path: root/tests/policies/test-cond/refpolicy-base.conf
Diffstat (limited to 'tests/policies/test-cond/refpolicy-base.conf')
-rw-r--r--tests/policies/test-cond/refpolicy-base.conf1939
1 files changed, 1939 insertions, 0 deletions
diff --git a/tests/policies/test-cond/refpolicy-base.conf b/tests/policies/test-cond/refpolicy-base.conf
new file mode 100644
index 0000000..60da11a
--- /dev/null
+++ b/tests/policies/test-cond/refpolicy-base.conf
@@ -0,0 +1,1939 @@
+class security
+class process
+class system
+class capability
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+class sem
+class msg
+class msgq
+class shm
+class ipc
+class passwd # userspace
+class drawable # userspace
+class window # userspace
+class gc # userspace
+class font # userspace
+class colormap # userspace
+class property # userspace
+class cursor # userspace
+class xclient # userspace
+class xinput # userspace
+class xserver # userspace
+class xextension # userspace
+class pax
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+class dbus # userspace
+class nscd # userspace
+class association
+class netlink_kobject_uevent_socket
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+common socket
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+}
+class lnk_file
+inherits file
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+}
+class blk_file
+inherits file
+class sock_file
+inherits file
+class fifo_file
+inherits file
+class fd
+{
+ use
+}
+class socket
+inherits socket
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+ node_bind
+ name_connect
+}
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+class netlink_socket
+inherits socket
+class packet_socket
+inherits socket
+class key_socket
+inherits socket
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+class unix_dgram_socket
+inherits socket
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+}
+class ipc
+inherits ipc
+class sem
+inherits ipc
+class msgq
+inherits ipc
+{
+ enqueue
+}
+class msg
+{
+ send
+ receive
+}
+class shm
+inherits ipc
+{
+ lock
+}
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+}
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+}
+class capability
+{
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+}
+class passwd
+{
+ passwd # change another user passwd
+ chfn # change another user finger info
+ chsh # change another user shell
+ rootok # pam_rootok check (skip auth)
+ crontab # crontab on another user
+}
+class drawable
+{
+ create
+ destroy
+ draw
+ copy
+ getattr
+}
+class gc
+{
+ create
+ free
+ getattr
+ setattr
+}
+class window
+{
+ addchild
+ create
+ destroy
+ map
+ unmap
+ chstack
+ chproplist
+ chprop
+ listprop
+ getattr
+ setattr
+ setfocus
+ move
+ chselection
+ chparent
+ ctrllife
+ enumerate
+ transparent
+ mousemotion
+ clientcomevent
+ inputevent
+ drawevent
+ windowchangeevent
+ windowchangerequest
+ serverchangeevent
+ extensionevent
+}
+class font
+{
+ load
+ free
+ getattr
+ use
+}
+class colormap
+{
+ create
+ free
+ install
+ uninstall
+ list
+ read
+ store
+ getattr
+ setattr
+}
+class property
+{
+ create
+ free
+ read
+ write
+}
+class cursor
+{
+ create
+ createglyph
+ free
+ assign
+ setattr
+}
+class xclient
+{
+ kill
+}
+class xinput
+{
+ lookup
+ getattr
+ setattr
+ setfocus
+ warppointer
+ activegrab
+ passivegrab
+ ungrab
+ bell
+ mousemotion
+ relabelinput
+}
+class xserver
+{
+ screensaver
+ gethostlist
+ sethostlist
+ getfontpath
+ setfontpath
+ getattr
+ grab
+ ungrab
+}
+class xextension
+{
+ query
+ use
+}
+class pax
+{
+ pageexec # Paging based non-executable pages
+ emutramp # Emulate trampolines
+ mprotect # Restrict mprotect()
+ randmmap # Randomize mmap() base
+ randexec # Randomize ET_EXEC base
+ segmexec # Segmentation based non-executable pages
+}
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+class netlink_firewall_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+class netlink_nflog_socket
+inherits socket
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+class netlink_selinux_socket
+inherits socket
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+}
+class netlink_ip6fw_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+class netlink_dnrt_socket
+inherits socket
+class dbus
+{
+ acquire_svc
+ send_msg
+}
+class nscd
+{
+ getpwd
+ getgrp
+ gethost
+ getstat
+ admin
+ shmempwd
+ shmemgrp
+ shmemhost
+}
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+}
+class netlink_kobject_uevent_socket
+inherits socket
+sensitivity s0;
+dominance { s0 }
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+category c24; category c25; category c26; category c27;
+category c28; category c29; category c30; category c31;
+category c32; category c33; category c34; category c35;
+category c36; category c37; category c38; category c39;
+category c40; category c41; category c42; category c43;
+category c44; category c45; category c46; category c47;
+category c48; category c49; category c50; category c51;
+category c52; category c53; category c54; category c55;
+category c56; category c57; category c58; category c59;
+category c60; category c61; category c62; category c63;
+category c64; category c65; category c66; category c67;
+category c68; category c69; category c70; category c71;
+category c72; category c73; category c74; category c75;
+category c76; category c77; category c78; category c79;
+category c80; category c81; category c82; category c83;
+category c84; category c85; category c86; category c87;
+category c88; category c89; category c90; category c91;
+category c92; category c93; category c94; category c95;
+category c96; category c97; category c98; category c99;
+category c100; category c101; category c102; category c103;
+category c104; category c105; category c106; category c107;
+category c108; category c109; category c110; category c111;
+category c112; category c113; category c114; category c115;
+category c116; category c117; category c118; category c119;
+category c120; category c121; category c122; category c123;
+category c124; category c125; category c126; category c127;
+category c128; category c129; category c130; category c131;
+category c132; category c133; category c134; category c135;
+category c136; category c137; category c138; category c139;
+category c140; category c141; category c142; category c143;
+category c144; category c145; category c146; category c147;
+category c148; category c149; category c150; category c151;
+category c152; category c153; category c154; category c155;
+category c156; category c157; category c158; category c159;
+category c160; category c161; category c162; category c163;
+category c164; category c165; category c166; category c167;
+category c168; category c169; category c170; category c171;
+category c172; category c173; category c174; category c175;
+category c176; category c177; category c178; category c179;
+category c180; category c181; category c182; category c183;
+category c184; category c185; category c186; category c187;
+category c188; category c189; category c190; category c191;
+category c192; category c193; category c194; category c195;
+category c196; category c197; category c198; category c199;
+category c200; category c201; category c202; category c203;
+category c204; category c205; category c206; category c207;
+category c208; category c209; category c210; category c211;
+category c212; category c213; category c214; category c215;
+category c216; category c217; category c218; category c219;
+category c220; category c221; category c222; category c223;
+category c224; category c225; category c226; category c227;
+category c228; category c229; category c230; category c231;
+category c232; category c233; category c234; category c235;
+category c236; category c237; category c238; category c239;
+category c240; category c241; category c242; category c243;
+category c244; category c245; category c246; category c247;
+category c248; category c249; category c250; category c251;
+category c252; category c253; category c254; category c255;
+level s0:c0.c255;
+mlsconstrain file { write setattr append unlink link rename
+ ioctl lock execute relabelfrom } (h1 dom h2);
+mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
+mlsconstrain file { read } ((h1 dom h2) or ( t2 == domain ) or ( t1 == mlsfileread ));
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+ ( h1 dom h2 );
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+mlsconstrain process { ptrace } ( h1 dom h2 );
+mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or
+ ( t1 == mcskillall );
+mlsconstrain xextension query ( t1 == mlsfileread );
+attribute netif_type;
+attribute node_type;
+attribute port_type;
+attribute reserved_port_type;
+attribute device_node;
+attribute memory_raw_read;
+attribute memory_raw_write;
+attribute domain;
+attribute unconfined_domain_type;
+attribute set_curr_context;
+attribute entry_type;
+attribute privfd;
+attribute can_change_process_identity;
+attribute can_change_process_role;
+attribute can_change_object_identity;
+attribute can_system_change;
+attribute process_user_target;
+attribute cron_source_domain;
+attribute cron_job_domain;
+attribute process_uncond_exempt; # add userhelperdomain to this one
+attribute file_type;
+attribute lockfile;
+attribute mountpoint;
+attribute pidfile;
+attribute polydir;
+attribute usercanread;
+attribute polyparent;
+attribute polymember;
+attribute security_file_type;
+attribute tmpfile;
+attribute tmpfsfile;
+attribute filesystem_type;
+attribute noxattrfs;
+attribute can_load_kernmodule;
+attribute can_receive_kernel_messages;
+attribute kern_unconfined;
+attribute proc_type;
+attribute sysctl_type;
+attribute mcskillall;
+attribute mlsfileread;
+attribute mlsfilereadtoclr;
+attribute mlsfilewrite;
+attribute mlsfilewritetoclr;
+attribute mlsfileupgrade;
+attribute mlsfiledowngrade;
+attribute mlsnetread;
+attribute mlsnetreadtoclr;
+attribute mlsnetwrite;
+attribute mlsnetwritetoclr;
+attribute mlsnetupgrade;
+attribute mlsnetdowngrade;
+attribute mlsnetrecvall;
+attribute mlsipcread;
+attribute mlsipcreadtoclr;
+attribute mlsipcwrite;
+attribute mlsipcwritetoclr;
+attribute mlsprocread;
+attribute mlsprocreadtoclr;
+attribute mlsprocwrite;
+attribute mlsprocwritetoclr;
+attribute mlsprocsetsl;
+attribute mlsxwinread;
+attribute mlsxwinreadtoclr;
+attribute mlsxwinwrite;
+attribute mlsxwinwritetoclr;
+attribute mlsxwinreadproperty;
+attribute mlsxwinwriteproperty;
+attribute mlsxwinreadcolormap;
+attribute mlsxwinwritecolormap;
+attribute mlsxwinwritexinput;
+attribute mlstrustedobject;
+attribute privrangetrans;
+attribute mlsrangetrans;
+attribute can_load_policy;
+attribute can_setenforce;
+attribute can_setsecparam;
+attribute ttynode;
+attribute ptynode;
+attribute server_ptynode;
+attribute serial_device;
+type bin_t;
+type sbin_t;
+type ls_exec_t;
+type shell_exec_t;
+type chroot_exec_t;
+type ppp_device_t;
+type tun_tap_device_t;
+type port_t, port_type;
+type reserved_port_t, port_type, reserved_port_type;
+type afs_bos_port_t, port_type;
+type afs_fs_port_t, port_type;
+type afs_ka_port_t, port_type;
+type afs_pt_port_t, port_type;
+type afs_vl_port_t, port_type;
+type amanda_port_t, port_type;
+type amavisd_recv_port_t, port_type;
+type amavisd_send_port_t, port_type;
+type asterisk_port_t, port_type;
+type auth_port_t, port_type;
+type bgp_port_t, port_type;
+type biff_port_t, port_type, reserved_port_type;
+type clamd_port_t, port_type;
+type clockspeed_port_t, port_type;
+type comsat_port_t, port_type;
+type cvs_port_t, port_type;
+type dcc_port_t, port_type;
+type dbskkd_port_t, port_type;
+type dhcpc_port_t, port_type;
+type dhcpd_port_t, port_type;
+type dict_port_t, port_type;
+type distccd_port_t, port_type;
+type dns_port_t, port_type;
+type fingerd_port_t, port_type;
+type ftp_data_port_t, port_type;
+type ftp_port_t, port_type;
+type gatekeeper_port_t, port_type;
+type giftd_port_t, port_type;
+type gopher_port_t, port_type;
+type http_cache_port_t, port_type;
+type http_port_t, port_type;
+type howl_port_t, port_type;
+type hplip_port_t, port_type;
+type i18n_input_port_t, port_type;
+type imaze_port_t, port_type;
+type inetd_child_port_t, port_type;
+type innd_port_t, port_type;
+type ipp_port_t, port_type;
+type ircd_port_t, port_type;
+type isakmp_port_t, port_type;
+type jabber_client_port_t, port_type;
+type jabber_interserver_port_t, port_type;
+type kerberos_admin_port_t, port_type;
+type kerberos_master_port_t, port_type;
+type kerberos_port_t, port_type;
+type ktalkd_port_t, port_type;
+type ldap_port_t, port_type;
+type lrrd_port_t, port_type;
+type mail_port_t, port_type;
+type monopd_port_t, port_type;
+type mysqld_port_t, port_type;
+type nessus_port_t, port_type;
+type nmbd_port_t, port_type;
+type ntp_port_t, port_type;
+type openvpn_port_t, port_type;
+type pegasus_http_port_t, port_type;
+type pegasus_https_port_t, port_type;
+type pop_port_t, port_type;
+type portmap_port_t, port_type;
+type postgresql_port_t, port_type;
+type postgrey_port_t, port_type;
+type printer_port_t, port_type;
+type ptal_port_t, port_type;
+type pxe_port_t, port_type;
+type pyzor_port_t, port_type;
+type radacct_port_t, port_type;
+type radius_port_t, port_type;
+type razor_port_t, port_type;
+type rlogind_port_t, port_type;
+type rndc_port_t, port_type;
+type router_port_t, port_type;
+type rsh_port_t, port_type;
+type rsync_port_t, port_type;
+type smbd_port_t, port_type;
+type smtp_port_t, port_type;
+type snmp_port_t, port_type;
+type spamd_port_t, port_type;
+type ssh_port_t, port_type;
+type soundd_port_t, port_type;
+type socks_port_t, port_type; type stunnel_port_t, port_type;
+type swat_port_t, port_type;
+type syslogd_port_t, port_type;
+type telnetd_port_t, port_type;
+type tftp_port_t, port_type;
+type transproxy_port_t, port_type;
+type utcpserver_port_t, port_type;
+type uucpd_port_t, port_type;
+type vnc_port_t, port_type;
+type xserver_port_t, port_type;
+type xen_port_t, port_type;
+type zebra_port_t, port_type;
+type zope_port_t, port_type;
+type node_t, node_type;
+type compat_ipv4_node_t alias node_compat_ipv4_t, node_type;
+type inaddr_any_node_t alias node_inaddr_any_t, node_type;
+type node_internal_t, node_type;
+type link_local_node_t alias node_link_local_t, node_type;
+type lo_node_t alias node_lo_t, node_type;
+type mapped_ipv4_node_t alias node_mapped_ipv4_t, node_type;
+type multicast_node_t alias node_multicast_t, node_type;
+type site_local_node_t alias node_site_local_t, node_type;
+type unspec_node_t alias node_unspec_t, node_type;
+type netif_t, netif_type;
+type device_t;
+type agp_device_t;
+type apm_bios_t;
+type cardmgr_dev_t;
+type clock_device_t;
+type cpu_device_t;
+type crypt_device_t;
+type dri_device_t;
+type event_device_t;
+type framebuf_device_t;
+type lvm_control_t;
+type memory_device_t;
+type misc_device_t;
+type mouse_device_t;
+type mtrr_device_t;
+type null_device_t;
+type power_device_t;
+type printer_device_t;
+type random_device_t;
+type scanner_device_t;
+type sound_device_t;
+type sysfs_t;
+type urandom_device_t;
+type usbfs_t alias usbdevfs_t;
+type usb_device_t;
+type v4l_device_t;
+type xserver_misc_device_t;
+type zero_device_t;
+type xconsole_device_t;
+type devfs_control_t;
+type boot_t;
+type default_t, file_type, mountpoint;
+type etc_t, file_type;
+type etc_runtime_t, file_type;
+type file_t, file_type, mountpoint;
+type home_root_t, file_type, mountpoint;
+type lost_found_t, file_type;
+type mnt_t, file_type, mountpoint;
+type modules_object_t;
+type no_access_t, file_type;
+type poly_t, file_type;
+type readable_t, file_type;
+type root_t, file_type, mountpoint;
+type src_t, file_type, mountpoint;
+type system_map_t;
+type tmp_t, mountpoint; #, polydir
+type usr_t, file_type, mountpoint;
+type var_t, file_type, mountpoint;
+type var_lib_t, file_type, mountpoint;
+type var_lock_t, file_type, lockfile;
+type var_run_t, file_type, pidfile;
+type var_spool_t;
+type fs_t;
+type bdev_t;
+type binfmt_misc_fs_t;
+type capifs_t;
+type configfs_t;
+type eventpollfs_t;
+type futexfs_t;
+type hugetlbfs_t;
+type inotifyfs_t;
+type nfsd_fs_t;
+type ramfs_t;
+type romfs_t;
+type rpc_pipefs_t;
+type tmpfs_t;
+type autofs_t, noxattrfs;
+type cifs_t alias sambafs_t, noxattrfs;
