proc /sys/vm system_u:object_r:sysctl_vm_t:s0
1740genfscon proc /sys/dev system_u:object_r:sysctl_dev_t:s0
1741genfscon selinuxfs / system_u:object_r:security_t:s0
# portcon: security context for a protocol/port pair or port range.
# Several ports usually share one type, so a rule that lets a domain
# bind or connect to that type covers every port listed under it; review
# the full group before granting access to a *_port_t type.
# Order matters in this list: the specific entries come first and the
# catch-all 1-1023 ranges last (see the note at the end of the block).
1742portcon udp 7007 system_u:object_r:afs_bos_port_t:s0
1743portcon tcp 2040 system_u:object_r:afs_fs_port_t:s0
1744portcon udp 7000 system_u:object_r:afs_fs_port_t:s0
1745portcon udp 7005 system_u:object_r:afs_fs_port_t:s0
1746portcon udp 7004 system_u:object_r:afs_ka_port_t:s0
1747portcon udp 7002 system_u:object_r:afs_pt_port_t:s0
1748portcon udp 7003 system_u:object_r:afs_vl_port_t:s0
1749portcon udp 10080 system_u:object_r:amanda_port_t:s0
1750portcon tcp 10080 system_u:object_r:amanda_port_t:s0
1751portcon udp 10081 system_u:object_r:amanda_port_t:s0
1752portcon tcp 10081 system_u:object_r:amanda_port_t:s0
1753portcon tcp 10082 system_u:object_r:amanda_port_t:s0
1754portcon tcp 10083 system_u:object_r:amanda_port_t:s0
1755portcon tcp 10024 system_u:object_r:amavisd_recv_port_t:s0
1756portcon tcp 10025 system_u:object_r:amavisd_send_port_t:s0
1757portcon tcp 1720 system_u:object_r:asterisk_port_t:s0
1758portcon udp 2427 system_u:object_r:asterisk_port_t:s0
1759portcon udp 2727 system_u:object_r:asterisk_port_t:s0
1760portcon udp 4569 system_u:object_r:asterisk_port_t:s0
1761portcon udp 5060 system_u:object_r:asterisk_port_t:s0
1762portcon tcp 113 system_u:object_r:auth_port_t:s0
1763portcon tcp 179 system_u:object_r:bgp_port_t:s0
1764portcon udp 179 system_u:object_r:bgp_port_t:s0
1765portcon tcp 3310 system_u:object_r:clamd_port_t:s0
1766portcon udp 4041 system_u:object_r:clockspeed_port_t:s0
1767portcon udp 512 system_u:object_r:comsat_port_t:s0
1768portcon tcp 2401 system_u:object_r:cvs_port_t:s0
1769portcon udp 2401 system_u:object_r:cvs_port_t:s0
1770portcon udp 6276 system_u:object_r:dcc_port_t:s0
1771portcon udp 6277 system_u:object_r:dcc_port_t:s0
1772portcon tcp 1178 system_u:object_r:dbskkd_port_t:s0
1773portcon udp 68 system_u:object_r:dhcpc_port_t:s0
1774portcon udp 67 system_u:object_r:dhcpd_port_t:s0
1775portcon tcp 647 system_u:object_r:dhcpd_port_t:s0
1776portcon udp 647 system_u:object_r:dhcpd_port_t:s0
1777portcon tcp 847 system_u:object_r:dhcpd_port_t:s0
1778portcon udp 847 system_u:object_r:dhcpd_port_t:s0
1779portcon tcp 2628 system_u:object_r:dict_port_t:s0
1780portcon tcp 3632 system_u:object_r:distccd_port_t:s0
1781portcon udp 53 system_u:object_r:dns_port_t:s0
1782portcon tcp 53 system_u:object_r:dns_port_t:s0
1783portcon tcp 79 system_u:object_r:fingerd_port_t:s0
1784portcon tcp 20 system_u:object_r:ftp_data_port_t:s0
1785portcon tcp 21 system_u:object_r:ftp_port_t:s0
1786portcon udp 1718 system_u:object_r:gatekeeper_port_t:s0
1787portcon udp 1719 system_u:object_r:gatekeeper_port_t:s0
1788portcon tcp 1721 system_u:object_r:gatekeeper_port_t:s0