+type dosfs_t, noxattrfs;
+type iso9660_t, filesystem_type, noxattrfs;
+type removable_t, noxattrfs;
+type nfs_t, filesystem_type, noxattrfs;
+type kernel_t, can_load_kernmodule;
+type debugfs_t;
+type proc_t, proc_type;
+type proc_kmsg_t, proc_type;
+type proc_kcore_t, proc_type;
+type proc_mdstat_t, proc_type;
+type proc_net_t, proc_type;
+type proc_xen_t, proc_type;
+type sysctl_t, sysctl_type;
+type sysctl_irq_t, sysctl_type;
+type sysctl_rpc_t, sysctl_type;
+type sysctl_fs_t, sysctl_type;
+type sysctl_kernel_t, sysctl_type;
+type sysctl_modprobe_t, sysctl_type;
+type sysctl_hotplug_t, sysctl_type;
+type sysctl_net_t, sysctl_type;
+type sysctl_net_unix_t, sysctl_type;
+type sysctl_vm_t, sysctl_type;
+type sysctl_dev_t, sysctl_type;
+type unlabeled_t;
+type auditd_exec_t;
+type crond_exec_t;
+type cupsd_exec_t;
+type getty_t;
+type init_t;
+type init_exec_t;
+type initrc_t;
+type initrc_exec_t;
+type login_exec_t;
+type sshd_exec_t;
+type su_exec_t;
+type udev_exec_t;
+type unconfined_t;
+type xdm_exec_t;
+type lvm_exec_t;
+type security_t;
+type bsdpty_device_t;
+type console_device_t;
+type devpts_t;
+type devtty_t;
+type ptmx_t;
+type tty_device_t, serial_device;
+type usbtty_device_t, serial_device;
+ bool secure_mode false;
+ bool secure_mode_insmod false;
+ bool secure_mode_policyload false;
+ bool allow_cvs_read_shadow false;
+ bool allow_execheap false;
+ bool allow_execmem true;
+ bool allow_execmod false;
+ bool allow_execstack true;
+ bool allow_ftpd_anon_write false;
+ bool allow_gssd_read_tmp true;
+ bool allow_httpd_anon_write false;
+ bool allow_java_execstack false;
+ bool allow_kerberos true;
+ bool allow_rsync_anon_write false;
+ bool allow_saslauthd_read_shadow false;
+ bool allow_smbd_anon_write false;
+ bool allow_ptrace false;
+ bool allow_ypbind false;
+ bool fcron_crond false;
+ bool ftp_home_dir false;
+ bool ftpd_is_daemon true;
+ bool httpd_builtin_scripting true;
+ bool httpd_can_network_connect false;
+ bool httpd_can_network_connect_db false;
+ bool httpd_can_network_relay false;
+ bool httpd_enable_cgi true;
+ bool httpd_enable_ftp_server false;
+ bool httpd_enable_homedirs true;
+ bool httpd_ssi_exec true;
+ bool httpd_tty_comm false;
+ bool httpd_unified true;
+ bool named_write_master_zones false;
+ bool nfs_export_all_rw true;
+ bool nfs_export_all_ro true;
+ bool pppd_can_insmod false;
+ bool read_default_t true;
+ bool run_ssh_inetd false;
+ bool samba_enable_home_dirs false;
+ bool spamassasin_can_network false;
+ bool squid_connect_any false;
+ bool ssh_sysadm_login false;
+ bool stunnel_is_daemon false;
+ bool use_nfs_home_dirs false;
+ bool use_samba_home_dirs false;
+ bool user_ping true;
+ bool spamd_enable_home_dirs true;
+ allow bin_t fs_t:filesystem associate;
+ allow bin_t noxattrfs:filesystem associate;
+ typeattribute bin_t file_type;
+ allow sbin_t fs_t:filesystem associate;
+ allow sbin_t noxattrfs:filesystem associate;
+ typeattribute sbin_t file_type;
+ allow ls_exec_t fs_t:filesystem associate;
+ allow ls_exec_t noxattrfs:filesystem associate;
+ typeattribute ls_exec_t file_type;
+typeattribute ls_exec_t entry_type;
+ allow shell_exec_t fs_t:filesystem associate;
+ allow shell_exec_t noxattrfs:filesystem associate;
+ typeattribute shell_exec_t file_type;
+ allow chroot_exec_t fs_t:filesystem associate;
+ allow chroot_exec_t noxattrfs:filesystem associate;
+ typeattribute chroot_exec_t file_type;
+ typeattribute ppp_device_t device_node;
+ allow ppp_device_t fs_t:filesystem associate;
+ allow ppp_device_t tmpfs_t:filesystem associate;
+ allow ppp_device_t tmp_t:filesystem associate;
+ typeattribute tun_tap_device_t device_node;
+ allow tun_tap_device_t fs_t:filesystem associate;
+ allow tun_tap_device_t tmpfs_t:filesystem associate;
+ allow tun_tap_device_t tmp_t:filesystem associate;
+typeattribute auth_port_t reserved_port_type;
+typeattribute bgp_port_t reserved_port_type;
+typeattribute bgp_port_t reserved_port_type;
+typeattribute comsat_port_t reserved_port_type;
+typeattribute dhcpc_port_t reserved_port_type;
+typeattribute dhcpd_port_t reserved_port_type;
+typeattribute dhcpd_port_t reserved_port_type;
+typeattribute dhcpd_port_t reserved_port_type;
+typeattribute dhcpd_port_t reserved_port_type;
+typeattribute dhcpd_port_t reserved_port_type;
+typeattribute dns_port_t reserved_port_type;
+typeattribute dns_port_t reserved_port_type;
+typeattribute fingerd_port_t reserved_port_type;
+typeattribute ftp_data_port_t reserved_port_type;
+typeattribute ftp_port_t reserved_port_type;
+typeattribute gopher_port_t reserved_port_type;
+typeattribute gopher_port_t reserved_port_type;
+typeattribute http_port_t reserved_port_type;
+typeattribute http_port_t reserved_port_type;
+typeattribute http_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute innd_port_t reserved_port_type;
+typeattribute ipp_port_t reserved_port_type;
+typeattribute ipp_port_t reserved_port_type;
+typeattribute isakmp_port_t reserved_port_type;
+typeattribute kerberos_admin_port_t reserved_port_type;
+typeattribute kerberos_admin_port_t reserved_port_type;
+typeattribute kerberos_admin_port_t reserved_port_type;
+typeattribute kerberos_port_t reserved_port_type;
+typeattribute kerberos_port_t reserved_port_type;
+typeattribute kerberos_port_t reserved_port_type;
+typeattribute kerberos_port_t reserved_port_type;
+typeattribute ktalkd_port_t reserved_port_type;
+typeattribute ktalkd_port_t reserved_port_type;
+typeattribute ldap_port_t reserved_port_type;
+typeattribute ldap_port_t reserved_port_type;
+typeattribute ldap_port_t reserved_port_type;
+typeattribute ldap_port_t reserved_port_type;
+typeattribute nmbd_port_t reserved_port_type;
+typeattribute nmbd_port_t reserved_port_type;
+typeattribute nmbd_port_t reserved_port_type;
+typeattribute ntp_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute portmap_port_t reserved_port_type;
+typeattribute portmap_port_t reserved_port_type;
+typeattribute printer_port_t reserved_port_type;
+typeattribute rlogind_port_t reserved_port_type;
+typeattribute rndc_port_t reserved_port_type;
+typeattribute router_port_t reserved_port_type;
+typeattribute rsh_port_t reserved_port_type;
+typeattribute rsync_port_t reserved_port_type;
+typeattribute rsync_port_t reserved_port_type;
+typeattribute smbd_port_t reserved_port_type;
+typeattribute smbd_port_t reserved_port_type;
+typeattribute smtp_port_t reserved_port_type;
+typeattribute smtp_port_t reserved_port_type;
+typeattribute smtp_port_t reserved_port_type;
+typeattribute snmp_port_t reserved_port_type;
+typeattribute snmp_port_t reserved_port_type;
+typeattribute snmp_port_t reserved_port_type;
+typeattribute spamd_port_t reserved_port_type;
+typeattribute ssh_port_t reserved_port_type;
+typeattribute swat_port_t reserved_port_type;
+typeattribute syslogd_port_t reserved_port_type;
+typeattribute telnetd_port_t reserved_port_type;
+typeattribute tftp_port_t reserved_port_type;
+typeattribute uucpd_port_t reserved_port_type;
+ allow device_t tmpfs_t:filesystem associate;
+ allow device_t fs_t:filesystem associate;
+ allow device_t noxattrfs:filesystem associate;
+ typeattribute device_t file_type;
+ allow device_t fs_t:filesystem associate;
+ allow device_t noxattrfs:filesystem associate;
+ typeattribute device_t file_type;
+ typeattribute device_t mountpoint;
+ allow device_t tmp_t:filesystem associate;
+ typeattribute agp_device_t device_node;
+ allow agp_device_t fs_t:filesystem associate;
+ allow agp_device_t tmpfs_t:filesystem associate;
+ allow agp_device_t tmp_t:filesystem associate;
+ typeattribute apm_bios_t device_node;
+ allow apm_bios_t fs_t:filesystem associate;
+ allow apm_bios_t tmpfs_t:filesystem associate;
+ allow apm_bios_t tmp_t:filesystem associate;
+ typeattribute cardmgr_dev_t device_node;
+ allow cardmgr_dev_t fs_t:filesystem associate;
+ allow cardmgr_dev_t tmpfs_t:filesystem associate;
+ allow cardmgr_dev_t tmp_t:filesystem associate;
+ allow cardmgr_dev_t fs_t:filesystem associate;
+ allow cardmgr_dev_t noxattrfs:filesystem associate;
+ typeattribute cardmgr_dev_t file_type;
+ allow cardmgr_dev_t fs_t:filesystem associate;
+ allow cardmgr_dev_t noxattrfs:filesystem associate;
+ typeattribute cardmgr_dev_t file_type;
+ typeattribute cardmgr_dev_t polymember;
+ allow cardmgr_dev_t tmpfs_t:filesystem associate;
+ typeattribute cardmgr_dev_t tmpfile;
+ allow cardmgr_dev_t tmp_t:filesystem associate;
+ typeattribute clock_device_t device_node;
+ allow clock_device_t fs_t:filesystem associate;
+ allow clock_device_t tmpfs_t:filesystem associate;
+ allow clock_device_t tmp_t:filesystem associate;
+ typeattribute cpu_device_t device_node;
+ allow cpu_device_t fs_t:filesystem associate;
+ allow cpu_device_t tmpfs_t:filesystem associate;
+ allow cpu_device_t tmp_t:filesystem associate;
+ typeattribute crypt_device_t device_node;
+ allow crypt_device_t fs_t:filesystem associate;
+ allow crypt_device_t tmpfs_t:filesystem associate;
+ allow crypt_device_t tmp_t:filesystem associate;
+ typeattribute dri_device_t device_node;
+ allow dri_device_t fs_t:filesystem associate;
+ allow dri_device_t tmpfs_t:filesystem associate;
+ allow dri_device_t tmp_t:filesystem associate;
+ typeattribute event_device_t device_node;
+ allow event_device_t fs_t:filesystem associate;
+ allow event_device_t tmpfs_t:filesystem associate;
+ allow event_device_t tmp_t:filesystem associate;
+ typeattribute framebuf_device_t device_node;
+ allow framebuf_device_t fs_t:filesystem associate;
+ allow framebuf_device_t tmpfs_t:filesystem associate;
+ allow framebuf_device_t tmp_t:filesystem associate;
+ typeattribute lvm_control_t device_node;
+ allow lvm_control_t fs_t:filesystem associate;
+ allow lvm_control_t tmpfs_t:filesystem associate;
+ allow lvm_control_t tmp_t:filesystem associate;
+ typeattribute memory_device_t device_node;
+ allow memory_device_t fs_t:filesystem associate;
+ allow memory_device_t tmpfs_t:filesystem associate;
+ allow memory_device_t tmp_t:filesystem associate;
+neverallow ~memory_raw_read memory_device_t:{ chr_file blk_file } read;
+neverallow ~memory_raw_write memory_device_t:{ chr_file blk_file } { append write };
+ typeattribute misc_device_t device_node;
+ allow misc_device_t fs_t:filesystem associate;
+ allow misc_device_t tmpfs_t:filesystem associate;
+ allow misc_device_t tmp_t:filesystem associate;
+ typeattribute mouse_device_t device_node;
+ allow mouse_device_t fs_t:filesystem associate;
+ allow mouse_device_t tmpfs_t:filesystem associate;
+ allow mouse_device_t tmp_t:filesystem associate;
+ typeattribute mtrr_device_t device_node;
+ allow mtrr_device_t fs_t:filesystem associate;
+ allow mtrr_device_t tmpfs_t:filesystem associate;
+ allow mtrr_device_t tmp_t:filesystem associate;
+ typeattribute null_device_t device_node;
+ allow null_device_t fs_t:filesystem associate;
+ allow null_device_t tmpfs_t:filesystem associate;
+ allow null_device_t tmp_t:filesystem associate;
+ typeattribute null_device_t mlstrustedobject;
+ typeattribute power_device_t device_node;
+ allow power_device_t fs_t:filesystem associate;
+ allow power_device_t tmpfs_t:filesystem associate;
+ allow power_device_t tmp_t:filesystem associate;
+ typeattribute printer_device_t device_node;
+ allow printer_device_t fs_t:filesystem associate;
+ allow printer_device_t tmpfs_t:filesystem associate;
+ allow printer_device_t tmp_t:filesystem associate;
+ typeattribute random_device_t device_node;
+ allow random_device_t fs_t:filesystem associate;
+ allow random_device_t tmpfs_t:filesystem associate;
+ allow random_device_t tmp_t:filesystem associate;
+ typeattribute scanner_device_t device_node;
+ allow scanner_device_t fs_t:filesystem associate;
+ allow scanner_device_t tmpfs_t:filesystem associate;
+ allow scanner_device_t tmp_t:filesystem associate;
+ typeattribute sound_device_t device_node;
+ allow sound_device_t fs_t:filesystem associate;
+ allow sound_device_t tmpfs_t:filesystem associate;
+ allow sound_device_t tmp_t:filesystem associate;
+ allow sysfs_t fs_t:filesystem associate;
+ allow sysfs_t noxattrfs:filesystem associate;
+ typeattribute sysfs_t file_type;
+ typeattribute sysfs_t mountpoint;
+ typeattribute sysfs_t filesystem_type;
+ allow sysfs_t self:filesystem associate;
+ typeattribute urandom_device_t device_node;
+ allow urandom_device_t fs_t:filesystem associate;
+ allow urandom_device_t tmpfs_t:filesystem associate;
+ allow urandom_device_t tmp_t:filesystem associate;
+ allow usbfs_t fs_t:filesystem associate;
+ allow usbfs_t noxattrfs:filesystem associate;
+ typeattribute usbfs_t file_type;
+ typeattribute usbfs_t mountpoint;
+ typeattribute usbfs_t filesystem_type;
+ allow usbfs_t self:filesystem associate;
+ typeattribute usbfs_t noxattrfs;
+ typeattribute usb_device_t device_node;
+ allow usb_device_t fs_t:filesystem associate;
+ allow usb_device_t tmpfs_t:filesystem associate;
+ allow usb_device_t tmp_t:filesystem associate;
+ typeattribute v4l_device_t device_node;
+ allow v4l_device_t fs_t:filesystem associate;
+ allow v4l_device_t tmpfs_t:filesystem associate;
+ allow v4l_device_t tmp_t:filesystem associate;
+ typeattribute xserver_misc_device_t device_node;
+ allow xserver_misc_device_t fs_t:filesystem associate;
+ allow xserver_misc_device_t tmpfs_t:filesystem associate;
+ allow xserver_misc_device_t tmp_t:filesystem associate;
+ typeattribute zero_device_t device_node;
+ allow zero_device_t fs_t:filesystem associate;
+ allow zero_device_t tmpfs_t:filesystem associate;
+ allow zero_device_t tmp_t:filesystem associate;
+ typeattribute zero_device_t mlstrustedobject;
+ allow xconsole_device_t fs_t:filesystem associate;
+ allow xconsole_device_t noxattrfs:filesystem associate;
+ typeattribute xconsole_device_t file_type;
+ allow xconsole_device_t tmpfs_t:filesystem associate;
+ allow xconsole_device_t tmp_t:filesystem associate;
+ typeattribute devfs_control_t device_node;
+ allow devfs_control_t fs_t:filesystem associate;
+ allow devfs_control_t tmpfs_t:filesystem associate;
+ allow devfs_control_t tmp_t:filesystem associate;
+neverallow domain ~domain:process { transition dyntransition };
+neverallow { domain -set_curr_context } self:process setcurrent;
+neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
+neverallow ~{ domain unlabeled_t } *:process *;
+allow file_type self:filesystem associate;
+ allow boot_t fs_t:filesystem associate;
+ allow boot_t noxattrfs:filesystem associate;
+ typeattribute boot_t file_type;
+ allow boot_t fs_t:filesystem associate;
+ allow boot_t noxattrfs:filesystem associate;
+ typeattribute boot_t file_type;
+ typeattribute boot_t mountpoint;
+ allow default_t fs_t:filesystem associate;
+ allow default_t noxattrfs:filesystem associate;
+ allow etc_t fs_t:filesystem associate;
+ allow etc_t noxattrfs:filesystem associate;
+ allow etc_runtime_t fs_t:filesystem associate;
+ allow etc_runtime_t noxattrfs:filesystem associate;
+ allow file_t fs_t:filesystem associate;
+ allow file_t noxattrfs:filesystem associate;
+ allow kernel_t file_t:dir mounton;
+ allow home_root_t fs_t:filesystem associate;
+ allow home_root_t noxattrfs:filesystem associate;
+ allow home_root_t fs_t:filesystem associate;
+ allow home_root_t noxattrfs:filesystem associate;
+ typeattribute home_root_t file_type;
+ typeattribute home_root_t polyparent;
+ allow lost_found_t fs_t:filesystem associate;
+ allow lost_found_t noxattrfs:filesystem associate;
+ allow mnt_t fs_t:filesystem associate;
+ allow mnt_t noxattrfs:filesystem associate;
+ allow modules_object_t fs_t:filesystem associate;
+ allow modules_object_t noxattrfs:filesystem associate;
+ typeattribute modules_object_t file_type;
+ allow no_access_t fs_t:filesystem associate;
+ allow no_access_t noxattrfs:filesystem associate;
+ allow poly_t fs_t:filesystem associate;
+ allow poly_t noxattrfs:filesystem associate;
+ allow readable_t fs_t:filesystem associate;
+ allow readable_t noxattrfs:filesystem associate;
+ allow root_t fs_t:filesystem associate;
+ allow root_t noxattrfs:filesystem associate;
+ allow root_t fs_t:filesystem associate;
+ allow root_t noxattrfs:filesystem associate;
+ typeattribute root_t file_type;
+ typeattribute root_t polyparent;
+ allow kernel_t root_t:dir mounton;
+ allow src_t fs_t:filesystem associate;