1789portcon tcp 7000 system_u:object_r:gatekeeper_port_t:s0
1790portcon tcp 1213 system_u:object_r:giftd_port_t:s0
1791portcon tcp 70 system_u:object_r:gopher_port_t:s0
1792portcon udp 70 system_u:object_r:gopher_port_t:s0
1793portcon tcp 3128 system_u:object_r:http_cache_port_t:s0
1794portcon udp 3130 system_u:object_r:http_cache_port_t:s0
1795portcon tcp 8080 system_u:object_r:http_cache_port_t:s0
1796portcon tcp 8118 system_u:object_r:http_cache_port_t:s0
1797portcon tcp 80 system_u:object_r:http_port_t:s0
1798portcon tcp 443 system_u:object_r:http_port_t:s0
1799portcon tcp 488 system_u:object_r:http_port_t:s0
1800portcon tcp 8008 system_u:object_r:http_port_t:s0
# NOTE(review): tcp 9050 is grouped under http_port_t, so every domain
# allowed to use http_port_t can use this port as well; confirm.
1801portcon tcp 9050 system_u:object_r:http_port_t:s0
1802portcon tcp 5335 system_u:object_r:howl_port_t:s0
1803portcon udp 5353 system_u:object_r:howl_port_t:s0
1804portcon tcp 50000 system_u:object_r:hplip_port_t:s0
1805portcon tcp 50002 system_u:object_r:hplip_port_t:s0
1806portcon tcp 9010 system_u:object_r:i18n_input_port_t:s0
1807portcon tcp 5323 system_u:object_r:imaze_port_t:s0
1808portcon udp 5323 system_u:object_r:imaze_port_t:s0
1809portcon tcp 7 system_u:object_r:inetd_child_port_t:s0
1810portcon udp 7 system_u:object_r:inetd_child_port_t:s0
1811portcon tcp 9 system_u:object_r:inetd_child_port_t:s0
1812portcon udp 9 system_u:object_r:inetd_child_port_t:s0
1813portcon tcp 13 system_u:object_r:inetd_child_port_t:s0
1814portcon udp 13 system_u:object_r:inetd_child_port_t:s0
1815portcon tcp 19 system_u:object_r:inetd_child_port_t:s0
1816portcon udp 19 system_u:object_r:inetd_child_port_t:s0
1817portcon tcp 37 system_u:object_r:inetd_child_port_t:s0
1818portcon udp 37 system_u:object_r:inetd_child_port_t:s0
1819portcon tcp 512 system_u:object_r:inetd_child_port_t:s0
1820portcon tcp 543 system_u:object_r:inetd_child_port_t:s0
1821portcon tcp 544 system_u:object_r:inetd_child_port_t:s0
1822portcon tcp 891 system_u:object_r:inetd_child_port_t:s0
1823portcon udp 891 system_u:object_r:inetd_child_port_t:s0
1824portcon tcp 892 system_u:object_r:inetd_child_port_t:s0
1825portcon udp 892 system_u:object_r:inetd_child_port_t:s0
1826portcon tcp 2105 system_u:object_r:inetd_child_port_t:s0
1827portcon tcp 5666 system_u:object_r:inetd_child_port_t:s0
1828portcon tcp 119 system_u:object_r:innd_port_t:s0
1829portcon tcp 631 system_u:object_r:ipp_port_t:s0
1830portcon udp 631 system_u:object_r:ipp_port_t:s0
1831portcon tcp 6667 system_u:object_r:ircd_port_t:s0
1832portcon udp 500 system_u:object_r:isakmp_port_t:s0
1833portcon tcp 5222 system_u:object_r:jabber_client_port_t:s0
1834portcon tcp 5223 system_u:object_r:jabber_client_port_t:s0
1835portcon tcp 5269 system_u:object_r:jabber_interserver_port_t:s0
1836portcon tcp 464 system_u:object_r:kerberos_admin_port_t:s0
1837portcon udp 464 system_u:object_r:kerberos_admin_port_t:s0
1838portcon tcp 749 system_u:object_r:kerberos_admin_port_t:s0
1839portcon tcp 4444 system_u:object_r:kerberos_master_port_t:s0
1840portcon udp 4444 system_u:object_r:kerberos_master_port_t:s0