+ allow src_t noxattrfs:filesystem associate;
+ allow system_map_t fs_t:filesystem associate;
+ allow system_map_t noxattrfs:filesystem associate;
+ typeattribute system_map_t file_type;
+ allow tmp_t fs_t:filesystem associate;
+ allow tmp_t noxattrfs:filesystem associate;
+ typeattribute tmp_t file_type;
+ allow tmp_t fs_t:filesystem associate;
+ allow tmp_t noxattrfs:filesystem associate;
+ typeattribute tmp_t file_type;
+ typeattribute tmp_t polymember;
+ allow tmp_t tmpfs_t:filesystem associate;
+ typeattribute tmp_t tmpfile;
+ allow tmp_t tmp_t:filesystem associate;
+ allow tmp_t fs_t:filesystem associate;
+ allow tmp_t noxattrfs:filesystem associate;
+ typeattribute tmp_t file_type;
+ typeattribute tmp_t polyparent;
+ allow usr_t fs_t:filesystem associate;
+ allow usr_t noxattrfs:filesystem associate;
+ allow var_t fs_t:filesystem associate;
+ allow var_t noxattrfs:filesystem associate;
+ allow var_lib_t fs_t:filesystem associate;
+ allow var_lib_t noxattrfs:filesystem associate;
+ allow var_lock_t fs_t:filesystem associate;
+ allow var_lock_t noxattrfs:filesystem associate;
+ allow var_run_t fs_t:filesystem associate;
+ allow var_run_t noxattrfs:filesystem associate;
+ allow var_spool_t fs_t:filesystem associate;
+ allow var_spool_t noxattrfs:filesystem associate;
+ typeattribute var_spool_t file_type;
+ allow var_spool_t fs_t:filesystem associate;
+ allow var_spool_t noxattrfs:filesystem associate;
+ typeattribute var_spool_t file_type;
+ typeattribute var_spool_t polymember;
+ allow var_spool_t tmpfs_t:filesystem associate;
+ typeattribute var_spool_t tmpfile;
+ allow var_spool_t tmp_t:filesystem associate;
+ typeattribute fs_t filesystem_type;
+ allow fs_t self:filesystem associate;
+ typeattribute bdev_t filesystem_type;
+ allow bdev_t self:filesystem associate;
+ typeattribute binfmt_misc_fs_t filesystem_type;
+ allow binfmt_misc_fs_t self:filesystem associate;
+ allow binfmt_misc_fs_t fs_t:filesystem associate;
+ allow binfmt_misc_fs_t noxattrfs:filesystem associate;
+ typeattribute binfmt_misc_fs_t file_type;
+ typeattribute binfmt_misc_fs_t mountpoint;
+ typeattribute capifs_t filesystem_type;
+ allow capifs_t self:filesystem associate;
+ typeattribute configfs_t filesystem_type;
+ allow configfs_t self:filesystem associate;
+ typeattribute eventpollfs_t filesystem_type;
+ allow eventpollfs_t self:filesystem associate;
+ typeattribute futexfs_t filesystem_type;
+ allow futexfs_t self:filesystem associate;
+ typeattribute hugetlbfs_t filesystem_type;
+ allow hugetlbfs_t self:filesystem associate;
+ allow hugetlbfs_t fs_t:filesystem associate;
+ allow hugetlbfs_t noxattrfs:filesystem associate;
+ typeattribute hugetlbfs_t file_type;
+ typeattribute hugetlbfs_t mountpoint;
+ typeattribute inotifyfs_t filesystem_type;
+ allow inotifyfs_t self:filesystem associate;
+ typeattribute nfsd_fs_t filesystem_type;
+ allow nfsd_fs_t self:filesystem associate;
+ typeattribute ramfs_t filesystem_type;
+ allow ramfs_t self:filesystem associate;
+ typeattribute romfs_t filesystem_type;
+ allow romfs_t self:filesystem associate;
+ typeattribute rpc_pipefs_t filesystem_type;
+ allow rpc_pipefs_t self:filesystem associate;
+ typeattribute tmpfs_t filesystem_type;
+ allow tmpfs_t self:filesystem associate;
+ allow tmpfs_t fs_t:filesystem associate;
+ allow tmpfs_t noxattrfs:filesystem associate;
+ typeattribute tmpfs_t file_type;
+ allow tmpfs_t fs_t:filesystem associate;
+ allow tmpfs_t noxattrfs:filesystem associate;
+ typeattribute tmpfs_t file_type;
+ typeattribute tmpfs_t mountpoint;
+allow tmpfs_t noxattrfs:filesystem associate;
+ typeattribute autofs_t filesystem_type;
+ allow autofs_t self:filesystem associate;
+ allow autofs_t fs_t:filesystem associate;
+ allow autofs_t noxattrfs:filesystem associate;
+ typeattribute autofs_t file_type;
+ typeattribute autofs_t mountpoint;
+ typeattribute cifs_t filesystem_type;
+ allow cifs_t self:filesystem associate;
+ typeattribute dosfs_t filesystem_type;
+ allow dosfs_t self:filesystem associate;
+allow dosfs_t fs_t:filesystem associate;
+ typeattribute iso9660_t filesystem_type;
+ allow iso9660_t self:filesystem associate;
+allow removable_t noxattrfs:filesystem associate;
+ typeattribute removable_t filesystem_type;
+ allow removable_t self:filesystem associate;
+ allow removable_t fs_t:filesystem associate;
+ allow removable_t noxattrfs:filesystem associate;
+ typeattribute removable_t file_type;
+ typeattribute removable_t usercanread;
+ typeattribute nfs_t filesystem_type;
+ allow nfs_t self:filesystem associate;
+ allow nfs_t fs_t:filesystem associate;
+ allow nfs_t noxattrfs:filesystem associate;
+ typeattribute nfs_t file_type;
+ typeattribute nfs_t mountpoint;
+neverallow ~can_load_kernmodule self:capability sys_module;
+role system_r;
+role sysadm_r;
+role staff_r;
+role user_r;
+ typeattribute kernel_t domain;
+ allow kernel_t self:dir { read getattr lock search ioctl };
+ allow kernel_t self:lnk_file { read getattr lock ioctl };
+ allow kernel_t self:file { getattr read write append ioctl lock };
+ allow kernel_t self:process { fork sigchld };
+ role secadm_r types kernel_t;
+ role sysadm_r types kernel_t;
+ role user_r types kernel_t;
+ role staff_r types kernel_t;
+ typeattribute kernel_t privrangetrans;
+role system_r types kernel_t;
+ typeattribute debugfs_t filesystem_type;
+ allow debugfs_t self:filesystem associate;
+allow debugfs_t self:filesystem associate;
+ allow proc_t fs_t:filesystem associate;
+ allow proc_t noxattrfs:filesystem associate;
+ typeattribute proc_t file_type;
+ typeattribute proc_t mountpoint;
+ typeattribute proc_t filesystem_type;
+ allow proc_t self:filesystem associate;
+neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
+neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr;
+ allow sysctl_t fs_t:filesystem associate;
+ allow sysctl_t noxattrfs:filesystem associate;
+ typeattribute sysctl_t file_type;
+ typeattribute sysctl_t mountpoint;
+ allow sysctl_fs_t fs_t:filesystem associate;
+ allow sysctl_fs_t noxattrfs:filesystem associate;
+ typeattribute sysctl_fs_t file_type;
+ typeattribute sysctl_fs_t mountpoint;
+allow kernel_t self:capability *;
+allow kernel_t unlabeled_t:dir mounton;
+allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow kernel_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+allow kernel_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow kernel_t self:msg { send receive };
+allow kernel_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow kernel_t self:unix_dgram_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow kernel_t self:unix_stream_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } listen accept };
+allow kernel_t self:unix_dgram_socket sendto;
+allow kernel_t self:unix_stream_socket connectto;
+allow kernel_t self:fifo_file { getattr read write append ioctl lock };
+allow kernel_t self:sock_file { read getattr lock ioctl };
+allow kernel_t self:fd use;
+allow kernel_t proc_t:dir { read getattr lock search ioctl };
+allow kernel_t proc_t:{ lnk_file file } { read getattr lock ioctl };
+allow kernel_t proc_net_t:dir { read getattr lock search ioctl };
+allow kernel_t proc_net_t:file { read getattr lock ioctl };
+allow kernel_t proc_mdstat_t:file { read getattr lock ioctl };
+allow kernel_t proc_kcore_t:file getattr;
+allow kernel_t proc_kmsg_t:file getattr;
+allow kernel_t sysctl_t:dir { read getattr lock search ioctl };
+allow kernel_t sysctl_kernel_t:dir { read getattr lock search ioctl };
+allow kernel_t sysctl_kernel_t:file { read getattr lock ioctl };
+allow kernel_t unlabeled_t:fifo_file { getattr read write append ioctl lock };
+ allow kernel_t unlabeled_t:association { sendto recvfrom };
+ allow kernel_t netif_type:netif rawip_send;
+ allow kernel_t netif_type:netif rawip_recv;
+ allow kernel_t node_type:node rawip_send;
+ allow kernel_t node_type:node rawip_recv;
+ allow kernel_t netif_t:netif rawip_send;
+ allow kernel_t netif_type:netif { tcp_send tcp_recv };
+ allow kernel_t node_type:node { tcp_send tcp_recv };
+ allow kernel_t node_t:node rawip_send;
+ allow kernel_t multicast_node_t:node rawip_send;
+ allow kernel_t sysfs_t:dir { read getattr lock search ioctl };
+ allow kernel_t sysfs_t:{ file lnk_file } { read getattr lock ioctl };
+ allow kernel_t usbfs_t:dir search;
+ allow kernel_t filesystem_type:filesystem mount;
+ allow kernel_t security_t:dir { read search getattr };
+ allow kernel_t security_t:file { getattr read write };
+ typeattribute kernel_t can_load_policy;
+ if(!secure_mode_policyload) {
+ allow kernel_t security_t:security load_policy;
+ auditallow kernel_t security_t:security load_policy;
+ }
+ allow kernel_t device_t:dir { read getattr lock search ioctl };
+ allow kernel_t device_t:lnk_file { getattr read };
+ allow kernel_t console_device_t:chr_file { getattr read write append ioctl lock };
+ allow kernel_t bin_t:dir { read getattr lock search ioctl };
+ allow kernel_t bin_t:lnk_file { read getattr lock ioctl };
+ allow kernel_t shell_exec_t:file { { read getattr lock execute ioctl } execute_no_trans };
+ allow kernel_t sbin_t:dir { read getattr lock search ioctl };
+ allow kernel_t bin_t:dir { read getattr lock search ioctl };
+ allow kernel_t bin_t:lnk_file { read getattr lock ioctl };
+ allow kernel_t bin_t:file { { read getattr lock execute ioctl } execute_no_trans };
+ allow kernel_t domain:process signal;
+ allow kernel_t proc_t:dir search;
+ allow kernel_t domain:dir search;
+ allow kernel_t root_t:dir { read getattr lock search ioctl };
+ allow kernel_t root_t:lnk_file { read getattr lock ioctl };
+ allow kernel_t etc_t:dir { read getattr lock search ioctl };
+ allow kernel_t home_root_t:dir { read getattr lock search ioctl };
+ allow kernel_t usr_t:dir { read getattr lock search ioctl };
+ allow kernel_t usr_t:{ file lnk_file } { read getattr lock ioctl };
+ typeattribute kernel_t mlsprocread;
+ typeattribute kernel_t mlsprocwrite;
+ allow kernel_t self:capability *;
+ allow kernel_t self:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow kernel_t self:process transition;
+ allow kernel_t self:file { getattr read write append ioctl lock };
+ allow kernel_t self:nscd *;
+ allow kernel_t self:dbus *;
+ allow kernel_t self:passwd *;
+ allow kernel_t proc_type:{ dir file } *;
+ allow kernel_t sysctl_t:{ dir file } *;
+ allow kernel_t kernel_t:system *;
+ allow kernel_t unlabeled_t:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
+ allow kernel_t unlabeled_t:filesystem *;
+ allow kernel_t unlabeled_t:association *;
+ typeattribute kernel_t can_load_kernmodule, can_receive_kernel_messages;
+ typeattribute kernel_t kern_unconfined;
+ allow kernel_t { proc_t proc_net_t }:dir search;
+ allow kernel_t sysctl_type:dir { read getattr lock search ioctl };
+ allow kernel_t sysctl_type:file { { getattr read write append ioctl lock } setattr };
+ allow kernel_t node_type:node *;
+ allow kernel_t netif_type:netif *;
+ allow kernel_t port_type:tcp_socket { send_msg recv_msg name_connect };
+ allow kernel_t port_type:udp_socket { send_msg recv_msg };
+ allow kernel_t port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
+ allow kernel_t node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+ allow kernel_t unlabeled_t:association { sendto recvfrom };
+ allow kernel_t device_node:{ chr_file blk_file } *;
+ allow kernel_t mtrr_device_t:{ dir file } *;
+ allow kernel_t self:capability sys_rawio;
+ typeattribute kernel_t memory_raw_write, memory_raw_read;
+ typeattribute kernel_t unconfined_domain_type;
+ typeattribute kernel_t can_change_process_identity;
+ typeattribute kernel_t can_change_process_role;
+ typeattribute kernel_t can_change_object_identity;
+ typeattribute kernel_t set_curr_context;
+ allow kernel_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } socket key_socket } *;
+ allow kernel_t domain:fd use;
+ allow kernel_t domain:fifo_file { getattr read write append ioctl lock };
+ allow kernel_t domain:process ~{ transition dyntransition execmem execstack execheap };
+ allow kernel_t domain:{ sem msgq shm } *;
+ allow kernel_t domain:msg { send receive };
+ allow kernel_t domain:dir { read getattr lock search ioctl };
+ allow kernel_t domain:file { read getattr lock ioctl };
+ allow kernel_t domain:lnk_file { read getattr lock ioctl };
+ dontaudit kernel_t domain:dir { read getattr lock search ioctl };
+ dontaudit kernel_t domain:lnk_file { read getattr lock ioctl };
+ dontaudit kernel_t domain:file { read getattr lock ioctl };
+ dontaudit kernel_t domain:sock_file { read getattr lock ioctl };
+ dontaudit kernel_t domain:fifo_file { read getattr lock ioctl };
+ allow kernel_t file_type:{ file chr_file } ~execmod;
+ allow kernel_t file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+ allow kernel_t file_type:filesystem *;
+ allow kernel_t file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+ if (allow_execmod) {
+ allow kernel_t file_type:file execmod;
+ }
+ allow kernel_t filesystem_type:filesystem *;
+ allow kernel_t filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
+ allow kernel_t security_t:dir { getattr search read };
+ allow kernel_t security_t:file { getattr read write };
+ typeattribute kernel_t can_load_policy, can_setenforce, can_setsecparam;
+ if(!secure_mode_policyload) {
+ allow kernel_t security_t:security *;
+ auditallow kernel_t security_t:security { load_policy setenforce setbool };
+ }
+ if (allow_execheap) {
+ allow kernel_t self:process execheap;
+ }
+ if (allow_execmem) {
+ allow kernel_t self:process execmem;
+ }
+ if (allow_execmem && allow_execstack) {
+ allow kernel_t self:process execstack;
+ auditallow kernel_t self:process execstack;
+ } else {
+ }
+ if (allow_execheap) {
+ auditallow kernel_t self:process execheap;
+ }
+ if (allow_execmem) {
+ auditallow kernel_t self:process execmem;
+ }
+ if (read_default_t) {
+ allow kernel_t default_t:dir { read getattr lock search ioctl };
+ allow kernel_t default_t:file { read getattr lock ioctl };
+ allow kernel_t default_t:lnk_file { read getattr lock ioctl };
+ allow kernel_t default_t:sock_file { read getattr lock ioctl };
+ allow kernel_t default_t:fifo_file { read getattr lock ioctl };
+ }
+ allow unlabeled_t self:filesystem associate;
+range_transition getty_t login_exec_t s0 - s0:c0.c255;
+range_transition init_t xdm_exec_t s0 - s0:c0.c255;
+range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
+range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
+range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
+range_transition unconfined_t initrc_exec_t s0;
+ typeattribute security_t filesystem_type;
+ allow security_t self:filesystem associate;
+ typeattribute security_t mlstrustedobject;
+neverallow ~can_load_policy security_t:security load_policy;
+neverallow ~can_setenforce security_t:security setenforce;
+neverallow ~can_setsecparam security_t:security setsecparam;
+ typeattribute bsdpty_device_t device_node;
+ allow bsdpty_device_t fs_t:filesystem associate;
+ allow bsdpty_device_t tmpfs_t:filesystem associate;
+ allow bsdpty_device_t tmp_t:filesystem associate;
+ typeattribute console_device_t device_node;
+ allow console_device_t fs_t:filesystem associate;
+ allow console_device_t tmpfs_t:filesystem associate;
+ allow console_device_t tmp_t:filesystem associate;
+ allow devpts_t fs_t:filesystem associate;
+ allow devpts_t noxattrfs:filesystem associate;
+ typeattribute devpts_t file_type;
+ typeattribute devpts_t mountpoint;
+ allow devpts_t tmpfs_t:filesystem associate;
+ allow devpts_t tmp_t:filesystem associate;
+ typeattribute devpts_t filesystem_type;
+ allow devpts_t self:filesystem associate;
+ typeattribute devpts_t ttynode, ptynode;
+ typeattribute devtty_t device_node;
+ allow devtty_t fs_t:filesystem associate;
+ allow devtty_t tmpfs_t:filesystem associate;
+ allow devtty_t tmp_t:filesystem associate;
+ typeattribute devtty_t mlstrustedobject;
+ typeattribute ptmx_t device_node;
+ allow ptmx_t fs_t:filesystem associate;
+ allow ptmx_t tmpfs_t:filesystem associate;
+ allow ptmx_t tmp_t:filesystem associate;
+ typeattribute ptmx_t mlstrustedobject;
+ typeattribute tty_device_t device_node;
+ allow tty_device_t fs_t:filesystem associate;
+ allow tty_device_t tmpfs_t:filesystem associate;