1841portcon tcp 88 system_u:object_r:kerberos_port_t:s0
1842portcon udp 88 system_u:object_r:kerberos_port_t:s0
1843portcon tcp 750 system_u:object_r:kerberos_port_t:s0
1844portcon udp 750 system_u:object_r:kerberos_port_t:s0
1845portcon udp 517 system_u:object_r:ktalkd_port_t:s0
1846portcon udp 518 system_u:object_r:ktalkd_port_t:s0
1847portcon tcp 389 system_u:object_r:ldap_port_t:s0
1848portcon udp 389 system_u:object_r:ldap_port_t:s0
1849portcon tcp 636 system_u:object_r:ldap_port_t:s0
1850portcon udp 636 system_u:object_r:ldap_port_t:s0
1851portcon tcp 2000 system_u:object_r:mail_port_t:s0
1852portcon tcp 1234 system_u:object_r:monopd_port_t:s0
1853portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
1854portcon tcp 1241 system_u:object_r:nessus_port_t:s0
1855portcon udp 137 system_u:object_r:nmbd_port_t:s0
1856portcon udp 138 system_u:object_r:nmbd_port_t:s0
1857portcon udp 139 system_u:object_r:nmbd_port_t:s0
1858portcon udp 123 system_u:object_r:ntp_port_t:s0
1859portcon udp 5000 system_u:object_r:openvpn_port_t:s0
1860portcon tcp 5988 system_u:object_r:pegasus_http_port_t:s0
1861portcon tcp 5989 system_u:object_r:pegasus_https_port_t:s0
1862portcon tcp 106 system_u:object_r:pop_port_t:s0
1863portcon tcp 109 system_u:object_r:pop_port_t:s0
1864portcon tcp 110 system_u:object_r:pop_port_t:s0
1865portcon tcp 143 system_u:object_r:pop_port_t:s0
1866portcon tcp 220 system_u:object_r:pop_port_t:s0
1867portcon tcp 993 system_u:object_r:pop_port_t:s0
1868portcon tcp 995 system_u:object_r:pop_port_t:s0
1869portcon tcp 1109 system_u:object_r:pop_port_t:s0
1870portcon udp 111 system_u:object_r:portmap_port_t:s0
1871portcon tcp 111 system_u:object_r:portmap_port_t:s0
1872portcon tcp 5432 system_u:object_r:postgresql_port_t:s0
1873portcon tcp 60000 system_u:object_r:postgrey_port_t:s0
1874portcon tcp 515 system_u:object_r:printer_port_t:s0
1875portcon tcp 5703 system_u:object_r:ptal_port_t:s0
1876portcon udp 4011 system_u:object_r:pxe_port_t:s0
1877portcon udp 24441 system_u:object_r:pyzor_port_t:s0
1878portcon udp 1646 system_u:object_r:radacct_port_t:s0
1879portcon udp 1813 system_u:object_r:radacct_port_t:s0
1880portcon udp 1645 system_u:object_r:radius_port_t:s0
1881portcon udp 1812 system_u:object_r:radius_port_t:s0
1882portcon tcp 2703 system_u:object_r:razor_port_t:s0
1883portcon tcp 513 system_u:object_r:rlogind_port_t:s0
1884portcon tcp 953 system_u:object_r:rndc_port_t:s0
1885portcon udp 520 system_u:object_r:router_port_t:s0
1886portcon tcp 514 system_u:object_r:rsh_port_t:s0
1887portcon tcp 873 system_u:object_r:rsync_port_t:s0
1888portcon udp 873 system_u:object_r:rsync_port_t:s0
1889portcon tcp 137-139 system_u:object_r:smbd_port_t:s0
1890portcon tcp 445 system_u:object_r:smbd_port_t:s0
1891portcon tcp 25 system_u:object_r:smtp_port_t:s0
1892portcon tcp 465 system_u:object_r:smtp_port_t:s0
1893portcon tcp 587 system_u:object_r:smtp_port_t:s0
1894portcon udp 161 system_u:object_r:snmp_port_t:s0
1895portcon udp 162 system_u:object_r:snmp_port_t:s0
1896portcon tcp 199 system_u:object_r:snmp_port_t:s0
1897portcon tcp 783 system_u:object_r:spamd_port_t:s0
1898portcon tcp 22 system_u:object_r:ssh_port_t:s0