+ allow tty_device_t tmp_t:filesystem associate;
+ typeattribute tty_device_t ttynode;
+ typeattribute usbtty_device_t device_node;
+ allow usbtty_device_t fs_t:filesystem associate;
+ allow usbtty_device_t tmpfs_t:filesystem associate;
+ allow usbtty_device_t tmp_t:filesystem associate;
+user system_u roles { system_r } level s0 range s0 - s0:c0.c255;
+user user_u roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255;
+ user root roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255;
+constrain process transition
+ ( u1 == u2
+ or t1 == can_change_process_identity
+);
+constrain process transition
+ ( r1 == r2
+ or t1 == can_change_process_role
+);
+constrain process dyntransition
+ ( u1 == u2 and r1 == r2 );
+constrain { dir file lnk_file sock_file fifo_file chr_file blk_file } { create relabelto relabelfrom }
+ ( u1 == u2 or t1 == can_change_object_identity );
+constrain { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } { create relabelto relabelfrom }
+ ( u1 == u2 or t1 == can_change_object_identity );
+sid port system_u:object_r:port_t:s0
+sid node system_u:object_r:node_t:s0
+sid netif system_u:object_r:netif_t:s0
+sid devnull system_u:object_r:null_device_t:s0
+sid file system_u:object_r:file_t:s0
+sid fs system_u:object_r:fs_t:s0
+sid kernel system_u:system_r:kernel_t:s0
+sid sysctl system_u:object_r:sysctl_t:s0
+sid unlabeled system_u:object_r:unlabeled_t:s0
+sid any_socket system_u:object_r:unlabeled_t:s0
+sid file_labels system_u:object_r:unlabeled_t:s0
+sid icmp_socket system_u:object_r:unlabeled_t:s0
+sid igmp_packet system_u:object_r:unlabeled_t:s0
+sid init system_u:object_r:unlabeled_t:s0
+sid kmod system_u:object_r:unlabeled_t:s0
+sid netmsg system_u:object_r:unlabeled_t:s0
+sid policy system_u:object_r:unlabeled_t:s0
+sid scmp_packet system_u:object_r:unlabeled_t:s0
+sid sysctl_modprobe system_u:object_r:unlabeled_t:s0
+sid sysctl_fs system_u:object_r:unlabeled_t:s0
+sid sysctl_kernel system_u:object_r:unlabeled_t:s0
+sid sysctl_net system_u:object_r:unlabeled_t:s0
+sid sysctl_net_unix system_u:object_r:unlabeled_t:s0
+sid sysctl_vm system_u:object_r:unlabeled_t:s0
+sid sysctl_dev system_u:object_r:unlabeled_t:s0
+sid tcp_socket system_u:object_r:unlabeled_t:s0
+sid security system_u:object_r:security_t:s0
+fs_use_xattr ext2 system_u:object_r:fs_t:s0;
+fs_use_xattr ext3 system_u:object_r:fs_t:s0;
+fs_use_xattr gfs system_u:object_r:fs_t:s0;
+fs_use_xattr jfs system_u:object_r:fs_t:s0;
+fs_use_xattr reiserfs system_u:object_r:fs_t:s0;
+fs_use_xattr xfs system_u:object_r:fs_t:s0;
+fs_use_task pipefs system_u:object_r:fs_t:s0;
+fs_use_task sockfs system_u:object_r:fs_t:s0;
+fs_use_trans mqueue system_u:object_r:tmpfs_t:s0;
+fs_use_trans shm system_u:object_r:tmpfs_t:s0;
+fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
+fs_use_trans devpts system_u:object_r:devpts_t:s0;
+genfscon proc /mtrr system_u:object_r:mtrr_device_t:s0
+genfscon sysfs / system_u:object_r:sysfs_t:s0
+genfscon usbfs / system_u:object_r:usbfs_t:s0
+genfscon usbdevfs / system_u:object_r:usbfs_t:s0
+genfscon rootfs / system_u:object_r:root_t:s0
+genfscon bdev / system_u:object_r:bdev_t:s0
+genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0
+genfscon capifs / system_u:object_r:capifs_t:s0
+genfscon configfs / system_u:object_r:configfs_t:s0
+genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0
+genfscon futexfs / system_u:object_r:futexfs_t:s0
+genfscon hugetlbfs / system_u:object_r:hugetlbfs_t:s0
+genfscon inotifyfs / system_u:object_r:inotifyfs_t:s0
+genfscon nfsd / system_u:object_r:nfsd_fs_t:s0
+genfscon ramfs / system_u:object_r:ramfs_t:s0
+genfscon romfs / system_u:object_r:romfs_t:s0
+genfscon cramfs / system_u:object_r:romfs_t:s0
+genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0
+genfscon autofs / system_u:object_r:autofs_t:s0
+genfscon automount / system_u:object_r:autofs_t:s0
+genfscon cifs / system_u:object_r:cifs_t:s0
+genfscon smbfs / system_u:object_r:cifs_t:s0
+genfscon fat / system_u:object_r:dosfs_t:s0
+genfscon msdos / system_u:object_r:dosfs_t:s0
+genfscon ntfs / system_u:object_r:dosfs_t:s0
+genfscon vfat / system_u:object_r:dosfs_t:s0
+genfscon iso9660 / system_u:object_r:iso9660_t:s0
+genfscon udf / system_u:object_r:iso9660_t:s0
+genfscon nfs / system_u:object_r:nfs_t:s0
+genfscon nfs4 / system_u:object_r:nfs_t:s0
+genfscon afs / system_u:object_r:nfs_t:s0
+genfscon hfsplus / system_u:object_r:nfs_t:s0
+genfscon debugfs / system_u:object_r:debugfs_t:s0
+genfscon proc / system_u:object_r:proc_t:s0
+genfscon proc /sysvipc system_u:object_r:proc_t:s0
+genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s0
+genfscon proc /kcore system_u:object_r:proc_kcore_t:s0
+genfscon proc /mdstat system_u:object_r:proc_mdstat_t:s0
+genfscon proc /net system_u:object_r:proc_net_t:s0
+genfscon proc /xen system_u:object_r:proc_xen_t:s0
+genfscon proc /sys system_u:object_r:sysctl_t:s0
+genfscon proc /irq system_u:object_r:sysctl_irq_t:s0
+genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t:s0
+genfscon proc /sys/fs system_u:object_r:sysctl_fs_t:s0
+genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t:s0
+genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t:s0
+genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t:s0
+genfscon proc /sys/net system_u:object_r:sysctl_net_t:s0
+genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t:s0
+genfscon proc /sys/vm system_u:object_r:sysctl_vm_t:s0
+genfscon proc /sys/dev system_u:object_r:sysctl_dev_t:s0
+genfscon selinuxfs / system_u:object_r:security_t:s0
+portcon udp 7007 system_u:object_r:afs_bos_port_t:s0
+portcon tcp 2040 system_u:object_r:afs_fs_port_t:s0
+portcon udp 7000 system_u:object_r:afs_fs_port_t:s0
+portcon udp 7005 system_u:object_r:afs_fs_port_t:s0
+portcon udp 7004 system_u:object_r:afs_ka_port_t:s0
+portcon udp 7002 system_u:object_r:afs_pt_port_t:s0
+portcon udp 7003 system_u:object_r:afs_vl_port_t:s0
+portcon udp 10080 system_u:object_r:amanda_port_t:s0
+portcon tcp 10080 system_u:object_r:amanda_port_t:s0
+portcon udp 10081 system_u:object_r:amanda_port_t:s0
+portcon tcp 10081 system_u:object_r:amanda_port_t:s0
+portcon tcp 10082 system_u:object_r:amanda_port_t:s0
+portcon tcp 10083 system_u:object_r:amanda_port_t:s0
+portcon tcp 10024 system_u:object_r:amavisd_recv_port_t:s0
+portcon tcp 10025 system_u:object_r:amavisd_send_port_t:s0
+portcon tcp 1720 system_u:object_r:asterisk_port_t:s0
+portcon udp 2427 system_u:object_r:asterisk_port_t:s0
+portcon udp 2727 system_u:object_r:asterisk_port_t:s0
+portcon udp 4569 system_u:object_r:asterisk_port_t:s0
+portcon udp 5060 system_u:object_r:asterisk_port_t:s0
+portcon tcp 113 system_u:object_r:auth_port_t:s0
+portcon tcp 179 system_u:object_r:bgp_port_t:s0
+portcon udp 179 system_u:object_r:bgp_port_t:s0
+portcon tcp 3310 system_u:object_r:clamd_port_t:s0
+portcon udp 4041 system_u:object_r:clockspeed_port_t:s0
+portcon udp 512 system_u:object_r:comsat_port_t:s0
+portcon tcp 2401 system_u:object_r:cvs_port_t:s0
+portcon udp 2401 system_u:object_r:cvs_port_t:s0
+portcon udp 6276 system_u:object_r:dcc_port_t:s0
+portcon udp 6277 system_u:object_r:dcc_port_t:s0
+portcon tcp 1178 system_u:object_r:dbskkd_port_t:s0
+portcon udp 68 system_u:object_r:dhcpc_port_t:s0
+portcon udp 67 system_u:object_r:dhcpd_port_t:s0
+portcon tcp 647 system_u:object_r:dhcpd_port_t:s0
+portcon udp 647 system_u:object_r:dhcpd_port_t:s0
+portcon tcp 847 system_u:object_r:dhcpd_port_t:s0
+portcon udp 847 system_u:object_r:dhcpd_port_t:s0
+portcon tcp 2628 system_u:object_r:dict_port_t:s0
+portcon tcp 3632 system_u:object_r:distccd_port_t:s0
+portcon udp 53 system_u:object_r:dns_port_t:s0
+portcon tcp 53 system_u:object_r:dns_port_t:s0
+portcon tcp 79 system_u:object_r:fingerd_port_t:s0
+portcon tcp 20 system_u:object_r:ftp_data_port_t:s0
+portcon tcp 21 system_u:object_r:ftp_port_t:s0
+portcon udp 1718 system_u:object_r:gatekeeper_port_t:s0
+portcon udp 1719 system_u:object_r:gatekeeper_port_t:s0
+portcon tcp 1721 system_u:object_r:gatekeeper_port_t:s0
+portcon tcp 7000 system_u:object_r:gatekeeper_port_t:s0
+portcon tcp 1213 system_u:object_r:giftd_port_t:s0
+portcon tcp 70 system_u:object_r:gopher_port_t:s0
+portcon udp 70 system_u:object_r:gopher_port_t:s0
+portcon tcp 3128 system_u:object_r:http_cache_port_t:s0
+portcon udp 3130 system_u:object_r:http_cache_port_t:s0
+portcon tcp 8080 system_u:object_r:http_cache_port_t:s0
+portcon tcp 8118 system_u:object_r:http_cache_port_t:s0
+portcon tcp 80 system_u:object_r:http_port_t:s0
+portcon tcp 443 system_u:object_r:http_port_t:s0
+portcon tcp 488 system_u:object_r:http_port_t:s0
+portcon tcp 8008 system_u:object_r:http_port_t:s0
+portcon tcp 9050 system_u:object_r:http_port_t:s0
+portcon tcp 5335 system_u:object_r:howl_port_t:s0
+portcon udp 5353 system_u:object_r:howl_port_t:s0
+portcon tcp 50000 system_u:object_r:hplip_port_t:s0
+portcon tcp 50002 system_u:object_r:hplip_port_t:s0
+portcon tcp 9010 system_u:object_r:i18n_input_port_t:s0
+portcon tcp 5323 system_u:object_r:imaze_port_t:s0
+portcon udp 5323 system_u:object_r:imaze_port_t:s0
+portcon tcp 7 system_u:object_r:inetd_child_port_t:s0
+portcon udp 7 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 9 system_u:object_r:inetd_child_port_t:s0
+portcon udp 9 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 13 system_u:object_r:inetd_child_port_t:s0
+portcon udp 13 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 19 system_u:object_r:inetd_child_port_t:s0
+portcon udp 19 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 37 system_u:object_r:inetd_child_port_t:s0
+portcon udp 37 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 512 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 543 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 544 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 891 system_u:object_r:inetd_child_port_t:s0
+portcon udp 891 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 892 system_u:object_r:inetd_child_port_t:s0
+portcon udp 892 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 2105 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 5666 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 119 system_u:object_r:innd_port_t:s0
+portcon tcp 631 system_u:object_r:ipp_port_t:s0
+portcon udp 631 system_u:object_r:ipp_port_t:s0
+portcon tcp 6667 system_u:object_r:ircd_port_t:s0
+portcon udp 500 system_u:object_r:isakmp_port_t:s0
+portcon tcp 5222 system_u:object_r:jabber_client_port_t:s0
+portcon tcp 5223 system_u:object_r:jabber_client_port_t:s0
+portcon tcp 5269 system_u:object_r:jabber_interserver_port_t:s0
+portcon tcp 464 system_u:object_r:kerberos_admin_port_t:s0
+portcon udp 464 system_u:object_r:kerberos_admin_port_t:s0
+portcon tcp 749 system_u:object_r:kerberos_admin_port_t:s0
+portcon tcp 4444 system_u:object_r:kerberos_master_port_t:s0
+portcon udp 4444 system_u:object_r:kerberos_master_port_t:s0
+portcon tcp 88 system_u:object_r:kerberos_port_t:s0
+portcon udp 88 system_u:object_r:kerberos_port_t:s0
+portcon tcp 750 system_u:object_r:kerberos_port_t:s0
+portcon udp 750 system_u:object_r:kerberos_port_t:s0
+portcon udp 517 system_u:object_r:ktalkd_port_t:s0
+portcon udp 518 system_u:object_r:ktalkd_port_t:s0
+portcon tcp 389 system_u:object_r:ldap_port_t:s0
+portcon udp 389 system_u:object_r:ldap_port_t:s0
+portcon tcp 636 system_u:object_r:ldap_port_t:s0
+portcon udp 636 system_u:object_r:ldap_port_t:s0
+portcon tcp 2000 system_u:object_r:mail_port_t:s0
+portcon tcp 1234 system_u:object_r:monopd_port_t:s0
+portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
+portcon tcp 1241 system_u:object_r:nessus_port_t:s0
+portcon udp 137 system_u:object_r:nmbd_port_t:s0
+portcon udp 138 system_u:object_r:nmbd_port_t:s0
+portcon udp 139 system_u:object_r:nmbd_port_t:s0
+portcon udp 123 system_u:object_r:ntp_port_t:s0
+portcon udp 5000 system_u:object_r:openvpn_port_t:s0
+portcon tcp 5988 system_u:object_r:pegasus_http_port_t:s0
+portcon tcp 5989 system_u:object_r:pegasus_https_port_t:s0
+portcon tcp 106 system_u:object_r:pop_port_t:s0
+portcon tcp 109 system_u:object_r:pop_port_t:s0
+portcon tcp 110 system_u:object_r:pop_port_t:s0
+portcon tcp 143 system_u:object_r:pop_port_t:s0
+portcon tcp 220 system_u:object_r:pop_port_t:s0
+portcon tcp 993 system_u:object_r:pop_port_t:s0
+portcon tcp 995 system_u:object_r:pop_port_t:s0
+portcon tcp 1109 system_u:object_r:pop_port_t:s0
+portcon udp 111 system_u:object_r:portmap_port_t:s0
+portcon tcp 111 system_u:object_r:portmap_port_t:s0
+portcon tcp 5432 system_u:object_r:postgresql_port_t:s0
+portcon tcp 60000 system_u:object_r:postgrey_port_t:s0
+portcon tcp 515 system_u:object_r:printer_port_t:s0
+portcon tcp 5703 system_u:object_r:ptal_port_t:s0
+portcon udp 4011 system_u:object_r:pxe_port_t:s0
+portcon udp 24441 system_u:object_r:pyzor_port_t:s0
+portcon udp 1646 system_u:object_r:radacct_port_t:s0
+portcon udp 1813 system_u:object_r:radacct_port_t:s0
+portcon udp 1645 system_u:object_r:radius_port_t:s0
+portcon udp 1812 system_u:object_r:radius_port_t:s0
+portcon tcp 2703 system_u:object_r:razor_port_t:s0
+portcon tcp 513 system_u:object_r:rlogind_port_t:s0
+portcon tcp 953 system_u:object_r:rndc_port_t:s0
+portcon udp 520 system_u:object_r:router_port_t:s0
+portcon tcp 514 system_u:object_r:rsh_port_t:s0
+portcon tcp 873 system_u:object_r:rsync_port_t:s0
+portcon udp 873 system_u:object_r:rsync_port_t:s0
+portcon tcp 137-139 system_u:object_r:smbd_port_t:s0
+portcon tcp 445 system_u:object_r:smbd_port_t:s0
+portcon tcp 25 system_u:object_r:smtp_port_t:s0
+portcon tcp 465 system_u:object_r:smtp_port_t:s0
+portcon tcp 587 system_u:object_r:smtp_port_t:s0
+portcon udp 161 system_u:object_r:snmp_port_t:s0
+portcon udp 162 system_u:object_r:snmp_port_t:s0
+portcon tcp 199 system_u:object_r:snmp_port_t:s0
+portcon tcp 783 system_u:object_r:spamd_port_t:s0
+portcon tcp 22 system_u:object_r:ssh_port_t:s0
+portcon tcp 8000 system_u:object_r:soundd_port_t:s0
+portcon tcp 9433 system_u:object_r:soundd_port_t:s0
+portcon tcp 901 system_u:object_r:swat_port_t:s0
+portcon udp 514 system_u:object_r:syslogd_port_t:s0
+portcon tcp 23 system_u:object_r:telnetd_port_t:s0
+portcon udp 69 system_u:object_r:tftp_port_t:s0
+portcon tcp 8081 system_u:object_r:transproxy_port_t:s0
+portcon tcp 540 system_u:object_r:uucpd_port_t:s0
+portcon tcp 5900 system_u:object_r:vnc_port_t:s0
+portcon tcp 6001 system_u:object_r:xserver_port_t:s0
+portcon tcp 6002 system_u:object_r:xserver_port_t:s0
+portcon tcp 6003 system_u:object_r:xserver_port_t:s0
+portcon tcp 6004 system_u:object_r:xserver_port_t:s0
+portcon tcp 6005 system_u:object_r:xserver_port_t:s0
+portcon tcp 6006 system_u:object_r:xserver_port_t:s0
+portcon tcp 6007 system_u:object_r:xserver_port_t:s0
+portcon tcp 6008 system_u:object_r:xserver_port_t:s0
+portcon tcp 6009 system_u:object_r:xserver_port_t:s0
+portcon tcp 6010 system_u:object_r:xserver_port_t:s0
+portcon tcp 6011 system_u:object_r:xserver_port_t:s0
+portcon tcp 6012 system_u:object_r:xserver_port_t:s0
+portcon tcp 6013 system_u:object_r:xserver_port_t:s0
+portcon tcp 6014 system_u:object_r:xserver_port_t:s0
+portcon tcp 6015 system_u:object_r:xserver_port_t:s0
+portcon tcp 6016 system_u:object_r:xserver_port_t:s0
+portcon tcp 6017 system_u:object_r:xserver_port_t:s0
+portcon tcp 6018 system_u:object_r:xserver_port_t:s0
+portcon tcp 6019 system_u:object_r:xserver_port_t:s0
+portcon tcp 8002 system_u:object_r:xen_port_t:s0
+portcon tcp 2601 system_u:object_r:zebra_port_t:s0
+portcon tcp 8021 system_u:object_r:zope_port_t:s0
+portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0
+portcon udp 1-1023 system_u:object_r:reserved_port_t:s0
+nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:compat_ipv4_node_t:s0
+nodecon 0.0.0.0 255.255.255.255 system_u:object_r:inaddr_any_node_t:s0
+nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:link_local_node_t:s0
+nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0
+nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:mapped_ipv4_node_t:s0
+nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0
+nodecon fec0:: ffc0:: system_u:object_r:site_local_node_t:s0
+nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:unspec_node_t:s0