1899portcon tcp 8000 system_u:object_r:soundd_port_t:s0
1900portcon tcp 9433 system_u:object_r:soundd_port_t:s0
1901portcon tcp 901 system_u:object_r:swat_port_t:s0
1902portcon udp 514 system_u:object_r:syslogd_port_t:s0
1903portcon tcp 23 system_u:object_r:telnetd_port_t:s0
1904portcon udp 69 system_u:object_r:tftp_port_t:s0
1905portcon tcp 8081 system_u:object_r:transproxy_port_t:s0
1906portcon tcp 540 system_u:object_r:uucpd_port_t:s0
1907portcon tcp 5900 system_u:object_r:vnc_port_t:s0
1908portcon tcp 6001 system_u:object_r:xserver_port_t:s0
1909portcon tcp 6002 system_u:object_r:xserver_port_t:s0
1910portcon tcp 6003 system_u:object_r:xserver_port_t:s0
1911portcon tcp 6004 system_u:object_r:xserver_port_t:s0
1912portcon tcp 6005 system_u:object_r:xserver_port_t:s0
1913portcon tcp 6006 system_u:object_r:xserver_port_t:s0
1914portcon tcp 6007 system_u:object_r:xserver_port_t:s0
1915portcon tcp 6008 system_u:object_r:xserver_port_t:s0
1916portcon tcp 6009 system_u:object_r:xserver_port_t:s0
1917portcon tcp 6010 system_u:object_r:xserver_port_t:s0
1918portcon tcp 6011 system_u:object_r:xserver_port_t:s0
1919portcon tcp 6012 system_u:object_r:xserver_port_t:s0
1920portcon tcp 6013 system_u:object_r:xserver_port_t:s0
1921portcon tcp 6014 system_u:object_r:xserver_port_t:s0
1922portcon tcp 6015 system_u:object_r:xserver_port_t:s0
1923portcon tcp 6016 system_u:object_r:xserver_port_t:s0
1924portcon tcp 6017 system_u:object_r:xserver_port_t:s0
1925portcon tcp 6018 system_u:object_r:xserver_port_t:s0
1926portcon tcp 6019 system_u:object_r:xserver_port_t:s0
1927portcon tcp 8002 system_u:object_r:xen_port_t:s0
1928portcon tcp 2601 system_u:object_r:zebra_port_t:s0
1929portcon tcp 8021 system_u:object_r:zope_port_t:s0
# Catch-all for privileged ports with no specific entry above. These two
# ranges must stay last: port lookup is expected to use the first
# matching entry, so moving them earlier would relabel every specific
# port below 1024 as reserved_port_t.
1930portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0
1931portcon udp 1-1023 system_u:object_r:reserved_port_t:s0
# nodecon: security context for network nodes, given as address and
# netmask. An all-ones mask (255.255.255.255) matches one host only, so
# the 0.0.0.0 and 127.0.0.1 entries each label exactly that address.
# The 96-bit masks on :: and ::ffff:0000:0000 select the IPv4-compatible
# and IPv4-mapped IPv6 ranges.
# NOTE(review): the last entry labels exactly :: (full mask) and sits
# after the masked :: entry, which also matches that address; if lookup
# uses the first match, unspec_node_t is never assigned. Confirm.
1932nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:compat_ipv4_node_t:s0
1933nodecon 0.0.0.0 255.255.255.255 system_u:object_r:inaddr_any_node_t:s0
1934nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:link_local_node_t:s0
1935nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0
1936nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:mapped_ipv4_node_t:s0
1937nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0
1938nodecon fec0:: ffc0:: system_u:object_r:site_local_node_t:s0
1939nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:unspec_node_t:s0
1940